Summary:


NtCallbackReturn(>)  1 
NtQuerySystemTime(>)  2 
NtGdiSaveDC(>)  7 
NtMapViewOfSection(>)  33 

NtFsControlFile(>)  1 
NtSetValueKey(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtUserRegisterClassExWOW(>)  34 

NtGdiCreatePaletteInternal(>)  1 
NtCreateSemaphore(>)  3 
NtQueryInformationFile(>)  7 
NtReleaseMutant(>)  38 

NtGdiInit(>)  1 
NtFreeVirtualMemory(>)  3 
NtQueryInformationToken(>)  7 
NtQueryAttributesFile(>)  39 

NtGdiQueryFontAssocInfo(>)  1 
NtGdiHfontCreate(>)  3 
NtUserSetCursorIconData(>)  7 
NtUserFindExistingCursorIcon(>)  47 

NtOpenEvent(>)  1 
NtNotifyChangeKey(>)  3 
NtUserSystemParametersInfo(>)  7 
NtGdiSelectBitmap(>)  57 

NtOpenKeyedEvent(>)  1 
NtOpenProcessToken(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenKey(>)  80 

NtOpenProcess(>)  1 
NtOpenProcessTokenEx(>)  3 
NtCreateFile(>)  9 
NtContinue(>)  94 

NtOpenSymbolicLinkObject(>)  1 
NtOpenThreadTokenEx(>)  3 
NtGdiCreateCompatibleDC(>)  10 
NtResumeThread(>)  115 

NtQueryObject(>)  1 
NtQueryVirtualMemory(>)  3 
NtGdiExtGetObjectW(>)  10 
NtCreateThread(>)  121 

NtQuerySymbolicLinkObject(>)  1 
NtSetInformationObject(>)  3 
NtQuerySection(>)  10 
NtQueryInformationThread(>)  122 

NtSecureConnectPort(>)  1 
NtConnectPort(>)  4 
NtUserGetDC(>)  10 
NtRequestWaitReplyPort(>)  137 

NtSetInformationThread(>)  1 
NtQueryVolumeInformationFile(>)  4 
NtFlushInstructionCache(>)  11 
NtTestAlert(>)  142 

NtUserCallNoParam(>)  1 
NtUserRegisterWindowMessage(>)  4 
NtGdiDeleteObjectApp(>)  14 
NtProtectVirtualMemory(>)  143 

NtUserEnumDisplayMonitors(>)  1 
NtCreateKey(>)  5 
NtUserSelectPalette(>)  14 
NtRegisterThreadTerminatePort(>)  144 

NtUserGetKeyboardLayoutList(>)  1 
NtQueryInformationProcess(>)  6 
NtDeviceIoControlFile(>)  16 
NtClose(>)  148 

NtUserGetThreadDesktop(>)  1 
NtSetInformationFile(>)  6 
NtCreateSection(>)  17 
NtDuplicateObject(>)  148 

NtUserSetWindowsHookEx(>)  1 
NtUnmapViewOfSection(>)  6 
NtOpenFile(>)  17 
NtQueryValueKey(>)  182 

NtAddAtom(>)  2 
NtGdiBitBlt(>)  7 
NtReadFile(>)  18 
NtCreateEvent(>)  194 

NtCreateMutant(>)  2 
NtGdiCreateDIBitmapInternal(>)  7 
NtUserGetClassInfo(>)  18 
NtAllocateVirtualMemory(>)  331 

NtGdiCreateSolidBrush(>)  2 
NtGdiGetDCObject(>)  7 
NtUserCallOneParam(>)  19 
NtSetEventBoostPriority(>)  977 

NtOpenDirectoryObject(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtWriteFile(>)  22 
NtWaitForSingleObject(>)  1219 

NtOpenMutant(>)  2 
NtGdiGetStockObject(>)  7 
NtOpenSection(>)  23 

NtQueryDefaultLocale(>)  2 
NtGdiRestoreDC(>)  7 

Trace:
 00001   420   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   420   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   420   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   420   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   420   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   420   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   420   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   420   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   420   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   420   NtClose  (12, ... ) == 0x0
 00014   420   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   420   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   420   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   420   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   420   NtClose  (16, ... ) == 0x0
 00021   420   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   420   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   420   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   420   NtClose  (16, ... ) == 0x0
 00026   420   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   420   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   420   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   420   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 412, 420, 1485, 0} "\340\254\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 412, 420, 1485, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 412, 420, 1485, 0} "\340\254\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   420   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   420   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   420   NtClose  (16, ... ) == 0x0
 00036   420   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   420   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   420   NtClose  (28, ... ) == 0x0
 00041   420   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   420   NtClose  (28, ... ) == 0x0
 00045   420   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   420   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   420   NtClose  (28, ... ) == 0x0
 00049   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   420   NtClose  (28, ... ) == 0x0
 00052   420   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 412, 420, 1487, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 412, 420, 1487, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 412, 420, 1487, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   420   NtProtectVirtualMemory  (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0
 00057   420   NtProtectVirtualMemory  (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0
 00058   420   NtFlushInstructionCache  (-1, 4231168, 65552, ... ) == 0x0
 00059   420   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   420   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   420   NtClose  (28, ... ) == 0x0
 00062   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   420   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   420   NtClose  (28, ... ) == 0x0
 00065   420   NtTestAlert  (... ) == 0x0
 00066   420   NtContinue  (1244464, 1, ...
 00067   420   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0
 00068   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00069   420   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00070   420   NtClose  (28, ... ) == 0x0
 00071   420   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00072   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00073   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00074   420   NtClose  (28, ... ) == 0x0
 00075   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00076   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00077   420   NtClose  (28, ... ) == 0x0
 00078   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00079   420   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00080   420   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00081   420   NtClose  (28, ... ) == 0x0
 00082   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00083   420   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00084   420   NtClose  (28, ... ) == 0x0
 00085   420   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00086   420   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00087   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00088   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00089   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 32, ) == 0x0
 00090   420   NtQueryInformationToken  (32, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00091   420   NtClose  (32, ... ) == 0x0
 00092   420   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 32, ) }, ... 32, ) == 0x0
 00093   420   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00094   420   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 36, ) }, ... 36, ) == 0x0
 00095   420   NtQueryValueKey  (36,  (36, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   420   NtClose  (36, ... ) == 0x0
 00097   420   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00098   420   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00099   420   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 36, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 36, {status=0x0, info=1}, ) == 0x0
 00100   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00101   420   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808}  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} "\0\0\0\0\2\0\1\0d\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 412, 420, 1491, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 412, 420, 1491, 0}  (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} "\0\0\0\0\2\0\1\0d\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 412, 420, 1491, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00102   420   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 40, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 40, {status=0x0, info=2}, ) == 0x0
 00103   420   NtClose  (40, ... ) == 0x0
 00104   420   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00105   420   NtClose  (-2147482020, ... ) == 0x0
 00104   420   NtCreateFile  ... 40, {status=0x0, info=3}, ) == 0x0
 00106   420   NtSetInformationFile  (36, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00107   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Z\354\347\0\25\266\267\0\23\266\270\0\350I\267\0\257\266\267\0\27\266\267\0W\266\255\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\264\267\0\255\246\267\16\10\2\276\3156\16\266L\332\227'\220C\336\336s7\306\305op\304\326m7\333\302sc\226\325e7\304\302n7\303\331dr\304\227W~\330\2042\32\274\2237\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0\27\266\267\0", ) , ) == 0x0
 00108   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00109   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "B\276\201\34x\212\372Ex\304\316,\267\333\326\10'\2656\7\337~\321\331uv\366\304\337\365\177<\25\372\305\334\377G\335D}\326\346\271\23\255\313\3771t\357}\222\31\271DL\36\177\270\237\347\310\300q=\347\1G \334gv\264\367\315k\211\266\2\251\362\232\32\224t\262R\342\203\346\21\235o\204e7\6\35Ki\336\364,\377\24e\305\24\217_\353I\341k\200\2017\302\300\275\300C;\247\225\301\6\266\275^J\312\2718Z'n1J\255\241\31\207&o\225\254\4\347\12\273\241, ) , ) == 0x0
 00110   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00111   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\300t\274X\257\244\242w&\274\273H\304\373t\30] \373\340B\23\5H\27\35%\345\2473\0}\17\362\367\221\362&\322Zs\352\357Y\31\355-\0E\375\324TG\322\216d\14\324\2436s\326&\345\207\323\335!{\336\346\226T \305\14c\306\233\35\336\326|zk\203\317@=7/C\7\312\255\301h3#\235\214\326\320\20\271\306\14\363.\35\341%\5>\2739<2\247\274\20=19\215\367;\14\237\331\367\323\350A\235\276?<\360\10-f\3039\341\360\143\275\377b\256\217j\340\4\356\332\362]\240\262\3614\344\360\250\306\241\364\243\270\271Z\243\5\33\370\262>\23!\375V'\300\25\310\3750\212\366\22\2757KW\356t\13\2051\342?\34\306tk\270\233\\221\253R\177\257#~\266\367\26\230O\27\363\360\326ld1\331\31\3635\344Te\303\322\19\265?\4xC\206\322\235\346\241D\7\264\200\304\222\310\321\36\327\274\212P<\235\201\347\344Y\356\366Ih\177\314<\357c\203<\351\12\222\355\344o{\312\251\13\1\2568\36\32\217C\355\32H\357\32\227Qh9\334J\0\0X\247\257\33bZZ\355!\264\6 \200]\177?\227Sh:\241vZ\355\15]U\35\235\332\255\221{\256\365\305\205Iu\11\357Q\374u\3479\24:\234\211\4\4\227\211\262\266J\25\260\203\306\371\266\267\30DH\255\275\1\375\20m\261I\261e\275\300\15\30\11~\3]j\35\5+qH\321\231lHB\3628\216\1", ) , ) == 0x0
 00112   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00113   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\201]J\265\227a\33fD?2\6\16=\265`p2\227h\270\300\21q\11\3\22B\272\322\211\36\26\356\6\244q\326\35'\12\253\210\243\315(\240\235;">\35\266\3\274p\230\360\263f\234w0\16\357,4\26q\265\316\223\24\350\271\236!\203t\37\354\263\310\2122!\244"P6q5\237:\362\13_4\34\200\271<\273&>6\206\254*R\\12\12\275\300\266\3410J\13X<\342\373\0\347\362v"\320vi'7S1\320\352\301\2142\316\233\2\35\3665\32\223\275OB\260\2407{"\0\247\31\331(\307\353\20\222c\350$6!t\224\364\220!\177\357\367{\204\264:\5\3Pt\377:\233[Nq\27 \360q\21\227\364\20\27\266\303\274C\364\307|\247\2405\346\7\326:o\260C\353\373\330\0,\346\213/;\227\224\207\7\301\2138\14\304\177\310+\216\2138>\227\221\205\260Q\370\210\20m\214wL\270#\341\26\272\27\346\326+\267\233\37\314\261\243\14\264\231,\322q\341\272\275\207\241z\341t\247\360F;%`\224\240\243\310\363\352%\246\267\5\370X\347]\253\30K\26\34a\337\5\247\35$\177\343\17\200<\254\0\220Z\257\1\325\306n\22\265\270t^(\267E\204L1\234\271BHC\15\242@\263\322j@\362\376`\340o\353=\247\233\332\25\360K\26\311\313\204:+\313\274`\203\257\375\33\31,\337O\206\362\352\25\37\222\225\16\26\252\366\340w!\325\364T<\245\20\343\354\21\266\21\277\330\21\357F\33\0\17V\263U9\277\236*\36\262\20\26\37\346\333\253\253B\244\4\334>\220\247U\260\235H\377.D9\316\370\2j\342\260G\354\371\335\345\321\304\366O\234\325\264\203\0D\301\311\350h\306\334\330\273\246\250\322\357\343\3528", ) >\35\266\3\274p\230\360\263f\234w0\16\357,4\26q\265\316\223\24\350\271\236!\203t\37\354\263\310\2122!\244355\344\364B\344\223\361B\276\345 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\201]J\265\227a\33fD?2\6\16=\265`p2\227h\270\300\21q\11\3\22B\272\322\211\36\26\356\6\244q\326\35'\12\253\210\243\315(\240\235;">\35\266\3\274p\230\360\263f\234w0\16\357,4\26q\265\316\223\24\350\271\236!\203t\37\354\263\310\2122!\244"P6q5\237:\362\13_4\34\200\271<\273&>6\206\254*R\\12\12\275\300\266\3410J\13X<\342\373\0\347\362v"\320vi'7S1\320\352\301\2142\316\233\2\35\3665\32\223\275OB\260\2407{"\0\247\31\331(\307\353\20\222c\350$6!t\224\364\220!\177\357\367{\204\264:\5\3Pt\377:\233[Nq\27 \360q\21\227\364\20\27\266\303\274C\364\307|\247\2405\346\7\326:o\260C\353\373\330\0,\346\213/;\227\224\207\7\301\2138\14\304\177\310+\216\2138>\227\221\205\260Q\370\210\20m\214wL\270#\341\26\272\27\346\326+\267\233\37\314\261\243\14\264\231,\322q\341\272\275\207\241z\341t\247\360F;%`\224\240\243\310\363\352%\246\267\5\370X\347]\253\30K\26\34a\337\5\247\35$\177\343\17\200<\254\0\220Z\257\1\325\306n\22\265\270t^(\267E\204L1\234\271BHC\15\242@\263\322j@\362\376`\340o\353=\247\233\332\25\360K\26\311\313\204:+\313\274`\203\257\375\33\31,\337O\206\362\352\25\37\222\225\16\26\252\366\340w!\325\364T<\245\20\343\354\21\266\21\277\330\21\357F\33\0\17V\263U9\277\236*\36\262\20\26\37\346\333\253\253B\244\4\334>\220\247U\260\235H\377.D9\316\370\2j\342\260G\354\371\335\345\321\304\366O\234\325\264\203\0D\301\311\350h\306\334\330\273\246\250\322\357\343\3528", ) \320vi'7S1\320\352\301\2142\316\233\2\35\3665\32\223\275OB\260\2407{ (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\201]J\265\227a\33fD?2\6\16=\265`p2\227h\270\300\21q\11\3\22B\272\322\211\36\26\356\6\244q\326\35'\12\253\210\243\315(\240\235;">\35\266\3\274p\230\360\263f\234w0\16\357,4\26q\265\316\223\24\350\271\236!\203t\37\354\263\310\2122!\244"P6q5\237:\362\13_4\34\200\271<\273&>6\206\254*R\\12\12\275\300\266\3410J\13X<\342\373\0\347\362v"\320vi'7S1\320\352\301\2142\316\233\2\35\3665\32\223\275OB\260\2407{"\0\247\31\331(\307\353\20\222c\350$6!t\224\364\220!\177\357\367{\204\264:\5\3Pt\377:\233[Nq\27 \360q\21\227\364\20\27\266\303\274C\364\307|\247\2405\346\7\326:o\260C\353\373\330\0,\346\213/;\227\224\207\7\301\2138\14\304\177\310+\216\2138>\227\221\205\260Q\370\210\20m\214wL\270#\341\26\272\27\346\326+\267\233\37\314\261\243\14\264\231,\322q\341\272\275\207\241z\341t\247\360F;%`\224\240\243\310\363\352%\246\267\5\370X\347]\253\30K\26\34a\337\5\247\35$\177\343\17\200<\254\0\220Z\257\1\325\306n\22\265\270t^(\267E\204L1\234\271BHC\15\242@\263\322j@\362\376`\340o\353=\247\233\332\25\360K\26\311\313\204:+\313\274`\203\257\375\33\31,\337O\206\362\352\25\37\222\225\16\26\252\366\340w!\325\364T<\245\20\343\354\21\266\21\277\330\21\357F\33\0\17V\263U9\277\236*\36\262\20\26\37\346\333\253\253B\244\4\334>\220\247U\260\235H\377.D9\316\370\2j\342\260G\354\371\335\345\321\304\366O\234\325\264\203\0D\301\311\350h\306\334\330\273\246\250\322\357\343\3528", ) , ) == 0x0
 00114   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (40, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00115   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\10\331u#6\246w\11\257\232e\345s\271\36yqt6\307W\324\254\341\11\2245|\26\2765.O\240\242&4\35_{V\4t\270\31\272\17%V\12f\273\236\356\221w\301;\307\30\0\16\6\263\320\274>\34\336\244\312\314Q\14\274 \37\340,\301\201\36m\233z\273Q{\233\266YY\315\334\253\334\313\236\260\361bc\32\210\25\262p]\27\10\226\264\361^\246x-\320\250a\247~\327\315\343\253K\252B$\235\262\275\266\342\315i!\217\322"\300\222_c\251\340\307\31\275\265C2\236-8\374\267X\305\265\225\331\5\247\177\301Y\373\333\272P9\353[\271`\372\317\353*\7\15\370\7\302\276F\313\256\331\303\37\20\220\25\313\250\277Dh.Z\242t\226\2\347\327\366\16\14$\367b\222k\267\11v\237\22700\243x\307\302\16\177\376q@\345\214\370\244\351\243\237b\377\23;R6\302>s\333oCC\300\203JCu?=\27\274]\4\247\214\227m-\337\14\303q\177\337*!\257b\241\3479\237\30"\6\34\366%n\323$\211\337\272X t\220h\233\205l\265\146[0 \177C\246\16\275?5\275\21\201\31!\230\306\265\37\240\247\214\375\241>\342;{jq\177\36\7$S\3\376\4\27\243?\367\35\350\347\345/-\333\362\5\306\362\344G\16\256F\215:\274\254\222\326>\24\30163\35}\362\203=\21\326\224F\314;\21H\271\11;\2Q\10\ \177\324 \213\233\267\266X\2574\22I\33\357P\362\5V\324\2\305&Si\33\330W\14\345\263\262\333\26\254W\262\301*\330\35>\214t%H\11j\35/W\340E\32\214\205\252\301\21\21\253\227\7\177\247\177!\30\33 \344|A\24\366\357\227\7\377i\4\254\240\217@d\354\370~\213\241\311%n%\215\1z\236\343\34\374\377\7", ) \300\222_c\251\340\307\31\275\265C2\236-8\374\267X\305\265\225\331\5\247\177\301Y\373\333\272P9\353[\271`\372\317\353*\7\15\370\7\302\276F\313\256\331\303\37\20\220\25\313\250\277Dh.Z\242t\226\2\347\327\366\16\14$\367b\222k\267\11v\237\22700\243x\307\302\16\177\376q@\345\214\370\244\351\243\237b\377\23;R6\302>s\333oCC\300\203JCu?=\27\274]\4\247\214\227m-\337\14\303q\177\337*!\257b\241\3479\237\30 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\10\331u#6\246w\11\257\232e\345s\271\36yqt6\307W\324\254\341\11\2245|\26\2765.O\240\242&4\35_{V\4t\270\31\272\17%V\12f\273\236\356\221w\301;\307\30\0\16\6\263\320\274>\34\336\244\312\314Q\14\274 \37\340,\301\201\36m\233z\273Q{\233\266YY\315\334\253\334\313\236\260\361bc\32\210\25\262p]\27\10\226\264\361^\246x-\320\250a\247~\327\315\343\253K\252B$\235\262\275\266\342\315i!\217\322"\300\222_c\251\340\307\31\275\265C2\236-8\374\267X\305\265\225\331\5\247\177\301Y\373\333\272P9\353[\271`\372\317\353*\7\15\370\7\302\276F\313\256\331\303\37\20\220\25\313\250\277Dh.Z\242t\226\2\347\327\366\16\14$\367b\222k\267\11v\237\22700\243x\307\302\16\177\376q@\345\214\370\244\351\243\237b\377\23;R6\302>s\333oCC\300\203JCu?=\27\274]\4\247\214\227m-\337\14\303q\177\337*!\257b\241\3479\237\30"\6\34\366%n\323$\211\337\272X t\220h\233\205l\265\146[0 \177C\246\16\275?5\275\21\201\31!\230\306\265\37\240\247\214\375\241>\342;{jq\177\36\7$S\3\376\4\27\243?\367\35\350\347\345/-\333\362\5\306\362\344G\16\256F\215:\274\254\222\326>\24\30163\35}\362\203=\21\326\224F\314;\21H\271\11;\2Q\10\ \177\324 \213\233\267\266X\2574\22I\33\357P\362\5V\324\2\305&Si\33\330W\14\345\263\262\333\26\254W\262\301*\330\35>\214t%H\11j\35/W\340E\32\214\205\252\301\21\21\253\227\7\177\247\177!\30\33 \344|A\24\366\357\227\7\377i\4\254\240\217@d\354\370~\213\241\311%n%\215\1z\236\343\34\374\377\7", ) , ) == 0x0
 00116   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00117   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "%(\347\20\320\226\367\12\245\376\213\350\311\275\341\34\37\233\222\14#d\266\324\334\221C\377\227\353\16A58,\275\310\376\274\250\310\220E+\320\350\345 \13}I\342U\3gR\213\250<\373\207\331\\22L\241\271\332qI\241-\23\321\12K\370\215\J|,\234Uc\356\200W!\226\320\22\24\222\222\21\344\202\226%\270"7\341Rf\352N\2159\322\377\363\221\316\336\5\3049\252\222\247\303%!~\326\267\365\3611\312\371\324G\330]\260\333\25\24\235\347j\221\366ZuI\1-[\2r\223\1\222/~\325\215\20\16t\24C}\21:\370\330\11\244\20\336\237\317R\373\223.\332\322\206^\336\254\3\330\266\347\13t\246\227k\6\250)\212\261\226_\13l\351\255\3]\3536x\3r\355\3579\216\311\23B\220\26'[\0\334'`\322\343\317E\260\247SK\322\374c\234\253NJ/\235\333\260\300'\255\304\34\270e B\203\333\24\30\251\31\32\3\310o;D\222\37\345\321\27\25]\22!\364\30\231rZ\200\342\372\33#\307?\225\306T\2612\373\334\205^\1\306r\235e\27\3673\12A\22\334\337iI\244\211\23p\367,\27\265\222@z\202\265\324\204\232\321\210\212\336\323\242\23g\314~7V\246\360h\212P:M\36\315\237\341\363\303\371\33m\372\21\14\254{-#f\311\4x]\233\215SM\261\205\305\313\265\300<\262\244\353\334\340\25jB\253\251\14c\270\263\217\256\373\232\27\7\235u\263"\301\300\4i\260o\344\337\235}\15!\324\233>\234\271\352\20c\253\3\205\207\367\15\0\316\1673NYu\342\351\341\366\36#3\332\200\314\215\336t\16F\273P\12\204\276'\331\216~;'6\353\310\27\2\207\3666\26\3040\244\271?\4\253\233;\204 \345\217\27\236\346\217\221\226\34&&\245\265\243\275", ) 7\341Rf\352N\2159\322\377\363\221\316\336\5\3049\252\222\247\303%!~\326\267\365\3611\312\371\324G\330]\260\333\25\24\235\347j\221\366ZuI\1-[\2r\223\1\222/~\325\215\20\16t\24C}\21:\370\330\11\244\20\336\237\317R\373\223.\332\322\206^\336\254\3\330\266\347\13t\246\227k\6\250)\212\261\226_\13l\351\255\3]\3536x\3r\355\3579\216\311\23B\220\26'[\0\334'`\322\343\317E\260\247SK\322\374c\234\253NJ/\235\333\260\300'\255\304\34\270e B\203\333\24\30\251\31\32\3\310o;D\222\37\345\321\27\25]\22!\364\30\231rZ\200\342\372\33#\307?\225\306T\2612\373\334\205^\1\306r\235e\27\3673\12A\22\334\337iI\244\211\23p\367,\27\265\222@z\202\265\324\204\232\321\210\212\336\323\242\23g\314~7V\246\360h\212P:M\36\315\237\341\363\303\371\33m\372\21\14\254{-#f\311\4x]\233\215SM\261\205\305\313\265\300<\262\244\353\334\340\25jB\253\251\14c\270\263\217\256\373\232\27\7\235u\263 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "%(\347\20\320\226\367\12\245\376\213\350\311\275\341\34\37\233\222\14#d\266\324\334\221C\377\227\353\16A58,\275\310\376\274\250\310\220E+\320\350\345 \13}I\342U\3gR\213\250<\373\207\331\\22L\241\271\332qI\241-\23\321\12K\370\215\J|,\234Uc\356\200W!\226\320\22\24\222\222\21\344\202\226%\270"7\341Rf\352N\2159\322\377\363\221\316\336\5\3049\252\222\247\303%!~\326\267\365\3611\312\371\324G\330]\260\333\25\24\235\347j\221\366ZuI\1-[\2r\223\1\222/~\325\215\20\16t\24C}\21:\370\330\11\244\20\336\237\317R\373\223.\332\322\206^\336\254\3\330\266\347\13t\246\227k\6\250)\212\261\226_\13l\351\255\3]\3536x\3r\355\3579\216\311\23B\220\26'[\0\334'`\322\343\317E\260\247SK\322\374c\234\253NJ/\235\333\260\300'\255\304\34\270e B\203\333\24\30\251\31\32\3\310o;D\222\37\345\321\27\25]\22!\364\30\231rZ\200\342\372\33#\307?\225\306T\2612\373\334\205^\1\306r\235e\27\3673\12A\22\334\337iI\244\211\23p\367,\27\265\222@z\202\265\324\204\232\321\210\212\336\323\242\23g\314~7V\246\360h\212P:M\36\315\237\341\363\303\371\33m\372\21\14\254{-#f\311\4x]\233\215SM\261\205\305\313\265\300<\262\244\353\334\340\25jB\253\251\14c\270\263\217\256\373\232\27\7\235u\263"\301\300\4i\260o\344\337\235}\15!\324\233>\234\271\352\20c\253\3\205\207\367\15\0\316\1673NYu\342\351\341\366\36#3\332\200\314\215\336t\16F\273P\12\204\276'\331\216~;'6\353\310\27\2\207\3666\26\3040\244\271?\4\253\233;\204 \345\217\27\236\346\217\221\226\34&&\245\265\243\275", ) , ) == 0x0
 00118   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (40, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00119   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\25EoHb\34\35\277\337\367\225\210\3125:\327D\351\7\337\0v\177d\5\357\237`A\263\3a\14\244\12\377\1fT'\257\354\216\212[\267H\200\376\2749\375\315\354\17\4\24)\375\2151\322\203?\20C:IW\374\302\336H\304\34\14\313\331\265\25g\272EL\364\277\315\4\320\310\26\4\275\25Ed\26\223\300\24Ju25\364\14\31QS\3715\345\365yW\37\244\303h\235U?N-\323\336\325\272N\344=-=\210\355\317\224m\370\343\0\216\325\13\0aYbg\252;;\224$\335\237V\317\0\347\34\345*\32\345C-\205\225\5\215jN\22v}7m0cu?\0m\277\273\254\3641I 7\24\246\3\365ki\201\15W\304\36\375(x\223\26\25\264}c\302\331\243Y\200\223]{\310\345\16\303A\17"\10\353\377\354\37T\365n\34\4\266\12\375\177\271I \200t\3\25>~\26\347\250\176Kf\2160kB\201\213\253\215(\220\235\257\344\32S\373J\372\263B$\307\230\244\245D\5\373\224<\227\345\243C\26\14'j\207\321$&\236e\366"i\245BC\37\326\273t\14\233H\257\234\330\272\57\364\4\235\346\360\351^\230t\35\374\307\270\270\3571\213\344\207NOC\23N\177\0e\223O\370rvTM\357\304\16k3\2632\3441&\4<`\272=\343\341\16s\224w\366vp\314=v k\366s\30\363\220f73\217\34\362\17-=SP1\271\16\27\22\273\353.D\242H\22\5\265(\375\345\362\22\264\220\350\13<\350RV\6\16hc\300\177\246\225w?m\207\17\337\214\321\234\366\24_e$T\347s_0|\264\267\311\4\177\220\357\25\236\270a\21\246\12o\27\371\357aFg\325H\7\221\34\360'"\323\24+\266\361`\324\236\377`0\256\206\30", ) \10\353\377\354\37T\365n\34\4\266\12\375\177\271I \200t\3\25>~\26\347\250\176Kf\2160kB\201\213\253\215(\220\235\257\344\32S\373J\372\263B$\307\230\244\245D\5\373\224<\227\345\243C\26\14'j\207\321$&\236e\366 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\25EoHb\34\35\277\337\367\225\210\3125:\327D\351\7\337\0v\177d\5\357\237`A\263\3a\14\244\12\377\1fT'\257\354\216\212[\267H\200\376\2749\375\315\354\17\4\24)\375\2151\322\203?\20C:IW\374\302\336H\304\34\14\313\331\265\25g\272EL\364\277\315\4\320\310\26\4\275\25Ed\26\223\300\24Ju25\364\14\31QS\3715\345\365yW\37\244\303h\235U?N-\323\336\325\272N\344=-=\210\355\317\224m\370\343\0\216\325\13\0aYbg\252;;\224$\335\237V\317\0\347\34\345*\32\345C-\205\225\5\215jN\22v}7m0cu?\0m\277\273\254\3641I 7\24\246\3\365ki\201\15W\304\36\375(x\223\26\25\264}c\302\331\243Y\200\223]{\310\345\16\303A\17"\10\353\377\354\37T\365n\34\4\266\12\375\177\271I \200t\3\25>~\26\347\250\176Kf\2160kB\201\213\253\215(\220\235\257\344\32S\373J\372\263B$\307\230\244\245D\5\373\224<\227\345\243C\26\14'j\207\321$&\236e\366"i\245BC\37\326\273t\14\233H\257\234\330\272\57\364\4\235\346\360\351^\230t\35\374\307\270\270\3571\213\344\207NOC\23N\177\0e\223O\370rvTM\357\304\16k3\2632\3441&\4<`\272=\343\341\16s\224w\366vp\314=v k\366s\30\363\220f73\217\34\362\17-=SP1\271\16\27\22\273\353.D\242H\22\5\265(\375\345\362\22\264\220\350\13<\350RV\6\16hc\300\177\246\225w?m\207\17\337\214\321\234\366\24_e$T\347s_0|\264\267\311\4\177\220\357\25\236\270a\21\246\12o\27\371\357aFg\325H\7\221\34\360'"\323\24+\266\361`\324\236\377`0\256\206\30", ) \323\24+\266\361`\324\236\377`0\256\206\30", ) == 0x0
 00120   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00121   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "o\326\231\230\\370\330\374\0D\230{\\245\377Sg\332\336tA\32V,6\351\372\4~\346Nbh\3570SF\372\340a?\325\263\205\2273\262\323\243\221\265\366\7\373\267\227\23\261\203 v\15{\327L\276\200\260LA,\0 \324\234z\24\245\204\25\245\222\200\12\214\373\7\17\24\231\224\340\27\341<\326^\242\213\0\177\311\377S^\362\266\340\32\316n\220\225TZ\353\7\227|I\255N\357\305\26T\324\262$\276.\260%\312\364\214\3t\351}\232\345\266\271\26\365\366\202\235\245\225|b\266\214\200\164\371`\315\243?\267\24V\277*\22\27\276\12/\263\216\327\275\2065\216a\331\270\271:\323\210\242\265\2\212\215\1?\36(\7\12\252 \204\267#<\242\267su\3506\243\6\2\2137X\7Q\216\242B\210\265\201\13\266\320\3075\26\260\25\365\270\237h\336\5\33\221\30\347\274\5\327\245\315rx\255\25\362\343\215\317\4;I\264\24,\340\277IC\245=|\334\261\253\325\273\324\2\252\23b;\325\22\254\303\364\207\231\37\11hMO\207}\277\346-\17\254\362\225\201\1\24C\5\324\33j_\243q\333\16\265\0\213\246\270\377\333\246\12\2)\373\377u\32\3432"\341K\3568\374\213\11\16\323\212\4 \27r\&\277'\250*\177\243B\205\23&\267|R\301\235\12}\264\0\252\240\33\25G\313H\302G\320\354\266\3\25\324\323\236;}\5l\22\272\273\20\7\242\5,\334\4\243\30\17\226\227\313\245\232|$3\236\237,;\242,\0uaF\202G\367;\355C\266\34S\30C?fF\11\374\2424\354\265\213\306\265]\11\303\25\22vwZ\273\3", ) \254\362\225\201\1\24C\5\324\33j_\243q\333\16\265\0\213\246\270\377\333\246\12\2)\373\377u\32\3432 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "o\326\231\230\\370\330\374\0D\230{\\245\377Sg\332\336tA\32V,6\351\372\4~\346Nbh\3570SF\372\340a?\325\263\205\2273\262\323\243\221\265\366\7\373\267\227\23\261\203 v\15{\327L\276\200\260LA,\0 \324\234z\24\245\204\25\245\222\200\12\214\373\7\17\24\231\224\340\27\341<\326^\242\213\0\177\311\377S^\362\266\340\32\316n\220\225TZ\353\7\227|I\255N\357\305\26T\324\262$\276.\260%\312\364\214\3t\351}\232\345\266\271\26\365\366\202\235\245\225|b\266\214\200\164\371`\315\243?\267\24V\277*\22\27\276\12/\263\216\327\275\2065\216a\331\270\271:\323\210\242\265\2\212\215\1?\36(\7\12\252 \204\267#<\242\267su\3506\243\6\2\2137X\7Q\216\242B\210\265\201\13\266\320\3075\26\260\25\365\270\237h\336\5\33\221\30\347\274\5\327\245\315rx\255\25\362\343\215\317\4;I\264\24,\340\277IC\245=|\334\261\253\325\273\324\2\252\23b;\325\22\254\303\364\207\231\37\11hMO\207}\277\346-\17\254\362\225\201\1\24C\5\324\33j_\243q\333\16\265\0\213\246\270\377\333\246\12\2)\373\377u\32\3432"\341K\3568\374\213\11\16\323\212\4 \27r\&\277'\250*\177\243B\205\23&\267|R\301\235\12}\264\0\252\240\33\25G\313H\302G\320\354\266\3\25\324\323\236;}\5l\22\272\273\20\7\242\5,\334\4\243\30\17\226\227\313\245\232|$3\236\237,;\242,\0uaF\202G\367;\355C\266\34S\30C?fF\11\374\2424\354\265\213\306\265]\11\303\25\22vwZ\273\3", ) , ) == 0x0
 00122   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00123   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2Qxo\222\224\2461\314]\267\314\13\342\244\32x\300\326'\304\233\23P\13\36G\3548\314\343\36\330\356\356>bh\245\234\365\277\333\1\23\11\373 \241\342\273\360&\261M\17]\372\35~7\255,lN\316^P\\252\271\212\310|\376\25\353*\215PF\305`\16\6\267\265\216\230\377\242\4\264\225\317\203\2\266\20\322\213\236\26404\325\274|\130\2708\331\261\247\213RF7\0;(\3346\7\313cHis\252 BFm\25\206\204\15dl\366\251\325qdCY\37\264'C\31\217\264\4\22\375\35`e\205w\303qZ\254\311\302\333\7h\263\272\242<\205\343i\222\365\246\257I\314x\301\11\227w\235\336z\24\22_\247\256\227\206\33\376\363\3\237\177\274\211A\217a\23T\314\3451\207?\372\354\334\316[\205\307%?\\301\254\360`SY\2661\14$\345\350\203\206[Eym\227\1\20\310\314\321[\267\331z\257\207S\27f\324\363K`c?L\16\262\207\37\343\226\227\200\353\264`\25_wU\262\305\364\343\27\31\246\243hB\237\367\0\334\200B$\1\30<\1\305FCz\326\255\274\200P\262\229\5\276W%:FS\200c\247\23\344\300\252\2231v;\234\364\320\304\26\322\247\30\235{\16\267\346E\5\344:HF\232N\332\317\275\214\203B\265\314.PU\300\24\201\276\257`\310\321b#\36\316=\206\320if4{ao\22\350e\375\333O\265\274\372?\363M\232\266\251\30\3006\300\5\3\37\275\277$9\372\317\24`\254\256\177\321\356\273\11\324[@\336\261\363\\317\362\305F\232,\220\345\243\2575\223\230e\251\255\0y?\223\235\253Ej\247\365P\372\360\300u\342\261\214\271\251\264\365\242\36\347\200\253\342X\2\26\336\240\13>\354F=\357k\5\375\235\3471\246\220#/\14", ) , ) == 0x0
 00124   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00125   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\26\27HN\263c\277\22H\253\323\262\3132\234q<\367\256\367\237\201\2624\265;5:\230\370\5Cy\332\356\205i\226\204\312\374\233\13\274\2607\1\216\366\11&0\267\265\20G\330\326\315\323\305\3706\2371\277\370\374\260\215\7\254C\347\201z\265V\367-\264,\315C\307\302\32~\4%\254E\354\253\254V1`/\203\232\307x\226k\240\367E\253\231\14\245\362\3\254[\260\204\204\246\334\376\23\337x\354\251\311\36\221\330\371>\364\20\341\216FEg3x\300\177O=\276\241\267\235 \236\275\253F\24\16J\11`\366pFS\250W?\213*Bm\371\205\227&\37\263\357s\33\314<\300\37\216\257*\365\350\323V\214\250f\352\325\210\364\270\12\326\F9z\242\32%\256\273\320;6\373\2046\11\332\2\3736\373\37V\312\33\360\14\275\374 5\364/\33c\232,[/\333\27 \331\263\243\24\367\363s\262\17\256\304K0}a\257\33\272\273\30\25\242\324\7\374 \214u\35\276:_\3Q\241\212\232\303\32\211pJ\360\327P\34A\276w\201\323\353\0|\244\30\11\2565\220\212\302\273\301\3472-\20\2\377[OW\16!\252\270\243, ) , ) == 0x0
 00126   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (40, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00127   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "}\262E\30iX4\332V\26c|\237\271\4\237\331\324\322\204\377Vt{\234\272\362\332}.|0\221g\216\35\6!WD\49{]\227a\323D?!\311"\267\315\302\15e\267\311\34A(\376\217\261\33O\226\2\2330fJzs\353g\254.\14\7\277\274\25\333\263\38\10w\323\333Yn\310\360\31\264\343\5\324;\230\370:a\264\11\275\377\304\267\275{\343\23\10\220\364\271\3216\355Q\347\240\324\275\206\3125\233\236R\215\234[\30437\37^;\341Z4'\343*M63\3\207\354\244\336<\265\216\251&\203\2629>\17\1\3257LW\35\270\350\343i\277p\20\37]d0\25\2166m\243\243Q\2169D&\217\220\233\265~\22=\262\340\241\352&\311\373 \6\30\\240#\13\353B7\3\5k\234\336ce\236\221\201\342\262D5N\206!\2277\254\234\6c\377\26x\262\14\235\226\270&\35\316\322?K\201\312[\250o\247\276E\206F\253\330\354$\305\263\313\325@\31Z\357\342\211\353A\235*\351\34\226\3\352*vL\3\327T|\30\262\263\373\207~\270\267\336\244?!\243T\204\5\365d\261\32<\234\250b\10\252\354\30\36\343\352\364\236\306\312\254\2353\312\10q7}\265\325\3557\16\321\373\243\243\265\236\201\25\377\313\352d3\324\375\365\347\360\237Dl\0*\353 1`8/?\317\344\363|\301yj\222\217\364\223\363\345\24\243\241\15\22276\34\4\337\324\364`\346bI\0I\274\363\211\365&\202\375\23\220\3313hf\314\145\267C\256\1\31\276s\37\235@a\324\344\128\0\215y\302\346\257\264\307\346\342\243\217W\232\266s\33\260\27\35067tf\217j\353\276\352\277\303\14qI~\4\374\246>P\34\267\261\3G\234\366=F\271\367S_\2270\214\244%\17D\26\221\226\353", ) \267\315\302\15e\267\311\34A(\376\217\261\33O\226\2\2330fJzs\353g\254.\14\7\277\274\25\333\263\38\10w\323\333Yn\310\360\31\264\343\5\324;\230\370:a\264\11\275\377\304\267\275{\343\23\10\220\364\271\3216\355Q\347\240\324\275\206\3125\233\236R\215\234[\30437\37^;\341Z4'\343*M63\3\207\354\244\336<\265\216\251&\203\2629>\17\1\3257LW\35\270\350\343i\277p\20\37]d0\25\2166m\243\243Q\2169D&\217\220\233\265~\22=\262\340\241\352&\311\373 \6\30\\240#\13\353B7\3\5k\234\336ce\236\221\201\342\262D5N\206!\2277\254\234\6c\377\26x\262\14\235\226\270&\35\316\322?K\201\312[\250o\247\276E\206F\253\330\354$\305\263\313\325@\31Z\357\342\211\353A\235*\351\34\226\3\352*vL\3\327T|\30\262\263\373\207~\270\267\336\244?!\243T\204\5\365d\261\32<\234\250b\10\252\354\30\36\343\352\364\236\306\312\254\2353\312\10q7}\265\325\3557\16\321\373\243\243\265\236\201\25\377\313\352d3\324\375\365\347\360\237Dl\0*\353 1`8/?\317\344\363|\301yj\222\217\364\223\363\345\24\243\241\15\22276\34\4\337\324\364`\346bI\0I\274\363\211\365&\202\375\23\220\3313hf\314\145\267C\256\1\31\276s\37\235@a\324\344\128\0\215y\302\346\257\264\307\346\342\243\217W\232\266s\33\260\27\35067tf\217j\353\276\352\277\303\14qI~\4\374\246>P\34\267\261\3G\234\366=F\271\367S_\2270\214\244%\17D\26\221\226\353", ) == 0x0
 00128   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (40, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00129   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\4\221\244\223l\237\353\15\355^\310\3\30\367\22\240z\333w+.\222k?^\14\232\335\271F\325\215J\230u\10\354\276\302\323#{\300\367\332\221\224\363\370\365d4Z\250\255$7\345\227w\341u\361O\265b\353\273\374{\1\306\3N\354\373\\214C\21216K+i\262\232u\313\204S\271\212\0a.\277\367\3610FO{\232\242\325\346^D<\301\214\321\314<-L\240H[\374>\24\303\350\310?\12\321\255\313\14NjHM\317\310\334\245\355\303A\353\32I\272\261\324R\311\22\374\367ec\14 \237C\11\275\374\21\367\310\206}\245\250\27\212\243\275\334\271\21\34\302\353\11+\275\276\355m\25GU\270\262\337D;M}\246\342.\251\276\204F\276\342\377\322\15~\221\303A\345\254\371;\332ZO\270\34\261\343\373\376\232\10\241I\241\16\14\23\222\364\25\213\261u5\320@\240\335\343pF\21(\246\35cW\321\226\22\310\272\3W\337qC\251\232\307\267\373_\362@\314\230\5?~v\247M\221=\265\336\22wO\20j_B\227\377\233h\370\316W}1_oK\333:=\335\13\310\20\307\330\316-j\202\214\345E\350\310\324\312Ac\277m\273\371Nhu\361;\314\3\350[\250\2023-=D\2Sk\300\377\2627\344\30\320\262\360\372\1m0'W\326\353%v\35\213\363\265\312\10n\27Q\340JD5;j\272\214\4\357\310L\27m\244\304'!\215\2645e\223qD\21\266\370x\32HVn\350Q\260\22.\301Z\353\10\320p\245&\266\326\13x\6\0^\250$\223\317\26F\333,\26\337\360\14N\321\301\375\334>\7\7VO\3\237\345\265\303V\177\265\340\272\264\216\310\34|\312\201L'\243\373n\261\301\367\3175m\12\227\33\207\12q\275\372|\357@\214z\23\312\250\277\31\367\232!", ) , ) == 0x0
 00130   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00131   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "'\227\237\336\201\272\'\1\265\341\15\221H \254\32\252\240\213\310\215\u\325#\241\13=\10r\237\373\220\2037\35\357wZLfL\213xB\234\240%-\305lY\265\375\4l\205\266\4(\335zwI\247\16\255S\343\357\273\26\310o\31W\6\262)\257\362\323\20fU\201\353\201\274<\377\24x\366\304a\235\205\27,yJ)\1\266\16\266\212\220\243A\255\303f(\2653y\213\3746\341\24\5\36c4A\234\217\331\223]\273nD\366\7F\353\255\214\373b3c\221\276\340\30Y4\353>\30\212\210j\236\21\2376\306#7Q<.\266\255\1'\251\257U\326\244\346V[W\340Q*N>;\0e\17G)\324\214\254\333\325\244$\227\217\264\350\27X\26\272_AL_\26(9_B^T`}\300w\276\246\262\370h\34\343\345u\10\316\262\3151\361\263$N\264[\24`\300l0\3166\225\243\373>\277RS\262\214\270\366:\352\350\371\265r\211\342=\252T\0\254\311N\374\347Es\230X\300\14\313\233\233\200\24\300\214\31`\215\214c\277\314/\333\221?\262\24\33\300\214b\224\13\233tA\3042\12\320c\326\234\255\263\362\250\217\271h\251\365r\30\252O\303\20Q.\363\330k\326\23\10\31\31\277\267\360\26\362\247\344\1\267\212\334\37\273\31[\250&\27\10Lf<\352\2264\331[\306S\267\376\24\2726\302"-\314\233\327U\16\321\217\363(\373\326\350T\206s\362\213"x>\2165\326\213\316i\12\1\335}\325L\217a\274j;l\276\16/\30\241k\213\22I\301\36@\246\234\373@\7\252v\251\345wB\262]\27662\277=\317\31\17\13\210\345\257\201&<\3D\241\226P~\20\363\200\203\235\374\265\370\310\336\327jF\341\235\261A\223\216amx\211\253$d\265<\4,Y\304\214", ) -\314\233\327U\16\321\217\363(\373\326\350T\206s\362\213 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "'\227\237\336\201\272\'\1\265\341\15\221H \254\32\252\240\213\310\215\u\325#\241\13=\10r\237\373\220\2037\35\357wZLfL\213xB\234\240%-\305lY\265\375\4l\205\266\4(\335zwI\247\16\255S\343\357\273\26\310o\31W\6\262)\257\362\323\20fU\201\353\201\274<\377\24x\366\304a\235\205\27,yJ)\1\266\16\266\212\220\243A\255\303f(\2653y\213\3746\341\24\5\36c4A\234\217\331\223]\273nD\366\7F\353\255\214\373b3c\221\276\340\30Y4\353>\30\212\210j\236\21\2376\306#7Q<.\266\255\1'\251\257U\326\244\346V[W\340Q*N>;\0e\17G)\324\214\254\333\325\244$\227\217\264\350\27X\26\272_AL_\26(9_B^T`}\300w\276\246\262\370h\34\343\345u\10\316\262\3151\361\263$N\264[\24`\300l0\3166\225\243\373>\277RS\262\214\270\366:\352\350\371\265r\211\342=\252T\0\254\311N\374\347Es\230X\300\14\313\233\233\200\24\300\214\31`\215\214c\277\314/\333\221?\262\24\33\300\214b\224\13\233tA\3042\12\320c\326\234\255\263\362\250\217\271h\251\365r\30\252O\303\20Q.\363\330k\326\23\10\31\31\277\267\360\26\362\247\344\1\267\212\334\37\273\31[\250&\27\10Lf<\352\2264\331[\306S\267\376\24\2726\302"-\314\233\327U\16\321\217\363(\373\326\350T\206s\362\213"x>\2165\326\213\316i\12\1\335}\325L\217a\274j;l\276\16/\30\241k\213\22I\301\36@\246\234\373@\7\252v\251\345wB\262]\27662\277=\317\31\17\13\210\345\257\201&<\3D\241\226P~\20\363\200\203\235\374\265\370\310\336\327jF\341\235\261A\223\216amx\211\253$d\265<\4,Y\304\214", ) , ) == 0x0
 00132   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (40, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00133   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\4\233<\274\224\214\211\334\352\203\372\15\35?\266\241\21jq\0\31\317\313\364q}\235\263\2509\340\2\300\263"\32\320\277s\231\215\227\277\17\223%\220\353<\363S\35G\235\263\202\356,\252\257G_\312\217\37\346\2460\205\257\301\11\378#cH\225\227 \250y\343p\217\4y\207d \323\177\201\312{-\237\352\1;\223S\251\0\326\376\342|\274\216\263\270\340\365\232\17s\342\365\07uXT&\240\250\20\303\245\31\265]\260\20~\35\271\354\25[\327\250t*\337\340P\327\240\320\34X\23\34\255\205J\33D\16\202\317\353E\341\344\246Z\303\303_@\266\243\360\17\216\11\240';\307\30\340\22\344\300W\367r\261\315\306\272\211\354\.\16$\374+\253&\37\222\36\217\375\320\277\357\266ds&\37\33\213\217\2075\4q\324\227G\242w\3\214\355\342P\2756\265\22\2600\14\220o\250\207\310s\301\274\230\356\26>\312F\333\357L\326|!\320\35\261\0S\272\264GZ\37\15\310\3317\36"\202\23\267n\233Vk\204\213\335!(#<6H\2606\215Ir6\302\232\375\16\264\317\255:\221\2317\373\333\332\261\11\212K\261\353\271\361\257t\212 \177^9\340\212\347\6\224\340\254\246\347\212\367Au\374Z\353\321\253\357\1\330\231\232\372\240\374\21\361\265\213\20w]\3\5\323l\332z\261\274\4]i\262\10\37\272!eN \220\20\3\250\257\34N \322Y\2\226\223\14?\375\262\277R\274\3100]\303\177\350V\276\321\255\252J\331m\35\261n[\264Y\270\13\237\261I\312\245\326\363\27\350\243\331\257b\5<\205q\271`\363q\35(\2O@\256\357\211\204w$\353&H\374\345\30:w\350=\312\14, ) \32\320\277s\231\215\227\277\17\223%\220\353<\363S\35G\235\263\202\356,\252\257G_\312\217\37\346\2460\205\257\301\11\378#cH\225\227 \250y\343p\217\4y\207d \323\177\201\312{-\237\352\1;\223S\251\0\326\376\342|\274\216\263\270\340\365\232\17s\342\365\07uXT&\240\250\20\303\245\31\265]\260\20~\35\271\354\25[\327\250t*\337\340P\327\240\320\34X\23\34\255\205J\33D\16\202\317\353E\341\344\246Z\303\303_@\266\243\360\17\216\11\240';\307\30\340\22\344\300W\367r\261\315\306\272\211\354\.\16$\374+\253&\37\222\36\217\375\320\277\357\266ds&\37\33\213\217\2075\4q\324\227G\242w\3\214\355\342P\2756\265\22\2600\14\220o\250\207\310s\301\274\230\356\26>\312F\333\357L\326|!\320\35\261\0S\272\264GZ\37\15\310\3317\36 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\4\233<\274\224\214\211\334\352\203\372\15\35?\266\241\21jq\0\31\317\313\364q}\235\263\2509\340\2\300\263"\32\320\277s\231\215\227\277\17\223%\220\353<\363S\35G\235\263\202\356,\252\257G_\312\217\37\346\2460\205\257\301\11\378#cH\225\227 \250y\343p\217\4y\207d \323\177\201\312{-\237\352\1;\223S\251\0\326\376\342|\274\216\263\270\340\365\232\17s\342\365\07uXT&\240\250\20\303\245\31\265]\260\20~\35\271\354\25[\327\250t*\337\340P\327\240\320\34X\23\34\255\205J\33D\16\202\317\353E\341\344\246Z\303\303_@\266\243\360\17\216\11\240';\307\30\340\22\344\300W\367r\261\315\306\272\211\354\.\16$\374+\253&\37\222\36\217\375\320\277\357\266ds&\37\33\213\217\2075\4q\324\227G\242w\3\214\355\342P\2756\265\22\2600\14\220o\250\207\310s\301\274\230\356\26>\312F\333\357L\326|!\320\35\261\0S\272\264GZ\37\15\310\3317\36"\202\23\267n\233Vk\204\213\335!(#<6H\2606\215Ir6\302\232\375\16\264\317\255:\221\2317\373\333\332\261\11\212K\261\353\271\361\257t\212 \177^9\340\212\347\6\224\340\254\246\347\212\367Au\374Z\353\321\253\357\1\330\231\232\372\240\374\21\361\265\213\20w]\3\5\323l\332z\261\274\4]i\262\10\37\272!eN \220\20\3\250\257\34N \322Y\2\226\223\14?\375\262\277R\274\3100]\303\177\350V\276\321\255\252J\331m\35\261n[\264Y\270\13\237\261I\312\245\326\363\27\350\243\331\257b\5<\205q\271`\363q\35(\2O@\256\357\211\204w$\353&H\374\345\30:w\350=\312\14, ) , ) == 0x0
 00134   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00135   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "4C\242\205q\360K\6\14\302<\22\22m\277s8m)\242y\202\215C\211\264U\6\6Y\2672\243\304Y/\272L\214\373`\24\312\31\247\247\252\353\354\300X\377{I\260\167\24"\12,\373O\177\207\265\217\0\27\7\302\213\243\344Lx\336\356z0\313\321\366`\374Gi\5\37\1\232\227\3630+\231\262^g\16\323\256\1\375\357\261_\13c\236\256W\2\353\34\200\0\362:_\23\370\15\24\367\200\235\32\335\343\257\24\336\257\17?%\215\200|\375\331\30\330\36077\14\317\246W\202wg%\330\354\334\261\304\33\2Qo\366\333 \267\224IZhV\313\262\5\257\354\261\15\355\357\22\32\357_\245\17\234\205\351NS4.\350NGO\226\2066\3\36\247R\7\17=6\300\30\45\313\223\330\340\324\201U\311^tQ\266\252\247?66\21\264c\274\14l\233l\213\17\347\340\341)\363\250\237Aqd\364(\207\34w\240'\340\33I\272~\302s\257_$\235\343\224\253\213\211\301\201\2714%\253\324)\36012\366\13\26\374.\3\5\266~6\3N\346n\260\36&\12]\331J\336P\5\265\316\4\13\272\22\7\256\215\237\251\233\224\367b}X\363\262\374\330\370_\14"\34\264\271Fk\12\24\246m\213B\346\303x\264\262\346\13\346\344aXF7ngK\236\376\265O\247\1\335\344\366\301\351z\36"w\247O\273\223\327\267,\237%\264\370b\207E\243J\346\346\351\274\326t\202\4\322\217\213\335\14\257O\37\256\266\346N\356\3432\227\37y\370C\4g\262\5\16e\22\0\202\240(\0\235G\323\363\357wcA\262\324\17\21\205 D\324\2\274\260\2770\357xD\243\347\376\314\2676{\200;\253\224R\261\266\1j\240*|3\232_\0c=\205]}\252\361\354\6B\235\361\314\365pk\370\300\264\", ) \12,\373O\177\207\265\217\0\27\7\302\213\243\344Lx\336\356z0\313\321\366`\374Gi\5\37\1\232\227\3630+\231\262^g\16\323\256\1\375\357\261_\13c\236\256W\2\353\34\200\0\362:_\23\370\15\24\367\200\235\32\335\343\257\24\336\257\17?%\215\200|\375\331\30\330\36077\14\317\246W\202wg%\330\354\334\261\304\33\2Qo\366\333 \267\224IZhV\313\262\5\257\354\261\15\355\357\22\32\357_\245\17\234\205\351NS4.\350NGO\226\2066\3\36\247R\7\17=6\300\30\45\313\223\330\340\324\201U\311^tQ\266\252\247?66\21\264c\274\14l\233l\213\17\347\340\341)\363\250\237Aqd\364(\207\34w\240'\340\33I\272~\302s\257_$\235\343\224\253\213\211\301\201\2714%\253\324)\36012\366\13\26\374.\3\5\266~6\3N\346n\260\36&\12]\331J\336P\5\265\316\4\13\272\22\7\256\215\237\251\233\224\367b}X\363\262\374\330\370_\14 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "4C\242\205q\360K\6\14\302<\22\22m\277s8m)\242y\202\215C\211\264U\6\6Y\2672\243\304Y/\272L\214\373`\24\312\31\247\247\252\353\354\300X\377{I\260\167\24"\12,\373O\177\207\265\217\0\27\7\302\213\243\344Lx\336\356z0\313\321\366`\374Gi\5\37\1\232\227\3630+\231\262^g\16\323\256\1\375\357\261_\13c\236\256W\2\353\34\200\0\362:_\23\370\15\24\367\200\235\32\335\343\257\24\336\257\17?%\215\200|\375\331\30\330\36077\14\317\246W\202wg%\330\354\334\261\304\33\2Qo\366\333 \267\224IZhV\313\262\5\257\354\261\15\355\357\22\32\357_\245\17\234\205\351NS4.\350NGO\226\2066\3\36\247R\7\17=6\300\30\45\313\223\330\340\324\201U\311^tQ\266\252\247?66\21\264c\274\14l\233l\213\17\347\340\341)\363\250\237Aqd\364(\207\34w\240'\340\33I\272~\302s\257_$\235\343\224\253\213\211\301\201\2714%\253\324)\36012\366\13\26\374.\3\5\266~6\3N\346n\260\36&\12]\331J\336P\5\265\316\4\13\272\22\7\256\215\237\251\233\224\367b}X\363\262\374\330\370_\14"\34\264\271Fk\12\24\246m\213B\346\303x\264\262\346\13\346\344aXF7ngK\236\376\265O\247\1\335\344\366\301\351z\36"w\247O\273\223\327\267,\237%\264\370b\207E\243J\346\346\351\274\326t\202\4\322\217\213\335\14\257O\37\256\266\346N\356\3432\227\37y\370C\4g\262\5\16e\22\0\202\240(\0\235G\323\363\357wcA\262\324\17\21\205 D\324\2\274\260\2770\357xD\243\347\376\314\2676{\200;\253\224R\261\266\1j\240*|3\232_\0c=\205]}\252\361\354\6B\235\361\314\365pk\370\300\264\", ) w\247O\273\223\327\267,\237%\264\370b\207E\243J\346\346\351\274\326t\202\4\322\217\213\335\14\257O\37\256\266\346N\356\3432\227\37y\370C\4g\262\5\16e\22\0\202\240(\0\235G\323\363\357wcA\262\324\17\21\205 D\324\2\274\260\2770\357xD\243\347\376\314\2676{\200;\253\224R\261\266\1j\240*|3\232_\0c=\205]}\252\361\354\6B\235\361\314\365pk\370\300\264\", ) == 0x0
 00136   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00137   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "t\370\257!;\215\224\264\215\265\301BV\342\274D\3\267\324tW\370\323t\3\321\366\14\337\323z\4\3\216\224\220\273\375 <\224\222\353\310(\376^^v*?\233U\356\224\364T\177\322(k\377\273\240\277\350\343\5d\251\177\3\26\35\375D\22\365\257\316\20\177|H\26\265\322\30\27\210\223\313\265\234o\7\307d=A=6'\204SL\263\231\227}\276:7\363\341\7\316]\231M;\301\263\306\34R\373\201T\366\200\3\341~\355+T:\274|\177\366\371\232\3\267+\254\207!FJ\20\371\21\357F\353a*l\231\346\274\344!\264%\247\332\267O\250\371\226\233wi\363\24S\202\277K\21Z\322\13S\246\2248\244\241~\215\223\365\245\24SRd\14o\262\245SR\276\14\11.#+S"\363\217\35\325\346oS\13\331\3173\33!\212\204\203\351|E\277\351\343a\253~\301/B\276DE\317\331f\267\333\302\342\303\230\271\203t8\217&_RJ\361\30x"\375\232:'\224H\25717\220\14\332\264w\371\14\372p\214\341\360\30\24\321\260\246w\226\16\1\225\221\266\271\177\265N \356\266\2444\27\341\217\217\352\260S\0FV\265i\245\346\305\3B\322\321T\3y\307T\27\2265*\257o\31\27E\216\247\344`\340~&\20\256\241P\6\301\341\1\242x\246\27\354\305w\354\273\274\212\347(\345\327\20\7$\266E'"\347T\367H\210S\337\247\330\351\255Z3\346\34\342\345\2\310\352|\307\7!\334\314\2659p\26\244\\2\334\361\13\367=O\313\4\27\361oH\3\225\375.T\377\178N~\261\244\35\256\353\242\23M\273\2Z\303\247\257_\265\323\2\265\20\357h|S\320p\14\257S\3\270\232~\360.A\263\4\4&\265\3\305\273\263\266\33\266\267\10\13\265}\226#\265\367 \4\132M", ) \363\217\35\325\346oS\13\331\3173\33!\212\204\203\351|E\277\351\343a\253~\301/B\276DE\317\331f\267\333\302\342\303\230\271\203t8\217&_RJ\361\30x (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "t\370\257!;\215\224\264\215\265\301BV\342\274D\3\267\324tW\370\323t\3\321\366\14\337\323z\4\3\216\224\220\273\375 <\224\222\353\310(\376^^v*?\233U\356\224\364T\177\322(k\377\273\240\277\350\343\5d\251\177\3\26\35\375D\22\365\257\316\20\177|H\26\265\322\30\27\210\223\313\265\234o\7\307d=A=6'\204SL\263\231\227}\276:7\363\341\7\316]\231M;\301\263\306\34R\373\201T\366\200\3\341~\355+T:\274|\177\366\371\232\3\267+\254\207!FJ\20\371\21\357F\353a*l\231\346\274\344!\264%\247\332\267O\250\371\226\233wi\363\24S\202\277K\21Z\322\13S\246\2248\244\241~\215\223\365\245\24SRd\14o\262\245SR\276\14\11.#+S"\363\217\35\325\346oS\13\331\3173\33!\212\204\203\351|E\277\351\343a\253~\301/B\276DE\317\331f\267\333\302\342\303\230\271\203t8\217&_RJ\361\30x"\375\232:'\224H\25717\220\14\332\264w\371\14\372p\214\341\360\30\24\321\260\246w\226\16\1\225\221\266\271\177\265N \356\266\2444\27\341\217\217\352\260S\0FV\265i\245\346\305\3B\322\321T\3y\307T\27\2265*\257o\31\27E\216\247\344`\340~&\20\256\241P\6\301\341\1\242x\246\27\354\305w\354\273\274\212\347(\345\327\20\7$\266E'"\347T\367H\210S\337\247\330\351\255Z3\346\34\342\345\2\310\352|\307\7!\334\314\2659p\26\244\\2\334\361\13\367=O\313\4\27\361oH\3\225\375.T\377\178N~\261\244\35\256\353\242\23M\273\2Z\303\247\257_\265\323\2\265\20\357h|S\320p\14\257S\3\270\232~\360.A\263\4\4&\265\3\305\273\263\266\33\266\267\10\13\265}\226#\265\367 \4\132M", ) \347T\367H\210S\337\247\330\351\255Z3\346\34\342\345\2\310\352|\307\7!\334\314\2659p\26\244\\2\334\361\13\367=O\313\4\27\361oH\3\225\375.T\377\178N~\261\244\35\256\353\242\23M\273\2Z\303\247\257_\265\323\2\265\20\357h|S\320p\14\257S\3\270\232~\360.A\263\4\4&\265\3\305\273\263\266\33\266\267\10\13\265}\226#\265\367 \4\132M", ) == 0x0
 00138   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00139   420   NtReadFile  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\215\366\247\214\25\252\247\205\234\347\254\27\327\215\3738F\227RRz\21\341\210\347\10\264|\335\332)\117\350'\346\14vrh\341\271\232\330\7\207\7F\374J\373\15s\275\314\301\33\266o\17+\274\361\21\323\240\353k\355\226\321A\12\267ck_%\275\345\364P?axn\274+\34\332\1\2145\10\247\201\25\24\\301\250\267\321@\253o\234v\231\270o\2627\366\270\21\247\206/\315]\204\372\263\373\223,@o\2701\14\336{\245\226?\376\271\133\366t@\7\363=\261N\2556|s\274\276\221 -\262\20\260\247\344\360\252u\5\11^\275\353B\320\265\251\357\240\272q\217\351\364\347\261\223\234\353\203vw\365\20\235M\221\364\374\35\211-\7\333\26\2638\245\141\305\206\353\200\264,\11y\222\247s\326\230\315\266.\353\231Y\233\204\320\20\314\302\347\5\244\274\236\370\245\277|\352\0\2x:\33\222\254BG\274\343\20\37\240\263M\21\347\233\2\23r\310d\22\335\243\6Q\22'\11\1\2755\242|\220\251#N\253\265=\377z/\5\366#T8\7\255\256\263\22\371\303\242\375\244!\260\4\237\202\26,\256\261\234A\323\214;\323\324\373\20\233\245\24\10w\5\217$\273\221\246I_.\334\4\31\206\307\232:\315\246n\32^\327\300\224\327\207\2118\232n\214\316\306\243\2\353\270\224\250\17t\357\337K\177)-\30\303\325\236R\340\346\21\23\250\270\22U\272\361@h\344\5C\335\274\5\14\312\10\277\322\247\24\344\344z\262\333Y\324\35\361\16\225\257\4%\212\271\25\336$\302|F\306\332\2776\33\326()5K\15A\33\356w\340v\212\366\315;!\12\2u\347\213s\3\262FN\357\344Ah\,\357\237\6\217E\1?\324\12\11\360\201$\226\332j\273\224\36\353o\222\326\4\323\20\340\246\355x\241L\241\4", ) , ) == 0x0
 00140   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (40, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00141   420   NtReadFile  (36, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (36, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "W\375\267\0G\375\267\0s\355\267\0c\355\267\0\363\337\267\0\343\337\267\0\23\334\267\0\33\334\267\0\3\334\267\0\13\334\267\03\334\267\0;\334\267\0#\334\267\0+\334\267\0S\334\267\0[\334\267\0\267\334\267\0\243\334\267\0\317\334\267\0\13\335\267\0G\335\267\0\277\335\267\0\307\335\267\0\7\332\267\0\207\332\267\0\377\332\267\0\223\330\267\0\347\331\267\0'\306\267\0\3\307\267\0\267\307\267\0c\305\267\0k\303\267\0S\301\267\0?\316\267\0\337\316\267\0_\317\267\0\237\317\267\0k\314\267\0\213\314\267\0\327\314\267\0\347\314\267\0\217\365\262\0\367\365\262\0\300\237\260\0\374\237\260\0\25\234\260\0\15\234\260\0#\234\260\0Y\234\260\0~\234\260\0\223\234\260\0\267\234\260\0\256\234\260\0\303\234\260\0\377\234\260\0\351\234\260\0\5\235\260\0?\235\260\0V\235\260\0G\235\260\0j\235\260\0\201\235\260\0\240\235\260\0\306\235\260\0\357\235\260\0\14\232\260\0]\232\260\0x\232\260\0\205\232\260\0\326\232\260\0\366\232\260\0\23\233\260\0.\233\260\0p\233\260\0k\233\260\0\205\233\260\0\275\233\260\0\327\233\260\0\301\233\260\0\373\233\260\0\26\230\260\0\15\230\260\08\230\260\0S\230\260\0I\230\260\0n\230\260\0\223\230\260\0\235\230\260\0\204\230\260\0\210\230\260\0\13\266\241\0\0\266\256\0\3\266\257\0\2\266\255\0\23\266\264\0\37\266\260\0\21\266\262\0<\266\254\0\12\266\251\03\266\227\0?\266\235\0>\266\226\04\266\225\0\10\266\222\01\266\220\0\4\266\246\0\5\266\273\0\7\266\271\0\30\266\272\0\34\266\275\0\36\266\233\0\27\266\265\0\26\266\231\0:\266\267\0\27\266\267\0\27\266\267\0\27\266\267@3\316\307$&\204\371mb\322\307@C\370\372US\346\267@3\316\307$&\203\371m", ) , ) == 0x0
 00142   420   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00143   420   NtClose  (40, ... ) == 0x0
 00144   420   NtClose  (36, ... ) == 0x0
 00145   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00146   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.tmp"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00147   420   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 36, ... 40, ) == 0x0
 00148   420   NtClose  (36, ... ) == 0x0
 00149   420   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x320000), 0x0, 176128, ) == 0x0
 00150   420   NtClose  (40, ... ) == 0x0
 00151   420   NtUnmapViewOfSection  (-1, 0x320000, ... ) == 0x0
 00152   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00153   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00154   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.tmp"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00155   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 36, ) == 0x0
 00156   420   NtQuerySection  (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00157   420   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00158   420   NtQueryInformationToken  (44, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00159   420   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0
 00161   420   NtQueryValueKey  (48,  (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00162   420   NtClose  (48, ... ) == 0x0
 00163   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00164   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00165   420   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00166   420   NtClose  (48, ... ) == 0x0
 00167   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00168   420   NtClose  (44, ... ) == 0x0
 00169   420   NtClose  (40, ... ) == 0x0
 00170   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x320000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00171   420   NtMapViewOfSection  (36, -1, (0x320000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00172   420   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00173   420   NtClose  (36, ... ) == 0x0
 00174   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 8, ) == 0x0
 00175   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 8, ... (0x392000), 4096, 4, ) == 0x0
 00176   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00177   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00178   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00179   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00180   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00181   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00182   420   NtClose  (36, ... ) == 0x0
 00183   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00184   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00185   420   NtClose  (36, ... ) == 0x0
 00186   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 36, ) }, ... 36, ) == 0x0
 00187   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00188   420   NtClose  (36, ... ) == 0x0
 00189   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00190   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00191   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00192   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00193   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00194   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00195   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00196   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00197   420   NtClose  (36, ... ) == 0x0
 00198   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00199   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00200   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00201   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00202   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00203   420   NtClose  (36, ... ) == 0x0
 00204   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00205   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00206   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00207   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00208   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00209   420   NtClose  (36, ... ) == 0x0
 00210   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 36, ) }, ... 36, ) == 0x0
 00211   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00212   420   NtClose  (36, ... ) == 0x0
 00213   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00214   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00215   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00216   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00217   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00218   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00219   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00220   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00221   420   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00222   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0
 00223   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00224   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 36, ... 40, ) == 0x0
 00225   420   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00226   420   NtClose  (36, ... ) == 0x0
 00227   420   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00228   420   NtClose  (40, ... ) == 0x0
 00229   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00231   420   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00232   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == 0x0
 00233   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0
 00234   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 40, ... 36, ) == 0x0
 00235   420   NtQuerySection  (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00236   420   NtClose  (40, ... ) == 0x0
 00237   420   NtMapViewOfSection  (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00238   420   NtClose  (36, ... ) == 0x0
 00239   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00241   420   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == 0x0
 00243   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0
 00244   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 36, ... 40, ) == 0x0
 00245   420   NtQuerySection  (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00246   420   NtClose  (36, ... ) == 0x0
 00247   420   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00248   420   NtClose  (40, ... ) == 0x0
 00249   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00250   420   NtProtectVirtualMemory  (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0
 00251   420   NtFlushInstructionCache  (-1, 3743744, 4096, ... ) == 0x0
 00252   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00253   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 412, 420, 1501, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 412, 420, 1501, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 412, 420, 1501, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00254   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00255   420   NtMapViewOfSection  (40, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4f0000), 0x0, 1060864, ) == 0x0
 00256   420   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00257   420   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00258   420   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00259   420   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00260   420   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00261   420   NtClose  (-2147482020, ... ) == 0x0
 00262   420   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3801088, 4096, ) == 0x0
 00263   420   NtFreeVirtualMemory  (-1, (0x3a0000), 4096, 32768, ... (0x3a0000), 4096, ) == 0x0
 00264   420   NtDuplicateObject  (-1, 44, -1, 0x0, 0, 2, ... 52, ) == 0x0
 00265   420   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00266   420   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267   420   NtClose  (-2147482020, ... ) == 0x0
 00268   420   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00269   420   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   420   NtClose  (-2147482020, ... ) == 0x0
 00271   420   NtQueryDefaultLocale  (0, -135984628, ... ) == 0x0
 00272   420   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00273   420   NtUserCallNoParam  (24, ... ) == 0x0
 00274   420   NtGdiCreateCompatibleDC  (0, ...
 00275   420   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3801088, 4096, ) == 0x0
 00274   420   NtGdiCreateCompatibleDC  ... ) == 0x100103cd
 00276   420   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00277   420   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00278   420   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x13050404
 00279   420   NtGdiCreateSolidBrush  (0, 0, ...
 00280   420   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3866624, 4096, ) == 0x0
 00279   420   NtGdiCreateSolidBrush  ... ) == 0xe10040a
 00281   420   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00282   420   NtGdiCreateCompatibleDC  (0, ... ) == 0x70010383
 00283   420   NtGdiSelectBitmap  (1879114627, 319095812, ... ) == 0x185000f
 00284   420   NtUserGetThreadDesktop  (420, 0, ... ) == 0x30
 00285   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 56, ) == 0x0
 00286   420   NtQueryValueKey  (56,  (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00287   420   NtClose  (56, ... ) == 0x0
 00288   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00289   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 673, 128, 0, ... ) == 0x810ec017
 00290   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00291   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 674, 128, 0, ... ) == 0x810ec01c
 00292   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00293   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 675, 128, 0, ... ) == 0x810ec01e
 00294   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00295   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 676, 128, 0, ... ) == 0x810e8002
 00296   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10013
 00297   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 677, 128, 0, ... ) == 0x810ec018
 00298   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00299   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 678, 128, 0, ... ) == 0x810ec01a
 00300   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00301   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 679, 128, 0, ... ) == 0x810ec01d
 00302   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00303   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 681, 128, 0, ... ) == 0x810ec026
 00304   420   NtUserFindExistingCursorIcon  (1240532, 1240548, 1241116, ... ) == 0x10011
 00305   420   NtUserRegisterClassExWOW  (1241052, 1241132, 1241116, 1241148, 680, 128, 0, ...
 00306   420   NtAllocateVirtualMemory  (-1, 6385664, 0, 4096, 4096, 32, ... 6385664, 4096, ) == 0x0
 00305   420   NtUserRegisterClassExWOW  ... ) == 0x810ec019
 00307   420   NtUserRegisterClassExWOW  (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ... ) == 0x810ec020
 00308   420   NtUserRegisterClassExWOW  (1241004, 1241080, 1241096, 1241068, 0, 130, 0, ... ) == 0x810ec022
 00309   420   NtUserRegisterClassExWOW  (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ... ) == 0x810ec023
 00310   420   NtUserRegisterClassExWOW  (1241004, 1241080, 1241096, 1241068, 0, 130, 0, ... ) == 0x810ec024
 00311   420   NtUserRegisterClassExWOW  (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ... ) == 0x810ec025
 00312   420   NtCallbackReturn  (0, 0, 0, ...
 00313   420   NtGdiInit  (... ) == 0x1
 00314   420   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00315   420   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00316   420   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00317   420   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 56, ) == 0x0
 00318   420   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00319   420   NtClose  (56, ... ) == 0x0
 00320   420   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00321   420   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00322   420   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00323   420   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00324   420   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   420   NtClose  (56, ... ) == 0x0
 00326   420   NtUserSystemParametersInfo  (41, 500, 1242460, 0, ... ) == 0x1
 00327   420   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00328   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00329   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00330   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec03b
 00331   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00332   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec03d
 00333   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00334   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00335   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec03f
 00336   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00337   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00338   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec041
 00339   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00340   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00341   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec043
 00342   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00343   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec045
 00344   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00345   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00346   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec047
 00347   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00348   420   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00349   420   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810ec049
 00350   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00351   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00352   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec04b
 00353   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00354   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00355   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec04d
 00356   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00357   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00358   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec04f
 00359   420   NtUserGetClassInfo  (1999896576, 1242872, 1242824, 1242900, 0, ... ) == 0x0
 00360   420   NtUserRegisterClassExWOW  (1242708, 1242788, 1242772, 1242804, 0, 384, 0, ... ) == 0x810ec051
 00361   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00362   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00363   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec053
 00364   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00365   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00366   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec055
 00367   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec057
 00368   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00369   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00370   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec059
 00371   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00372   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10013
 00373   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec05b
 00374   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00375   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00376   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec05d
 00377   420   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00378   420   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00379   420   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810ec05f
 00380   420   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 56, ) == 0x0
 00381   420   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 60, ) == 0x0
 00382   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 64, ) }, ... 64, ) == 0x0
 00383   420   NtNotifyChangeKey  (64, 60, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00384   420   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00385   420   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0
 00386   420   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00387   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00388   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00389   420   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 76, ) }, ... 76, ) == 0x0
 00390   420   NtQueryValueKey  (76,  (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00391   420   NtClose  (76, ... ) == 0x0
 00392   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00393   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00394   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00395   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00396   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 76, ) }, ... 76, ) == 0x0
 00397   420   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00398   420   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00399   420   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00400   420   NtClose  (76, ... ) == 0x0
 00401   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 76, ) }, ... 76, ) == 0x0
 00402   420   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403   420   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00404   420   NtClose  (76, ... ) == 0x0
 00405   420   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 76, ) }, ... 76, ) == 0x0
 00406   420   NtOpenEvent  (0x1f0003, {24, 76, 0x0, 0, 0,  (0x1f0003, {24, 76, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00407   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00408   420   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3932160, 65536, ) == 0x0
 00409   420   NtAllocateVirtualMemory  (-1, 3932160, 0, 4096, 4096, 4, ... 3932160, 4096, ) == 0x0
 00410   420   NtAllocateVirtualMemory  (-1, 3936256, 0, 8192, 4096, 4, ... 3936256, 8192, ) == 0x0
 00411   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00412   420   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3d0000), 0x0, 12288, ) == 0x0
 00413   420   NtClose  (80, ... ) == 0x0
 00414   420   NtAllocateVirtualMemory  (-1, 3944448, 0, 4096, 4096, 4, ... 3944448, 4096, ) == 0x0
 00415   420   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00416   420   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00417   420   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   420   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00419   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00420   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00421   420   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00422   420   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00423   420   NtQueryVirtualMemory  (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00424   420   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00425   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9437184, 1048576, ) == 0x0
 00426   420   NtAllocateVirtualMemory  (-1, 9437184, 0, 16384, 4096, 4, ... 9437184, 16384, ) == 0x0
 00427   420   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00428   420   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00429   420   NtOpenKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00430   420   NtOpenKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   420   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00432   420   NtQueryInformationToken  (80, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00433   420   NtClose  (80, ... ) == 0x0
 00434   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00435   420   NtReleaseMutant  (16, ...
 00436   420   NtContinue  (-135987064, 0, ...
 00435   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00437   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00438   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00439   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00440   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00441   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00442   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\xka1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00443   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00444   420   NtReleaseMutant  (16, ...
 00445   420   NtContinue  (-135987064, 0, ...
 00444   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00446   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00447   420   NtReleaseMutant  (16, ...
 00448   420   NtContinue  (-135987064, 0, ...
 00447   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00449   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00450   420   NtReleaseMutant  (16, ...
 00451   420   NtContinue  (-135987064, 0, ...
 00450   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00452   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00453   420   NtReleaseMutant  (16, ...
 00454   420   NtContinue  (-135987064, 0, ...
 00453   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00455   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00456   420   NtReleaseMutant  (16, ...
 00457   420   NtContinue  (-135987064, 0, ...
 00456   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00458   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00459   420   NtReleaseMutant  (16, ...
 00460   420   NtContinue  (-135987064, 0, ...
 00459   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00461   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00462   420   NtReleaseMutant  (16, ...
 00463   420   NtContinue  (-135987064, 0, ...
 00462   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00464   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00465   420   NtReleaseMutant  (16, ...
 00466   420   NtContinue  (-135987064, 0, ...
 00465   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00467   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00468   420   NtReleaseMutant  (16, ...
 00469   420   NtContinue  (-135987064, 0, ...
 00468   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00470   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00471   420   NtReleaseMutant  (16, ...
 00472   420   NtContinue  (-135987064, 0, ...
 00471   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00473   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00474   420   NtReleaseMutant  (16, ...
 00475   420   NtContinue  (-135987064, 0, ...
 00474   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00476   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00477   420   NtReleaseMutant  (16, ...
 00478   420   NtContinue  (-135987064, 0, ...
 00477   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00479   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00480   420   NtReleaseMutant  (16, ...
 00481   420   NtContinue  (-135987064, 0, ...
 00480   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00482   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00483   420   NtReleaseMutant  (16, ...
 00484   420   NtContinue  (-135987064, 0, ...
 00483   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00485   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00486   420   NtReleaseMutant  (16, ...
 00487   420   NtContinue  (-135987064, 0, ...
 00486   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00488   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00489   420   NtReleaseMutant  (16, ...
 00490   420   NtContinue  (-135987064, 0, ...
 00489   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00491   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00492   420   NtReleaseMutant  (16, ...
 00493   420   NtContinue  (-135987064, 0, ...
 00492   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00494   420   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00495   420   NtReleaseMutant  (16, ...
 00496   420   NtContinue  (-135987064, 0, ...
 00495   420   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00497   420   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 80, ) == 0x0
 00498   420   NtUserGetDC  (0, ... ) == 0x1010052
 00499   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00500   420   NtUserGetDC  (0, ... ) == 0x1010052
 00501   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00502   420   NtGdiCreatePaletteInternal  (1241872, 16, ... ) == 0x16080381
 00503   420   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00504   420   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00505   420   NtUserFindExistingCursorIcon  (1242268, 1242284, 1242852, ... ) == 0x10003
 00506   420   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\09\0C\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0
 00507   420   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\03\02\00\00\00\00\00\00\00\00\00\01\0A\04\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0
 00508   420   NtUserSystemParametersInfo  (104, 0, 9442428, 0, ... ) == 0x1
 00509   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00510   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10023
 00511   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00512   420   NtUserGetDC  (0, ... ) == 0x1010052
 00513   420   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x805040c
 00514   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00515   420   NtGdiSelectBitmap  (268501965, 134546444, ... ) == 0x185000f
 00516   420   NtGdiGetDCforBitmap  (134546444, ... ) == 0x100103cd
 00517   420   NtGdiSaveDC  (268501965, ... ) == 0x1
 00518   420   NtGdiSelectBitmap  (268501965, 134546444, ... ) == 0x805040c
 00519   420   NtGdiGetDCObject  (268501965, 524288, ... ) == 0x188000b
 00520   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00521   420   NtGdiSetDIBitsToDeviceInternal  (268501965, 0, 0, 32, 64, 0, 0, 0, 64, 3683852, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00522   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00523   420   NtGdiSelectBitmap  (268501965, 134546444, ... ) == 0x805040c
 00524   420   NtGdiRestoreDC  (268501965, -1, ... ) == 0x1
 00525   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0x805040c
 00526   420   NtGdiCreateCompatibleDC  (268501965, ... ) == 0xd0103ff
 00527   420   NtGdiExtGetObjectW  (134546444, 24, 1241324, ... ) == 0x18
 00528   420   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x9050407
 00529   420   NtGdiSelectBitmap  (268501965, 134546444, ... ) == 0x185000f
 00530   420   NtGdiSelectBitmap  (218170367, 151323655, ... ) == 0x185000f
 00531   420   NtGdiBitBlt  (218170367, 0, 0, 32, 64, 268501965, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00532   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0x805040c
 00533   420   NtGdiSelectBitmap  (218170367, 25493519, ... ) == 0x9050407
 00534   420   NtGdiDeleteObjectApp  (134546444, ... ) == 0x1
 00535   420   NtGdiDeleteObjectApp  (218170367, ... ) == 0x1
 00536   420   NtUserCallOneParam  (0, 33, ... ) == 0x20075
 00537   420   NtUserSetCursorIconData  (131189, 1241432, 1241448, 1242028, ... ) == 0x1
 00538   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10029
 00539   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10027
 00540   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10025
 00541   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00542   420   NtUserGetDC  (0, ... ) == 0x1010052
 00543   420   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xa05040b
 00544   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00545   420   NtGdiSelectBitmap  (268501965, 168100875, ... ) == 0x185000f
 00546   420   NtGdiGetDCforBitmap  (168100875, ... ) == 0x100103cd
 00547   420   NtGdiSaveDC  (268501965, ... ) == 0x1
 00548   420   NtGdiSelectBitmap  (268501965, 168100875, ... ) == 0xa05040b
 00549   420   NtGdiGetDCObject  (268501965, 524288, ... ) == 0x188000b
 00550   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00551   420   NtGdiSetDIBitsToDeviceInternal  (268501965, 0, 0, 32, 64, 0, 0, 0, 64, 3684160, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00552   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00553   420   NtGdiSelectBitmap  (268501965, 168100875, ... ) == 0xa05040b
 00554   420   NtGdiRestoreDC  (268501965, -1, ... ) == 0x1
 00555   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0xa05040b
 00556   420   NtGdiCreateCompatibleDC  (268501965, ... ) == 0xa01040c
 00557   420   NtGdiExtGetObjectW  (168100875, 24, 1241324, ... ) == 0x18
 00558   420   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xb050408
 00559   420   NtGdiSelectBitmap  (268501965, 168100875, ... ) == 0x185000f
 00560   420   NtGdiSelectBitmap  (167838732, 184878088, ... ) == 0x185000f
 00561   420   NtGdiBitBlt  (167838732, 0, 0, 32, 64, 268501965, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00562   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0xa05040b
 00563   420   NtGdiSelectBitmap  (167838732, 25493519, ... ) == 0xb050408
 00564   420   NtGdiDeleteObjectApp  (168100875, ... ) == 0x1
 00565   420   NtGdiDeleteObjectApp  (167838732, ... ) == 0x1
 00566   420   NtUserCallOneParam  (0, 33, ... ) == 0x20091
 00567   420   NtUserSetCursorIconData  (131217, 1241432, 1241448, 1242028, ... ) == 0x1
 00568   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00569   420   NtUserGetDC  (0, ... ) == 0x1010052
 00570   420   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xf0503ff
 00571   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00572   420   NtGdiSelectBitmap  (268501965, 251986943, ... ) == 0x185000f
 00573   420   NtGdiGetDCforBitmap  (251986943, ... ) == 0x100103cd
 00574   420   NtGdiSaveDC  (268501965, ... ) == 0x1
 00575   420   NtGdiSelectBitmap  (268501965, 251986943, ... ) == 0xf0503ff
 00576   420   NtGdiGetDCObject  (268501965, 524288, ... ) == 0x188000b
 00577   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00578   420   NtGdiSetDIBitsToDeviceInternal  (268501965, 0, 0, 32, 64, 0, 0, 0, 64, 3684468, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00579   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00580   420   NtGdiSelectBitmap  (268501965, 251986943, ... ) == 0xf0503ff
 00581   420   NtGdiRestoreDC  (268501965, -1, ... ) == 0x1
 00582   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0xf0503ff
 00583   420   NtGdiCreateCompatibleDC  (268501965, ... ) == 0xc01040b
 00584   420   NtGdiExtGetObjectW  (251986943, 24, 1241324, ... ) == 0x18
 00585   420   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x8050405
 00586   420   NtGdiSelectBitmap  (268501965, 251986943, ... ) == 0x185000f
 00587   420   NtGdiSelectBitmap  (201393163, 134546437, ... ) == 0x185000f
 00588   420   NtGdiBitBlt  (201393163, 0, 0, 32, 64, 268501965, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00589   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0xf0503ff
 00590   420   NtGdiSelectBitmap  (201393163, 25493519, ... ) == 0x8050405
 00591   420   NtGdiDeleteObjectApp  (251986943, ... ) == 0x1
 00592   420   NtGdiDeleteObjectApp  (201393163, ... ) == 0x1
 00593   420   NtUserCallOneParam  (0, 33, ... ) == 0x20069
 00594   420   NtUserSetCursorIconData  (131177, 1241432, 1241448, 1242028, ... ) == 0x1
 00595   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00596   420   NtUserGetDC  (0, ... ) == 0x1010052
 00597   420   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xc05040c
 00598   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00599   420   NtGdiSelectBitmap  (268501965, 201655308, ... ) == 0x185000f
 00600   420   NtGdiGetDCforBitmap  (201655308, ... ) == 0x100103cd
 00601   420   NtGdiSaveDC  (268501965, ... ) == 0x1
 00602   420   NtGdiSelectBitmap  (268501965, 201655308, ... ) == 0xc05040c
 00603   420   NtGdiGetDCObject  (268501965, 524288, ... ) == 0x188000b
 00604   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00605   420   NtGdiSetDIBitsToDeviceInternal  (268501965, 0, 0, 32, 64, 0, 0, 0, 64, 3684776, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00606   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00607   420   NtGdiSelectBitmap  (268501965, 201655308, ... ) == 0xc05040c
 00608   420   NtGdiRestoreDC  (268501965, -1, ... ) == 0x1
 00609   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0xc05040c
 00610   420   NtGdiCreateCompatibleDC  (268501965, ... ) == 0x110103ff
 00611   420   NtGdiExtGetObjectW  (201655308, 24, 1241324, ... ) == 0x18
 00612   420   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x8050406
 00613   420   NtGdiSelectBitmap  (268501965, 201655308, ... ) == 0x185000f
 00614   420   NtGdiSelectBitmap  (285279231, 134546438, ... ) == 0x185000f
 00615   420   NtGdiBitBlt  (285279231, 0, 0, 32, 64, 268501965, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00616   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0xc05040c
 00617   420   NtGdiSelectBitmap  (285279231, 25493519, ... ) == 0x8050406
 00618   420   NtGdiDeleteObjectApp  (201655308, ... ) == 0x1
 00619   420   NtGdiDeleteObjectApp  (285279231, ... ) == 0x1
 00620   420   NtUserCallOneParam  (0, 33, ... ) == 0x2006b
 00621   420   NtUserSetCursorIconData  (131179, 1241432, 1241448, 1242028, ... ) == 0x1
 00622   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00623   420   NtUserGetDC  (0, ... ) == 0x1010052
 00624   420   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xe05040b
 00625   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00626   420   NtGdiSelectBitmap  (268501965, 235209739, ... ) == 0x185000f
 00627   420   NtGdiGetDCforBitmap  (235209739, ... ) == 0x100103cd
 00628   420   NtGdiSaveDC  (268501965, ... ) == 0x1
 00629   420   NtGdiSelectBitmap  (268501965, 235209739, ... ) == 0xe05040b
 00630   420   NtGdiGetDCObject  (268501965, 524288, ... ) == 0x188000b
 00631   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00632   420   NtGdiSetDIBitsToDeviceInternal  (268501965, 0, 0, 32, 64, 0, 0, 0, 64, 3685084, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00633   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00634   420   NtGdiSelectBitmap  (268501965, 235209739, ... ) == 0xe05040b
 00635   420   NtGdiRestoreDC  (268501965, -1, ... ) == 0x1
 00636   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0xe05040b
 00637   420   NtGdiCreateCompatibleDC  (268501965, ... ) == 0xe01040c
 00638   420   NtGdiExtGetObjectW  (235209739, 24, 1241324, ... ) == 0x18
 00639   420   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xb0503e2
 00640   420   NtGdiSelectBitmap  (268501965, 235209739, ... ) == 0x185000f
 00641   420   NtGdiSelectBitmap  (234947596, 184878050, ... ) == 0x185000f
 00642   420   NtGdiBitBlt  (234947596, 0, 0, 32, 64, 268501965, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00643   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0xe05040b
 00644   420   NtGdiSelectBitmap  (234947596, 25493519, ... ) == 0xb0503e2
 00645   420   NtGdiDeleteObjectApp  (235209739, ... ) == 0x1
 00646   420   NtGdiDeleteObjectApp  (234947596, ... ) == 0x1
 00647   420   NtUserCallOneParam  (0, 33, ... ) == 0x300a7
 00648   420   NtUserSetCursorIconData  (196775, 1241432, 1241448, 1242028, ... ) == 0x1
 00649   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00650   420   NtUserGetDC  (0, ... ) == 0x1010052
 00651   420   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x130503ff
 00652   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00653   420   NtGdiSelectBitmap  (268501965, 319095807, ... ) == 0x185000f
 00654   420   NtGdiGetDCforBitmap  (319095807, ... ) == 0x100103cd
 00655   420   NtGdiSaveDC  (268501965, ... ) == 0x1
 00656   420   NtGdiSelectBitmap  (268501965, 319095807, ... ) == 0x130503ff
 00657   420   NtGdiGetDCObject  (268501965, 524288, ... ) == 0x188000b
 00658   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00659   420   NtGdiSetDIBitsToDeviceInternal  (268501965, 0, 0, 32, 64, 0, 0, 0, 64, 3685700, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00660   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00661   420   NtGdiSelectBitmap  (268501965, 319095807, ... ) == 0x130503ff
 00662   420   NtGdiRestoreDC  (268501965, -1, ... ) == 0x1
 00663   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0x130503ff
 00664   420   NtGdiCreateCompatibleDC  (268501965, ... ) == 0x1001040b
 00665   420   NtGdiExtGetObjectW  (319095807, 24, 1241324, ... ) == 0x18
 00666   420   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x140503ed
 00667   420   NtGdiSelectBitmap  (268501965, 319095807, ... ) == 0x185000f
 00668   420   NtGdiSelectBitmap  (268502027, 335873005, ... ) == 0x185000f
 00669   420   NtGdiBitBlt  (268502027, 0, 0, 32, 64, 268501965, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00670   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0x130503ff
 00671   420   NtGdiSelectBitmap  (268502027, 25493519, ... ) == 0x140503ed
 00672   420   NtGdiDeleteObjectApp  (319095807, ... ) == 0x1
 00673   420   NtGdiDeleteObjectApp  (268502027, ... ) == 0x1
 00674   420   NtUserCallOneParam  (0, 33, ... ) == 0x300a5
 00675   420   NtUserSetCursorIconData  (196773, 1241432, 1241448, 1242028, ... ) == 0x1
 00676   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00677   420   NtUserGetDC  (0, ... ) == 0x1010052
 00678   420   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1005040c
 00679   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00680   420   NtGdiSelectBitmap  (268501965, 268764172, ... ) == 0x185000f
 00681   420   NtGdiGetDCforBitmap  (268764172, ... ) == 0x100103cd
 00682   420   NtGdiSaveDC  (268501965, ... ) == 0x1
 00683   420   NtGdiSelectBitmap  (268501965, 268764172, ... ) == 0x1005040c
 00684   420   NtGdiGetDCObject  (268501965, 524288, ... ) == 0x188000b
 00685   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00686   420   NtGdiSetDIBitsToDeviceInternal  (268501965, 0, 0, 32, 64, 0, 0, 0, 64, 3685392, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00687   420   NtUserSelectPalette  (268501965, 25690123, 0, ... ) == 0x188000b
 00688   420   NtGdiSelectBitmap  (268501965, 268764172, ... ) == 0x1005040c
 00689   420   NtGdiRestoreDC  (268501965, -1, ... ) == 0x1
 00690   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0x1005040c
 00691   420   NtGdiCreateCompatibleDC  (268501965, ... ) == 0x150103ff
 00692   420   NtGdiExtGetObjectW  (268764172, 24, 1241324, ... ) == 0x18
 00693   420   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xe0503e4
 00694   420   NtGdiSelectBitmap  (268501965, 268764172, ... ) == 0x185000f
 00695   420   NtGdiSelectBitmap  (352388095, 235209700, ... ) == 0x185000f
 00696   420   NtGdiBitBlt  (352388095, 0, 0, 32, 64, 268501965, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00697   420   NtGdiSelectBitmap  (268501965, 25493519, ... ) == 0x1005040c
 00698   420   NtGdiSelectBitmap  (352388095, 25493519, ... ) == 0xe0503e4
 00699   420   NtGdiDeleteObjectApp  (268764172, ... ) == 0x1
 00700   420   NtGdiDeleteObjectApp  (352388095, ... ) == 0x1
 00701   420   NtUserCallOneParam  (0, 33, ... ) == 0x300a3
 00702   420   NtUserSetCursorIconData  (196771, 1241432, 1241448, 1242028, ... ) == 0x1
 00703   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10015
 00704   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10019
 00705   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001f
 00706   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001b
 00707   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10021
 00708   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001d
 00709   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10013
 00710   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10017
 00711   420   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00712   420   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00713   420   NtUserGetDC  (0, ... ) == 0x1010052
 00714   420   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00715   420   NtUserEnumDisplayMonitors  (0, 0, 3408484, 9443008, ... ) == 0x1
 00716   420   NtUserSystemParametersInfo  (31, 60, 1241588, 0, ... ) == 0x1
 00717   420   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329296, ... ) == 0x160a03ff
 00718   420   NtGdiExtGetObjectW  (369755135, 420, 1241808, ... ) == 0x164
 00719   420   NtUserSystemParametersInfo  (41, 0, 1241788, 0, ... ) == 0x1
 00720   420   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329288, ... ) == 0x120a040b
 00721   420   NtGdiExtGetObjectW  (302646283, 420, 1241808, ... ) == 0x164
 00722   420   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329280, ... ) == 0x110a040c
 00723   420   NtGdiExtGetObjectW  (285869068, 420, 1241808, ... ) == 0x164
 00724   420   NtUserFindExistingCursorIcon  (1241896, 1241912, 1242480, ... ) == 0x0
 00725   420   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 4063232, 4096, ) == 0x0
 00726   420   NtUserGetKeyboardLayoutList  (64, 1242468, ... ) == 0x1
 00727   420   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0cc
 00728   420   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0cd
 00729   420   NtOpenMutant  (0x1f0001, {24, 76, 0x0, 0, 0,  (0x1f0001, {24, 76, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00730   420   NtUserSetWindowsHookEx  (3276800, 1243796, 0, 4, 3284668, 2, ... ) == 0x200a1
 00731   420   NtContinue  (1244400, 0, ...
 00732   420   NtAllocateVirtualMemory  (-1, 0, 0, 2395, 4096, 64, ... 4128768, 4096, ) == 0x0
 00733   420   NtAllocateVirtualMemory  (-1, 0, 0, 26112, 4096, 64, ... 10485760, 28672, ) == 0x0
 00734   420   NtFreeVirtualMemory  (-1, (0xa00000), 0, 32768, ... (0xa00000), 28672, ) == 0x0
 00735   420   NtFreeVirtualMemory  (-1, (0x3f0144), 0, 32768, ... (0x3f0000), 4096, ) == 0x0
 00736   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00737   420   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4128768, 65536, ) == 0x0
 00738   420   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 00739   420   NtAllocateVirtualMemory  (-1, 4132864, 0, 20480, 4096, 4, ... 4132864, 20480, ) == 0x0
 00740   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10485760, 1048576, ) == 0x0
 00741   420   NtAllocateVirtualMemory  (-1, 10485760, 0, 32768, 4096, 4, ... 10485760, 32768, ) == 0x0
 00742   420   NtCreateMutant  (0x1f0001, {24, 76, 0x80, 0, 0,  (0x1f0001, {24, 76, 0x80, 0, 0, "Jobaka3"}, 0, ... 84, ) }, 0, ... 84, ) == 0x0
 00743   420   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 00744   420   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00745   420   NtQueryValueKey  (88,  (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00746   420   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00747   420   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... 96, ) }, ... 96, ) == 0x0
 00748   420   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00749   420   NtNotifyChangeKey  (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00750   420   NtQueryValueKey  (96,  (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00751   420   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00752   420   NtQueryValueKey  (96,  (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00753   420   NtQueryValueKey  (96,  (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00754   420   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0
 00755   420   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00756   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0
 00757   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00758   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00759   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\370\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\371\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\372\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\370\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\371\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\372\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\370\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\371\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\372\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00760   420   NtClose  (104, ... ) == 0x0
 00761   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0
 00762   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00763   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00764   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\375\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\375\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\376\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\377\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\375\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\375\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\376\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\377\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\375\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\375\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\376\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\377\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00765   420   NtClose  (104, ... ) == 0x0
 00766   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0
 00767   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00768   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00769   420   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00770   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\3\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\4\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\5\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\3\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\4\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\5\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\3\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\4\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\5\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00771   420   NtClose  (104, ... ) == 0x0
 00772   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 104, ) }, ... 104, ) == 0x0
 00773   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00774   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00775   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\10\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\10\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\11\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\12\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\10\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\10\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\11\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\12\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\10\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\10\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\11\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\12\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00776   420   NtClose  (104, ... ) == 0x0
 00777   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 104, ) }, ... 104, ) == 0x0
 00778   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00779   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00780   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\15\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\15\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\16\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\17\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\15\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\15\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\16\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\17\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\15\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\15\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\16\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\17\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00781   420   NtClose  (104, ... ) == 0x0
 00782   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 104, ) }, ... 104, ) == 0x0
 00783   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00784   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00785   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\22\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\22\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\23\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\24\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\22\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\22\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\23\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\24\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\22\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\22\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\23\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\24\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00786   420   NtClose  (104, ... ) == 0x0
 00787   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 104, ) }, ... 104, ) == 0x0
 00788   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00789   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00790   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\27\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\27\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\30\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\31\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\31\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\32\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\27\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\27\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\30\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\31\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\31\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\32\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\31\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\32\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\27\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\27\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\30\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\31\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\31\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\32\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00791   420   NtClose  (104, ... ) == 0x0
 00792   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 104, ) }, ... 104, ) == 0x0
 00793   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00794   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00795   420   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00796   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\35\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\36\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\37\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\35\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\36\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\37\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\35\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\36\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\37\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00797   420   NtClose  (104, ... ) == 0x0
 00798   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 104, ) }, ... 104, ) == 0x0
 00799   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00800   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00801   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0"\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0#\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0"\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0#\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0"\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0#\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0"\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0#\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00802   420   NtClose  (104, ... ) == 0x0
 00803   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0
 00804   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00805   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00806   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0'\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0'\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0(\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0)\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0'\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0'\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0(\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0)\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0'\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0'\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0(\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0)\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00807   420   NtClose  (104, ... ) == 0x0
 00808   420   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0
 00809   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00810   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00811   420   NtQueryValueKey  (104,  (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0,\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0,\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0-\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0-\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\3\0\0\234\1\0\0\244\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.\3\0\0\234\1\0\0\244\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0/\3\0\0\234\1\0\0\244\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0/\3\0\0\234\1\0\0\244\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\00\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\214\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hm\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0,\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0,\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0-\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0-\3\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\3\0\0\234\1\0\0\244\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.\3\0\0\234\1\0\0\244\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0/\3\0\0\234\1\0\0\244\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0/\3\0\0\234\1\0\0\244\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\00\3\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\214\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hm\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 00812   420   NtClose  (104, ... ) == 0x0
 00813   420   NtClose  (100, ... ) == 0x0
 00814   420   NtWaitForSingleObject  (92, 0, {0, 0}, ... ) == 0x102
 00815   420   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0
 00816   420   NtOpenKey  (0x2000000, {24, 88, 0x40, 0, 0,  (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 104, ) }, ... 104, ) == 0x0
 00817   420   NtQueryValueKey  (104,  (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00818   420   NtNotifyChangeKey  (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00819   420   NtQueryValueKey  (104,  (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00820   420   NtOpenKey  (0x2000000, {24, 104, 0x40, 0, 0,  (0x2000000, {24, 104, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821   420   NtQueryValueKey  (104,  (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 00822   420   NtOpenKey  (0x2000000, {24, 104, 0x40, 0, 0,  (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 108, ) }, ... 108, ) == 0x0
 00823   420   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "000000000001"}, ... 112, ) }, ... 112, ) == 0x0
 00824   420   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00825   420   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00826   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00827   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00828   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00829   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00830   420   NtQueryValueKey  (112,  (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00831   420   NtQueryValueKey  (112,  (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00832   420   NtQueryValueKey  (112,  (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00833   420   NtQueryValueKey  (112,  (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00834   420   NtQueryValueKey  (112,  (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00835   420   NtQueryValueKey  (112,  (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00836   420   NtClose  (112, ... ) == 0x0
 00837   420   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 00838   420   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "000000000002"}, ... 112, ) }, ... 112, ) == 0x0
 00839   420   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00840   420   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00841   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00842   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00843   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00844   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00845   420   NtQueryValueKey  (112,  (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00846   420   NtQueryValueKey  (112,  (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00847   420   NtQueryValueKey  (112,  (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00848   420   NtQueryValueKey  (112,  (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00849   420   NtQueryValueKey  (112,  (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00850   420   NtQueryValueKey  (112,  (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00851   420   NtClose  (112, ... ) == 0x0
 00852   420   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "000000000003"}, ... 112, ) }, ... 112, ) == 0x0
 00853   420   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00854   420   NtQueryValueKey  (112,  (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00855   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00856   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00857   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00858   420   NtQueryValueKey  (112,  (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00859   420   NtQueryValueKey  (112,  (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00860   420   NtQueryValueKey  (112,  (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00861   420   NtQueryValueKey  (112,  (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00862   420   NtQueryValueKey  (112,  (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00863   420   NtQueryValueKey  (112,  (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00864   420   NtQueryValueKey  (112,  (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00865   420   NtClose  (112, ... ) == 0x0
 00866   420   NtClose  (108, ... ) == 0x0
 00867   420   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 00868   420   NtClose  (88, ... ) == 0x0
 00869   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00870   420   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00871   420   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0
 00872   420   NtQueryValueKey  (88,  (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   420   NtClose  (88, ... ) == 0x0
 00874   420   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0
 00875   420   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241680,  (0x80100080, {24, 0, 0x40, 0, 1241680, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
 00876   420   NtQueryInformationFile  (108, 1242616, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00877   420   NtQueryInformationFile  (108, 1242588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00878   420   NtQueryInformationFile  (108, 1242540, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00879   420   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 00880   420   NtQueryInformationFile  (108, 1353704, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00881   420   NtQueryInformationFile  (108, 1241084, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00882   420   NtQueryInformationFile  (108, 1240928, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00883   420   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240936,  (0x40110080, {24, 0, 0x40, 0, 1240936, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00884   420   NtClose  (-2147482020, ... ) == 0x0
 00883   420   NtCreateFile  ... 112, {status=0x0, info=2}, ) == 0x0
 00885   420   NtQueryVolumeInformationFile  (112, 1240308, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00886   420   NtQueryInformationFile  (112, 1240268, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00887   420   NtQueryVolumeInformationFile  (108, 1240308, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00888   420   NtQueryVolumeInformationFile  (108, 1239992, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00889   420   NtSetInformationFile  (112, 1240096, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00890   420   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 108, ... 116, ) == 0x0
 00891   420   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb00000), {0, 0}, 196608, ) == 0x0
 00892   420   NtClose  (116, ... ) == 0x0
 00893   420   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\3\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00894   420   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\330R\247XNU\263\374\277\260j\215\266;\377\30\334|\17\3248\21\325d\263\254\266\340K\222\364B\260\252\263\257\265\342e\34R\26\261\301\320\311o\3Bw\21\256\0W\246\10O\246Ghbf'\16\20\246\362\255\27v9\313\177\332\365XW\233\243\243\322L\307\16J\2530\304#\303\16l\262\357K\307\222\7\260\7=\267\330\332\224r?O\332\2153\203\22Ff\17_\315\320\224\352\355\202\214=\331 \231\\372\7\256\352\255\30B\346\345\215\365\362\303\245\241\371\273xRa\227\332:\3063\224\37\242,\205\365\16\255>`\246V6\265\227\265\244\26\253\246V-\365d\243\26g\23\352vwq\352\225\32\114\36\0W\24=\222i\244\375\14\356\6\311\272\366*q\272\277X!\226]\27Lt\353\37"\363\347*\16Hin\35\215\254s\23\227\6u*5/\356\26\310\2\6!g\3030\11\234d\203`\370\35*\354\246\232\362\266\3062rj\210\372\12\327w\221\304K\10{f\304.\337%\32\307\255\266C\271\263,$F=\30\375\217\301\354\260\304\303'\207\302\261t\7\27\362\2\314\246\362\330TY\363\374\314\316\37\22\177\221\272\333X\215\207[\11\346:,\212\330\36j5\276\277\213\320(\353P\326\263\32\214?\257\372\302\5RC\36X\4\370\331\244\271\;6\343\207\271?\270\244\20\353o[\25\341\363\367\3\317\334\27\32O\356\213\254g\332Sh\367?Wk\31\354\215w\321\264*\13\240zM.6\361\260S\272\11\13\177\247\267b\306\21\202\235k\267{\333\354\36o5Z\204\2\275\25\216\217GA\344v+6S\301}Z\11U4\253|~~\7}`W\23'\373\364\345\272\13`\345\22C\203%#\223=\267\277?:\371\235\33x\337\254<\0\321R\367\242\227&\364\14\302\227\263\251", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \363\347*\16Hin\35\215\254s\23\227\6u*5/\356\26\310\2\6!g\3030\11\234d\203`\370\35*\354\246\232\362\266\3062rj\210\372\12\327w\221\304K\10{f\304.\337%\32\307\255\266C\271\263,$F=\30\375\217\301\354\260\304\303'\207\302\261t\7\27\362\2\314\246\362\330TY\363\374\314\316\37\22\177\221\272\333X\215\207[\11\346:,\212\330\36j5\276\277\213\320(\353P\326\263\32\214?\257\372\302\5RC\36X\4\370\331\244\271\;6\343\207\271?\270\244\20\353o[\25\341\363\367\3\317\334\27\32O\356\213\254g\332Sh\367?Wk\31\354\215w\321\264*\13\240zM.6\361\260S\272\11\13\177\247\267b\306\21\202\235k\267{\333\354\36o5Z\204\2\275\25\216\217GA\344v+6S\301}Z\11U4\253|~~\7}`W\23'\373\364\345\272\13`\345\22C\203%#\223=\267\277?:\371\235\33x\337\254<\0\321R\367\242\227&\364\14\302\227\263\251", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00895   420   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "=|\360\364\2363kk\367\205\55\256\33O\0\4R_\201\6s?\336\245\241\241\200\276\256H\334\306$\370=\24\226=\10S\376\371\31\265\32\313J2?\222w\247n\275\200\260\275\206\14J%s\222Vi[<\271\3629\0\204\322?\256\16\177\4!\\207O\30\272Dt \267q\14E\255\246\24\312\23\256\364\5\267\243\370K\354yd\2\340\244\14\12\106\313\2039\303F\31\217\35\32X/\346a\317\254\200W\303\224X\324P5\325TPC:\342P\0JGRgec\233\226(\312\365\37\316\27\260\234\36\327\202k>\303z6\317\205D\321\2122w\327\246\363T\266=\21\345\30\334\330;\233\316\213\357\207\267mkq\270\21\277\347u\307\350ej57\377\363\17\363qe@\235\226~\3m\234\253\314_\\33\203\7V=\277a \241\207\242\310L\227sY\2520+\323\362M?/\244\200\13\27\1\0D\36\7\347NV\344\244\322;=\303\206\244\\216\227\327\341\16\234\31\200\3\224\230\21\351\255\301\7\245\265r\23\316Z4\14\305\13\201\27\24\33216\261\337\1d$\265\267\242\26fA\245\347\333<\32\231\205w\13\235Vkg\274\7\231\232\322&\257\216\2053\22\243\230\314d\222\33\363\210v\244\321\211\4\4\210e<\244\37t\312\353O\233\4ZE\225\13\2n\364\310\313\x/\320\206\372\213\37\367\353p\24\244G(M\225\265\373\2\331\370\374\372\5\366\204\333\5\320\17\254_o", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \234\36\327\202k>\303z6\317\205D\321\2122w\327\246\363T\266=\21\345\30\334\330;\233\316\213\357\207\267mkq\270\21\277\347u\307\350ej57\377\363\17\363qe@\235\226~\3m\234\253\314_\\33\203\7V=\277a \241\207\242\310L\227sY\2520+\323\362M?/\244\200\13\27\1\0D\36\7\347NV\344\244\322;=\303\206\244\\216\227\327\341\16\234\31\200\3\224\230\21\351\255\301\7\245\265r\23\316Z4\14\305\13\201\27\24\33216\261\337\1d$\265\267\242\26fA\245\347\333<\32\231\205w\13\235Vkg\274\7\231\232\322&\257\216\2053\22\243\230\314d\222\33\363\210v\244\321\211\4\4\210e<\244\37t\312\353O\233\4ZE\225\13\2n\364\310\313\x/\320\206\372\213\37\367\353p\24\244G(M\225\265\373\2\331\370\374\372\5\366\204\333\5\320\17\254_o", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00896   420   NtWriteFile  (112, 0, 0, 0,  (112, 0, 0, 0, "\233\212\256\271\357\267\205\360\340\266\303d5\267\261\377\341\23\265\262\23\260\1\21&\266\231\337a\2400p\7\366T\377\350j\177\261\347\335\265E4\255G\27\26\271\234YI\276\346L\277"_\372\250\371\2451G#\321\34Zr\274\17>\214z\377\250B\254\30\13'\341"\3\\271\333\203\244l\30\360\376\5V\231\362\277\352iU/o\257Q\2019\346\243%\316\372\204\13\32>\272\13\303\27G\3479\10JY\25\1\207m\121V\304\20\37\35708\324\354\374\350!\236\360-\264\377\368F\321\1\1\200\241,9\242\313\361\377\0O\277z\305\240S\30F\220\1?5G\374\27\231\255\13`5\354\5\212\376\225+l\245\217\3\355\355\332p;\256\244\16\4\33\257\22\10\244\332\201\350IH\263\225\252\341\32==\237\212<\240\317"\17\271\2557.\201+>\30\210.&\34\241\237\321\201\276\271\3W\320\240#\350\275\254\374\364\357\275\32\347\206@\229\364\10(\11\215\222\346\0\331G\377HNGQ\25]\327\204\347\242\266\14\317\351\271\360f\267\246\16\212\261\217\35x\233\2\13~\225\270\205\17\361^\31g\255H\322\312\264`m\20\303\2053v\252\236\17\305\251\357\13\366\331G\366\15\364\247\36\275\334Al\250\377\10W\271\367\222UM\262ZuA\257\26\276\253\262B\15m\222\370\222?\253"\177 \2\25\347\324y\360\222m\301\203\31[G\341\24,\225"\6\216\335\350\3503\2377r\235\360\17\10\226\262>>\231\236\245\36\315\36\207"\\265\324\265%\227H\30\266\10[\242\0\232\12:\363\226\315\33\266\235\247\223IH\2\220\245\274B\2\177\255v1\227\336B\221F.\2\250tu\306\341\251\223\2\7\366\372/\234\275#\5\26\204\222\333\15\351O\12\0\271\247v\2\260\272\215\261\277\5\257FHB", 9180, 0x0, 0, ... {status=0x0, info=9180}, ) _\372\250\371\2451G#\321\34Zr\274\17>\214z\377\250B\254\30\13'\341 (112, 0, 0, 0, "\233\212\256\271\357\267\205\360\340\266\303d5\267\261\377\341\23\265\262\23\260\1\21&\266\231\337a\2400p\7\366T\377\350j\177\261\347\335\265E4\255G\27\26\271\234YI\276\346L\277"_\372\250\371\2451G#\321\34Zr\274\17>\214z\377\250B\254\30\13'\341"\3\\271\333\203\244l\30\360\376\5V\231\362\277\352iU/o\257Q\2019\346\243%\316\372\204\13\32>\272\13\303\27G\3479\10JY\25\1\207m\121V\304\20\37\35708\324\354\374\350!\236\360-\264\377\368F\321\1\1\200\241,9\242\313\361\377\0O\277z\305\240S\30F\220\1?5G\374\27\231\255\13`5\354\5\212\376\225+l\245\217\3\355\355\332p;\256\244\16\4\33\257\22\10\244\332\201\350IH\263\225\252\341\32==\237\212<\240\317"\17\271\2557.\201+>\30\210.&\34\241\237\321\201\276\271\3W\320\240#\350\275\254\374\364\357\275\32\347\206@\229\364\10(\11\215\222\346\0\331G\377HNGQ\25]\327\204\347\242\266\14\317\351\271\360f\267\246\16\212\261\217\35x\233\2\13~\225\270\205\17\361^\31g\255H\322\312\264`m\20\303\2053v\252\236\17\305\251\357\13\366\331G\366\15\364\247\36\275\334Al\250\377\10W\271\367\222UM\262ZuA\257\26\276\253\262B\15m\222\370\222?\253"\177 \2\25\347\324y\360\222m\301\203\31[G\341\24,\225"\6\216\335\350\3503\2377r\235\360\17\10\226\262>>\231\236\245\36\315\36\207"\\265\324\265%\227H\30\266\10[\242\0\232\12:\363\226\315\33\266\235\247\223IH\2\220\245\274B\2\177\255v1\227\336B\221F.\2\250tu\306\341\251\223\2\7\366\372/\234\275#\5\26\204\222\333\15\351O\12\0\271\247v\2\260\272\215\261\277\5\257FHB", 9180, 0x0, 0, ... {status=0x0, info=9180}, ) \17\271\2557.\201+>\30\210.&\34\241\237\321\201\276\271\3W\320\240#\350\275\254\374\364\357\275\32\347\206@\229\364\10(\11\215\222\346\0\331G\377HNGQ\25]\327\204\347\242\266\14\317\351\271\360f\267\246\16\212\261\217\35x\233\2\13~\225\270\205\17\361^\31g\255H\322\312\264`m\20\303\2053v\252\236\17\305\251\357\13\366\331G\366\15\364\247\36\275\334Al\250\377\10W\271\367\222UM\262ZuA\257\26\276\253\262B\15m\222\370\222?\253 (112, 0, 0, 0, "\233\212\256\271\357\267\205\360\340\266\303d5\267\261\377\341\23\265\262\23\260\1\21&\266\231\337a\2400p\7\366T\377\350j\177\261\347\335\265E4\255G\27\26\271\234YI\276\346L\277"_\372\250\371\2451G#\321\34Zr\274\17>\214z\377\250B\254\30\13'\341"\3\\271\333\203\244l\30\360\376\5V\231\362\277\352iU/o\257Q\2019\346\243%\316\372\204\13\32>\272\13\303\27G\3479\10JY\25\1\207m\121V\304\20\37\35708\324\354\374\350!\236\360-\264\377\368F\321\1\1\200\241,9\242\313\361\377\0O\277z\305\240S\30F\220\1?5G\374\27\231\255\13`5\354\5\212\376\225+l\245\217\3\355\355\332p;\256\244\16\4\33\257\22\10\244\332\201\350IH\263\225\252\341\32==\237\212<\240\317"\17\271\2557.\201+>\30\210.&\34\241\237\321\201\276\271\3W\320\240#\350\275\254\374\364\357\275\32\347\206@\229\364\10(\11\215\222\346\0\331G\377HNGQ\25]\327\204\347\242\266\14\317\351\271\360f\267\246\16\212\261\217\35x\233\2\13~\225\270\205\17\361^\31g\255H\322\312\264`m\20\303\2053v\252\236\17\305\251\357\13\366\331G\366\15\364\247\36\275\334Al\250\377\10W\271\367\222UM\262ZuA\257\26\276\253\262B\15m\222\370\222?\253"\177 \2\25\347\324y\360\222m\301\203\31[G\341\24,\225"\6\216\335\350\3503\2377r\235\360\17\10\226\262>>\231\236\245\36\315\36\207"\\265\324\265%\227H\30\266\10[\242\0\232\12:\363\226\315\33\266\235\247\223IH\2\220\245\274B\2\177\255v1\227\336B\221F.\2\250tu\306\341\251\223\2\7\366\372/\234\275#\5\26\204\222\333\15\351O\12\0\271\247v\2\260\272\215\261\277\5\257FHB", 9180, 0x0, 0, ... {status=0x0, info=9180}, ) \6\216\335\350\3503\2377r\235\360\17\10\226\262>>\231\236\245\36\315\36\207 (112, 0, 0, 0, "\233\212\256\271\357\267\205\360\340\266\303d5\267\261\377\341\23\265\262\23\260\1\21&\266\231\337a\2400p\7\366T\377\350j\177\261\347\335\265E4\255G\27\26\271\234YI\276\346L\277"_\372\250\371\2451G#\321\34Zr\274\17>\214z\377\250B\254\30\13'\341"\3\\271\333\203\244l\30\360\376\5V\231\362\277\352iU/o\257Q\2019\346\243%\316\372\204\13\32>\272\13\303\27G\3479\10JY\25\1\207m\121V\304\20\37\35708\324\354\374\350!\236\360-\264\377\368F\321\1\1\200\241,9\242\313\361\377\0O\277z\305\240S\30F\220\1?5G\374\27\231\255\13`5\354\5\212\376\225+l\245\217\3\355\355\332p;\256\244\16\4\33\257\22\10\244\332\201\350IH\263\225\252\341\32==\237\212<\240\317"\17\271\2557.\201+>\30\210.&\34\241\237\321\201\276\271\3W\320\240#\350\275\254\374\364\357\275\32\347\206@\229\364\10(\11\215\222\346\0\331G\377HNGQ\25]\327\204\347\242\266\14\317\351\271\360f\267\246\16\212\261\217\35x\233\2\13~\225\270\205\17\361^\31g\255H\322\312\264`m\20\303\2053v\252\236\17\305\251\357\13\366\331G\366\15\364\247\36\275\334Al\250\377\10W\271\367\222UM\262ZuA\257\26\276\253\262B\15m\222\370\222?\253"\177 \2\25\347\324y\360\222m\301\203\31[G\341\24,\225"\6\216\335\350\3503\2377r\235\360\17\10\226\262>>\231\236\245\36\315\36\207"\\265\324\265%\227H\30\266\10[\242\0\232\12:\363\226\315\33\266\235\247\223IH\2\220\245\274B\2\177\255v1\227\336B\221F.\2\250tu\306\341\251\223\2\7\366\372/\234\275#\5\26\204\222\333\15\351O\12\0\271\247v\2\260\272\215\261\277\5\257FHB", 9180, 0x0, 0, ... {status=0x0, info=9180}, ) , 9180, 0x0, 0, ... {status=0x0, info=9180}, ) == 0x0
 00897   420   NtUnmapViewOfSection  (-1, 0xb00000, ... ) == 0x0
 00898   420   NtSetInformationFile  (112, 1242540, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00899   420   NtClose  (108, ... ) == 0x0
 00900   420   NtClose  (112, ... ) == 0x0
 00901   420   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 112, ) }, ... 112, ) == 0x0
 00902   420   NtSetValueKey  (112,  (112, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1,  (112, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ...
 00903   420   NtSetInformationFile  (-2147482808, -135985356, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00904   420   NtSetInformationFile  (-2147482808, -135985448, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00905   420   NtSetInformationFile  (-2147482808, -135985756, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00902   420   NtSetValueKey  ... ) == 0x0
 00906   420   NtClose  (112, ... ) == 0x0
 00907   420   NtCreateMutant  (0x1f0001, {24, 76, 0x80, 0, 0,  (0x1f0001, {24, 76, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 112, ) }, 0, ... 112, ) == 0x0
 00908   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 11534336, 1048576, ) == 0x0
 00909   420   NtAllocateVirtualMemory  (-1, 12574720, 0, 8192, 4096, 4, ... 12574720, 8192, ) == 0x0
 00910   420   NtProtectVirtualMemory  (-1, (0xbfe000), 4096, 260, ... (0xbfe000), 4096, 4, ) == 0x0
 00911   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 108, {412, 572}, ) == 0x0
 00912   420   NtQueryInformationThread  (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=412,Tid=572,}, 0x0, ) == 0x0
 00913   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932}  (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932} "\0\0\0\0\1\0\1\0C:\WINDOl\0\0\0\234\1\0\0<\2\0\0" ... {28, 56, reply, 0, 412, 420, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\0\0\0\234\1\0\0<\2\0\0" )  ... {28, 56, reply, 0, 412, 420, 1502, 0}  (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932} "\0\0\0\0\1\0\1\0C:\WINDOl\0\0\0\234\1\0\0<\2\0\0" ... {28, 56, reply, 0, 412, 420, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\0\0\0\234\1\0\0<\2\0\0" )  ) == 0x0
 00914   420   NtResumeThread  (108, ... 1, ) == 0x0
 00915   572   NtTestAlert  (... ) == 0x0
 00916   572   NtContinue  (12582192, 1, ...
 00917   572   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00918   572   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 116, ) == 0x0
 00919   572   NtWaitForSingleObject  (92, 0, {0, 0}, ... ) == 0x102
 00920   572   NtAllocateVirtualMemory  (-1, 12570624, 0, 4096, 4096, 260, ...
 00921   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 12582912, 1048576, ) == 0x0
 00922   420   NtAllocateVirtualMemory  (-1, 13623296, 0, 8192, 4096, 4, ... 13623296, 8192, ) == 0x0
 00923   420   NtProtectVirtualMemory  (-1, (0xcfe000), 4096, 260, ... (0xcfe000), 4096, 4, ) == 0x0
 00924   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 120, {412, 588}, ) == 0x0
 00925   420   NtQueryInformationThread  (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=412,Tid=588,}, 0x0, ) == 0x0
 00926   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1502, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\0\0\0\234\1\0\0L\2\0\0" ...  ...
 00920   572   NtAllocateVirtualMemory  ... 12570624, 4096, ) == 0x0
 00927   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579388, ... ) }, 12579388, ... ) == 0x0
 00928   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00929   572   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 124, ...
 00926   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1503, 0}  ... {28, 56, reply, 0, 412, 420, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\0\0\0\234\1\0\0L\2\0\0" )  ) == 0x0
 00930   420   NtResumeThread  (120, ... 1, ) == 0x0
 00931   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 13631488, 1048576, ) == 0x0
 00932   420   NtAllocateVirtualMemory  (-1, 14671872, 0, 8192, 4096, 4, ... 14671872, 8192, ) == 0x0
 00933   420   NtProtectVirtualMemory  (-1, (0xdfe000), 4096, 260, ... (0xdfe000), 4096, 4, ) == 0x0
 00934   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 128, {412, 580}, ) == 0x0
 00935   420   NtQueryInformationThread  (128, Basic, 28, ...
 00929   572   NtCreateSection  ... 132, ) == 0x0
 00936   588   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00937   572   NtClose  (124, ...
 00936   588   NtCreateEvent  ... 136, ) == 0x0
 00937   572   NtClose  ... ) == 0x0
 00938   588   NtWaitForSingleObject  (136, 0, 0x0, ...
 00939   572   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe00000), 0x0, 229376, ) == 0x0
 00940   572   NtClose  (132, ... ) == 0x0
 00941   572   NtUnmapViewOfSection  (-1, 0xe00000, ... ) == 0x0
 00942   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579704, ... ) }, 12579704, ... ) == 0x0
 00943   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ...
 00935   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=412,Tid=580,}, 0x0, ) == 0x0
 00944   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1503, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\0\0\0\234\1\0\0D\2\0\0" ... {28, 56, reply, 0, 412, 420, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\0\0\0\234\1\0\0D\2\0\0" )  ... {28, 56, reply, 0, 412, 420, 1504, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\0\0\0\234\1\0\0D\2\0\0" ... {28, 56, reply, 0, 412, 420, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\0\0\0\234\1\0\0D\2\0\0" )  ) == 0x0
 00945   420   NtResumeThread  (128, ... 1, ) == 0x0
 00946   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14680064, 1048576, ) == 0x0
 00947   420   NtAllocateVirtualMemory  (-1, 15720448, 0, 8192, 4096, 4, ... 15720448, 8192, ) == 0x0
 00948   420   NtProtectVirtualMemory  (-1, (0xefe000), 4096, 260, ... (0xefe000), 4096, 4, ) == 0x0
 00943   572   NtOpenFile  ... 132, {status=0x0, info=1}, ) == 0x0
 00949   580   NtWaitForSingleObject  (136, 0, 0x0, ...
 00950   572   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 124, ) == 0x0
 00951   572   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00952   572   NtClose  (132, ... ) == 0x0
 00953   572   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 00954   572   NtClose  (124, ... ) == 0x0
 00955   572   NtQuerySystemInformation  (Basic, 44, ...
 00956   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 124, {412, 584}, ) == 0x0
 00957   420   NtQueryInformationThread  (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=412,Tid=584,}, 0x0, ) == 0x0
 00958   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1504, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\0\0\0\234\1\0\0H\2\0\0" ... {28, 56, reply, 0, 412, 420, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\0\0\0\234\1\0\0H\2\0\0" )  ... {28, 56, reply, 0, 412, 420, 1505, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\0\0\0\234\1\0\0H\2\0\0" ... {28, 56, reply, 0, 412, 420, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\0\0\0\234\1\0\0H\2\0\0" )  ) == 0x0
 00959   420   NtResumeThread  (124, ... 1, ) == 0x0
 00960   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15728640, 1048576, ) == 0x0
 00961   420   NtAllocateVirtualMemory  (-1, 16769024, 0, 8192, 4096, 4, ...
 00955   572   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00962   584   NtWaitForSingleObject  (136, 0, 0x0, ...
 00963   572   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00964   572   NtSetEventBoostPriority  (136, ...
 00938   588   NtWaitForSingleObject  ... ) == 0x0
 00965   588   NtSetEventBoostPriority  (136, ...
 00949   580   NtWaitForSingleObject  ... ) == 0x0
 00966   580   NtSetEventBoostPriority  (136, ...
 00962   584   NtWaitForSingleObject  ... ) == 0x0
 00967   584   NtTestAlert  (... ) == 0x0
 00966   580   NtSetEventBoostPriority  ... ) == 0x0
 00965   588   NtSetEventBoostPriority  ... ) == 0x0
 00964   572   NtSetEventBoostPriority  ... ) == 0x0
 00961   420   NtAllocateVirtualMemory  ... 16769024, 8192, ) == 0x0
 00968   584   NtContinue  (15727920, 1, ...
 00969   580   NtTestAlert  (...
 00970   572   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 00971   420   NtProtectVirtualMemory  (-1, (0xffe000), 4096, 260, ...
 00972   584   NtRegisterThreadTerminatePort  (24, ...
 00969   580   NtTestAlert  ... ) == 0x0
 00973   588   NtTestAlert  (...
 00971   420   NtProtectVirtualMemory  ... (0xffe000), 4096, 4, ) == 0x0
 00972   584   NtRegisterThreadTerminatePort  ... ) == 0x0
 00974   580   NtContinue  (14679344, 1, ...
 00973   588   NtTestAlert  ... ) == 0x0
 00975   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 00976   584   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00977   580   NtRegisterThreadTerminatePort  (24, ...
 00978   588   NtContinue  (13630768, 1, ...
 00975   420   NtCreateThread  ... 132, {412, 576}, ) == 0x0
 00976   584   NtDuplicateObject  ... 140, ) == 0x0
 00977   580   NtRegisterThreadTerminatePort  ... ) == 0x0
 00979   588   NtRegisterThreadTerminatePort  (24, ...
 00980   420   NtQueryInformationThread  (132, Basic, 28, ...
 00981   584   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 00982   580   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00979   588   NtRegisterThreadTerminatePort  ... ) == 0x0
 00970   572   NtCreateEvent  ... 144, ) == 0x0
 00980   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=412,Tid=576,}, 0x0, ) == 0x0
 00981   584   NtWaitForSingleObject  ... ) == 0x102
 00983   588   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 00984   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579032, ... }, 12579032, ...
 00985   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1505, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\0\0\0\234\1\0\0@\2\0\0" ...  ...
 00986   584   NtAllocateVirtualMemory  (-1, 15716352, 0, 4096, 4096, 260, ...
 00982   580   NtDuplicateObject  ... 148, ) == 0x0
 00984   572   NtQueryAttributesFile  ... ) == 0x0
 00985   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1506, 0}  ... {28, 56, reply, 0, 412, 420, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\0\0\0\234\1\0\0@\2\0\0" )  ) == 0x0
 00986   584   NtAllocateVirtualMemory  ... 15716352, 4096, ) == 0x0
 00987   580   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 00988   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ...
 00989   420   NtResumeThread  (132, ...
 00990   584   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15723564, ... }, 15723564, ...
 00987   580   NtWaitForSingleObject  ... ) == 0x102
 00988   572   NtOpenKey  ... 152, ) == 0x0
 00989   420   NtResumeThread  ... 1, ) == 0x0
 00990   584   NtQueryAttributesFile  ... ) == 0x0
 00991   580   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00992   572   NtQueryValueKey  (152,  (152, "Transports", Partial, 144, ... , Partial, 144, ...
 00983   588   NtDuplicateObject  ... 156, ) == 0x0
 00993   576   NtWaitForSingleObject  (136, 0, 0x0, ...
 00994   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 00991   580   NtCreateEvent  ... 160, ) == 0x0
 00995   584   NtSetEventBoostPriority  (136, ...
 00996   588   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 00994   420   NtAllocateVirtualMemory  ... 16777216, 1048576, ) == 0x0
 00992   572   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0
 00993   576   NtWaitForSingleObject  ... ) == 0x0
 00995   584   NtSetEventBoostPriority  ... ) == 0x0
 00996   588   NtWaitForSingleObject  ... ) == 0x102
 00997   420   NtAllocateVirtualMemory  (-1, 17817600, 0, 8192, 4096, 4, ...
 00998   576   NtTestAlert  (...
 00999   572   NtQueryValueKey  (152,  (152, "Transports", Partial, 144, ... , Partial, 144, ...
 01000   584   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 01001   588   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 00998   576   NtTestAlert  ... ) == 0x0
 00997   420   NtAllocateVirtualMemory  ... 17817600, 8192, ) == 0x0
 00999   572   NtQueryValueKey  ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0
 01000   584   NtCreateEvent  ... 164, ) == 0x0
 01001   588   NtCreateEvent  ... 168, ) == 0x0
 01002   580   NtWaitForSingleObject  (160, 0, 0x0, ...
 01003   420   NtProtectVirtualMemory  (-1, (0x10fe000), 4096, 260, ...
 01004   572   NtClose  (152, ...
 01005   584   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ...
 01006   576   NtContinue  (16776496, 1, ...
 01003   420   NtProtectVirtualMemory  ... (0x10fe000), 4096, 4, ) == 0x0
 01004   572   NtClose  ... ) == 0x0
 01005   584   NtOpenSection  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01007   576   NtRegisterThreadTerminatePort  (24, ...
 01008   588   NtClose  (168, ...
 01009   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ...
 01010   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01007   576   NtRegisterThreadTerminatePort  ... ) == 0x0
 01008   588   NtClose  ... ) == 0x0
 01011   584   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15723680, ... }, 15723680, ...
 01010   420   NtCreateThread  ... 168, {412, 596}, ) == 0x0
 01012   576   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01013   588   NtWaitForSingleObject  (160, 0, 0x0, ...
 01014   420   NtQueryInformationThread  (168, Basic, 28, ...
 01012   576   NtDuplicateObject  ... 152, ) == 0x0
 01014   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=412,Tid=596,}, 0x0, ) == 0x0
 01015   576   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01016   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1506, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\234\1\0\0T\2\0\0" ...  ...
 01009   572   NtOpenKey  ... 172, ) == 0x0
 01017   572   NtQueryValueKey  (172,  (172, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01018   572   NtQueryValueKey  (172,  (172, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01019   572   NtQueryValueKey  (172,  (172, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (172, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0
 01020   572   NtClose  (172, ... ) == 0x0
 01021   572   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 172, ) }, ... 172, ) == 0x0
 01022   572   NtQueryValueKey  (172,  (172, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ...
 01015   576   NtWaitForSingleObject  ... ) == 0x102
 01016   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1507, 0}  ... {28, 56, reply, 0, 412, 420, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\234\1\0\0T\2\0\0" )  ) == 0x0
 01023   576   NtWaitForSingleObject  (160, 0, 0x0, ...
 01024   420   NtResumeThread  (168, ... 1, ) == 0x0
 01025   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17825792, 1048576, ) == 0x0
 01026   420   NtAllocateVirtualMemory  (-1, 18866176, 0, 8192, 4096, 4, ... 18866176, 8192, ) == 0x0
 01027   420   NtProtectVirtualMemory  (-1, (0x11fe000), 4096, 260, ... (0x11fe000), 4096, 4, ) == 0x0
 01028   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 176, {412, 636}, ) == 0x0
 01029   420   NtQueryInformationThread  (176, Basic, 28, ...
 01022   572   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01030   596   NtWaitForSingleObject  (136, 0, 0x0, ...
 01031   572   NtQueryValueKey  (172,  (172, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0
 01032   572   NtQueryValueKey  (172,  (172, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01033   572   NtQueryValueKey  (172,  (172, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (172, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0
 01034   572   NtWaitForSingleObject  (136, 0, 0x0, ...
 01029   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=412,Tid=636,}, 0x0, ) == 0x0
 01035   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1507, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\234\1\0\0|\2\0\0" ... {28, 56, reply, 0, 412, 420, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\234\1\0\0|\2\0\0" )  ... {28, 56, reply, 0, 412, 420, 1508, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\234\1\0\0|\2\0\0" ... {28, 56, reply, 0, 412, 420, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\234\1\0\0|\2\0\0" )  ) == 0x0
 01036   420   NtResumeThread  (176, ... 1, ) == 0x0
 01037   636   NtWaitForSingleObject  (136, 0, 0x0, ...
 01038   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18874368, 1048576, ) == 0x0
 01039   420   NtAllocateVirtualMemory  (-1, 19914752, 0, 8192, 4096, 4, ... 19914752, 8192, ) == 0x0
 01040   420   NtProtectVirtualMemory  (-1, (0x12fe000), 4096, 260, ... (0x12fe000), 4096, 4, ) == 0x0
 01041   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 180, {412, 732}, ) == 0x0
 01042   420   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=412,Tid=732,}, 0x0, ) == 0x0
 01043   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1508, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\234\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 412, 420, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\234\1\0\0\334\2\0\0" )  ... {28, 56, reply, 0, 412, 420, 1509, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\234\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 412, 420, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\234\1\0\0\334\2\0\0" )  ) == 0x0
 01044   420   NtResumeThread  (180, ... 1, ) == 0x0
 01045   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19922944, 1048576, ) == 0x0
 01046   420   NtAllocateVirtualMemory  (-1, 20963328, 0, 8192, 4096, 4, ...
 01047   732   NtWaitForSingleObject  (136, 0, 0x0, ...
 01046   420   NtAllocateVirtualMemory  ... 20963328, 8192, ) == 0x0
 01048   420   NtProtectVirtualMemory  (-1, (0x13fe000), 4096, 260, ... (0x13fe000), 4096, 4, ) == 0x0
 01049   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 184, {412, 744}, ) == 0x0
 01050   420   NtQueryInformationThread  (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=412,Tid=744,}, 0x0, ) == 0x0
 01051   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1509, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\234\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 412, 420, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\234\1\0\0\350\2\0\0" )  ... {28, 56, reply, 0, 412, 420, 1510, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\234\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 412, 420, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\234\1\0\0\350\2\0\0" )  ) == 0x0
 01052   420   NtResumeThread  (184, ... 1, ) == 0x0
 01053   744   NtWaitForSingleObject  (136, 0, 0x0, ...
 01054   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20971520, 1048576, ) == 0x0
 01055   420   NtAllocateVirtualMemory  (-1, 22011904, 0, 8192, 4096, 4, ... 22011904, 8192, ) == 0x0
 01056   420   NtProtectVirtualMemory  (-1, (0x14fe000), 4096, 260, ... (0x14fe000), 4096, 4, ) == 0x0
 01057   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 188, {412, 676}, ) == 0x0
 01058   420   NtQueryInformationThread  (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=412,Tid=676,}, 0x0, ) == 0x0
 01059   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1510, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\234\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 412, 420, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\234\1\0\0\244\2\0\0" )  ... {28, 56, reply, 0, 412, 420, 1511, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\234\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 412, 420, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\234\1\0\0\244\2\0\0" )  ) == 0x0
 01060   420   NtResumeThread  (188, ... 1, ) == 0x0
 01061   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22020096, 1048576, ) == 0x0
 01062   420   NtAllocateVirtualMemory  (-1, 23060480, 0, 8192, 4096, 4, ...
 01063   676   NtWaitForSingleObject  (136, 0, 0x0, ...
 01062   420   NtAllocateVirtualMemory  ... 23060480, 8192, ) == 0x0
 01064   420   NtProtectVirtualMemory  (-1, (0x15fe000), 4096, 260, ... (0x15fe000), 4096, 4, ) == 0x0
 01065   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 192, {412, 788}, ) == 0x0
 01066   420   NtQueryInformationThread  (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=412,Tid=788,}, 0x0, ) == 0x0
 01067   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1511, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\234\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 412, 420, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\234\1\0\0\24\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1512, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\234\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 412, 420, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\234\1\0\0\24\3\0\0" )  ) == 0x0
 01068   420   NtResumeThread  (192, ... 1, ) == 0x0
 01069   788   NtWaitForSingleObject  (136, 0, 0x0, ...
 01070   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23068672, 1048576, ) == 0x0
 01071   420   NtAllocateVirtualMemory  (-1, 24109056, 0, 8192, 4096, 4, ... 24109056, 8192, ) == 0x0
 01072   420   NtProtectVirtualMemory  (-1, (0x16fe000), 4096, 260, ... (0x16fe000), 4096, 4, ) == 0x0
 01073   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 196, {412, 784}, ) == 0x0
 01074   420   NtQueryInformationThread  (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=412,Tid=784,}, 0x0, ) == 0x0
 01075   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1512, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\234\1\0\0\20\3\0\0" ...  ...
 01011   584   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01075   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1513, 0}  ... {28, 56, reply, 0, 412, 420, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\234\1\0\0\20\3\0\0" )  ) == 0x0
 01076   420   NtResumeThread  (196, ... 1, ) == 0x0
 01077   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24117248, 1048576, ) == 0x0
 01078   420   NtAllocateVirtualMemory  (-1, 25157632, 0, 8192, 4096, 4, ... 25157632, 8192, ) == 0x0
 01079   420   NtProtectVirtualMemory  (-1, (0x17fe000), 4096, 260, ... (0x17fe000), 4096, 4, ) == 0x0
 01080   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 200, {412, 716}, ) == 0x0
 01081   420   NtQueryInformationThread  (200, Basic, 28, ...
 01082   584   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 15723680, ... }, 15723680, ...
 01083   784   NtWaitForSingleObject  (136, 0, 0x0, ...
 01081   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=412,Tid=716,}, 0x0, ) == 0x0
 01084   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1513, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\234\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 412, 420, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\234\1\0\0\314\2\0\0" )  ... {28, 56, reply, 0, 412, 420, 1514, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\234\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 412, 420, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\234\1\0\0\314\2\0\0" )  ) == 0x0
 01085   420   NtResumeThread  (200, ... 1, ) == 0x0
 01086   716   NtWaitForSingleObject  (136, 0, 0x0, ...
 01087   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25165824, 1048576, ) == 0x0
 01088   420   NtAllocateVirtualMemory  (-1, 26206208, 0, 8192, 4096, 4, ... 26206208, 8192, ) == 0x0
 01089   420   NtProtectVirtualMemory  (-1, (0x18fe000), 4096, 260, ... (0x18fe000), 4096, 4, ) == 0x0
 01090   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 204, {412, 836}, ) == 0x0
 01091   420   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=412,Tid=836,}, 0x0, ) == 0x0
 01092   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1514, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\234\1\0\0D\3\0\0" ... {28, 56, reply, 0, 412, 420, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\234\1\0\0D\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1515, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\234\1\0\0D\3\0\0" ... {28, 56, reply, 0, 412, 420, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\234\1\0\0D\3\0\0" )  ) == 0x0
 01093   420   NtResumeThread  (204, ... 1, ) == 0x0
 01094   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26214400, 1048576, ) == 0x0
 01095   420   NtAllocateVirtualMemory  (-1, 27254784, 0, 8192, 4096, 4, ...
 01096   836   NtWaitForSingleObject  (136, 0, 0x0, ...
 01095   420   NtAllocateVirtualMemory  ... 27254784, 8192, ) == 0x0
 01097   420   NtProtectVirtualMemory  (-1, (0x19fe000), 4096, 260, ... (0x19fe000), 4096, 4, ) == 0x0
 01098   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 208, {412, 856}, ) == 0x0
 01099   420   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=412,Tid=856,}, 0x0, ) == 0x0
 01100   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1515, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\0\0\0\234\1\0\0X\3\0\0" ... {28, 56, reply, 0, 412, 420, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\0\0\0\234\1\0\0X\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1516, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\0\0\0\234\1\0\0X\3\0\0" ... {28, 56, reply, 0, 412, 420, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\0\0\0\234\1\0\0X\3\0\0" )  ) == 0x0
 01101   420   NtResumeThread  (208, ... 1, ) == 0x0
 01102   856   NtWaitForSingleObject  (136, 0, 0x0, ...
 01103   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27262976, 1048576, ) == 0x0
 01104   420   NtAllocateVirtualMemory  (-1, 28303360, 0, 8192, 4096, 4, ... 28303360, 8192, ) == 0x0
 01105   420   NtProtectVirtualMemory  (-1, (0x1afe000), 4096, 260, ... (0x1afe000), 4096, 4, ) == 0x0
 01106   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 212, {412, 860}, ) == 0x0
 01107   420   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=412,Tid=860,}, 0x0, ) == 0x0
 01108   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1516, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\234\1\0\0\\3\0\0" ... {28, 56, reply, 0, 412, 420, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\234\1\0\0\\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1517, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\234\1\0\0\\3\0\0" ... {28, 56, reply, 0, 412, 420, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\234\1\0\0\\3\0\0" )  ) == 0x0
 01109   420   NtResumeThread  (212, ... 1, ) == 0x0
 01110   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28311552, 1048576, ) == 0x0
 01111   420   NtAllocateVirtualMemory  (-1, 29351936, 0, 8192, 4096, 4, ...
 01112   860   NtWaitForSingleObject  (136, 0, 0x0, ...
 01111   420   NtAllocateVirtualMemory  ... 29351936, 8192, ) == 0x0
 01113   420   NtProtectVirtualMemory  (-1, (0x1bfe000), 4096, 260, ... (0x1bfe000), 4096, 4, ) == 0x0
 01114   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 216, {412, 864}, ) == 0x0
 01115   420   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=412,Tid=864,}, 0x0, ) == 0x0
 01116   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1517, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\234\1\0\0`\3\0\0" ... {28, 56, reply, 0, 412, 420, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\234\1\0\0`\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1518, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\234\1\0\0`\3\0\0" ... {28, 56, reply, 0, 412, 420, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\234\1\0\0`\3\0\0" )  ) == 0x0
 01117   420   NtResumeThread  (216, ... 1, ) == 0x0
 01118   864   NtWaitForSingleObject  (136, 0, 0x0, ...
 01119   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29360128, 1048576, ) == 0x0
 01120   420   NtAllocateVirtualMemory  (-1, 30400512, 0, 8192, 4096, 4, ... 30400512, 8192, ) == 0x0
 01121   420   NtProtectVirtualMemory  (-1, (0x1cfe000), 4096, 260, ... (0x1cfe000), 4096, 4, ) == 0x0
 01122   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 220, {412, 868}, ) == 0x0
 01123   420   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=412,Tid=868,}, 0x0, ) == 0x0
 01124   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1518, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\234\1\0\0d\3\0\0" ... {28, 56, reply, 0, 412, 420, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\234\1\0\0d\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1519, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\234\1\0\0d\3\0\0" ... {28, 56, reply, 0, 412, 420, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\234\1\0\0d\3\0\0" )  ) == 0x0
 01125   420   NtResumeThread  (220, ... 1, ) == 0x0
 01126   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30408704, 1048576, ) == 0x0
 01127   420   NtAllocateVirtualMemory  (-1, 31449088, 0, 8192, 4096, 4, ...
 01128   868   NtWaitForSingleObject  (136, 0, 0x0, ...
 01127   420   NtAllocateVirtualMemory  ... 31449088, 8192, ) == 0x0
 01129   420   NtProtectVirtualMemory  (-1, (0x1dfe000), 4096, 260, ... (0x1dfe000), 4096, 4, ) == 0x0
 01130   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 224, {412, 872}, ) == 0x0
 01131   420   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=412,Tid=872,}, 0x0, ) == 0x0
 01132   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1519, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\234\1\0\0h\3\0\0" ... {28, 56, reply, 0, 412, 420, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\234\1\0\0h\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1520, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\234\1\0\0h\3\0\0" ... {28, 56, reply, 0, 412, 420, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\234\1\0\0h\3\0\0" )  ) == 0x0
 01133   420   NtResumeThread  (224, ... 1, ) == 0x0
 01134   872   NtWaitForSingleObject  (136, 0, 0x0, ...
 01135   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31457280, 1048576, ) == 0x0
 01136   420   NtAllocateVirtualMemory  (-1, 32497664, 0, 8192, 4096, 4, ... 32497664, 8192, ) == 0x0
 01137   420   NtProtectVirtualMemory  (-1, (0x1efe000), 4096, 260, ... (0x1efe000), 4096, 4, ) == 0x0
 01138   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 228, {412, 876}, ) == 0x0
 01139   420   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=412,Tid=876,}, 0x0, ) == 0x0
 01140   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1520, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\234\1\0\0l\3\0\0" ... {28, 56, reply, 0, 412, 420, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\234\1\0\0l\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1521, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\234\1\0\0l\3\0\0" ... {28, 56, reply, 0, 412, 420, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\234\1\0\0l\3\0\0" )  ) == 0x0
 01141   420   NtResumeThread  (228, ... 1, ) == 0x0
 01142   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32505856, 1048576, ) == 0x0
 01143   420   NtAllocateVirtualMemory  (-1, 33546240, 0, 8192, 4096, 4, ...
 01144   876   NtWaitForSingleObject  (136, 0, 0x0, ...
 01143   420   NtAllocateVirtualMemory  ... 33546240, 8192, ) == 0x0
 01145   420   NtProtectVirtualMemory  (-1, (0x1ffe000), 4096, 260, ... (0x1ffe000), 4096, 4, ) == 0x0
 01146   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 232, {412, 880}, ) == 0x0
 01147   420   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=412,Tid=880,}, 0x0, ) == 0x0
 01148   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1521, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\234\1\0\0p\3\0\0" ... {28, 56, reply, 0, 412, 420, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\234\1\0\0p\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1522, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\234\1\0\0p\3\0\0" ... {28, 56, reply, 0, 412, 420, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\234\1\0\0p\3\0\0" )  ) == 0x0
 01149   420   NtResumeThread  (232, ... 1, ) == 0x0
 01150   880   NtWaitForSingleObject  (136, 0, 0x0, ...
 01151   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33554432, 1048576, ) == 0x0
 01152   420   NtAllocateVirtualMemory  (-1, 34594816, 0, 8192, 4096, 4, ... 34594816, 8192, ) == 0x0
 01153   420   NtProtectVirtualMemory  (-1, (0x20fe000), 4096, 260, ... (0x20fe000), 4096, 4, ) == 0x0
 01154   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 236, {412, 884}, ) == 0x0
 01155   420   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=412,Tid=884,}, 0x0, ) == 0x0
 01156   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1522, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\234\1\0\0t\3\0\0" ... {28, 56, reply, 0, 412, 420, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\234\1\0\0t\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1523, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\234\1\0\0t\3\0\0" ... {28, 56, reply, 0, 412, 420, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\234\1\0\0t\3\0\0" )  ) == 0x0
 01157   420   NtResumeThread  (236, ... 1, ) == 0x0
 01158   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34603008, 1048576, ) == 0x0
 01159   420   NtAllocateVirtualMemory  (-1, 35643392, 0, 8192, 4096, 4, ...
 01160   884   NtWaitForSingleObject  (136, 0, 0x0, ...
 01159   420   NtAllocateVirtualMemory  ... 35643392, 8192, ) == 0x0
 01161   420   NtProtectVirtualMemory  (-1, (0x21fe000), 4096, 260, ... (0x21fe000), 4096, 4, ) == 0x0
 01162   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 240, {412, 888}, ) == 0x0
 01163   420   NtQueryInformationThread  (240, Basic, 28, ...
 01082   584   NtQueryAttributesFile  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01164   584   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 15723680, ... ) }, 15723680, ... ) == 0x0
 01165   584   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 244, {status=0x0, info=1}, ) }, 5, 96, ... 244, {status=0x0, info=1}, ) == 0x0
 01166   584   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 244, ... 248, ) == 0x0
 01167   584   NtQuerySection  (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01168   584   NtClose  (244, ...
 01163   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=412,Tid=888,}, 0x0, ) == 0x0
 01169   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1523, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\234\1\0\0x\3\0\0" ... {28, 56, reply, 0, 412, 420, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\234\1\0\0x\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1524, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\234\1\0\0x\3\0\0" ... {28, 56, reply, 0, 412, 420, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\234\1\0\0x\3\0\0" )  ) == 0x0
 01170   420   NtResumeThread  (240, ... 1, ) == 0x0
 01171   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35651584, 1048576, ) == 0x0
 01172   420   NtAllocateVirtualMemory  (-1, 36691968, 0, 8192, 4096, 4, ... 36691968, 8192, ) == 0x0
 01173   420   NtProtectVirtualMemory  (-1, (0x22fe000), 4096, 260, ... (0x22fe000), 4096, 4, ) == 0x0
 01168   584   NtClose  ... ) == 0x0
 01174   888   NtWaitForSingleObject  (136, 0, 0x0, ...
 01175   584   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 01176   584   NtClose  (248, ... ) == 0x0
 01177   584   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 248, 2, ) }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 248, 2, ) , 0, ... 248, 2, ) == 0x0
 01178   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 244, ) }, ... 244, ) == 0x0
 01179   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01180   584   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... }, ...
 01181   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 252, {412, 892}, ) == 0x0
 01182   420   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=412,Tid=892,}, 0x0, ) == 0x0
 01183   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1524, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\234\1\0\0|\3\0\0" ... {28, 56, reply, 0, 412, 420, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\234\1\0\0|\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1525, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\234\1\0\0|\3\0\0" ... {28, 56, reply, 0, 412, 420, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\234\1\0\0|\3\0\0" )  ) == 0x0
 01184   420   NtResumeThread  (252, ... 1, ) == 0x0
 01185   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36700160, 1048576, ) == 0x0
 01186   420   NtAllocateVirtualMemory  (-1, 37740544, 0, 8192, 4096, 4, ...
 01180   584   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   892   NtWaitForSingleObject  (136, 0, 0x0, ...
 01188   584   NtQueryValueKey  (244,  (244, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01189   584   NtQueryValueKey  (248,  (248, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   584   NtQueryValueKey  (244,  (244, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   584   NtQueryValueKey  (248,  (248, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01192   584   NtQueryValueKey  (244,  (244, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   584   NtQueryValueKey  (248,  (248, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ...
 01186   420   NtAllocateVirtualMemory  ... 37740544, 8192, ) == 0x0
 01194   420   NtProtectVirtualMemory  (-1, (0x23fe000), 4096, 260, ... (0x23fe000), 4096, 4, ) == 0x0
 01195   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 256, {412, 908}, ) == 0x0
 01196   420   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=412,Tid=908,}, 0x0, ) == 0x0
 01197   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1525, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0\234\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 412, 420, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0\234\1\0\0\214\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1526, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0\234\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 412, 420, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0\234\1\0\0\214\3\0\0" )  ) == 0x0
 01198   420   NtResumeThread  (256, ... 1, ) == 0x0
 01193   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01199   908   NtWaitForSingleObject  (136, 0, 0x0, ...
 01200   584   NtQueryValueKey  (244,  (244, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01201   584   NtQueryValueKey  (248,  (248, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01202   584   NtQueryValueKey  (244,  (244, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01203   584   NtQueryValueKey  (244,  (244, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   584   NtQueryValueKey  (244,  (244, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01205   584   NtQueryValueKey  (244,  (244, "FilterClusterIp", Partial, 144, ... , Partial, 144, ...
 01206   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37748736, 1048576, ) == 0x0
 01207   420   NtAllocateVirtualMemory  (-1, 38789120, 0, 8192, 4096, 4, ... 38789120, 8192, ) == 0x0
 01208   420   NtProtectVirtualMemory  (-1, (0x24fe000), 4096, 260, ... (0x24fe000), 4096, 4, ) == 0x0
 01209   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 260, {412, 912}, ) == 0x0
 01210   420   NtQueryInformationThread  (260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=412,Tid=912,}, 0x0, ) == 0x0
 01211   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1526, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\1\0\0\234\1\0\0\220\3\0\0" ...  ...
 01205   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   584   NtQueryValueKey  (244,  (244, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   584   NtQueryValueKey  (244,  (244, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   584   NtQueryValueKey  (244,  (244, "RegistrationEnabled", Partial, 144, ... , Partial, 144, ...
 01211   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1527, 0}  ... {28, 56, reply, 0, 412, 420, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\1\0\0\234\1\0\0\220\3\0\0" )  ) == 0x0
 01215   420   NtResumeThread  (260, ... 1, ) == 0x0
 01216   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38797312, 1048576, ) == 0x0
 01217   420   NtAllocateVirtualMemory  (-1, 39837696, 0, 8192, 4096, 4, ... 39837696, 8192, ) == 0x0
 01218   420   NtProtectVirtualMemory  (-1, (0x25fe000), 4096, 260, ... (0x25fe000), 4096, 4, ) == 0x0
 01219   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 264, {412, 916}, ) == 0x0
 01220   420   NtQueryInformationThread  (264, Basic, 28, ...
 01214   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   912   NtWaitForSingleObject  (136, 0, 0x0, ...
 01222   584   NtQueryValueKey  (248,  (248, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01223   584   NtQueryValueKey  (244,  (244, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01224   584   NtQueryValueKey  (244,  (244, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01225   584   NtQueryValueKey  (248,  (248, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01226   584   NtQueryValueKey  (244,  (244, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   584   NtQueryValueKey  (248,  (248, "DisableReverseAddressRegistrations", Partial, 144, ... , Partial, 144, ...
 01220   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=412,Tid=916,}, 0x0, ) == 0x0
 01228   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1527, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\1\0\0\234\1\0\0\224\3\0\0" ... {28, 56, reply, 0, 412, 420, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\1\0\0\234\1\0\0\224\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1528, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\1\0\0\234\1\0\0\224\3\0\0" ... {28, 56, reply, 0, 412, 420, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\1\0\0\234\1\0\0\224\3\0\0" )  ) == 0x0
 01229   420   NtResumeThread  (264, ... 1, ) == 0x0
 01230   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 39845888, 1048576, ) == 0x0
 01231   420   NtAllocateVirtualMemory  (-1, 40886272, 0, 8192, 4096, 4, ... 40886272, 8192, ) == 0x0
 01232   420   NtProtectVirtualMemory  (-1, (0x26fe000), 4096, 260, ... (0x26fe000), 4096, 4, ) == 0x0
 01227   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01233   916   NtWaitForSingleObject  (136, 0, 0x0, ...
 01234   584   NtQueryValueKey  (244,  (244, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   584   NtQueryValueKey  (248,  (248, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01236   584   NtQueryValueKey  (244,  (244, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   584   NtQueryValueKey  (248,  (248, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01238   584   NtQueryValueKey  (244,  (244, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01239   584   NtQueryValueKey  (248,  (248, "DefaultRegistrationTTL", Partial, 144, ... , Partial, 144, ...
 01240   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 268, {412, 920}, ) == 0x0
 01241   420   NtQueryInformationThread  (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=412,Tid=920,}, 0x0, ) == 0x0
 01242   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1528, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0\234\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 412, 420, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0\234\1\0\0\230\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1529, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0\234\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 412, 420, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0\234\1\0\0\230\3\0\0" )  ) == 0x0
 01243   420   NtResumeThread  (268, ... 1, ) == 0x0
 01244   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 40894464, 1048576, ) == 0x0
 01245   420   NtAllocateVirtualMemory  (-1, 41934848, 0, 8192, 4096, 4, ...
 01239   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01246   920   NtWaitForSingleObject  (136, 0, 0x0, ...
 01247   584   NtQueryValueKey  (244,  (244, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   584   NtQueryValueKey  (248,  (248, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   584   NtQueryValueKey  (244,  (244, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   584   NtQueryValueKey  (248,  (248, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   584   NtQueryValueKey  (244,  (244, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   584   NtQueryValueKey  (248,  (248, "UpdateSecurityLevel", Partial, 144, ... , Partial, 144, ...
 01245   420   NtAllocateVirtualMemory  ... 41934848, 8192, ) == 0x0
 01253   420   NtProtectVirtualMemory  (-1, (0x27fe000), 4096, 260, ... (0x27fe000), 4096, 4, ) == 0x0
 01254   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 272, {412, 924}, ) == 0x0
 01255   420   NtQueryInformationThread  (272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=412,Tid=924,}, 0x0, ) == 0x0
 01256   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1529, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\234\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 412, 420, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\234\1\0\0\234\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1530, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\234\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 412, 420, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\234\1\0\0\234\3\0\0" )  ) == 0x0
 01257   420   NtResumeThread  (272, ... 1, ) == 0x0
 01252   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   924   NtWaitForSingleObject  (136, 0, 0x0, ...
 01259   584   NtQueryValueKey  (244,  (244, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01260   584   NtQueryValueKey  (244,  (244, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01261   584   NtQueryValueKey  (244,  (244, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01262   584   NtQueryValueKey  (244,  (244, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01263   584   NtQueryValueKey  (244,  (244, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01264   584   NtQueryValueKey  (244,  (244, "MaxNegativeCacheTtl", Partial, 144, ... , Partial, 144, ...
 01265   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 41943040, 1048576, ) == 0x0
 01266   420   NtAllocateVirtualMemory  (-1, 42983424, 0, 8192, 4096, 4, ... 42983424, 8192, ) == 0x0
 01267   420   NtProtectVirtualMemory  (-1, (0x28fe000), 4096, 260, ... (0x28fe000), 4096, 4, ) == 0x0
 01268   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 276, {412, 928}, ) == 0x0
 01269   420   NtQueryInformationThread  (276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=412,Tid=928,}, 0x0, ) == 0x0
 01270   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1530, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\234\1\0\0\240\3\0\0" ...  ...
 01264   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01271   584   NtQueryValueKey  (244,  (244, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   584   NtQueryValueKey  (244,  (244, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01273   584   NtQueryValueKey  (244,  (244, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ...
 01270   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1531, 0}  ... {28, 56, reply, 0, 412, 420, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\234\1\0\0\240\3\0\0" )  ) == 0x0
 01274   420   NtResumeThread  (276, ... 1, ) == 0x0
 01275   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 42991616, 1048576, ) == 0x0
 01276   420   NtAllocateVirtualMemory  (-1, 44032000, 0, 8192, 4096, 4, ... 44032000, 8192, ) == 0x0
 01277   420   NtProtectVirtualMemory  (-1, (0x29fe000), 4096, 260, ... (0x29fe000), 4096, 4, ) == 0x0
 01278   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 280, {412, 932}, ) == 0x0
 01279   420   NtQueryInformationThread  (280, Basic, 28, ...
 01273   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01280   928   NtWaitForSingleObject  (136, 0, 0x0, ...
 01281   584   NtQueryValueKey  (244,  (244, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282   584   NtQueryValueKey  (244,  (244, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01283   584   NtQueryValueKey  (244,  (244, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01284   584   NtQueryValueKey  (244,  (244, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01285   584   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 284, ) }, ... 284, ) == 0x0
 01286   584   NtQueryValueKey  (284,  (284, "SystemSetupInProgress", Partial, 144, ... , Partial, 144, ...
 01279   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=412,Tid=932,}, 0x0, ) == 0x0
 01287   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1531, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\234\1\0\0\244\3\0\0" ... {28, 56, reply, 0, 412, 420, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\234\1\0\0\244\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1532, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\234\1\0\0\244\3\0\0" ... {28, 56, reply, 0, 412, 420, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\234\1\0\0\244\3\0\0" )  ) == 0x0
 01288   420   NtResumeThread  (280, ... 1, ) == 0x0
 01289   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 44040192, 1048576, ) == 0x0
 01290   420   NtAllocateVirtualMemory  (-1, 45080576, 0, 8192, 4096, 4, ... 45080576, 8192, ) == 0x0
 01291   420   NtProtectVirtualMemory  (-1, (0x2afe000), 4096, 260, ... (0x2afe000), 4096, 4, ) == 0x0
 01286   584   NtQueryValueKey  ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01292   932   NtWaitForSingleObject  (136, 0, 0x0, ...
 01293   584   NtClose  (284, ... ) == 0x0
 01294   584   NtClose  (248, ... ) == 0x0
 01295   584   NtClose  (244, ... ) == 0x0
 01296   584   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 244, ) }, ... 244, ) == 0x0
 01297   584   NtQueryValueKey  (244,  (244, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01298   584   NtQueryValueKey  (244,  (244, "DnsQuickQueryTimeouts", Partial, 144, ... , Partial, 144, ...
 01299   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 248, {412, 936}, ) == 0x0
 01300   420   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=412,Tid=936,}, 0x0, ) == 0x0
 01301   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1532, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\234\1\0\0\250\3\0\0" ... {28, 56, reply, 0, 412, 420, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\234\1\0\0\250\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1533, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\234\1\0\0\250\3\0\0" ... {28, 56, reply, 0, 412, 420, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\234\1\0\0\250\3\0\0" )  ) == 0x0
 01302   420   NtResumeThread  (248, ... 1, ) == 0x0
 01303   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 45088768, 1048576, ) == 0x0
 01304   420   NtAllocateVirtualMemory  (-1, 46129152, 0, 8192, 4096, 4, ...
 01298   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01305   936   NtWaitForSingleObject  (136, 0, 0x0, ...
 01306   584   NtQueryValueKey  (244,  (244, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01307   584   NtClose  (244, ... ) == 0x0
 01308   584   NtSetEventBoostPriority  (136, ...
 01030   596   NtWaitForSingleObject  ... ) == 0x0
 01309   596   NtSetEventBoostPriority  (136, ...
 01034   572   NtWaitForSingleObject  ... ) == 0x0
 01310   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 12579952, ... ) }, 12579952, ... ) == 0x0
 01309   596   NtSetEventBoostPriority  ... ) == 0x0
 01308   584   NtSetEventBoostPriority  ... ) == 0x0
 01304   420   NtAllocateVirtualMemory  ... 46129152, 8192, ) == 0x0
 01311   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01312   584   NtWaitForSingleObject  (136, 0, 0x0, ...
 01313   420   NtProtectVirtualMemory  (-1, (0x2bfe000), 4096, 260, ...
 01311   572   NtOpenFile  ... 244, {status=0x0, info=1}, ) == 0x0
 01313   420   NtProtectVirtualMemory  ... (0x2bfe000), 4096, 4, ) == 0x0
 01314   572   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 244, ...
 01315   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01314   572   NtCreateSection  ... 284, ) == 0x0
 01315   420   NtCreateThread  ... 288, {412, 940}, ) == 0x0
 01316   572   NtClose  (244, ...
 01317   420   NtQueryInformationThread  (288, Basic, 28, ...
 01316   572   NtClose  ... ) == 0x0
 01318   596   NtTestAlert  (...
 01317   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=412,Tid=940,}, 0x0, ) == 0x0
 01318   596   NtTestAlert  ... ) == 0x0
 01319   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1533, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0\234\1\0\0\254\3\0\0" ...  ...
 01320   596   NtContinue  (17825072, 1, ...
 01319   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1534, 0}  ... {28, 56, reply, 0, 412, 420, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0\234\1\0\0\254\3\0\0" )  ) == 0x0
 01321   596   NtRegisterThreadTerminatePort  (24, ...
 01322   420   NtResumeThread  (288, ...
 01321   596   NtRegisterThreadTerminatePort  ... ) == 0x0
 01322   420   NtResumeThread  ... 1, ) == 0x0
 01323   596   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01324   572   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 01325   940   NtWaitForSingleObject  (136, 0, 0x0, ...
 01326   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01324   572   NtMapViewOfSection  ... (0x2c00000), 0x0, 20480, ) == 0x0
 01326   420   NtAllocateVirtualMemory  ... 46202880, 1048576, ) == 0x0
 01327   572   NtClose  (284, ...
 01328   420   NtAllocateVirtualMemory  (-1, 47243264, 0, 8192, 4096, 4, ...
 01327   572   NtClose  ... ) == 0x0
 01328   420   NtAllocateVirtualMemory  ... 47243264, 8192, ) == 0x0
 01329   572   NtUnmapViewOfSection  (-1, 0x2c00000, ...
 01330   420   NtProtectVirtualMemory  (-1, (0x2d0e000), 4096, 260, ...
 01329   572   NtUnmapViewOfSection  ... ) == 0x0
 01330   420   NtProtectVirtualMemory  ... (0x2d0e000), 4096, 4, ) == 0x0
 01323   596   NtDuplicateObject  ... 284, ) == 0x0
 01331   572   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 12580268, ... }, 12580268, ...
 01332   596   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01331   572   NtQueryAttributesFile  ... ) == 0x0
 01332   596   NtWaitForSingleObject  ... ) == 0x102
 01333   572   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ...
 01334   596   NtWaitForSingleObject  (160, 0, 0x0, ...
 01333   572   NtOpenFile  ... 244, {status=0x0, info=1}, ) == 0x0
 01335   572   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 244, ... 292, ) == 0x0
 01336   572   NtQuerySection  (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01337   572   NtClose  (244, ... ) == 0x0
 01338   572   NtMapViewOfSection  (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0
 01339   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 244, {412, 944}, ) == 0x0
 01340   420   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=412,Tid=944,}, 0x0, ) == 0x0
 01341   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1534, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\234\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 412, 420, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\234\1\0\0\260\3\0\0" )  ... {28, 56, reply, 0, 412, 420, 1535, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\234\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 412, 420, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\234\1\0\0\260\3\0\0" )  ) == 0x0
 01342   420   NtResumeThread  (244, ... 1, ) == 0x0
 01343   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 47251456, 1048576, ) == 0x0
 01344   420   NtAllocateVirtualMemory  (-1, 48291840, 0, 8192, 4096, 4, ...
 01345   572   NtClose  (292, ...
 01346   944   NtWaitForSingleObject  (136, 0, 0x0, ...
 01345   572   NtClose  ... ) == 0x0
 01347   572   NtSetEventBoostPriority  (136, ...
 01037   636   NtWaitForSingleObject  ... ) == 0x0
 01348   636   NtSetEventBoostPriority  (136, ...
 01047   732   NtWaitForSingleObject  ... ) == 0x0
 01349   732   NtSetEventBoostPriority  (136, ...
 01053   744   NtWaitForSingleObject  ... ) == 0x0
 01350   744   NtSetEventBoostPriority  (136, ...
 01063   676   NtWaitForSingleObject  ... ) == 0x0
 01351   676   NtSetEventBoostPriority  (136, ...
 01069   788   NtWaitForSingleObject  ... ) == 0x0
 01352   788   NtSetEventBoostPriority  (136, ...
 01083   784   NtWaitForSingleObject  ... ) == 0x0
 01353   784   NtSetEventBoostPriority  (136, ...
 01086   716   NtWaitForSingleObject  ... ) == 0x0
 01354   716   NtSetEventBoostPriority  (136, ...
 01096   836   NtWaitForSingleObject  ... ) == 0x0
 01355   836   NtSetEventBoostPriority  (136, ...
 01102   856   NtWaitForSingleObject  ... ) == 0x0
 01356   856   NtAllocateVirtualMemory  (-1, 3948544, 0, 4096, 4096, 4, ... 3948544, 4096, ) == 0x0
 01355   836   NtSetEventBoostPriority  ... ) == 0x0
 01354   716   NtSetEventBoostPriority  ... ) == 0x0
 01353   784   NtSetEventBoostPriority  ... ) == 0x0
 01352   788   NtSetEventBoostPriority  ... ) == 0x0
 01351   676   NtSetEventBoostPriority  ... ) == 0x0
 01350   744   NtSetEventBoostPriority  ... ) == 0x0
 01349   732   NtSetEventBoostPriority  ... ) == 0x0
 01348   636   NtSetEventBoostPriority  ... ) == 0x0
 01347   572   NtSetEventBoostPriority  ... ) == 0x0
 01344   420   NtAllocateVirtualMemory  ... 48291840, 8192, ) == 0x0
 01357   856   NtSetEventBoostPriority  (136, ...
 01358   836   NtTestAlert  (...
 01359   716   NtTestAlert  (...
 01360   784   NtTestAlert  (...
 01361   788   NtTestAlert  (...
 01362   676   NtTestAlert  (...
 01363   744   NtTestAlert  (...
 01364   732   NtTestAlert  (...
 01365   572   NtClose  (172, ...
 01366   420   NtProtectVirtualMemory  (-1, (0x2e0e000), 4096, 260, ...
 01112   860   NtWaitForSingleObject  ... ) == 0x0
 01357   856   NtSetEventBoostPriority  ... ) == 0x0
 01358   836   NtTestAlert  ... ) == 0x0
 01359   716   NtTestAlert  ... ) == 0x0
 01360   784   NtTestAlert  ... ) == 0x0
 01361   788   NtTestAlert  ... ) == 0x0
 01362   676   NtTestAlert  ... ) == 0x0
 01363   744   NtTestAlert  ... ) == 0x0
 01364   732   NtTestAlert  ... ) == 0x0
 01365   572   NtClose  ... ) == 0x0
 01367   860   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ...
 01366   420   NtProtectVirtualMemory  ... (0x2e0e000), 4096, 4, ) == 0x0
 01368   856   NtTestAlert  (...
 01369   836   NtContinue  (26213680, 1, ...
 01370   716   NtContinue  (25165104, 1, ...
 01371   784   NtContinue  (24116528, 1, ...
 01372   788   NtContinue  (23067952, 1, ...
 01373   676   NtContinue  (22019376, 1, ...
 01374   744   NtContinue  (20970800, 1, ...
 01375   732   NtContinue  (19922224, 1, ...
 01376   636   NtTestAlert  (...
 01367   860   NtAllocateVirtualMemory  ... 1363968, 4096, ) == 0x0
 01377   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01368   856   NtTestAlert  ... ) == 0x0
 01378   836   NtRegisterThreadTerminatePort  (24, ...
 01379   716   NtRegisterThreadTerminatePort  (24, ...
 01380   784   NtRegisterThreadTerminatePort  (24, ...
 01381   788   NtRegisterThreadTerminatePort  (24, ...
 01382   676   NtRegisterThreadTerminatePort  (24, ...
 01383   744   NtRegisterThreadTerminatePort  (24, ...
 01384   732   NtRegisterThreadTerminatePort  (24, ...
 01376   636   NtTestAlert  ... ) == 0x0
 01385   572   NtWaitForSingleObject  (136, 0, 0x0, ...
 01377   420   NtCreateThread  ... 172, {412, 948}, ) == 0x0
 01386   856   NtContinue  (27262256, 1, ...
 01378   836   NtRegisterThreadTerminatePort  ... ) == 0x0
 01379   716   NtRegisterThreadTerminatePort  ... ) == 0x0
 01380   784   NtRegisterThreadTerminatePort  ... ) == 0x0
 01381   788   NtRegisterThreadTerminatePort  ... ) == 0x0
 01382   676   NtRegisterThreadTerminatePort  ... ) == 0x0
 01383   744   NtRegisterThreadTerminatePort  ... ) == 0x0
 01384   732   NtRegisterThreadTerminatePort  ... ) == 0x0
 01387   636   NtContinue  (18873648, 1, ...
 01388   420   NtQueryInformationThread  (172, Basic, 28, ...
 01389   856   NtRegisterThreadTerminatePort  (24, ...
 01390   836   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01391   716   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01392   784   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01393   788   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01394   676   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01395   744   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01396   732   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01397   636   NtRegisterThreadTerminatePort  (24, ...
 01398   860   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01388   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=412,Tid=948,}, 0x0, ) == 0x0
 01389   856   NtRegisterThreadTerminatePort  ... ) == 0x0
 01390   836   NtCreateEvent  ... 292, ) == 0x0
 01391   716   NtCreateEvent  ... 296, ) == 0x0
 01392   784   NtCreateEvent  ... 300, ) == 0x0
 01393   788   NtCreateEvent  ... 304, ) == 0x0
 01394   676   NtCreateEvent  ... 308, ) == 0x0
 01395   744   NtCreateEvent  ... 312, ) == 0x0
 01397   636   NtRegisterThreadTerminatePort  ... ) == 0x0
 01398   860   NtCreateEvent  ... 316, ) == 0x0
 01399   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1535, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\234\1\0\0\264\3\0\0" ...  ...
 01400   856   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01401   836   NtWaitForSingleObject  (292, 0, 0x0, ...
 01402   716   NtClose  (296, ...
 01403   784   NtClose  (300, ...
 01404   788   NtClose  (304, ...
 01405   676   NtClose  (308, ...
 01406   744   NtClose  (312, ...
 01407   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 01408   860   NtClose  (316, ...
 01399   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1536, 0}  ... {28, 56, reply, 0, 412, 420, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\234\1\0\0\264\3\0\0" )  ) == 0x0
 01400   856   NtCreateEvent  ... 320, ) == 0x0
 01402   716   NtClose  ... ) == 0x0
 01403   784   NtClose  ... ) == 0x0
 01404   788   NtClose  ... ) == 0x0
 01405   676   NtClose  ... ) == 0x0
 01406   744   NtClose  ... ) == 0x0
 01396   732   NtCreateEvent  ... 312, ) == 0x0
 01408   860   NtClose  ... ) == 0x0
 01409   420   NtResumeThread  (172, ...
 01410   856   NtClose  (320, ...
 01411   716   NtWaitForSingleObject  (292, 0, 0x0, ...
 01412   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 01413   788   NtWaitForSingleObject  (292, 0, 0x0, ...
 01414   676   NtWaitForSingleObject  (292, 0, 0x0, ...
 01415   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 01416   732   NtClose  (312, ...
 01417   860   NtSetEventBoostPriority  (292, ...
 01409   420   NtResumeThread  ... 1, ) == 0x0
 01410   856   NtClose  ... ) == 0x0
 01416   732   NtClose  ... ) == 0x0
 01401   836   NtWaitForSingleObject  ... ) == 0x0
 01417   860   NtSetEventBoostPriority  ... ) == 0x0
 01418   948   NtWaitForSingleObject  (136, 0, 0x0, ...
 01419   856   NtWaitForSingleObject  (292, 0, 0x0, ...
 01420   836   NtSetEventBoostPriority  (292, ...
 01421   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 01422   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01423   860   NtSetEventBoostPriority  (136, ...
 01411   716   NtWaitForSingleObject  ... ) == 0x0
 01420   836   NtSetEventBoostPriority  ... ) == 0x0
 01422   420   NtAllocateVirtualMemory  ... 48300032, 1048576, ) == 0x0
 01424   716   NtSetEventBoostPriority  (292, ...
 01118   864   NtWaitForSingleObject  ... ) == 0x0
 01423   860   NtSetEventBoostPriority  ... ) == 0x0
 01412   784   NtWaitForSingleObject  ... ) == 0x0
 01425   864   NtWaitForSingleObject  (292, 0, 0x0, ...
 01424   716   NtSetEventBoostPriority  ... ) == 0x0
 01426   420   NtAllocateVirtualMemory  (-1, 49340416, 0, 8192, 4096, 4, ...
 01427   784   NtSetEventBoostPriority  (292, ...
 01428   860   NtTestAlert  (...
 01429   836   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01413   788   NtWaitForSingleObject  ... ) == 0x0
 01427   784   NtSetEventBoostPriority  ... ) == 0x0
 01426   420   NtAllocateVirtualMemory  ... 49340416, 8192, ) == 0x0
 01428   860   NtTestAlert  ... ) == 0x0
 01430   788   NtSetEventBoostPriority  (292, ...
 01429   836   NtDuplicateObject  ... 312, ) == 0x0
 01431   716   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01414   676   NtWaitForSingleObject  ... ) == 0x0
 01430   788   NtSetEventBoostPriority  ... ) == 0x0
 01432   860   NtContinue  (28310832, 1, ...
 01433   836   NtWaitForSingleObject  (292, 0, 0x0, ...
 01434   676   NtSetEventBoostPriority  (292, ...
 01431   716   NtDuplicateObject  ... 320, ) == 0x0
 01435   420   NtProtectVirtualMemory  (-1, (0x2f0e000), 4096, 260, ...
 01436   784   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01437   860   NtRegisterThreadTerminatePort  (24, ...
 01415   744   NtWaitForSingleObject  ... ) == 0x0
 01434   676   NtSetEventBoostPriority  ... ) == 0x0
 01438   716   NtWaitForSingleObject  (292, 0, 0x0, ...
 01435   420   NtProtectVirtualMemory  ... (0x2f0e000), 4096, 4, ) == 0x0
 01436   784   NtDuplicateObject  ... 316, ) == 0x0
 01439   788   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01440   744   NtSetEventBoostPriority  (292, ...
 01437   860   NtRegisterThreadTerminatePort  ... ) == 0x0
 01441   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01442   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 01407   636   NtWaitForSingleObject  ... ) == 0x0
 01440   744   NtSetEventBoostPriority  ... ) == 0x0
 01439   788   NtDuplicateObject  ... 308, ) == 0x0
 01443   860   NtWaitForSingleObject  (292, 0, 0x0, ...
 01441   420   NtCreateThread  ... 304, {412, 952}, ) == 0x0
 01444   636   NtSetEventBoostPriority  (292, ...
 01445   676   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01446   788   NtWaitForSingleObject  (292, 0, 0x0, ...
 01421   732   NtWaitForSingleObject  ... ) == 0x0
 01447   420   NtQueryInformationThread  (304, Basic, 28, ...
 01445   676   NtDuplicateObject  ... 300, ) == 0x0
 01448   732   NtSetEventBoostPriority  (292, ...
 01447   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=412,Tid=952,}, 0x0, ) == 0x0
 01449   676   NtWaitForSingleObject  (292, 0, 0x0, ...
 01419   856   NtWaitForSingleObject  ... ) == 0x0
 01448   732   NtSetEventBoostPriority  ... ) == 0x0
 01444   636   NtSetEventBoostPriority  ... ) == 0x0
 01450   744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01451   856   NtSetEventBoostPriority  (292, ...
 01452   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1536, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\1\0\0\234\1\0\0\270\3\0\0" ...  ...
 01453   636   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01425   864   NtWaitForSingleObject  ... ) == 0x0
 01450   744   NtDuplicateObject  ... 296, ) == 0x0
 01452   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1537, 0}  ... {28, 56, reply, 0, 412, 420, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\1\0\0\234\1\0\0\270\3\0\0" )  ) == 0x0
 01454   864   NtSetEventBoostPriority  (292, ...
 01453   636   NtDuplicateObject  ... 324, ) == 0x0
 01455   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 01433   836   NtWaitForSingleObject  ... ) == 0x0
 01454   864   NtSetEventBoostPriority  ... ) == 0x0
 01456   420   NtResumeThread  (304, ...
 01451   856   NtSetEventBoostPriority  ... ) == 0x0
 01457   732   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01458   836   NtSetEventBoostPriority  (292, ...
 01459   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 01456   420   NtResumeThread  ... 1, ) == 0x0
 01460   856   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01438   716   NtWaitForSingleObject  ... ) == 0x0
 01458   836   NtSetEventBoostPriority  ... ) == 0x0
 01457   732   NtDuplicateObject  ... 328, ) == 0x0
 01461   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01462   716   NtSetEventBoostPriority  (292, ...
 01460   856   NtDuplicateObject  ... 332, ) == 0x0
 01463   864   NtSetEventBoostPriority  (136, ...
 01464   952   NtWaitForSingleObject  (136, 0, 0x0, ...
 01465   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 01466   836   NtWaitForSingleObject  (292, 0, 0x0, ...
 01442   784   NtWaitForSingleObject  ... ) == 0x0
 01462   716   NtSetEventBoostPriority  ... ) == 0x0
 01461   420   NtAllocateVirtualMemory  ... 49348608, 1048576, ) == 0x0
 01128   868   NtWaitForSingleObject  ... ) == 0x0
 01463   864   NtSetEventBoostPriority  ... ) == 0x0
 01467   784   NtSetEventBoostPriority  (292, ...
 01468   856   NtWaitForSingleObject  (292, 0, 0x0, ...
 01469   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01470   420   NtAllocateVirtualMemory  (-1, 50388992, 0, 8192, 4096, 4, ...
 01443   860   NtWaitForSingleObject  ... ) == 0x0
 01467   784   NtSetEventBoostPriority  ... ) == 0x0
 01471   864   NtTestAlert  (...
 01472   860   NtSetEventBoostPriority  (292, ...
 01470   420   NtAllocateVirtualMemory  ... 50388992, 8192, ) == 0x0
 01473   716   NtWaitForSingleObject  (292, 0, 0x0, ...
 01446   788   NtWaitForSingleObject  ... ) == 0x0
 01472   860   NtSetEventBoostPriority  ... ) == 0x0
 01471   864   NtTestAlert  ... ) == 0x0
 01474   420   NtProtectVirtualMemory  (-1, (0x300e000), 4096, 260, ...
 01475   788   NtSetEventBoostPriority  (292, ...
 01476   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 01477   864   NtContinue  (29359408, 1, ...
 01449   676   NtWaitForSingleObject  ... ) == 0x0
 01475   788   NtSetEventBoostPriority  ... ) == 0x0
 01474   420   NtProtectVirtualMemory  ... (0x300e000), 4096, 4, ) == 0x0
 01478   676   NtSetEventBoostPriority  (292, ...
 01479   864   NtRegisterThreadTerminatePort  (24, ...
 01480   860   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01455   744   NtWaitForSingleObject  ... ) == 0x0
 01478   676   NtSetEventBoostPriority  ... ) == 0x0
 01481   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01482   788   NtWaitForSingleObject  (292, 0, 0x0, ...
 01483   744   NtSetEventBoostPriority  (292, ...
 01480   860   NtDuplicateObject  ... 336, ) == 0x0
 01479   864   NtRegisterThreadTerminatePort  ... ) == 0x0
 01484   676   NtWaitForSingleObject  (292, 0, 0x0, ...
 01459   636   NtWaitForSingleObject  ... ) == 0x0
 01483   744   NtSetEventBoostPriority  ... ) == 0x0
 01485   860   NtWaitForSingleObject  (292, 0, 0x0, ...
 01486   864   NtWaitForSingleObject  (292, 0, 0x0, ...
 01487   636   NtSetEventBoostPriority  (292, ...
 01481   420   NtCreateThread  ... 340, {412, 956}, ) == 0x0
 01465   732   NtWaitForSingleObject  ... ) == 0x0
 01487   636   NtSetEventBoostPriority  ... ) == 0x0
 01488   732   NtSetEventBoostPriority  (292, ...
 01489   420   NtQueryInformationThread  (340, Basic, 28, ...
 01466   836   NtWaitForSingleObject  ... ) == 0x0
 01488   732   NtSetEventBoostPriority  ... ) == 0x0
 01490   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 01491   836   NtSetEventBoostPriority  (292, ...
 01489   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=412,Tid=956,}, 0x0, ) == 0x0
 01492   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 01493   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 01469   868   NtWaitForSingleObject  ... ) == 0x0
 01491   836   NtSetEventBoostPriority  ... ) == 0x0
 01494   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1537, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\1\0\0\234\1\0\0\274\3\0\0" ...  ...
 01495   868   NtSetEventBoostPriority  (292, ...
 01496   836   NtWaitForSingleObject  (292, 0, 0x0, ...
 01468   856   NtWaitForSingleObject  ... ) == 0x0
 01495   868   NtSetEventBoostPriority  ... ) == 0x0
 01494   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1538, 0}  ... {28, 56, reply, 0, 412, 420, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\1\0\0\234\1\0\0\274\3\0\0" )  ) == 0x0
 01497   856   NtSetEventBoostPriority  (292, ...
 01498   868   NtSetEventBoostPriority  (136, ...
 01473   716   NtWaitForSingleObject  ... ) == 0x0
 01497   856   NtSetEventBoostPriority  ... ) == 0x0
 01499   716   NtSetEventBoostPriority  (292, ...
 01134   872   NtWaitForSingleObject  ... ) == 0x0
 01498   868   NtSetEventBoostPriority  ... ) == 0x0
 01476   784   NtWaitForSingleObject  ... ) == 0x0
 01500   872   NtWaitForSingleObject  (292, 0, 0x0, ...
 01499   716   NtSetEventBoostPriority  ... ) == 0x0
 01501   856   NtWaitForSingleObject  (292, 0, 0x0, ...
 01502   784   NtSetEventBoostPriority  (292, ...
 01503   868   NtTestAlert  (...
 01504   716   NtWaitForSingleObject  (292, 0, 0x0, ...
 01505   420   NtResumeThread  (340, ...
 01482   788   NtWaitForSingleObject  ... ) == 0x0
 01502   784   NtSetEventBoostPriority  ... ) == 0x0
 01503   868   NtTestAlert  ... ) == 0x0
 01506   788   NtSetEventBoostPriority  (292, ...
 01505   420   NtResumeThread  ... 1, ) == 0x0
 01507   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 01484   676   NtWaitForSingleObject  ... ) == 0x0
 01506   788   NtSetEventBoostPriority  ... ) == 0x0
 01508   868   NtContinue  (30407984, 1, ...
 01509   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01510   956   NtWaitForSingleObject  (136, 0, 0x0, ...
 01511   676   NtSetEventBoostPriority  (292, ...
 01512   788   NtWaitForSingleObject  (292, 0, 0x0, ...
 01513   868   NtRegisterThreadTerminatePort  (24, ...
 01509   420   NtAllocateVirtualMemory  ... 50397184, 1048576, ) == 0x0
 01485   860   NtWaitForSingleObject  ... ) == 0x0
 01511   676   NtSetEventBoostPriority  ... ) == 0x0
 01514   860   NtSetEventBoostPriority  (292, ...
 01515   420   NtAllocateVirtualMemory  (-1, 51437568, 0, 8192, 4096, 4, ...
 01486   864   NtWaitForSingleObject  ... ) == 0x0
 01514   860   NtSetEventBoostPriority  ... ) == 0x0
 01516   676   NtWaitForSingleObject  (292, 0, 0x0, ...
 01517   864   NtSetEventBoostPriority  (292, ...
 01515   420   NtAllocateVirtualMemory  ... 51437568, 8192, ) == 0x0
 01513   868   NtRegisterThreadTerminatePort  ... ) == 0x0
 01518   860   NtWaitForSingleObject  (292, 0, 0x0, ...
 01492   744   NtWaitForSingleObject  ... ) == 0x0
 01517   864   NtSetEventBoostPriority  ... ) == 0x0
 01519   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01520   744   NtSetEventBoostPriority  (292, ...
 01521   420   NtProtectVirtualMemory  (-1, (0x310e000), 4096, 260, ...
 01493   732   NtWaitForSingleObject  ... ) == 0x0
 01520   744   NtSetEventBoostPriority  ... ) == 0x0
 01522   732   NtSetEventBoostPriority  (292, ...
 01521   420   NtProtectVirtualMemory  ... (0x310e000), 4096, 4, ) == 0x0
 01490   636   NtWaitForSingleObject  ... ) == 0x0
 01522   732   NtSetEventBoostPriority  ... ) == 0x0
 01523   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 01524   636   NtSetEventBoostPriority  (292, ...
 01525   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01526   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 01527   864   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01496   836   NtWaitForSingleObject  ... ) == 0x0
 01525   420   NtCreateThread  ... 344, {412, 960}, ) == 0x0
 01524   636   NtSetEventBoostPriority  ... ) == 0x0
 01527   864   NtDuplicateObject  ... 348, ) == 0x0
 01528   836   NtSetEventBoostPriority  (292, ...
 01529   420   NtQueryInformationThread  (344, Basic, 28, ...
 01530   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 01531   864   NtWaitForSingleObject  (292, 0, 0x0, ...
 01500   872   NtWaitForSingleObject  ... ) == 0x0
 01529   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=412,Tid=960,}, 0x0, ) == 0x0
 01532   872   NtSetEventBoostPriority  (292, ...
 01528   836   NtSetEventBoostPriority  ... ) == 0x0
 01501   856   NtWaitForSingleObject  ... ) == 0x0
 01532   872   NtSetEventBoostPriority  ... ) == 0x0
 01533   856   NtSetEventBoostPriority  (292, ...
 01534   836   NtWaitForSingleObject  (292, 0, 0x0, ...
 01535   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1538, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\1\0\0\234\1\0\0\300\3\0\0" ...  ...
 01504   716   NtWaitForSingleObject  ... ) == 0x0
 01535   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1539, 0}  ... {28, 56, reply, 0, 412, 420, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\1\0\0\234\1\0\0\300\3\0\0" )  ) == 0x0
 01536   716   NtSetEventBoostPriority  (292, ...
 01537   420   NtResumeThread  (344, ...
 01507   784   NtWaitForSingleObject  ... ) == 0x0
 01537   420   NtResumeThread  ... 1, ) == 0x0
 01538   784   NtSetEventBoostPriority  (292, ...
 01539   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01512   788   NtWaitForSingleObject  ... ) == 0x0
 01538   784   NtSetEventBoostPriority  ... ) == 0x0
 01536   716   NtSetEventBoostPriority  ... ) == 0x0
 01533   856   NtSetEventBoostPriority  ... ) == 0x0
 01540   872   NtSetEventBoostPriority  (136, ...
 01541   960   NtWaitForSingleObject  (136, 0, 0x0, ...
 01542   788   NtSetEventBoostPriority  (292, ...
 01543   784   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01544   716   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01545   856   NtCreateEvent  (0x100003, 0x0, 1, 0, ...
 01144   876   NtWaitForSingleObject  ... ) == 0x0
 01540   872   NtSetEventBoostPriority  ... ) == 0x0
 01516   676   NtWaitForSingleObject  ... ) == 0x0
 01543   784   NtCreateEvent  ... 352, ) == 0x0
 01544   716   NtCreateEvent  ... 356, ) == 0x0
 01546   876   NtWaitForSingleObject  (292, 0, 0x0, ...
 01545   856   NtCreateEvent  ... 360, ) == 0x0
 01547   872   NtTestAlert  (...
 01548   676   NtSetEventBoostPriority  (292, ...
 01542   788   NtSetEventBoostPriority  ... ) == 0x0
 01539   420   NtAllocateVirtualMemory  ... 51445760, 1048576, ) == 0x0
 01549   784   NtWaitForSingleObject  (352, 0, 0x0, ...
 01550   716   NtClose  (356, ...
 01547   872   NtTestAlert  ... ) == 0x0
 01518   860   NtWaitForSingleObject  ... ) == 0x0
 01551   788   NtWaitForSingleObject  (352, 0, 0x0, ...
 01552   420   NtAllocateVirtualMemory  (-1, 52486144, 0, 8192, 4096, 4, ...
 01550   716   NtClose  ... ) == 0x0
 01553   872   NtContinue  (31456560, 1, ...
 01554   860   NtSetEventBoostPriority  (292, ...
 01552   420   NtAllocateVirtualMemory  ... 52486144, 8192, ) == 0x0
 01555   716   NtWaitForSingleObject  (352, 0, 0x0, ...
 01556   872   NtRegisterThreadTerminatePort  (24, ...
 01519   868   NtWaitForSingleObject  ... ) == 0x0
 01554   860   NtSetEventBoostPriority  ... ) == 0x0
 01557   420   NtProtectVirtualMemory  (-1, (0x320e000), 4096, 260, ...
 01548   676   NtSetEventBoostPriority  ... ) == 0x0
 01558   856   NtClose  (360, ...
 01559   868   NtSetEventBoostPriority  (292, ...
 01560   860   NtWaitForSingleObject  (292, 0, 0x0, ...
 01557   420   NtProtectVirtualMemory  ... (0x320e000), 4096, 4, ) == 0x0
 01561   676   NtWaitForSingleObject  (292, 0, 0x0, ...
 01523   744   NtWaitForSingleObject  ... ) == 0x0
 01559   868   NtSetEventBoostPriority  ... ) == 0x0
 01558   856   NtClose  ... ) == 0x0
 01556   872   NtRegisterThreadTerminatePort  ... ) == 0x0
 01562   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01563   744   NtSetEventBoostPriority  (292, ...
 01564   856   NtWaitForSingleObject  (352, 0, 0x0, ...
 01565   872   NtWaitForSingleObject  (292, 0, 0x0, ...
 01566   868   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01530   636   NtWaitForSingleObject  ... ) == 0x0
 01566   868   NtDuplicateObject  ... 360, ) == 0x0
 01567   636   NtSetEventBoostPriority  (292, ...
 01568   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01531   864   NtWaitForSingleObject  ... ) == 0x0
 01567   636   NtSetEventBoostPriority  ... ) == 0x0
 01569   864   NtSetEventBoostPriority  (292, ...
 01563   744   NtSetEventBoostPriority  ... ) == 0x0
 01562   420   NtCreateThread  ... 356, {412, 984}, ) == 0x0
 01526   732   NtWaitForSingleObject  ... ) == 0x0
 01569   864   NtSetEventBoostPriority  ... ) == 0x0
 01570   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 01571   732   NtSetEventBoostPriority  (292, ...
 01572   420   NtQueryInformationThread  (356, Basic, 28, ...
 01573   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 01534   836   NtWaitForSingleObject  ... ) == 0x0
 01572   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=412,Tid=984,}, 0x0, ) == 0x0
 01574   836   NtSetEventBoostPriority  (292, ...
 01575   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1539, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\234\1\0\0\330\3\0\0" ...  ...
 01546   876   NtWaitForSingleObject  ... ) == 0x0
 01574   836   NtSetEventBoostPriority  ... ) == 0x0
 01576   876   NtSetEventBoostPriority  (292, ...
 01575   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1540, 0}  ... {28, 56, reply, 0, 412, 420, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\234\1\0\0\330\3\0\0" )  ) == 0x0
 01571   732   NtSetEventBoostPriority  ... ) == 0x0
 01577   864   NtWaitForSingleObject  (352, 0, 0x0, ...
 01561   676   NtWaitForSingleObject  ... ) == 0x0
 01576   876   NtSetEventBoostPriority  ... ) == 0x0
 01578   836   NtSetEventBoostPriority  (352, ...
 01579   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 01580   676   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ...
 01581   420   NtResumeThread  (356, ...
 01549   784   NtWaitForSingleObject  ... ) == 0x0
 01578   836   NtSetEventBoostPriority  ... ) == 0x0
 01580   676   NtAllocateVirtualMemory  ... 1368064, 4096, ) == 0x0
 01582   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 01581   420   NtResumeThread  ... 1, ) == 0x0
 01583   836   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01584   876   NtSetEventBoostPriority  (136, ...
 01585   984   NtWaitForSingleObject  (136, 0, 0x0, ...
 01586   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01583   836   NtWaitForSingleObject  ... ) == 0x102
 01150   880   NtWaitForSingleObject  ... ) == 0x0
 01584   876   NtSetEventBoostPriority  ... ) == 0x0
 01586   420   NtAllocateVirtualMemory  ... 52494336, 1048576, ) == 0x0
 01587   880   NtWaitForSingleObject  (292, 0, 0x0, ...
 01588   836   NtWaitForSingleObject  (160, 0, 0x0, ...
 01589   876   NtTestAlert  (...
 01590   420   NtAllocateVirtualMemory  (-1, 53534720, 0, 8192, 4096, 4, ...
 01591   676   NtSetEventBoostPriority  (292, ...
 01589   876   NtTestAlert  ... ) == 0x0
 01590   420   NtAllocateVirtualMemory  ... 53534720, 8192, ) == 0x0
 01560   860   NtWaitForSingleObject  ... ) == 0x0
 01591   676   NtSetEventBoostPriority  ... ) == 0x0
 01592   876   NtContinue  (32505136, 1, ...
 01593   860   NtSetEventBoostPriority  (292, ...
 01594   676   NtWaitForSingleObject  (352, 0, 0x0, ...
 01565   872   NtWaitForSingleObject  ... ) == 0x0
 01595   876   NtRegisterThreadTerminatePort  (24, ...
 01596   872   NtSetEventBoostPriority  (292, ...
 01593   860   NtSetEventBoostPriority  ... ) == 0x0
 01597   420   NtProtectVirtualMemory  (-1, (0x330e000), 4096, 260, ...
 01568   868   NtWaitForSingleObject  ... ) == 0x0
 01596   872   NtSetEventBoostPriority  ... ) == 0x0
 01598   860   NtWaitForSingleObject  (352, 0, 0x0, ...
 01599   868   NtSetEventBoostPriority  (292, ...
 01597   420   NtProtectVirtualMemory  ... (0x330e000), 4096, 4, ) == 0x0
 01595   876   NtRegisterThreadTerminatePort  ... ) == 0x0
 01570   744   NtWaitForSingleObject  ... ) == 0x0
 01599   868   NtSetEventBoostPriority  ... ) == 0x0
 01600   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01601   744   NtSetEventBoostPriority  (292, ...
 01602   876   NtWaitForSingleObject  (292, 0, 0x0, ...
 01603   872   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01573   636   NtWaitForSingleObject  ... ) == 0x0
 01601   744   NtSetEventBoostPriority  ... ) == 0x0
 01600   420   NtCreateThread  ... 364, {412, 988}, ) == 0x0
 01604   636   NtSetEventBoostPriority  (292, ...
 01603   872   NtDuplicateObject  ... 368, ) == 0x0
 01605   868   NtWaitForSingleObject  (352, 0, 0x0, ...
 01579   732   NtWaitForSingleObject  ... ) == 0x0
 01604   636   NtSetEventBoostPriority  ... ) == 0x0
 01606   420   NtQueryInformationThread  (364, Basic, 28, ...
 01607   872   NtWaitForSingleObject  (292, 0, 0x0, ...
 01608   732   NtSetEventBoostPriority  (292, ...
 01609   636   NtWaitForSingleObject  (352, 0, 0x0, ...
 01606   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=412,Tid=988,}, 0x0, ) == 0x0
 01582   784   NtWaitForSingleObject  ... ) == 0x0
 01608   732   NtSetEventBoostPriority  ... ) == 0x0
 01610   744   NtWaitForSingleObject  (352, 0, 0x0, ...
 01611   784   NtSetEventBoostPriority  (292, ...
 01612   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1540, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\1\0\0\234\1\0\0\334\3\0\0" ...  ...
 01587   880   NtWaitForSingleObject  ... ) == 0x0
 01611   784   NtSetEventBoostPriority  ... ) == 0x0
 01613   880   NtSetEventBoostPriority  (292, ...
 01612   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1541, 0}  ... {28, 56, reply, 0, 412, 420, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\1\0\0\234\1\0\0\334\3\0\0" )  ) == 0x0
 01614   732   NtWaitForSingleObject  (352, 0, 0x0, ...
 01602   876   NtWaitForSingleObject  ... ) == 0x0
 01613   880   NtSetEventBoostPriority  ... ) == 0x0
 01615   420   NtResumeThread  (364, ...
 01616   876   NtSetEventBoostPriority  (292, ...
 01617   784   NtSetEventBoostPriority  (352, ...
 01607   872   NtWaitForSingleObject  ... ) == 0x0
 01616   876   NtSetEventBoostPriority  ... ) == 0x0
 01615   420   NtResumeThread  ... 1, ) == 0x0
 01618   872   NtWaitForSingleObject  (352, 0, 0x0, ...
 01551   788   NtWaitForSingleObject  ... ) == 0x0
 01617   784   NtSetEventBoostPriority  ... ) == 0x0
 01619   880   NtSetEventBoostPriority  (136, ...
 01620   988   NtWaitForSingleObject  (136, 0, 0x0, ...
 01621   788   NtSetEventBoostPriority  (352, ...
 01622   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01623   784   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01160   884   NtWaitForSingleObject  ... ) == 0x0
 01619   880   NtSetEventBoostPriority  ... ) == 0x0
 01555   716   NtWaitForSingleObject  ... ) == 0x0
 01621   788   NtSetEventBoostPriority  ... ) == 0x0
 01624   876   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01625   884   NtSetEventBoostPriority  (136, ...
 01623   784   NtWaitForSingleObject  ... ) == 0x102
 01626   716   NtSetEventBoostPriority  (352, ...
 01627   880   NtTestAlert  (...
 01622   420   NtAllocateVirtualMemory  ... 53542912, 1048576, ) == 0x0
 01174   888   NtWaitForSingleObject  ... ) == 0x0
 01625   884   NtSetEventBoostPriority  ... ) == 0x0
 01624   876   NtDuplicateObject  ... 372, ) == 0x0
 01564   856   NtWaitForSingleObject  ... ) == 0x0
 01626   716   NtSetEventBoostPriority  ... ) == 0x0
 01628   784   NtWaitForSingleObject  (160, 0, 0x0, ...
 01627   880   NtTestAlert  ... ) == 0x0
 01629   888   NtSetEventBoostPriority  (136, ...
 01630   420   NtAllocateVirtualMemory  (-1, 54583296, 0, 8192, 4096, 4, ...
 01631   788   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01632   856   NtSetEventBoostPriority  (352, ...
 01633   876   NtWaitForSingleObject  (352, 0, 0x0, ...
 01634   884   NtTestAlert  (...
 01635   716   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01187   892   NtWaitForSingleObject  ... ) == 0x0
 01629   888   NtSetEventBoostPriority  ... ) == 0x0
 01636   880   NtContinue  (33553712, 1, ...
 01630   420   NtAllocateVirtualMemory  ... 54583296, 8192, ) == 0x0
 01577   864   NtWaitForSingleObject  ... ) == 0x0
 01632   856   NtSetEventBoostPriority  ... ) == 0x0
 01631   788   NtWaitForSingleObject  ... ) == 0x102
 01634   884   NtTestAlert  ... ) == 0x0
 01637   892   NtSetEventBoostPriority  (136, ...
 01635   716   NtWaitForSingleObject  ... ) == 0x102
 01638   880   NtRegisterThreadTerminatePort  (24, ...
 01639   864   NtSetEventBoostPriority  (352, ...
 01640   420   NtProtectVirtualMemory  (-1, (0x340e000), 4096, 260, ...
 01641   888   NtTestAlert  (...
 01642   788   NtWaitForSingleObject  (160, 0, 0x0, ...
 01199   908   NtWaitForSingleObject  ... ) == 0x0
 01637   892   NtSetEventBoostPriority  ... ) == 0x0
 01643   884   NtContinue  (34602288, 1, ...
 01644   716   NtWaitForSingleObject  (160, 0, 0x0, ...
 01645   856   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01594   676   NtWaitForSingleObject  ... ) == 0x0
 01639   864   NtSetEventBoostPriority  ... ) == 0x0
 01640   420   NtProtectVirtualMemory  ... (0x340e000), 4096, 4, ) == 0x0
 01641   888   NtTestAlert  ... ) == 0x0
 01646   908   NtSetEventBoostPriority  (136, ...
 01638   880   NtRegisterThreadTerminatePort  ... ) == 0x0
 01647   884   NtRegisterThreadTerminatePort  (24, ...
 01648   676   NtSetEventBoostPriority  (352, ...
 01645   856   NtWaitForSingleObject  ... ) == 0x102
 01649   864   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01650   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01221   912   NtWaitForSingleObject  ... ) == 0x0
 01646   908   NtSetEventBoostPriority  ... ) == 0x0
 01651   888   NtContinue  (35650864, 1, ...
 01652   880   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01598   860   NtWaitForSingleObject  ... ) == 0x0
 01648   676   NtSetEventBoostPriority  ... ) == 0x0
 01647   884   NtRegisterThreadTerminatePort  ... ) == 0x0
 01653   856   NtWaitForSingleObject  (160, 0, 0x0, ...
 01654   892   NtTestAlert  (...
 01649   864   NtWaitForSingleObject  ... ) == 0x102
 01655   912   NtSetEventBoostPriority  (136, ...
 01650   420   NtCreateThread  ... 376, {412, 1012}, ) == 0x0
 01656   888   NtRegisterThreadTerminatePort  (24, ...
 01657   860   NtSetEventBoostPriority  (352, ...
 01652   880   NtDuplicateObject  ... 380, ) == 0x0
 01658   908   NtTestAlert  (...
 01659   884   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01654   892   NtTestAlert  ... ) == 0x0
 01233   916   NtWaitForSingleObject  ... ) == 0x0
 01655   912   NtSetEventBoostPriority  ... ) == 0x0
 01660   864   NtWaitForSingleObject  (160, 0, 0x0, ...
 01661   420   NtQueryInformationThread  (376, Basic, 28, ...
 01605   868   NtWaitForSingleObject  ... ) == 0x0
 01657   860   NtSetEventBoostPriority  ... ) == 0x0
 01656   888   NtRegisterThreadTerminatePort  ... ) == 0x0
 01662   880   NtWaitForSingleObject  (352, 0, 0x0, ...
 01658   908   NtTestAlert  ... ) == 0x0
 01663   676   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01664   916   NtSetEventBoostPriority  (136, ...
 01665   892   NtContinue  (36699440, 1, ...
 01659   884   NtDuplicateObject  ... 384, ) == 0x0
 01666   868   NtSetEventBoostPriority  (352, ...
 01661   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=412,Tid=1012,}, 0x0, ) == 0x0
 01667   912   NtTestAlert  (...
 01668   888   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01669   908   NtContinue  (37748016, 1, ...
 01246   920   NtWaitForSingleObject  ... ) == 0x0
 01664   916   NtSetEventBoostPriority  ... ) == 0x0
 01663   676   NtWaitForSingleObject  ... ) == 0x102
 01670   892   NtRegisterThreadTerminatePort  (24, ...
 01609   636   NtWaitForSingleObject  ... ) == 0x0
 01666   868   NtSetEventBoostPriority  ... ) == 0x0
 01671   884   NtWaitForSingleObject  (352, 0, 0x0, ...
 01672   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1541, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\234\1\0\0\364\3\0\0" ...  ...
 01667   912   NtTestAlert  ... ) == 0x0
 01673   860   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01674   920   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ...
 01675   908   NtRegisterThreadTerminatePort  (24, ...
 01668   888   NtDuplicateObject  ... 388, ) == 0x0
 01676   676   NtWaitForSingleObject  (160, 0, 0x0, ...
 01677   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 01670   892   NtRegisterThreadTerminatePort  ... ) == 0x0
 01678   868   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01672   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1542, 0}  ... {28, 56, reply, 0, 412, 420, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\234\1\0\0\364\3\0\0" )  ) == 0x0
 01679   912   NtContinue  (38796592, 1, ...
 01674   920   NtAllocateVirtualMemory  ... 1372160, 4096, ) == 0x0
 01673   860   NtWaitForSingleObject  ... ) == 0x102
 01675   908   NtRegisterThreadTerminatePort  ... ) == 0x0
 01680   888   NtWaitForSingleObject  (292, 0, 0x0, ...
 01681   892   NtWaitForSingleObject  (292, 0, 0x0, ...
 01682   916   NtTestAlert  (...
 01678   868   NtWaitForSingleObject  ... ) == 0x102
 01683   912   NtRegisterThreadTerminatePort  (24, ...
 01684   420   NtResumeThread  (376, ...
 01685   860   NtWaitForSingleObject  (292, 0, 0x0, ...
 01686   908   NtWaitForSingleObject  (292, 0, 0x0, ...
 01687   920   NtSetEventBoostPriority  (292, ...
 01682   916   NtTestAlert  ... ) == 0x0
 01688   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 01683   912   NtRegisterThreadTerminatePort  ... ) == 0x0
 01684   420   NtResumeThread  ... 1, ) == 0x0
 01689  1012   NtWaitForSingleObject  (136, 0, 0x0, ...
 01677   636   NtWaitForSingleObject  ... ) == 0x0
 01687   920   NtSetEventBoostPriority  ... ) == 0x0
 01690   916   NtContinue  (39845168, 1, ...
 01691   912   NtWaitForSingleObject  (292, 0, 0x0, ...
 01692   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01693   636   NtSetEventBoostPriority  (292, ...
 01694   920   NtSetEventBoostPriority  (136, ...
 01695   916   NtRegisterThreadTerminatePort  (24, ...
 01680   888   NtWaitForSingleObject  ... ) == 0x0
 01692   420   NtAllocateVirtualMemory  ... 54591488, 1048576, ) == 0x0
 01258   924   NtWaitForSingleObject  ... ) == 0x0
 01694   920   NtSetEventBoostPriority  ... ) == 0x0
 01695   916   NtRegisterThreadTerminatePort  ... ) == 0x0
 01696   888   NtSetEventBoostPriority  (292, ...
 01697   924   NtWaitForSingleObject  (292, 0, 0x0, ...
 01698   420   NtAllocateVirtualMemory  (-1, 55631872, 0, 8192, 4096, 4, ...
 01699   920   NtTestAlert  (...
 01700   916   NtWaitForSingleObject  (292, 0, 0x0, ...
 01685   860   NtWaitForSingleObject  ... ) == 0x0
 01696   888   NtSetEventBoostPriority  ... ) == 0x0
 01698   420   NtAllocateVirtualMemory  ... 55631872, 8192, ) == 0x0
 01699   920   NtTestAlert  ... ) == 0x0
 01693   636   NtSetEventBoostPriority  ... ) == 0x0
 01701   860   NtSetEventBoostPriority  (292, ...
 01702   888   NtWaitForSingleObject  (292, 0, 0x0, ...
 01703   420   NtProtectVirtualMemory  (-1, (0x350e000), 4096, 260, ...
 01704   920   NtContinue  (40893744, 1, ...
 01681   892   NtWaitForSingleObject  ... ) == 0x0
 01701   860   NtSetEventBoostPriority  ... ) == 0x0
 01703   420   NtProtectVirtualMemory  ... (0x350e000), 4096, 4, ) == 0x0
 01705   892   NtSetEventBoostPriority  (292, ...
 01706   920   NtRegisterThreadTerminatePort  (24, ...
 01707   636   NtSetEventBoostPriority  (352, ...
 01688   868   NtWaitForSingleObject  ... ) == 0x0
 01708   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01706   920   NtRegisterThreadTerminatePort  ... ) == 0x0
 01610   744   NtWaitForSingleObject  ... ) == 0x0
 01707   636   NtSetEventBoostPriority  ... ) == 0x0
 01709   868   NtSetEventBoostPriority  (292, ...
 01708   420   NtCreateThread  ... 392, {412, 1016}, ) == 0x0
 01710   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 01711   920   NtWaitForSingleObject  (292, 0, 0x0, ...
 01712   636   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01686   908   NtWaitForSingleObject  ... ) == 0x0
 01709   868   NtSetEventBoostPriority  ... ) == 0x0
 01713   420   NtQueryInformationThread  (392, Basic, 28, ...
 01714   908   NtSetEventBoostPriority  (292, ...
 01712   636   NtWaitForSingleObject  ... ) == 0x102
 01705   892   NtSetEventBoostPriority  ... ) == 0x0
 01715   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01697   924   NtWaitForSingleObject  ... ) == 0x0
 01713   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=412,Tid=1016,}, 0x0, ) == 0x0
 01716   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 01717   892   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01718   924   NtSetEventBoostPriority  (292, ...
 01714   908   NtSetEventBoostPriority  ... ) == 0x0
 01719   868   NtWaitForSingleObject  (160, 0, 0x0, ...
 01720   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1542, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\1\0\0\234\1\0\0\370\3\0\0" ...  ...
 01691   912   NtWaitForSingleObject  ... ) == 0x0
 01718   924   NtSetEventBoostPriority  ... ) == 0x0
 01717   892   NtDuplicateObject  ... 396, ) == 0x0
 01721   908   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01722   912   NtSetEventBoostPriority  (292, ...
 01720   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1543, 0}  ... {28, 56, reply, 0, 412, 420, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\1\0\0\234\1\0\0\370\3\0\0" )  ) == 0x0
 01723   924   NtSetEventBoostPriority  (136, ...
 01700   916   NtWaitForSingleObject  ... ) == 0x0
 01721   908   NtDuplicateObject  ... 400, ) == 0x0
 01724   420   NtResumeThread  (392, ...
 01280   928   NtWaitForSingleObject  ... ) == 0x0
 01723   924   NtSetEventBoostPriority  ... ) == 0x0
 01725   916   NtSetEventBoostPriority  (292, ...
 01722   912   NtSetEventBoostPriority  ... ) == 0x0
 01726   892   NtWaitForSingleObject  (292, 0, 0x0, ...
 01727   928   NtWaitForSingleObject  (292, 0, 0x0, ...
 01724   420   NtResumeThread  ... 1, ) == 0x0
 01728   924   NtTestAlert  (...
 01702   888   NtWaitForSingleObject  ... ) == 0x0
 01729   912   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01730   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01728   924   NtTestAlert  ... ) == 0x0
 01731   888   NtSetEventBoostPriority  (292, ...
 01729   912   NtDuplicateObject  ... 404, ) == 0x0
 01725   916   NtSetEventBoostPriority  ... ) == 0x0
 01732   908   NtWaitForSingleObject  (292, 0, 0x0, ...
 01733  1016   NtWaitForSingleObject  (136, 0, 0x0, ...
 01734   924   NtContinue  (41942320, 1, ...
 01710   744   NtWaitForSingleObject  ... ) == 0x0
 01731   888   NtSetEventBoostPriority  ... ) == 0x0
 01730   420   NtAllocateVirtualMemory  ... 55640064, 1048576, ) == 0x0
 01735   916   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01736   744   NtSetEventBoostPriority  (292, ...
 01737   924   NtRegisterThreadTerminatePort  (24, ...
 01738   888   NtWaitForSingleObject  (292, 0, 0x0, ...
 01739   420   NtAllocateVirtualMemory  (-1, 56680448, 0, 8192, 4096, 4, ...
 01711   920   NtWaitForSingleObject  ... ) == 0x0
 01736   744   NtSetEventBoostPriority  ... ) == 0x0
 01735   916   NtDuplicateObject  ... 408, ) == 0x0
 01740   912   NtWaitForSingleObject  (292, 0, 0x0, ...
 01737   924   NtRegisterThreadTerminatePort  ... ) == 0x0
 01741   920   NtSetEventBoostPriority  (292, ...
 01739   420   NtAllocateVirtualMemory  ... 56680448, 8192, ) == 0x0
 01742   744   NtSetEventBoostPriority  (352, ...
 01716   636   NtWaitForSingleObject  ... ) == 0x0
 01741   920   NtSetEventBoostPriority  ... ) == 0x0
 01743   924   NtWaitForSingleObject  (292, 0, 0x0, ...
 01744   420   NtProtectVirtualMemory  (-1, (0x360e000), 4096, 260, ...
 01745   636   NtSetEventBoostPriority  (292, ...
 01614   732   NtWaitForSingleObject  ... ) == 0x0
 01742   744   NtSetEventBoostPriority  ... ) == 0x0
 01746   916   NtWaitForSingleObject  (292, 0, 0x0, ...
 01727   928   NtWaitForSingleObject  ... ) == 0x0
 01747   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 01744   420   NtProtectVirtualMemory  ... (0x360e000), 4096, 4, ) == 0x0
 01748   744   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01749   928   NtSetEventBoostPriority  (292, ...
 01750   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01726   892   NtWaitForSingleObject  ... ) == 0x0
 01749   928   NtSetEventBoostPriority  ... ) == 0x0
 01748   744   NtWaitForSingleObject  ... ) == 0x102
 01745   636   NtSetEventBoostPriority  ... ) == 0x0
 01751   920   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01752   892   NtSetEventBoostPriority  (292, ...
 01750   420   NtCreateThread  ... 412, {412, 1020}, ) == 0x0
 01753   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 01754   636   NtWaitForSingleObject  (160, 0, 0x0, ...
 01732   908   NtWaitForSingleObject  ... ) == 0x0
 01752   892   NtSetEventBoostPriority  ... ) == 0x0
 01751   920   NtDuplicateObject  ... 416, ) == 0x0
 01755   420   NtQueryInformationThread  (412, Basic, 28, ...
 01756   928   NtSetEventBoostPriority  (136, ...
 01757   908   NtSetEventBoostPriority  (292, ...
 01758   892   NtWaitForSingleObject  (292, 0, 0x0, ...
 01759   920   NtWaitForSingleObject  (292, 0, 0x0, ...
 01755   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=412,Tid=1020,}, 0x0, ) == 0x0
 01738   888   NtWaitForSingleObject  ... ) == 0x0
 01757   908   NtSetEventBoostPriority  ... ) == 0x0
 01292   932   NtWaitForSingleObject  ... ) == 0x0
 01756   928   NtSetEventBoostPriority  ... ) == 0x0
 01760   888   NtSetEventBoostPriority  (292, ...
 01761   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1543, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0\234\1\0\0\374\3\0\0" ...  ...
 01762   932   NtWaitForSingleObject  (292, 0, 0x0, ...
 01763   908   NtWaitForSingleObject  (292, 0, 0x0, ...
 01740   912   NtWaitForSingleObject  ... ) == 0x0
 01764   928   NtTestAlert  (...
 01761   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1544, 0}  ... {28, 56, reply, 0, 412, 420, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0\234\1\0\0\374\3\0\0" )  ) == 0x0
 01760   888   NtSetEventBoostPriority  ... ) == 0x0
 01765   912   NtSetEventBoostPriority  (292, ...
 01764   928   NtTestAlert  ... ) == 0x0
 01766   888   NtWaitForSingleObject  (352, 0, 0x0, ...
 01743   924   NtWaitForSingleObject  ... ) == 0x0
 01765   912   NtSetEventBoostPriority  ... ) == 0x0
 01767   928   NtContinue  (42990896, 1, ...
 01768   924   NtSetEventBoostPriority  (292, ...
 01769   912   NtWaitForSingleObject  (292, 0, 0x0, ...
 01747   732   NtWaitForSingleObject  ... ) == 0x0
 01768   924   NtSetEventBoostPriority  ... ) == 0x0
 01770   928   NtRegisterThreadTerminatePort  (24, ...
 01771   420   NtResumeThread  (412, ...
 01772   732   NtSetEventBoostPriority  (292, ...
 01773   924   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01746   916   NtWaitForSingleObject  ... ) == 0x0
 01772   732   NtSetEventBoostPriority  ... ) == 0x0
 01771   420   NtResumeThread  ... 1, ) == 0x0
 01774   916   NtSetEventBoostPriority  (292, ...
 01773   924   NtDuplicateObject  ... 420, ) == 0x0
 01770   928   NtRegisterThreadTerminatePort  ... ) == 0x0
 01775  1020   NtWaitForSingleObject  (136, 0, 0x0, ...
 01753   744   NtWaitForSingleObject  ... ) == 0x0
 01774   916   NtSetEventBoostPriority  ... ) == 0x0
 01776   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01777   924   NtWaitForSingleObject  (292, 0, 0x0, ...
 01778   928   NtWaitForSingleObject  (292, 0, 0x0, ...
 01779   744   NtSetEventBoostPriority  (292, ...
 01780   916   NtWaitForSingleObject  (292, 0, 0x0, ...
 01776   420   NtAllocateVirtualMemory  ... 56688640, 1048576, ) == 0x0
 01759   920   NtWaitForSingleObject  ... ) == 0x0
 01779   744   NtSetEventBoostPriority  ... ) == 0x0
 01781   732   NtSetEventBoostPriority  (352, ...
 01782   420   NtAllocateVirtualMemory  (-1, 57729024, 0, 8192, 4096, 4, ...
 01783   920   NtSetEventBoostPriority  (292, ...
 01784   744   NtWaitForSingleObject  (160, 0, 0x0, ...
 01618   872   NtWaitForSingleObject  ... ) == 0x0
 01781   732   NtSetEventBoostPriority  ... ) == 0x0
 01782   420   NtAllocateVirtualMemory  ... 57729024, 8192, ) == 0x0
 01762   932   NtWaitForSingleObject  ... ) == 0x0
 01783   920   NtSetEventBoostPriority  ... ) == 0x0
 01785   872   NtWaitForSingleObject  (292, 0, 0x0, ...
 01786   732   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01787   932   NtSetEventBoostPriority  (292, ...
 01788   420   NtProtectVirtualMemory  (-1, (0x370e000), 4096, 260, ...
 01758   892   NtWaitForSingleObject  ... ) == 0x0
 01787   932   NtSetEventBoostPriority  ... ) == 0x0
 01786   732   NtWaitForSingleObject  ... ) == 0x102
 01789   892   NtSetEventBoostPriority  (292, ...
 01788   420   NtProtectVirtualMemory  ... (0x370e000), 4096, 4, ) == 0x0
 01790   920   NtWaitForSingleObject  (292, 0, 0x0, ...
 01763   908   NtWaitForSingleObject  ... ) == 0x0
 01791   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 01792   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01793   908   NtSetEventBoostPriority  (292, ...
 01789   892   NtSetEventBoostPriority  ... ) == 0x0
 01794   932   NtSetEventBoostPriority  (136, ...
 01792   420   NtCreateThread  ... 424, {412, 996}, ) == 0x0
 01769   912   NtWaitForSingleObject  ... ) == 0x0
 01795   892   NtWaitForSingleObject  (292, 0, 0x0, ...
 01305   936   NtWaitForSingleObject  ... ) == 0x0
 01794   932   NtSetEventBoostPriority  ... ) == 0x0
 01796   420   NtQueryInformationThread  (424, Basic, 28, ...
 01797   912   NtSetEventBoostPriority  (292, ...
 01798   936   NtWaitForSingleObject  (292, 0, 0x0, ...
 01799   932   NtTestAlert  (...
 01796   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=412,Tid=996,}, 0x0, ) == 0x0
 01777   924   NtWaitForSingleObject  ... ) == 0x0
 01799   932   NtTestAlert  ... ) == 0x0
 01797   912   NtSetEventBoostPriority  ... ) == 0x0
 01793   908   NtSetEventBoostPriority  ... ) == 0x0
 01800   924   NtSetEventBoostPriority  (292, ...
 01801   932   NtContinue  (44039472, 1, ...
 01802   912   NtWaitForSingleObject  (352, 0, 0x0, ...
 01803   908   NtWaitForSingleObject  (292, 0, 0x0, ...
 01778   928   NtWaitForSingleObject  ... ) == 0x0
 01800   924   NtSetEventBoostPriority  ... ) == 0x0
 01804   932   NtRegisterThreadTerminatePort  (24, ...
 01805   928   NtSetEventBoostPriority  (292, ...
 01806   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1544, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\1\0\0\234\1\0\0\344\3\0\0" ...  ...
 01807   924   NtWaitForSingleObject  (292, 0, 0x0, ...
 01780   916   NtWaitForSingleObject  ... ) == 0x0
 01805   928   NtSetEventBoostPriority  ... ) == 0x0
 01806   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1545, 0}  ... {28, 56, reply, 0, 412, 420, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\1\0\0\234\1\0\0\344\3\0\0" )  ) == 0x0
 01808   916   NtSetEventBoostPriority  (292, ...
 01804   932   NtRegisterThreadTerminatePort  ... ) == 0x0
 01785   872   NtWaitForSingleObject  ... ) == 0x0
 01809   420   NtResumeThread  (424, ...
 01810   872   NtSetEventBoostPriority  (292, ...
 01811   932   NtWaitForSingleObject  (292, 0, 0x0, ...
 01790   920   NtWaitForSingleObject  ... ) == 0x0
 01810   872   NtSetEventBoostPriority  ... ) == 0x0
 01809   420   NtResumeThread  ... 1, ) == 0x0
 01812   920   NtSetEventBoostPriority  (292, ...
 01808   916   NtSetEventBoostPriority  ... ) == 0x0
 01813   928   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01814   996   NtWaitForSingleObject  (136, 0, 0x0, ...
 01795   892   NtWaitForSingleObject  ... ) == 0x0
 01812   920   NtSetEventBoostPriority  ... ) == 0x0
 01815   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01816   916   NtWaitForSingleObject  (292, 0, 0x0, ...
 01813   928   NtDuplicateObject  ... 428, ) == 0x0
 01817   892   NtSetEventBoostPriority  (292, ...
 01818   920   NtWaitForSingleObject  (292, 0, 0x0, ...
 01819   872   NtSetEventBoostPriority  (352, ...
 01798   936   NtWaitForSingleObject  ... ) == 0x0
 01817   892   NtSetEventBoostPriority  ... ) == 0x0
 01820   928   NtWaitForSingleObject  (292, 0, 0x0, ...
 01815   420   NtAllocateVirtualMemory  ... 57737216, 1048576, ) == 0x0
 01821   936   NtSetEventBoostPriority  (292, ...
 01633   876   NtWaitForSingleObject  ... ) == 0x0
 01819   872   NtSetEventBoostPriority  ... ) == 0x0
 01791   732   NtWaitForSingleObject  ... ) == 0x0
 01822   876   NtWaitForSingleObject  (292, 0, 0x0, ...
 01821   936   NtSetEventBoostPriority  ... ) == 0x0
 01823   420   NtAllocateVirtualMemory  (-1, 58777600, 0, 8192, 4096, 4, ...
 01824   732   NtSetEventBoostPriority  (292, ...
 01825   872   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01826   892   NtWaitForSingleObject  (352, 0, 0x0, ...
 01803   908   NtWaitForSingleObject  ... ) == 0x0
 01823   420   NtAllocateVirtualMemory  ... 58777600, 8192, ) == 0x0
 01825   872   NtWaitForSingleObject  ... ) == 0x102
 01827   908   NtSetEventBoostPriority  (292, ...
 01828   420   NtProtectVirtualMemory  (-1, (0x380e000), 4096, 260, ...
 01829   872   NtWaitForSingleObject  (160, 0, 0x0, ...
 01807   924   NtWaitForSingleObject  ... ) == 0x0
 01827   908   NtSetEventBoostPriority  ... ) == 0x0
 01828   420   NtProtectVirtualMemory  ... (0x380e000), 4096, 4, ) == 0x0
 01824   732   NtSetEventBoostPriority  ... ) == 0x0
 01830   936   NtSetEventBoostPriority  (136, ...
 01831   924   NtSetEventBoostPriority  (292, ...
 01832   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01833   732   NtWaitForSingleObject  (160, 0, 0x0, ...
 01811   932   NtWaitForSingleObject  ... ) == 0x0
 01831   924   NtSetEventBoostPriority  ... ) == 0x0
 01312   584   NtWaitForSingleObject  ... ) == 0x0
 01830   936   NtSetEventBoostPriority  ... ) == 0x0
 01834   908   NtWaitForSingleObject  (352, 0, 0x0, ...
 01835   932   NtSetEventBoostPriority  (292, ...
 01836   584   NtSetEventBoostPriority  (136, ...
 01837   924   NtWaitForSingleObject  (352, 0, 0x0, ...
 01838   936   NtTestAlert  (...
 01816   916   NtWaitForSingleObject  ... ) == 0x0
 01325   940   NtWaitForSingleObject  ... ) == 0x0
 01836   584   NtSetEventBoostPriority  ... ) == 0x0
 01835   932   NtSetEventBoostPriority  ... ) == 0x0
 01832   420   NtCreateThread  ... 432, {412, 1028}, ) == 0x0
 01839   916   NtSetEventBoostPriority  (292, ...
 01840   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 01838   936   NtTestAlert  ... ) == 0x0
 01841   584   NtWaitForSingleObject  (292, 0, 0x0, ...
 01818   920   NtWaitForSingleObject  ... ) == 0x0
 01839   916   NtSetEventBoostPriority  ... ) == 0x0
 01842   420   NtQueryInformationThread  (432, Basic, 28, ...
 01843   936   NtContinue  (45088048, 1, ...
 01844   920   NtSetEventBoostPriority  (292, ...
 01845   932   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01842   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=412,Tid=1028,}, 0x0, ) == 0x0
 01820   928   NtWaitForSingleObject  ... ) == 0x0
 01846   936   NtRegisterThreadTerminatePort  (24, ...
 01845   932   NtDuplicateObject  ... 436, ) == 0x0
 01847   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1545, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\1\0\0\234\1\0\0\4\4\0\0" ...  ...
 01848   928   NtSetEventBoostPriority  (292, ...
 01844   920   NtSetEventBoostPriority  ... ) == 0x0
 01849   916   NtWaitForSingleObject  (352, 0, 0x0, ...
 01850   932   NtWaitForSingleObject  (292, 0, 0x0, ...
 01847   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1546, 0}  ... {28, 56, reply, 0, 412, 420, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\1\0\0\234\1\0\0\4\4\0\0" )  ) == 0x0
 01822   876   NtWaitForSingleObject  ... ) == 0x0
 01848   928   NtSetEventBoostPriority  ... ) == 0x0
 01851   920   NtWaitForSingleObject  (292, 0, 0x0, ...
 01846   936   NtRegisterThreadTerminatePort  ... ) == 0x0
 01852   876   NtSetEventBoostPriority  (292, ...
 01853   420   NtResumeThread  (432, ...
 01840   940   NtWaitForSingleObject  ... ) == 0x0
 01852   876   NtSetEventBoostPriority  ... ) == 0x0
 01854   936   NtWaitForSingleObject  (292, 0, 0x0, ...
 01855   940   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ...
 01853   420   NtResumeThread  ... 1, ) == 0x0
 01856   928   NtWaitForSingleObject  (352, 0, 0x0, ...
 01855   940   NtAllocateVirtualMemory  ... 1376256, 4096, ) == 0x0
 01857   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01858   876   NtSetEventBoostPriority  (352, ...
 01859  1028   NtWaitForSingleObject  (136, 0, 0x0, ...
 01857   420   NtAllocateVirtualMemory  ... 58785792, 1048576, ) == 0x0
 01662   880   NtWaitForSingleObject  ... ) == 0x0
 01858   876   NtSetEventBoostPriority  ... ) == 0x0
 01860   880   NtWaitForSingleObject  (292, 0, 0x0, ...
 01861   420   NtAllocateVirtualMemory  (-1, 59826176, 0, 8192, 4096, 4, ...
 01862   876   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01861   420   NtAllocateVirtualMemory  ... 59826176, 8192, ) == 0x0
 01862   876   NtWaitForSingleObject  ... ) == 0x102
 01863   940   NtSetEventBoostPriority  (292, ...
 01864   876   NtWaitForSingleObject  (160, 0, 0x0, ...
 01841   584   NtWaitForSingleObject  ... ) == 0x0
 01863   940   NtSetEventBoostPriority  ... ) == 0x0
 01865   420   NtProtectVirtualMemory  (-1, (0x390e000), 4096, 260, ...
 01866   584   NtSetEventBoostPriority  (292, ...
 01867   940   NtSetEventBoostPriority  (136, ...
 01850   932   NtWaitForSingleObject  ... ) == 0x0
 01866   584   NtSetEventBoostPriority  ... ) == 0x0
 01865   420   NtProtectVirtualMemory  ... (0x390e000), 4096, 4, ) == 0x0
 01868   932   NtSetEventBoostPriority  (292, ...
 01346   944   NtWaitForSingleObject  ... ) == 0x0
 01867   940   NtSetEventBoostPriority  ... ) == 0x0
 01869   584   NtWaitForSingleObject  (292, 0, 0x0, ...
 01851   920   NtWaitForSingleObject  ... ) == 0x0
 01870   944   NtWaitForSingleObject  (292, 0, 0x0, ...
 01868   932   NtSetEventBoostPriority  ... ) == 0x0
 01871   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01872   940   NtTestAlert  (...
 01873   920   NtSetEventBoostPriority  (292, ...
 01871   420   NtCreateThread  ... 440, {412, 1040}, ) == 0x0
 01854   936   NtWaitForSingleObject  ... ) == 0x0
 01873   920   NtSetEventBoostPriority  ... ) == 0x0
 01872   940   NtTestAlert  ... ) == 0x0
 01874   936   NtSetEventBoostPriority  (292, ...
 01875   420   NtQueryInformationThread  (440, Basic, 28, ...
 01876   932   NtWaitForSingleObject  (352, 0, 0x0, ...
 01877   920   NtWaitForSingleObject  (352, 0, 0x0, ...
 01860   880   NtWaitForSingleObject  ... ) == 0x0
 01874   936   NtSetEventBoostPriority  ... ) == 0x0
 01875   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=412,Tid=1040,}, 0x0, ) == 0x0
 01878   880   NtSetEventBoostPriority  (292, ...
 01879   940   NtContinue  (46136624, 1, ...
 01880   936   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01870   944   NtWaitForSingleObject  ... ) == 0x0
 01878   880   NtSetEventBoostPriority  ... ) == 0x0
 01881   940   NtRegisterThreadTerminatePort  (24, ...
 01882   944   NtSetEventBoostPriority  (292, ...
 01880   936   NtDuplicateObject  ... 444, ) == 0x0
 01883   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1546, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\234\1\0\0\20\4\0\0" ...  ...
 01869   584   NtWaitForSingleObject  ... ) == 0x0
 01882   944   NtSetEventBoostPriority  ... ) == 0x0
 01881   940   NtRegisterThreadTerminatePort  ... ) == 0x0
 01884   936   NtWaitForSingleObject  (292, 0, 0x0, ...
 01885   584   NtSetEventBoostPriority  (292, ...
 01883   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1547, 0}  ... {28, 56, reply, 0, 412, 420, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\234\1\0\0\20\4\0\0" )  ) == 0x0
 01886   880   NtSetEventBoostPriority  (352, ...
 01887   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 01885   584   NtSetEventBoostPriority  ... ) == 0x0
 01884   936   NtWaitForSingleObject  ... ) == 0x0
 01888   420   NtResumeThread  (440, ...
 01671   884   NtWaitForSingleObject  ... ) == 0x0
 01886   880   NtSetEventBoostPriority  ... ) == 0x0
 01889   584   NtQuerySystemInformation  (Basic, 44, ...
 01890   936   NtSetEventBoostPriority  (292, ...
 01891   884   NtWaitForSingleObject  (292, 0, 0x0, ...
 01888   420   NtResumeThread  ... 1, ) == 0x0
 01889   584   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01892   880   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01893   944   NtSetEventBoostPriority  (136, ...
 01894  1040   NtWaitForSingleObject  (136, 0, 0x0, ...
 01895   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01887   940   NtWaitForSingleObject  ... ) == 0x0
 01890   936   NtSetEventBoostPriority  ... ) == 0x0
 01892   880   NtWaitForSingleObject  ... ) == 0x102
 01385   572   NtWaitForSingleObject  ... ) == 0x0
 01893   944   NtSetEventBoostPriority  ... ) == 0x0
 01896   584   NtWaitForSingleObject  (352, 0, 0x0, ...
 01897   940   NtSetEventBoostPriority  (292, ...
 01898   936   NtWaitForSingleObject  (292, 0, 0x0, ...
 01899   572   NtSetEventBoostPriority  (136, ...
 01900   880   NtWaitForSingleObject  (292, 0, 0x0, ...
 01901   944   NtTestAlert  (...
 01891   884   NtWaitForSingleObject  ... ) == 0x0
 01897   940   NtSetEventBoostPriority  ... ) == 0x0
 01418   948   NtWaitForSingleObject  ... ) == 0x0
 01899   572   NtSetEventBoostPriority  ... ) == 0x0
 01895   420   NtAllocateVirtualMemory  ... 59834368, 1048576, ) == 0x0
 01902   884   NtSetEventBoostPriority  (292, ...
 01901   944   NtTestAlert  ... ) == 0x0
 01903   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 01904   572   NtWaitForSingleObject  (136, 0, 0x0, ...
 01898   936   NtWaitForSingleObject  ... ) == 0x0
 01902   884   NtSetEventBoostPriority  ... ) == 0x0
 01905   420   NtAllocateVirtualMemory  (-1, 60874752, 0, 8192, 4096, 4, ...
 01906   944   NtContinue  (47250736, 1, ...
 01907   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01908   936   NtSetEventBoostPriority  (292, ...
 01905   420   NtAllocateVirtualMemory  ... 60874752, 8192, ) == 0x0
 01909   944   NtRegisterThreadTerminatePort  (24, ...
 01900   880   NtWaitForSingleObject  ... ) == 0x0
 01908   936   NtSetEventBoostPriority  ... ) == 0x0
 01907   940   NtDuplicateObject  ... 448, ) == 0x0
 01910   420   NtProtectVirtualMemory  (-1, (0x3a0e000), 4096, 260, ...
 01911   884   NtSetEventBoostPriority  (352, ...
 01912   880   NtSetEventBoostPriority  (292, ...
 01909   944   NtRegisterThreadTerminatePort  ... ) == 0x0
 01913   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 01910   420   NtProtectVirtualMemory  ... (0x3a0e000), 4096, 4, ) == 0x0
 01903   948   NtWaitForSingleObject  ... ) == 0x0
 01766   888   NtWaitForSingleObject  ... ) == 0x0
 01911   884   NtSetEventBoostPriority  ... ) == 0x0
 01914   944   NtWaitForSingleObject  (292, 0, 0x0, ...
 01915   948   NtSetEventBoostPriority  (292, ...
 01916   888   NtWaitForSingleObject  (292, 0, 0x0, ...
 01917   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01918   884   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01913   940   NtWaitForSingleObject  ... ) == 0x0
 01915   948   NtSetEventBoostPriority  ... ) == 0x0
 01912   880   NtSetEventBoostPriority  ... ) == 0x0
 01919   936   NtWaitForSingleObject  (292, 0, 0x0, ...
 01920   940   NtSetEventBoostPriority  (292, ...
 01918   884   NtWaitForSingleObject  ... ) == 0x102
 01917   420   NtCreateThread  ... 452, {412, 1044}, ) == 0x0
 01921   880   NtWaitForSingleObject  (160, 0, 0x0, ...
 01916   888   NtWaitForSingleObject  ... ) == 0x0
 01920   940   NtSetEventBoostPriority  ... ) == 0x0
 01922   884   NtWaitForSingleObject  (160, 0, 0x0, ...
 01923   420   NtQueryInformationThread  (452, Basic, 28, ...
 01924   888   NtSetEventBoostPriority  (292, ...
 01925   948   NtSetEventBoostPriority  (136, ...
 01926   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 01914   944   NtWaitForSingleObject  ... ) == 0x0
 01924   888   NtSetEventBoostPriority  ... ) == 0x0
 01923   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=412,Tid=1044,}, 0x0, ) == 0x0
 01464   952   NtWaitForSingleObject  ... ) == 0x0
 01925   948   NtSetEventBoostPriority  ... ) == 0x0
 01927   944   NtSetEventBoostPriority  (292, ...
 01928   952   NtWaitForSingleObject  (292, 0, 0x0, ...
 01929   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1547, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\1\0\0\234\1\0\0\24\4\0\0" ...  ...
 01919   936   NtWaitForSingleObject  ... ) == 0x0
 01927   944   NtSetEventBoostPriority  ... ) == 0x0
 01930   948   NtTestAlert  (...
 01931   936   NtSetEventBoostPriority  (292, ...
 01929   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1548, 0}  ... {28, 56, reply, 0, 412, 420, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\1\0\0\234\1\0\0\24\4\0\0" )  ) == 0x0
 01932   888   NtSetEventBoostPriority  (352, ...
 01926   940   NtWaitForSingleObject  ... ) == 0x0
 01931   936   NtSetEventBoostPriority  ... ) == 0x0
 01930   948   NtTestAlert  ... ) == 0x0
 01933   944   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01934   940   NtSetEventBoostPriority  (292, ...
 01802   912   NtWaitForSingleObject  ... ) == 0x0
 01932   888   NtSetEventBoostPriority  ... ) == 0x0
 01935   936   NtWaitForSingleObject  (352, 0, 0x0, ...
 01936   948   NtContinue  (48299312, 1, ...
 01928   952   NtWaitForSingleObject  ... ) == 0x0
 01937   912   NtWaitForSingleObject  (292, 0, 0x0, ...
 01934   940   NtSetEventBoostPriority  ... ) == 0x0
 01933   944   NtDuplicateObject  ... 456, ) == 0x0
 01938   888   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01939   420   NtResumeThread  (452, ...
 01940   952   NtSetEventBoostPriority  (292, ...
 01941   948   NtRegisterThreadTerminatePort  (24, ...
 01942   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 01943   944   NtWaitForSingleObject  (292, 0, 0x0, ...
 01938   888   NtWaitForSingleObject  ... ) == 0x102
 01937   912   NtWaitForSingleObject  ... ) == 0x0
 01940   952   NtSetEventBoostPriority  ... ) == 0x0
 01939   420   NtResumeThread  ... 1, ) == 0x0
 01941   948   NtRegisterThreadTerminatePort  ... ) == 0x0
 01944  1044   NtWaitForSingleObject  (136, 0, 0x0, ...
 01945   912   NtSetEventBoostPriority  (292, ...
 01946   888   NtWaitForSingleObject  (292, 0, 0x0, ...
 01947   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01948   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 01943   944   NtWaitForSingleObject  ... ) == 0x0
 01945   912   NtSetEventBoostPriority  ... ) == 0x0
 01949   952   NtSetEventBoostPriority  (136, ...
 01947   420   NtAllocateVirtualMemory  ... 60882944, 1048576, ) == 0x0
 01950   944   NtSetEventBoostPriority  (292, ...
 01510   956   NtWaitForSingleObject  ... ) == 0x0
 01949   952   NtSetEventBoostPriority  ... ) == 0x0
 01942   940   NtWaitForSingleObject  ... ) == 0x0
 01951   956   NtWaitForSingleObject  (292, 0, 0x0, ...
 01950   944   NtSetEventBoostPriority  ... ) == 0x0
 01952   420   NtAllocateVirtualMemory  (-1, 61923328, 0, 8192, 4096, 4, ...
 01953   940   NtSetEventBoostPriority  (292, ...
 01954   952   NtTestAlert  (...
 01955   912   NtSetEventBoostPriority  (352, ...
 01948   948   NtWaitForSingleObject  ... ) == 0x0
 01952   420   NtAllocateVirtualMemory  ... 61923328, 8192, ) == 0x0
 01954   952   NtTestAlert  ... ) == 0x0
 01826   892   NtWaitForSingleObject  ... ) == 0x0
 01955   912   NtSetEventBoostPriority  ... ) == 0x0
 01956   948   NtSetEventBoostPriority  (292, ...
 01953   940   NtSetEventBoostPriority  ... ) == 0x0
 01957   944   NtWaitForSingleObject  (292, 0, 0x0, ...
 01958   892   NtWaitForSingleObject  (292, 0, 0x0, ...
 01959   952   NtContinue  (49347888, 1, ...
 01960   912   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01946   888   NtWaitForSingleObject  ... ) == 0x0
 01956   948   NtSetEventBoostPriority  ... ) == 0x0
 01961   940   NtWaitForSingleObject  (352, 0, 0x0, ...
 01962   952   NtRegisterThreadTerminatePort  (24, ...
 01963   888   NtSetEventBoostPriority  (292, ...
 01960   912   NtWaitForSingleObject  ... ) == 0x102
 01964   420   NtProtectVirtualMemory  (-1, (0x3b0e000), 4096, 260, ...
 01965   948   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01951   956   NtWaitForSingleObject  ... ) == 0x0
 01966   912   NtWaitForSingleObject  (160, 0, 0x0, ...
 01964   420   NtProtectVirtualMemory  ... (0x3b0e000), 4096, 4, ) == 0x0
 01967   956   NtSetEventBoostPriority  (292, ...
 01965   948   NtDuplicateObject  ... 460, ) == 0x0
 01963   888   NtSetEventBoostPriority  ... ) == 0x0
 01962   952   NtRegisterThreadTerminatePort  ... ) == 0x0
 01958   892   NtWaitForSingleObject  ... ) == 0x0
 01967   956   NtSetEventBoostPriority  ... ) == 0x0
 01968   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01969   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 01970   888   NtWaitForSingleObject  (160, 0, 0x0, ...
 01971   892   NtSetEventBoostPriority  (292, ...
 01972   952   NtWaitForSingleObject  (292, 0, 0x0, ...
 01968   420   NtCreateThread  ... 464, {412, 308}, ) == 0x0
 01957   944   NtWaitForSingleObject  ... ) == 0x0
 01971   892   NtSetEventBoostPriority  ... ) == 0x0
 01973   944   NtSetEventBoostPriority  (292, ...
 01974   420   NtQueryInformationThread  (464, Basic, 28, ...
 01975   956   NtSetEventBoostPriority  (136, ...
 01969   948   NtWaitForSingleObject  ... ) == 0x0
 01973   944   NtSetEventBoostPriority  ... ) == 0x0
 01974   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=412,Tid=308,}, 0x0, ) == 0x0
 01976   948   NtSetEventBoostPriority  (292, ...
 01541   960   NtWaitForSingleObject  ... ) == 0x0
 01975   956   NtSetEventBoostPriority  ... ) == 0x0
 01977   944   NtWaitForSingleObject  (352, 0, 0x0, ...
 01978   892   NtSetEventBoostPriority  (352, ...
 01972   952   NtWaitForSingleObject  ... ) == 0x0
 01979   960   NtWaitForSingleObject  (292, 0, 0x0, ...
 01976   948   NtSetEventBoostPriority  ... ) == 0x0
 01980   956   NtTestAlert  (...
 01981   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1548, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0\234\1\0\04\1\0\0" ...  ...
 01982   952   NtSetEventBoostPriority  (292, ...
 01834   908   NtWaitForSingleObject  ... ) == 0x0
 01978   892   NtSetEventBoostPriority  ... ) == 0x0
 01980   956   NtTestAlert  ... ) == 0x0
 01979   960   NtWaitForSingleObject  ... ) == 0x0
 01983   908   NtWaitForSingleObject  (292, 0, 0x0, ...
 01982   952   NtSetEventBoostPriority  ... ) == 0x0
 01981   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1549, 0}  ... {28, 56, reply, 0, 412, 420, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0\234\1\0\04\1\0\0" )  ) == 0x0
 01984   892   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 01985   960   NtSetEventBoostPriority  (292, ...
 01986   956   NtContinue  (50396464, 1, ...
 01987   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 01988   420   NtResumeThread  (464, ...
 01983   908   NtWaitForSingleObject  ... ) == 0x0
 01985   960   NtSetEventBoostPriority  ... ) == 0x0
 01984   892   NtWaitForSingleObject  ... ) == 0x102
 01989   956   NtRegisterThreadTerminatePort  (24, ...
 01990   908   NtSetEventBoostPriority  (292, ...
 01988   420   NtResumeThread  ... 1, ) == 0x0
 01991   952   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01992   892   NtWaitForSingleObject  (292, 0, 0x0, ...
 01993   960   NtSetEventBoostPriority  (136, ...
 01994   308   NtWaitForSingleObject  (136, 0, 0x0, ...
 01987   948   NtWaitForSingleObject  ... ) == 0x0
 01990   908   NtSetEventBoostPriority  ... ) == 0x0
 01995   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 01991   952   NtDuplicateObject  ... 468, ) == 0x0
 01989   956   NtRegisterThreadTerminatePort  ... ) == 0x0
 01585   984   NtWaitForSingleObject  ... ) == 0x0
 01993   960   NtSetEventBoostPriority  ... ) == 0x0
 01996   948   NtSetEventBoostPriority  (292, ...
 01997   908   NtSetEventBoostPriority  (352, ...
 01998   952   NtWaitForSingleObject  (292, 0, 0x0, ...
 01999   984   NtWaitForSingleObject  (292, 0, 0x0, ...
 02000   956   NtWaitForSingleObject  (292, 0, 0x0, ...
 01992   892   NtWaitForSingleObject  ... ) == 0x0
 01996   948   NtSetEventBoostPriority  ... ) == 0x0
 02001   960   NtTestAlert  (...
 01837   924   NtWaitForSingleObject  ... ) == 0x0
 01997   908   NtSetEventBoostPriority  ... ) == 0x0
 02002   892   NtSetEventBoostPriority  (292, ...
 02003   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 02004   924   NtWaitForSingleObject  (292, 0, 0x0, ...
 02001   960   NtTestAlert  ... ) == 0x0
 01999   984   NtWaitForSingleObject  ... ) == 0x0
 02005   908   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02002   892   NtSetEventBoostPriority  ... ) == 0x0
 01995   420   NtAllocateVirtualMemory  ... 61931520, 1048576, ) == 0x0
 02006   984   NtSetEventBoostPriority  (292, ...
 02007   960   NtContinue  (51445040, 1, ...
 02005   908   NtWaitForSingleObject  ... ) == 0x102
 02008   892   NtWaitForSingleObject  (160, 0, 0x0, ...
 01998   952   NtWaitForSingleObject  ... ) == 0x0
 02006   984   NtSetEventBoostPriority  ... ) == 0x0
 02009   420   NtAllocateVirtualMemory  (-1, 62971904, 0, 8192, 4096, 4, ...
 02010   960   NtRegisterThreadTerminatePort  (24, ...
 02011   908   NtWaitForSingleObject  (160, 0, 0x0, ...
 02012   952   NtSetEventBoostPriority  (292, ...
 02009   420   NtAllocateVirtualMemory  ... 62971904, 8192, ) == 0x0
 02013   984   NtSetEventBoostPriority  (136, ...
 02010   960   NtRegisterThreadTerminatePort  ... ) == 0x0
 02000   956   NtWaitForSingleObject  ... ) == 0x0
 02012   952   NtSetEventBoostPriority  ... ) == 0x0
 02014   420   NtProtectVirtualMemory  (-1, (0x3c0e000), 4096, 260, ...
 01620   988   NtWaitForSingleObject  ... ) == 0x0
 02013   984   NtSetEventBoostPriority  ... ) == 0x0
 02015   956   NtSetEventBoostPriority  (292, ...
 02016   960   NtWaitForSingleObject  (292, 0, 0x0, ...
 02017   988   NtWaitForSingleObject  (292, 0, 0x0, ...
 02014   420   NtProtectVirtualMemory  ... (0x3c0e000), 4096, 4, ) == 0x0
 02004   924   NtWaitForSingleObject  ... ) == 0x0
 02015   956   NtSetEventBoostPriority  ... ) == 0x0
 02018   984   NtTestAlert  (...
 02019   924   NtSetEventBoostPriority  (292, ...
 02020   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02021   952   NtWaitForSingleObject  (292, 0, 0x0, ...
 02003   948   NtWaitForSingleObject  ... ) == 0x0
 02018   984   NtTestAlert  ... ) == 0x0
 02019   924   NtSetEventBoostPriority  ... ) == 0x0
 02022   956   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02023   948   NtSetEventBoostPriority  (292, ...
 02024   984   NtContinue  (52493616, 1, ...
 02020   420   NtCreateThread  ... 472, {412, 1068}, ) == 0x0
 02022   956   NtDuplicateObject  ... 476, ) == 0x0
 02017   988   NtWaitForSingleObject  ... ) == 0x0
 02025   984   NtRegisterThreadTerminatePort  (24, ...
 02026   420   NtQueryInformationThread  (472, Basic, 28, ...
 02027   988   NtSetEventBoostPriority  (292, ...
 02028   956   NtWaitForSingleObject  (292, 0, 0x0, ...
 02023   948   NtSetEventBoostPriority  ... ) == 0x0
 02029   924   NtSetEventBoostPriority  (352, ...
 02016   960   NtWaitForSingleObject  ... ) == 0x0
 02027   988   NtSetEventBoostPriority  ... ) == 0x0
 02026   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=412,Tid=1068,}, 0x0, ) == 0x0
 02030   948   NtWaitForSingleObject  (352, 0, 0x0, ...
 02031   960   NtSetEventBoostPriority  (292, ...
 01849   916   NtWaitForSingleObject  ... ) == 0x0
 02029   924   NtSetEventBoostPriority  ... ) == 0x0
 02025   984   NtRegisterThreadTerminatePort  ... ) == 0x0
 02032   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1549, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0\234\1\0\0,\4\0\0" ...  ...
 02021   952   NtWaitForSingleObject  ... ) == 0x0
 02033   916   NtWaitForSingleObject  (292, 0, 0x0, ...
 02031   960   NtSetEventBoostPriority  ... ) == 0x0
 02034   924   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02035   984   NtWaitForSingleObject  (292, 0, 0x0, ...
 02036   952   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ...
 02032   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1550, 0}  ... {28, 56, reply, 0, 412, 420, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0\234\1\0\0,\4\0\0" )  ) == 0x0
 02037   988   NtSetEventBoostPriority  (136, ...
 02034   924   NtWaitForSingleObject  ... ) == 0x102
 02036   952   NtAllocateVirtualMemory  ... 1380352, 4096, ) == 0x0
 02038   960   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 01689  1012   NtWaitForSingleObject  ... ) == 0x0
 02037   988   NtSetEventBoostPriority  ... ) == 0x0
 02039   952   NtSetEventBoostPriority  (292, ...
 02040   924   NtWaitForSingleObject  (292, 0, 0x0, ...
 02041  1012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02038   960   NtDuplicateObject  ... 480, ) == 0x0
 02042   988   NtTestAlert  (...
 02043   420   NtResumeThread  (472, ...
 02028   956   NtWaitForSingleObject  ... ) == 0x0
 02039   952   NtSetEventBoostPriority  ... ) == 0x0
 02044   960   NtWaitForSingleObject  (292, 0, 0x0, ...
 02042   988   NtTestAlert  ... ) == 0x0
 02043   420   NtResumeThread  ... 1, ) == 0x0
 02045   956   NtSetEventBoostPriority  (292, ...
 02046   952   NtWaitForSingleObject  (292, 0, 0x0, ...
 02047   988   NtContinue  (53542192, 1, ...
 02048   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02033   916   NtWaitForSingleObject  ... ) == 0x0
 02045   956   NtSetEventBoostPriority  ... ) == 0x0
 02049   988   NtRegisterThreadTerminatePort  (24, ...
 02050   916   NtSetEventBoostPriority  (292, ...
 02048   420   NtAllocateVirtualMemory  ... 62980096, 1048576, ) == 0x0
 02051  1068   NtWaitForSingleObject  (136, 0, 0x0, ...
 02052   956   NtWaitForSingleObject  (292, 0, 0x0, ...
 02035   984   NtWaitForSingleObject  ... ) == 0x0
 02050   916   NtSetEventBoostPriority  ... ) == 0x0
 02053   420   NtAllocateVirtualMemory  (-1, 64020480, 0, 8192, 4096, 4, ...
 02054   984   NtSetEventBoostPriority  (292, ...
 02049   988   NtRegisterThreadTerminatePort  ... ) == 0x0
 02041  1012   NtWaitForSingleObject  ... ) == 0x0
 02054   984   NtSetEventBoostPriority  ... ) == 0x0
 02053   420   NtAllocateVirtualMemory  ... 64020480, 8192, ) == 0x0
 02055  1012   NtSetEventBoostPriority  (292, ...
 02056   988   NtWaitForSingleObject  (292, 0, 0x0, ...
 02057   916   NtSetEventBoostPriority  (352, ...
 02058   984   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02044   960   NtWaitForSingleObject  ... ) == 0x0
 02055  1012   NtSetEventBoostPriority  ... ) == 0x0
 01856   928   NtWaitForSingleObject  ... ) == 0x0
 02057   916   NtSetEventBoostPriority  ... ) == 0x0
 02059   960   NtSetEventBoostPriority  (292, ...
 02058   984   NtDuplicateObject  ... 484, ) == 0x0
 02060   420   NtProtectVirtualMemory  (-1, (0x3d0e000), 4096, 260, ...
 02061   928   NtWaitForSingleObject  (292, 0, 0x0, ...
 02046   952   NtWaitForSingleObject  ... ) == 0x0
 02059   960   NtSetEventBoostPriority  ... ) == 0x0
 02062   916   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02063   984   NtWaitForSingleObject  (292, 0, 0x0, ...
 02064   952   NtSetEventBoostPriority  (292, ...
 02060   420   NtProtectVirtualMemory  ... (0x3d0e000), 4096, 4, ) == 0x0
 02065  1012   NtSetEventBoostPriority  (136, ...
 02062   916   NtWaitForSingleObject  ... ) == 0x102
 02040   924   NtWaitForSingleObject  ... ) == 0x0
 02064   952   NtSetEventBoostPriority  ... ) == 0x0
 02066   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01733  1016   NtWaitForSingleObject  ... ) == 0x0
 02065  1012   NtSetEventBoostPriority  ... ) == 0x0
 02067   924   NtSetEventBoostPriority  (292, ...
 02068   916   NtWaitForSingleObject  (292, 0, 0x0, ...
 02069   960   NtWaitForSingleObject  (292, 0, 0x0, ...
 02070  1016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02066   420   NtCreateThread  ... 488, {412, 1076}, ) == 0x0
 02052   956   NtWaitForSingleObject  ... ) == 0x0
 02071  1012   NtTestAlert  (...
 02067   924   NtSetEventBoostPriority  ... ) == 0x0
 02072   952   NtWaitForSingleObject  (352, 0, 0x0, ...
 02073   420   NtQueryInformationThread  (488, Basic, 28, ...
 02074   956   NtSetEventBoostPriority  (292, ...
 02071  1012   NtTestAlert  ... ) == 0x0
 02075   924   NtWaitForSingleObject  (160, 0, 0x0, ...
 02073   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=412,Tid=1076,}, 0x0, ) == 0x0
 02056   988   NtWaitForSingleObject  ... ) == 0x0
 02074   956   NtSetEventBoostPriority  ... ) == 0x0
 02076  1012   NtContinue  (54590768, 1, ...
 02077   988   NtSetEventBoostPriority  (292, ...
 02078   956   NtWaitForSingleObject  (352, 0, 0x0, ...
 02061   928   NtWaitForSingleObject  ... ) == 0x0
 02077   988   NtSetEventBoostPriority  ... ) == 0x0
 02079  1012   NtRegisterThreadTerminatePort  (24, ...
 02080   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1550, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\234\1\0\04\4\0\0" ...  ...
 02081   928   NtSetEventBoostPriority  (292, ...
 02082   988   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02063   984   NtWaitForSingleObject  ... ) == 0x0
 02081   928   NtSetEventBoostPriority  ... ) == 0x0
 02080   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1551, 0}  ... {28, 56, reply, 0, 412, 420, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\234\1\0\04\4\0\0" )  ) == 0x0
 02083   984   NtSetEventBoostPriority  (292, ...
 02082   988   NtDuplicateObject  ... 492, ) == 0x0
 02079  1012   NtRegisterThreadTerminatePort  ... ) == 0x0
 02070  1016   NtWaitForSingleObject  ... ) == 0x0
 02083   984   NtSetEventBoostPriority  ... ) == 0x0
 02084   420   NtResumeThread  (488, ...
 02085   988   NtWaitForSingleObject  (292, 0, 0x0, ...
 02086  1016   NtSetEventBoostPriority  (292, ...
 02087  1012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02088   928   NtSetEventBoostPriority  (352, ...
 02084   420   NtResumeThread  ... 1, ) == 0x0
 02069   960   NtWaitForSingleObject  ... ) == 0x0
 02086  1016   NtSetEventBoostPriority  ... ) == 0x0
 01876   932   NtWaitForSingleObject  ... ) == 0x0
 02088   928   NtSetEventBoostPriority  ... ) == 0x0
 02089   960   NtSetEventBoostPriority  (292, ...
 02090   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02091   984   NtWaitForSingleObject  (292, 0, 0x0, ...
 02092  1076   NtWaitForSingleObject  (136, 0, 0x0, ...
 02093   932   NtWaitForSingleObject  (292, 0, 0x0, ...
 02068   916   NtWaitForSingleObject  ... ) == 0x0
 02089   960   NtSetEventBoostPriority  ... ) == 0x0
 02094   928   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02095  1016   NtSetEventBoostPriority  (136, ...
 02096   916   NtSetEventBoostPriority  (292, ...
 02097   960   NtWaitForSingleObject  (292, 0, 0x0, ...
 02094   928   NtWaitForSingleObject  ... ) == 0x102
 02085   988   NtWaitForSingleObject  ... ) == 0x0
 01775  1020   NtWaitForSingleObject  ... ) == 0x0
 02095  1016   NtSetEventBoostPriority  ... ) == 0x0
 02096   916   NtSetEventBoostPriority  ... ) == 0x0
 02090   420   NtAllocateVirtualMemory  ... 64028672, 1048576, ) == 0x0
 02098   928   NtWaitForSingleObject  (160, 0, 0x0, ...
 02099  1020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02100   988   NtSetEventBoostPriority  (292, ...
 02101  1016   NtTestAlert  (...
 02102   916   NtWaitForSingleObject  (160, 0, 0x0, ...
 02103   420   NtAllocateVirtualMemory  (-1, 65069056, 0, 8192, 4096, 4, ...
 02087  1012   NtWaitForSingleObject  ... ) == 0x0
 02100   988   NtSetEventBoostPriority  ... ) == 0x0
 02101  1016   NtTestAlert  ... ) == 0x0
 02104  1012   NtSetEventBoostPriority  (292, ...
 02103   420   NtAllocateVirtualMemory  ... 65069056, 8192, ) == 0x0
 02091   984   NtWaitForSingleObject  ... ) == 0x0
 02104  1012   NtSetEventBoostPriority  ... ) == 0x0
 02105  1016   NtContinue  (55639344, 1, ...
 02106   984   NtSetEventBoostPriority  (292, ...
 02107   420   NtProtectVirtualMemory  (-1, (0x3e0e000), 4096, 260, ...
 02108   988   NtWaitForSingleObject  (292, 0, 0x0, ...
 02093   932   NtWaitForSingleObject  ... ) == 0x0
 02106   984   NtSetEventBoostPriority  ... ) == 0x0
 02109  1016   NtRegisterThreadTerminatePort  (24, ...
 02107   420   NtProtectVirtualMemory  ... (0x3e0e000), 4096, 4, ) == 0x0
 02110   932   NtSetEventBoostPriority  (292, ...
 02111   984   NtWaitForSingleObject  (352, 0, 0x0, ...
 02112  1012   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02097   960   NtWaitForSingleObject  ... ) == 0x0
 02110   932   NtSetEventBoostPriority  ... ) == 0x0
 02113   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02109  1016   NtRegisterThreadTerminatePort  ... ) == 0x0
 02114   960   NtSetEventBoostPriority  (292, ...
 02112  1012   NtDuplicateObject  ... 496, ) == 0x0
 02115   932   NtSetEventBoostPriority  (352, ...
 02099  1020   NtWaitForSingleObject  ... ) == 0x0
 02116  1016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02117  1012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02118  1020   NtSetEventBoostPriority  (292, ...
 01877   920   NtWaitForSingleObject  ... ) == 0x0
 02115   932   NtSetEventBoostPriority  ... ) == 0x0
 02108   988   NtWaitForSingleObject  ... ) == 0x0
 02119   920   NtWaitForSingleObject  (292, 0, 0x0, ...
 02118  1020   NtSetEventBoostPriority  ... ) == 0x0
 02120   988   NtSetEventBoostPriority  (292, ...
 02121   932   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02114   960   NtSetEventBoostPriority  ... ) == 0x0
 02113   420   NtCreateThread  ... 500, {412, 1080}, ) == 0x0
 02116  1016   NtWaitForSingleObject  ... ) == 0x0
 02120   988   NtSetEventBoostPriority  ... ) == 0x0
 02121   932   NtWaitForSingleObject  ... ) == 0x102
 02122   960   NtWaitForSingleObject  (352, 0, 0x0, ...
 02123  1016   NtSetEventBoostPriority  (292, ...
 02124   420   NtQueryInformationThread  (500, Basic, 28, ...
 02125   988   NtWaitForSingleObject  (352, 0, 0x0, ...
 02126   932   NtWaitForSingleObject  (292, 0, 0x0, ...
 02117  1012   NtWaitForSingleObject  ... ) == 0x0
 02123  1016   NtSetEventBoostPriority  ... ) == 0x0
 02124   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=412,Tid=1080,}, 0x0, ) == 0x0
 02127  1020   NtAllocateVirtualMemory  (-1, 3952640, 0, 4096, 4096, 4, ...
 02128  1012   NtSetEventBoostPriority  (292, ...
 02129   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1551, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\1\0\0\234\1\0\08\4\0\0" ...  ...
 02119   920   NtWaitForSingleObject  ... ) == 0x0
 02128  1012   NtSetEventBoostPriority  ... ) == 0x0
 02127  1020   NtAllocateVirtualMemory  ... 3952640, 4096, ) == 0x0
 02130   920   NtSetEventBoostPriority  (292, ...
 02129   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1552, 0}  ... {28, 56, reply, 0, 412, 420, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\1\0\0\234\1\0\08\4\0\0" )  ) == 0x0
 02131  1016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02126   932   NtWaitForSingleObject  ... ) == 0x0
 02130   920   NtSetEventBoostPriority  ... ) == 0x0
 02132  1020   NtSetEventBoostPriority  (136, ...
 02133  1012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02134   932   NtSetEventBoostPriority  (292, ...
 02131  1016   NtDuplicateObject  ... 504, ) == 0x0
 02135   420   NtResumeThread  (500, ...
 01814   996   NtWaitForSingleObject  ... ) == 0x0
 02132  1020   NtSetEventBoostPriority  ... ) == 0x0
 02134   932   NtSetEventBoostPriority  ... ) == 0x0
 02133  1012   NtWaitForSingleObject  ... ) == 0x0
 02136  1016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02137   996   NtWaitForSingleObject  (292, 0, 0x0, ...
 02135   420   NtResumeThread  ... 1, ) == 0x0
 02138   932   NtWaitForSingleObject  (160, 0, 0x0, ...
 02139  1020   NtTestAlert  (...
 02140  1012   NtSetEventBoostPriority  (292, ...
 02141   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02139  1020   NtTestAlert  ... ) == 0x0
 02137   996   NtWaitForSingleObject  ... ) == 0x0
 02140  1012   NtSetEventBoostPriority  ... ) == 0x0
 02141   420   NtAllocateVirtualMemory  ... 65077248, 1048576, ) == 0x0
 02142   920   NtSetEventBoostPriority  (352, ...
 02143  1080   NtWaitForSingleObject  (136, 0, 0x0, ...
 02144   996   NtSetEventBoostPriority  (292, ...
 02145  1012   NtWaitForSingleObject  (352, 0, 0x0, ...
 02146   420   NtAllocateVirtualMemory  (-1, 66117632, 0, 8192, 4096, 4, ...
 01896   584   NtWaitForSingleObject  ... ) == 0x0
 02142   920   NtSetEventBoostPriority  ... ) == 0x0
 02136  1016   NtWaitForSingleObject  ... ) == 0x0
 02144   996   NtSetEventBoostPriority  ... ) == 0x0
 02147  1020   NtContinue  (56687920, 1, ...
 02148   584   NtWaitForSingleObject  (292, 0, 0x0, ...
 02146   420   NtAllocateVirtualMemory  ... 66117632, 8192, ) == 0x0
 02149  1016   NtSetEventBoostPriority  (292, ...
 02150   920   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02151  1020   NtRegisterThreadTerminatePort  (24, ...
 02152   996   NtSetEventBoostPriority  (136, ...
 02148   584   NtWaitForSingleObject  ... ) == 0x0
 02149  1016   NtSetEventBoostPriority  ... ) == 0x0
 02150   920   NtWaitForSingleObject  ... ) == 0x102
 02151  1020   NtRegisterThreadTerminatePort  ... ) == 0x0
 02153   584   NtSetEventBoostPriority  (352, ...
 01859  1028   NtWaitForSingleObject  ... ) == 0x0
 02152   996   NtSetEventBoostPriority  ... ) == 0x0
 02154   420   NtProtectVirtualMemory  (-1, (0x3f0e000), 4096, 260, ...
 02155   920   NtWaitForSingleObject  (160, 0, 0x0, ...
 01935   936   NtWaitForSingleObject  ... ) == 0x0
 02156  1028   NtSetEventBoostPriority  (136, ...
 02153   584   NtSetEventBoostPriority  ... ) == 0x0
 02157  1020   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02158   996   NtTestAlert  (...
 02154   420   NtProtectVirtualMemory  ... (0x3f0e000), 4096, 4, ) == 0x0
 02159  1016   NtWaitForSingleObject  (352, 0, 0x0, ...
 02160   936   NtSetEventBoostPriority  (352, ...
 01894  1040   NtWaitForSingleObject  ... ) == 0x0
 02156  1028   NtSetEventBoostPriority  ... ) == 0x0
 02157  1020   NtDuplicateObject  ... 508, ) == 0x0
 02158   996   NtTestAlert  ... ) == 0x0
 02161   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 01961   940   NtWaitForSingleObject  ... ) == 0x0
 02162  1040   NtSetEventBoostPriority  (136, ...
 02160   936   NtSetEventBoostPriority  ... ) == 0x0
 02163   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ...
 02164  1020   NtWaitForSingleObject  (352, 0, 0x0, ...
 02165   996   NtContinue  (57736496, 1, ...
 02161   420   NtCreateThread  ... 512, {412, 1096}, ) == 0x0
 01904   572   NtWaitForSingleObject  ... ) == 0x0
 02162  1040   NtSetEventBoostPriority  ... ) == 0x0
 02166   940   NtSetEventBoostPriority  (352, ...
 02167   936   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02163   584   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02168  1028   NtTestAlert  (...
 02169   996   NtRegisterThreadTerminatePort  (24, ...
 02170   572   NtSetEventBoostPriority  (136, ...
 02171   420   NtQueryInformationThread  (512, Basic, 28, ...
 01977   944   NtWaitForSingleObject  ... ) == 0x0
 02166   940   NtSetEventBoostPriority  ... ) == 0x0
 02172   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ...
 02168  1028   NtTestAlert  ... ) == 0x0
 02173  1040   NtTestAlert  (...
 02167   936   NtWaitForSingleObject  ... ) == 0x102
 01944  1044   NtWaitForSingleObject  ... ) == 0x0
 02174   944   NtSetEventBoostPriority  (352, ...
 02171   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=412,Tid=1096,}, 0x0, ) == 0x0
 02170   572   NtSetEventBoostPriority  ... ) == 0x0
 02169   996   NtRegisterThreadTerminatePort  ... ) == 0x0
 02172   584   NtOpenKey  ... 516, ) == 0x0
 02175  1028   NtContinue  (58785072, 1, ...
 02173  1040   NtTestAlert  ... ) == 0x0
 02176   936   NtWaitForSingleObject  (160, 0, 0x0, ...
 02030   948   NtWaitForSingleObject  ... ) == 0x0
 02177  1044   NtSetEventBoostPriority  (136, ...
 02174   944   NtSetEventBoostPriority  ... ) == 0x0
 02178   940   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02179   572   NtWaitForSingleObject  (136, 0, 0x0, ...
 02180   996   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ...
 02181   584   NtQueryValueKey  (516,  (516, "MaxRpcSize", Partial, 144, ... , Partial, 144, ...
 02182  1028   NtRegisterThreadTerminatePort  (24, ...
 02183  1040   NtContinue  (59833648, 1, ...
 02184   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 01994   308   NtWaitForSingleObject  ... ) == 0x0
 02177  1044   NtSetEventBoostPriority  ... ) == 0x0
 02185   944   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02178   940   NtWaitForSingleObject  ... ) == 0x102
 02180   996   NtAllocateVirtualMemory  ... 1384448, 4096, ) == 0x0
 02181   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02182  1028   NtRegisterThreadTerminatePort  ... ) == 0x0
 02186  1040   NtRegisterThreadTerminatePort  (24, ...
 02187   308   NtWaitForSingleObject  (292, 0, 0x0, ...
 02188   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1552, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\234\1\0\0H\4\0\0" ...  ...
 02189   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 02190   996   NtSetEventBoostPriority  (292, ...
 02191  1044   NtTestAlert  (...
 02185   944   NtWaitForSingleObject  ... ) == 0x102
 02192  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02186  1040   NtRegisterThreadTerminatePort  ... ) == 0x0
 02188   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1553, 0}  ... {28, 56, reply, 0, 412, 420, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\234\1\0\0H\4\0\0" )  ) == 0x0
 02184   948   NtWaitForSingleObject  ... ) == 0x0
 02190   996   NtSetEventBoostPriority  ... ) == 0x0
 02191  1044   NtTestAlert  ... ) == 0x0
 02193   944   NtWaitForSingleObject  (292, 0, 0x0, ...
 02194   584   NtClose  (516, ...
 02195  1040   NtWaitForSingleObject  (292, 0, 0x0, ...
 02196   948   NtSetEventBoostPriority  (292, ...
 02197   420   NtResumeThread  (512, ...
 02198   996   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02199  1044   NtContinue  (60882224, 1, ...
 02194   584   NtClose  ... ) == 0x0
 02187   308   NtWaitForSingleObject  ... ) == 0x0
 02196   948   NtSetEventBoostPriority  ... ) == 0x0
 02197   420   NtResumeThread  ... 1, ) == 0x0
 02200  1044   NtRegisterThreadTerminatePort  (24, ...
 02201   308   NtSetEventBoostPriority  (292, ...
 02202   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ...
 02198   996   NtDuplicateObject  ... 516, ) == 0x0
 02203  1096   NtWaitForSingleObject  (136, 0, 0x0, ...
 02204   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02189   940   NtWaitForSingleObject  ... ) == 0x0
 02201   308   NtSetEventBoostPriority  ... ) == 0x0
 02200  1044   NtRegisterThreadTerminatePort  ... ) == 0x0
 02202   584   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02205   996   NtWaitForSingleObject  (292, 0, 0x0, ...
 02206   948   NtSetEventBoostPriority  (352, ...
 02207   940   NtSetEventBoostPriority  (292, ...
 02204   420   NtAllocateVirtualMemory  ... 66125824, 1048576, ) == 0x0
 02208  1044   NtWaitForSingleObject  (292, 0, 0x0, ...
 02209   584   NtWaitForSingleObject  (292, 0, 0x0, ...
 02193   944   NtWaitForSingleObject  ... ) == 0x0
 02207   940   NtSetEventBoostPriority  ... ) == 0x0
 02072   952   NtWaitForSingleObject  ... ) == 0x0
 02206   948   NtSetEventBoostPriority  ... ) == 0x0
 02210   420   NtAllocateVirtualMemory  (-1, 67166208, 0, 8192, 4096, 4, ...
 02211   308   NtSetEventBoostPriority  (136, ...
 02212   944   NtSetEventBoostPriority  (292, ...
 02213   952   NtWaitForSingleObject  (292, 0, 0x0, ...
 02214   948   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02210   420   NtAllocateVirtualMemory  ... 67166208, 8192, ) == 0x0
 02192  1028   NtWaitForSingleObject  ... ) == 0x0
 02212   944   NtSetEventBoostPriority  ... ) == 0x0
 02051  1068   NtWaitForSingleObject  ... ) == 0x0
 02211   308   NtSetEventBoostPriority  ... ) == 0x0
 02214   948   NtWaitForSingleObject  ... ) == 0x102
 02215  1028   NtSetEventBoostPriority  (292, ...
 02216   420   NtProtectVirtualMemory  (-1, (0x400e000), 4096, 260, ...
 02217   940   NtWaitForSingleObject  (160, 0, 0x0, ...
 02218  1068   NtWaitForSingleObject  (292, 0, 0x0, ...
 02219   308   NtTestAlert  (...
 02195  1040   NtWaitForSingleObject  ... ) == 0x0
 02220   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 02216   420   NtProtectVirtualMemory  ... (0x400e000), 4096, 4, ) == 0x0
 02219   308   NtTestAlert  ... ) == 0x0
 02221  1040   NtSetEventBoostPriority  (292, ...
 02215  1028   NtSetEventBoostPriority  ... ) == 0x0
 02222   944   NtWaitForSingleObject  (160, 0, 0x0, ...
 02223   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02224   308   NtContinue  (61930800, 1, ...
 02205   996   NtWaitForSingleObject  ... ) == 0x0
 02225  1028   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02221  1040   NtSetEventBoostPriority  ... ) == 0x0
 02226   308   NtRegisterThreadTerminatePort  (24, ...
 02227   996   NtSetEventBoostPriority  (292, ...
 02225  1028   NtDuplicateObject  ... 520, ) == 0x0
 02228  1040   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02223   420   NtCreateThread  ... 524, {412, 1092}, ) == 0x0
 02209   584   NtWaitForSingleObject  ... ) == 0x0
 02227   996   NtSetEventBoostPriority  ... ) == 0x0
 02226   308   NtRegisterThreadTerminatePort  ... ) == 0x0
 02228  1040   NtDuplicateObject  ... 528, ) == 0x0
 02229   584   NtSetEventBoostPriority  (292, ...
 02230   420   NtQueryInformationThread  (524, Basic, 28, ...
 02231  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02232   308   NtWaitForSingleObject  (292, 0, 0x0, ...
 02233   996   NtWaitForSingleObject  (292, 0, 0x0, ...
 02208  1044   NtWaitForSingleObject  ... ) == 0x0
 02229   584   NtSetEventBoostPriority  ... ) == 0x0
 02230   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=412,Tid=1092,}, 0x0, ) == 0x0
 02234  1044   NtSetEventBoostPriority  (292, ...
 02235  1040   NtWaitForSingleObject  (292, 0, 0x0, ...
 02213   952   NtWaitForSingleObject  ... ) == 0x0
 02236   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1553, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\2\0\0\234\1\0\0D\4\0\0" ...  ...
 02237   952   NtSetEventBoostPriority  (292, ...
 02218  1068   NtWaitForSingleObject  ... ) == 0x0
 02238  1068   NtSetEventBoostPriority  (292, ...
 02220   948   NtWaitForSingleObject  ... ) == 0x0
 02239   948   NtSetEventBoostPriority  (292, ...
 02231  1028   NtWaitForSingleObject  ... ) == 0x0
 02240  1028   NtSetEventBoostPriority  (292, ...
 02232   308   NtWaitForSingleObject  ... ) == 0x0
 02241   308   NtSetEventBoostPriority  (292, ...
 02233   996   NtWaitForSingleObject  ... ) == 0x0
 02242   996   NtSetEventBoostPriority  (292, ...
 02235  1040   NtWaitForSingleObject  ... ) == 0x0
 02243  1040   NtWaitForSingleObject  (352, 0, 0x0, ...
 02242   996   NtSetEventBoostPriority  ... ) == 0x0
 02244   996   NtWaitForSingleObject  (352, 0, 0x0, ...
 02241   308   NtSetEventBoostPriority  ... ) == 0x0
 02240  1028   NtSetEventBoostPriority  ... ) == 0x0
 02238  1068   NtSetEventBoostPriority  ... ) == 0x0
 02237   952   NtSetEventBoostPriority  ... ) == 0x0
 02236   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1554, 0}  ... {28, 56, reply, 0, 412, 420, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\2\0\0\234\1\0\0D\4\0\0" )  ) == 0x0
 02239   948   NtSetEventBoostPriority  ... ) == 0x0
 02234  1044   NtSetEventBoostPriority  ... ) == 0x0
 02245   584   NtWaitForSingleObject  (352, 0, 0x0, ...
 02246  1028   NtWaitForSingleObject  (352, 0, 0x0, ...
 02247   308   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02248  1068   NtSetEventBoostPriority  (136, ...
 02249   952   NtSetEventBoostPriority  (352, ...
 02250   948   NtWaitForSingleObject  (160, 0, 0x0, ...
 02251  1044   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02252   420   NtResumeThread  (524, ...
 02247   308   NtDuplicateObject  ... 532, ) == 0x0
 02092  1076   NtWaitForSingleObject  ... ) == 0x0
 02248  1068   NtSetEventBoostPriority  ... ) == 0x0
 02078   956   NtWaitForSingleObject  ... ) == 0x0
 02249   952   NtSetEventBoostPriority  ... ) == 0x0
 02251  1044   NtDuplicateObject  ... 536, ) == 0x0
 02252   420   NtResumeThread  ... 1, ) == 0x0
 02253  1076   NtSetEventBoostPriority  (136, ...
 02254   308   NtWaitForSingleObject  (352, 0, 0x0, ...
 02255   956   NtSetEventBoostPriority  (352, ...
 02256  1068   NtTestAlert  (...
 02257   952   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02258  1092   NtWaitForSingleObject  (136, 0, 0x0, ...
 02143  1080   NtWaitForSingleObject  ... ) == 0x0
 02253  1076   NtSetEventBoostPriority  ... ) == 0x0
 02259   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02111   984   NtWaitForSingleObject  ... ) == 0x0
 02256  1068   NtTestAlert  ... ) == 0x0
 02257   952   NtWaitForSingleObject  ... ) == 0x102
 02260  1080   NtSetEventBoostPriority  (136, ...
 02255   956   NtSetEventBoostPriority  ... ) == 0x0
 02261  1044   NtWaitForSingleObject  (352, 0, 0x0, ...
 02259   420   NtAllocateVirtualMemory  ... 67174400, 1048576, ) == 0x0
 02262   984   NtSetEventBoostPriority  (352, ...
 02263  1068   NtContinue  (62979376, 1, ...
 02179   572   NtWaitForSingleObject  ... ) == 0x0
 02260  1080   NtSetEventBoostPriority  ... ) == 0x0
 02264   952   NtWaitForSingleObject  (160, 0, 0x0, ...
 02265   956   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02266   420   NtAllocateVirtualMemory  (-1, 68214784, 0, 8192, 4096, 4, ...
 02122   960   NtWaitForSingleObject  ... ) == 0x0
 02267   572   NtSetEventBoostPriority  (136, ...
 02268  1068   NtRegisterThreadTerminatePort  (24, ...
 02262   984   NtSetEventBoostPriority  ... ) == 0x0
 02269  1076   NtTestAlert  (...
 02270  1080   NtTestAlert  (...
 02266   420   NtAllocateVirtualMemory  ... 68214784, 8192, ) == 0x0
 02203  1096   NtWaitForSingleObject  ... ) == 0x0
 02267   572   NtSetEventBoostPriority  ... ) == 0x0
 02271   960   NtSetEventBoostPriority  (352, ...
 02265   956   NtWaitForSingleObject  ... ) == 0x102
 02272   984   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02269  1076   NtTestAlert  ... ) == 0x0
 02270  1080   NtTestAlert  ... ) == 0x0
 02268  1068   NtRegisterThreadTerminatePort  ... ) == 0x0
 02273  1096   NtSetEventBoostPriority  (136, ...
 02274   420   NtProtectVirtualMemory  (-1, (0x410e000), 4096, 260, ...
 02125   988   NtWaitForSingleObject  ... ) == 0x0
 02271   960   NtSetEventBoostPriority  ... ) == 0x0
 02275   956   NtWaitForSingleObject  (160, 0, 0x0, ...
 02276  1076   NtContinue  (64027952, 1, ...
 02277  1080   NtContinue  (65076528, 1, ...
 02258  1092   NtWaitForSingleObject  ... ) == 0x0
 02273  1096   NtSetEventBoostPriority  ... ) == 0x0
 02278  1068   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02279   988   NtSetEventBoostPriority  (352, ...
 02274   420   NtProtectVirtualMemory  ... (0x410e000), 4096, 4, ) == 0x0
 02280   572   NtWaitForSingleObject  (136, 0, 0x0, ...
 02272   984   NtWaitForSingleObject  ... ) == 0x102
 02281  1076   NtRegisterThreadTerminatePort  (24, ...
 02282  1092   NtSetEventBoostPriority  (136, ...
 02283  1080   NtRegisterThreadTerminatePort  (24, ...
 02284   960   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02145  1012   NtWaitForSingleObject  ... ) == 0x0
 02278  1068   NtDuplicateObject  ... 540, ) == 0x0
 02285   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02286   984   NtWaitForSingleObject  (160, 0, 0x0, ...
 02280   572   NtWaitForSingleObject  ... ) == 0x0
 02282  1092   NtSetEventBoostPriority  ... ) == 0x0
 02281  1076   NtRegisterThreadTerminatePort  ... ) == 0x0
 02283  1080   NtRegisterThreadTerminatePort  ... ) == 0x0
 02284   960   NtWaitForSingleObject  ... ) == 0x102
 02287  1012   NtSetEventBoostPriority  (352, ...
 02288  1068   NtWaitForSingleObject  (352, 0, 0x0, ...
 02285   420   NtCreateThread  ... 544, {412, 1064}, ) == 0x0
 02289   572   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ...
 02279   988   NtSetEventBoostPriority  ... ) == 0x0
 02290  1096   NtTestAlert  (...
 02291  1076   NtWaitForSingleObject  (292, 0, 0x0, ...
 02292  1080   NtWaitForSingleObject  (292, 0, 0x0, ...
 02293   960   NtWaitForSingleObject  (160, 0, 0x0, ...
 02159  1016   NtWaitForSingleObject  ... ) == 0x0
 02289   572   NtAllocateVirtualMemory  ... 1388544, 4096, ) == 0x0
 02294   420   NtQueryInformationThread  (544, Basic, 28, ...
 02295   988   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02290  1096   NtTestAlert  ... ) == 0x0
 02287  1012   NtSetEventBoostPriority  ... ) == 0x0
 02296  1092   NtTestAlert  (...
 02297   572   NtSetEventBoostPriority  (292, ...
 02298  1016   NtSetEventBoostPriority  (352, ...
 02294   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=412,Tid=1064,}, 0x0, ) == 0x0
 02299  1096   NtContinue  (66125104, 1, ...
 02300  1012   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02296  1092   NtTestAlert  ... ) == 0x0
 02295   988   NtWaitForSingleObject  ... ) == 0x102
 02164  1020   NtWaitForSingleObject  ... ) == 0x0
 02298  1016   NtSetEventBoostPriority  ... ) == 0x0
 02291  1076   NtWaitForSingleObject  ... ) == 0x0
 02297   572   NtSetEventBoostPriority  ... ) == 0x0
 02301  1096   NtRegisterThreadTerminatePort  (24, ...
 02302  1092   NtContinue  (67173680, 1, ...
 02303  1020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02304   988   NtWaitForSingleObject  (292, 0, 0x0, ...
 02305  1016   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02306  1076   NtSetEventBoostPriority  (292, ...
 02307   572   NtWaitForSingleObject  (352, 0, 0x0, ...
 02301  1096   NtRegisterThreadTerminatePort  ... ) == 0x0
 02308  1092   NtRegisterThreadTerminatePort  (24, ...
 02309   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1554, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\234\1\0\0(\4\0\0" ...  ...
 02300  1012   NtWaitForSingleObject  ... ) == 0x102
 02292  1080   NtWaitForSingleObject  ... ) == 0x0
 02310  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02308  1092   NtRegisterThreadTerminatePort  ... ) == 0x0
 02309   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1555, 0}  ... {28, 56, reply, 0, 412, 420, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\234\1\0\0(\4\0\0" )  ) == 0x0
 02311  1012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02312  1080   NtSetEventBoostPriority  (292, ...
 02306  1076   NtSetEventBoostPriority  ... ) == 0x0
 02305  1016   NtWaitForSingleObject  ... ) == 0x102
 02313  1092   NtWaitForSingleObject  (292, 0, 0x0, ...
 02314   420   NtResumeThread  (544, ...
 02303  1020   NtWaitForSingleObject  ... ) == 0x0
 02315  1076   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02316  1016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02312  1080   NtSetEventBoostPriority  ... ) == 0x0
 02317  1020   NtSetEventBoostPriority  (292, ...
 02314   420   NtResumeThread  ... 1, ) == 0x0
 02315  1076   NtDuplicateObject  ... 548, ) == 0x0
 02304   988   NtWaitForSingleObject  ... ) == 0x0
 02318  1080   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02319   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02317  1020   NtSetEventBoostPriority  ... ) == 0x0
 02320  1064   NtWaitForSingleObject  (292, 0, 0x0, ...
 02321   988   NtSetEventBoostPriority  (292, ...
 02318  1080   NtDuplicateObject  ... 552, ) == 0x0
 02322  1076   NtWaitForSingleObject  (292, 0, 0x0, ...
 02319   420   NtAllocateVirtualMemory  ... 68222976, 1048576, ) == 0x0
 02311  1012   NtWaitForSingleObject  ... ) == 0x0
 02321   988   NtSetEventBoostPriority  ... ) == 0x0
 02323  1020   NtSetEventBoostPriority  (352, ...
 02324  1012   NtSetEventBoostPriority  (292, ...
 02325   420   NtAllocateVirtualMemory  (-1, 69263360, 0, 8192, 4096, 4, ...
 02326  1080   NtWaitForSingleObject  (292, 0, 0x0, ...
 02310  1096   NtWaitForSingleObject  ... ) == 0x0
 02324  1012   NtSetEventBoostPriority  ... ) == 0x0
 02243  1040   NtWaitForSingleObject  ... ) == 0x0
 02323  1020   NtSetEventBoostPriority  ... ) == 0x0
 02325   420   NtAllocateVirtualMemory  ... 69263360, 8192, ) == 0x0
 02327  1096   NtSetEventBoostPriority  (292, ...
 02328   988   NtWaitForSingleObject  (160, 0, 0x0, ...
 02329  1040   NtWaitForSingleObject  (292, 0, 0x0, ...
 02330  1020   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02316  1016   NtWaitForSingleObject  ... ) == 0x0
 02331   420   NtProtectVirtualMemory  (-1, (0x420e000), 4096, 260, ...
 02330  1020   NtWaitForSingleObject  ... ) == 0x102
 02332  1016   NtSetEventBoostPriority  (292, ...
 02331   420   NtProtectVirtualMemory  ... (0x420e000), 4096, 4, ) == 0x0
 02333  1020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02313  1092   NtWaitForSingleObject  ... ) == 0x0
 02332  1016   NtSetEventBoostPriority  ... ) == 0x0
 02334   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02327  1096   NtSetEventBoostPriority  ... ) == 0x0
 02335  1012   NtWaitForSingleObject  (160, 0, 0x0, ...
 02336  1092   NtSetEventBoostPriority  (292, ...
 02337  1016   NtWaitForSingleObject  (160, 0, 0x0, ...
 02338  1096   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02320  1064   NtWaitForSingleObject  ... ) == 0x0
 02338  1096   NtDuplicateObject  ... 556, ) == 0x0
 02339  1064   NtSetEventBoostPriority  (292, ...
 02336  1092   NtSetEventBoostPriority  ... ) == 0x0
 02334   420   NtCreateThread  ... 560, {412, 1100}, ) == 0x0
 02322  1076   NtWaitForSingleObject  ... ) == 0x0
 02339  1064   NtSetEventBoostPriority  ... ) == 0x0
 02340  1092   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02341  1076   NtSetEventBoostPriority  (292, ...
 02342   420   NtQueryInformationThread  (560, Basic, 28, ...
 02343  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02326  1080   NtWaitForSingleObject  ... ) == 0x0
 02341  1076   NtSetEventBoostPriority  ... ) == 0x0
 02340  1092   NtDuplicateObject  ... 564, ) == 0x0
 02342   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=412,Tid=1100,}, 0x0, ) == 0x0
 02344  1080   NtSetEventBoostPriority  (292, ...
 02345  1076   NtWaitForSingleObject  (292, 0, 0x0, ...
 02346  1064   NtTestAlert  (...
 02329  1040   NtWaitForSingleObject  ... ) == 0x0
 02344  1080   NtSetEventBoostPriority  ... ) == 0x0
 02347   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1555, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\2\0\0\234\1\0\0L\4\0\0" ...  ...
 02348  1092   NtWaitForSingleObject  (292, 0, 0x0, ...
 02349  1040   NtSetEventBoostPriority  (292, ...
 02346  1064   NtTestAlert  ... ) == 0x0
 02350  1080   NtWaitForSingleObject  (292, 0, 0x0, ...
 02347   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1556, 0}  ... {28, 56, reply, 0, 412, 420, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\2\0\0\234\1\0\0L\4\0\0" )  ) == 0x0
 02333  1020   NtWaitForSingleObject  ... ) == 0x0
 02349  1040   NtSetEventBoostPriority  ... ) == 0x0
 02351  1064   NtContinue  (68222256, 1, ...
 02352  1020   NtSetEventBoostPriority  (292, ...
 02353   420   NtResumeThread  (560, ...
 02343  1096   NtWaitForSingleObject  ... ) == 0x0
 02354  1064   NtRegisterThreadTerminatePort  (24, ...
 02353   420   NtResumeThread  ... 1, ) == 0x0
 02355  1096   NtSetEventBoostPriority  (292, ...
 02354  1064   NtRegisterThreadTerminatePort  ... ) == 0x0
 02356   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02348  1092   NtWaitForSingleObject  ... ) == 0x0
 02355  1096   NtSetEventBoostPriority  ... ) == 0x0
 02357  1064   NtWaitForSingleObject  (292, 0, 0x0, ...
 02358  1092   NtSetEventBoostPriority  (292, ...
 02356   420   NtAllocateVirtualMemory  ... 69271552, 1048576, ) == 0x0
 02359  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02352  1020   NtSetEventBoostPriority  ... ) == 0x0
 02360  1040   NtSetEventBoostPriority  (352, ...
 02361  1100   NtWaitForSingleObject  (292, 0, 0x0, ...
 02345  1076   NtWaitForSingleObject  ... ) == 0x0
 02358  1092   NtSetEventBoostPriority  ... ) == 0x0
 02362   420   NtAllocateVirtualMemory  (-1, 70311936, 0, 8192, 4096, 4, ...
 02363  1020   NtWaitForSingleObject  (160, 0, 0x0, ...
 02244   996   NtWaitForSingleObject  ... ) == 0x0
 02360  1040   NtSetEventBoostPriority  ... ) == 0x0
 02364  1076   NtSetEventBoostPriority  (292, ...
 02365  1092   NtWaitForSingleObject  (292, 0, 0x0, ...
 02362   420   NtAllocateVirtualMemory  ... 70311936, 8192, ) == 0x0
 02366   996   NtWaitForSingleObject  (292, 0, 0x0, ...
 02350  1080   NtWaitForSingleObject  ... ) == 0x0
 02367  1040   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02364  1076   NtSetEventBoostPriority  ... ) == 0x0
 02368  1080   NtSetEventBoostPriority  (292, ...
 02367  1040   NtWaitForSingleObject  ... ) == 0x102
 02369  1076   NtWaitForSingleObject  (292, 0, 0x0, ...
 02357  1064   NtWaitForSingleObject  ... ) == 0x0
 02370  1040   NtWaitForSingleObject  (160, 0, 0x0, ...
 02371  1064   NtSetEventBoostPriority  (292, ...
 02368  1080   NtSetEventBoostPriority  ... ) == 0x0
 02372   420   NtProtectVirtualMemory  (-1, (0x430e000), 4096, 260, ...
 02361  1100   NtWaitForSingleObject  ... ) == 0x0
 02373  1080   NtWaitForSingleObject  (292, 0, 0x0, ...
 02372   420   NtProtectVirtualMemory  ... (0x430e000), 4096, 4, ) == 0x0
 02374  1100   NtSetEventBoostPriority  (292, ...
 02375   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02359  1096   NtWaitForSingleObject  ... ) == 0x0
 02374  1100   NtSetEventBoostPriority  ... ) == 0x0
 02376  1096   NtSetEventBoostPriority  (292, ...
 02375   420   NtCreateThread  ... 568, {412, 1104}, ) == 0x0
 02371  1064   NtSetEventBoostPriority  ... ) == 0x0
 02365  1092   NtWaitForSingleObject  ... ) == 0x0
 02377   420   NtQueryInformationThread  (568, Basic, 28, ...
 02378  1064   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02379  1092   NtSetEventBoostPriority  (292, ...
 02377   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=412,Tid=1104,}, 0x0, ) == 0x0
 02378  1064   NtDuplicateObject  ... 572, ) == 0x0
 02366   996   NtWaitForSingleObject  ... ) == 0x0
 02379  1092   NtSetEventBoostPriority  ... ) == 0x0
 02376  1096   NtSetEventBoostPriority  ... ) == 0x0
 02380  1100   NtTestAlert  (...
 02381   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1556, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\2\0\0\234\1\0\0P\4\0\0" ...  ...
 02382   996   NtSetEventBoostPriority  (292, ...
 02383  1092   NtWaitForSingleObject  (292, 0, 0x0, ...
 02384  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02380  1100   NtTestAlert  ... ) == 0x0
 02369  1076   NtWaitForSingleObject  ... ) == 0x0
 02381   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1557, 0}  ... {28, 56, reply, 0, 412, 420, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\2\0\0\234\1\0\0P\4\0\0" )  ) == 0x0
 02385  1100   NtContinue  (69270832, 1, ...
 02386  1076   NtSetEventBoostPriority  (292, ...
 02387   420   NtResumeThread  (568, ...
 02388  1100   NtRegisterThreadTerminatePort  (24, ...
 02373  1080   NtWaitForSingleObject  ... ) == 0x0
 02386  1076   NtSetEventBoostPriority  ... ) == 0x0
 02387   420   NtResumeThread  ... 1, ) == 0x0
 02389  1080   NtSetEventBoostPriority  (292, ...
 02388  1100   NtRegisterThreadTerminatePort  ... ) == 0x0
 02382   996   NtSetEventBoostPriority  ... ) == 0x0
 02390  1064   NtWaitForSingleObject  (292, 0, 0x0, ...
 02391  1104   NtWaitForSingleObject  (292, 0, 0x0, ...
 02383  1092   NtWaitForSingleObject  ... ) == 0x0
 02389  1080   NtSetEventBoostPriority  ... ) == 0x0
 02392   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02393  1100   NtWaitForSingleObject  (292, 0, 0x0, ...
 02394  1076   NtWaitForSingleObject  (352, 0, 0x0, ...
 02395  1092   NtSetEventBoostPriority  (292, ...
 02396   996   NtSetEventBoostPriority  (352, ...
 02397  1080   NtWaitForSingleObject  (352, 0, 0x0, ...
 02392   420   NtAllocateVirtualMemory  ... 70320128, 1048576, ) == 0x0
 02384  1096   NtWaitForSingleObject  ... ) == 0x0
 02395  1092   NtSetEventBoostPriority  ... ) == 0x0
 02245   584   NtWaitForSingleObject  ... ) == 0x0
 02396   996   NtSetEventBoostPriority  ... ) == 0x0
 02398  1096   NtSetEventBoostPriority  (292, ...
 02399   420   NtAllocateVirtualMemory  (-1, 71360512, 0, 8192, 4096, 4, ...
 02400   584   NtWaitForSingleObject  (292, 0, 0x0, ...
 02390  1064   NtWaitForSingleObject  ... ) == 0x0
 02398  1096   NtSetEventBoostPriority  ... ) == 0x0
 02401   996   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02402  1064   NtSetEventBoostPriority  (292, ...
 02399   420   NtAllocateVirtualMemory  ... 71360512, 8192, ) == 0x0
 02403  1092   NtWaitForSingleObject  (352, 0, 0x0, ...
 02391  1104   NtWaitForSingleObject  ... ) == 0x0
 02402  1064   NtSetEventBoostPriority  ... ) == 0x0
 02401   996   NtWaitForSingleObject  ... ) == 0x102
 02404   420   NtProtectVirtualMemory  (-1, (0x440e000), 4096, 260, ...
 02405  1104   NtSetEventBoostPriority  (292, ...
 02406  1064   NtWaitForSingleObject  (352, 0, 0x0, ...
 02407   996   NtWaitForSingleObject  (160, 0, 0x0, ...
 02393  1100   NtWaitForSingleObject  ... ) == 0x0
 02405  1104   NtSetEventBoostPriority  ... ) == 0x0
 02404   420   NtProtectVirtualMemory  ... (0x440e000), 4096, 4, ) == 0x0
 02408  1096   NtWaitForSingleObject  (352, 0, 0x0, ...
 02409  1100   NtSetEventBoostPriority  (292, ...
 02410   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02400   584   NtWaitForSingleObject  ... ) == 0x0
 02409  1100   NtSetEventBoostPriority  ... ) == 0x0
 02411  1104   NtTestAlert  (...
 02412   584   NtSetEventBoostPriority  (352, ...
 02413  1100   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02246  1028   NtWaitForSingleObject  ... ) == 0x0
 02412   584   NtSetEventBoostPriority  ... ) == 0x0
 02411  1104   NtTestAlert  ... ) == 0x0
 02414  1028   NtSetEventBoostPriority  (352, ...
 02413  1100   NtDuplicateObject  ... 576, ) == 0x0
 02410   420   NtCreateThread  ... 580, {412, 1116}, ) == 0x0
 02254   308   NtWaitForSingleObject  ... ) == 0x0
 02415  1104   NtContinue  (70319408, 1, ...
 02414  1028   NtSetEventBoostPriority  ... ) == 0x0
 02416   584   NtWaitForSingleObject  (352, 0, 0x0, ...
 02417   420   NtQueryInformationThread  (580, Basic, 28, ...
 02418   308   NtSetEventBoostPriority  (352, ...
 02419  1104   NtRegisterThreadTerminatePort  (24, ...
 02420  1028   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02417   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=412,Tid=1116,}, 0x0, ) == 0x0
 02261  1044   NtWaitForSingleObject  ... ) == 0x0
 02418   308   NtSetEventBoostPriority  ... ) == 0x0
 02419  1104   NtRegisterThreadTerminatePort  ... ) == 0x0
 02421  1044   NtSetEventBoostPriority  (352, ...
 02422   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1557, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\234\1\0\0\\4\0\0" ...  ...
 02423  1100   NtWaitForSingleObject  (352, 0, 0x0, ...
 02420  1028   NtWaitForSingleObject  ... ) == 0x102
 02288  1068   NtWaitForSingleObject  ... ) == 0x0
 02421  1044   NtSetEventBoostPriority  ... ) == 0x0
 02424  1104   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02422   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1558, 0}  ... {28, 56, reply, 0, 412, 420, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\234\1\0\0\\4\0\0" )  ) == 0x0
 02425  1068   NtSetEventBoostPriority  (352, ...
 02426  1028   NtWaitForSingleObject  (160, 0, 0x0, ...
 02427  1044   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02428   308   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02424  1104   NtDuplicateObject  ... 584, ) == 0x0
 02307   572   NtWaitForSingleObject  ... ) == 0x0
 02425  1068   NtSetEventBoostPriority  ... ) == 0x0
 02429   420   NtResumeThread  (580, ...
 02428   308   NtWaitForSingleObject  ... ) == 0x102
 02430   572   NtSetEventBoostPriority  (352, ...
 02431  1104   NtWaitForSingleObject  (352, 0, 0x0, ...
 02427  1044   NtWaitForSingleObject  ... ) == 0x102
 02429   420   NtResumeThread  ... 1, ) == 0x0
 02394  1076   NtWaitForSingleObject  ... ) == 0x0
 02430   572   NtSetEventBoostPriority  ... ) == 0x0
 02432   308   NtWaitForSingleObject  (160, 0, 0x0, ...
 02433  1044   NtWaitForSingleObject  (160, 0, 0x0, ...
 02434  1076   NtSetEventBoostPriority  (352, ...
 02435   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02436  1068   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02437  1116   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ...
 02397  1080   NtWaitForSingleObject  ... ) == 0x0
 02434  1076   NtSetEventBoostPriority  ... ) == 0x0
 02435   420   NtAllocateVirtualMemory  ... 71368704, 1048576, ) == 0x0
 02436  1068   NtWaitForSingleObject  ... ) == 0x102
 02438  1080   NtWaitForSingleObject  (292, 0, 0x0, ...
 02437  1116   NtAllocateVirtualMemory  ... 1392640, 4096, ) == 0x0
 02439  1076   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02440   420   NtAllocateVirtualMemory  (-1, 72409088, 0, 8192, 4096, 4, ...
 02441  1068   NtWaitForSingleObject  (292, 0, 0x0, ...
 02442  1116   NtSetEventBoostPriority  (292, ...
 02443   572   NtCreateFile  (0xc0100000, {24, 0, 0x42, 0, 0,  (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12582468, 67, ... }, 0x0, 0, 3, 3, 0, 12582468, 67, ...
 02440   420   NtAllocateVirtualMemory  ... 72409088, 8192, ) == 0x0
 02438  1080   NtWaitForSingleObject  ... ) == 0x0
 02442  1116   NtSetEventBoostPriority  ... ) == 0x0
 02443   572   NtCreateFile  ... 588, {status=0x0, info=0}, ) == 0x0
 02439  1076   NtWaitForSingleObject  ... ) == 0x102
 02444  1080   NtSetEventBoostPriority  (292, ...
 02445  1116   NtTestAlert  (...
 02446   572   NtDeviceIoControlFile  (588, 144, 0x0, 0x0, 0x1207b,  (588, 144, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\0\265\24\0\17\346\367w", 16, 16, ... , 16, 16, ...
 02441  1068   NtWaitForSingleObject  ... ) == 0x0
 02444  1080   NtSetEventBoostPriority  ... ) == 0x0
 02447  1076   NtWaitForSingleObject  (292, 0, 0x0, ...
 02448   420   NtProtectVirtualMemory  (-1, (0x450e000), 4096, 260, ...
 02449  1068   NtSetEventBoostPriority  (292, ...
 02446   572   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\330\320\14\201", ) , ) == 0x0
 02445  1116   NtTestAlert  ... ) == 0x0
 02447  1076   NtWaitForSingleObject  ... ) == 0x0
 02449  1068   NtSetEventBoostPriority  ... ) == 0x0
 02448   420   NtProtectVirtualMemory  ... (0x450e000), 4096, 4, ) == 0x0
 02450   572   NtDeviceIoControlFile  (588, 144, 0x0, 0x0, 0x1207b,  (588, 144, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\330\320\14\201", 16, 16, ... , 16, 16, ...
 02451  1076   NtWaitForSingleObject  (160, 0, 0x0, ...
 02452  1116   NtContinue  (71367984, 1, ...
 02453  1080   NtSetEventBoostPriority  (352, ...
 02454   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02450   572   NtDeviceIoControlFile  ... {status=0x0, info=16},  ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\330\320\14\201", ) , ) == 0x0
 02455  1116   NtRegisterThreadTerminatePort  (24, ...
 02403  1092   NtWaitForSingleObject  ... ) == 0x0
 02453  1080   NtSetEventBoostPriority  ... ) == 0x0
 02454   420   NtCreateThread  ... 592, {412, 1000}, ) == 0x0
 02456  1068   NtWaitForSingleObject  (160, 0, 0x0, ...
 02457  1092   NtSetEventBoostPriority  (352, ...
 02455  1116   NtRegisterThreadTerminatePort  ... ) == 0x0
 02458  1080   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02459   420   NtQueryInformationThread  (592, Basic, 28, ...
 02406  1064   NtWaitForSingleObject  ... ) == 0x0
 02457  1092   NtSetEventBoostPriority  ... ) == 0x0
 02460  1116   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02458  1080   NtWaitForSingleObject  ... ) == 0x102
 02461  1064   NtSetEventBoostPriority  (352, ...
 02459   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=412,Tid=1000,}, 0x0, ) == 0x0
 02462  1092   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02460  1116   NtDuplicateObject  ... 596, ) == 0x0
 02408  1096   NtWaitForSingleObject  ... ) == 0x0
 02463  1080   NtWaitForSingleObject  (160, 0, 0x0, ...
 02464   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1558, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\234\1\0\0\350\3\0\0" ...  ...
 02461  1064   NtSetEventBoostPriority  ... ) == 0x0
 02465   572   NtDeviceIoControlFile  (588, 144, 0x0, 0x0, 0x12047,  (588, 144, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310=\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 16, ... , 248, 16, ...
 02462  1092   NtWaitForSingleObject  ... ) == 0x102
 02466  1096   NtSetEventBoostPriority  (352, ...
 02467  1116   NtWaitForSingleObject  (352, 0, 0x0, ...
 02464   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1559, 0}  ... {28, 56, reply, 0, 412, 420, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\234\1\0\0\350\3\0\0" )  ) == 0x0
 02468  1064   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02465   572   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x0
 02469  1092   NtWaitForSingleObject  (160, 0, 0x0, ...
 02416   584   NtWaitForSingleObject  ... ) == 0x0
 02466  1096   NtSetEventBoostPriority  ... ) == 0x0
 02470   572   NtWaitForSingleObject  (92, 0, {0, 0}, ...
 02471   584   NtSetEventBoostPriority  (352, ...
 02472  1096   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02423  1100   NtWaitForSingleObject  ... ) == 0x0
 02471   584   NtSetEventBoostPriority  ... ) == 0x0
 02470   572   NtWaitForSingleObject  ... ) == 0x102
 02473   420   NtResumeThread  (592, ...
 02468  1064   NtWaitForSingleObject  ... ) == 0x102
 02474  1100   NtSetEventBoostPriority  (352, ...
 02475   584   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02476   572   NtDeviceIoControlFile  (588, 144, 0x0, 0x0, 0x12003,  (588, 144, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ...
 02473   420   NtResumeThread  ... 1, ) == 0x0
 02431  1104   NtWaitForSingleObject  ... ) == 0x0
 02474  1100   NtSetEventBoostPriority  ... ) == 0x0
 02477  1064   NtWaitForSingleObject  (160, 0, 0x0, ...
 02472  1096   NtWaitForSingleObject  ... ) == 0x102
 02478  1000   NtTestAlert  (...
 02475   584   NtCreateEvent  ... 600, ) == 0x0
 02479  1104   NtSetEventBoostPriority  (352, ...
 02480   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02481  1100   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02482  1096   NtWaitForSingleObject  (160, 0, 0x0, ...
 02478  1000   NtTestAlert  ... ) == 0x0
 02467  1116   NtWaitForSingleObject  ... ) == 0x0
 02479  1104   NtSetEventBoostPriority  ... ) == 0x0
 02483   584   NtWaitForSingleObject  (352, 0, 0x0, ...
 02480   420   NtAllocateVirtualMemory  ... 72417280, 1048576, ) == 0x0
 02476   572   NtDeviceIoControlFile  ... {status=0x0, info=604},  ... {status=0x0, info=604}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 02484  1116   NtSetEventBoostPriority  (352, ...
 02485  1000   NtContinue  (72416560, 1, ...
 02481  1100   NtWaitForSingleObject  ... ) == 0x102
 02486   420   NtAllocateVirtualMemory  (-1, 73457664, 0, 8192, 4096, 4, ...
 02483   584   NtWaitForSingleObject  ... ) == 0x0
 02484  1116   NtSetEventBoostPriority  ... ) == 0x0
 02487   572   NtDeviceIoControlFile  (588, 144, 0x0, 0x0, 0x12047,  (588, 144, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02488  1000   NtRegisterThreadTerminatePort  (24, ...
 02489  1100   NtWaitForSingleObject  (160, 0, 0x0, ...
 02490   584   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02486   420   NtAllocateVirtualMemory  ... 73457664, 8192, ) == 0x0
 02491  1116   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02487   572   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02488  1000   NtRegisterThreadTerminatePort  ... ) == 0x0
 02490   584   NtCreateEvent  ... 608, ) == 0x0
 02492  1104   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02493   420   NtProtectVirtualMemory  (-1, (0x460e000), 4096, 260, ...
 02494   572   NtDeviceIoControlFile  (588, 144, 0x0, 0x0, 0x1200b,  (588, 144, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ...
 02491  1116   NtWaitForSingleObject  ... ) == 0x102
 02495  1000   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02492  1104   NtWaitForSingleObject  ... ) == 0x102
 02493   420   NtProtectVirtualMemory  ... (0x460e000), 4096, 4, ) == 0x0
 02494   572   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02496  1116   NtWaitForSingleObject  (160, 0, 0x0, ...
 02495  1000   NtDuplicateObject  ... 612, ) == 0x0
 02497  1104   NtWaitForSingleObject  (160, 0, 0x0, ...
 02498   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02499   572   NtDeviceIoControlFile  (588, 144, 0x0, 0x0, 0x12047,  (588, 144, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0e\0t\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ...
 02500  1000   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02498   420   NtCreateThread  ... 616, {412, 1120}, ) == 0x0
 02501   584   NtQuerySystemTime  (...
 02500  1000   NtWaitForSingleObject  ... ) == 0x102
 02502   420   NtQueryInformationThread  (616, Basic, 28, ...
 02501   584   NtQuerySystemTime  ... {-1401688560, 29889234}, ) == 0x0
 02503  1000   NtWaitForSingleObject  (160, 0, 0x0, ...
 02502   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=412,Tid=1120,}, 0x0, ) == 0x0
 02504   584   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02499   572   NtDeviceIoControlFile  ... {status=0x0, info=0}, 0x0, ) == 0x0
 02504   584   NtCreateEvent  ... 620, ) == 0x0
 02505   572   NtDeviceIoControlFile  (588, 144, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ...
 02506   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ...
 02505   572   NtDeviceIoControlFile  ... {status=0x0, info=0}, "", ) == 0x103
 02506   584   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02507   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1559, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\234\1\0\0`\4\0\0" ... {28, 56, reply, 0, 412, 420, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\234\1\0\0`\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1560, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\234\1\0\0`\4\0\0" ... {28, 56, reply, 0, 412, 420, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\234\1\0\0`\4\0\0" )  ) == 0x0
 02508   420   NtResumeThread  (616, ... 1, ) == 0x0
 02509   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 73465856, 1048576, ) == 0x0
 02510   420   NtAllocateVirtualMemory  (-1, 74506240, 0, 8192, 4096, 4, ...
 02511   572   NtWaitForSingleObject  (144, 1, {-5000000, -1}, ...
 02510   420   NtAllocateVirtualMemory  ... 74506240, 8192, ) == 0x0
 02512   584   NtQuerySystemInformation  (Performance, 312, ...
 02513  1120   NtTestAlert  (...
 02514   420   NtProtectVirtualMemory  (-1, (0x470e000), 4096, 260, ...
 02512   584   NtQuerySystemInformation  ... {system info, class 2, size 312}, 0x0, ) == 0x0
 02513  1120   NtTestAlert  ... ) == 0x0
 02514   420   NtProtectVirtualMemory  ... (0x470e000), 4096, 4, ) == 0x0
 02515   584   NtQueryInformationProcess  (-1, QuotaLimits, 32, ...
 02516  1120   NtContinue  (73465136, 1, ...
 02517   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02515   584   NtQueryInformationProcess  ... {process info, class 1, size 32}, 0x0, ) == 0x0
 02518  1120   NtRegisterThreadTerminatePort  (24, ...
 02519   584   NtQueryInformationProcess  (-1, VmCounters, 44, ...
 02518  1120   NtRegisterThreadTerminatePort  ... ) == 0x0
 02519   584   NtQueryInformationProcess  ... {process info, class 3, size 44}, 0x0, ) == 0x0
 02517   420   NtCreateThread  ... 624, {412, 1172}, ) == 0x0
 02520  1120   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02521   420   NtQueryInformationThread  (624, Basic, 28, ...
 02520  1120   NtDuplicateObject  ... 628, ) == 0x0
 02521   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=412,Tid=1172,}, 0x0, ) == 0x0
 02522  1120   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ...
 02523   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1560, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\234\1\0\0\224\4\0\0" ...  ...
 02522  1120   NtAllocateVirtualMemory  ... 1396736, 4096, ) == 0x0
 02523   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1561, 0}  ... {28, 56, reply, 0, 412, 420, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\234\1\0\0\224\4\0\0" )  ) == 0x0
 02524  1120   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02525   584   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 632, ) == 0x0
 02526   584   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 636, ) == 0x0
 02527   584   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 640, ) == 0x0
 02528   584   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15724156, 112, ... 644, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 15724156, 112, ... 644, 0x0, 0x0, 0x0, 112, ) == 0x0
 02529   584   NtRequestWaitReplyPort  (644, {128, 152, new_msg, 0, 1310720, 126032, 1310720, 15723920}  (644, {128, 152, new_msg, 0, 1310720, 126032, 1310720, 15723920} "\0$\370w@\364\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0PW\25\0\4\0\0\0PW\25\0\20\344\314wPW\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0\0\0\0\0\370V\25\0`U\25\0\320V\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370V\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 412, 584, 1563, 0} "\7$\370w@\364\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0PW\25\0\377\377\377\377PW\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0\0\0\0\0\370V\25\0`U\25\0\320V\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370V\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {128, 152, reply, 0, 412, 584, 1563, 0}  (644, {128, 152, new_msg, 0, 1310720, 126032, 1310720, 15723920} "\0$\370w@\364\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0PW\25\0\4\0\0\0PW\25\0\20\344\314wPW\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0\0\0\0\0\370V\25\0`U\25\0\320V\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370V\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 412, 584, 1563, 0} "\7$\370w@\364\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0PW\25\0\377\377\377\377PW\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1\24\0\0\0\0\0\370V\25\0`U\25\0\320V\25\0\0\0\0\0\0\0\0\0\0\0\0\0\370V\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02530   420   NtResumeThread  (624, ...
 02524  1120   NtWaitForSingleObject  ... ) == 0x102
 02530   420   NtResumeThread  ... 1, ) == 0x0
 02531  1120   NtWaitForSingleObject  (160, 0, 0x0, ...
 02532   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 74514432, 1048576, ) == 0x0
 02533   420   NtAllocateVirtualMemory  (-1, 75554816, 0, 8192, 4096, 4, ... 75554816, 8192, ) == 0x0
 02534   420   NtProtectVirtualMemory  (-1, (0x480e000), 4096, 260, ... (0x480e000), 4096, 4, ) == 0x0
 02535   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 648, {412, 1168}, ) == 0x0
 02536   420   NtQueryInformationThread  (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=412,Tid=1168,}, 0x0, ) == 0x0
 02537   584   NtRequestWaitReplyPort  (644, {64, 88, new_msg, 0, 0, 0, 0, 0}  (644, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 02538  1172   NtTestAlert  (... ) == 0x0
 02539  1172   NtContinue  (74513712, 1, ...
 02540  1172   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02541  1172   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 652, ) == 0x0
 02542  1172   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 02543  1172   NtWaitForSingleObject  (160, 0, 0x0, ...
 02544   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1561, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\234\1\0\0\220\4\0\0" ... {28, 56, reply, 0, 412, 420, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\234\1\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1565, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\234\1\0\0\220\4\0\0" ... {28, 56, reply, 0, 412, 420, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\234\1\0\0\220\4\0\0" )  ) == 0x0
 02545   420   NtResumeThread  (648, ... 1, ) == 0x0
 02546   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 75563008, 1048576, ) == 0x0
 02547   420   NtAllocateVirtualMemory  (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0
 02548   420   NtProtectVirtualMemory  (-1, (0x490e000), 4096, 260, ... (0x490e000), 4096, 4, ) == 0x0
 02549   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02550  1168   NtTestAlert  (... ) == 0x0
 02551  1168   NtContinue  (75562288, 1, ...
 02552  1168   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02553  1168   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 656, ) == 0x0
 02554  1168   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 02555  1168   NtWaitForSingleObject  (160, 0, 0x0, ...
 02549   420   NtCreateThread  ... 660, {412, 1156}, ) == 0x0
 02556   420   NtQueryInformationThread  (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=412,Tid=1156,}, 0x0, ) == 0x0
 02557   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1565, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\2\0\0\234\1\0\0\204\4\0\0" ... {28, 56, reply, 0, 412, 420, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\2\0\0\234\1\0\0\204\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1566, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\2\0\0\234\1\0\0\204\4\0\0" ... {28, 56, reply, 0, 412, 420, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\2\0\0\234\1\0\0\204\4\0\0" )  ) == 0x0
 02558   420   NtResumeThread  (660, ... 1, ) == 0x0
 02559   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 76611584, 1048576, ) == 0x0
 02560   420   NtAllocateVirtualMemory  (-1, 77651968, 0, 8192, 4096, 4, ... 77651968, 8192, ) == 0x0
 02561  1156   NtTestAlert  (...
 02537   584   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 412, 584, 1564, 0}  ... {52, 76, reply, 0, 412, 584, 1564, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 02561  1156   NtTestAlert  ... ) == 0x0
 02562   584   NtClose  (640, ...
 02563  1156   NtContinue  (76610864, 1, ...
 02562   584   NtClose  ... ) == 0x0
 02564  1156   NtRegisterThreadTerminatePort  (24, ...
 02565   584   NtClose  (644, ...
 02564  1156   NtRegisterThreadTerminatePort  ... ) == 0x0
 02566   420   NtProtectVirtualMemory  (-1, (0x4a0e000), 4096, 260, ...
 02565   584   NtClose  ... ) == 0x0
 02566   420   NtProtectVirtualMemory  ... (0x4a0e000), 4096, 4, ) == 0x0
 02567   584   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02568   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02567   584   NtCreateKey  ... 644, 2, ) == 0x0
 02568   420   NtCreateThread  ... 640, {412, 1188}, ) == 0x0
 02569   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02570   420   NtQueryInformationThread  (640, Basic, 28, ...
 02569   584   NtOpenKey  ... 664, ) == 0x0
 02570   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=412,Tid=1188,}, 0x0, ) == 0x0
 02571   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02572  1156   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02573   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1566, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\234\1\0\0\244\4\0\0" ...  ...
 02572  1156   NtDuplicateObject  ... 668, ) == 0x0
 02573   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1568, 0}  ... {28, 56, reply, 0, 412, 420, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\234\1\0\0\244\4\0\0" )  ) == 0x0
 02574  1156   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02575   420   NtResumeThread  (640, ...
 02574  1156   NtWaitForSingleObject  ... ) == 0x102
 02575   420   NtResumeThread  ... 1, ) == 0x0
 02576  1156   NtWaitForSingleObject  (160, 0, 0x0, ...
 02577   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02571   584   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02578  1188   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ...
 02579   584   NtQueryValueKey  (644,  (644, "Hostname", Partial, 144, ... , Partial, 144, ...
 02578  1188   NtAllocateVirtualMemory  ... 1400832, 4096, ) == 0x0
 02579   584   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02580  1188   NtTestAlert  (...
 02581   584   NtQueryValueKey  (644,  (644, "Hostname", Partial, 144, ... , Partial, 144, ...
 02580  1188   NtTestAlert  ... ) == 0x0
 02581   584   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02582  1188   NtContinue  (77659440, 1, ...
 02583   584   NtClose  (644, ...
 02577   420   NtAllocateVirtualMemory  ... 77660160, 1048576, ) == 0x0
 02584  1188   NtRegisterThreadTerminatePort  (24, ...
 02585   420   NtAllocateVirtualMemory  (-1, 78700544, 0, 8192, 4096, 4, ...
 02584  1188   NtRegisterThreadTerminatePort  ... ) == 0x0
 02585   420   NtAllocateVirtualMemory  ... 78700544, 8192, ) == 0x0
 02586  1188   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02587   420   NtProtectVirtualMemory  (-1, (0x4b0e000), 4096, 260, ...
 02586  1188   NtDuplicateObject  ... 672, ) == 0x0
 02587   420   NtProtectVirtualMemory  ... (0x4b0e000), 4096, 4, ) == 0x0
 02588  1188   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02589   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02588  1188   NtWaitForSingleObject  ... ) == 0x102
 02583   584   NtClose  ... ) == 0x0
 02590  1188   NtWaitForSingleObject  (160, 0, 0x0, ...
 02591   584   NtClose  (664, ... ) == 0x0
 02592   584   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 664, ) == 0x0
 02593   584   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15724020, 112, ... 644, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 15724020, 112, ... 644, 0x0, 0x0, 0x0, 112, ) == 0x0
 02594   584   NtRequestWaitReplyPort  (644, {128, 152, new_msg, 0, 1310720, 125896, 1310720, 15723784}  (644, {128, 152, new_msg, 0, 1310720, 125896, 1310720, 15723784} "\0$\370w\270\363\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0PW\25\0\4\0\0\0PW\25\0\20\344\314wPW\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\30R\25\0\0\0\0\0\350a\25\0\230a\25\0\300a\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350a\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 02589   420   NtCreateThread  ... 676, {412, 1072}, ) == 0x0
 02595   420   NtQueryInformationThread  (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=412,Tid=1072,}, 0x0, ) == 0x0
 02596   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1568, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\234\1\0\00\4\0\0" ... {28, 56, reply, 0, 412, 420, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\234\1\0\00\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1571, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\234\1\0\00\4\0\0" ... {28, 56, reply, 0, 412, 420, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\234\1\0\00\4\0\0" )  ) == 0x0
 02597   420   NtResumeThread  (676, ... 1, ) == 0x0
 02598   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 78708736, 1048576, ) == 0x0
 02599   420   NtAllocateVirtualMemory  (-1, 79749120, 0, 8192, 4096, 4, ... 79749120, 8192, ) == 0x0
 02594   584   NtRequestWaitReplyPort  ... {128, 152, reply, 0, 412, 584, 1570, 0}  ... {128, 152, reply, 0, 412, 584, 1570, 0} "\7$\370w\270\363\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0PW\25\0\377\377\377\377PW\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\30R\25\0\0\0\0\0\350a\25\0\230a\25\0\300a\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350a\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02600  1072   NtTestAlert  (...
 02601   584   NtRequestWaitReplyPort  (644, {44, 68, new_msg, 0, 412, 584, 1564, 0}  (644, {44, 68, new_msg, 0, 412, 584, 1564, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ...  ...
 02600  1072   NtTestAlert  ... ) == 0x0
 02602   420   NtProtectVirtualMemory  (-1, (0x4c0e000), 4096, 260, ...
 02603  1072   NtContinue  (78708016, 1, ...
 02602   420   NtProtectVirtualMemory  ... (0x4c0e000), 4096, 4, ) == 0x0
 02604  1072   NtRegisterThreadTerminatePort  (24, ...
 02605   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02604  1072   NtRegisterThreadTerminatePort  ... ) == 0x0
 02605   420   NtCreateThread  ... 680, {412, 1140}, ) == 0x0
 02606   420   NtQueryInformationThread  (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=412,Tid=1140,}, 0x0, ) == 0x0
 02607   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1571, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\234\1\0\0t\4\0\0" ... {28, 56, reply, 0, 412, 420, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\234\1\0\0t\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1573, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\234\1\0\0t\4\0\0" ... {28, 56, reply, 0, 412, 420, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\234\1\0\0t\4\0\0" )  ) == 0x0
 02608   420   NtResumeThread  (680, ... 1, ) == 0x0
 02609   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02610  1072   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02611  1140   NtTestAlert  (...
 02610  1072   NtDuplicateObject  ... 684, ) == 0x0
 02611  1140   NtTestAlert  ... ) == 0x0
 02612  1072   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02613  1140   NtContinue  (79756592, 1, ...
 02612  1072   NtWaitForSingleObject  ... ) == 0x102
 02614  1140   NtRegisterThreadTerminatePort  (24, ...
 02615  1072   NtWaitForSingleObject  (160, 0, 0x0, ...
 02614  1140   NtRegisterThreadTerminatePort  ... ) == 0x0
 02609   420   NtAllocateVirtualMemory  ... 79757312, 1048576, ) == 0x0
 02616   420   NtAllocateVirtualMemory  (-1, 80797696, 0, 8192, 4096, 4, ... 80797696, 8192, ) == 0x0
 02617   420   NtProtectVirtualMemory  (-1, (0x4d0e000), 4096, 260, ... (0x4d0e000), 4096, 4, ) == 0x0
 02618   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 688, {412, 324}, ) == 0x0
 02619   420   NtQueryInformationThread  (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=412,Tid=324,}, 0x0, ) == 0x0
 02620   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1573, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\234\1\0\0D\1\0\0" ... {28, 56, reply, 0, 412, 420, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\234\1\0\0D\1\0\0" )  ... {28, 56, reply, 0, 412, 420, 1574, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\234\1\0\0D\1\0\0" ... {28, 56, reply, 0, 412, 420, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\234\1\0\0D\1\0\0" )  ) == 0x0
 02621  1140   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02601   584   NtRequestWaitReplyPort  ... {40, 64, reply, 0, 412, 584, 1572, 0}  ... {40, 64, reply, 0, 412, 584, 1572, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ) == 0x0
 02621  1140   NtDuplicateObject  ... 692, ) == 0x0
 02622   584   NtRequestWaitReplyPort  (644, {64, 88, new_msg, 56, 0, 1, 0, 0}  (644, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\357\357\0@\0\314w@S\25\0\274\357\357\0$\360\357\0\0\267\362v$\360\357\0@S\25\0\1\0\0\0\310e\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 02623  1140   NtWaitForSingleObject  (100, 0, {0, 0}, ... ) == 0x102
 02624  1140   NtWaitForSingleObject  (160, 0, 0x0, ...
 02622   584   NtRequestWaitReplyPort  ... {64, 88, reply, 56, 412, 584, 1575, 0}  ... {64, 88, reply, 56, 412, 584, 1575, 0} "\10\357\357\0@\0\314w@S\25\0\274\357\357\0$\360\357\0\0\267\362v$\360\357\0@S\25\0\1\0\0\0\310e\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02625   420   NtResumeThread  (688, ...
 02626   584   NtClose  (664, ...
 02625   420   NtResumeThread  ... 1, ) == 0x0
 02627   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 80805888, 1048576, ) == 0x0
 02628   420   NtAllocateVirtualMemory  (-1, 81846272, 0, 8192, 4096, 4, ... 81846272, 8192, ) == 0x0
 02629   420   NtProtectVirtualMemory  (-1, (0x4e0e000), 4096, 260, ... (0x4e0e000), 4096, 4, ) == 0x0
 02630   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 696, {412, 1224}, ) == 0x0
 02631   420   NtQueryInformationThread  (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=412,Tid=1224,}, 0x0, ) == 0x0
 02626   584   NtClose  ... ) == 0x0
 02632   324   NtTestAlert  (...
 02633   584   NtClose  (644, ...
 02632   324   NtTestAlert  ... ) == 0x0
 02633   584   NtClose  ... ) == 0x0
 02634   324   NtContinue  (80805168, 1, ...
 02635   584   NtCreateKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ...
 02636   324   NtRegisterThreadTerminatePort  (24, ...
 02635   584   NtCreateKey  ... 644, 2, ) == 0x0
 02636   324   NtRegisterThreadTerminatePort  ... ) == 0x0
 02637   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ...
 02638   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1574, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\234\1\0\0\310\4\0\0" ...  ...
 02639   324   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02638   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1577, 0}  ... {28, 56, reply, 0, 412, 420, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\234\1\0\0\310\4\0\0" )  ) == 0x0
 02639   324   NtDuplicateObject  ... 664, ) == 0x0
 02640   420   NtResumeThread  (696, ...
 02641   324   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02640   420   NtResumeThread  ... 1, ) == 0x0
 02641   324   NtWaitForSingleObject  ... ) == 0x102
 02642   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02643   324   NtWaitForSingleObject  (160, 0, 0x0, ...
 02637   584   NtOpenKey  ... 700, ) == 0x0
 02644  1224   NtTestAlert  (...
 02642   420   NtAllocateVirtualMemory  ... 81854464, 1048576, ) == 0x0
 02645   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ...
 02644  1224   NtTestAlert  ... ) == 0x0
 02646   420   NtAllocateVirtualMemory  (-1, 82894848, 0, 8192, 4096, 4, ...
 02645   584   NtOpenKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02647  1224   NtContinue  (81853744, 1, ...
 02646   420   NtAllocateVirtualMemory  ... 82894848, 8192, ) == 0x0
 02648   584   NtQueryValueKey  (644,  (644, "Domain", Partial, 144, ... , Partial, 144, ...
 02649  1224   NtRegisterThreadTerminatePort  (24, ...
 02650   420   NtProtectVirtualMemory  (-1, (0x4f0e000), 4096, 260, ...
 02648   584   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02649  1224   NtRegisterThreadTerminatePort  ... ) == 0x0
 02650   420   NtProtectVirtualMemory  ... (0x4f0e000), 4096, 4, ) == 0x0
 02651   584   NtQueryValueKey  (644,  (644, "Domain", Partial, 144, ... , Partial, 144, ...
 02652   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02653  1224   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02651   584   NtQueryValueKey  ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02653  1224   NtDuplicateObject  ... 704, ) == 0x0
 02654   584   NtClose  (644, ...
 02655  1224   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02654   584   NtClose  ... ) == 0x0
 02655  1224   NtWaitForSingleObject  ... ) == 0x102
 02656   584   NtClose  (700, ...
 02657  1224   NtWaitForSingleObject  (160, 0, 0x0, ...
 02656   584   NtClose  ... ) == 0x0
 02652   420   NtCreateThread  ... 700, {412, 1232}, ) == 0x0
 02658   584   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ...
 02659   420   NtQueryInformationThread  (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=412,Tid=1232,}, 0x0, ) == 0x0
 02660   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1577, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\234\1\0\0\320\4\0\0" ... {28, 56, reply, 0, 412, 420, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\234\1\0\0\320\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1578, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\234\1\0\0\320\4\0\0" ... {28, 56, reply, 0, 412, 420, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\234\1\0\0\320\4\0\0" )  ) == 0x0
 02661   420   NtResumeThread  (700, ... 1, ) == 0x0
 02662   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 82903040, 1048576, ) == 0x0
 02663   420   NtAllocateVirtualMemory  (-1, 83943424, 0, 8192, 4096, 4, ... 83943424, 8192, ) == 0x0
 02658   584   NtOpenKey  ... 644, ) == 0x0
 02664  1232   NtTestAlert  (...
 02665   584   NtQueryValueKey  (644,  (644, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ...
 02664  1232   NtTestAlert  ... ) == 0x0
 02665   584   NtQueryValueKey  ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02666  1232   NtContinue  (82902320, 1, ...
 02667   584   NtClose  (644, ...
 02668  1232   NtRegisterThreadTerminatePort  (24, ...
 02667   584   NtClose  ... ) == 0x0
 02668  1232   NtRegisterThreadTerminatePort  ... ) == 0x0
 02669   584   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ...
 02670   420   NtProtectVirtualMemory  (-1, (0x500e000), 4096, 260, ...
 02671  1232   NtWaitForSingleObject  (292, 0, 0x0, ...
 02670   420   NtProtectVirtualMemory  ... (0x500e000), 4096, 4, ) == 0x0
 02672   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 644, {412, 1244}, ) == 0x0
 02673   420   NtQueryInformationThread  (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=412,Tid=1244,}, 0x0, ) == 0x0
 02674   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1578, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\2\0\0\234\1\0\0\334\4\0\0" ... {28, 56, reply, 0, 412, 420, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\2\0\0\234\1\0\0\334\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1579, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\2\0\0\234\1\0\0\334\4\0\0" ... {28, 56, reply, 0, 412, 420, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\2\0\0\234\1\0\0\334\4\0\0" )  ) == 0x0
 02675   420   NtResumeThread  (644, ... 1, ) == 0x0
 02676   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02669   584   NtAllocateVirtualMemory  ... 1404928, 4096, ) == 0x0
 02677  1244   NtWaitForSingleObject  (292, 0, 0x0, ...
 02678   584   NtSetEventBoostPriority  (292, ...
 02671  1232   NtWaitForSingleObject  ... ) == 0x0
 02679  1232   NtSetEventBoostPriority  (292, ...
 02677  1244   NtWaitForSingleObject  ... ) == 0x0
 02680  1244   NtTestAlert  (... ) == 0x0
 02679  1232   NtSetEventBoostPriority  ... ) == 0x0
 02678   584   NtSetEventBoostPriority  ... ) == 0x0
 02676   420   NtAllocateVirtualMemory  ... 83951616, 1048576, ) == 0x0
 02681  1232   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02682   584   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15723564, ... }, 15723564, ...
 02683   420   NtAllocateVirtualMemory  (-1, 84992000, 0, 8192, 4096, 4, ...
 02684  1244   NtContinue  (83950896, 1, ...
 02682   584   NtQueryAttributesFile  ... ) == 0x0
 02683   420   NtAllocateVirtualMemory  ... 84992000, 8192, ) == 0x0
 02685  1244   NtRegisterThreadTerminatePort  (24, ...
 02686   584   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ...
 02687   420   NtProtectVirtualMemory  (-1, (0x510e000), 4096, 260, ...
 02685  1244   NtRegisterThreadTerminatePort  ... ) == 0x0
 02681  1232   NtDuplicateObject  ... 708, ) == 0x0
 02687   420   NtProtectVirtualMemory  ... (0x510e000), 4096, 4, ) == 0x0
 02688  1244   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02689  1232   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02690   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02688  1244   NtDuplicateObject  ... 712, ) == 0x0
 02689  1232   NtWaitForSingleObject  ... ) == 0x102
 02686   584   NtOpenFile  ... 716, {status=0x0, info=1}, ) == 0x0
 02691  1244   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02692  1232   NtWaitForSingleObject  (160, 0, 0x0, ...
 02693   584   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 716, ...
 02690   420   NtCreateThread  ... 720, {412, 1248}, ) == 0x0
 02693   584   NtCreateSection  ... 724, ) == 0x0
 02694   420   NtQueryInformationThread  (720, Basic, 28, ...
 02695   584   NtClose  (716, ...
 02694   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=412,Tid=1248,}, 0x0, ) == 0x0
 02695   584   NtClose  ... ) == 0x0
 02696   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1579, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\234\1\0\0\340\4\0\0" ...  ...
 02697   584   NtMapViewOfSection  (724, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ...
 02696   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1580, 0}  ... {28, 56, reply, 0, 412, 420, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\234\1\0\0\340\4\0\0" )  ) == 0x0
 02691  1244   NtWaitForSingleObject  ... ) == 0x102
 02697   584   NtMapViewOfSection  ... (0x2c00000), 0x0, 16384, ) == 0x0
 02698  1244   NtWaitForSingleObject  (160, 0, 0x0, ...
 02699   584   NtClose  (724, ... ) == 0x0
 02700   584   NtUnmapViewOfSection  (-1, 0x2c00000, ... ) == 0x0
 02701   584   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15723880, ... ) }, 15723880, ... ) == 0x0
 02702   584   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 724, {status=0x0, info=1}, ) }, 5, 96, ... 724, {status=0x0, info=1}, ) == 0x0
 02703   584   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 724, ... 716, ) == 0x0
 02704   584   NtQuerySection  (716, Image, 48, ...
 02705   420   NtResumeThread  (720, ... 1, ) == 0x0
 02706   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 85000192, 1048576, ) == 0x0
 02707   420   NtAllocateVirtualMemory  (-1, 86040576, 0, 8192, 4096, 4, ... 86040576, 8192, ) == 0x0
 02708   420   NtProtectVirtualMemory  (-1, (0x520e000), 4096, 260, ... (0x520e000), 4096, 4, ) == 0x0
 02709   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 728, {412, 1252}, ) == 0x0
 02710   420   NtQueryInformationThread  (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=412,Tid=1252,}, 0x0, ) == 0x0
 02704   584   NtQuerySection  ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02711  1248   NtWaitForSingleObject  (136, 0, 0x0, ...
 02712   584   NtClose  (724, ... ) == 0x0
 02713   584   NtMapViewOfSection  (716, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 02714   584   NtClose  (716, ... ) == 0x0
 02715   584   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 716, ) }, ... 716, ) == 0x0
 02716   584   NtMapViewOfSection  (716, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02717   584   NtClose  (716, ...
 02718   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1580, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\234\1\0\0\344\4\0\0" ... {28, 56, reply, 0, 412, 420, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\234\1\0\0\344\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1581, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\234\1\0\0\344\4\0\0" ... {28, 56, reply, 0, 412, 420, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\234\1\0\0\344\4\0\0" )  ) == 0x0
 02719   420   NtResumeThread  (728, ... 1, ) == 0x0
 02720   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 86048768, 1048576, ) == 0x0
 02721   420   NtAllocateVirtualMemory  (-1, 87089152, 0, 8192, 4096, 4, ... 87089152, 8192, ) == 0x0
 02722   420   NtProtectVirtualMemory  (-1, (0x530e000), 4096, 260, ... (0x530e000), 4096, 4, ) == 0x0
 02723   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02717   584   NtClose  ... ) == 0x0
 02724  1252   NtWaitForSingleObject  (136, 0, 0x0, ...
 02725   584   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 716, ) == 0x0
 02726   584   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 724, ) }, ... 724, ) == 0x0
 02727   584   NtQueryValueKey  (724,  (724, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (724, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02728   584   NtClose  (724, ... ) == 0x0
 02729   584   NtSetEventBoostPriority  (136, ...
 02723   420   NtCreateThread  ... 724, {412, 1256}, ) == 0x0
 02730   420   NtQueryInformationThread  (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=412,Tid=1256,}, 0x0, ) == 0x0
 02731   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1581, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\234\1\0\0\350\4\0\0" ... {28, 56, reply, 0, 412, 420, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\234\1\0\0\350\4\0\0" )  ... {28, 56, reply, 0, 412, 420, 1582, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\234\1\0\0\350\4\0\0" ... {28, 56, reply, 0, 412, 420, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\234\1\0\0\350\4\0\0" )  ) == 0x0
 02732   420   NtResumeThread  (724, ... 1, ) == 0x0
 02733   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 87097344, 1048576, ) == 0x0
 02734   420   NtAllocateVirtualMemory  (-1, 88137728, 0, 8192, 4096, 4, ... 88137728, 8192, ) == 0x0
 02711  1248   NtWaitForSingleObject  ... ) == 0x0
 02729   584   NtSetEventBoostPriority  ... ) == 0x0
 02735  1256   NtWaitForSingleObject  (136, 0, 0x0, ...
 02736  1248   NtSetEventBoostPriority  (136, ...
 02737   584   NtWaitForSingleObject  (136, 0, 0x0, ...
 02724  1252   NtWaitForSingleObject  ... ) == 0x0
 02736  1248   NtSetEventBoostPriority  ... ) == 0x0
 02738  1252   NtSetEventBoostPriority  (136, ...
 02739   420   NtProtectVirtualMemory  (-1, (0x540e000), 4096, 260, ...
 02735  1256   NtWaitForSingleObject  ... ) == 0x0
 02738  1252   NtSetEventBoostPriority  ... ) == 0x0
 02740  1256   NtAllocateVirtualMemory  (-1, 3956736, 0, 4096, 4096, 4, ...
 02739   420   NtProtectVirtualMemory  ... (0x540e000), 4096, 4, ) == 0x0
 02741  1248   NtTestAlert  (...
 02740  1256   NtAllocateVirtualMemory  ... 3956736, 4096, ) == 0x0
 02742   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02741  1248   NtTestAlert  ... ) == 0x0
 02743  1252   NtTestAlert  (...
 02742   420   NtCreateThread  ... 732, {412, 1264}, ) == 0x0
 02744  1248   NtContinue  (84999472, 1, ...
 02743  1252   NtTestAlert  ... ) == 0x0
 02745   420   NtQueryInformationThread  (732, Basic, 28, ...
 02746  1248   NtRegisterThreadTerminatePort  (24, ...
 02747  1252   NtContinue  (86048048, 1, ...
 02745   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=412,Tid=1264,}, 0x0, ) == 0x0
 02746  1248   NtRegisterThreadTerminatePort  ... ) == 0x0
 02748  1252   NtRegisterThreadTerminatePort  (24, ...
 02749  1256   NtSetEventBoostPriority  (136, ...
 02750  1248   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02748  1252   NtRegisterThreadTerminatePort  ... ) == 0x0
 02737   584   NtWaitForSingleObject  ... ) == 0x0
 02749  1256   NtSetEventBoostPriority  ... ) == 0x0
 02751   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1582, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\234\1\0\0\360\4\0\0" ...  ...
 02752   584   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15723564, ... }, 15723564, ...
 02753  1252   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02754  1256   NtTestAlert  (...
 02752   584   NtQueryAttributesFile  ... ) == 0x0
 02751   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1583, 0}  ... {28, 56, reply, 0, 412, 420, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\234\1\0\0\360\4\0\0" )  ) == 0x0
 02750  1248   NtDuplicateObject  ... 736, ) == 0x0
 02754  1256   NtTestAlert  ... ) == 0x0
 02753  1252   NtDuplicateObject  ... 740, ) == 0x0
 02755   420   NtResumeThread  (732, ...
 02756  1248   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02757  1256   NtContinue  (87096624, 1, ...
 02758  1252   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02755   420   NtResumeThread  ... 1, ) == 0x0
 02756  1248   NtWaitForSingleObject  ... ) == 0x102
 02759  1256   NtRegisterThreadTerminatePort  (24, ...
 02758  1252   NtWaitForSingleObject  ... ) == 0x102
 02760   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 02761  1248   NtWaitForSingleObject  (160, 0, 0x0, ...
 02762   584   NtQuerySystemInformation  (Basic, 44, ...
 02763  1264   NtTestAlert  (...
 02764  1252   NtWaitForSingleObject  (160, 0, 0x0, ...
 02759  1256   NtRegisterThreadTerminatePort  ... ) == 0x0
 02762   584   NtQuerySystemInformation  ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02763  1264   NtTestAlert  ... ) == 0x0
 02765  1256   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02766   584   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ...
 02767  1264   NtContinue  (88145200, 1, ...
 02765  1256   NtDuplicateObject  ... 744, ) == 0x0
 02766   584   NtAllocateVirtualMemory  ... 46137344, 65536, ) == 0x0
 02768  1264   NtRegisterThreadTerminatePort  (24, ...
 02769  1256   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02770   584   NtAllocateVirtualMemory  (-1, 46137344, 0, 4096, 4096, 4, ...
 02768  1264   NtRegisterThreadTerminatePort  ... ) == 0x0
 02769  1256   NtWaitForSingleObject  ... ) == 0x102
 02770   584   NtAllocateVirtualMemory  ... 46137344, 4096, ) == 0x0
 02760   420   NtAllocateVirtualMemory  ... 88145920, 1048576, ) == 0x0
 02771  1264   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 02772  1256   NtWaitForSingleObject  (160, 0, 0x0, ...
 02773   420   NtAllocateVirtualMemory  (-1, 89186304, 0, 8192, 4096, 4, ...
 02771  1264   NtDuplicateObject  ... 748, ) == 0x0
 02773   420   NtAllocateVirtualMemory  ... 89186304, 8192, ) == 0x0
 02774  1264   NtWaitForSingleObject  (100, 0, {0, 0}, ...
 02775   420   NtProtectVirtualMemory  (-1, (0x550e000), 4096, 260, ...
 02774  1264   NtWaitForSingleObject  ... ) == 0x102
 02775   420   NtProtectVirtualMemory  ... (0x550e000), 4096, 4, ) == 0x0
 02776  1264   NtWaitForSingleObject  (160, 0, 0x0, ...
 02777   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02778   584   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 02779   584   NtAllocateVirtualMemory  (-1, 46141440, 0, 8192, 4096, 4, ... 46141440, 8192, ) == 0x0
 02780   584   NtSetEventBoostPriority  (160, ...
 01002   580   NtWaitForSingleObject  ... ) == 0x0
 02781   580   NtSetEventBoostPriority  (160, ...
 01013   588   NtWaitForSingleObject  ... ) == 0x0
 02782   588   NtSetEventBoostPriority  (160, ...
 01023   576   NtWaitForSingleObject  ... ) == 0x0
 02783   576   NtSetEventBoostPriority  (160, ...
 01334   596   NtWaitForSingleObject  ... ) == 0x0
 02784   596   NtSetEventBoostPriority  (160, ...
 01588   836   NtWaitForSingleObject  ... ) == 0x0
 02785   836   NtSetEventBoostPriority  (160, ...
 01628   784   NtWaitForSingleObject  ... ) == 0x0
 02786   784   NtSetEventBoostPriority  (160, ...
 01642   788   NtWaitForSingleObject  ... ) == 0x0
 02787   788   NtSetEventBoostPriority  (160, ...
 01644   716   NtWaitForSingleObject  ... ) == 0x0
 02788   716   NtSetEventBoostPriority  (160, ...
 01653   856   NtWaitForSingleObject  ... ) == 0x0
 02789   856   NtSetEventBoostPriority  (160, ...
 01660   864   NtWaitForSingleObject  ... ) == 0x0
 02790   864   NtSetEventBoostPriority  (160, ...
 01676   676   NtWaitForSingleObject  ... ) == 0x0
 02791   676   NtSetEventBoostPriority  (160, ...
 01715   860   NtWaitForSingleObject  ... ) == 0x0
 02792   860   NtSetEventBoostPriority  (160, ...
 01719   868   NtWaitForSingleObject  ... ) == 0x0
 02793   868   NtSetEventBoostPriority  (160, ...
 01754   636   NtWaitForSingleObject  ... ) == 0x0
 02794   636   NtSetEventBoostPriority  (160, ...
 01784   744   NtWaitForSingleObject  ... ) == 0x0
 02795   744   NtSetEventBoostPriority  (160, ...
 01829   872   NtWaitForSingleObject  ... ) == 0x0
 02796   872   NtSetEventBoostPriority  (160, ...
 01833   732   NtWaitForSingleObject  ... ) == 0x0
 02797   732   NtSetEventBoostPriority  (160, ...
 01864   876   NtWaitForSingleObject  ... ) == 0x0
 02798   876   NtSetEventBoostPriority  (160, ...
 01921   880   NtWaitForSingleObject  ... ) == 0x0
 02799   880   NtSetEventBoostPriority  (160, ...
 01922   884   NtWaitForSingleObject  ... ) == 0x0
 02800   884   NtSetEventBoostPriority  (160, ...
 01966   912   NtWaitForSingleObject  ... ) == 0x0
 02801   912   NtSetEventBoostPriority  (160, ...
 01970   888   NtWaitForSingleObject  ... ) == 0x0
 02802   888   NtSetEventBoostPriority  (160, ...
 02008   892   NtWaitForSingleObject  ... ) == 0x0
 02803   892   NtSetEventBoostPriority  (160, ...
 02011   908   NtWaitForSingleObject  ... ) == 0x0
 02804   908   NtSetEventBoostPriority  (160, ...
 02075   924   NtWaitForSingleObject  ... ) == 0x0
 02805   924   NtSetEventBoostPriority  (160, ...
 02102   916   NtWaitForSingleObject  ... ) == 0x0
 02806   916   NtSetEventBoostPriority  (160, ...
 02098   928   NtWaitForSingleObject  ... ) == 0x0
 02807   928   NtSetEventBoostPriority  (160, ...
 02138   932   NtWaitForSingleObject  ... ) == 0x0
 02808   932   NtSetEventBoostPriority  (160, ...
 02155   920   NtWaitForSingleObject  ... ) == 0x0
 02809   920   NtSetEventBoostPriority  (160, ...
 02176   936   NtWaitForSingleObject  ... ) == 0x0
 02810   936   NtSetEventBoostPriority  (160, ...
 02217   940   NtWaitForSingleObject  ... ) == 0x0
 02811   940   NtSetEventBoostPriority  (160, ...
 02222   944   NtWaitForSingleObject  ... ) == 0x0
 02812   944   NtSetEventBoostPriority  (160, ...
 02250   948   NtWaitForSingleObject  ... ) == 0x0
 02813   948   NtSetEventBoostPriority  (160, ...
 02264   952   NtWaitForSingleObject  ... ) == 0x0
 02814   952   NtSetEventBoostPriority  (160, ...
 02275   956   NtWaitForSingleObject  ... ) == 0x0
 02815   956   NtSetEventBoostPriority  (160, ...
 02286   984   NtWaitForSingleObject  ... ) == 0x0
 02816   984   NtSetEventBoostPriority  (160, ...
 02293   960   NtWaitForSingleObject  ... ) == 0x0
 02817   960   NtSetEventBoostPriority  (160, ...
 02328   988   NtWaitForSingleObject  ... ) == 0x0
 02818   988   NtSetEventBoostPriority  (160, ...
 02335  1012   NtWaitForSingleObject  ... ) == 0x0
 02819  1012   NtSetEventBoostPriority  (160, ...
 02337  1016   NtWaitForSingleObject  ... ) == 0x0
 02820  1016   NtSetEventBoostPriority  (160, ...
 02363  1020   NtWaitForSingleObject  ... ) == 0x0
 02821  1020   NtSetEventBoostPriority  (160, ...
 02370  1040   NtWaitForSingleObject  ... ) == 0x0
 02822  1040   NtSetEventBoostPriority  (160, ...
 02407   996   NtWaitForSingleObject  ... ) == 0x0
 02823   996   NtSetEventBoostPriority  (160, ...
 02426  1028   NtWaitForSingleObject  ... ) == 0x0
 02824  1028   NtSetEventBoostPriority  (160, ...
 02432   308   NtWaitForSingleObject  ... ) == 0x0
 02825   308   NtSetEventBoostPriority  (160, ...
 02433  1044   NtWaitForSingleObject  ... ) == 0x0
 02826  1044   NtSetEventBoostPriority  (160, ...
 02451  1076   NtWaitForSingleObject  ... ) == 0x0
 02827  1076   NtSetEventBoostPriority  (160, ...
 02456  1068   NtWaitForSingleObject  ... ) == 0x0
 02828  1068   NtSetEventBoostPriority  (160, ...
 02463  1080   NtWaitForSingleObject  ... ) == 0x0
 02829  1080   NtSetEventBoostPriority  (160, ...
 02469  1092   NtWaitForSingleObject  ... ) == 0x0
 02830  1092   NtSetEventBoostPriority  (160, ...
 02477  1064   NtWaitForSingleObject  ... ) == 0x0
 02831  1064   NtSetEventBoostPriority  (160, ...
 02482  1096   NtWaitForSingleObject  ... ) == 0x0
 02832  1096   NtSetEventBoostPriority  (160, ...
 02489  1100   NtWaitForSingleObject  ... ) == 0x0
 02833  1100   NtSetEventBoostPriority  (160, ...
 02496  1116   NtWaitForSingleObject  ... ) == 0x0
 02834  1116   NtSetEventBoostPriority  (160, ...
 02497  1104   NtWaitForSingleObject  ... ) == 0x0
 02835  1104   NtSetEventBoostPriority  (160, ...
 02503  1000   NtWaitForSingleObject  ... ) == 0x0
 02836  1000   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 02837  1000   NtSetEventBoostPriority  (160, ...
 02531  1120   NtWaitForSingleObject  ... ) == 0x0
 02838  1120   NtSetEventBoostPriority  (160, ...
 02543  1172   NtWaitForSingleObject  ... ) == 0x0
 02839  1172   NtSetEventBoostPriority  (160, ...
 02555  1168   NtWaitForSingleObject  ... ) == 0x0
 02840  1168   NtSetEventBoostPriority  (160, ...
 02576  1156   NtWaitForSingleObject  ... ) == 0x0
 02841  1156   NtSetEventBoostPriority  (160, ...
 02590  1188   NtWaitForSingleObject  ... ) == 0x0
 02842  1188   NtSetEventBoostPriority  (160, ...
 02615  1072   NtWaitForSingleObject  ... ) == 0x0
 02843  1072   NtSetEventBoostPriority  (160, ...
 02624  1140   NtWaitForSingleObject  ... ) == 0x0
 02844  1140   NtSetEventBoostPriority  (160, ...
 02643   324   NtWaitForSingleObject  ... ) == 0x0
 02845   324   NtSetEventBoostPriority  (160, ...
 02657  1224   NtWaitForSingleObject  ... ) == 0x0
 02846  1224   NtSetEventBoostPriority  (160, ...
 02692  1232   NtWaitForSingleObject  ... ) == 0x0
 02847  1232   NtSetEventBoostPriority  (160, ...
 02698  1244   NtWaitForSingleObject  ... ) == 0x0
 02848  1244   NtSetEventBoostPriority  (160, ...
 02761  1248   NtWaitForSingleObject  ... ) == 0x0
 02849  1248   NtSetEventBoostPriority  (160, ...
 02764  1252   NtWaitForSingleObject  ... ) == 0x0
 02850  1252   NtSetEventBoostPriority  (160, ...
 02772  1256   NtWaitForSingleObject  ... ) == 0x0
 02851  1256   NtSetEventBoostPriority  (160, ...
 02776  1264   NtWaitForSingleObject  ... ) == 0x0
 02852  1264   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 752, ) == 0x0
 02853  1264   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 02851  1256   NtSetEventBoostPriority  ... ) == 0x0
 02850  1252   NtSetEventBoostPriority  ... ) == 0x0
 02849  1248   NtSetEventBoostPriority  ... ) == 0x0
 02848  1244   NtSetEventBoostPriority  ... ) == 0x0
 02847  1232   NtSetEventBoostPriority  ... ) == 0x0
 02842  1188   NtSetEventBoostPriority  ... ) == 0x0
 02838  1120   NtSetEventBoostPriority  ... ) == 0x0
 02835  1104   NtSetEventBoostPriority  ... ) == 0x0
 02834  1116   NtSetEventBoostPriority  ... ) == 0x0
 02833  1100   NtSetEventBoostPriority  ... ) == 0x0
 02832  1096   NtSetEventBoostPriority  ... ) == 0x0
 02831  1064   NtSetEventBoostPriority  ... ) == 0x0
 02830  1092   NtSetEventBoostPriority  ... ) == 0x0
 02828  1068   NtSetEventBoostPriority  ... ) == 0x0
 02827  1076   NtSetEventBoostPriority  ... ) == 0x0
 02826  1044   NtSetEventBoostPriority  ... ) == 0x0
 02825   308   NtSetEventBoostPriority  ... ) == 0x0
 02824  1028   NtSetEventBoostPriority  ... ) == 0x0
 02821  1020   NtSetEventBoostPriority  ... ) == 0x0
 02820  1016   NtSetEventBoostPriority  ... ) == 0x0
 02819  1012   NtSetEventBoostPriority  ... ) == 0x0
 02818   988   NtSetEventBoostPriority  ... ) == 0x0
 02817   960   NtSetEventBoostPriority  ... ) == 0x0
 02816   984   NtSetEventBoostPriority  ... ) == 0x0
 02815   956   NtSetEventBoostPriority  ... ) == 0x0
 02813   948   NtSetEventBoostPriority  ... ) == 0x0
 02812   944   NtSetEventBoostPriority  ... ) == 0x0
 02811   940   NtSetEventBoostPriority  ... ) == 0x0
 02810   936   NtSetEventBoostPriority  ... ) == 0x0
 02806   916   NtSetEventBoostPriority  ... ) == 0x0
 02805   924   NtSetEventBoostPriority  ... ) == 0x0
 02803   892   NtSetEventBoostPriority  ... ) == 0x0
 02802   888   NtSetEventBoostPriority  ... ) == 0x0
 02799   880   NtSetEventBoostPriority  ... ) == 0x0
 02797   732   NtSetEventBoostPriority  ... ) == 0x0
 02795   744   NtSetEventBoostPriority  ... ) == 0x0
 02794   636   NtSetEventBoostPriority  ... ) == 0x0
 02793   868   NtSetEventBoostPriority  ... ) == 0x0
 02792   860   NtSetEventBoostPriority  ... ) == 0x0
 02791   676   NtSetEventBoostPriority  ... ) == 0x0
 02790   864   NtSetEventBoostPriority  ... ) == 0x0
 02789   856   NtSetEventBoostPriority  ... ) == 0x0
 02788   716   NtSetEventBoostPriority  ... ) == 0x0
 02787   788   NtSetEventBoostPriority  ... ) == 0x0
 02784   596   NtSetEventBoostPriority  ... ) == 0x0
 02783   576   NtSetEventBoostPriority  ... ) == 0x0
 02782   588   NtSetEventBoostPriority  ... ) == 0x0
 02781   580   NtSetEventBoostPriority  ... ) == 0x0
 02780   584   NtSetEventBoostPriority  ... ) == 0x0
 02846  1224   NtSetEventBoostPriority  ... ) == 0x0
 02845   324   NtSetEventBoostPriority  ... ) == 0x0
 02844  1140   NtSetEventBoostPriority  ... ) == 0x0
 02843  1072   NtSetEventBoostPriority  ... ) == 0x0
 02841  1156   NtSetEventBoostPriority  ... ) == 0x0
 02840  1168   NtSetEventBoostPriority  ... ) == 0x0
 02839  1172   NtSetEventBoostPriority  ... ) == 0x0
 02837  1000   NtSetEventBoostPriority  ... ) == 0x0
 02829  1080   NtSetEventBoostPriority  ... ) == 0x0
 02823   996   NtSetEventBoostPriority  ... ) == 0x0
 02822  1040   NtSetEventBoostPriority  ... ) == 0x0
 02814   952   NtSetEventBoostPriority  ... ) == 0x0
 02809   920   NtSetEventBoostPriority  ... ) == 0x0
 02808   932   NtSetEventBoostPriority  ... ) == 0x0
 02807   928   NtSetEventBoostPriority  ... ) == 0x0
 02804   908   NtSetEventBoostPriority  ... ) == 0x0
 02801   912   NtSetEventBoostPriority  ... ) == 0x0
 02800   884   NtSetEventBoostPriority  ... ) == 0x0
 02798   876   NtSetEventBoostPriority  ... ) == 0x0
 02796   872   NtSetEventBoostPriority  ... ) == 0x0
 02786   784   NtSetEventBoostPriority  ... ) == 0x0
 02785   836   NtSetEventBoostPriority  ... ) == 0x0
 02777   420   NtCreateThread  ... 756, {412, 1268}, ) == 0x0
 02854  1256   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02855  1264   NtAllocateVirtualMemory  (-1, 88133632, 0, 4096, 4096, 260, ...
 02856  1252   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02857  1248   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02858  1244   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02859  1232   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02860  1188   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02861  1120   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02862  1104   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02863  1116   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02864  1100   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02865  1096   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02866  1064   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02867  1068   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02868  1092   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02869  1076   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02870  1044   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02871   308   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02872  1028   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02873  1016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02874  1012   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02875   988   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02876  1020   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02877   960   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02878   984   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02879   956   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02880   944   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02881   940   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02882   948   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02883   936   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02884   916   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02885   924   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02886   892   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02887   888   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02888   880   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02889   732   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02890   744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02891   868   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02892   860   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02893   636   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02894   676   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02895   864   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02896   856   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02897   716   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02898   788   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02899   596   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02900   576   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02901   580   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02902   588   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02903  1224   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02904   324   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02905  1140   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02906  1072   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02907  1156   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02908  1168   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02909  1172   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02910   584   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 02911  1080   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02912   996   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02913  1040   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02914   952   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02915   920   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02916  1000   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02917   928   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02918   908   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02919   912   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02920   884   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02921   876   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02922   872   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02923   784   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02924   836   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02925   420   NtQueryInformationThread  (756, Basic, 28, ...
 02926   932   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02855  1264   NtAllocateVirtualMemory  ... 88133632, 4096, ) == 0x0
 02856  1252   NtCreateEvent  ... 760, ) == 0x0
 02857  1248   NtCreateEvent  ... 764, ) == 0x0
 02858  1244   NtCreateEvent  ... 768, ) == 0x0
 02859  1232   NtCreateEvent  ... 772, ) == 0x0
 02860  1188   NtCreateEvent  ... 776, ) == 0x0
 02861  1120   NtCreateEvent  ... 780, ) == 0x0
 02862  1104   NtCreateEvent  ... 784, ) == 0x0
 02863  1116   NtCreateEvent  ... 788, ) == 0x0
 02864  1100   NtCreateEvent  ... 792, ) == 0x0
 02865  1096   NtCreateEvent  ... 796, ) == 0x0
 02866  1064   NtCreateEvent  ... 800, ) == 0x0
 02854  1256   NtCreateEvent  ... 804, ) == 0x0
 02868  1092   NtCreateEvent  ... 808, ) == 0x0
 02869  1076   NtCreateEvent  ... 812, ) == 0x0
 02870  1044   NtCreateEvent  ... 816, ) == 0x0
 02871   308   NtCreateEvent  ... 820, ) == 0x0
 02872  1028   NtCreateEvent  ... 824, ) == 0x0
 02867  1068   NtCreateEvent  ... 828, ) == 0x0
 02873  1016   NtCreateEvent  ... 832, ) == 0x0
 02874  1012   NtCreateEvent  ... 836, ) == 0x0
 02876  1020   NtCreateEvent  ... 840, ) == 0x0
 02877   960   NtCreateEvent  ... 844, ) == 0x0
 02878   984   NtCreateEvent  ... 848, ) == 0x0
 02879   956   NtCreateEvent  ... 852, ) == 0x0
 02875   988   NtCreateEvent  ... 856, ) == 0x0
 02880   944   NtCreateEvent  ... 860, ) == 0x0
 02882   948   NtCreateEvent  ... 864, ) == 0x0
 02883   936   NtCreateEvent  ... 868, ) == 0x0
 02884   916   NtCreateEvent  ... 872, ) == 0x0
 02885   924   NtCreateEvent  ... 876, ) == 0x0
 02886   892   NtCreateEvent  ... 880, ) == 0x0
 02887   888   NtCreateEvent  ... 884, ) == 0x0
 02888   880   NtCreateEvent  ... 888, ) == 0x0
 02889   732   NtCreateEvent  ... 892, ) == 0x0
 02890   744   NtCreateEvent  ... 896, ) == 0x0
 02881   940   NtCreateEvent  ... 900, ) == 0x0
 02891   868   NtCreateEvent  ... 904, ) == 0x0
 02893   636   NtCreateEvent  ... 908, ) == 0x0
 02894   676   NtCreateEvent  ... 912, ) == 0x0
 02895   864   NtCreateEvent  ... 916, ) == 0x0
 02896   856   NtCreateEvent  ... 920, ) == 0x0
 02897   716   NtCreateEvent  ... 924, ) == 0x0
 02898   788   NtCreateEvent  ... 928, ) == 0x0
 02899   596   NtCreateEvent  ... 932, ) == 0x0
 02900   576   NtCreateEvent  ... 936, ) == 0x0
 02892   860   NtCreateEvent  ... 940, ) == 0x0
 02902   588   NtCreateEvent  ... 944, ) == 0x0
 02903  1224   NtCreateEvent  ... 948, ) == 0x0
 02904   324   NtCreateEvent  ... 952, ) == 0x0
 02905  1140   NtCreateEvent  ... 956, ) == 0x0
 02906  1072   NtCreateEvent  ... 960, ) == 0x0
 02907  1156   NtCreateEvent  ... 964, ) == 0x0
 02908  1168   NtCreateEvent  ... 968, ) == 0x0
 02909  1172   NtCreateEvent  ... 972, ) == 0x0
 02910   584   NtCreateEvent  ... 976, ) == 0x0
 02911  1080   NtCreateEvent  ... 980, ) == 0x0
 02912   996   NtCreateEvent  ... 984, ) == 0x0
 02913  1040   NtCreateEvent  ... 988, ) == 0x0
 02914   952   NtCreateEvent  ... 992, ) == 0x0
 02915   920   NtCreateEvent  ... 996, ) == 0x0
 02916  1000   NtCreateEvent  ... 1000, ) == 0x0
 02917   928   NtCreateEvent  ... 1004, ) == 0x0
 02918   908   NtCreateEvent  ... 1008, ) == 0x0
 02919   912   NtCreateEvent  ... 1012, ) == 0x0
 02920   884   NtCreateEvent  ... 1016, ) == 0x0
 02921   876   NtCreateEvent  ... 1020, ) == 0x0
 02922   872   NtCreateEvent  ... 1024, ) == 0x0
 02923   784   NtCreateEvent  ... 1028, ) == 0x0
 02924   836   NtCreateEvent  ... 1032, ) == 0x0
 02925   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=412,Tid=1268,}, 0x0, ) == 0x0
 02926   932   NtCreateEvent  ... 1036, ) == 0x0
 02927  1264   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ...
 02928  1252   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ...
 02929  1248   NtWaitForSingleObject  (292, 0, 0x0, ...
 02930  1244   NtWaitForSingleObject  (292, 0, 0x0, ...
 02931  1232   NtWaitForSingleObject  (292, 0, 0x0, ...
 02932  1188   NtWaitForSingleObject  (292, 0, 0x0, ...
 02933  1120   NtWaitForSingleObject  (292, 0, 0x0, ...
 02934  1104   NtWaitForSingleObject  (292, 0, 0x0, ...
 02935  1116   NtWaitForSingleObject  (292, 0, 0x0, ...
 02936  1100   NtWaitForSingleObject  (292, 0, 0x0, ...
 02937  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02938  1064   NtWaitForSingleObject  (292, 0, 0x0, ...
 02939  1256   NtWaitForSingleObject  (292, 0, 0x0, ...
 02940  1092   NtWaitForSingleObject  (292, 0, 0x0, ...
 02941  1076   NtWaitForSingleObject  (292, 0, 0x0, ...
 02942  1044   NtWaitForSingleObject  (292, 0, 0x0, ...
 02943   308   NtWaitForSingleObject  (292, 0, 0x0, ...
 02944  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02945  1068   NtWaitForSingleObject  (292, 0, 0x0, ...
 02946  1016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02947  1012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02948  1020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02949   960   NtWaitForSingleObject  (292, 0, 0x0, ...
 02950   984   NtWaitForSingleObject  (292, 0, 0x0, ...
 02951   956   NtWaitForSingleObject  (292, 0, 0x0, ...
 02952   988   NtWaitForSingleObject  (292, 0, 0x0, ...
 02953   944   NtWaitForSingleObject  (292, 0, 0x0, ...
 02954   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 02955   936   NtWaitForSingleObject  (292, 0, 0x0, ...
 02956   916   NtWaitForSingleObject  (292, 0, 0x0, ...
 02957   924   NtWaitForSingleObject  (292, 0, 0x0, ...
 02958   892   NtWaitForSingleObject  (292, 0, 0x0, ...
 02959   888   NtWaitForSingleObject  (292, 0, 0x0, ...
 02960   880   NtWaitForSingleObject  (292, 0, 0x0, ...
 02961   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 02962   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 02963   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 02964   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 02965   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 02966   676   NtWaitForSingleObject  (292, 0, 0x0, ...
 02967   864   NtWaitForSingleObject  (292, 0, 0x0, ...
 02968   856   NtWaitForSingleObject  (292, 0, 0x0, ...
 02969   716   NtWaitForSingleObject  (292, 0, 0x0, ...
 02970   788   NtWaitForSingleObject  (292, 0, 0x0, ...
 02971   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 02972   576   NtWaitForSingleObject  (292, 0, 0x0, ...
 02973   860   NtWaitForSingleObject  (292, 0, 0x0, ...
 02974   588   NtWaitForSingleObject  (292, 0, 0x0, ...
 02901   580   NtCreateEvent  ... 1040, ) == 0x0
 02975  1224   NtWaitForSingleObject  (292, 0, 0x0, ...
 02976   324   NtWaitForSingleObject  (292, 0, 0x0, ...
 02977  1140   NtWaitForSingleObject  (292, 0, 0x0, ...
 02978  1072   NtWaitForSingleObject  (292, 0, 0x0, ...
 02979  1156   NtWaitForSingleObject  (292, 0, 0x0, ...
 02980  1168   NtWaitForSingleObject  (292, 0, 0x0, ...
 02981   584   NtWaitForSingleObject  (292, 0, 0x0, ...
 02982  1172   NtWaitForSingleObject  (292, 0, 0x0, ...
 02983  1080   NtWaitForSingleObject  (292, 0, 0x0, ...
 02984   996   NtWaitForSingleObject  (292, 0, 0x0, ...
 02985  1040   NtWaitForSingleObject  (292, 0, 0x0, ...
 02986   952   NtWaitForSingleObject  (292, 0, 0x0, ...
 02987  1000   NtWaitForSingleObject  (292, 0, 0x0, ...
 02988   920   NtWaitForSingleObject  (292, 0, 0x0, ...
 02989   928   NtWaitForSingleObject  (292, 0, 0x0, ...
 02990   908   NtWaitForSingleObject  (292, 0, 0x0, ...
 02991   912   NtWaitForSingleObject  (292, 0, 0x0, ...
 02992   884   NtWaitForSingleObject  (292, 0, 0x0, ...
 02993   876   NtWaitForSingleObject  (292, 0, 0x0, ...
 02994   872   NtWaitForSingleObject  (292, 0, 0x0, ...
 02995   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 02996   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1583, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\234\1\0\0\364\4\0\0" ...  ...
 02997   932   NtWaitForSingleObject  (292, 0, 0x0, ...
 02927  1264   NtCreateEvent  ... 1044, ) == 0x0
 02928  1252   NtAllocateVirtualMemory  ... 1421312, 4096, ) == 0x0
 02998   580   NtWaitForSingleObject  (292, 0, 0x0, ...
 02996   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1584, 0}  ... {28, 56, reply, 0, 412, 420, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\234\1\0\0\364\4\0\0" )  ) == 0x0
 02999  1264   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ...
 03000  1252   NtSetEventBoostPriority  (292, ...
 03001   836   NtWaitForSingleObject  (292, 0, 0x0, ...
 02999  1264   NtDuplicateObject  ... 1048, ) == 0x0
 02929  1248   NtWaitForSingleObject  ... ) == 0x0
 03000  1252   NtSetEventBoostPriority  ... ) == 0x0
 03002   420   NtResumeThread  (756, ...
 03003  1248   NtSetEventBoostPriority  (292, ...
 03004  1264   NtWaitForSingleObject  (292, 0, 0x0, ...
 02930  1244   NtWaitForSingleObject  ... ) == 0x0
 03003  1248   NtSetEventBoostPriority  ... ) == 0x0
 03002   420   NtResumeThread  ... 1, ) == 0x0
 03005  1244   NtSetEventBoostPriority  (292, ...
 03006  1252   NtWaitForSingleObject  (292, 0, 0x0, ...
 03007  1268   NtWaitForSingleObject  (292, 0, 0x0, ...
 02931  1232   NtWaitForSingleObject  ... ) == 0x0
 03005  1244   NtSetEventBoostPriority  ... ) == 0x0
 03008   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03009  1232   NtSetEventBoostPriority  (292, ...
 03010  1248   NtWaitForSingleObject  (292, 0, 0x0, ...
 02932  1188   NtWaitForSingleObject  ... ) == 0x0
 03009  1232   NtSetEventBoostPriority  ... ) == 0x0
 03008   420   NtAllocateVirtualMemory  ... 89194496, 1048576, ) == 0x0
 03011  1188   NtSetEventBoostPriority  (292, ...
 03012  1244   NtWaitForSingleObject  (292, 0, 0x0, ...
 02933  1120   NtWaitForSingleObject  ... ) == 0x0
 03011  1188   NtSetEventBoostPriority  ... ) == 0x0
 03013   420   NtAllocateVirtualMemory  (-1, 90234880, 0, 8192, 4096, 4, ...
 03014  1120   NtSetEventBoostPriority  (292, ...
 03015  1232   NtWaitForSingleObject  (292, 0, 0x0, ...
 02934  1104   NtWaitForSingleObject  ... ) == 0x0
 03014  1120   NtSetEventBoostPriority  ... ) == 0x0
 03013   420   NtAllocateVirtualMemory  ... 90234880, 8192, ) == 0x0
 03016  1104   NtSetEventBoostPriority  (292, ...
 03017  1188   NtWaitForSingleObject  (292, 0, 0x0, ...
 03018  1120   NtWaitForSingleObject  (292, 0, 0x0, ...
 02935  1116   NtWaitForSingleObject  ... ) == 0x0
 03016  1104   NtSetEventBoostPriority  ... ) == 0x0
 03019  1116   NtSetEventBoostPriority  (292, ...
 03020   420   NtProtectVirtualMemory  (-1, (0x560e000), 4096, 260, ...
 02936  1100   NtWaitForSingleObject  ... ) == 0x0
 03019  1116   NtSetEventBoostPriority  ... ) == 0x0
 03021  1100   NtSetEventBoostPriority  (292, ...
 03020   420   NtProtectVirtualMemory  ... (0x560e000), 4096, 4, ) == 0x0
 03022  1104   NtWaitForSingleObject  (292, 0, 0x0, ...
 02937  1096   NtWaitForSingleObject  ... ) == 0x0
 03021  1100   NtSetEventBoostPriority  ... ) == 0x0
 03023   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 03024  1096   NtSetEventBoostPriority  (292, ...
 03025  1116   NtWaitForSingleObject  (292, 0, 0x0, ...
 02938  1064   NtWaitForSingleObject  ... ) == 0x0
 03024  1096   NtSetEventBoostPriority  ... ) == 0x0
 03023   420   NtCreateThread  ... 1052, {412, 1272}, ) == 0x0
 03026  1064   NtSetEventBoostPriority  (292, ...
 03027  1100   NtWaitForSingleObject  (292, 0, 0x0, ...
 02939  1256   NtWaitForSingleObject  ... ) == 0x0
 03026  1064   NtSetEventBoostPriority  ... ) == 0x0
 03028   420   NtQueryInformationThread  (1052, Basic, 28, ...
 03029  1256   NtSetEventBoostPriority  (292, ...
 03030  1096   NtWaitForSingleObject  (292, 0, 0x0, ...
 02940  1092   NtWaitForSingleObject  ... ) == 0x0
 03029  1256   NtSetEventBoostPriority  ... ) == 0x0
 03028   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=412,Tid=1272,}, 0x0, ) == 0x0
 03031  1092   NtSetEventBoostPriority  (292, ...
 03032  1064   NtWaitForSingleObject  (292, 0, 0x0, ...
 03033  1256   NtWaitForSingleObject  (292, 0, 0x0, ...
 02941  1076   NtWaitForSingleObject  ... ) == 0x0
 03031  1092   NtSetEventBoostPriority  ... ) == 0x0
 03034  1076   NtSetEventBoostPriority  (292, ...
 03035   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1584, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\4\0\0\234\1\0\0\370\4\0\0" ...  ...
 02942  1044   NtWaitForSingleObject  ... ) == 0x0
 03034  1076   NtSetEventBoostPriority  ... ) == 0x0
 03036  1044   NtSetEventBoostPriority  (292, ...
 03035   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1585, 0}  ... {28, 56, reply, 0, 412, 420, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\4\0\0\234\1\0\0\370\4\0\0" )  ) == 0x0
 03037  1092   NtWaitForSingleObject  (292, 0, 0x0, ...
 02943   308   NtWaitForSingleObject  ... ) == 0x0
 03036  1044   NtSetEventBoostPriority  ... ) == 0x0
 03038   420   NtResumeThread  (1052, ...
 03039   308   NtSetEventBoostPriority  (292, ...
 03040  1076   NtWaitForSingleObject  (292, 0, 0x0, ...
 02944  1028   NtWaitForSingleObject  ... ) == 0x0
 03039   308   NtSetEventBoostPriority  ... ) == 0x0
 03038   420   NtResumeThread  ... 1, ) == 0x0
 03041  1028   NtSetEventBoostPriority  (292, ...
 03042  1044   NtWaitForSingleObject  (292, 0, 0x0, ...
 03043  1272   NtWaitForSingleObject  (136, 0, 0x0, ...
 02945  1068   NtWaitForSingleObject  ... ) == 0x0
 03041  1028   NtSetEventBoostPriority  ... ) == 0x0
 03044   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03045  1068   NtSetEventBoostPriority  (292, ...
 03046   308   NtWaitForSingleObject  (292, 0, 0x0, ...
 03047  1028   NtWaitForSingleObject  (292, 0, 0x0, ...
 02946  1016   NtWaitForSingleObject  ... ) == 0x0
 03045  1068   NtSetEventBoostPriority  ... ) == 0x0
 03048  1016   NtSetEventBoostPriority  (292, ...
 03044   420   NtAllocateVirtualMemory  ... 90243072, 1048576, ) == 0x0
 02947  1012   NtWaitForSingleObject  ... ) == 0x0
 03048  1016   NtSetEventBoostPriority  ... ) == 0x0
 03049  1012   NtSetEventBoostPriority  (292, ...
 03050   420   NtAllocateVirtualMemory  (-1, 91283456, 0, 8192, 4096, 4, ...
 03051  1068   NtWaitForSingleObject  (292, 0, 0x0, ...
 02948  1020   NtWaitForSingleObject  ... ) == 0x0
 03049  1012   NtSetEventBoostPriority  ... ) == 0x0
 03050   420   NtAllocateVirtualMemory  ... 91283456, 8192, ) == 0x0
 03052  1020   NtSetEventBoostPriority  (292, ...
 03053  1016   NtWaitForSingleObject  (292, 0, 0x0, ...
 02949   960   NtWaitForSingleObject  ... ) == 0x0
 03052  1020   NtSetEventBoostPriority  ... ) == 0x0
 03054   420   NtProtectVirtualMemory  (-1, (0x570e000), 4096, 260, ...
 03055   960   NtSetEventBoostPriority  (292, ...
 03056  1012   NtWaitForSingleObject  (292, 0, 0x0, ...
 02950   984   NtWaitForSingleObject  ... ) == 0x0
 03055   960   NtSetEventBoostPriority  ... ) == 0x0
 03054   420   NtProtectVirtualMemory  ... (0x570e000), 4096, 4, ) == 0x0
 03057   984   NtSetEventBoostPriority  (292, ...
 03058  1020   NtWaitForSingleObject  (292, 0, 0x0, ...
 02951   956   NtWaitForSingleObject  ... ) == 0x0
 03057   984   NtSetEventBoostPriority  ... ) == 0x0
 03059   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 03060   956   NtSetEventBoostPriority  (292, ...
 03061   960   NtWaitForSingleObject  (292, 0, 0x0, ...
 03062   984   NtWaitForSingleObject  (292, 0, 0x0, ...
 02952   988   NtWaitForSingleObject  ... ) == 0x0
 03060   956   NtSetEventBoostPriority  ... ) == 0x0
 03063   988   NtSetEventBoostPriority  (292, ...
 03059   420   NtCreateThread  ... 1056, {412, 1276}, ) == 0x0
 02953   944   NtWaitForSingleObject  ... ) == 0x0
 03063   988   NtSetEventBoostPriority  ... ) == 0x0
 03064   944   NtSetEventBoostPriority  (292, ...
 03065   420   NtQueryInformationThread  (1056, Basic, 28, ...
 03066   956   NtWaitForSingleObject  (292, 0, 0x0, ...
 02954   948   NtWaitForSingleObject  ... ) == 0x0
 03064   944   NtSetEventBoostPriority  ... ) == 0x0
 03065   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=412,Tid=1276,}, 0x0, ) == 0x0
 03067   948   NtSetEventBoostPriority  (292, ...
 03068   988   NtWaitForSingleObject  (292, 0, 0x0, ...
 02955   936   NtWaitForSingleObject  ... ) == 0x0
 03067   948   NtSetEventBoostPriority  ... ) == 0x0
 03069   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1585, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \4\0\0\234\1\0\0\374\4\0\0" ...  ...
 03070   936   NtSetEventBoostPriority  (292, ...
 03071   944   NtWaitForSingleObject  (292, 0, 0x0, ...
 02956   916   NtWaitForSingleObject  ... ) == 0x0
 03070   936   NtSetEventBoostPriority  ... ) == 0x0
 03069   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1586, 0}  ... {28, 56, reply, 0, 412, 420, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \4\0\0\234\1\0\0\374\4\0\0" )  ) == 0x0
 03072   916   NtSetEventBoostPriority  (292, ...
 03073   948   NtWaitForSingleObject  (292, 0, 0x0, ...
 03074   936   NtWaitForSingleObject  (292, 0, 0x0, ...
 02957   924   NtWaitForSingleObject  ... ) == 0x0
 03072   916   NtSetEventBoostPriority  ... ) == 0x0
 03075   924   NtSetEventBoostPriority  (292, ...
 03076   420   NtResumeThread  (1056, ...
 02958   892   NtWaitForSingleObject  ... ) == 0x0
 03075   924   NtSetEventBoostPriority  ... ) == 0x0
 03077   892   NtSetEventBoostPriority  (292, ...
 03076   420   NtResumeThread  ... 1, ) == 0x0
 03078   916   NtWaitForSingleObject  (292, 0, 0x0, ...
 02959   888   NtWaitForSingleObject  ... ) == 0x0
 03077   892   NtSetEventBoostPriority  ... ) == 0x0
 03079   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03080   888   NtSetEventBoostPriority  (292, ...
 03081   924   NtWaitForSingleObject  (292, 0, 0x0, ...
 03082  1276   NtWaitForSingleObject  (136, 0, 0x0, ...
 02960   880   NtWaitForSingleObject  ... ) == 0x0
 03080   888   NtSetEventBoostPriority  ... ) == 0x0
 03079   420   NtAllocateVirtualMemory  ... 91291648, 1048576, ) == 0x0
 03083   880   NtSetEventBoostPriority  (292, ...
 03084   892   NtWaitForSingleObject  (292, 0, 0x0, ...
 02961   732   NtWaitForSingleObject  ... ) == 0x0
 03083   880   NtSetEventBoostPriority  ... ) == 0x0
 03085   420   NtAllocateVirtualMemory  (-1, 92332032, 0, 8192, 4096, 4, ...
 03086   732   NtSetEventBoostPriority  (292, ...
 03087   888   NtWaitForSingleObject  (292, 0, 0x0, ...
 02962   744   NtWaitForSingleObject  ... ) == 0x0
 03086   732   NtSetEventBoostPriority  ... ) == 0x0
 03085   420   NtAllocateVirtualMemory  ... 92332032, 8192, ) == 0x0
 03088   744   NtSetEventBoostPriority  (292, ...
 03089   880   NtWaitForSingleObject  (292, 0, 0x0, ...
 03090   732   NtWaitForSingleObject  (292, 0, 0x0, ...
 02963   940   NtWaitForSingleObject  ... ) == 0x0
 03088   744   NtSetEventBoostPriority  ... ) == 0x0
 03091   940   NtSetEventBoostPriority  (292, ...
 03092   420   NtProtectVirtualMemory  (-1, (0x580e000), 4096, 260, ...
 02964   868   NtWaitForSingleObject  ... ) == 0x0
 03091   940   NtSetEventBoostPriority  ... ) == 0x0
 03093   868   NtSetEventBoostPriority  (292, ...
 03092   420   NtProtectVirtualMemory  ... (0x580e000), 4096, 4, ) == 0x0
 03094   744   NtWaitForSingleObject  (292, 0, 0x0, ...
 02965   636   NtWaitForSingleObject  ... ) == 0x0
 03093   868   NtSetEventBoostPriority  ... ) == 0x0
 03095   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 03096   636   NtSetEventBoostPriority  (292, ...
 03097   940   NtWaitForSingleObject  (292, 0, 0x0, ...
 02966   676   NtWaitForSingleObject  ... ) == 0x0
 03096   636   NtSetEventBoostPriority  ... ) == 0x0
 03095   420   NtCreateThread  ... 1060, {412, 1280}, ) == 0x0
 03098   676   NtSetEventBoostPriority  (292, ...
 03099   868   NtWaitForSingleObject  (292, 0, 0x0, ...
 02967   864   NtWaitForSingleObject  ... ) == 0x0
 03098   676   NtSetEventBoostPriority  ... ) == 0x0
 03100   420   NtQueryInformationThread  (1060, Basic, 28, ...
 03101   864   NtSetEventBoostPriority  (292, ...
 03102   636   NtWaitForSingleObject  (292, 0, 0x0, ...
 02968   856   NtWaitForSingleObject  ... ) == 0x0
 03101   864   NtSetEventBoostPriority  ... ) == 0x0
 03100   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=412,Tid=1280,}, 0x0, ) == 0x0
 03103   856   NtSetEventBoostPriority  (292, ...
 03104   676   NtWaitForSingleObject  (292, 0, 0x0, ...
 03105   864   NtWaitForSingleObject  (292, 0, 0x0, ...
 02969   716   NtWaitForSingleObject  ... ) == 0x0
 03103   856   NtSetEventBoostPriority  ... ) == 0x0
 03106   716   NtSetEventBoostPriority  (292, ...
 03107   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1586, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\4\0\0\234\1\0\0\0\5\0\0" ...  ...
 02970   788   NtWaitForSingleObject  ... ) == 0x0
 03106   716   NtSetEventBoostPriority  ... ) == 0x0
 03108   788   NtSetEventBoostPriority  (292, ...
 03107   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1587, 0}  ... {28, 56, reply, 0, 412, 420, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\4\0\0\234\1\0\0\0\5\0\0" )  ) == 0x0
 03109   856   NtWaitForSingleObject  (292, 0, 0x0, ...
 02971   596   NtWaitForSingleObject  ... ) == 0x0
 03108   788   NtSetEventBoostPriority  ... ) == 0x0
 03110   420   NtResumeThread  (1060, ...
 03111   596   NtSetEventBoostPriority  (292, ...
 03112   716   NtWaitForSingleObject  (292, 0, 0x0, ...
 02972   576   NtWaitForSingleObject  ... ) == 0x0
 03111   596   NtSetEventBoostPriority  ... ) == 0x0
 03110   420   NtResumeThread  ... 1, ) == 0x0
 03113   576   NtSetEventBoostPriority  (292, ...
 03114   788   NtWaitForSingleObject  (292, 0, 0x0, ...
 03115  1280   NtWaitForSingleObject  (136, 0, 0x0, ...
 02973   860   NtWaitForSingleObject  ... ) == 0x0
 03113   576   NtSetEventBoostPriority  ... ) == 0x0
 03116   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03117   860   NtSetEventBoostPriority  (292, ...
 03118   596   NtWaitForSingleObject  (292, 0, 0x0, ...
 03119   576   NtWaitForSingleObject  (292, 0, 0x0, ...
 02974   588   NtWaitForSingleObject  ... ) == 0x0
 03117   860   NtSetEventBoostPriority  ... ) == 0x0
 03120   588   NtSetEventBoostPriority  (292, ...
 03116   420   NtAllocateVirtualMemory  ... 92340224, 1048576, ) == 0x0
 02975  1224   NtWaitForSingleObject  ... ) == 0x0
 03120   588   NtSetEventBoostPriority  ... ) == 0x0
 03121  1224   NtSetEventBoostPriority  (292, ...
 03122   420   NtAllocateVirtualMemory  (-1, 93380608, 0, 8192, 4096, 4, ...
 03123   860   NtWaitForSingleObject  (292, 0, 0x0, ...
 02976   324   NtWaitForSingleObject  ... ) == 0x0
 03121  1224   NtSetEventBoostPriority  ... ) == 0x0
 03122   420   NtAllocateVirtualMemory  ... 93380608, 8192, ) == 0x0
 03124   324   NtSetEventBoostPriority  (292, ...
 03125  1224   NtWaitForSingleObject  (292, 0, 0x0, ...
 02977  1140   NtWaitForSingleObject  ... ) == 0x0
 03124   324   NtSetEventBoostPriority  ... ) == 0x0
 03126   420   NtProtectVirtualMemory  (-1, (0x590e000), 4096, 260, ...
 03127   588   NtWaitForSingleObject  (292, 0, 0x0, ...
 03128  1140   NtSetEventBoostPriority  (292, ...
 03129   324   NtWaitForSingleObject  (292, 0, 0x0, ...
 03126   420   NtProtectVirtualMemory  ... (0x590e000), 4096, 4, ) == 0x0
 02978  1072   NtWaitForSingleObject  ... ) == 0x0
 03128  1140   NtSetEventBoostPriority  ... ) == 0x0
 03130  1072   NtSetEventBoostPriority  (292, ...
 03131   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ...
 02979  1156   NtWaitForSingleObject  ... ) == 0x0
 03130  1072   NtSetEventBoostPriority  ... ) == 0x0
 03132  1140   NtWaitForSingleObject  (292, 0, 0x0, ...
 03133  1156   NtSetEventBoostPriority  (292, ...
 03134  1072   NtWaitForSingleObject  (292, 0, 0x0, ...
 03131   420   NtCreateThread  ... 1064, {412, 1284}, ) == 0x0
 02980  1168   NtWaitForSingleObject  ... ) == 0x0
 03133  1156   NtSetEventBoostPriority  ... ) == 0x0
 03135  1168   NtSetEventBoostPriority  (292, ...
 03136   420   NtQueryInformationThread  (1064, Basic, 28, ...
 02981   584   NtWaitForSingleObject  ... ) == 0x0
 03135  1168   NtSetEventBoostPriority  ... ) == 0x0
 03137  1156   NtWaitForSingleObject  (292, 0, 0x0, ...
 03138   584   NtSetEventBoostPriority  (292, ...
 03136   420   NtQueryInformationThread  ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=412,Tid=1284,}, 0x0, ) == 0x0
 03139  1168   NtWaitForSingleObject  (292, 0, 0x0, ...
 02982  1172   NtWaitForSingleObject  ... ) == 0x0
 03138   584   NtSetEventBoostPriority  ... ) == 0x0
 03140   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1587, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\4\0\0\234\1\0\0\4\5\0\0" ...  ...
 03141  1172   NtSetEventBoostPriority  (292, ...
 02983  1080   NtWaitForSingleObject  ... ) == 0x0
 03142  1080   NtSetEventBoostPriority  (292, ...
 02984   996   NtWaitForSingleObject  ... ) == 0x0
 03143   996   NtSetEventBoostPriority  (292, ...
 02985  1040   NtWaitForSingleObject  ... ) == 0x0
 03144  1040   NtSetEventBoostPriority  (292, ...
 02986   952   NtWaitForSingleObject  ... ) == 0x0
 03145   952   NtSetEventBoostPriority  (292, ...
 02987  1000   NtWaitForSingleObject  ... ) == 0x0
 03146  1000   NtSetEventBoostPriority  (292, ...
 02988   920   NtWaitForSingleObject  ... ) == 0x0
 03147   920   NtSetEventBoostPriority  (292, ...
 02989   928   NtWaitForSingleObject  ... ) == 0x0
 03148   928   NtSetEventBoostPriority  (292, ...
 02990   908   NtWaitForSingleObject  ... ) == 0x0
 03149   908   NtSetEventBoostPriority  (292, ...
 02991   912   NtWaitForSingleObject  ... ) == 0x0
 03150   912   NtSetEventBoostPriority  (292, ...
 02992   884   NtWaitForSingleObject  ... ) == 0x0
 03151   884   NtSetEventBoostPriority  (292, ...
 02993   876   NtWaitForSingleObject  ... ) == 0x0
 03152   876   NtSetEventBoostPriority  (292, ...
 02994   872   NtWaitForSingleObject  ... ) == 0x0
 03153   872   NtSetEventBoostPriority  (292, ...
 02995   784   NtWaitForSingleObject  ... ) == 0x0
 03154   784   NtSetEventBoostPriority  (292, ...
 02997   932   NtWaitForSingleObject  ... ) == 0x0
 03155   932   NtSetEventBoostPriority  (292, ...
 02998   580   NtWaitForSingleObject  ... ) == 0x0
 03156   580   NtSetEventBoostPriority  (292, ...
 03001   836   NtWaitForSingleObject  ... ) == 0x0
 03157   836   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 03158   836   NtSetEventBoostPriority  (292, ...
 03156   580   NtSetEventBoostPriority  ... ) == 0x0
 03155   932   NtSetEventBoostPriority  ... ) == 0x0
 03154   784   NtSetEventBoostPriority  ... ) == 0x0
 03153   872   NtSetEventBoostPriority  ... ) == 0x0
 03152   876   NtSetEventBoostPriority  ... ) == 0x0
 03151   884   NtSetEventBoostPriority  ... ) == 0x0
 03150   912   NtSetEventBoostPriority  ... ) == 0x0
 03149   908   NtSetEventBoostPriority  ... ) == 0x0
 03148   928   NtSetEventBoostPriority  ... ) == 0x0
 03147   920   NtSetEventBoostPriority  ... ) == 0x0
 03146  1000   NtSetEventBoostPriority  ... ) == 0x0
 03145   952   NtSetEventBoostPriority  ... ) == 0x0
 03144  1040   NtSetEventBoostPriority  ... ) == 0x0
 03143   996   NtSetEventBoostPriority  ... ) == 0x0
 03142  1080   NtSetEventBoostPriority  ... ) == 0x0
 03141  1172   NtSetEventBoostPriority  ... ) == 0x0
 03140   420   NtRequestWaitReplyPort  ... {28, 56, reply, 0, 412, 420, 1588, 0}  ... {28, 56, reply, 0, 412, 420, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\4\0\0\234\1\0\0\4\5\0\0" )  ) == 0x0
 03159   584   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15723852, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 15723852, 112, ...
 03004  1264   NtWaitForSingleObject  ... ) == 0x0
 03158   836   NtSetEventBoostPriority  ... ) == 0x0
 03160   580   NtWaitForSingleObject  (292, 0, 0x0, ...
 03161   784   NtWaitForSingleObject  (292, 0, 0x0, ...
 03162   872   NtWaitForSingleObject  (292, 0, 0x0, ...
 03163   876   NtWaitForSingleObject  (292, 0, 0x0, ...
 03164   884   NtWaitForSingleObject  (292, 0, 0x0, ...
 03165   912   NtWaitForSingleObject  (292, 0, 0x0, ...
 03166   908   NtWaitForSingleObject  (292, 0, 0x0, ...
 03167   928   NtWaitForSingleObject  (292, 0, 0x0, ...
 03168   920   NtWaitForSingleObject  (292, 0, 0x0, ...
 03169   932   NtWaitForSingleObject  (292, 0, 0x0, ...
 03170   952   NtWaitForSingleObject  (292, 0, 0x0, ...
 03171  1040   NtWaitForSingleObject  (292, 0, 0x0, ...
 03172   996   NtWaitForSingleObject  (292, 0, 0x0, ...
 03173  1080   NtWaitForSingleObject  (292, 0, 0x0, ...
 03174  1172   NtWaitForSingleObject  (292, 0, 0x0, ...
 03175  1000   NtWaitForSingleObject  (292, 0, 0x0, ...
 03176  1264   NtSetEventBoostPriority  (292, ...
 03177   836   NtWaitForSingleObject  (292, 0, 0x0, ...
 03159   584   NtConnectPort  ... 1068, 0x0, 0x0, 0x0, 112, ) == 0x0
 03178   420   NtResumeThread  (1064, ...
 03006  1252   NtWaitForSingleObject  ... ) == 0x0
 03176  1264   NtSetEventBoostPriority  ... ) == 0x0
 03179   584   NtRequestWaitReplyPort  (1068, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 15723616}  (1068, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 15723616} "\0$\370w\20\363\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0PW\25\0\4\0\0\0PW\25\0\20\344\314wPW\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\350\236\25\0\0\0\0\0\260\274\25\0\10\237\25\0x\1\24\0\0\0\0\0\0\0\25\0\0\0\0\0\260\274\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 03180  1252   NtSetEventBoostPriority  (292, ...
 03178   420   NtResumeThread  ... 1, ) == 0x0
 03181  1264   NtWaitForSingleObject  (292, 0, 0x0, ...
 03007  1268   NtWaitForSingleObject  ... ) == 0x0
 03180  1252   NtSetEventBoostPriority  ... ) == 0x0
 03182   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03179   584   NtRequestWaitReplyPort  ... {128, 152, reply, 0, 412, 584, 1590, 0}  ... {128, 152, reply, 0, 412, 584, 1590, 0} "\7$\370w\20\363\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0PW\25\0\377\377\377\377PW\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\350\236\25\0\0\0\0\0\260\274\25\0\10\237\25\0x\1\24\0\0\0\0\0\0\0\25\0\0\0\0\0\260\274\25\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 03183  1284   NtWaitForSingleObject  (136, 0, 0x0, ...
 03184  1268   NtSetEventBoostPriority  (292, ...
 03185  1252   NtWaitForSingleObject  (292, 0, 0x0, ...
 03182   420   NtAllocateVirtualMemory  ... 93388800, 1048576, ) == 0x0
 03010  1248   NtWaitForSingleObject  ... ) == 0x0
 03184  1268   NtSetEventBoostPriority  ... ) == 0x0
 03186   584   NtRequestWaitReplyPort  (1068, {64, 88, new_msg, 0, 412, 584, 1572, 0}  (1068, {64, 88, new_msg, 0, 412, 584, 1572, 0} "\1\240\0\0A\2\10\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ...  ...
 03187  1248   NtSetEventBoostPriority  (292, ...
 03188   420   NtAllocateVirtualMemory  (-1, 94429184, 0, 8192, 4096, 4, ...
 03012  1244   NtWaitForSingleObject  ... ) == 0x0
 03187  1248   NtSetEventBoostPriority  ... ) == 0x0
 03189  1244   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ...
 03188   420   NtAllocateVirtualMemory  ... 94429184, 8192, ) == 0x0
 03189  1244   NtAllocateVirtualMemory  ... 1429504, 4096, ) == 0x0
 03190  1248   NtWaitForSingleObject  (292, 0, 0x0, ...
 03186   584   NtRequestWaitReplyPort  ... {52, 76, reply, 0, 412, 584, 1591, 0}  ... {52, 76, reply, 0, 412, 584, 1591, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03191  1268   NtWaitForSingleObject  (292, 0, 0x0, ...
 03192  1244   NtSetEventBoostPriority  (292, ...
 03193   420   NtProtectVirtualMemory  (-1, (0x5a0e000), 4096, 260, ...
 03194   584   NtWaitForSingleObject  (292, 0, 0x0, ...
 03193   420   NtProtectVirtualMemory  ... (0x5a0e000), 4096, 4, ) == 0x0
 03195   420   NtCreateThread  (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 1072, {412, 1296}, ) == 0x0
 03196   420   NtQueryInformationThread  (1072, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=412,Tid=1296,}, 0x0, ) == 0x0
 03197   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 412, 420, 1588, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\4\0\0\234\1\0\0\20\5\0\0" ... {28, 56, reply, 0, 412, 420, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\4\0\0\234\1\0\0\20\5\0\0" )  ... {28, 56, reply, 0, 412, 420, 1592, 0}  (24, {28, 56, new_msg, 0, 412, 420, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\4\0\0\234\1\0\0\20\5\0\0" ... {28, 56, reply, 0, 412, 420, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\4\0\0\234\1\0\0\20\5\0\0" )  ) == 0x0
 03198   420   NtResumeThread  (1072, ... 1, ) == 0x0
 03199   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ...
 03015  1232   NtWaitForSingleObject  ... ) == 0x0
 03192  1244   NtSetEventBoostPriority  ... ) == 0x0
 03200  1296   NtWaitForSingleObject  (136, 0, 0x0, ...
 03201  1232   NtSetEventBoostPriority  (292, ...
 03202  1244   NtWaitForSingleObject  (292, 0, 0x0, ...
 03017  1188   NtWaitForSingleObject  ... ) == 0x0
 03201  1232   NtSetEventBoostPriority  ... ) == 0x0
 03203  1188   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 03204  1188   NtSetEventBoostPriority  (292, ...
 03205  1232   NtWaitForSingleObject  (292, 0, 0x0, ...
 03199   420   NtAllocateVirtualMemory  ... 94437376, 1048576, ) == 0x0
 03018  1120   NtWaitForSingleObject  ... ) == 0x0
 03204  1188   NtSetEventBoostPriority  ... ) == 0x0
 03206   420   NtAllocateVirtualMemory  (-1, 95477760, 0, 8192, 4096, 4, ...
 03207  1120   NtSetEventBoostPriority  (292, ...
 03208  1188   NtWaitForSingleObject  (292, 0, 0x0, ...
 03206   420   NtAllocateVirtualMemory  ... 95477760, 8192, ) == 0x0
 03022  1104   NtWaitForSingleObject  ... ) == 0x0
 03207  1120   NtSetEventBoostPriority  ... ) == 0x0
 03209  1104   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ...
 03210   420   NtProtectVirtualMemory  (-1, (0x5b0e000), 4096, 260, ...
 03209  1104   NtAllocateVirtualMemory  ... 1437696, 4096, ) == 0x0
 03211  1120   NtWaitForSingleObject  (292, 0, 0x0, ...
 03212  1104   NtSetEventBoostPriority  (292, ...
NtCallbackReturn(>)	1	NtQuerySystemTime(>)	2	NtGdiSaveDC(>)	7	NtMapViewOfSection(>)	33
NtFsControlFile(>)	1	NtSetValueKey(>)	2	NtGdiSetDIBitsToDeviceInternal(>)	7	NtUserRegisterClassExWOW(>)	34
NtGdiCreatePaletteInternal(>)	1	NtCreateSemaphore(>)	3	NtQueryInformationFile(>)	7	NtReleaseMutant(>)	38
NtGdiInit(>)	1	NtFreeVirtualMemory(>)	3	NtQueryInformationToken(>)	7	NtQueryAttributesFile(>)	39
NtGdiQueryFontAssocInfo(>)	1	NtGdiHfontCreate(>)	3	NtUserSetCursorIconData(>)	7	NtUserFindExistingCursorIcon(>)	47
NtOpenEvent(>)	1	NtNotifyChangeKey(>)	3	NtUserSystemParametersInfo(>)	7	NtGdiSelectBitmap(>)	57
NtOpenKeyedEvent(>)	1	NtOpenProcessToken(>)	3	NtGdiCreateBitmap(>)	8	NtOpenKey(>)	80
NtOpenProcess(>)	1	NtOpenProcessTokenEx(>)	3	NtCreateFile(>)	9	NtContinue(>)	94
NtOpenSymbolicLinkObject(>)	1	NtOpenThreadTokenEx(>)	3	NtGdiCreateCompatibleDC(>)	10	NtResumeThread(>)	115
NtQueryObject(>)	1	NtQueryVirtualMemory(>)	3	NtGdiExtGetObjectW(>)	10	NtCreateThread(>)	121
NtQuerySymbolicLinkObject(>)	1	NtSetInformationObject(>)	3	NtQuerySection(>)	10	NtQueryInformationThread(>)	122
NtSecureConnectPort(>)	1	NtConnectPort(>)	4	NtUserGetDC(>)	10	NtRequestWaitReplyPort(>)	137
NtSetInformationThread(>)	1	NtQueryVolumeInformationFile(>)	4	NtFlushInstructionCache(>)	11	NtTestAlert(>)	142
NtUserCallNoParam(>)	1	NtUserRegisterWindowMessage(>)	4	NtGdiDeleteObjectApp(>)	14	NtProtectVirtualMemory(>)	143
NtUserEnumDisplayMonitors(>)	1	NtCreateKey(>)	5	NtUserSelectPalette(>)	14	NtRegisterThreadTerminatePort(>)	144
NtUserGetKeyboardLayoutList(>)	1	NtQueryInformationProcess(>)	6	NtDeviceIoControlFile(>)	16	NtClose(>)	148
NtUserGetThreadDesktop(>)	1	NtSetInformationFile(>)	6	NtCreateSection(>)	17	NtDuplicateObject(>)	148
NtUserSetWindowsHookEx(>)	1	NtUnmapViewOfSection(>)	6	NtOpenFile(>)	17	NtQueryValueKey(>)	182
NtAddAtom(>)	2	NtGdiBitBlt(>)	7	NtReadFile(>)	18	NtCreateEvent(>)	194
NtCreateMutant(>)	2	NtGdiCreateDIBitmapInternal(>)	7	NtUserGetClassInfo(>)	18	NtAllocateVirtualMemory(>)	331
NtGdiCreateSolidBrush(>)	2	NtGdiGetDCObject(>)	7	NtUserCallOneParam(>)	19	NtSetEventBoostPriority(>)	977
NtOpenDirectoryObject(>)	2	NtGdiGetDCforBitmap(>)	7	NtWriteFile(>)	22	NtWaitForSingleObject(>)	1219
NtOpenMutant(>)	2	NtGdiGetStockObject(>)	7	NtOpenSection(>)	23
NtQueryDefaultLocale(>)	2	NtGdiRestoreDC(>)	7