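Summary (native system call name followed by the number of times it was called; counts ascend down each column):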

NtCallbackReturn(>) 1 NtQuerySystemTime(>) 2 NtQueryInformationFile(>) 7 NtMapViewOfSection(>) 34
NtFsControlFile(>) 1 NtSetValueKey(>) 2 NtQueryInformationToken(>) 7 NtUserRegisterClassExWOW(>) 34
NtGdiCreatePaletteInternal(>) 1 NtCreateSemaphore(>) 3 NtUserSetCursorIconData(>) 7 NtQueryAttributesFile(>) 38
NtGdiInit(>) 1 NtFreeVirtualMemory(>) 3 NtUserSystemParametersInfo(>) 7 NtReleaseMutant(>) 38
NtGdiQueryFontAssocInfo(>) 1 NtGdiHfontCreate(>) 3 NtGdiCreateBitmap(>) 8 NtUserFindExistingCursorIcon(>) 47
NtOpenEvent(>) 1 NtNotifyChangeKey(>) 3 NtCreateFile(>) 9 NtGdiSelectBitmap(>) 57
NtOpenKeyedEvent(>) 1 NtOpenProcessToken(>) 3 NtConnectPort(>) 10 NtContinue(>) 82
NtOpenProcess(>) 1 NtOpenProcessTokenEx(>) 3 NtGdiCreateCompatibleDC(>) 10 NtCreateThread(>) 105
NtOpenSymbolicLinkObject(>) 1 NtOpenThreadTokenEx(>) 3 NtGdiExtGetObjectW(>) 10 NtQueryInformationThread(>) 105
NtQueryObject(>) 1 NtQueryVirtualMemory(>) 3 NtQuerySection(>) 10 NtOpenKey(>) 106
NtQuerySymbolicLinkObject(>) 1 NtSetInformationObject(>) 3 NtUserGetDC(>) 10 NtResumeThread(>) 111
NtSecureConnectPort(>) 1 NtQueryInformationProcess(>) 4 NtFlushInstructionCache(>) 11 NtTestAlert(>) 118
NtSetInformationThread(>) 1 NtQueryVolumeInformationFile(>) 4 NtGdiDeleteObjectApp(>) 14 NtRegisterThreadTerminatePort(>) 121
NtUserCallNoParam(>) 1 NtUserRegisterWindowMessage(>) 4 NtUserSelectPalette(>) 14 NtProtectVirtualMemory(>) 132
NtUserEnumDisplayMonitors(>) 1 NtSetInformationFile(>) 6 NtCreateSection(>) 16 NtCreateEvent(>) 147
NtUserGetKeyboardLayoutList(>) 1 NtUnmapViewOfSection(>) 6 NtDeviceIoControlFile(>) 16 NtRequestWaitReplyPort(>) 151
NtUserGetThreadDesktop(>) 1 NtGdiBitBlt(>) 7 NtOpenFile(>) 16 NtDuplicateObject(>) 152
NtUserSetWindowsHookEx(>) 1 NtGdiCreateDIBitmapInternal(>) 7 NtReadFile(>) 18 NtClose(>) 174
NtAddAtom(>) 2 NtGdiGetDCObject(>) 7 NtUserGetClassInfo(>) 18 NtQueryValueKey(>) 207
NtCreateMutant(>) 2 NtGdiGetDCforBitmap(>) 7 NtCreateKey(>) 19 NtAllocateVirtualMemory(>) 337
NtGdiCreateSolidBrush(>) 2 NtGdiGetStockObject(>) 7 NtUserCallOneParam(>) 19 NtSetEventBoostPriority(>) 1016
NtOpenDirectoryObject(>) 2 NtGdiRestoreDC(>) 7 NtWriteFile(>) 22 NtWaitForSingleObject(>) 1218
NtOpenMutant(>) 2 NtGdiSaveDC(>) 7 NtOpenSection(>) 23
NtQueryDefaultLocale(>) 2 NtGdiSetDIBitsToDeviceInternal(>) 7

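Trace (each entry: sequence number, caller ID, system call with its input arguments, "..." followed by output values, then "==" and the returned status):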

00001 468 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 468 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 468 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 468 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 468 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 468 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 468 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 468 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 468 NtClose (12, ... 
) == 0x0 00014 468 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 468 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 468 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 468 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 468 NtClose (16, ... ) == 0x0 00021 468 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 468 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 468 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18350080}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18350080}, {0, 0, 0}, 200, 44, ) == 0x0 00025 468 NtClose (16, ... ) == 0x0 00026 468 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 468 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 468 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 468 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 468 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" ... {28, 56, reply, 0, 460, 468, 1495, 0} "\340\33\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" ) ... {28, 56, reply, 0, 460, 468, 1495, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" ... {28, 56, reply, 0, 460, 468, 1495, 0} "\340\33\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" ) ) == 0x0 00032 468 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 468 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 468 NtClose (16, ... ) == 0x0 00036 468 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 468 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 468 NtClose (28, ... ) == 0x0 00041 468 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 468 NtClose (28, ... ) == 0x0 00045 468 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 468 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 468 NtClose (28, ... ) == 0x0 00049 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 468 NtClose (28, ... ) == 0x0 00052 468 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" ... 
{28, 56, reply, 0, 460, 468, 1498, 0} "H\322\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" ) ... {28, 56, reply, 0, 460, 468, 1498, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" ... {28, 56, reply, 0, 460, 468, 1498, 0} "H\322\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" ) ) == 0x0 00056 468 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00057 468 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0 00058 468 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00059 468 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 468 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 468 NtClose (28, ... ) == 0x0 00062 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 468 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 468 NtClose (28, ... ) == 0x0 00065 468 NtTestAlert (... ) == 0x0 00066 468 NtContinue (1244464, 1, ... 00067 468 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0 00068 468 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 468 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 468 NtClose (28, ... ) == 0x0 00071 468 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00072 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00073 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00074 468 NtClose (28, ... ) == 0x0 00075 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00076 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00077 468 NtClose (28, ... ) == 0x0 00078 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00079 468 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00080 468 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00081 468 NtClose (28, ... ) == 0x0 00082 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00083 468 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00084 468 NtClose (28, ... ) == 0x0 00085 468 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00086 468 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... 
) == 0x0 00087 468 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00088 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00089 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 32, ) == 0x0 00090 468 NtQueryInformationToken (32, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00091 468 NtClose (32, ... ) == 0x0 00092 468 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 32, ) }, ... 32, ) == 0x0 00093 468 NtSetInformationObject (32, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00094 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 36, ) }, ... 36, ) == 0x0 00095 468 NtQueryValueKey (36, (36, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00096 468 NtClose (36, ... ) == 0x0 00097 468 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00098 468 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00099 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234112, (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 36, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 36, {status=0x0, info=1}, ) == 0x0 00100 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0 00101 468 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} "\0\0\0\0\2\0\1\0d\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 460, 468, 1505, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... 
{20, 48, reply, 0, 460, 468, 1505, 0} (24, {20, 48, new_msg, 0, 3, 2, 11, 1311808} "\0\0\0\0\2\0\1\0d\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 460, 468, 1505, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 00102 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1233836, (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 40, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 40, {status=0x0, info=2}, ) == 0x0 00103 468 NtClose (40, ... ) == 0x0 00104 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234112, (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ... 00105 468 NtClose (-2147482004, ... ) == 0x0 00104 468 NtCreateFile ... 40, {status=0x0, info=3}, ) == 0x0 00106 468 NtSetInformationFile (36, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00107 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\345q\326\0\252+\206\0\254+\211\0W\324\206\0\20+\206\0\250+\206\0\350+\234\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250)\206\0\22;\206\16\267\237\217\315\211\223\207Le\12\26\220\374C\357s\210[\364o\317Y\347m\210F\363s\334\13\344e\210Y\363n\210^\350d\315Y\246W\301E\2652\245!\2427\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0\250+\206\0", ) , ) == 0x0 00108 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under 
Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00109 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\375#\260\34\307\27\313E\307Y\377,\10F\347\10\230(\7\7`\343\340\331\312\353\307\304`hN<\252g\364\334@\332\354D\302K\327\271\2540\372\377\216\351\336}-\204\210D\363\203N\270 z\371\300\316\240\326\1\370\275\355g\311)\306\315\324\24\207\2\26o\253\32+\351\203R]\36\327\21"\362\265e\210\233,K\326C\305,@\211T\305\253\22n\353\366|Z\200\257\254\6\302\177 \361C\204:\244\301\271+\214^\365W\2108\345\272_1\3650\220\318\273^\225\23\231\326\12\4<\15Q\347#\342\2038/\216#d\371\252\210\230\355\375\22\351%g\311Pm\256IL\35\235\37\254\344vfx\32723\256\350g\15\231\251~4vG\304\266\370OvX\226\35T 
l\31\301W`\257N\257\344\5\367PAo\206(\251\367\6\24+\21\254\12\330.\203\34\303\200P\12@{T<\216[(\10\376_\363\310\355\255\223\212u\346j\10n+\341)+\22~\251S\17L\232\352h\277R\262k\321\3448\35\267\15#j\262\324\1\202K\\341>\203-d\17\36\365\350&\324\314\370\270\6\221\5\271h\3341\372\242\370\15V\323uh\240\333\304cr\20\357$\350.\306\4\2332F\370%g\224\220\343\325\16\203\261\225\216\377\256\217\33\230C\223^\21\241\250\11+8m\307\23\5x\360F\266\213\34\240\314X\205\17\201\220\327\343\246^\261\310\255\227\274\324y\12\204S\272\231\2113\342\360|\272\376]\225\5%\261|Na\354\251\360\212p\242\365uP\317HN\266\266i\245\350\321\303\2155\301\235b&Ls\211\11u\366\266\2\252K\306\3:c.\211\352s\2752\214pa\324|x%\17,:4\1D47\22\314cN\324\257\357\334\274\315\202a$\243 \235a.\347\0[\4\333[\17", ) \362\265e\210\233,K\326C\305,@\211T\305\253\22n\353\366|Z\200\257\254\6\302\177 \361C\204:\244\301\271+\214^\365W\2108\345\272_1\3650\220\318\273^\225\23\231\326\12\4<\15Q\347#\342\2038/\216#d\371\252\210\230\355\375\22\351%g\311Pm\256IL\35\235\37\254\344vfx\32723\256\350g\15\231\251~4vG\304\266\370OvX\226\35T l\31\301W`\257N\257\344\5\367PAo\206(\251\367\6\24+\21\254\12\330.\203\34\303\200P\12@{T<\216[(\10\376_\363\310\355\255\223\212u\346j\10n+\341)+\22~\251S\17L\232\352h\277R\262k\321\3448\35\267\15#j\262\324\1\202K\\341>\203-d\17\36\365\350&\324\314\370\270\6\221\5\271h\3341\372\242\370\15V\323uh\240\333\304cr\20\357$\350.\306\4\2332F\370%g\224\220\343\325\16\203\261\225\216\377\256\217\33\230C\223^\21\241\250\11+8m\307\23\5x\360F\266\213\34\240\314X\205\17\201\220\327\343\246^\261\310\255\227\274\324y\12\204S\272\231\2113\342\360|\272\376]\225\5%\261|Na\354\251\360\212p\242\365uP\317HN\266\266i\245\350\321\303\2155\301\235b&Ls\211\11u\366\266\2\252K\306\3:c.\211\352s\2752\214pa\324|x%\17,:4\1D47\22\314cN\324\257\357\334\274\315\202a$\243 \235a.\347\0[\4\333[\17", ) == 0x0 00110 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, 
"U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00111 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\177\351\215X\209\223w\231!\212H{fE\30\342\275\312\340\375\2164H\250\200\24\345\30\2561}\260o\306\221M\273\343Z\314w\336Y\246p\34\0\372`\345T\370O\277d\263I\2226\314K\27\3458N\354!\304C\327\226\353\275\364\14\334[\252\35aKMz\324\36\376@\202\252\36C\270W\234\301\327\256\22\2353K\341\20\6[=\363\221\200\320%\272\243\2129\203\257\226\274\257\240\092j\12\14 D\306\323W\334\254\276\200\241\301\10\222\373\3629^m=3\2bS\2560\367\321\4QG\303]\37/\3004[m\231\306\36i\222\270\6\307\222\5\244e\203>\254\274\314V\230]$\310B\255\273\366\255 \6K\350sE\13:\254\323?\243[Ek\7\6m\221\24\317N\257\234\343\207\367\251\5~\27Lm\347l\333\254\350\31L\250\325T\332^\343\1\206(\16\4\307\336\267\322"{\220D\270)\261\304-U\15w\223\32O\212\340h\302\10T\324\304\267\367+\216\215\335$\15|\240,\267\300"%\275JT^1~\11p\10\\242\331\232\16^\350Y\237\341^do\363\200w\371\277k\242\16\251\22~~u\216\341\5\205\357\275\200\220\14\211M\254p}\302\332\317\3\257\307\2349\202\334\204\17\321\241J\215\212\357\241\254\201Xyh\356I\324Y\177s\241\336c<\241\330\12-p\325o\304W\230\13\2763\11\36\245\22r\355\245\325\336\32(\314Y9c\3271\0\347:\236\33\335\307k\355\236)7 ?\300N?(\316Y:\36\353k\355\262\300d\35"G\234\221\3043\304\305:\324D\11P\314\315uX\244%:#\245\4(\24\203\266\365\210\201\203yd\207\267\247\331y\255\2\234\314\20\322,x\261\332 \361\15\247\224O\3\342\367,\5\224\354y\321&\361yBM\245\277\1", ) {\220D\270)\261\304-U\15w\223\32O\212\340h\302\10T\324\304\267\367+\216\215\335$\15|\240,\267\300 (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\177\351\215X\209\223w\231!\212H{fE\30\342\275\312\340\375\2164H\250\200\24\345\30\2561}\260o\306\221M\273\343Z\314w\336Y\246p\34\0\372`\345T\370O\277d\263I\2226\314K\27\3458N\354!\304C\327\226\353\275\364\14\334[\252\35aKMz\324\36\376@\202\252\36C\270W\234\301\327\256\22\2353K\341\20\6[=\363\221\200\320%\272\243\2129\203\257\226\274\257\240\092j\12\14 D\306\323W\334\254\276\200\241\301\10\222\373\3629^m=3\2bS\2560\367\321\4QG\303]\37/\3004[m\231\306\36i\222\270\6\307\222\5\244e\203>\254\274\314V\230]$\310B\255\273\366\255 \6K\350sE\13:\254\323?\243[Ek\7\6m\221\24\317N\257\234\343\207\367\251\5~\27Lm\347l\333\254\350\31L\250\325T\332^\343\1\206(\16\4\307\336\267\322"{\220D\270)\261\304-U\15w\223\32O\212\340h\302\10T\324\304\267\367+\216\215\335$\15|\240,\267\300"%\275JT^1~\11p\10\\242\331\232\16^\350Y\237\341^do\363\200w\371\277k\242\16\251\22~~u\216\341\5\205\357\275\200\220\14\211M\254p}\302\332\317\3\257\307\2349\202\334\204\17\321\241J\215\212\357\241\254\201Xyh\356I\324Y\177s\241\336c<\241\330\12-p\325o\304W\230\13\2763\11\36\245\22r\355\245\325\336\32(\314Y9c\3271\0\347:\236\33\335\307k\355\236)7 ?\300N?(\316Y:\36\353k\355\262\300d\35"G\234\221\3043\304\305:\324D\11P\314\315uX\244%:#\245\4(\24\203\266\365\210\201\203yd\207\267\247\331y\255\2\234\314\20\322,x\261\332 \361\15\247\224O\3\342\367,\5\224\354y\321&\361yBM\245\277\1", ) G\234\221\3043\304\305:\324D\11P\314\315uX\244%:#\245\4(\24\203\266\365\210\201\203yd\207\267\247\331y\255\2\234\314\20\322,x\261\332 \361\15\247\224O\3\342\367,\5\224\354y\321&\361yBM\245\277\1", ) == 0x0 00112 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, 
"\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00113 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ">\300{\265(\374*f\373\242\3\6\276\253\14\265\337\355\3\227\327%\361\21\316\2242\22\375'\343\211\241\213\337\6\33\354\347\35\230\227\232\210\34P\31\240"\246\23>\242+2\274\317\5\301\263\331\1F0\261r\354\251\354\204\316,\211\331\271!\274\262t\240q\202\3105\257\20\244\203\365wt\313p\325\364\375y\242\361\375#\324"\357\253@5 \247\303\13\340\251-\200\6\241\212&\201\253\267\254\225\317m\12\265 \361\266^\255{\13\347\241\323\373\277z\303v\235MGi\230\252b1ow\360\214\215S\252\2\242k\4\32, ~B\17=\6{\235\235\226\31f\265\366\353\257\17R\350\233\253\20t+i\241!\300r\306{;)\13\5\274\315E\377\205\6jN\316\212\21\360\316\214\246\364\275\255&\266|!r\364x\341\226\240\212{6\326\205\362\201CTf\351\0\223{\272/\204\12\245\207\270\\2728\263YN\310\224\23\2728\201\12\240\205\17\314\311\210\257\360\275w\363%\22\341\251'&\346i\266\206\233\240Q\200\243\263)\250,m\354\320\272\2\32\220z^\351\226\360\371\246\24`+=\222\310Lw\24\246\10\230\311XX\300\232\30\364\213-a`\230\226\35\233\342\322\17?\241\235\0/\307\236\1j[_\22\12%E^\227*t\204\363\254\255\271\375\325r\15\35\335\202\322\325\335\303\376\337}^\353\202:\252\332\252mz\26vV\265:\224V\215`<2\314\33\246\261\356O9o\333\25\240\17\244\16\2517\307\340\310\274\344\364\353\241\224\20\q \266\256"\351\21P\333*\0\260\313\202U\206"\257*\241/!\26\240{\352\253\24\337\225\4c\243\241\247\352-\254H@\263u9qe3j]-v\354F@\324\321{k~\234j)\262\0\373\\370\350\327[\355\330\4;\231\322P~\3338", ) \246\23>\242+2\274\317\5\301\263\331\1F0\261r\354\251\354\204\316,\211\331\271!\274\262t\240q\202\3105\257\20\244\203\365wt\313p\325\364\375y\242\361\375#\324 (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ">\300{\265(\374*f\373\242\3\6\276\253\14\265\337\355\3\227\327%\361\21\316\2242\22\375'\343\211\241\213\337\6\33\354\347\35\230\227\232\210\34P\31\240"\246\23>\242+2\274\317\5\301\263\331\1F0\261r\354\251\354\204\316,\211\331\271!\274\262t\240q\202\3105\257\20\244\203\365wt\313p\325\364\375y\242\361\375#\324"\357\253@5 \247\303\13\340\251-\200\6\241\212&\201\253\267\254\225\317m\12\265 \361\266^\255{\13\347\241\323\373\277z\303v\235MGi\230\252b1ow\360\214\215S\252\2\242k\4\32, ~B\17=\6{\235\235\226\31f\265\366\353\257\17R\350\233\253\20t+i\241!\300r\306{;)\13\5\274\315E\377\205\6jN\316\212\21\360\316\214\246\364\275\255&\266|!r\364x\341\226\240\212{6\326\205\362\201CTf\351\0\223{\272/\204\12\245\207\270\\2728\263YN\310\224\23\2728\201\12\240\205\17\314\311\210\257\360\275w\363%\22\341\251'&\346i\266\206\233\240Q\200\243\263)\250,m\354\320\272\2\32\220z^\351\226\360\371\246\24`+=\222\310Lw\24\246\10\230\311XX\300\232\30\364\213-a`\230\226\35\233\342\322\17?\241\235\0/\307\236\1j[_\22\12%E^\227*t\204\363\254\255\271\375\325r\15\35\335\202\322\325\335\303\376\337}^\353\202:\252\332\252mz\26vV\265:\224V\215`<2\314\33\246\261\356O9o\333\25\240\17\244\16\2517\307\340\310\274\344\364\353\241\224\20\q \266\256"\351\21P\333*\0\260\313\202U\206"\257*\241/!\26\240{\352\253\24\337\225\4c\243\241\247\352-\254H@\263u9qe3j]-v\354F@\324\321{k~\234j)\262\0\373\\370\350\327[\355\330\4;\231\322P~\3338", ) \351\21P\333*\0\260\313\202U\206 (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ">\300{\265(\374*f\373\242\3\6\276\253\14\265\337\355\3\227\327%\361\21\316\2242\22\375'\343\211\241\213\337\6\33\354\347\35\230\227\232\210\34P\31\240"\246\23>\242+2\274\317\5\301\263\331\1F0\261r\354\251\354\204\316,\211\331\271!\274\262t\240q\202\3105\257\20\244\203\365wt\313p\325\364\375y\242\361\375#\324"\357\253@5 \247\303\13\340\251-\200\6\241\212&\201\253\267\254\225\317m\12\265 \361\266^\255{\13\347\241\323\373\277z\303v\235MGi\230\252b1ow\360\214\215S\252\2\242k\4\32, ~B\17=\6{\235\235\226\31f\265\366\353\257\17R\350\233\253\20t+i\241!\300r\306{;)\13\5\274\315E\377\205\6jN\316\212\21\360\316\214\246\364\275\255&\266|!r\364x\341\226\240\212{6\326\205\362\201CTf\351\0\223{\272/\204\12\245\207\270\\2728\263YN\310\224\23\2728\201\12\240\205\17\314\311\210\257\360\275w\363%\22\341\251'&\346i\266\206\233\240Q\200\243\263)\250,m\354\320\272\2\32\220z^\351\226\360\371\246\24`+=\222\310Lw\24\246\10\230\311XX\300\232\30\364\213-a`\230\226\35\233\342\322\17?\241\235\0/\307\236\1j[_\22\12%E^\227*t\204\363\254\255\271\375\325r\15\35\335\202\322\325\335\303\376\337}^\353\202:\252\332\252mz\26vV\265:\224V\215`<2\314\33\246\261\356O9o\333\25\240\17\244\16\2517\307\340\310\274\344\364\353\241\224\20\q \266\256"\351\21P\333*\0\260\313\202U\206"\257*\241/!\26\240{\352\253\24\337\225\4c\243\241\247\352-\254H@\263u9qe3j]-v\354F@\324\321{k~\234j)\262\0\373\\370\350\327[\355\330\4;\231\322P~\3338", ) , ) == 0x0 00114 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, 
"\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (40, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 
\364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00115 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\267DD#\211;F\11\20\7T\345\314$/y\316\351\7\307\350I\235\341\266\11\4|\251#\4.\360=\223&\213\200n{\351\231E\270\246'>%\351\227W\273!s\240w~\246\366\30\277\2237\263o!\17\34a9\373\314\356\221\215 \240}\35\301>\203\\233\305&`{$+hYrA\232\334t\3\201\361\335\376+\210\252/A]\250\225\247\264N\303\227x\222M\231a\30\343\346\315\6z\252\375\271\254\262\2+\323\315\326\274\276\322\235]\243_\3344\321\307\246 \204C\215\3\348C*i\305\12\10\350\5\30\342\360YDF\213P\206vj\271\337g\376\353\225\232<\370\270_\217Ft3\350\303\240\215\241\25t5\216D\327\263k\242\313\133\347hk?\14\233jS\222\324*8v \12\10\34\345\366\302\261\342\317q\377x\275\370\33t\222\237\335b";\355\253\363>\314F^C\374]\262J\374\350\16=\250!l\4\30\21\246m\222B=\303\316\342\356*\2362S\241X\244\256\30\235\233-\366\232\363\342$6B\213X\237\351\241h$\30]\265\263\253j0\237\342r\246\261 \165\2\214\260\31\236\5\367\265\240=\226\214B<\17\342\204\346[q\300\2036$\354\236\317\4\250>\16\367\242u\326\345\220\260\352\362\272[\303\344\370\223\237F2\247\215\254-K\17\24~\253\2\35\302o\262=\256K\245Fs\246 H\6\224\12\2\356\225m 
\300I\21\213$*\207X\20\251#I\244ra\362\272\313\345\2z\273bi\244Ef\14Z.\203\333\2511f\262\247\254\33\330\242\243\275t\232\3258j\242\262f\340\372\207\275\205\25\ \21\24\126\177\30\342\20\30\244\275\325|\376\211\307\357(\232\316i\2731\221\217\377\371\335\370\301\26\220\311\232\363\24\215\276\347\257\343\243a\316\7", ) ;\355\253\363>\314F^C\374]\262J\374\350\16=\250!l\4\30\21\246m\222B=\303\316\342\356*\2362S\241X\244\256\30\235\233-\366\232\363\342$6B\213X\237\351\241h$\30]\265\263\253j0\237\342r\246\261 \165\2\214\260\31\236\5\367\265\240=\226\214B<\17\342\204\346[q\300\2036$\354\236\317\4\250>\16\367\242u\326\345\220\260\352\362\272[\303\344\370\223\237F2\247\215\254-K\17\24~\253\2\35\302o\262=\256K\245Fs\246 H\6\224\12\2\356\225m \300I\21\213$*\207X\20\251#I\244ra\362\272\313\345\2z\273bi\244Ef\14Z.\203\333\2511f\262\247\254\33\330\242\243\275t\232\3258j\242\262f\340\372\207\275\205\25\ \21\24\126\177\30\342\20\30\244\275\325|\376\211\307\357(\232\316i\2731\221\217\377\371\335\370\301\26\220\311\232\363\24\215\276\347\257\343\243a\316\7", ) == 0x0 00116 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: 
m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) == 0x0 00117 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\232\265\326\20o\13\306\12\32c\272\350v \320\34\240\6\243\14\234\371\207\324c\14r\377(v?A\212\245\35\275wc\215\250w\15t+ou\324 \264\340x\342\352\236VR45\15\3738Dm\22\363<\210\332\316\324\220-\254L;KG\20mJ\303\261\255U\334s\261W\236\13\341\22\253\17\243\21[\37\247%\7\277\6\341\355\373\333N2\244\343\377L\14\377\336\272Y\10\252-:\362%\236\343\347\267Jl\0\312FIv\330\342-\352\25\253\0\326j.kku\366\234\34[\275\357\242\1-\262O\3252\215?t\253\336L\21\205e\351\11\33\215\357\237p\317\312\223\221G\343\206\341C\235\3g+\326\13\313;\246k\2715\30\212\16\13n\13\323t\234\3\342v\7x\274\357\334\357\206\23\370\23\375\15''\344\235\355'\337O\322\317\372-\226S\364O\315c#6\177J\220\0\352\260\177\272\234\304\243%T \375\36\352\24\2474(\32\274U^;\373\17.\345n\212$]\255\274\305\30&\357k\200]g*#x\242\244\306\353,\3\373c\30o\1y\357\254e\250j\2\12\376\217\355\337\326\324\225\211\254\355\306,\250(\243@\305\37\204\324;\7\340\2105C\342\242\254\372\375~\210\313\227\360\327\27a:\362\203\374\237^n\362\371\244\360\313\21\2631J-\234\373\370\4\307\300\252\215\354\320\200\205zV\204\300\203/\225\353c}$j\3756\230\14\334%\202\217\21f\253\27\270\0D\263\235\\361\4\326-^\344`\0L\15\236I\252>#$\333\20\33462\2058j<\0q\223\63\361\304D\342V|\307\36\234\256\353\200s\20\357t\261\333\212P\265\31\217'f\23O;\230\253\332\310\250\237\266\366\211\213\3650\33$\16\4\24\6\12\204\237x\276\27!{\276\221)\201\27&\32(\222\275", ) , ) == 0x0 00118 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 
g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (40, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00119 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\252\330^H\335\201,\277`j\244\210u\250\13\327\373t6\337\277\353Nd\272r\256`\376.2a\2639;\377\276\373e'\20q\277\212\344*y\200A!\10\375rq>\4\253\264\314\215\216O\262?\257\336\13I\350a\363\336\367Y-\14tD\204\25\330'tLK"\374\4oU'\4\2\210td\251\16\361\2\213\327D2\212i=\31\356\316\3105ZhHW\2409\362h"\310\16N\222N\357\325\5\323\325=\222\240\271\355p\11\\370\\235\277\325\264\235PY\335\372\233;\204\11\25\335 \313\376\0X\201\324*\245xr-:\104\215\325\323#v\302\252\0\334\350\16\0\322"\212\254K\254x \210\211\227\3J\366X\201\262\312\365\36B\265I\223\251\210\205}\334_\350\243\346\35\242]\304U\324\16|\334>"\267v\316\354\240\311\304n\243\231\207\12B\342\210I\237\35E\3\252\243O\26X5>6\364\373\2770\324\337\260\213\24\20\31\220"2\325\32\354f{\372\14\337\25\307'9\224D\272f\245<(x\222C\251\221\26j8L\25&!\370\307"\3268sC\240K\212t\263\6y\257\254\251\351\272\272\252\305\4"{\301\351\341\5E\35CZ\211\270P\254\272\3448\323~C\254\323N\0\332\16~\370\315\353eMPY?k\214.\3\344\216\2735<\337'\14\343^\223B\224\310kGps\240G \324kB\30L\15W7\214\22-\362\260\260\14S\357\254\210\16\250\217\212\353\221\331\223H\255\230\204(\240\250\324\362\255)\241\350\264\241\331R\351\233?h\334]N\246*\352\16m8\222\356\214n\1\307\24\340\370\25TX\356n0\303)\206\311\273\342\241\357\252\3\211a\256;;o\250d\336a\371\372\344H\270\14-\360\230\277\342\24\224+\300`k\3\316`\2173\267\30", ) \374\4oU'\4\2\210td\251\16\361\2\213\327D2\212i=\31\356\316\3105ZhHW\2409\362h (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\252\330^H\335\201,\277`j\244\210u\250\13\327\373t6\337\277\353Nd\272r\256`\376.2a\2639;\377\276\373e'\20q\277\212\344*y\200A!\10\375rq>\4\253\264\314\215\216O\262?\257\336\13I\350a\363\336\367Y-\14tD\204\25\330'tLK"\374\4oU'\4\2\210td\251\16\361\2\213\327D2\212i=\31\356\316\3105ZhHW\2409\362h"\310\16N\222N\357\325\5\323\325=\222\240\271\355p\11\\370\\235\277\325\264\235PY\335\372\233;\204\11\25\335 \313\376\0X\201\324*\245xr-:\104\215\325\323#v\302\252\0\334\350\16\0\322"\212\254K\254x \210\211\227\3J\366X\201\262\312\365\36B\265I\223\251\210\205}\334_\350\243\346\35\242]\304U\324\16|\334>"\267v\316\354\240\311\304n\243\231\207\12B\342\210I\237\35E\3\252\243O\26X5>6\364\373\2770\324\337\260\213\24\20\31\220"2\325\32\354f{\372\14\337\25\307'9\224D\272f\245<(x\222C\251\221\26j8L\25&!\370\307"\3268sC\240K\212t\263\6y\257\254\251\351\272\272\252\305\4"{\301\351\341\5E\35CZ\211\270P\254\272\3448\323~C\254\323N\0\332\16~\370\315\353eMPY?k\214.\3\344\216\2735<\337'\14\343^\223B\224\310kGps\240G \324kB\30L\15W7\214\22-\362\260\260\14S\357\254\210\16\250\217\212\353\221\331\223H\255\230\204(\240\250\324\362\255)\241\350\264\241\331R\351\233?h\334]N\246*\352\16m8\222\356\214n\1\307\24\340\370\25TX\356n0\303)\206\311\273\342\241\357\252\3\211a\256;;o\250d\336a\371\372\344H\270\14-\360\230\277\342\24\224+\300`k\3\316`\2173\267\30", ) \212\254K\254x \210\211\227\3J\366X\201\262\312\365\36B\265I\223\251\210\205}\334_\350\243\346\35\242]\304U\324\16|\334> (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\252\330^H\335\201,\277`j\244\210u\250\13\327\373t6\337\277\353Nd\272r\256`\376.2a\2639;\377\276\373e'\20q\277\212\344*y\200A!\10\375rq>\4\253\264\314\215\216O\262?\257\336\13I\350a\363\336\367Y-\14tD\204\25\330'tLK"\374\4oU'\4\2\210td\251\16\361\2\213\327D2\212i=\31\356\316\3105ZhHW\2409\362h"\310\16N\222N\357\325\5\323\325=\222\240\271\355p\11\\370\\235\277\325\264\235PY\335\372\233;\204\11\25\335 \313\376\0X\201\324*\245xr-:\104\215\325\323#v\302\252\0\334\350\16\0\322"\212\254K\254x \210\211\227\3J\366X\201\262\312\365\36B\265I\223\251\210\205}\334_\350\243\346\35\242]\304U\324\16|\334>"\267v\316\354\240\311\304n\243\231\207\12B\342\210I\237\35E\3\252\243O\26X5>6\364\373\2770\324\337\260\213\24\20\31\220"2\325\32\354f{\372\14\337\25\307'9\224D\272f\245<(x\222C\251\221\26j8L\25&!\370\307"\3268sC\240K\212t\263\6y\257\254\251\351\272\272\252\305\4"{\301\351\341\5E\35CZ\211\270P\254\272\3448\323~C\254\323N\0\332\16~\370\315\353eMPY?k\214.\3\344\216\2735<\337'\14\343^\223B\224\310kGps\240G \324kB\30L\15W7\214\22-\362\260\260\14S\357\254\210\16\250\217\212\353\221\331\223H\255\230\204(\240\250\324\362\255)\241\350\264\241\331R\351\233?h\334]N\246*\352\16m8\222\356\214n\1\307\24\340\370\25TX\356n0\303)\206\311\273\342\241\357\252\3\211a\256;;o\250d\336a\371\372\344H\270\14-\360\230\277\342\24\224+\300`k\3\316`\2173\267\30", ) 2\325\32\354f{\372\14\337\25\307'9\224D\272f\245<(x\222C\251\221\26j8L\25&!\370\307 (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\252\330^H\335\201,\277`j\244\210u\250\13\327\373t6\337\277\353Nd\272r\256`\376.2a\2639;\377\276\373e'\20q\277\212\344*y\200A!\10\375rq>\4\253\264\314\215\216O\262?\257\336\13I\350a\363\336\367Y-\14tD\204\25\330'tLK"\374\4oU'\4\2\210td\251\16\361\2\213\327D2\212i=\31\356\316\3105ZhHW\2409\362h"\310\16N\222N\357\325\5\323\325=\222\240\271\355p\11\\370\\235\277\325\264\235PY\335\372\233;\204\11\25\335 \313\376\0X\201\324*\245xr-:\104\215\325\323#v\302\252\0\334\350\16\0\322"\212\254K\254x \210\211\227\3J\366X\201\262\312\365\36B\265I\223\251\210\205}\334_\350\243\346\35\242]\304U\324\16|\334>"\267v\316\354\240\311\304n\243\231\207\12B\342\210I\237\35E\3\252\243O\26X5>6\364\373\2770\324\337\260\213\24\20\31\220"2\325\32\354f{\372\14\337\25\307'9\224D\272f\245<(x\222C\251\221\26j8L\25&!\370\307"\3268sC\240K\212t\263\6y\257\254\251\351\272\272\252\305\4"{\301\351\341\5E\35CZ\211\270P\254\272\3448\323~C\254\323N\0\332\16~\370\315\353eMPY?k\214.\3\344\216\2735<\337'\14\343^\223B\224\310kGps\240G \324kB\30L\15W7\214\22-\362\260\260\14S\357\254\210\16\250\217\212\353\221\331\223H\255\230\204(\240\250\324\362\255)\241\350\264\241\331R\351\233?h\334]N\246*\352\16m8\222\356\214n\1\307\24\340\370\25TX\356n0\303)\206\311\273\342\241\357\252\3\211a\256;;o\250d\336a\371\372\344H\270\14-\360\230\277\342\24\224+\300`k\3\316`\2173\267\30", ) {\301\351\341\5E\35CZ\211\270P\254\272\3448\323~C\254\323N\0\332\16~\370\315\353eMPY?k\214.\3\344\216\2735<\337'\14\343^\223B\224\310kGps\240G \324kB\30L\15W7\214\22-\362\260\260\14S\357\254\210\16\250\217\212\353\221\331\223H\255\230\204(\240\250\324\362\255)\241\350\264\241\331R\351\233?h\334]N\246*\352\16m8\222\356\214n\1\307\24\340\370\25TX\356n0\303)\206\311\273\342\241\357\252\3\211a\256;;o\250d\336a\371\372\344H\270\14-\360\230\277\342\24\224+\300`k\3\316`\2173\267\30", ) == 0x0 00120 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, 
"\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376 \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376 
\242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376 \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (40, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376 \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00121 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\320K\250\230\343e\351\374\277\331\251{\3438\316S\330G\357t\376\207g,\211t\313\4\301{\177b\327r\1S\371g\321a\200H\202\205(\256\203\323\34\14\204\366\270f\206\227\254,\262 \311\220J\327\363#\261\260\363\334\35\0\237I\255z\2538\265\25\32\17\261\123f6\17\253\4\245\340\250|\15\326\341?\272\0\300T\316S\341o\207\340\245S_\220*\311k\353\270\12MI\22\323\336\305\251\311\345\262\233#\37\260\232W\305\214\274\351\330}%x\207\271\251h\307\202"8\244|\335+\275\200\261\251\310`r>\16\267\253\313\216*\255\212\217\12\220.\277\327\2\33\4\216\336D\211\271\205N\271\242\12\237\273\215\276\242/(\270\227\233 ;*\22<\35*BuW\253\222\6\275\26\6X\270\314\277\242\375\25\204\201\264+\341\307\212\213\201\25J%\256ha\230*\221\247z\215\5h8\374r\3070$\362\\20\376\4\204\324\205\24\223}\216I\3748\14|c,\232\325\4I3\252\254\377\12\325\2551\362\3648\4.\11\327\320~\207\302"\327-\260\241\16;\0(\21\200^\326\3378C\268\16l\275 \250\357m&\0\272\231*\300>s\205\254\273\206|\355\\254\12\302)1\252\37\206$Gt\325\363Goq\207\3\252I\342\236\204\3404l\255'\212\20\270?4,c\231\222\30\260\13\246\313\32\7M$\214\3\256,\204?\35\0\312\374w\202\370j\12\355\374+-S\247\336\16f\371\224\315\242\213q\204\213y(l\11|\210#v\310\307\212\3", ) 8\244|\335+\275\200\261\251\310`r>\16\267\253\313\216*\255\212\217\12\220.\277\327\2\33\4\216\336D\211\271\205N\271\242\12\237\273\215\276\242/(\270\227\233 ;*\22<\35*BuW\253\222\6\275\26\6X\270\314\277\242\375\25\204\201\264+\341\307\212\213\201\25J%\256ha\230*\221\247z\215\5h8\374r\3070$\362\\20\376\4\204\324\205\24\223}\216I\3748\14|c,\232\325\4I3\252\254\377\12\325\2551\362\3648\4.\11\327\320~\207\302 (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\320K\250\230\343e\351\374\277\331\251{\3438\316S\330G\357t\376\207g,\211t\313\4\301{\177b\327r\1S\371g\321a\200H\202\205(\256\203\323\34\14\204\366\270f\206\227\254,\262 \311\220J\327\363#\261\260\363\334\35\0\237I\255z\2538\265\25\32\17\261\123f6\17\253\4\245\340\250|\15\326\341?\272\0\300T\316S\341o\207\340\245S_\220*\311k\353\270\12MI\22\323\336\305\251\311\345\262\233#\37\260\232W\305\214\274\351\330}%x\207\271\251h\307\202"8\244|\335+\275\200\261\251\310`r>\16\267\253\313\216*\255\212\217\12\220.\277\327\2\33\4\216\336D\211\271\205N\271\242\12\237\273\215\276\242/(\270\227\233 ;*\22<\35*BuW\253\222\6\275\26\6X\270\314\277\242\375\25\204\201\264+\341\307\212\213\201\25J%\256ha\230*\221\247z\215\5h8\374r\3070$\362\\20\376\4\204\324\205\24\223}\216I\3748\14|c,\232\325\4I3\252\254\377\12\325\2551\362\3648\4.\11\327\320~\207\302"\327-\260\241\16;\0(\21\200^\326\3378C\268\16l\275 \250\357m&\0\272\231*\300>s\205\254\273\206|\355\\254\12\302)1\252\37\206$Gt\325\363Goq\207\3\252I\342\236\204\3404l\255'\212\20\270?4,c\231\222\30\260\13\246\313\32\7M$\214\3\256,\204?\35\0\312\374w\202\370j\12\355\374+-S\247\336\16f\371\224\315\242\213q\204\213y(l\11|\210#v\310\307\212\3", ) ^\326\3378C\268\16l\275 \250\357m&\0\272\231*\300>s\205\254\273\206|\355\\254\12\302)1\252\37\206$Gt\325\363Goq\207\3\252I\342\236\204\3404l\255'\212\20\270?4,c\231\222\30\260\13\246\313\32\7M$\214\3\256,\204?\35\0\312\374w\202\370j\12\355\374+-S\247\336\16f\371\224\315\242\213q\204\213y(l\11|\210#v\310\307\212\3", ) == 0x0 00122 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 
a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30 \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30 \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (40, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30 \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30 \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00123 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\275\314Io-\11\2271s\300\206\314\264\177\225\32\307]\347'{\6"P\264\203v\354\207Q\322\36gs\337>\335\365\224\234J"\352\1\254\224\312 \36\177\212\360\231,|\17\342g,~\2100\35l\361SoP\3437\210\212w\341\317\25T\267\274P\371XQ\16\271*\204\216'b\223\4\13\10\376\203\275+!\3224\3\2050\213H\215|\264\255\2118f,\226\213\355\333\6\0\204\265\3556\270VRH\326\356\233 \375\333\\259\31\344\1777\2421\311\246\255\364oY'\322\30\205\254{\261*\327E\272y\13H\371\7\177\332p \275\203\375(\375.\357\310\361\24>#\236`wLS#\241S\14\206o\364W4\304\374^\22W\370\314\333\360(\215\372\200n|\232\114)\300\211]4\3\240 \216$\206g\376\24\3371\237\177ns\212\11k\306q\336\16\203\2\po)5\371\7\35\220Z>\2365,\5T\251\22\235H?,\0\232E\325:\304PEm\361u],\275\271\26)\304\242\241\201\6\200\24\177i\2\251C\221\13\201qw=P\3664\375"z\0\246/\276\36\14", ) P\264\203v\354\207Q\322\36gs\337>\335\365\224\234J (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\275\314Io-\11\2271s\300\206\314\264\177\225\32\307]\347'{\6"P\264\203v\354\207Q\322\36gs\337>\335\365\224\234J"\352\1\254\224\312 \36\177\212\360\231,|\17\342g,~\2100\35l\361SoP\3437\210\212w\341\317\25T\267\274P\371XQ\16\271*\204\216'b\223\4\13\10\376\203\275+!\3224\3\2050\213H\215|\264\255\2118f,\226\213\355\333\6\0\204\265\3556\270VRH\326\356\233 \375\333\\259\31\344\1777\2421\311\246\255\364oY'\322\30\205\254{\261*\327E\272y\13H\371\7\177\332p \275\203\375(\375.\357\310\361\24>#\236`wLS#\241S\14\206o\364W4\304\374^\22W\370\314\333\360(\215\372\200n|\232\114)\300\211]4\3\240 \216$\206g\376\24\3371\237\177ns\212\11k\306q\336\16\203\2\po)5\371\7\35\220Z>\2365,\5T\251\22\235H?,\0\232E\325:\304PEm\361u],\275\271\26)\304\242\241\201\6\200\24\177i\2\251C\221\13\201qw=P\3664\375"z\0\246/\276\36\14", ) \344\1777\2421\311\246\255\364oY'\322\30\205\254{\261*\327E\272y\13H\371\7\177\332p \275\203\375(\375.\357\310\361\24>#\236`wLS#\241S\14\206o\364W4\304\374^\22W\370\314\333\360(\215\372\200n|\232\114)\300\211]4\3\240 
\216$\206g\376\24\3371\237\177ns\212\11k\306q\336\16\203\2\po)5\371\7\35\220Z>\2365,\5T\251\22\235H?,\0\232E\325:\304PEm\361u],\275\271\26)\304\242\241\201\6\200\24\177i\2\251C\221\13\201qw=P\3664\375 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\275\314Io-\11\2271s\300\206\314\264\177\225\32\307]\347'{\6"P\264\203v\354\207Q\322\36gs\337>\335\365\224\234J"\352\1\254\224\312 \36\177\212\360\231,|\17\342g,~\2100\35l\361SoP\3437\210\212w\341\317\25T\267\274P\371XQ\16\271*\204\216'b\223\4\13\10\376\203\275+!\3224\3\2050\213H\215|\264\255\2118f,\226\213\355\333\6\0\204\265\3556\270VRH\326\356\233 \375\333\\259\31\344\1777\2421\311\246\255\364oY'\322\30\205\254{\261*\327E\272y\13H\371\7\177\332p \275\203\375(\375.\357\310\361\24>#\236`wLS#\241S\14\206o\364W4\304\374^\22W\370\314\333\360(\215\372\200n|\232\114)\300\211]4\3\240 \216$\206g\376\24\3371\237\177ns\212\11k\306q\336\16\203\2\po)5\371\7\35\220Z>\2365,\5T\251\22\235H?,\0\232E\325:\304PEm\361u],\275\271\26)\304\242\241\201\6\200\24\177i\2\251C\221\13\201qw=P\3664\375"z\0\246/\276\36\14", ) , ) == 0x0 00124 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364 
\200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364 \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) == 0x0 00125 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\251\212yN\14\376\216\22\3676\342\262t\257\255q\203j\237\367 \34\2034\12\246\4:'e4C\306G\337\205\326\13\265\31\215a\252\13\3-\6\11k8&\217*\204\20\370E\347\315lX\3116 \254\216\370C-\274\7\23\336\326\201\305(g\367\222)\35\315\374Z\363\32\301\231\24\254\372q\232\254\351\254Q/<\7\366x)\366\221\367\3726\250\14\32o2\254\344-\265\204\31A\317\23`\345\335\251v\203\240\330F\243\305\20^\23wE\330\256I\300\300\322\14\276\36*\254 ! \232F\253\223{\11\337kAF\3545f?4\267smF\30\246&\240.\336s\244Q\15\300\240\23\236*Ju\342V35W\352j\25\305\270\265KmF\206\347\223\32\2323\212\320\204\253\312\204\211\224\353\2D\253\312\37\351W*\360\263 \315 \212i\36\33\334\7\35[\220F& f.\222\24HnB\262\2603\365K\217\340P\257\244'\212\30\252?\345\7C\275\275u\242#\13_\274\314\220\212%^+\211\317\327\301\327\357\201p\276\310\34\342\353\277\341\225\30\2663\4\2205_\212\301X\257\34\20\275bjO\350\223\20\252\7>\15D\260\241\334\31\360\206\363\346\363\34N\213\351'\210\33\242W]Y\333\234\304\2\3423\225\10\10{1Q\32\7]\22\303\12\222\14\2603\373\266pY\212\30\205\220\316P\240o\252ad&\6[_~K\22\213q\315\270\321\21h\12\262i1\232jT\254[\223\235\205~\341\327\203\370\203I\224|\322\313w\261\277\11r\307\2509\215\222X\363\246\237\305Z\267\316\352)\3639\250jJ\326\1\177\255\204\233(-1\30\313\10\341\250zAZ\351\27~\200\25\337\346\366\202\245\306 \232$\11\370W?s\222\246\353B\3\3323\275\306hG\21m\261\365\2568\245\373ON", ) , ) == 0x0 00126 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* 
\211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (40, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 
&\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00127 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\302/t\30\326\305\5\332\351\213R| $5\237fI\343\204@\313E{#'\303\332\302\263M0.\372\277\35\271\274fD\273\244J](\374\342D\200\274\370"\10P\363\15\332*\370\34\376\265\317\217\16\206~\226\275\6\1f\365\347B\353\3301\37\14\270"\215\25d.28\267\352\342\333\346\363\371\360\246)\322\5k\246\251\370\205\374\205\11\2b\365\267\2\346\322\23\267\15\305\271n\253\334QX=\345\2759W\4\233!\317\274\234\344Y\27\240\303\12\341\345\251\26\343\225\320\73\274\32\335\244a\241\204\216\26\273\262\262\206\243>\1j\252}W\242%\331\343\326"A\20\240\300U0\252\23\7m\34>`\216\206\331\27\217/\6\204~\255\240\203\340\36w\27\311D\2757\30\343=\22\13T\337\6\3\272\366\255\336\334\370\257\221>\177\203D\212\323\267!(\252\235\234\271\376\316\26\307/=\235)%\27\35qO\16K>Wj\250\320:\217E9\333\232\330S\271\364\263tHq\31\345r\323\211T\334\254*V\201\247\3U\267GL\274Je|\247/\202\3738\343\211\267a9\16!\34\311\265\5J\371\200\32\203\1\231b\2677\335\30\241~\333\364![\373\254"\256\373\10\316\252L\265jp\6\16nf\222\243\12\3\260\25@V\333d\214I\314\365Xm\256D\323\235\33\353\237\254Q8\220\242\376\344L\341\360y\325\17\276\364,n\324\24\34<<\222\210\253-\4`I\305`Y\377x\0\366!\302\211J\273\263\375\254\15\3503\327\373\375\14\212*r\256\276\204\217s\240\0qaky;8\277\20H\302Y2\205\307Y\177\222\217\350\7\207s\244-&\350\211\252Ef0\367\332\276U"\362\14\316\324O\4C;\17P\243*\200\3\370\1\307=\371$\306S\340\12\1\214\33\270>D\251\14\247\353", ) \10P\363\15\332*\370\34\376\265\317\217\16\206~\226\275\6\1f\365\347B\353\3301\37\14\270 (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\302/t\30\326\305\5\332\351\213R| $5\237fI\343\204@\313E{#'\303\332\302\263M0.\372\277\35\271\274fD\273\244J](\374\342D\200\274\370"\10P\363\15\332*\370\34\376\265\317\217\16\206~\226\275\6\1f\365\347B\353\3301\37\14\270"\215\25d.28\267\352\342\333\346\363\371\360\246)\322\5k\246\251\370\205\374\205\11\2b\365\267\2\346\322\23\267\15\305\271n\253\334QX=\345\2759W\4\233!\317\274\234\344Y\27\240\303\12\341\345\251\26\343\225\320\73\274\32\335\244a\241\204\216\26\273\262\262\206\243>\1j\252}W\242%\331\343\326"A\20\240\300U0\252\23\7m\34>`\216\206\331\27\217/\6\204~\255\240\203\340\36w\27\311D\2757\30\343=\22\13T\337\6\3\272\366\255\336\334\370\257\221>\177\203D\212\323\267!(\252\235\234\271\376\316\26\307/=\235)%\27\35qO\16K>Wj\250\320:\217E9\333\232\330S\271\364\263tHq\31\345r\323\211T\334\254*V\201\247\3U\267GL\274Je|\247/\202\3738\343\211\267a9\16!\34\311\265\5J\371\200\32\203\1\231b\2677\335\30\241~\333\364![\373\254"\256\373\10\316\252L\265jp\6\16nf\222\243\12\3\260\25@V\333d\214I\314\365Xm\256D\323\235\33\353\237\254Q8\220\242\376\344L\341\360y\325\17\276\364,n\324\24\34<<\222\210\253-\4`I\305`Y\377x\0\366!\302\211J\273\263\375\254\15\3503\327\373\375\14\212*r\256\276\204\217s\240\0qaky;8\277\20H\302Y2\205\307Y\177\222\217\350\7\207s\244-&\350\211\252Ef0\367\332\276U"\362\14\316\324O\4C;\17P\243*\200\3\370\1\307=\371$\306S\340\12\1\214\33\270>D\251\14\247\353", ) A\20\240\300U0\252\23\7m\34>`\216\206\331\27\217/\6\204~\255\240\203\340\36w\27\311D\2757\30\343=\22\13T\337\6\3\272\366\255\336\334\370\257\221>\177\203D\212\323\267!(\252\235\234\271\376\316\26\307/=\235)%\27\35qO\16K>Wj\250\320:\217E9\333\232\330S\271\364\263tHq\31\345r\323\211T\334\254*V\201\247\3U\267GL\274Je|\247/\202\3738\343\211\267a9\16!\34\311\265\5J\371\200\32\203\1\231b\2677\335\30\241~\333\364![\373\254 (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\302/t\30\326\305\5\332\351\213R| $5\237fI\343\204@\313E{#'\303\332\302\263M0.\372\277\35\271\274fD\273\244J](\374\342D\200\274\370"\10P\363\15\332*\370\34\376\265\317\217\16\206~\226\275\6\1f\365\347B\353\3301\37\14\270"\215\25d.28\267\352\342\333\346\363\371\360\246)\322\5k\246\251\370\205\374\205\11\2b\365\267\2\346\322\23\267\15\305\271n\253\334QX=\345\2759W\4\233!\317\274\234\344Y\27\240\303\12\341\345\251\26\343\225\320\73\274\32\335\244a\241\204\216\26\273\262\262\206\243>\1j\252}W\242%\331\343\326"A\20\240\300U0\252\23\7m\34>`\216\206\331\27\217/\6\204~\255\240\203\340\36w\27\311D\2757\30\343=\22\13T\337\6\3\272\366\255\336\334\370\257\221>\177\203D\212\323\267!(\252\235\234\271\376\316\26\307/=\235)%\27\35qO\16K>Wj\250\320:\217E9\333\232\330S\271\364\263tHq\31\345r\323\211T\334\254*V\201\247\3U\267GL\274Je|\247/\202\3738\343\211\267a9\16!\34\311\265\5J\371\200\32\203\1\231b\2677\335\30\241~\333\364![\373\254"\256\373\10\316\252L\265jp\6\16nf\222\243\12\3\260\25@V\333d\214I\314\365Xm\256D\323\235\33\353\237\254Q8\220\242\376\344L\341\360y\325\17\276\364,n\324\24\34<<\222\210\253-\4`I\305`Y\377x\0\366!\302\211J\273\263\375\254\15\3503\327\373\375\14\212*r\256\276\204\217s\240\0qaky;8\277\20H\302Y2\205\307Y\177\222\217\350\7\207s\244-&\350\211\252Ef0\367\332\276U"\362\14\316\324O\4C;\17P\243*\200\3\370\1\307=\371$\306S\340\12\1\214\33\270>D\251\14\247\353", ) \362\14\316\324O\4C;\17P\243*\200\3\370\1\307=\371$\306S\340\12\1\214\33\270>D\251\14\247\353", ) == 0x0 00128 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, 
"j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (40, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00129 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\273\14\225\223\323\2\332\15R\303\371\3\247j#\240\305FF+\221\17Z?\341\221\253\335\6\333\344\215\365\5D\10S#\363\323\234\346\361\367e\14\245\363GhU4\3455\234$\210x\246w^\350\300O\12\377\332\273C\3460\306\274\323\335\373\343\21r\212\216\253z+\326/\253ut\31b\2715\235P.\0j\3000\371\322J\232\35H\327^\373\241\360\214nQ\15-\363=y[C\243%\303WU\16\12n0\372\14\361\367yMpU\355\245R^p\353\245\324\213\261k\317\370\22CjTc\263\275\256C\266 \315\21HU\267}\325&\212\34 \355\271\256\201\363\353\266\266\214\27\211p\\25\370\310\211\262`\331\12M\302;\323.\26#\265F\1\177\316\322\262\343\240\303\376x\235\371\204GkO\7\201\200\343Dc\253\10\36\324\220\16\263\216\243\364\252\26\200u\212Mq\240b~AF\256\265\227\35\334\312\340\226\255U\213\3\350B@C\26\7\366\267D\302\303@s\54?\301\353\226M.\240\204\336\255\352~\20\325\302s\227@\6Y\370q\312L1\340\362z\333\205\240\354\13w\215\366\330q\260[\2023xt\350wI\373A\334"\\273F\323YuN\246\375\3W\306\231\202\214\260\14D\275\316Z\300@/\6\344\247M\203\360E\234\0\230\312\347\353\232\353,\213L(\373\10\321\212`\340\365\331\4;\325'\275\4PU}\27\3229\365'\236\20\2055\332\16@D\256+\311x\245\325gnW\314\201\22\221\k\353\267MA\245\231+\347\13\307\2331^\27\271\242\31\210\213w\333\223\213\356\360\263\323\340\301BA\17\7\270\313~\3 x\204\303\351\342\204\340\5)\277\310\243\341\373\201\363\272\222\373\321,\360\367p\250\\12(\206\266\12\316 \313|P\335\275z\254W\231\277\246j\253!", ) 
\\273F\323YuN\246\375\3W\306\231\202\214\260\14D\275\316Z\300@/\6\344\247M\203\360E\234\0\230\312\347\353\232\353,\213L(\373\10\321\212`\340\365\331\4;\325'\275\4PU}\27\3229\365'\236\20\2055\332\16@D\256+\311x\245\325gnW\314\201\22\221\k\353\267MA\245\231+\347\13\307\2331^\27\271\242\31\210\213w\333\223\213\356\360\263\323\340\301BA\17\7\270\313~\3 x\204\303\351\342\204\340\5)\277\310\243\341\373\201\363\272\222\373\321,\360\367p\250\\12(\206\266\12\316 \313|P\335\275z\254W\231\277\246j\253!", ) == 0x0 00130 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00131 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\230\12\256\336>'m'\276(\320\15.\325\21\254\2457\221\213w\20muj\276\220\13\202\225C\237D\15\2627\242rFZ\363\373}\213\307\337\255\240\232\260\364l\346(\314\4\323\30\207\4\227@Kw\366:?\255\354~\336\273\251U^\31\350\233\203)\20o\342\20\331\310\260\353>!\15\377\253\345\307\304\336\0\264\27\223\344{)\276+?\2665\15\222A\22^W(\12\256H\213C\253\320\24\272\203R4\376\1\276\331,\300\212n\373k6FT0\275\373\335\256R\221\1})Y\213v\17\305\25[\236\256\2\7\306\234\252`<\221+\234\1\2304\236Ui9\327V\344\312\321Q\225\323\17;\277\370>G\226I\275\254dH\225$(\22\205\350\250\305'\272\340\334}_\251\265\10_\375\303e`\302]F\276\31/\311h\243~\324u\267S\203\315\216l\202$\361)j\24\337]]0q\253\244\243D\243\216R\354/\275\270I\247\333\350F(C\211]\240\233T\2771\370NCzts'\305\361\14t\6\252\200\253]\275\31\337\20\275c\0Q\36\333.\242\203\24\244]\275b+\226\252t\376Y\3\12o\376\347\234\22.\303\2500$Y\251J\357)\252\360^!Q\221n\351ki\2169\31\246"\206\360\251o\226\344\276*\273\334\240&([\27\273&\10\363\373\15\352)\251\350[y\316\206\376\253'\7\302\235\260\375\233\245\252d\16n\22\302(DK\331T9\356\303\2
13\235\345\17\216\212K\272\316\326\2270\335\302H}\217\336![;\323#?/\247"\14\317\246\222:\210Z2\260&\203\236u\241)\315O\20L\35\262\235C(\311\310aJ[F^\0\200A,\23Pm\307\24\232$\333(\15\4\223\304\365\214", ) \206\360\251o\226\344\276*\273\334\240&([\27\273&\10\363\373\15\352)\251\350[y\316\206\376\253'\7\302\235\260\375\233\245\252d\16n\22\302(DK\331T9\356\303\213\235\345\17\216\212K\272\316\326\2270\335\302H}\217\336![;\323#?/\247213\255\324\360\36\377;\255\373\377\232\233v\26xFB\15\300\2176\215 (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\230\12\256\336>'m'\276(\320\15.\325\21\254\2457\221\213w\20muj\276\220\13\202\225C\237D\15\2627\242rFZ\363\373}\213\307\337\255\240\232\260\364l\346(\314\4\323\30\207\4\227@Kw\366:?\255\354~\336\273\251U^\31\350\233\203)\20o\342\20\331\310\260\353>!\15\377\253\345\307\304\336\0\264\27\223\344{)\276+?\2665\15\222A\22^W(\12\256H\213C\253\320\24\272\203R4\376\1\276\331,\300\212n\373k6FT0\275\373\335\256R\221\1})Y\213v\17\305\25[\236\256\2\7\306\234\252`<\221+\234\1\2304\236Ui9\327V\344\312\321Q\225\323\17;\277\370>G\226I\275\254dH\225$(\22\205\350\250\305'\272\340\334}_\251\265\10_\375\303e`\302]F\276\31/\311h\243~\324u\267S\203\315\216l\202$\361)j\24\337]]0q\253\244\243D\243\216R\354/\275\270I\247\333\350F(C\211]\240\233T\2771\370NCzts'\305\361\14t\6\252\200\253]\275\31\337\20\275c\0Q\36\333.\242\203\24\244]\275b+\226\252t\376Y\3\12o\376\347\234\22.\303\2500$Y\251J\357)\252\360^!Q\221n\351ki\2169\31\246"\206\360\251o\226\344\276*\273\334\240&([\27\273&\10\363\373\15\352)\251\350[y\316\206\376\253'\7\302\235\260\375\233\245\252d\16n\22\302(DK\331T9\356\303\213\235\345\17\216\212K\272\316\326\2270\335\302H}\217\336![;\323#?/\247"\14\317\246\222:\210Z2\260&\203\236u\241)\315O\20L\35\262\235C(\311\310aJ[F^\0\200A,\23Pm\307\24\232$\333(\15\4\223\304\365\214", ) , ) == 0x0 00132 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, 
"0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (40, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00133 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\273\6\15\274+\21\270\334U\36\313\15\242\242\207\241\256\367@\0\246R\372\364\316\340\254\263\27\244\321\2\177.\23\32o"B\2312\12\216\17,\270\241\353\203nb\35\370\0\202\202Q\261\233\257\370\302\373\217\240{\2270:2\360\11\240\245\22c\367\10\246 \27\344\322p0\231H\207\333\275\342\177>WJ- w0;,\316\230\0ic\323|\3\23\202\270_h\253\17\314\177\304\0\210\350iT\231=\231\20|8(\265\342-!~\242$\335\25\344J\231t\225B\321Ph=\341\34\347\216-\255:\327*D\261\37\376\353\372|\325\246\345^\362_\377+\222\360\260\238\240\230\246\366\30_\217\325\300\350jC\261r[\213\211\242\251m.\261\271\315+\24\273.\222\241\22\314\320\0r\207d\314\273.\334\22\2665\273\354\345\227\370?F\33p\323P\2\253\204\22\17\255=\220\3205\266\310\314\\215\230Q\213\17\312\371F\336Li\341\20\320\242,1S\5)vZ\240\220\371\331\210\203\23\202\254*_\233\351\366\265\213b\274\31#\203\253y\260\211\20xr\211_\253\375\261)\376\255\205\14\2507DF\353\261\266\27z\261T$\300\257\313\27\21\177\341\244\321\212X\233\245\340\23;\326\212H\334D\374\345v\340\253P\234\351\231%g\221\374\256l\204\213\257\352l\3\272N]\332\305,\215\4\342\364\203\10\240'\20e\361\275\241\20\2745\236\34\361\275\343Y\275\13\242\14\200`\203\277\355!\3710\342^N\350\351#\340\255\25\327\350m\242,_[\13\304\211\13 ,x\312\32K\302\27W>\350\257\335\230\15\205\316$Q\363\316\200\31\2\360\335\237\3576\31F$T\273y\374Z\205\13wW\240\373\14\203\322\1\367\200\333\313\21\304\312\303\250\253^\253\213u}K\1\2441N\1\250\252\330\340\37\346d\200", ) B\2312\12\216\17,\270\241\353\203nb\35\370\0\202\202Q\261\233\257\370\302\373\217\240{\2270:2\360\11\240\245\22c\367\10\246 \27\344\322p0\231H\207\333\275\342\177>WJ- 
w0;,\316\230\0ic\323|\3\23\202\270_h\253\17\314\177\304\0\210\350iT\231=\231\20|8(\265\342-!~\242$\335\25\344J\231t\225B\321Ph=\341\34\347\216-\255:\327*D\261\37\376\353\372|\325\246\345^\362_\377+\222\360\260\238\240\230\246\366\30_\217\325\300\350jC\261r[\213\211\242\251m.\261\271\315+\24\273.\222\241\22\314\320\0r\207d\314\273.\334\22\2665\273\354\345\227\370?F\33p\323P\2\253\204\22\17\255=\220\3205\266\310\314\\215\230Q\213\17\312\371F\336Li\341\20\320\242,1S\5)vZ\240\220\371\331\210\203\23\202\254*_\233\351\366\265\213b\274\31#\203\253y\260\211\20xr\211_\253\375\261)\376\255\205\14\2507DF\353\261\266\27z\261T$\300\257\313\27\21\177\341\244\321\212X\233\245\340\23;\326\212H\334D\374\345v\340\253P\234\351\231%g\221\374\256l\204\213\257\352l\3\272N]\332\305,\215\4\342\364\203\10\240'\20e\361\275\241\20\2745\236\34\361\275\343Y\275\13\242\14\200`\203\277\355!\3710\342^N\350\351#\340\255\25\327\350m\242,_[\13\304\211\13 ,x\312\32K\302\27W>\350\257\335\230\15\205\316$Q\363\316\200\31\2\360\335\237\3576\31F$T\273y\374Z\205\13wW\240\373\14\203\322\1\367\200\333\313\21\304\312\303\250\253^\253\213u}K\1\2441N\1\250\252\330\340\37\346d\200", ) == 0x0 00134 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_# \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 
\250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00135 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\213\336\223\205\316mz\6\263_\15\22\255\360\216s\207\360\30\242\306\37\274C6)d\6\271\304\2062\34Yh/\5\321\275\373\337\211\373\31\30:\233\353S]i\377\304\324\201\16\210\211\23\12\223f~\1778(\276\0\250\232\363\213\34y}xasK0tL\307`C\332X\5\240\234\253\227L\255\32\231\15\303V\16l30\375P,n\13\334\3\237W\275v-\200\277o\13_\254e<\24H\35\254\32b~\236\24a2>?\232\20\261|BD)\330O\252\6\14p;f\202\310\372\24\330SA\200\304\244\237`oIF\21\267+\324kh\351V\203\5\20q\200\15Rr#\32P\302\224\17#\30\330N\354\251\37\350\361\332~\2269\2532\36\30\3176\17\202\253\361\30\273\250\372\223g}\345\201\352Tot\356+\233\247\200\253\7\21\13\376\215\14\323\6]\213\260z\321\341\226n\231\237\376\354U\364\227\32-w\37\272\321\3\214\324\213~}\356\236_\233\0\322\224\24\26\270\301>$\5%\24I\30\360\216\257\307\13\251a\37\3\272+O6\274\323\327n\17\203\27\12\342D{\336\357\230\204\316\273\226\213\22\2703\274\237\26\6\245\367\335\340i\363\15a\351\370\340\221\23\34\13$wk\265\211\227m4\337\327\303\307)\203\346\264{\325a\347\333\6n\330\326\257\376\12\322\226\1by\307\301V\347/"\310:~\273,J\206, 
\270\205\370\335\32t\243\365{\327\351\3KE\202\273O\276\213b\221\236O\2403\207\346\361s\3222(\202H\370\374\231V\262\272\223T\22\277\37\221(\277\0v\323LrFc\376/\345\17\256\30\21Dk\237\215\260\0\255\336x\373>\326\376s*\7{?\246\232\224\355,\207\1\325=\33|\214\7n\0\334\240\264]\3027\300\354\271\337\254\361shAkG]\205\", ) \310:~\273,J\206, \270\205\370\335\32t\243\365{\327\351\3KE\202\273O\276\213b\221\236O\2403\207\346\361s\3222(\202H\370\374\231V\262\272\223T\22\277\37\221(\277\0v\323LrFc\376/\345\17\256\30\21Dk\237\215\260\0\255\336x\373>\326\376s*\7{?\246\232\224\355,\207\1\325=\33|\214\7n\0\334\240\264]\3027\300\354\271\337\254\361shAkG]\205\", ) == 0x0 00136 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1
\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00137 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\313e\236!\204\20\245\2642(\360B\351\177\215D\274*\345t\350e\342t\274L\307\14`NK\4\274\23\245\220\4`\21<+\17\332\310\227co^\311\267\16\233\352s\245\364\353\342\343(\324b\212\240\0u\322\5\3334N\3\251\200\314D\255h\236\316\257\342MH\251(\343\30\250\25\242\313\12\1^\7x\371\14A\202\253\26\204\354\321\202\231(\340\217:\210n\320\7q\300\250M\204\\202\306\243\317\312\201\353k\261\3^\343\334+\353\247\215|\300k\310\232\274*\32\2548\274wJ\257d \357\371vP*\323\4\327\274[\274\205%\30G\206O\27d\247\233\310\364\302\24\354\37\216K\256\307\343\13\354;\2458\338\361\343\200\244\2423\332\242\254\320\212\2\345^\226\257\340(\342\2\12\215\336h\303\316\341p\2632b\3\7\7O\360\221\334\202\4\273\273\204\3z&\202\266\244+\206\10\264(L\226\234(\306 \273\226\3M", ) , ) == 0x0 00138 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: 
EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00139 468 NtReadFile (36, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "2k\226\214\2527\226\205#z\235\27h\20\3128\371\12cR\305\214\320\210X\225\205|bG\30\11\210u\26\346\263\353Ch^$\253\330\270\326FC\327\312\15\314 \375\301\244+^\17\224!\300\21l=\332kR\13\340A\265*Rk\340\270\214\345K\315\16a\307\363\215+\243G0\214\212\225\226\201\252\211m\301\27*\340@\24\362\255v&%^\262\210k\211\21\30\33\36\315\342\31\313\263D\16\35@\320%\0\14a\346\224\226\200c\210\13\214kE@\270n\14\261\3610\7|\314!\217\221\237\260\203\20\17:\325\360\25\3504\11\341 \332Bo(\230\357\37'@\217Vi\326\261,\1\332\203\311\352\304\20"\320\240\364\240\251,\211\222\232\352\26\14\245\224\14\216X\267\353?)\35\11\306\17\226si\5\374\266\221v\250Y$\31\341\20s_\326\5\33!\257\370\32"M\352\277\237I:\244\17\235B\370!\322\20\240=\202M\256z\252\2\254\357\371d\255@\222\6\356\217\26\11\276 \4\242\303\15\230#\3616\204=@\347\36\5I\276e8\2700\237\263\255d\362\242B9\20\260\273\2\263\26\2233\200\234\376N\275;lI\312\20$8%\10\310\230\276$\4\14\227I\340\263\355\4\246\33\366\232\205P\227n\245\303\346\300+J\266\211\207\7_\214q[\222\2T%\245\250\260\351\336\337\364\342\30-\247^\344\236\355}\327\21\2545\211\22\352'\300@\327y4Cb!4\14u\225\216\322\30\211\325\344\305/\352Yk\200\300\16*25%5$$\336\233_MFyG\2166\244K\31)\212\326, ) \320\240\364\240\251,\211\222\232\352\26\14\245\224\14\216X\267\353?)\35\11\306\17\226si\5\374\266\221v\250Y$\31\341\20s_\326\5\33!\257\370\32 (36, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "2k\226\214\2527\226\205#z\235\27h\20\3128\371\12cR\305\214\320\210X\225\205|bG\30\11\210u\26\346\263\353Ch^$\253\330\270\326FC\327\312\15\314 \375\301\244+^\17\224!\300\21l=\332kR\13\340A\265*Rk\340\270\214\345K\315\16a\307\363\215+\243G0\214\212\225\226\201\252\211m\301\27*\340@\24\362\255v&%^\262\210k\211\21\30\33\36\315\342\31\313\263D\16\35@\320%\0\14a\346\224\226\200c\210\13\214kE@\270n\14\261\3610\7|\314!\217\221\237\260\203\20\17:\325\360\25\3504\11\341 \332Bo(\230\357\37'@\217Vi\326\261,\1\332\203\311\352\304\20"\320\240\364\240\251,\211\222\232\352\26\14\245\224\14\216X\267\353?)\35\11\306\17\226si\5\374\266\221v\250Y$\31\341\20s_\326\5\33!\257\370\32"M\352\277\237I:\244\17\235B\370!\322\20\240=\202M\256z\252\2\254\357\371d\255@\222\6\356\217\26\11\276 \4\242\303\15\230#\3616\204=@\347\36\5I\276e8\2700\237\263\255d\362\242B9\20\260\273\2\263\26\2233\200\234\376N\275;lI\312\20$8%\10\310\230\276$\4\14\227I\340\263\355\4\246\33\366\232\205P\227n\245\303\346\300+J\266\211\207\7_\214q[\222\2T%\245\250\260\351\336\337\364\342\30-\247^\344\236\355}\327\21\2545\211\22\352'\300@\327y4Cb!4\14u\225\216\322\30\211\325\344\305/\352Yk\200\300\16*25%5$$\336\233_MFyG\2166\244K\31)\212\326, ) , ) == 0x0 00140 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 
@\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (40, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 
fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00141 468 NtReadFile (36, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, (36, 0, 0, 0, 2048, 0x0, 0, ... 
{status=0x0, info=2048}, "\350`\206\0\370`\206\0\314p\206\0\334p\206\0LB\206\0\B\206\0\254A\206\0\244A\206\0\274A\206\0\264A\206\0\214A\206\0\204A\206\0\234A\206\0\224A\206\0\354A\206\0\344A\206\0\10A\206\0\34A\206\0pA\206\0\264@\206\0\370@\206\0\0@\206\0x@\206\0\270G\206\08G\206\0@G\206\0,E\206\0XD\206\0\230[\206\0\274Z\206\0\10Z\206\0\334X\206\0\324^\206\0\354\\206\0\200S\206\0`S\206\0\340R\206\0 R\206\0\324Q\206\04Q\206\0hQ\206\0XQ\206\00h\203\0Hh\203\0\177\2\201\0C\2\201\0\252\1\201\0\262\1\201\0\234\1\201\0\346\1\201\0\301\1\201\0,\1\201\0\10\1\201\0\21\1\201\0|\1\201\0@\1\201\0V\1\201\0\272\0\201\0\200\0\201\0\351\0\201\0\370\0\201\0\325\0\201\0>\0\201\0\37\0\201\0y\0\201\0P\0\201\0\263\7\201\0\342\7\201\0\307\7\201\0:\7\201\0i\7\201\0I\7\201\0\254\6\201\0\221\6\201\0\317\6\201\0\324\6\201\0:\6\201\0\2\6\201\0h\6\201\0~\6\201\0D\6\201\0\251\5\201\0\262\5\201\0\207\5\201\0\354\5\201\0\366\5\201\0\321\5\201\0,\5\201\0"\5\201\0;\5\201\07\5\201\0\264+\220\0\277+\237\0\274+\236\0\275+\234\0\254+\205\0\240+\201\0\256+\203\0\203+\235\0\265+\230\0\214+\246\0\200+\254\0\201+\247\0\213+\244\0\267+\243\0\216+\241\0\273+\227\0\272+\212\0\270+\210\0\247+\213\0\243+\214\0\241+\252\0\250+\204\0\251+\250\0\205+\206\0\250+\206\0\250+\206\0\250+\206@\214S\366$\231\31\310m\335O\366@\374e\313U\354{\206@\214S\366$\231\36\310m", ) \5\201\0;\5\201\07\5\201\0\264+\220\0\277+\237\0\274+\236\0\275+\234\0\254+\205\0\240+\201\0\256+\203\0\203+\235\0\265+\230\0\214+\246\0\200+\254\0\201+\247\0\213+\244\0\267+\243\0\216+\241\0\273+\227\0\272+\212\0\270+\210\0\247+\213\0\243+\214\0\241+\252\0\250+\204\0\251+\250\0\205+\206\0\250+\206\0\250+\206\0\250+\206@\214S\366$\231\31\310m\335O\366@\374e\313U\354{\206@\214S\366$\231\36\310m", ) == 0x0 00142 468 NtWriteFile (40, 0, 0, 0, (40, 0, 0, 0, 
"@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0 00143 468 NtClose (40, ... ) == 0x0 00144 468 NtClose (36, ... ) == 0x0 00145 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0 00146 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.tmp"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00147 468 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 36, ... 40, ) == 0x0 00148 468 NtClose (36, ... ) == 0x0 00149 468 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x320000), 0x0, 176128, ) == 0x0 00150 468 NtClose (40, ... ) == 0x0 00151 468 NtUnmapViewOfSection (-1, 0x320000, ... ) == 0x0 00152 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0 00153 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0 00154 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.tmp"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0 00155 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 40, ... 36, ) == 0x0 00156 468 NtQuerySection (36, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 00157 468 NtOpenProcessToken (-1, 0x8, ... 44, ) == 0x0 00158 468 NtQueryInformationToken (44, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00159 468 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 468 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0 00161 468 NtQueryValueKey (48, (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00162 468 NtClose (48, ... ) == 0x0 00163 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00164 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 48, ) == 0x0 00165 468 NtQueryInformationToken (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00166 468 NtClose (48, ... ) == 0x0 00167 468 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 468 NtClose (44, ... ) == 0x0 00169 468 NtClose (40, ... ) == 0x0 00170 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x320000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE 00171 468 NtMapViewOfSection (36, -1, (0x320000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 00172 468 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 00173 468 NtClose (36, ... ) == 0x0 00174 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 8, ) == 0x0 00175 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 8, ... 
(0x392000), 4096, 4, ) == 0x0 00176 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00177 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00178 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00179 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00180 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 36, ) }, ... 36, ) == 0x0 00181 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00182 468 NtClose (36, ... ) == 0x0 00183 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00184 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00185 468 NtClose (36, ... ) == 0x0 00186 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00187 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00188 468 NtClose (36, ... ) == 0x0 00189 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00190 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00191 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00192 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00193 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00194 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00195 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 36, ) }, ... 36, ) == 0x0 00196 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00197 468 NtClose (36, ... ) == 0x0 00198 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... 
(0x392000), 4096, 4, ) == 0x0 00199 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00200 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00201 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 36, ) }, ... 36, ) == 0x0 00202 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00203 468 NtClose (36, ... ) == 0x0 00204 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00205 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00206 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00207 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 36, ) }, ... 36, ) == 0x0 00208 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00209 468 NtClose (36, ... ) == 0x0 00210 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 36, ) }, ... 36, ) == 0x0 00211 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00212 468 NtClose (36, ... ) == 0x0 00213 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00214 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00215 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00216 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00217 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00218 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00219 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... 
) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00221 468 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00222 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0 00223 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00224 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 40, ) == 0x0 00225 468 NtQuerySection (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00226 468 NtClose (36, ... ) == 0x0 00227 468 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00228 468 NtClose (40, ... ) == 0x0 00229 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00230 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00231 468 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00232 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == 0x0 00233 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 40, {status=0x0, info=1}, ) }, 5, 96, ... 40, {status=0x0, info=1}, ) == 0x0 00234 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 40, ... 36, ) == 0x0 00235 468 NtQuerySection (36, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00236 468 NtClose (40, ... 
) == 0x0 00237 468 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00238 468 NtClose (36, ... ) == 0x0 00239 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00240 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00241 468 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00242 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == 0x0 00243 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00244 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 40, ) == 0x0 00245 468 NtQuerySection (40, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00246 468 NtClose (36, ... ) == 0x0 00247 468 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00248 468 NtClose (40, ... ) == 0x0 00249 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00250 468 NtProtectVirtualMemory (-1, (0x392000), 4096, 4, ... (0x392000), 4096, 4, ) == 0x0 00251 468 NtFlushInstructionCache (-1, 3743744, 4096, ... ) == 0x0 00252 468 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00253 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\30\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\30\1$\1\0\0" ... {28, 56, reply, 0, 460, 468, 1516, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\30\1$\1\0\0" ) ... {28, 56, reply, 0, 460, 468, 1516, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\30\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\30\1$\1\0\0" ... {28, 56, reply, 0, 460, 468, 1516, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\30\1$\1\0\0" ) ) == 0x0 00254 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00255 468 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4f0000), 0x0, 1060864, ) == 0x0 00256 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00257 468 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00258 468 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482004, ) == 0x0 00259 468 NtQueryInformationToken (-2147482004, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00260 468 NtQueryInformationToken (-2147482004, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00261 468 NtClose (-2147482004, ... ) == 0x0 00262 468 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3801088, 4096, ) == 0x0 00263 468 NtFreeVirtualMemory (-1, (0x3a0000), 4096, 32768, ... (0x3a0000), 4096, ) == 0x0 00264 468 NtDuplicateObject (-1, 44, -1, 0x0, 0, 2, ... 
52, ) == 0x0 00265 468 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482004, ) }, ... -2147482004, ) == 0x0 00266 468 NtQueryValueKey (-2147482004, (-2147482004, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00267 468 NtClose (-2147482004, ... ) == 0x0 00268 468 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482004, ) }, ... -2147482004, ) == 0x0 00269 468 NtQueryValueKey (-2147482004, (-2147482004, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00270 468 NtClose (-2147482004, ... ) == 0x0 00271 468 NtQueryDefaultLocale (0, -136443380, ... ) == 0x0 00272 468 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00273 468 NtUserCallNoParam (24, ... ) == 0x0 00274 468 NtGdiCreateCompatibleDC (0, ... 00275 468 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3801088, 4096, ) == 0x0 00274 468 NtGdiCreateCompatibleDC ... ) == 0x1401031f 00276 468 NtGdiGetStockObject (0, ... ) == 0x1900010 00277 468 NtGdiGetStockObject (4, ... ) == 0x1900011 00278 468 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x38050408 00279 468 NtGdiCreateSolidBrush (0, 0, ... 00280 468 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3866624, 4096, ) == 0x0 00279 468 NtGdiCreateSolidBrush ... ) == 0x19100404 00281 468 NtGdiGetStockObject (13, ... ) == 0x18a0021 00282 468 NtGdiCreateCompatibleDC (0, ... ) == 0x1d010403 00283 468 NtGdiSelectBitmap (486605827, 939852808, ... ) == 0x185000f 00284 468 NtUserGetThreadDesktop (468, 0, ... ) == 0x30 00285 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 56, ) }, ... 
56, ) == 0x0 00286 468 NtQueryValueKey (56, (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (56, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00287 468 NtClose (56, ... ) == 0x0 00288 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10011 00289 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 673, 128, 0, ... ) == 0x810dc017 00290 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10011 00291 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 674, 128, 0, ... ) == 0x810dc01c 00292 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10011 00293 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 675, 128, 0, ... ) == 0x810dc01e 00294 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10011 00295 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 676, 128, 0, ... ) == 0x810d8002 00296 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10013 00297 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 677, 128, 0, ... ) == 0x810dc018 00298 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10011 00299 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 678, 128, 0, ... ) == 0x810dc01a 00300 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10011 00301 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 679, 128, 0, ... ) == 0x810dc01d 00302 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10011 00303 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 681, 128, 0, ... ) == 0x810dc026 00304 468 NtUserFindExistingCursorIcon (1240532, 1240548, 1241116, ... ) == 0x10011 00305 468 NtUserRegisterClassExWOW (1241052, 1241132, 1241116, 1241148, 680, 128, 0, ... 
00306 468 NtAllocateVirtualMemory (-1, 6385664, 0, 4096, 4096, 32, ... 6385664, 4096, ) == 0x0 00305 468 NtUserRegisterClassExWOW ... ) == 0x810dc019 00307 468 NtUserRegisterClassExWOW (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ... ) == 0x810dc020 00308 468 NtUserRegisterClassExWOW (1241004, 1241080, 1241096, 1241068, 0, 130, 0, ... ) == 0x810dc022 00309 468 NtUserRegisterClassExWOW (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ... ) == 0x810dc023 00310 468 NtUserRegisterClassExWOW (1241004, 1241080, 1241096, 1241068, 0, 130, 0, ... ) == 0x810dc024 00311 468 NtUserRegisterClassExWOW (1241004, 1241084, 1241068, 1241100, 0, 128, 0, ... ) == 0x810dc025 00312 468 NtCallbackReturn (0, 0, 0, ... 00313 468 NtGdiInit (... ) == 0x1 00314 468 NtGdiGetStockObject (18, ... ) == 0x290001c 00315 468 NtGdiGetStockObject (19, ... ) == 0x1b00019 00316 468 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00317 468 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {460, 0}, ... 56, ) == 0x0 00318 468 NtQueryInformationProcess (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00319 468 NtClose (56, ... ) == 0x0 00320 468 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00321 468 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00322 468 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00323 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00324 468 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00325 468 NtClose (56, ... ) == 0x0 00326 468 NtUserSystemParametersInfo (41, 500, 1242460, 0, ... ) == 0x1 00327 468 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00328 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00329 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... 
) == 0x10011 00330 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03b 00331 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00332 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03d 00333 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00334 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00335 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03f 00336 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00337 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00338 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc041 00339 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00340 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00341 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc043 00342 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00343 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc045 00344 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00345 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00346 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc047 00347 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00348 468 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00349 468 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810dc049 00350 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... 
) == 0x0 00351 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00352 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04b 00353 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00354 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00355 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04d 00356 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00357 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00358 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04f 00359 468 NtUserGetClassInfo (1999896576, 1242872, 1242824, 1242900, 0, ... ) == 0x0 00360 468 NtUserRegisterClassExWOW (1242708, 1242788, 1242772, 1242804, 0, 384, 0, ... ) == 0x810dc051 00361 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00362 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00363 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc053 00364 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00365 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00366 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc055 00367 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc057 00368 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00369 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00370 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc059 00371 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... 
) == 0x0 00372 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10013 00373 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05b 00374 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00375 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00376 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05d 00377 468 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00378 468 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00379 468 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05f 00380 468 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 56, ) == 0x0 00381 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 60, ) == 0x0 00382 468 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 64, ) }, ... 64, ) == 0x0 00383 468 NtNotifyChangeKey (64, 60, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00384 468 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00385 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0 00386 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0 00387 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00388 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00389 468 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 76, ) }, ... 
76, ) == 0x0 00390 468 NtQueryValueKey (76, (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00391 468 NtClose (76, ... ) == 0x0 00392 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00393 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00394 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00395 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00396 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 76, ) }, ... 76, ) == 0x0 00397 468 NtQueryValueKey (76, (76, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00398 468 NtQueryValueKey (76, (76, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00399 468 NtQueryValueKey (76, (76, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00400 468 NtClose (76, ... ) == 0x0 00401 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 76, ) }, ... 
76, ) == 0x0 00402 468 NtQueryValueKey (76, (76, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00403 468 NtQueryValueKey (76, (76, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00404 468 NtClose (76, ... ) == 0x0 00405 468 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 76, ) }, ... 76, ) == 0x0 00406 468 NtOpenEvent (0x1f0003, {24, 76, 0x0, 0, 0, (0x1f0003, {24, 76, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00407 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00408 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3932160, 65536, ) == 0x0 00409 468 NtAllocateVirtualMemory (-1, 3932160, 0, 4096, 4096, 4, ... 3932160, 4096, ) == 0x0 00410 468 NtAllocateVirtualMemory (-1, 3936256, 0, 8192, 4096, 4, ... 3936256, 8192, ) == 0x0 00411 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0 00412 468 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3d0000), 0x0, 12288, ) == 0x0 00413 468 NtClose (80, ... ) == 0x0 00414 468 NtAllocateVirtualMemory (-1, 3944448, 0, 4096, 4096, 4, ... 3944448, 4096, ) == 0x0 00415 468 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00416 468 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00417 468 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00418 468 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00419 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00420 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00421 468 NtUserCallOneParam (0, 40, ... ) == 0x4 00422 468 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00423 468 NtQueryVirtualMemory (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00424 468 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00425 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 1, ... 9437184, 1048576, ) == 0x0 00426 468 NtAllocateVirtualMemory (-1, 9437184, 0, 16384, 4096, 4, ... 9437184, 16384, ) == 0x0 00427 468 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00428 468 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00429 468 NtOpenKey (0xf003f, {24, 32, 0x40, 0, 0, (0xf003f, {24, 32, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00430 468 NtOpenKey (0xf003f, {24, 32, 0x40, 0, 0, (0xf003f, {24, 32, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00431 468 NtOpenProcessToken (-1, 0x8, ... 80, ) == 0x0 00432 468 NtQueryInformationToken (80, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00433 468 NtClose (80, ... 
) == 0x0 00434 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00435 468 NtReleaseMutant (16, ... 00436 468 NtContinue (-136445816, 0, ... 00435 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00437 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00438 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00439 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00440 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00441 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00442 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\rma1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00443 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00444 468 NtReleaseMutant (16, ... 00445 468 NtContinue (-136445816, 0, ... 00444 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00446 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00447 468 NtReleaseMutant (16, ... 00448 468 NtContinue (-136445816, 0, ... 00447 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00449 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00450 468 NtReleaseMutant (16, ... 00451 468 NtContinue (-136445816, 0, ... 00450 468 NtReleaseMutant ... 
) == STATUS_MUTANT_NOT_OWNED 00452 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00453 468 NtReleaseMutant (16, ... 00454 468 NtContinue (-136445816, 0, ... 00453 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00455 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00456 468 NtReleaseMutant (16, ... 00457 468 NtContinue (-136445816, 0, ... 00456 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00458 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00459 468 NtReleaseMutant (16, ... 00460 468 NtContinue (-136445816, 0, ... 00459 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00461 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00462 468 NtReleaseMutant (16, ... 00463 468 NtContinue (-136445816, 0, ... 00462 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00464 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00465 468 NtReleaseMutant (16, ... 00466 468 NtContinue (-136445816, 0, ... 00465 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00467 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00468 468 NtReleaseMutant (16, ... 00469 468 NtContinue (-136445816, 0, ... 00468 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00470 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00471 468 NtReleaseMutant (16, ... 00472 468 NtContinue (-136445816, 0, ... 00471 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00473 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00474 468 NtReleaseMutant (16, ... 00475 468 NtContinue (-136445816, 0, ... 00474 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00476 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00477 468 NtReleaseMutant (16, ... 00478 468 NtContinue (-136445816, 0, ... 00477 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00479 468 NtWaitForSingleObject (16, 0, 0x0, ... 
) == STATUS_ACCESS_DENIED 00480 468 NtReleaseMutant (16, ... 00481 468 NtContinue (-136445816, 0, ... 00480 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00482 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00483 468 NtReleaseMutant (16, ... 00484 468 NtContinue (-136445816, 0, ... 00483 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00485 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00486 468 NtReleaseMutant (16, ... 00487 468 NtContinue (-136445816, 0, ... 00486 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00488 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00489 468 NtReleaseMutant (16, ... 00490 468 NtContinue (-136445816, 0, ... 00489 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00491 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00492 468 NtReleaseMutant (16, ... 00493 468 NtContinue (-136445816, 0, ... 00492 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00494 468 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00495 468 NtReleaseMutant (16, ... 00496 468 NtContinue (-136445816, 0, ... 00495 468 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00497 468 NtCreateEvent (0x1f0003, 0x0, 0, -1, ... 80, ) == 0x0 00498 468 NtUserGetDC (0, ... ) == 0x1010054 00499 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00500 468 NtUserGetDC (0, ... ) == 0x1010054 00501 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00502 468 NtGdiCreatePaletteInternal (1241872, 16, ... ) == 0x41080406 00503 468 NtGdiGetStockObject (7, ... ) == 0x1b00017 00504 468 NtGdiGetStockObject (5, ... ) == 0x1900015 00505 468 NtUserFindExistingCursorIcon (1242268, 1242284, 1242852, ... ) == 0x10003 00506 468 NtAddAtom ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\0C\0C\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0 00507 468 NtAddAtom ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\03\02\00\00\00\00\00\00\00\00\00\01\0D\04\0", 52, 1242804, ... ) , 52, 1242804, ... 
) == 0x0 00508 468 NtUserSystemParametersInfo (104, 0, 9442428, 0, ... ) == 0x1 00509 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10011 00510 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10023 00511 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00512 468 NtUserGetDC (0, ... ) == 0x1010054 00513 468 NtGdiCreateDIBitmapInternal (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x270503e5 00514 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00515 468 NtGdiSelectBitmap (335610655, 654640101, ... ) == 0x185000f 00516 468 NtGdiGetDCforBitmap (654640101, ... ) == 0x1401031f 00517 468 NtGdiSaveDC (335610655, ... ) == 0x1 00518 468 NtGdiSelectBitmap (335610655, 654640101, ... ) == 0x270503e5 00519 468 NtGdiGetDCObject (335610655, 524288, ... ) == 0x188000b 00520 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00521 468 NtGdiSetDIBitsToDeviceInternal (335610655, 0, 0, 32, 64, 0, 0, 0, 64, 3683852, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40 00522 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00523 468 NtGdiSelectBitmap (335610655, 654640101, ... ) == 0x270503e5 00524 468 NtGdiRestoreDC (335610655, -1, ... ) == 0x1 00525 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x270503e5 00526 468 NtGdiCreateCompatibleDC (335610655, ... ) == 0x1a010405 00527 468 NtGdiExtGetObjectW (654640101, 24, 1241324, ... ) == 0x18 00528 468 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x1a050321 00529 468 NtGdiSelectBitmap (335610655, 654640101, ... ) == 0x185000f 00530 468 NtGdiSelectBitmap (436274181, 436536097, ... ) == 0x185000f 00531 468 NtGdiBitBlt (436274181, 0, 0, 32, 64, 335610655, 0, 0, 13369376, -1, 0, ... ) == 0x1 00532 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x270503e5 00533 468 NtGdiSelectBitmap (436274181, 25493519, ... ) == 0x1a050321 00534 468 NtGdiDeleteObjectApp (654640101, ... 
) == 0x1 00535 468 NtGdiDeleteObjectApp (436274181, ... ) == 0x1 00536 468 NtUserCallOneParam (0, 33, ... ) == 0x3004d 00537 468 NtUserSetCursorIconData (196685, 1241432, 1241448, 1242028, ... ) == 0x1 00538 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10029 00539 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10027 00540 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10025 00541 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00542 468 NtUserGetDC (0, ... ) == 0x1010054 00543 468 NtGdiCreateDIBitmapInternal (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1305031d 00544 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00545 468 NtGdiSelectBitmap (335610655, 319095581, ... ) == 0x185000f 00546 468 NtGdiGetDCforBitmap (319095581, ... ) == 0x1401031f 00547 468 NtGdiSaveDC (335610655, ... ) == 0x1 00548 468 NtGdiSelectBitmap (335610655, 319095581, ... ) == 0x1305031d 00549 468 NtGdiGetDCObject (335610655, 524288, ... ) == 0x188000b 00550 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00551 468 NtGdiSetDIBitsToDeviceInternal (335610655, 0, 0, 32, 64, 0, 0, 0, 64, 3684160, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40 00552 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00553 468 NtGdiSelectBitmap (335610655, 319095581, ... ) == 0x1305031d 00554 468 NtGdiRestoreDC (335610655, -1, ... ) == 0x1 00555 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x1305031d 00556 468 NtGdiCreateCompatibleDC (335610655, ... ) == 0x290103e5 00557 468 NtGdiExtGetObjectW (319095581, 24, 1241324, ... ) == 0x18 00558 468 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x80503fe 00559 468 NtGdiSelectBitmap (335610655, 319095581, ... ) == 0x185000f 00560 468 NtGdiSelectBitmap (687932389, 134546430, ... ) == 0x185000f 00561 468 NtGdiBitBlt (687932389, 0, 0, 32, 64, 335610655, 0, 0, 13369376, -1, 0, ... 
) == 0x1 00562 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x1305031d 00563 468 NtGdiSelectBitmap (687932389, 25493519, ... ) == 0x80503fe 00564 468 NtGdiDeleteObjectApp (319095581, ... ) == 0x1 00565 468 NtGdiDeleteObjectApp (687932389, ... ) == 0x1 00566 468 NtUserCallOneParam (0, 33, ... ) == 0x20097 00567 468 NtUserSetCursorIconData (131223, 1241432, 1241448, 1242028, ... ) == 0x1 00568 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00569 468 NtUserGetDC (0, ... ) == 0x1010054 00570 468 NtGdiCreateDIBitmapInternal (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1c050405 00571 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00572 468 NtGdiSelectBitmap (335610655, 470090757, ... ) == 0x185000f 00573 468 NtGdiGetDCforBitmap (470090757, ... ) == 0x1401031f 00574 468 NtGdiSaveDC (335610655, ... ) == 0x1 00575 468 NtGdiSelectBitmap (335610655, 470090757, ... ) == 0x1c050405 00576 468 NtGdiGetDCObject (335610655, 524288, ... ) == 0x188000b 00577 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00578 468 NtGdiSetDIBitsToDeviceInternal (335610655, 0, 0, 32, 64, 0, 0, 0, 64, 3684468, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40 00579 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00580 468 NtGdiSelectBitmap (335610655, 470090757, ... ) == 0x1c050405 00581 468 NtGdiRestoreDC (335610655, -1, ... ) == 0x1 00582 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x1c050405 00583 468 NtGdiCreateCompatibleDC (335610655, ... ) == 0x1501031d 00584 468 NtGdiExtGetObjectW (470090757, 24, 1241324, ... ) == 0x18 00585 468 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x80503ff 00586 468 NtGdiSelectBitmap (335610655, 470090757, ... ) == 0x185000f 00587 468 NtGdiSelectBitmap (352387869, 134546431, ... ) == 0x185000f 00588 468 NtGdiBitBlt (352387869, 0, 0, 32, 64, 335610655, 0, 0, 13369376, -1, 0, ... ) == 0x1 00589 468 NtGdiSelectBitmap (335610655, 25493519, ... 
) == 0x1c050405 00590 468 NtGdiSelectBitmap (352387869, 25493519, ... ) == 0x80503ff 00591 468 NtGdiDeleteObjectApp (470090757, ... ) == 0x1 00592 468 NtGdiDeleteObjectApp (352387869, ... ) == 0x1 00593 468 NtUserCallOneParam (0, 33, ... ) == 0x4009f 00594 468 NtUserSetCursorIconData (262303, 1241432, 1241448, 1242028, ... ) == 0x1 00595 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00596 468 NtUserGetDC (0, ... ) == 0x1010054 00597 468 NtGdiCreateDIBitmapInternal (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x2b0503e5 00598 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00599 468 NtGdiSelectBitmap (335610655, 721748965, ... ) == 0x185000f 00600 468 NtGdiGetDCforBitmap (721748965, ... ) == 0x1401031f 00601 468 NtGdiSaveDC (335610655, ... ) == 0x1 00602 468 NtGdiSelectBitmap (335610655, 721748965, ... ) == 0x2b0503e5 00603 468 NtGdiGetDCObject (335610655, 524288, ... ) == 0x188000b 00604 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00605 468 NtGdiSetDIBitsToDeviceInternal (335610655, 0, 0, 32, 64, 0, 0, 0, 64, 3684776, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40 00606 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00607 468 NtGdiSelectBitmap (335610655, 721748965, ... ) == 0x2b0503e5 00608 468 NtGdiRestoreDC (335610655, -1, ... ) == 0x1 00609 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x2b0503e5 00610 468 NtGdiCreateCompatibleDC (335610655, ... ) == 0x1e010405 00611 468 NtGdiExtGetObjectW (721748965, 24, 1241324, ... ) == 0x18 00612 468 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x80503f9 00613 468 NtGdiSelectBitmap (335610655, 721748965, ... ) == 0x185000f 00614 468 NtGdiSelectBitmap (503383045, 134546425, ... ) == 0x185000f 00615 468 NtGdiBitBlt (503383045, 0, 0, 32, 64, 335610655, 0, 0, 13369376, -1, 0, ... ) == 0x1 00616 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x2b0503e5 00617 468 NtGdiSelectBitmap (503383045, 25493519, ... 
) == 0x80503f9 00618 468 NtGdiDeleteObjectApp (721748965, ... ) == 0x1 00619 468 NtGdiDeleteObjectApp (503383045, ... ) == 0x1 00620 468 NtUserCallOneParam (0, 33, ... ) == 0x3009d 00621 468 NtUserSetCursorIconData (196765, 1241432, 1241448, 1242028, ... ) == 0x1 00622 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00623 468 NtUserGetDC (0, ... ) == 0x1010054 00624 468 NtGdiCreateDIBitmapInternal (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1705031d 00625 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00626 468 NtGdiSelectBitmap (335610655, 386204445, ... ) == 0x185000f 00627 468 NtGdiGetDCforBitmap (386204445, ... ) == 0x1401031f 00628 468 NtGdiSaveDC (335610655, ... ) == 0x1 00629 468 NtGdiSelectBitmap (335610655, 386204445, ... ) == 0x1705031d 00630 468 NtGdiGetDCObject (335610655, 524288, ... ) == 0x188000b 00631 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00632 468 NtGdiSetDIBitsToDeviceInternal (335610655, 0, 0, 32, 64, 0, 0, 0, 64, 3685084, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40 00633 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00634 468 NtGdiSelectBitmap (335610655, 386204445, ... ) == 0x1705031d 00635 468 NtGdiRestoreDC (335610655, -1, ... ) == 0x1 00636 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x1705031d 00637 468 NtGdiCreateCompatibleDC (335610655, ... ) == 0x2d0103e5 00638 468 NtGdiExtGetObjectW (386204445, 24, 1241324, ... ) == 0x18 00639 468 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xf0503ef 00640 468 NtGdiSelectBitmap (335610655, 386204445, ... ) == 0x185000f 00641 468 NtGdiSelectBitmap (755041253, 251986927, ... ) == 0x185000f 00642 468 NtGdiBitBlt (755041253, 0, 0, 32, 64, 335610655, 0, 0, 13369376, -1, 0, ... ) == 0x1 00643 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x1705031d 00644 468 NtGdiSelectBitmap (755041253, 25493519, ... ) == 0xf0503ef 00645 468 NtGdiDeleteObjectApp (386204445, ... 
) == 0x1 00646 468 NtGdiDeleteObjectApp (755041253, ... ) == 0x1 00647 468 NtUserCallOneParam (0, 33, ... ) == 0x2009b 00648 468 NtUserSetCursorIconData (131227, 1241432, 1241448, 1242028, ... ) == 0x1 00649 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00650 468 NtUserGetDC (0, ... ) == 0x1010054 00651 468 NtGdiCreateDIBitmapInternal (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x20050405 00652 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00653 468 NtGdiSelectBitmap (335610655, 537199621, ... ) == 0x185000f 00654 468 NtGdiGetDCforBitmap (537199621, ... ) == 0x1401031f 00655 468 NtGdiSaveDC (335610655, ... ) == 0x1 00656 468 NtGdiSelectBitmap (335610655, 537199621, ... ) == 0x20050405 00657 468 NtGdiGetDCObject (335610655, 524288, ... ) == 0x188000b 00658 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00659 468 NtGdiSetDIBitsToDeviceInternal (335610655, 0, 0, 32, 64, 0, 0, 0, 64, 3685700, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40 00660 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00661 468 NtGdiSelectBitmap (335610655, 537199621, ... ) == 0x20050405 00662 468 NtGdiRestoreDC (335610655, -1, ... ) == 0x1 00663 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x20050405 00664 468 NtGdiCreateCompatibleDC (335610655, ... ) == 0x1901031d 00665 468 NtGdiExtGetObjectW (537199621, 24, 1241324, ... ) == 0x18 00666 468 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x90503fb 00667 468 NtGdiSelectBitmap (335610655, 537199621, ... ) == 0x185000f 00668 468 NtGdiSelectBitmap (419496733, 151323643, ... ) == 0x185000f 00669 468 NtGdiBitBlt (419496733, 0, 0, 32, 64, 335610655, 0, 0, 13369376, -1, 0, ... ) == 0x1 00670 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x20050405 00671 468 NtGdiSelectBitmap (419496733, 25493519, ... ) == 0x90503fb 00672 468 NtGdiDeleteObjectApp (537199621, ... ) == 0x1 00673 468 NtGdiDeleteObjectApp (419496733, ... 
) == 0x1 00674 468 NtUserCallOneParam (0, 33, ... ) == 0x30099 00675 468 NtUserSetCursorIconData (196761, 1241432, 1241448, 1242028, ... ) == 0x1 00676 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00677 468 NtUserGetDC (0, ... ) == 0x1010054 00678 468 NtGdiCreateDIBitmapInternal (16842836, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x2f0503e5 00679 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00680 468 NtGdiSelectBitmap (335610655, 788857829, ... ) == 0x185000f 00681 468 NtGdiGetDCforBitmap (788857829, ... ) == 0x1401031f 00682 468 NtGdiSaveDC (335610655, ... ) == 0x1 00683 468 NtGdiSelectBitmap (335610655, 788857829, ... ) == 0x2f0503e5 00684 468 NtGdiGetDCObject (335610655, 524288, ... ) == 0x188000b 00685 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00686 468 NtGdiSetDIBitsToDeviceInternal (335610655, 0, 0, 32, 64, 0, 0, 0, 64, 3685392, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40 00687 468 NtUserSelectPalette (335610655, 25690123, 0, ... ) == 0x188000b 00688 468 NtGdiSelectBitmap (335610655, 788857829, ... ) == 0x2f0503e5 00689 468 NtGdiRestoreDC (335610655, -1, ... ) == 0x1 00690 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x2f0503e5 00691 468 NtGdiCreateCompatibleDC (335610655, ... ) == 0x22010405 00692 468 NtGdiExtGetObjectW (788857829, 24, 1241324, ... ) == 0x18 00693 468 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x60503f8 00694 468 NtGdiSelectBitmap (335610655, 788857829, ... ) == 0x185000f 00695 468 NtGdiSelectBitmap (570491909, 100991992, ... ) == 0x185000f 00696 468 NtGdiBitBlt (570491909, 0, 0, 32, 64, 335610655, 0, 0, 13369376, -1, 0, ... ) == 0x1 00697 468 NtGdiSelectBitmap (335610655, 25493519, ... ) == 0x2f0503e5 00698 468 NtGdiSelectBitmap (570491909, 25493519, ... ) == 0x60503f8 00699 468 NtGdiDeleteObjectApp (788857829, ... ) == 0x1 00700 468 NtGdiDeleteObjectApp (570491909, ... ) == 0x1 00701 468 NtUserCallOneParam (0, 33, ... 
) == 0x4006d 00702 468 NtUserSetCursorIconData (262253, 1241432, 1241448, 1242028, ... ) == 0x1 00703 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10015 00704 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10019 00705 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x1001f 00706 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x1001b 00707 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10021 00708 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x1001d 00709 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10013 00710 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10017 00711 468 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10011 00712 468 NtUserCallOneParam (0, 39, ... ) == 0x4090409 00713 468 NtUserGetDC (0, ... ) == 0x1010054 00714 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00715 468 NtUserEnumDisplayMonitors (0, 0, 3408484, 9443008, ... ) == 0x1 00716 468 NtUserSystemParametersInfo (31, 60, 1241588, 0, ... ) == 0x1 00717 468 NtGdiHfontCreate (1241984, 356, 0, 0, 1329296, ... ) == 0x230a0405 00718 468 NtGdiExtGetObjectW (587858949, 420, 1241808, ... ) == 0x164 00719 468 NtUserSystemParametersInfo (41, 0, 1241788, 0, ... ) == 0x1 00720 468 NtGdiHfontCreate (1241984, 356, 0, 0, 1329288, ... ) == 0x1b0a031d 00721 468 NtGdiExtGetObjectW (453640989, 420, 1241808, ... ) == 0x164 00722 468 NtGdiHfontCreate (1241984, 356, 0, 0, 1329280, ... ) == 0x300a03e5 00723 468 NtGdiExtGetObjectW (805962725, 420, 1241808, ... ) == 0x164 00724 468 NtUserFindExistingCursorIcon (1241896, 1241912, 1242480, ... ) == 0x0 00725 468 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 64, ... 4063232, 4096, ) == 0x0 00726 468 NtUserGetKeyboardLayoutList (64, 1242468, ... ) == 0x1 00727 468 NtUserRegisterWindowMessage ( ("Delphi Picture", ... ) , ... 
) == 0xc0cc 00728 468 NtUserRegisterWindowMessage ( ("Delphi Component", ... ) , ... ) == 0xc0cd 00729 468 NtOpenMutant (0x1f0001, {24, 76, 0x0, 0, 0, (0x1f0001, {24, 76, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 468 NtUserSetWindowsHookEx (3276800, 1243796, 0, 4, 3284668, 2, ... ) == 0x4006b 00731 468 NtContinue (1244400, 0, ... 00732 468 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 4128768, 4096, ) == 0x0 00733 468 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 10485760, 28672, ) == 0x0 00734 468 NtFreeVirtualMemory (-1, (0xa00000), 0, 32768, ... (0xa00000), 28672, ) == 0x0 00735 468 NtFreeVirtualMemory (-1, (0x3f0144), 0, 32768, ... (0x3f0000), 4096, ) == 0x0 00736 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00737 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4128768, 65536, ) == 0x0 00738 468 NtAllocateVirtualMemory (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0 00739 468 NtAllocateVirtualMemory (-1, 4132864, 0, 20480, 4096, 4, ... 4132864, 20480, ) == 0x0 00740 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10485760, 1048576, ) == 0x0 00741 468 NtAllocateVirtualMemory (-1, 10485760, 0, 32768, 4096, 4, ... 10485760, 32768, ) == 0x0 00742 468 NtCreateMutant (0x1f0001, {24, 76, 0x80, 0, 0, (0x1f0001, {24, 76, 0x80, 0, 0, "Jobaka3"}, 0, ... 84, ) }, 0, ... 84, ) == 0x0 00743 468 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 88, ) }, ... 88, ) == 0x0 00744 468 NtQueryValueKey (88, (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00745 468 NtQueryValueKey (88, (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00746 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0 00747 468 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "Protocol_Catalog9"}, ... 96, ) }, ... 96, ) == 0x0 00748 468 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00749 468 NtNotifyChangeKey (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00750 468 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00751 468 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00752 468 NtQueryValueKey (96, (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00753 468 NtQueryValueKey (96, (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00754 468 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0 00755 468 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00756 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0 00757 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00758 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00759 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\370\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\371\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\372\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\370\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\371\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\372\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\370\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\370\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\371\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\371\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\372\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\372\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\373\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00760 468 NtClose (104, ... ) == 0x0 00761 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0 00762 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00763 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00764 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\375\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\375\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\376\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\377\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\375\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\375\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\376\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\377\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\375\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\375\2\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\376\2\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\377\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\377\2\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\0\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00765 468 NtClose (104, ... ) == 0x0 00766 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0 00767 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00768 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00769 468 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00770 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\3\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\4\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\5\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\3\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\4\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\5\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\3\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\3\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\4\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\4\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\5\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\5\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\6\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00771 468 NtClose (104, ... ) == 0x0 00772 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 104, ) }, ... 104, ) == 0x0 00773 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00774 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00775 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\10\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\10\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\11\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\12\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\10\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\10\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\11\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\12\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\10\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\10\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\11\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\11\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\12\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\12\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\13\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00776 468 NtClose (104, ... ) == 0x0 00777 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 104, ) }, ... 104, ) == 0x0 00778 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00779 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00780 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\15\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\15\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\16\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\17\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\15\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\15\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\16\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\17\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\15\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\15\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\16\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\17\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\17\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\20\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00781 468 NtClose (104, ... ) == 0x0 00782 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 104, ) }, ... 104, ) == 0x0 00783 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00784 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00785 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\22\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\22\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\23\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\24\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\22\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\22\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\23\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\24\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\22\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\22\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\23\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\24\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\24\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\25\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00786 468 NtClose (104, ... ) == 0x0 00787 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 104, ) }, ... 104, ) == 0x0 00788 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00789 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00790 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\27\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\27\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\30\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\31\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\31\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\32\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\27\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\27\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\30\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\31\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\31\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\32\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\31\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\32\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\27\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\27\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\30\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\31\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\31\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\32\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00791 468 NtClose (104, ... ) == 0x0 00792 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 104, ) }, ... 104, ) == 0x0 00793 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00794 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00795 468 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00796 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\35\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\36\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\37\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\35\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\36\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\37\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 
\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\35\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0\35\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\36\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\36\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0\37\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\37\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0 \3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00797 468 NtClose (104, ... 
) == 0x0 00798 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 104, ) }, ... 104, ) == 0x0 00799 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00800 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00801 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0"\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0#\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0"\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0#\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0"\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0#\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0"\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0"\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0#\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0$\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0%\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00802 468 NtClose (104, ... ) == 0x0 00803 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 104, ) }, ... 104, ) == 0x0 00804 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00805 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00806 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0'\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0'\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0(\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0)\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0'\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0'\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0(\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0)\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0 (104, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0'\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0'\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0(\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xn\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0(\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0h\0\0\0)\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0)\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0*\3\0\0\314\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0h\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00807 468 NtClose (104, ... ) == 0x0 00808 468 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 104, ) }, ... 104, ) == 0x0 00809 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00810 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00811 468 NtQueryValueKey (104, (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0,\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0,\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0-\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0-\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\3\0\0\314\1\0\0\324\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.\3\0\0\314\1\0\0\324\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0/\3\0\0\314\1\0\0\324\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0/\3\0\0\314\1\0\0\324\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\00\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\214\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hm\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (104, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0,\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0h\0\0\0,\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0-\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\0-\3\0\0\314\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\3\0\0\314\1\0\0\324\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.\3\0\0\314\1\0\0\324\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0/\3\0\0\314\1\0\0\324\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0/\3\0\0\314\1\0\0\324\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\00\3\0\0\314\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0X\0\0\0\214\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0Hm\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 00812 468 NtClose (104, ... ) == 0x0 00813 468 NtClose (100, ... ) == 0x0 00814 468 NtWaitForSingleObject (92, 0, {0, 0}, ... 
) == 0x102 00815 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0 00816 468 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 104, ) }, ... 104, ) == 0x0 00817 468 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00818 468 NtNotifyChangeKey (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00819 468 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00820 468 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00821 468 NtQueryValueKey (104, (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00822 468 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 108, ) }, ... 108, ) == 0x0 00823 468 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000001"}, ... 112, ) }, ... 112, ) == 0x0 00824 468 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00825 468 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00826 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00827 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00828 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00829 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00830 468 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00831 468 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00832 468 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00833 468 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00834 468 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00835 468 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00836 468 NtClose (112, ... ) == 0x0 00837 468 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00838 468 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000002"}, ... 112, ) }, ... 112, ) == 0x0 00839 468 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00840 468 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00841 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00842 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00843 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00844 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00845 468 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00846 468 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00847 468 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00848 468 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00849 468 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00850 468 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00851 468 NtClose (112, ... ) == 0x0 00852 468 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000003"}, ... 112, ) }, ... 112, ) == 0x0 00853 468 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00854 468 NtQueryValueKey (112, (112, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00855 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00856 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00857 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00858 468 NtQueryValueKey (112, (112, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00859 468 NtQueryValueKey (112, (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (112, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00860 468 NtQueryValueKey (112, (112, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00861 468 NtQueryValueKey (112, (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00862 468 NtQueryValueKey (112, (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00863 468 NtQueryValueKey (112, (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00864 468 NtQueryValueKey (112, (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00865 468 NtClose (112, ... 
) == 0x0
00866 468 NtClose (108, ... ) == 0x0
00867 468 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x102
00868 468 NtClose (88, ... ) == 0x0
00869 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
00870 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
00871 468 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 88, ) == 0x0
00872 468 NtQueryValueKey (88, "Ws2_32NumHandleBuckets", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00873 468 NtClose (88, ... ) == 0x0
00874 468 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0
00875 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241680, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0
00876 468 NtQueryInformationFile (108, 1242616, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
00877 468 NtQueryInformationFile (108, 1242588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
00878 468 NtQueryInformationFile (108, 1242540, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
00879 468 NtAllocateVirtualMemory (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
00880 468 NtQueryInformationFile (108, 1353704, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
00881 468 NtQueryInformationFile (108, 1241084, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
00882 468 NtQueryInformationFile (108, 1240928, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
00883 468 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240936, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ...
00884 468 NtClose (-2147482004, ... ) == 0x0
00883 468 NtCreateFile ... 112, {status=0x0, info=2}, ) == 0x0
00885 468 NtQueryVolumeInformationFile (112, 1240308, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
00886 468 NtQueryInformationFile (112, 1240268, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
00887 468 NtQueryVolumeInformationFile (108, 1240308, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
00888 468 NtQueryVolumeInformationFile (108, 1239992, 8, Device, ... {status=0x0, info=8}, ) == 0x0
00889 468 NtSetInformationFile (112, 1240096, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
00890 468 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 108, ... 116, ) == 0x0
00891 468 NtMapViewOfSection (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb00000), {0, 0}, 196608, ) == 0x0
00892 468 NtClose (116, ... 
) == 0x0 00893 468 NtWriteFile (112, 0, 0, 0, (112, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\204\214\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 00894 468 NtWriteFile (112, 0, 0, 0, (112, 0, 0, 0, "\353\241\300\344g\317\226X\361\310\202\374\0-[\215\11\246\316\30c\341>\324\207\214\344d\141\207\340\364\17\305B\177\202\257\12\177T\34\355\213\200\301oT^\3\375\352 \256\277\312\227\10\360;vh\335\373\26\16\257;\303\255\250\353\10\313\300G\304X\350\6\222\243m\321\366\16\3656\1\30\213\276\362\16\323/\336Kx\176\260\270\240\206\330e\11C?\360G\2743<\217wf\260\302\374\320+w\334\2023\240\350 &\301\313\7\21w\234\30\375{\324\215Jo\362\245\36d\212x\355\374\246\332\205[\2\224\240?\35\205J\223\234>\337;g6\12\12\204\244\2516\227V\222hU\243\251\372"\352\311\352@\352*\20784\241\235f\24\202\17X\244B\221\337\6v'\307*\316'\216X\236\13l\27\363\351\332\37\235n\326*\261\325Xn\242\20\235s\254\127u\225\250\36\356\251U3\6\236\372\3620\266\1U\203\337e,*S;\253\362\11[\3r\325\25\313\12h\352\240\304\364\225Jf{\263\356%\245Z\234\266\374$\202,\233\333\14\30B\22\360\354\17Y\362'8_\200t\270\212\303\2s;\303\330\353\304\302\374sS.\22\300\14\213\333\347\20\266[\266{\13,5E/j\212#\216\213o\265\332Pi.+\214\2002\313\302\272\317r\36\347\231\311\331\33$m;\211~\266\271\200%\225\20T\362j\25^n\306\3pA&\32\360s\272\254\330Gbh\241\252\16W\324\204\335\215\310L\205*\264=KM\221\253\300\260\354'8\13\300:\206by\214\263\235\324*J\333S\203^5\345\313\275\252\23\276G\376yG+\211\316\360}\345\224d4\24\341O~\270\340QW\254\272\312\364Z':`Z\217r\203\232\276\242=\10"\16:F\0*x`1\15\0n\317\306\242(\273\305\14", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \352\311\352@\352*\20784\241\235f\24\202\17X\244B\221\337\6v'\307*\316'\216X\236\13l\27\363\351\332\37\235n\326*\261\325Xn\242\20\235s\254\127u\225\250\36\356\251U3\6\236\372\3620\266\1U\203\337e,*S;\253\362\11[\3r\325\25\313\12h\352\240\304\364\225Jf{\263\356%\245Z\234\266\374$\202,\233\333\14\30B\22\360\354\17Y\362'8_\200t\270\212\303\2s;\303\330\353\304\302\374sS.\22\300\14\213\333\347\20\266[\266{\13,5E/j\212#\216\213o\265\332Pi.+\214\2002\313\302\272\317r\36\347\231\311\331\33$m;\211~\266\271\200%\225\20T\362j\25^n\306\3pA&\32\360s\272\254\330Gbh\241\252\16W\324\204\335\215\310L\205*\264=KM\221\253\300\260\354'8\13\300:\206by\214\263\235\324*J\333S\203^5\345\313\275\252\23\276G\376yG+\211\316\360}\345\224d4\24\341O~\270\340QW\254\272\312\364Z':`Z\217r\203\232\276\242=\10 (112, 0, 0, 0, "\353\241\300\344g\317\226X\361\310\202\374\0-[\215\11\246\316\30c\341>\324\207\214\344d\141\207\340\364\17\305B\177\202\257\12\177T\34\355\213\200\301oT^\3\375\352 \256\277\312\227\10\360;vh\335\373\26\16\257;\303\255\250\353\10\313\300G\304X\350\6\222\243m\321\366\16\3656\1\30\213\276\362\16\323/\336Kx\176\260\270\240\206\330e\11C?\360G\2743<\217wf\260\302\374\320+w\334\2023\240\350 
&\301\313\7\21w\234\30\375{\324\215Jo\362\245\36d\212x\355\374\246\332\205[\2\224\240?\35\205J\223\234>\337;g6\12\12\204\244\2516\227V\222hU\243\251\372"\352\311\352@\352*\20784\241\235f\24\202\17X\244B\221\337\6v'\307*\316'\216X\236\13l\27\363\351\332\37\235n\326*\261\325Xn\242\20\235s\254\127u\225\250\36\356\251U3\6\236\372\3620\266\1U\203\337e,*S;\253\362\11[\3r\325\25\313\12h\352\240\304\364\225Jf{\263\356%\245Z\234\266\374$\202,\233\333\14\30B\22\360\354\17Y\362'8_\200t\270\212\303\2s;\303\330\353\304\302\374sS.\22\300\14\213\333\347\20\266[\266{\13,5E/j\212#\216\213o\265\332Pi.+\214\2002\313\302\272\317r\36\347\231\311\331\33$m;\211~\266\271\200%\225\20T\362j\25^n\306\3pA&\32\360s\272\254\330Gbh\241\252\16W\324\204\335\215\310L\205*\264=KM\221\253\300\260\354'8\13\300:\206by\214\263\235\324*J\333S\203^5\345\313\275\252\23\276G\376yG+\211\316\360}\345\224d4\24\341O~\270\340QW\254\272\312\364Z':`Z\217r\203\232\276\242=\10"\16:F\0*x`1\15\0n\317\306\242(\273\305\14", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 00895 468 NtWriteFile (112, 0, 0, 0, (112, 0, 0, 0, "\236\32\206\207\202\341\301\364!\256ZkH\3045\21\206~\0\273\317n\201\271\356\16\336\32<\220\200\13y\334y\271\311=\253\13\14\10\354c\310\31\12\207\372J\215\242\243w\30\363\214\200\17 \267\14\365\270B\222\351\364j<\6o\10\0;O\16\256\261\3425!\343\32~\30\5\331E \10\354=E\22;%\312\2543\305\5\10>\311KS\344U\2_9=\12\267\253\372\203\206^w\310\200+X\220{P\317\23\35f\303+\305\345P\212HeP\374\247\323P\277\327vR\330\370R\233)\265\373\365\240S&\260\203\372\201\357\274\364\351&(\23\201u\245\25vc\275\17\4l\330)F\|D\35\30\211\321*\200\361\375\305c\5*,\215\340J\344Dg\271\276\373_\6\341\260X\300\254\277\250Q\277b\237\307\202\321\26S\366\203\24\207\4\222;\30\336\4Z\36\32:\244\25\276\3)\200\301\362\205\242\255&\235\1/\327=\366\17\303\305\253\376\205\373L\2732\310J\227\363\353+\14\21Z\205\355\330\204\6\377\213P\32\206m\324\354\211\21\0zD\307W\370[5\210b\302\17L\354T@"\13O\3\322\1\232\314\340\301*\203\270\313\14\277\336\275\220\207\35U}\227\314\304\2330\224N\303M\200\262\225\200\264\2120\0\373\2036\347\361\313\325\244m\246\14\30399m\216(J\320\16#\204\261\3+\5 \351\22\205\0\7\32(C\23q\307\5\14z\226\260\27\253G\06\16B0d\233(\206\24\215\213WA\32z\352<\245\4\264w\264\0gk\330!6\231%O\27\2571\30\2\22\34\5\375d-\206\302\210\3119\340\211\273\231\271e\2039.tuv~\233\273\307t\225\264\237_\364wVmx\220M\267\3724\202\306\353\317\211\225G\227\320\244\265D\237\350\370Cg4\366;F4\320", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \13O\3\322\1\232\314\340\301*\203\270\313\14\277\336\275\220\207\35U}\227\314\304\2330\224N\303M\200\262\225\200\264\2120\0\373\2036\347\361\313\325\244m\246\14\30399m\216(J\320\16#\204\261\3+\5 \351\22\205\0\7\32(C\23q\307\5\14z\226\260\27\253G\06\16B0d\233(\206\24\215\213WA\32z\352<\245\4\264w\264\0gk\330!6\231%O\27\2571\30\2\22\34\5\375d-\206\302\210\3119\340\211\273\231\271e\2039.tuv~\233\273\307t\225\264\237_\364wVmx\220M\267\3724\202\306\353\317\211\225G\227\320\244\265D\237\350\370Cg4\366;F4\320", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 00896 468 NtWriteFile (112, 0, 0, 0, (112, 0, 0, 0, "\241v\217\360$\27\237\271P*\264\360_+\362d\212*\200\377^\216\204\262\254-0\21\231+\250\337\336=\1p\270ke\377W\367N\261X@\204E\2130v\27\251$\255Y\366#\327L\0\277n\372\27d\2241\370\276\340\34\345\357\215\17\201\21K\377\27\337\235\30\264\272\320"\274\301\210\33\214\36\225l\247m\317\5\351\4\303\277U\364d/\3202`\201\206{\222%qg\265\13\245\243\213\13|\212v\347\206\225{Y\252\234\266m\265\254g\304\257\202\3360\207I\335\374W\274\257\360\222)\316\36\207\333\340\1\276\35\220,\206?\372\361@\235~\277\305X\221S\247\333\241\1\200\250v\374\250\4\234\13\337\250\335\55c\244+\3238\276\3Rp\353p\2043\225\16\273\206\236\22\2679\353\201W\324y\263*7\320\32\202\240\256\212\203=\376"\260$\2347\221\34\32>\247\25\37&\243<\256\321>#\210\3\350M\221#W \235\374Kr\214\32X\33q\22\206i9(\266\20\243\346\277Dv\377\367\323vQ\252\300\346\204X?\207\14pt\210\360\331*\227\165,\276\35\307\63\13\301\10\211\205\260lo\31\3300y\322u)Qm\257^\2643\3117\257\17z4\336\13IDv\366\262i\226\36\2\206\5A\3235\316\10\350$\306\222\352\320\203Z\312\334\236\26\16\203B\262\360\243\370-\242\232"\300\2753\25XIH\360-\360\360\203\246\306v\341\253\261\244"\271\23\354\350W\256\2567\315\0\301\17\267\13\203>\201\4\257\245\241P/\207\235\301\204\324\12\270\246H\247+9[\35\235\253\12\205n\247\315\244+\254\247,\324y\2/8\215B\275\342\234v\216\12\357B.\333\37\2\27\351D\306^4\242\2\270k\313/# 
\22\5\251\31\243\333\262t~\12\277$\226v\275-\213\21\212,\216\5", 9184, 0x0, 0, ... {status=0x0, info=9184}, ) \274\301\210\33\214\36\225l\247m\317\5\351\4\303\277U\364d/\3202`\201\206{\222%qg\265\13\245\243\213\13|\212v\347\206\225{Y\252\234\266m\265\254g\304\257\202\3360\207I\335\374W\274\257\360\222)\316\36\207\333\340\1\276\35\220,\206?\372\361@\235~\277\305X\221S\247\333\241\1\200\250v\374\250\4\234\13\337\250\335\55c\244+\3238\276\3Rp\353p\2043\225\16\273\206\236\22\2679\353\201W\324y\263*7\320\32\202\240\256\212\203=\376 (112, 0, 0, 0, "\241v\217\360$\27\237\271P*\264\360_+\362d\212*\200\377^\216\204\262\254-0\21\231+\250\337\336=\1p\270ke\377W\367N\261X@\204E\2130v\27\251$\255Y\366#\327L\0\277n\372\27d\2241\370\276\340\34\345\357\215\17\201\21K\377\27\337\235\30\264\272\320"\274\301\210\33\214\36\225l\247m\317\5\351\4\303\277U\364d/\3202`\201\206{\222%qg\265\13\245\243\213\13|\212v\347\206\225{Y\252\234\266m\265\254g\304\257\202\3360\207I\335\374W\274\257\360\222)\316\36\207\333\340\1\276\35\220,\206?\372\361@\235~\277\305X\221S\247\333\241\1\200\250v\374\250\4\234\13\337\250\335\55c\244+\3238\276\3Rp\353p\2043\225\16\273\206\236\22\2679\353\201W\324y\263*7\320\32\202\240\256\212\203=\376"\260$\2347\221\34\32>\247\25\37&\243<\256\321>#\210\3\350M\221#W \235\374Kr\214\32X\33q\22\206i9(\266\20\243\346\277Dv\377\367\323vQ\252\300\346\204X?\207\14pt\210\360\331*\227\165,\276\35\307\63\13\301\10\211\205\260lo\31\3300y\322u)Qm\257^\2643\3117\257\17z4\336\13IDv\366\262i\226\36\2\206\5A\3235\316\10\350$\306\222\352\320\203Z\312\334\236\26\16\203B\262\360\243\370-\242\232"\300\2753\25XIH\360-\360\360\203\246\306v\341\253\261\244"\271\23\354\350W\256\2567\315\0\301\17\267\13\203>\201\4\257\245\241P/\207\235\301\204\324\12\270\246H\247+9[\35\235\253\12\205n\247\315\244+\254\247,\324y\2/8\215B\275\342\234v\216\12\357B.\333\37\2\27\351D\306^4\242\2\270k\313/# \22\5\251\31\243\333\262t~\12\277$\226v\275-\213\21\212,\216\5", 9184, 0x0, 0, ... 
{status=0x0, info=9184}, ) \300\2753\25XIH\360-\360\360\203\246\306v\341\253\261\244 (112, 0, 0, 0, "\241v\217\360$\27\237\271P*\264\360_+\362d\212*\200\377^\216\204\262\254-0\21\231+\250\337\336=\1p\270ke\377W\367N\261X@\204E\2130v\27\251$\255Y\366#\327L\0\277n\372\27d\2241\370\276\340\34\345\357\215\17\201\21K\377\27\337\235\30\264\272\320"\274\301\210\33\214\36\225l\247m\317\5\351\4\303\277U\364d/\3202`\201\206{\222%qg\265\13\245\243\213\13|\212v\347\206\225{Y\252\234\266m\265\254g\304\257\202\3360\207I\335\374W\274\257\360\222)\316\36\207\333\340\1\276\35\220,\206?\372\361@\235~\277\305X\221S\247\333\241\1\200\250v\374\250\4\234\13\337\250\335\55c\244+\3238\276\3Rp\353p\2043\225\16\273\206\236\22\2679\353\201W\324y\263*7\320\32\202\240\256\212\203=\376"\260$\2347\221\34\32>\247\25\37&\243<\256\321>#\210\3\350M\221#W \235\374Kr\214\32X\33q\22\206i9(\266\20\243\346\277Dv\377\367\323vQ\252\300\346\204X?\207\14pt\210\360\331*\227\165,\276\35\307\63\13\301\10\211\205\260lo\31\3300y\322u)Qm\257^\2643\3117\257\17z4\336\13IDv\366\262i\226\36\2\206\5A\3235\316\10\350$\306\222\352\320\203Z\312\334\236\26\16\203B\262\360\243\370-\242\232"\300\2753\25XIH\360-\360\360\203\246\306v\341\253\261\244"\271\23\354\350W\256\2567\315\0\301\17\267\13\203>\201\4\257\245\241P/\207\235\301\204\324\12\270\246H\247+9[\35\235\253\12\205n\247\315\244+\254\247,\324y\2/8\215B\275\342\234v\216\12\357B.\333\37\2\27\351D\306^4\242\2\270k\313/# \22\5\251\31\243\333\262t~\12\277$\226v\275-\213\21\212,\216\5", 9184, 0x0, 0, ... {status=0x0, info=9184}, ) , 9184, 0x0, 0, ... {status=0x0, info=9184}, ) == 0x0 00897 468 NtUnmapViewOfSection (-1, 0xb00000, ... ) == 0x0 00898 468 NtSetInformationFile (112, 1242540, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00899 468 NtClose (108, ... ) == 0x0 00900 468 NtClose (112, ... ) == 0x0 00901 468 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 112, ) }, ... 
112, ) == 0x0 00902 468 NtSetValueKey (112, (112, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (112, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00903 468 NtSetInformationFile (-2147482808, -136444108, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00904 468 NtSetInformationFile (-2147482808, -136444200, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00905 468 NtSetInformationFile (-2147482808, -136444508, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00902 468 NtSetValueKey ... ) == 0x0 00906 468 NtClose (112, ... ) == 0x0 00907 468 NtCreateMutant (0x1f0001, {24, 76, 0x80, 0, 0, (0x1f0001, {24, 76, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 112, ) }, 0, ... 112, ) == 0x0 00908 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11534336, 1048576, ) == 0x0 00909 468 NtAllocateVirtualMemory (-1, 12574720, 0, 8192, 4096, 4, ... 12574720, 8192, ) == 0x0 00910 468 NtProtectVirtualMemory (-1, (0xbfe000), 4096, 260, ... (0xbfe000), 4096, 4, ) == 0x0 00911 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 108, {460, 588}, ) == 0x0 00912 468 NtQueryInformationThread (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=460,Tid=588,}, 0x0, ) == 0x0 00913 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932} (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932} "\0\0\0\0\1\0\1\0C:\WINDOl\0\0\0\314\1\0\0L\2\0\0" ... {28, 56, reply, 0, 460, 468, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\0\0\0\314\1\0\0L\2\0\0" ) ... {28, 56, reply, 0, 460, 468, 1517, 0} (24, {28, 56, new_msg, 0, 1243948, 1244004, 2010981548, 1243932} "\0\0\0\0\1\0\1\0C:\WINDOl\0\0\0\314\1\0\0L\2\0\0" ... {28, 56, reply, 0, 460, 468, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\0\0\0\314\1\0\0L\2\0\0" ) ) == 0x0 00914 468 NtResumeThread (108, ... 
1, ) == 0x0 00915 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12582912, 1048576, ) == 0x0 00916 588 NtTestAlert (... ) == 0x0 00917 588 NtContinue (12582192, 1, ... 00918 588 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00919 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 116, ) == 0x0 00920 588 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 00921 588 NtAllocateVirtualMemory (-1, 12570624, 0, 4096, 4096, 260, ... 00922 468 NtAllocateVirtualMemory (-1, 13623296, 0, 8192, 4096, 4, ... 13623296, 8192, ) == 0x0 00923 468 NtProtectVirtualMemory (-1, (0xcfe000), 4096, 260, ... (0xcfe000), 4096, 4, ) == 0x0 00924 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 120, {460, 572}, ) == 0x0 00925 468 NtQueryInformationThread (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=460,Tid=572,}, 0x0, ) == 0x0 00926 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1517, 0} (24, {28, 56, new_msg, 0, 460, 468, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\0\0\0\314\1\0\0<\2\0\0" ... {28, 56, reply, 0, 460, 468, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\0\0\0\314\1\0\0<\2\0\0" ) ... {28, 56, reply, 0, 460, 468, 1518, 0} (24, {28, 56, new_msg, 0, 460, 468, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\0\0\0\314\1\0\0<\2\0\0" ... {28, 56, reply, 0, 460, 468, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\0\0\0\314\1\0\0<\2\0\0" ) ) == 0x0 00927 468 NtResumeThread (120, ... 00921 588 NtAllocateVirtualMemory ... 12570624, 4096, ) == 0x0 00928 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579388, ... ) }, 12579388, ... ) == 0x0 00929 588 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0 00930 588 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0 00931 588 NtClose (124, ... 
) == 0x0 00927 468 NtResumeThread ... 1, ) == 0x0 00932 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13631488, 1048576, ) == 0x0 00933 468 NtAllocateVirtualMemory (-1, 14671872, 0, 8192, 4096, 4, ... 14671872, 8192, ) == 0x0 00934 468 NtProtectVirtualMemory (-1, (0xdfe000), 4096, 260, ... (0xdfe000), 4096, 4, ) == 0x0 00935 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 124, {460, 580}, ) == 0x0 00936 468 NtQueryInformationThread (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=460,Tid=580,}, 0x0, ) == 0x0 00937 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1518, 0} (24, {28, 56, new_msg, 0, 460, 468, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\0\0\0\314\1\0\0D\2\0\0" ... ... 00938 588 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 00939 572 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00938 588 NtMapViewOfSection ... (0xe00000), 0x0, 229376, ) == 0x0 00939 572 NtCreateEvent ... 132, ) == 0x0 00940 588 NtClose (128, ... 00941 572 NtWaitForSingleObject (132, 0, 0x0, ... 00940 588 NtClose ... ) == 0x0 00942 588 NtUnmapViewOfSection (-1, 0xe00000, ... ) == 0x0 00943 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579704, ... ) }, 12579704, ... ) == 0x0 00944 588 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00945 588 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 128, ... 136, ) == 0x0 00937 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1519, 0} ... {28, 56, reply, 0, 460, 468, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\0\0\0\314\1\0\0D\2\0\0" ) ) == 0x0 00946 468 NtResumeThread (124, ... 1, ) == 0x0 00947 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14680064, 1048576, ) == 0x0 00948 468 NtAllocateVirtualMemory (-1, 15720448, 0, 8192, 4096, 4, ... 
15720448, 8192, ) == 0x0 00949 468 NtProtectVirtualMemory (-1, (0xefe000), 4096, 260, ... (0xefe000), 4096, 4, ) == 0x0 00950 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 140, {460, 584}, ) == 0x0 00951 588 NtQuerySection (136, Image, 48, ... 00952 580 NtWaitForSingleObject (132, 0, 0x0, ... 00951 588 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 00953 588 NtClose (128, ... ) == 0x0 00954 588 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 00955 588 NtClose (136, ... ) == 0x0 00956 588 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00957 588 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00958 468 NtQueryInformationThread (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=460,Tid=584,}, 0x0, ) == 0x0 00959 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1519, 0} (24, {28, 56, new_msg, 0, 460, 468, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0\314\1\0\0H\2\0\0" ... {28, 56, reply, 0, 460, 468, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0\314\1\0\0H\2\0\0" ) ... {28, 56, reply, 0, 460, 468, 1520, 0} (24, {28, 56, new_msg, 0, 460, 468, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0\314\1\0\0H\2\0\0" ... {28, 56, reply, 0, 460, 468, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0\314\1\0\0H\2\0\0" ) ) == 0x0 00960 468 NtResumeThread (140, ... 1, ) == 0x0 00961 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15728640, 1048576, ) == 0x0 00962 468 NtAllocateVirtualMemory (-1, 16769024, 0, 8192, 4096, 4, ... 16769024, 8192, ) == 0x0 00963 468 NtProtectVirtualMemory (-1, (0xffe000), 4096, 260, ... 
00964 588 NtSetEventBoostPriority (132, ... 00965 584 NtWaitForSingleObject (132, 0, 0x0, ... 00941 572 NtWaitForSingleObject ... ) == 0x0 00964 588 NtSetEventBoostPriority ... ) == 0x0 00966 572 NtSetEventBoostPriority (132, ... 00952 580 NtWaitForSingleObject ... ) == 0x0 00967 580 NtSetEventBoostPriority (132, ... 00965 584 NtWaitForSingleObject ... ) == 0x0 00968 584 NtTestAlert (... ) == 0x0 00967 580 NtSetEventBoostPriority ... ) == 0x0 00966 572 NtSetEventBoostPriority ... ) == 0x0 00969 588 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00963 468 NtProtectVirtualMemory ... (0xffe000), 4096, 4, ) == 0x0 00970 584 NtContinue (15727920, 1, ... 00971 580 NtTestAlert (... 00969 588 NtCreateEvent ... 136, ) == 0x0 00972 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 00973 584 NtRegisterThreadTerminatePort (24, ... 00971 580 NtTestAlert ... ) == 0x0 00974 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579032, ... }, 12579032, ... 00972 468 NtCreateThread ... 128, {460, 576}, ) == 0x0 00973 584 NtRegisterThreadTerminatePort ... ) == 0x0 00975 580 NtContinue (14679344, 1, ... 00974 588 NtQueryAttributesFile ... ) == 0x0 00976 468 NtQueryInformationThread (128, Basic, 28, ... 00977 584 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00978 580 NtRegisterThreadTerminatePort (24, ... 00979 572 NtTestAlert (... 00976 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=460,Tid=576,}, 0x0, ) == 0x0 00977 584 NtDuplicateObject ... 144, ) == 0x0 00978 580 NtRegisterThreadTerminatePort ... ) == 0x0 00979 572 NtTestAlert ... ) == 0x0 00980 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1520, 0} (24, {28, 56, new_msg, 0, 460, 468, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\0\0\0\314\1\0\0@\2\0\0" ... ... 00981 584 NtWaitForSingleObject (100, 0, {0, 0}, ... 00982 580 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00983 572 NtContinue (13630768, 1, ... 
00984 588 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 00980 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1521, 0} ... {28, 56, reply, 0, 460, 468, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\0\0\0\314\1\0\0@\2\0\0" ) ) == 0x0 00981 584 NtWaitForSingleObject ... ) == 0x102 00985 572 NtRegisterThreadTerminatePort (24, ... 00984 588 NtOpenKey ... 148, ) == 0x0 00986 468 NtResumeThread (128, ... 00987 584 NtAllocateVirtualMemory (-1, 15716352, 0, 4096, 4096, 260, ... 00985 572 NtRegisterThreadTerminatePort ... ) == 0x0 00988 588 NtQueryValueKey (148, (148, "Transports", Partial, 144, ... , Partial, 144, ... 00986 468 NtResumeThread ... 1, ) == 0x0 00987 584 NtAllocateVirtualMemory ... 15716352, 4096, ) == 0x0 00989 572 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00988 588 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 00990 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00991 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15723564, ... }, 15723564, ... 00982 580 NtDuplicateObject ... 152, ) == 0x0 00992 576 NtWaitForSingleObject (132, 0, 0x0, ... 00993 588 NtQueryValueKey (148, (148, "Transports", Partial, 144, ... , Partial, 144, ... 00990 468 NtAllocateVirtualMemory ... 16777216, 1048576, ) == 0x0 00991 584 NtQueryAttributesFile ... ) == 0x0 00994 580 NtWaitForSingleObject (100, 0, {0, 0}, ... 00993 588 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 00989 572 NtDuplicateObject ... 156, ) == 0x0 00995 468 NtAllocateVirtualMemory (-1, 17817600, 0, 8192, 4096, 4, ... 00994 580 NtWaitForSingleObject ... ) == 0x102 00996 584 NtSetEventBoostPriority (132, ... 
00997 572 NtWaitForSingleObject (100, 0, {0, 0}, ... 00995 468 NtAllocateVirtualMemory ... 17817600, 8192, ) == 0x0 00998 580 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00992 576 NtWaitForSingleObject ... ) == 0x0 00996 584 NtSetEventBoostPriority ... ) == 0x0 00997 572 NtWaitForSingleObject ... ) == 0x102 00999 468 NtProtectVirtualMemory (-1, (0x10fe000), 4096, 260, ... 01000 576 NtTestAlert (... 00998 580 NtCreateEvent ... 160, ) == 0x0 01001 584 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01002 572 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01000 576 NtTestAlert ... ) == 0x0 00999 468 NtProtectVirtualMemory ... (0x10fe000), 4096, 4, ) == 0x0 01003 588 NtClose (148, ... 01001 584 NtCreateEvent ... 164, ) == 0x0 01002 572 NtCreateEvent ... 168, ) == 0x0 01004 580 NtWaitForSingleObject (160, 0, 0x0, ... 01005 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01003 588 NtClose ... ) == 0x0 01006 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 01007 576 NtContinue (16776496, 1, ... 01005 468 NtCreateThread ... 148, {460, 596}, ) == 0x0 01008 588 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01006 584 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01009 576 NtRegisterThreadTerminatePort (24, ... 01010 572 NtClose (168, ... 01008 588 NtOpenKey ... 172, ) == 0x0 01011 468 NtQueryInformationThread (148, Basic, 28, ... 01009 576 NtRegisterThreadTerminatePort ... ) == 0x0 01010 572 NtClose ... ) == 0x0 01012 588 NtQueryValueKey (172, (172, "Mapping", Partial, 144, ... , Partial, 144, ... 01011 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=460,Tid=596,}, 0x0, ) == 0x0 01013 576 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01014 572 NtWaitForSingleObject (160, 0, 0x0, ... 01012 588 NtQueryValueKey ... 
) == STATUS_BUFFER_OVERFLOW 01015 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1521, 0} (24, {28, 56, new_msg, 0, 460, 468, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0\314\1\0\0T\2\0\0" ... ... 01013 576 NtDuplicateObject ... 168, ) == 0x0 01016 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 15723680, ... }, 15723680, ... 01015 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1522, 0} ... {28, 56, reply, 0, 460, 468, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0\314\1\0\0T\2\0\0" ) ) == 0x0 01017 576 NtWaitForSingleObject (100, 0, {0, 0}, ... 01018 468 NtResumeThread (148, ... 01019 588 NtQueryValueKey (172, (172, "Mapping", Partial, 144, ... , Partial, 144, ... 01017 576 NtWaitForSingleObject ... ) == 0x102 01019 588 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01020 576 NtWaitForSingleObject (160, 0, 0x0, ... 01021 588 NtQueryValueKey (172, (172, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (172, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01022 588 NtClose (172, ... ) == 0x0 01023 588 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 172, ) }, ... 
172, ) == 0x0 01024 588 NtQueryValueKey (172, (172, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01025 588 NtQueryValueKey (172, (172, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01018 468 NtResumeThread ... 1, ) == 0x0 01026 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17825792, 1048576, ) == 0x0 01027 468 NtAllocateVirtualMemory (-1, 18866176, 0, 8192, 4096, 4, ... 18866176, 8192, ) == 0x0 01028 468 NtProtectVirtualMemory (-1, (0x11fe000), 4096, 260, ... (0x11fe000), 4096, 4, ) == 0x0 01029 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 176, {460, 636}, ) == 0x0 01030 468 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=460,Tid=636,}, 0x0, ) == 0x0 01031 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1522, 0} (24, {28, 56, new_msg, 0, 460, 468, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\314\1\0\0|\2\0\0" ... ... 01032 588 NtQueryValueKey (172, (172, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01033 596 NtWaitForSingleObject (132, 0, 0x0, ... 01032 588 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01034 588 NtQueryValueKey (172, (172, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (172, "HelperDllName", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01035 588 NtWaitForSingleObject (132, 0, 0x0, ... 01031 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1523, 0} ... {28, 56, reply, 0, 460, 468, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\314\1\0\0|\2\0\0" ) ) == 0x0 01036 468 NtResumeThread (176, ... 1, ) == 0x0 01037 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18874368, 1048576, ) == 0x0 01038 636 NtWaitForSingleObject (132, 0, 0x0, ... 01039 468 NtAllocateVirtualMemory (-1, 19914752, 0, 8192, 4096, 4, ... 19914752, 8192, ) == 0x0 01040 468 NtProtectVirtualMemory (-1, (0x12fe000), 4096, 260, ... (0x12fe000), 4096, 4, ) == 0x0 01041 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 180, {460, 732}, ) == 0x0 01042 468 NtQueryInformationThread (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=460,Tid=732,}, 0x0, ) == 0x0 01043 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1523, 0} (24, {28, 56, new_msg, 0, 460, 468, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\314\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 460, 468, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\314\1\0\0\334\2\0\0" ) ... {28, 56, reply, 0, 460, 468, 1524, 0} (24, {28, 56, new_msg, 0, 460, 468, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\314\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 460, 468, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\314\1\0\0\334\2\0\0" ) ) == 0x0 01044 468 NtResumeThread (180, ... 1, ) == 0x0 01045 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19922944, 1048576, ) == 0x0 01046 468 NtAllocateVirtualMemory (-1, 20963328, 0, 8192, 4096, 4, ... 20963328, 8192, ) == 0x0 01047 468 NtProtectVirtualMemory (-1, (0x13fe000), 4096, 260, ... 01048 732 NtWaitForSingleObject (132, 0, 0x0, ... 01047 468 NtProtectVirtualMemory ... 
(0x13fe000), 4096, 4, ) == 0x0 01049 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 184, {460, 744}, ) == 0x0 01050 468 NtQueryInformationThread (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=460,Tid=744,}, 0x0, ) == 0x0 01051 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1524, 0} (24, {28, 56, new_msg, 0, 460, 468, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\314\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 460, 468, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\314\1\0\0\350\2\0\0" ) ... {28, 56, reply, 0, 460, 468, 1525, 0} (24, {28, 56, new_msg, 0, 460, 468, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\314\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 460, 468, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\314\1\0\0\350\2\0\0" ) ) == 0x0 01052 468 NtResumeThread (184, ... 1, ) == 0x0 01053 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20971520, 1048576, ) == 0x0 01054 744 NtWaitForSingleObject (132, 0, 0x0, ... 01055 468 NtAllocateVirtualMemory (-1, 22011904, 0, 8192, 4096, 4, ... 22011904, 8192, ) == 0x0 01056 468 NtProtectVirtualMemory (-1, (0x14fe000), 4096, 260, ... (0x14fe000), 4096, 4, ) == 0x0 01057 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 188, {460, 676}, ) == 0x0 01058 468 NtQueryInformationThread (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=460,Tid=676,}, 0x0, ) == 0x0 01059 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1525, 0} (24, {28, 56, new_msg, 0, 460, 468, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\314\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 460, 468, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\314\1\0\0\244\2\0\0" ) ... {28, 56, reply, 0, 460, 468, 1526, 0} (24, {28, 56, new_msg, 0, 460, 468, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\314\1\0\0\244\2\0\0" ... 
{28, 56, reply, 0, 460, 468, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\0\0\0\314\1\0\0\244\2\0\0" ) ) == 0x0 01060 468 NtResumeThread (188, ... 1, ) == 0x0 01061 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22020096, 1048576, ) == 0x0 01062 468 NtAllocateVirtualMemory (-1, 23060480, 0, 8192, 4096, 4, ... 23060480, 8192, ) == 0x0 01063 468 NtProtectVirtualMemory (-1, (0x15fe000), 4096, 260, ... 01064 676 NtWaitForSingleObject (132, 0, 0x0, ... 01063 468 NtProtectVirtualMemory ... (0x15fe000), 4096, 4, ) == 0x0 01065 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 192, {460, 788}, ) == 0x0 01066 468 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=460,Tid=788,}, 0x0, ) == 0x0 01067 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1526, 0} (24, {28, 56, new_msg, 0, 460, 468, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\314\1\0\0\24\3\0\0" ... ... 01016 584 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01067 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1527, 0} ... {28, 56, reply, 0, 460, 468, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0\314\1\0\0\24\3\0\0" ) ) == 0x0 01068 468 NtResumeThread (192, ... 1, ) == 0x0 01069 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23068672, 1048576, ) == 0x0 01070 468 NtAllocateVirtualMemory (-1, 24109056, 0, 8192, 4096, 4, ... 24109056, 8192, ) == 0x0 01071 468 NtProtectVirtualMemory (-1, (0x16fe000), 4096, 260, ... (0x16fe000), 4096, 4, ) == 0x0 01072 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 196, {460, 784}, ) == 0x0 01073 584 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 15723680, ... }, 15723680, ... 01074 788 NtWaitForSingleObject (132, 0, 0x0, ... 01075 468 NtQueryInformationThread (196, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=460,Tid=784,}, 0x0, ) == 0x0 01076 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1527, 0} (24, {28, 56, new_msg, 0, 460, 468, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\314\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 460, 468, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\314\1\0\0\20\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1528, 0} (24, {28, 56, new_msg, 0, 460, 468, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\314\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 460, 468, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\314\1\0\0\20\3\0\0" ) ) == 0x0 01077 468 NtResumeThread (196, ... 1, ) == 0x0 01078 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24117248, 1048576, ) == 0x0 01079 468 NtAllocateVirtualMemory (-1, 25157632, 0, 8192, 4096, 4, ... 25157632, 8192, ) == 0x0 01080 468 NtProtectVirtualMemory (-1, (0x17fe000), 4096, 260, ... 01081 784 NtWaitForSingleObject (132, 0, 0x0, ... 01080 468 NtProtectVirtualMemory ... (0x17fe000), 4096, 4, ) == 0x0 01082 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 200, {460, 308}, ) == 0x0 01083 468 NtQueryInformationThread (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=460,Tid=308,}, 0x0, ) == 0x0 01084 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1528, 0} (24, {28, 56, new_msg, 0, 460, 468, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\314\1\0\04\1\0\0" ... {28, 56, reply, 0, 460, 468, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\314\1\0\04\1\0\0" ) ... {28, 56, reply, 0, 460, 468, 1529, 0} (24, {28, 56, new_msg, 0, 460, 468, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\314\1\0\04\1\0\0" ... {28, 56, reply, 0, 460, 468, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0\314\1\0\04\1\0\0" ) ) == 0x0 01085 468 NtResumeThread (200, ... 1, ) == 0x0 01086 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
25165824, 1048576, ) == 0x0 01087 308 NtWaitForSingleObject (132, 0, 0x0, ... 01088 468 NtAllocateVirtualMemory (-1, 26206208, 0, 8192, 4096, 4, ... 26206208, 8192, ) == 0x0 01089 468 NtProtectVirtualMemory (-1, (0x18fe000), 4096, 260, ... (0x18fe000), 4096, 4, ) == 0x0 01090 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 204, {460, 812}, ) == 0x0 01073 584 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01091 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 15723680, ... ) }, 15723680, ... ) == 0x0 01092 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0 01093 584 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0 01094 584 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01095 584 NtClose (208, ... 01096 468 NtQueryInformationThread (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=460,Tid=812,}, 0x0, ) == 0x0 01097 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1529, 0} (24, {28, 56, new_msg, 0, 460, 468, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\314\1\0\0,\3\0\0" ... {28, 56, reply, 0, 460, 468, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\314\1\0\0,\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1530, 0} (24, {28, 56, new_msg, 0, 460, 468, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\314\1\0\0,\3\0\0" ... {28, 56, reply, 0, 460, 468, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\314\1\0\0,\3\0\0" ) ) == 0x0 01098 468 NtResumeThread (204, ... 1, ) == 0x0 01099 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26214400, 1048576, ) == 0x0 01100 468 NtAllocateVirtualMemory (-1, 27254784, 0, 8192, 4096, 4, ... 27254784, 8192, ) == 0x0 01101 468 NtProtectVirtualMemory (-1, (0x19fe000), 4096, 260, ... 
01095 584 NtClose ... ) == 0x0 01102 812 NtWaitForSingleObject (132, 0, 0x0, ... 01103 584 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01104 584 NtClose (212, ... ) == 0x0 01105 584 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 212, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 212, 2, ) , 0, ... 212, 2, ) == 0x0 01106 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 208, ) }, ... 208, ) == 0x0 01107 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01108 584 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... }, ... 01101 468 NtProtectVirtualMemory ... (0x19fe000), 4096, 4, ) == 0x0 01109 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 216, {460, 804}, ) == 0x0 01110 468 NtQueryInformationThread (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=460,Tid=804,}, 0x0, ) == 0x0 01111 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1530, 0} (24, {28, 56, new_msg, 0, 460, 468, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\314\1\0\0$\3\0\0" ... {28, 56, reply, 0, 460, 468, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\314\1\0\0$\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1531, 0} (24, {28, 56, new_msg, 0, 460, 468, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\314\1\0\0$\3\0\0" ... {28, 56, reply, 0, 460, 468, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\314\1\0\0$\3\0\0" ) ) == 0x0 01112 468 NtResumeThread (216, ... 1, ) == 0x0 01113 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
27262976, 1048576, ) == 0x0 01108 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01114 804 NtWaitForSingleObject (132, 0, 0x0, ... 01115 584 NtQueryValueKey (208, (208, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01116 584 NtQueryValueKey (212, (212, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01117 584 NtQueryValueKey (208, (208, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01118 584 NtQueryValueKey (212, (212, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01119 584 NtQueryValueKey (208, (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01120 584 NtQueryValueKey (212, (212, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ... 01121 468 NtAllocateVirtualMemory (-1, 28303360, 0, 8192, 4096, 4, ... 28303360, 8192, ) == 0x0 01122 468 NtProtectVirtualMemory (-1, (0x1afe000), 4096, 260, ... (0x1afe000), 4096, 4, ) == 0x0 01123 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 220, {460, 716}, ) == 0x0 01124 468 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=460,Tid=716,}, 0x0, ) == 0x0 01125 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1531, 0} (24, {28, 56, new_msg, 0, 460, 468, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\314\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 460, 468, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\314\1\0\0\314\2\0\0" ) ... {28, 56, reply, 0, 460, 468, 1532, 0} (24, {28, 56, new_msg, 0, 460, 468, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\314\1\0\0\314\2\0\0" ... 
{28, 56, reply, 0, 460, 468, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\0\0\0\314\1\0\0\314\2\0\0" ) ) == 0x0 01126 468 NtResumeThread (220, ... 01120 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01127 584 NtQueryValueKey (208, (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01128 584 NtQueryValueKey (212, (212, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01129 584 NtQueryValueKey (208, (208, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01130 584 NtQueryValueKey (208, (208, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01131 584 NtQueryValueKey (208, (208, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01132 584 NtQueryValueKey (208, (208, "FilterClusterIp", Partial, 144, ... , Partial, 144, ... 01126 468 NtResumeThread ... 1, ) == 0x0 01133 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28311552, 1048576, ) == 0x0 01134 468 NtAllocateVirtualMemory (-1, 29351936, 0, 8192, 4096, 4, ... 29351936, 8192, ) == 0x0 01135 468 NtProtectVirtualMemory (-1, (0x1bfe000), 4096, 260, ... (0x1bfe000), 4096, 4, ) == 0x0 01136 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 224, {460, 844}, ) == 0x0 01137 468 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=460,Tid=844,}, 0x0, ) == 0x0 01138 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1532, 0} (24, {28, 56, new_msg, 0, 460, 468, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\314\1\0\0L\3\0\0" ... ... 01132 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01139 716 NtWaitForSingleObject (132, 0, 0x0, ... 01140 584 NtQueryValueKey (208, (208, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01141 584 NtQueryValueKey (208, (208, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01142 584 NtQueryValueKey (208, (208, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01143 584 NtQueryValueKey (212, (212, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01144 584 NtQueryValueKey (208, (208, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01145 584 NtQueryValueKey (208, (208, "RegisterAdapterName", Partial, 144, ... , Partial, 144, ... 01138 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1533, 0} ... {28, 56, reply, 0, 460, 468, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\314\1\0\0L\3\0\0" ) ) == 0x0 01146 468 NtResumeThread (224, ... 1, ) == 0x0 01147 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29360128, 1048576, ) == 0x0 01148 468 NtAllocateVirtualMemory (-1, 30400512, 0, 8192, 4096, 4, ... 30400512, 8192, ) == 0x0 01149 468 NtProtectVirtualMemory (-1, (0x1cfe000), 4096, 260, ... (0x1cfe000), 4096, 4, ) == 0x0 01150 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 228, {460, 864}, ) == 0x0 01145 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01151 844 NtWaitForSingleObject (132, 0, 0x0, ... 01152 584 NtQueryValueKey (212, (212, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01153 584 NtQueryValueKey (208, (208, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01154 584 NtQueryValueKey (212, (212, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01155 584 NtQueryValueKey (208, (208, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01156 584 NtQueryValueKey (212, (212, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01157 584 NtQueryValueKey (208, (208, "RegistrationOverwritesInConflict", Partial, 144, ... , Partial, 144, ... 01158 468 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=460,Tid=864,}, 0x0, ) == 0x0 01159 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1533, 0} (24, {28, 56, new_msg, 0, 460, 468, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\314\1\0\0`\3\0\0" ... {28, 56, reply, 0, 460, 468, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\314\1\0\0`\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1534, 0} (24, {28, 56, new_msg, 0, 460, 468, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\314\1\0\0`\3\0\0" ... {28, 56, reply, 0, 460, 468, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\314\1\0\0`\3\0\0" ) ) == 0x0 01160 468 NtResumeThread (228, ... 1, ) == 0x0 01161 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30408704, 1048576, ) == 0x0 01162 468 NtAllocateVirtualMemory (-1, 31449088, 0, 8192, 4096, 4, ... 31449088, 8192, ) == 0x0 01163 468 NtProtectVirtualMemory (-1, (0x1dfe000), 4096, 260, ... 01157 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01164 864 NtWaitForSingleObject (132, 0, 0x0, ... 01165 584 NtQueryValueKey (212, (212, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01166 584 NtQueryValueKey (208, (208, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01167 584 NtQueryValueKey (212, (212, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 584 NtQueryValueKey (208, (208, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01169 584 NtQueryValueKey (212, (212, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01170 584 NtQueryValueKey (208, (208, "RegistrationMaxAddressCount", Partial, 144, ... , Partial, 144, ... 01163 468 NtProtectVirtualMemory ... (0x1dfe000), 4096, 4, ) == 0x0 01171 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 232, {460, 868}, ) == 0x0 01172 468 NtQueryInformationThread (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=460,Tid=868,}, 0x0, ) == 0x0 01173 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1534, 0} (24, {28, 56, new_msg, 0, 460, 468, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\314\1\0\0d\3\0\0" ... {28, 56, reply, 0, 460, 468, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\314\1\0\0d\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1535, 0} (24, {28, 56, new_msg, 0, 460, 468, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\314\1\0\0d\3\0\0" ... {28, 56, reply, 0, 460, 468, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\314\1\0\0d\3\0\0" ) ) == 0x0 01174 468 NtResumeThread (232, ... 1, ) == 0x0 01175 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31457280, 1048576, ) == 0x0 01170 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01176 868 NtWaitForSingleObject (132, 0, 0x0, ... 01177 584 NtQueryValueKey (212, (212, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01178 584 NtQueryValueKey (208, (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01179 584 NtQueryValueKey (212, (212, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01180 584 NtQueryValueKey (208, (208, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01181 584 NtQueryValueKey (208, (208, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01182 584 NtQueryValueKey (208, (208, "DnsTest", Partial, 144, ... , Partial, 144, ... 01183 468 NtAllocateVirtualMemory (-1, 32497664, 0, 8192, 4096, 4, ... 32497664, 8192, ) == 0x0 01184 468 NtProtectVirtualMemory (-1, (0x1efe000), 4096, 260, ... (0x1efe000), 4096, 4, ) == 0x0 01185 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 236, {460, 872}, ) == 0x0 01186 468 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=460,Tid=872,}, 0x0, ) == 0x0 01187 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1535, 0} (24, {28, 56, new_msg, 0, 460, 468, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\314\1\0\0h\3\0\0" ... {28, 56, reply, 0, 460, 468, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\314\1\0\0h\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1536, 0} (24, {28, 56, new_msg, 0, 460, 468, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\314\1\0\0h\3\0\0" ... {28, 56, reply, 0, 460, 468, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\314\1\0\0h\3\0\0" ) ) == 0x0 01188 468 NtResumeThread (236, ... 01182 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01189 584 NtQueryValueKey (208, (208, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01190 584 NtQueryValueKey (208, (208, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01191 584 NtQueryValueKey (208, (208, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01192 584 NtQueryValueKey (208, (208, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01193 584 NtQueryValueKey (208, (208, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01194 584 NtQueryValueKey (208, (208, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ... 01188 468 NtResumeThread ... 1, ) == 0x0 01195 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32505856, 1048576, ) == 0x0 01196 468 NtAllocateVirtualMemory (-1, 33546240, 0, 8192, 4096, 4, ... 33546240, 8192, ) == 0x0 01197 468 NtProtectVirtualMemory (-1, (0x1ffe000), 4096, 260, ... (0x1ffe000), 4096, 4, ) == 0x0 01198 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 240, {460, 876}, ) == 0x0 01199 468 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=460,Tid=876,}, 0x0, ) == 0x0 01200 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1536, 0} (24, {28, 56, new_msg, 0, 460, 468, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\314\1\0\0l\3\0\0" ... ... 01194 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01201 872 NtWaitForSingleObject (132, 0, 0x0, ... 01202 584 NtQueryValueKey (208, (208, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01203 584 NtQueryValueKey (208, (208, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 584 NtQueryValueKey (208, (208, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01205 584 NtQueryValueKey (208, (208, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01206 584 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 244, ) }, ... 244, ) == 0x0 01207 584 NtQueryValueKey (244, (244, "SystemSetupInProgress", Partial, 144, ... , Partial, 144, ... 01200 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1537, 0} ... {28, 56, reply, 0, 460, 468, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\314\1\0\0l\3\0\0" ) ) == 0x0 01208 468 NtResumeThread (240, ... 
1, ) == 0x0 01209 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33554432, 1048576, ) == 0x0 01210 468 NtAllocateVirtualMemory (-1, 34594816, 0, 8192, 4096, 4, ... 34594816, 8192, ) == 0x0 01211 468 NtProtectVirtualMemory (-1, (0x20fe000), 4096, 260, ... (0x20fe000), 4096, 4, ) == 0x0 01212 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 248, {460, 880}, ) == 0x0 01207 584 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01213 876 NtWaitForSingleObject (132, 0, 0x0, ... 01214 584 NtClose (244, ... ) == 0x0 01215 584 NtClose (212, ... ) == 0x0 01216 584 NtClose (208, ... ) == 0x0 01217 584 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 208, ) }, ... 208, ) == 0x0 01218 584 NtQueryValueKey (208, (208, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01219 584 NtQueryValueKey (208, (208, "DnsQuickQueryTimeouts", Partial, 144, ... , Partial, 144, ... 01220 468 NtQueryInformationThread (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=460,Tid=880,}, 0x0, ) == 0x0 01221 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1537, 0} (24, {28, 56, new_msg, 0, 460, 468, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\314\1\0\0p\3\0\0" ... {28, 56, reply, 0, 460, 468, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\314\1\0\0p\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1538, 0} (24, {28, 56, new_msg, 0, 460, 468, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\314\1\0\0p\3\0\0" ... {28, 56, reply, 0, 460, 468, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\314\1\0\0p\3\0\0" ) ) == 0x0 01222 468 NtResumeThread (248, ... 1, ) == 0x0 01223 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 34603008, 1048576, ) == 0x0 01224 468 NtAllocateVirtualMemory (-1, 35643392, 0, 8192, 4096, 4, ... 
35643392, 8192, ) == 0x0 01225 468 NtProtectVirtualMemory (-1, (0x21fe000), 4096, 260, ... 01219 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01226 880 NtWaitForSingleObject (132, 0, 0x0, ... 01227 584 NtQueryValueKey (208, (208, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01228 584 NtClose (208, ... ) == 0x0 01229 584 NtSetEventBoostPriority (132, ... 01033 596 NtWaitForSingleObject ... ) == 0x0 01230 596 NtSetEventBoostPriority (132, ... 01035 588 NtWaitForSingleObject ... ) == 0x0 01231 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 12579952, ... ) }, 12579952, ... ) == 0x0 01230 596 NtSetEventBoostPriority ... ) == 0x0 01229 584 NtSetEventBoostPriority ... ) == 0x0 01225 468 NtProtectVirtualMemory ... (0x21fe000), 4096, 4, ) == 0x0 01232 588 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01233 584 NtWaitForSingleObject (132, 0, 0x0, ... 01234 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01232 588 NtOpenFile ... 208, {status=0x0, info=1}, ) == 0x0 01234 468 NtCreateThread ... 212, {460, 884}, ) == 0x0 01235 588 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 208, ... 01236 468 NtQueryInformationThread (212, Basic, 28, ... 01235 588 NtCreateSection ... 244, ) == 0x0 01236 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=460,Tid=884,}, 0x0, ) == 0x0 01237 588 NtClose (208, ... 01238 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1538, 0} (24, {28, 56, new_msg, 0, 460, 468, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\314\1\0\0t\3\0\0" ... ... 01237 588 NtClose ... ) == 0x0 01239 596 NtTestAlert (... 01238 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1539, 0} ... 
{28, 56, reply, 0, 460, 468, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\314\1\0\0t\3\0\0" ) ) == 0x0 01239 596 NtTestAlert ... ) == 0x0 01240 468 NtResumeThread (212, ... 01241 596 NtContinue (17825072, 1, ... 01240 468 NtResumeThread ... 1, ) == 0x0 01242 596 NtRegisterThreadTerminatePort (24, ... 01243 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01242 596 NtRegisterThreadTerminatePort ... ) == 0x0 01243 468 NtAllocateVirtualMemory ... 35651584, 1048576, ) == 0x0 01244 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01245 588 NtMapViewOfSection (244, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01246 884 NtWaitForSingleObject (132, 0, 0x0, ... 01247 468 NtAllocateVirtualMemory (-1, 36691968, 0, 8192, 4096, 4, ... 01245 588 NtMapViewOfSection ... (0x2300000), 0x0, 20480, ) == 0x0 01247 468 NtAllocateVirtualMemory ... 36691968, 8192, ) == 0x0 01248 588 NtClose (244, ... 01249 468 NtProtectVirtualMemory (-1, (0x22fe000), 4096, 260, ... 01248 588 NtClose ... ) == 0x0 01249 468 NtProtectVirtualMemory ... (0x22fe000), 4096, 4, ) == 0x0 01250 588 NtUnmapViewOfSection (-1, 0x2300000, ... 01251 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01250 588 NtUnmapViewOfSection ... ) == 0x0 01251 468 NtCreateThread ... 244, {460, 888}, ) == 0x0 01244 596 NtDuplicateObject ... 208, ) == 0x0 01252 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 12580268, ... }, 12580268, ... 01253 596 NtWaitForSingleObject (100, 0, {0, 0}, ... 01252 588 NtQueryAttributesFile ... ) == 0x0 01253 596 NtWaitForSingleObject ... ) == 0x102 01254 588 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01255 596 NtWaitForSingleObject (160, 0, 0x0, ... 01254 588 NtOpenFile ... 252, {status=0x0, info=1}, ) == 0x0 01256 588 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 252, ... 
256, ) == 0x0 01257 588 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01258 588 NtClose (252, ... ) == 0x0 01259 588 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01260 468 NtQueryInformationThread (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=460,Tid=888,}, 0x0, ) == 0x0 01261 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1539, 0} (24, {28, 56, new_msg, 0, 460, 468, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\314\1\0\0x\3\0\0" ... {28, 56, reply, 0, 460, 468, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\314\1\0\0x\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1540, 0} (24, {28, 56, new_msg, 0, 460, 468, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\314\1\0\0x\3\0\0" ... {28, 56, reply, 0, 460, 468, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\314\1\0\0x\3\0\0" ) ) == 0x0 01262 468 NtResumeThread (244, ... 1, ) == 0x0 01263 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36700160, 1048576, ) == 0x0 01264 468 NtAllocateVirtualMemory (-1, 37740544, 0, 8192, 4096, 4, ... 37740544, 8192, ) == 0x0 01265 468 NtProtectVirtualMemory (-1, (0x23fe000), 4096, 260, ... 01266 588 NtClose (256, ... 01267 888 NtWaitForSingleObject (132, 0, 0x0, ... 01266 588 NtClose ... ) == 0x0 01268 588 NtSetEventBoostPriority (132, ... 01038 636 NtWaitForSingleObject ... ) == 0x0 01269 636 NtSetEventBoostPriority (132, ... 01048 732 NtWaitForSingleObject ... ) == 0x0 01270 732 NtSetEventBoostPriority (132, ... 01054 744 NtWaitForSingleObject ... ) == 0x0 01271 744 NtSetEventBoostPriority (132, ... 01064 676 NtWaitForSingleObject ... ) == 0x0 01272 676 NtSetEventBoostPriority (132, ... 01074 788 NtWaitForSingleObject ... ) == 0x0 01273 788 NtSetEventBoostPriority (132, ... 01081 784 NtWaitForSingleObject ... ) == 0x0 01274 784 NtSetEventBoostPriority (132, ... 01087 308 NtWaitForSingleObject ... 
) == 0x0 01275 308 NtSetEventBoostPriority (132, ... 01102 812 NtWaitForSingleObject ... ) == 0x0 01276 812 NtSetEventBoostPriority (132, ... 01114 804 NtWaitForSingleObject ... ) == 0x0 01277 804 NtAllocateVirtualMemory (-1, 3948544, 0, 4096, 4096, 4, ... 3948544, 4096, ) == 0x0 01276 812 NtSetEventBoostPriority ... ) == 0x0 01275 308 NtSetEventBoostPriority ... ) == 0x0 01274 784 NtSetEventBoostPriority ... ) == 0x0 01273 788 NtSetEventBoostPriority ... ) == 0x0 01272 676 NtSetEventBoostPriority ... ) == 0x0 01271 744 NtSetEventBoostPriority ... ) == 0x0 01270 732 NtSetEventBoostPriority ... ) == 0x0 01269 636 NtSetEventBoostPriority ... ) == 0x0 01268 588 NtSetEventBoostPriority ... ) == 0x0 01265 468 NtProtectVirtualMemory ... (0x23fe000), 4096, 4, ) == 0x0 01278 804 NtSetEventBoostPriority (132, ... 01279 812 NtTestAlert (... 01280 308 NtTestAlert (... 01281 784 NtTestAlert (... 01282 788 NtTestAlert (... 01283 676 NtTestAlert (... 01284 744 NtTestAlert (... 01285 732 NtTestAlert (... 01286 588 NtClose (172, ... 01287 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01139 716 NtWaitForSingleObject ... ) == 0x0 01278 804 NtSetEventBoostPriority ... ) == 0x0 01279 812 NtTestAlert ... ) == 0x0 01280 308 NtTestAlert ... ) == 0x0 01281 784 NtTestAlert ... ) == 0x0 01282 788 NtTestAlert ... ) == 0x0 01283 676 NtTestAlert ... ) == 0x0 01284 744 NtTestAlert ... ) == 0x0 01285 732 NtTestAlert ... ) == 0x0 01286 588 NtClose ... ) == 0x0 01288 716 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 01287 468 NtCreateThread ... 172, {460, 892}, ) == 0x0 01289 804 NtTestAlert (... 01290 812 NtContinue (26213680, 1, ... 01291 308 NtContinue (25165104, 1, ... 01292 784 NtContinue (24116528, 1, ... 01293 788 NtContinue (23067952, 1, ... 01294 676 NtContinue (22019376, 1, ... 01295 744 NtContinue (20970800, 1, ... 01296 732 NtContinue (19922224, 1, ... 01297 636 NtTestAlert (... 01288 716 NtAllocateVirtualMemory ... 
1363968, 4096, ) == 0x0 01298 468 NtQueryInformationThread (172, Basic, 28, ... 01289 804 NtTestAlert ... ) == 0x0 01299 812 NtRegisterThreadTerminatePort (24, ... 01300 308 NtRegisterThreadTerminatePort (24, ... 01301 784 NtRegisterThreadTerminatePort (24, ... 01302 788 NtRegisterThreadTerminatePort (24, ... 01303 676 NtRegisterThreadTerminatePort (24, ... 01304 744 NtRegisterThreadTerminatePort (24, ... 01305 732 NtRegisterThreadTerminatePort (24, ... 01297 636 NtTestAlert ... ) == 0x0 01306 588 NtWaitForSingleObject (132, 0, 0x0, ... 01298 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=460,Tid=892,}, 0x0, ) == 0x0 01307 804 NtContinue (27262256, 1, ... 01299 812 NtRegisterThreadTerminatePort ... ) == 0x0 01300 308 NtRegisterThreadTerminatePort ... ) == 0x0 01301 784 NtRegisterThreadTerminatePort ... ) == 0x0 01302 788 NtRegisterThreadTerminatePort ... ) == 0x0 01303 676 NtRegisterThreadTerminatePort ... ) == 0x0 01304 744 NtRegisterThreadTerminatePort ... ) == 0x0 01305 732 NtRegisterThreadTerminatePort ... ) == 0x0 01308 636 NtContinue (18873648, 1, ... 01309 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1540, 0} (24, {28, 56, new_msg, 0, 460, 468, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\314\1\0\0|\3\0\0" ... ... 01310 804 NtRegisterThreadTerminatePort (24, ... 01311 812 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01312 308 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01313 784 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01314 788 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01315 676 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01316 744 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01317 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01318 636 NtRegisterThreadTerminatePort (24, ... 01319 716 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01309 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1541, 0} ... 
{28, 56, reply, 0, 460, 468, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\314\1\0\0|\3\0\0" ) ) == 0x0 01310 804 NtRegisterThreadTerminatePort ... ) == 0x0 01311 812 NtCreateEvent ... 256, ) == 0x0 01312 308 NtCreateEvent ... 252, ) == 0x0 01313 784 NtCreateEvent ... 260, ) == 0x0 01314 788 NtCreateEvent ... 264, ) == 0x0 01315 676 NtCreateEvent ... 268, ) == 0x0 01316 744 NtCreateEvent ... 272, ) == 0x0 01318 636 NtRegisterThreadTerminatePort ... ) == 0x0 01319 716 NtCreateEvent ... 276, ) == 0x0 01320 468 NtResumeThread (172, ... 01321 804 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01322 812 NtWaitForSingleObject (256, 0, 0x0, ... 01323 308 NtClose (252, ... 01324 784 NtClose (260, ... 01325 788 NtClose (264, ... 01326 676 NtClose (268, ... 01327 744 NtClose (272, ... 01328 636 NtWaitForSingleObject (256, 0, 0x0, ... 01329 716 NtClose (276, ... 01320 468 NtResumeThread ... 1, ) == 0x0 01321 804 NtCreateEvent ... 280, ) == 0x0 01323 308 NtClose ... ) == 0x0 01324 784 NtClose ... ) == 0x0 01325 788 NtClose ... ) == 0x0 01326 676 NtClose ... ) == 0x0 01327 744 NtClose ... ) == 0x0 01317 732 NtCreateEvent ... 272, ) == 0x0 01330 892 NtWaitForSingleObject (132, 0, 0x0, ... 01329 716 NtClose ... ) == 0x0 01331 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01332 804 NtClose (280, ... 01333 308 NtWaitForSingleObject (256, 0, 0x0, ... 01334 784 NtWaitForSingleObject (256, 0, 0x0, ... 01335 788 NtWaitForSingleObject (256, 0, 0x0, ... 01336 676 NtWaitForSingleObject (256, 0, 0x0, ... 01337 744 NtWaitForSingleObject (256, 0, 0x0, ... 01338 732 NtClose (272, ... 01339 716 NtSetEventBoostPriority (256, ... 01331 468 NtAllocateVirtualMemory ... 37748736, 1048576, ) == 0x0 01332 804 NtClose ... ) == 0x0 01338 732 NtClose ... ) == 0x0 01322 812 NtWaitForSingleObject ... ) == 0x0 01339 716 NtSetEventBoostPriority ... ) == 0x0 01340 804 NtWaitForSingleObject (256, 0, 0x0, ... 01341 812 NtSetEventBoostPriority (256, ... 
01342 732 NtWaitForSingleObject (256, 0, 0x0, ... 01343 468 NtAllocateVirtualMemory (-1, 38789120, 0, 8192, 4096, 4, ... 01344 716 NtSetEventBoostPriority (132, ... 01333 308 NtWaitForSingleObject ... ) == 0x0 01341 812 NtSetEventBoostPriority ... ) == 0x0 01343 468 NtAllocateVirtualMemory ... 38789120, 8192, ) == 0x0 01345 308 NtSetEventBoostPriority (256, ... 01151 844 NtWaitForSingleObject ... ) == 0x0 01344 716 NtSetEventBoostPriority ... ) == 0x0 01334 784 NtWaitForSingleObject ... ) == 0x0 01346 844 NtWaitForSingleObject (256, 0, 0x0, ... 01345 308 NtSetEventBoostPriority ... ) == 0x0 01347 468 NtProtectVirtualMemory (-1, (0x24fe000), 4096, 260, ... 01348 784 NtSetEventBoostPriority (256, ... 01349 716 NtTestAlert (... 01350 812 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01335 788 NtWaitForSingleObject ... ) == 0x0 01348 784 NtSetEventBoostPriority ... ) == 0x0 01347 468 NtProtectVirtualMemory ... (0x24fe000), 4096, 4, ) == 0x0 01349 716 NtTestAlert ... ) == 0x0 01351 788 NtSetEventBoostPriority (256, ... 01350 812 NtDuplicateObject ... 272, ) == 0x0 01352 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01353 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01336 676 NtWaitForSingleObject ... ) == 0x0 01351 788 NtSetEventBoostPriority ... ) == 0x0 01354 716 NtContinue (28310832, 1, ... 01355 812 NtWaitForSingleObject (256, 0, 0x0, ... 01352 308 NtDuplicateObject ... 280, ) == 0x0 01356 676 NtSetEventBoostPriority (256, ... 01353 468 NtCreateThread ... 276, {460, 896}, ) == 0x0 01357 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01358 716 NtRegisterThreadTerminatePort (24, ... 01337 744 NtWaitForSingleObject ... ) == 0x0 01356 676 NtSetEventBoostPriority ... ) == 0x0 01359 308 NtWaitForSingleObject (256, 0, 0x0, ... 01360 788 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01357 784 NtDuplicateObject ... 268, ) == 0x0 01361 468 NtQueryInformationThread (276, Basic, 28, ... 01362 744 NtSetEventBoostPriority (256, ... 
01358 716 NtRegisterThreadTerminatePort ... ) == 0x0 01360 788 NtDuplicateObject ... 264, ) == 0x0 01363 784 NtWaitForSingleObject (256, 0, 0x0, ... 01328 636 NtWaitForSingleObject ... ) == 0x0 01362 744 NtSetEventBoostPriority ... ) == 0x0 01361 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=460,Tid=896,}, 0x0, ) == 0x0 01364 716 NtWaitForSingleObject (256, 0, 0x0, ... 01365 788 NtWaitForSingleObject (256, 0, 0x0, ... 01366 636 NtSetEventBoostPriority (256, ... 01367 676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01368 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1541, 0} (24, {28, 56, new_msg, 0, 460, 468, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\314\1\0\0\200\3\0\0" ... ... 01342 732 NtWaitForSingleObject ... ) == 0x0 01367 676 NtDuplicateObject ... 260, ) == 0x0 01368 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1542, 0} ... {28, 56, reply, 0, 460, 468, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\314\1\0\0\200\3\0\0" ) ) == 0x0 01369 732 NtSetEventBoostPriority (256, ... 01370 676 NtWaitForSingleObject (256, 0, 0x0, ... 01371 468 NtResumeThread (276, ... 01340 804 NtWaitForSingleObject ... ) == 0x0 01369 732 NtSetEventBoostPriority ... ) == 0x0 01366 636 NtSetEventBoostPriority ... ) == 0x0 01372 744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01373 804 NtSetEventBoostPriority (256, ... 01371 468 NtResumeThread ... 1, ) == 0x0 01374 636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01346 844 NtWaitForSingleObject ... ) == 0x0 01372 744 NtDuplicateObject ... 252, ) == 0x0 01375 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01376 844 NtSetEventBoostPriority (256, ... 01374 636 NtDuplicateObject ... 284, ) == 0x0 01377 744 NtWaitForSingleObject (256, 0, 0x0, ... 01355 812 NtWaitForSingleObject ... ) == 0x0 01376 844 NtSetEventBoostPriority ... ) == 0x0 01375 468 NtAllocateVirtualMemory ... 38797312, 1048576, ) == 0x0 01373 804 NtSetEventBoostPriority ... 
) == 0x0 01378 732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01379 896 NtWaitForSingleObject (132, 0, 0x0, ... 01380 812 NtSetEventBoostPriority (256, ... 01381 636 NtWaitForSingleObject (256, 0, 0x0, ... 01382 468 NtAllocateVirtualMemory (-1, 39837696, 0, 8192, 4096, 4, ... 01383 804 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01378 732 NtDuplicateObject ... 288, ) == 0x0 01359 308 NtWaitForSingleObject ... ) == 0x0 01380 812 NtSetEventBoostPriority ... ) == 0x0 01382 468 NtAllocateVirtualMemory ... 39837696, 8192, ) == 0x0 01383 804 NtDuplicateObject ... 292, ) == 0x0 01384 308 NtSetEventBoostPriority (256, ... 01385 732 NtWaitForSingleObject (256, 0, 0x0, ... 01386 844 NtSetEventBoostPriority (132, ... 01387 468 NtProtectVirtualMemory (-1, (0x25fe000), 4096, 260, ... 01388 812 NtWaitForSingleObject (256, 0, 0x0, ... 01363 784 NtWaitForSingleObject ... ) == 0x0 01384 308 NtSetEventBoostPriority ... ) == 0x0 01164 864 NtWaitForSingleObject ... ) == 0x0 01386 844 NtSetEventBoostPriority ... ) == 0x0 01389 804 NtWaitForSingleObject (256, 0, 0x0, ... 01390 784 NtSetEventBoostPriority (256, ... 01387 468 NtProtectVirtualMemory ... (0x25fe000), 4096, 4, ) == 0x0 01391 864 NtWaitForSingleObject (256, 0, 0x0, ... 01392 844 NtTestAlert (... 01364 716 NtWaitForSingleObject ... ) == 0x0 01390 784 NtSetEventBoostPriority ... ) == 0x0 01393 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01394 716 NtSetEventBoostPriority (256, ... 01392 844 NtTestAlert ... ) == 0x0 01395 308 NtWaitForSingleObject (256, 0, 0x0, ... 01365 788 NtWaitForSingleObject ... ) == 0x0 01394 716 NtSetEventBoostPriority ... ) == 0x0 01393 468 NtCreateThread ... 296, {460, 900}, ) == 0x0 01396 844 NtContinue (29359408, 1, ... 01397 788 NtSetEventBoostPriority (256, ... 01398 784 NtWaitForSingleObject (256, 0, 0x0, ... 01399 468 NtQueryInformationThread (296, Basic, 28, ... 01370 676 NtWaitForSingleObject ... ) == 0x0 01397 788 NtSetEventBoostPriority ... 
) == 0x0 01400 844 NtRegisterThreadTerminatePort (24, ... 01401 676 NtSetEventBoostPriority (256, ... 01399 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=460,Tid=900,}, 0x0, ) == 0x0 01402 716 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01403 788 NtWaitForSingleObject (256, 0, 0x0, ... 01377 744 NtWaitForSingleObject ... ) == 0x0 01401 676 NtSetEventBoostPriority ... ) == 0x0 01404 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1542, 0} (24, {28, 56, new_msg, 0, 460, 468, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\1\0\0\314\1\0\0\204\3\0\0" ... ... 01402 716 NtDuplicateObject ... 300, ) == 0x0 01405 744 NtSetEventBoostPriority (256, ... 01400 844 NtRegisterThreadTerminatePort ... ) == 0x0 01406 676 NtWaitForSingleObject (256, 0, 0x0, ... 01381 636 NtWaitForSingleObject ... ) == 0x0 01405 744 NtSetEventBoostPriority ... ) == 0x0 01407 716 NtWaitForSingleObject (256, 0, 0x0, ... 01408 844 NtWaitForSingleObject (256, 0, 0x0, ... 01409 636 NtSetEventBoostPriority (256, ... 01404 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1543, 0} ... {28, 56, reply, 0, 460, 468, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\1\0\0\314\1\0\0\204\3\0\0" ) ) == 0x0 01385 732 NtWaitForSingleObject ... ) == 0x0 01409 636 NtSetEventBoostPriority ... ) == 0x0 01410 732 NtSetEventBoostPriority (256, ... 01411 468 NtResumeThread (296, ... 01388 812 NtWaitForSingleObject ... ) == 0x0 01410 732 NtSetEventBoostPriority ... ) == 0x0 01412 636 NtWaitForSingleObject (256, 0, 0x0, ... 01413 812 NtSetEventBoostPriority (256, ... 01411 468 NtResumeThread ... 1, ) == 0x0 01414 744 NtWaitForSingleObject (256, 0, 0x0, ... 01415 732 NtWaitForSingleObject (256, 0, 0x0, ... 01416 900 NtWaitForSingleObject (132, 0, 0x0, ... 01389 804 NtWaitForSingleObject ... ) == 0x0 01413 812 NtSetEventBoostPriority ... ) == 0x0 01417 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01418 804 NtSetEventBoostPriority (256, ... 
01419 812 NtWaitForSingleObject (256, 0, 0x0, ... 01391 864 NtWaitForSingleObject ... ) == 0x0 01418 804 NtSetEventBoostPriority ... ) == 0x0 01417 468 NtAllocateVirtualMemory ... 39845888, 1048576, ) == 0x0 01420 864 NtSetEventBoostPriority (256, ... 01421 804 NtWaitForSingleObject (256, 0, 0x0, ... 01395 308 NtWaitForSingleObject ... ) == 0x0 01420 864 NtSetEventBoostPriority ... ) == 0x0 01422 468 NtAllocateVirtualMemory (-1, 40886272, 0, 8192, 4096, 4, ... 01423 308 NtSetEventBoostPriority (256, ... 01398 784 NtWaitForSingleObject ... ) == 0x0 01424 784 NtSetEventBoostPriority (256, ... 01403 788 NtWaitForSingleObject ... ) == 0x0 01425 788 NtSetEventBoostPriority (256, ... 01406 676 NtWaitForSingleObject ... ) == 0x0 01426 676 NtSetEventBoostPriority (256, ... 01407 716 NtWaitForSingleObject ... ) == 0x0 01427 716 NtSetEventBoostPriority (256, ... 01408 844 NtWaitForSingleObject ... ) == 0x0 01428 844 NtSetEventBoostPriority (256, ... 01414 744 NtWaitForSingleObject ... ) == 0x0 01429 744 NtSetEventBoostPriority (256, ... 01415 732 NtWaitForSingleObject ... ) == 0x0 01430 732 NtSetEventBoostPriority (256, ... 01412 636 NtWaitForSingleObject ... ) == 0x0 01431 636 NtSetEventBoostPriority (256, ... 01419 812 NtWaitForSingleObject ... ) == 0x0 01432 812 NtSetEventBoostPriority (256, ... 01421 804 NtWaitForSingleObject ... ) == 0x0 01433 804 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x102 01434 804 NtWaitForSingleObject (160, 0, 0x0, ... 01430 732 NtSetEventBoostPriority ... ) == 0x0 01429 744 NtSetEventBoostPriority ... ) == 0x0 01428 844 NtSetEventBoostPriority ... ) == 0x0 01427 716 NtSetEventBoostPriority ... ) == 0x0 01426 676 NtSetEventBoostPriority ... ) == 0x0 01425 788 NtSetEventBoostPriority ... ) == 0x0 01424 784 NtSetEventBoostPriority ... ) == 0x0 01423 308 NtSetEventBoostPriority ... ) == 0x0 01422 468 NtAllocateVirtualMemory ... 40886272, 8192, ) == 0x0 01432 812 NtSetEventBoostPriority ... ) == 0x0 01431 636 NtSetEventBoostPriority ... 
) == 0x0 01435 864 NtSetEventBoostPriority (132, ... 01436 732 NtWaitForSingleObject (100, 0, {0, 0}, ... 01437 744 NtWaitForSingleObject (100, 0, {0, 0}, ... 01438 844 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01439 676 NtWaitForSingleObject (100, 0, {0, 0}, ... 01440 788 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 01441 784 NtWaitForSingleObject (256, 0, 0x0, ... 01442 308 NtWaitForSingleObject (256, 0, 0x0, ... 01443 468 NtProtectVirtualMemory (-1, (0x26fe000), 4096, 260, ... 01444 812 NtWaitForSingleObject (256, 0, 0x0, ... 01445 636 NtWaitForSingleObject (256, 0, 0x0, ... 01176 868 NtWaitForSingleObject ... ) == 0x0 01435 864 NtSetEventBoostPriority ... ) == 0x0 01446 716 NtWaitForSingleObject (256, 0, 0x0, ... 01436 732 NtWaitForSingleObject ... ) == 0x102 01438 844 NtDuplicateObject ... 304, ) == 0x0 01437 744 NtWaitForSingleObject ... ) == 0x102 01439 676 NtWaitForSingleObject ... ) == 0x102 01440 788 NtAllocateVirtualMemory ... 1368064, 4096, ) == 0x0 01443 468 NtProtectVirtualMemory ... (0x26fe000), 4096, 4, ) == 0x0 01447 868 NtWaitForSingleObject (256, 0, 0x0, ... 01448 864 NtTestAlert (... 01449 732 NtWaitForSingleObject (160, 0, 0x0, ... 01450 844 NtWaitForSingleObject (256, 0, 0x0, ... 01451 744 NtWaitForSingleObject (160, 0, 0x0, ... 01452 676 NtWaitForSingleObject (160, 0, 0x0, ... 01453 788 NtSetEventBoostPriority (256, ... 01454 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01448 864 NtTestAlert ... ) == 0x0 01441 784 NtWaitForSingleObject ... ) == 0x0 01453 788 NtSetEventBoostPriority ... ) == 0x0 01454 468 NtCreateThread ... 308, {460, 916}, ) == 0x0 01455 784 NtSetEventBoostPriority (256, ... 01456 864 NtContinue (30407984, 1, ... 01457 788 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01444 812 NtWaitForSingleObject ... ) == 0x0 01458 864 NtRegisterThreadTerminatePort (24, ... 01457 788 NtCreateEvent ... 312, ) == 0x0 01459 812 NtSetEventBoostPriority (256, ... 01455 784 NtSetEventBoostPriority ... 
) == 0x0 01460 468 NtQueryInformationThread (308, Basic, 28, ... 01461 788 NtWaitForSingleObject (312, 0, 0x0, ... 01445 636 NtWaitForSingleObject ... ) == 0x0 01459 812 NtSetEventBoostPriority ... ) == 0x0 01462 784 NtWaitForSingleObject (256, 0, 0x0, ... 01460 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=460,Tid=916,}, 0x0, ) == 0x0 01458 864 NtRegisterThreadTerminatePort ... ) == 0x0 01463 636 NtSetEventBoostPriority (256, ... 01464 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1543, 0} (24, {28, 56, new_msg, 0, 460, 468, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\1\0\0\314\1\0\0\224\3\0\0" ... ... 01446 716 NtWaitForSingleObject ... ) == 0x0 01463 636 NtSetEventBoostPriority ... ) == 0x0 01465 864 NtWaitForSingleObject (256, 0, 0x0, ... 01466 716 NtSetEventBoostPriority (256, ... 01464 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1544, 0} ... {28, 56, reply, 0, 460, 468, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\1\0\0\314\1\0\0\224\3\0\0" ) ) == 0x0 01467 812 NtSetEventBoostPriority (312, ... 01447 868 NtWaitForSingleObject ... ) == 0x0 01466 716 NtSetEventBoostPriority ... ) == 0x0 01468 468 NtResumeThread (308, ... 01469 868 NtSetEventBoostPriority (256, ... 01461 788 NtWaitForSingleObject ... ) == 0x0 01467 812 NtSetEventBoostPriority ... ) == 0x0 01470 716 NtWaitForSingleObject (256, 0, 0x0, ... 01471 636 NtWaitForSingleObject (256, 0, 0x0, ... 01450 844 NtWaitForSingleObject ... ) == 0x0 01472 788 NtWaitForSingleObject (256, 0, 0x0, ... 01469 868 NtSetEventBoostPriority ... ) == 0x0 01473 812 NtWaitForSingleObject (100, 0, {0, 0}, ... 01468 468 NtResumeThread ... 1, ) == 0x0 01474 844 NtSetEventBoostPriority (256, ... 01475 916 NtWaitForSingleObject (132, 0, 0x0, ... 01473 812 NtWaitForSingleObject ... ) == 0x102 01442 308 NtWaitForSingleObject ... ) == 0x0 01474 844 NtSetEventBoostPriority ... ) == 0x0 01476 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01477 308 NtSetEventBoostPriority (256, ... 01478 812 NtWaitForSingleObject (256, 0, 0x0, ... 01479 868 NtSetEventBoostPriority (132, ... 01462 784 NtWaitForSingleObject ... ) == 0x0 01476 468 NtAllocateVirtualMemory ... 40894464, 1048576, ) == 0x0 01477 308 NtSetEventBoostPriority ... ) == 0x0 01480 844 NtWaitForSingleObject (312, 0, 0x0, ... 01201 872 NtWaitForSingleObject ... ) == 0x0 01479 868 NtSetEventBoostPriority ... ) == 0x0 01481 784 NtSetEventBoostPriority (256, ... 01482 468 NtAllocateVirtualMemory (-1, 41934848, 0, 8192, 4096, 4, ... 01483 308 NtWaitForSingleObject (256, 0, 0x0, ... 01484 872 NtWaitForSingleObject (256, 0, 0x0, ... 01485 868 NtTestAlert (... 01465 864 NtWaitForSingleObject ... ) == 0x0 01481 784 NtSetEventBoostPriority ... ) == 0x0 01482 468 NtAllocateVirtualMemory ... 41934848, 8192, ) == 0x0 01486 864 NtSetEventBoostPriority (256, ... 01485 868 NtTestAlert ... ) == 0x0 01472 788 NtWaitForSingleObject ... ) == 0x0 01486 864 NtSetEventBoostPriority ... ) == 0x0 01487 468 NtProtectVirtualMemory (-1, (0x27fe000), 4096, 260, ... 01488 788 NtSetEventBoostPriority (256, ... 01489 868 NtContinue (31456560, 1, ... 01490 784 NtWaitForSingleObject (312, 0, 0x0, ... 01491 864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01471 636 NtWaitForSingleObject ... ) == 0x0 01492 868 NtRegisterThreadTerminatePort (24, ... 01491 864 NtDuplicateObject ... 316, ) == 0x0 01493 636 NtSetEventBoostPriority (256, ... 01488 788 NtSetEventBoostPriority ... ) == 0x0 01487 468 NtProtectVirtualMemory ... (0x27fe000), 4096, 4, ) == 0x0 01494 864 NtWaitForSingleObject (256, 0, 0x0, ... 01470 716 NtWaitForSingleObject ... ) == 0x0 01493 636 NtSetEventBoostPriority ... ) == 0x0 01492 868 NtRegisterThreadTerminatePort ... ) == 0x0 01495 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01496 716 NtSetEventBoostPriority (256, ... 01497 636 NtWaitForSingleObject (312, 0, 0x0, ... 01498 868 NtWaitForSingleObject (256, 0, 0x0, ... 
01484 872 NtWaitForSingleObject ... ) == 0x0 01495 468 NtCreateThread ... 320, {460, 920}, ) == 0x0 01496 716 NtSetEventBoostPriority ... ) == 0x0 01499 788 NtSetEventBoostPriority (312, ... 01500 872 NtSetEventBoostPriority (256, ... 01501 468 NtQueryInformationThread (320, Basic, 28, ... 01502 716 NtWaitForSingleObject (256, 0, 0x0, ... 01483 308 NtWaitForSingleObject ... ) == 0x0 01500 872 NtSetEventBoostPriority ... ) == 0x0 01480 844 NtWaitForSingleObject ... ) == 0x0 01499 788 NtSetEventBoostPriority ... ) == 0x0 01501 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=460,Tid=920,}, 0x0, ) == 0x0 01503 308 NtSetEventBoostPriority (256, ... 01504 844 NtWaitForSingleObject (256, 0, 0x0, ... 01505 788 NtWaitForSingleObject (100, 0, {0, 0}, ... 01478 812 NtWaitForSingleObject ... ) == 0x0 01503 308 NtSetEventBoostPriority ... ) == 0x0 01506 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1544, 0} (24, {28, 56, new_msg, 0, 460, 468, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\1\0\0\314\1\0\0\230\3\0\0" ... ... 01507 812 NtSetEventBoostPriority (256, ... 01505 788 NtWaitForSingleObject ... ) == 0x102 01508 872 NtSetEventBoostPriority (132, ... 01509 308 NtWaitForSingleObject (312, 0, 0x0, ... 01494 864 NtWaitForSingleObject ... ) == 0x0 01510 788 NtWaitForSingleObject (256, 0, 0x0, ... 01213 876 NtWaitForSingleObject ... ) == 0x0 01508 872 NtSetEventBoostPriority ... ) == 0x0 01511 864 NtSetEventBoostPriority (256, ... 01507 812 NtSetEventBoostPriority ... ) == 0x0 01506 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1545, 0} ... {28, 56, reply, 0, 460, 468, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\1\0\0\314\1\0\0\230\3\0\0" ) ) == 0x0 01512 876 NtWaitForSingleObject (256, 0, 0x0, ... 01513 872 NtTestAlert (... 01498 868 NtWaitForSingleObject ... ) == 0x0 01511 864 NtSetEventBoostPriority ... ) == 0x0 01514 812 NtWaitForSingleObject (160, 0, 0x0, ... 01515 468 NtResumeThread (320, ... 
01516 868 NtSetEventBoostPriority (256, ... 01513 872 NtTestAlert ... ) == 0x0 01502 716 NtWaitForSingleObject ... ) == 0x0 01516 868 NtSetEventBoostPriority ... ) == 0x0 01515 468 NtResumeThread ... 1, ) == 0x0 01517 716 NtSetEventBoostPriority (256, ... 01518 872 NtContinue (32505136, 1, ... 01519 864 NtWaitForSingleObject (256, 0, 0x0, ... 01520 920 NtWaitForSingleObject (132, 0, 0x0, ... 01504 844 NtWaitForSingleObject ... ) == 0x0 01517 716 NtSetEventBoostPriority ... ) == 0x0 01521 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01522 872 NtRegisterThreadTerminatePort (24, ... 01523 844 NtSetEventBoostPriority (256, ... 01524 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01521 468 NtAllocateVirtualMemory ... 41943040, 1048576, ) == 0x0 01525 716 NtWaitForSingleObject (256, 0, 0x0, ... 01512 876 NtWaitForSingleObject ... ) == 0x0 01523 844 NtSetEventBoostPriority ... ) == 0x0 01524 868 NtDuplicateObject ... 324, ) == 0x0 01522 872 NtRegisterThreadTerminatePort ... ) == 0x0 01526 876 NtSetEventBoostPriority (256, ... 01527 468 NtAllocateVirtualMemory (-1, 42983424, 0, 8192, 4096, 4, ... 01528 868 NtWaitForSingleObject (256, 0, 0x0, ... 01510 788 NtWaitForSingleObject ... ) == 0x0 01526 876 NtSetEventBoostPriority ... ) == 0x0 01529 872 NtWaitForSingleObject (256, 0, 0x0, ... 01527 468 NtAllocateVirtualMemory ... 42983424, 8192, ) == 0x0 01530 788 NtSetEventBoostPriority (256, ... 01531 844 NtSetEventBoostPriority (312, ... 01519 864 NtWaitForSingleObject ... ) == 0x0 01532 468 NtProtectVirtualMemory (-1, (0x28fe000), 4096, 260, ... 01490 784 NtWaitForSingleObject ... ) == 0x0 01531 844 NtSetEventBoostPriority ... ) == 0x0 01533 864 NtSetEventBoostPriority (256, ... 01534 784 NtWaitForSingleObject (256, 0, 0x0, ... 01532 468 NtProtectVirtualMemory ... (0x28fe000), 4096, 4, ) == 0x0 01535 844 NtWaitForSingleObject (100, 0, {0, 0}, ... 01525 716 NtWaitForSingleObject ... ) == 0x0 01533 864 NtSetEventBoostPriority ... 
) == 0x0 01536 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01537 716 NtSetEventBoostPriority (256, ... 01535 844 NtWaitForSingleObject ... ) == 0x102 01538 864 NtWaitForSingleObject (256, 0, 0x0, ... 01528 868 NtWaitForSingleObject ... ) == 0x0 01537 716 NtSetEventBoostPriority ... ) == 0x0 01536 468 NtCreateThread ... 328, {460, 924}, ) == 0x0 01539 844 NtWaitForSingleObject (160, 0, 0x0, ... 01530 788 NtSetEventBoostPriority ... ) == 0x0 01540 876 NtSetEventBoostPriority (132, ... 01541 868 NtSetEventBoostPriority (256, ... 01542 716 NtWaitForSingleObject (312, 0, 0x0, ... 01543 468 NtQueryInformationThread (328, Basic, 28, ... 01544 788 NtWaitForSingleObject (160, 0, 0x0, ... 01529 872 NtWaitForSingleObject ... ) == 0x0 01541 868 NtSetEventBoostPriority ... ) == 0x0 01226 880 NtWaitForSingleObject ... ) == 0x0 01540 876 NtSetEventBoostPriority ... ) == 0x0 01543 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=460,Tid=924,}, 0x0, ) == 0x0 01545 872 NtSetEventBoostPriority (256, ... 01546 880 NtWaitForSingleObject (256, 0, 0x0, ... 01547 876 NtTestAlert (... 01534 784 NtWaitForSingleObject ... ) == 0x0 01545 872 NtSetEventBoostPriority ... ) == 0x0 01548 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1545, 0} (24, {28, 56, new_msg, 0, 460, 468, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0\314\1\0\0\234\3\0\0" ... ... 01549 784 NtSetEventBoostPriority (256, ... 01547 876 NtTestAlert ... ) == 0x0 01550 868 NtWaitForSingleObject (256, 0, 0x0, ... 01538 864 NtWaitForSingleObject ... ) == 0x0 01549 784 NtSetEventBoostPriority ... ) == 0x0 01548 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1546, 0} ... {28, 56, reply, 0, 460, 468, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0\314\1\0\0\234\3\0\0" ) ) == 0x0 01551 876 NtContinue (33553712, 1, ... 01552 864 NtSetEventBoostPriority (256, ... 01553 872 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01554 468 NtResumeThread (328, ... 
01546 880 NtWaitForSingleObject ... ) == 0x0 01555 876 NtRegisterThreadTerminatePort (24, ... 01553 872 NtDuplicateObject ... 332, ) == 0x0 01552 864 NtSetEventBoostPriority ... ) == 0x0 01556 784 NtSetEventBoostPriority (312, ... 01557 880 NtSetEventBoostPriority (256, ... 01554 468 NtResumeThread ... 1, ) == 0x0 01558 872 NtWaitForSingleObject (256, 0, 0x0, ... 01559 864 NtWaitForSingleObject (312, 0, 0x0, ... 01550 868 NtWaitForSingleObject ... ) == 0x0 01557 880 NtSetEventBoostPriority ... ) == 0x0 01497 636 NtWaitForSingleObject ... ) == 0x0 01556 784 NtSetEventBoostPriority ... ) == 0x0 01560 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01561 868 NtSetEventBoostPriority (256, ... 01555 876 NtRegisterThreadTerminatePort ... ) == 0x0 01562 924 NtWaitForSingleObject (132, 0, 0x0, ... 01563 636 NtWaitForSingleObject (256, 0, 0x0, ... 01564 784 NtWaitForSingleObject (100, 0, {0, 0}, ... 01558 872 NtWaitForSingleObject ... ) == 0x0 01561 868 NtSetEventBoostPriority ... ) == 0x0 01560 468 NtAllocateVirtualMemory ... 42991616, 1048576, ) == 0x0 01565 876 NtWaitForSingleObject (256, 0, 0x0, ... 01566 872 NtSetEventBoostPriority (256, ... 01564 784 NtWaitForSingleObject ... ) == 0x102 01567 868 NtWaitForSingleObject (312, 0, 0x0, ... 01568 468 NtAllocateVirtualMemory (-1, 44032000, 0, 8192, 4096, 4, ... 01563 636 NtWaitForSingleObject ... ) == 0x0 01566 872 NtSetEventBoostPriority ... ) == 0x0 01569 784 NtWaitForSingleObject (256, 0, 0x0, ... 01570 880 NtSetEventBoostPriority (132, ... 01571 636 NtSetEventBoostPriority (256, ... 01568 468 NtAllocateVirtualMemory ... 44032000, 8192, ) == 0x0 01572 872 NtWaitForSingleObject (256, 0, 0x0, ... 01565 876 NtWaitForSingleObject ... ) == 0x0 01233 584 NtWaitForSingleObject ... ) == 0x0 01570 880 NtSetEventBoostPriority ... ) == 0x0 01573 468 NtProtectVirtualMemory (-1, (0x29fe000), 4096, 260, ... 01574 584 NtSetEventBoostPriority (132, ... 01575 876 NtSetEventBoostPriority (256, ... 01576 880 NtTestAlert (... 
01571 636 NtSetEventBoostPriority ... ) == 0x0 01246 884 NtWaitForSingleObject ... ) == 0x0 01574 584 NtSetEventBoostPriority ... ) == 0x0 01572 872 NtWaitForSingleObject ... ) == 0x0 01575 876 NtSetEventBoostPriority ... ) == 0x0 01576 880 NtTestAlert ... ) == 0x0 01573 468 NtProtectVirtualMemory ... (0x29fe000), 4096, 4, ) == 0x0 01577 884 NtWaitForSingleObject (256, 0, 0x0, ... 01578 636 NtSetEventBoostPriority (312, ... 01579 872 NtSetEventBoostPriority (256, ... 01580 584 NtWaitForSingleObject (256, 0, 0x0, ... 01581 880 NtContinue (34602288, 1, ... 01582 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01569 784 NtWaitForSingleObject ... ) == 0x0 01579 872 NtSetEventBoostPriority ... ) == 0x0 01509 308 NtWaitForSingleObject ... ) == 0x0 01578 636 NtSetEventBoostPriority ... ) == 0x0 01583 880 NtRegisterThreadTerminatePort (24, ... 01584 784 NtSetEventBoostPriority (256, ... 01582 468 NtCreateThread ... 336, {460, 928}, ) == 0x0 01585 308 NtWaitForSingleObject (256, 0, 0x0, ... 01586 872 NtWaitForSingleObject (312, 0, 0x0, ... 01587 636 NtWaitForSingleObject (100, 0, {0, 0}, ... 01588 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01577 884 NtWaitForSingleObject ... ) == 0x0 01589 468 NtQueryInformationThread (336, Basic, 28, ... 01584 784 NtSetEventBoostPriority ... ) == 0x0 01583 880 NtRegisterThreadTerminatePort ... ) == 0x0 01587 636 NtWaitForSingleObject ... ) == 0x102 01590 884 NtSetEventBoostPriority (256, ... 01588 876 NtDuplicateObject ... 340, ) == 0x0 01589 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=460,Tid=928,}, 0x0, ) == 0x0 01591 784 NtWaitForSingleObject (160, 0, 0x0, ... 01592 880 NtWaitForSingleObject (256, 0, 0x0, ... 01580 584 NtWaitForSingleObject ... ) == 0x0 01590 884 NtSetEventBoostPriority ... ) == 0x0 01593 636 NtWaitForSingleObject (160, 0, 0x0, ... 01594 876 NtWaitForSingleObject (256, 0, 0x0, ... 
01595 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1546, 0} (24, {28, 56, new_msg, 0, 460, 468, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\1\0\0\314\1\0\0\240\3\0\0" ... ... 01596 584 NtSetEventBoostPriority (256, ... 01597 884 NtSetEventBoostPriority (132, ... 01585 308 NtWaitForSingleObject ... ) == 0x0 01596 584 NtSetEventBoostPriority ... ) == 0x0 01598 308 NtSetEventBoostPriority (256, ... 01267 888 NtWaitForSingleObject ... ) == 0x0 01597 884 NtSetEventBoostPriority ... ) == 0x0 01592 880 NtWaitForSingleObject ... ) == 0x0 01599 888 NtWaitForSingleObject (256, 0, 0x0, ... 01598 308 NtSetEventBoostPriority ... ) == 0x0 01600 584 NtWaitForSingleObject (256, 0, 0x0, ... 01601 880 NtSetEventBoostPriority (256, ... 01602 884 NtTestAlert (... 01595 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1547, 0} ... {28, 56, reply, 0, 460, 468, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\1\0\0\314\1\0\0\240\3\0\0" ) ) == 0x0 01603 308 NtSetEventBoostPriority (312, ... 01594 876 NtWaitForSingleObject ... ) == 0x0 01601 880 NtSetEventBoostPriority ... ) == 0x0 01602 884 NtTestAlert ... ) == 0x0 01604 468 NtResumeThread (336, ... 01605 876 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 01542 716 NtWaitForSingleObject ... ) == 0x0 01603 308 NtSetEventBoostPriority ... ) == 0x0 01606 884 NtContinue (35650864, 1, ... 01605 876 NtAllocateVirtualMemory ... 1372160, 4096, ) == 0x0 01607 716 NtWaitForSingleObject (256, 0, 0x0, ... 01604 468 NtResumeThread ... 1, ) == 0x0 01608 308 NtWaitForSingleObject (100, 0, {0, 0}, ... 01609 884 NtRegisterThreadTerminatePort (24, ... 01610 880 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01611 928 NtWaitForSingleObject (132, 0, 0x0, ... 01612 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01608 308 NtWaitForSingleObject ... ) == 0x102 01613 876 NtSetEventBoostPriority (256, ... 01610 880 NtDuplicateObject ... 344, ) == 0x0 01612 468 NtAllocateVirtualMemory ... 
44040192, 1048576, ) == 0x0 01614 308 NtWaitForSingleObject (256, 0, 0x0, ... 01599 888 NtWaitForSingleObject ... ) == 0x0 01613 876 NtSetEventBoostPriority ... ) == 0x0 01615 880 NtWaitForSingleObject (256, 0, 0x0, ... 01609 884 NtRegisterThreadTerminatePort ... ) == 0x0 01616 468 NtAllocateVirtualMemory (-1, 45080576, 0, 8192, 4096, 4, ... 01617 888 NtSetEventBoostPriority (256, ... 01618 876 NtWaitForSingleObject (256, 0, 0x0, ... 01619 884 NtWaitForSingleObject (256, 0, 0x0, ... 01600 584 NtWaitForSingleObject ... ) == 0x0 01617 888 NtSetEventBoostPriority ... ) == 0x0 01616 468 NtAllocateVirtualMemory ... 45080576, 8192, ) == 0x0 01620 584 NtSetEventBoostPriority (256, ... 01607 716 NtWaitForSingleObject ... ) == 0x0 01621 716 NtSetEventBoostPriority (256, ... 01615 880 NtWaitForSingleObject ... ) == 0x0 01622 880 NtSetEventBoostPriority (256, ... 01618 876 NtWaitForSingleObject ... ) == 0x0 01623 876 NtSetEventBoostPriority (256, ... 01619 884 NtWaitForSingleObject ... ) == 0x0 01624 884 NtSetEventBoostPriority (256, ... 01614 308 NtWaitForSingleObject ... ) == 0x0 01625 308 NtWaitForSingleObject (160, 0, 0x0, ... 01624 884 NtSetEventBoostPriority ... ) == 0x0 01623 876 NtSetEventBoostPriority ... ) == 0x0 01622 880 NtSetEventBoostPriority ... ) == 0x0 01626 468 NtProtectVirtualMemory (-1, (0x2afe000), 4096, 260, ... 01621 716 NtSetEventBoostPriority ... ) == 0x0 01620 584 NtSetEventBoostPriority ... ) == 0x0 01627 888 NtSetEventBoostPriority (132, ... 01628 884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01629 876 NtWaitForSingleObject (312, 0, 0x0, ... 01626 468 NtProtectVirtualMemory ... (0x2afe000), 4096, 4, ) == 0x0 01630 880 NtWaitForSingleObject (312, 0, 0x0, ... 01631 584 NtQuerySystemInformation (Basic, 44, ... 01306 588 NtWaitForSingleObject ... ) == 0x0 01627 888 NtSetEventBoostPriority ... ) == 0x0 01628 884 NtDuplicateObject ... 348, ) == 0x0 01632 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 
01633 588 NtSetEventBoostPriority (132, ... 01631 584 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01634 888 NtTestAlert (... 01635 884 NtWaitForSingleObject (312, 0, 0x0, ... 01330 892 NtWaitForSingleObject ... ) == 0x0 01633 588 NtSetEventBoostPriority ... ) == 0x0 01632 468 NtCreateThread ... 352, {460, 932}, ) == 0x0 01636 716 NtSetEventBoostPriority (312, ... 01634 888 NtTestAlert ... ) == 0x0 01637 892 NtSetEventBoostPriority (132, ... 01638 588 NtWaitForSingleObject (132, 0, 0x0, ... 01639 584 NtWaitForSingleObject (312, 0, 0x0, ... 01559 864 NtWaitForSingleObject ... ) == 0x0 01636 716 NtSetEventBoostPriority ... ) == 0x0 01379 896 NtWaitForSingleObject ... ) == 0x0 01637 892 NtSetEventBoostPriority ... ) == 0x0 01640 888 NtContinue (36699440, 1, ... 01641 468 NtQueryInformationThread (352, Basic, 28, ... 01642 864 NtSetEventBoostPriority (312, ... 01643 896 NtSetEventBoostPriority (132, ... 01644 716 NtWaitForSingleObject (100, 0, {0, 0}, ... 01645 888 NtRegisterThreadTerminatePort (24, ... 01567 868 NtWaitForSingleObject ... ) == 0x0 01416 900 NtWaitForSingleObject ... ) == 0x0 01643 896 NtSetEventBoostPriority ... ) == 0x0 01642 864 NtSetEventBoostPriority ... ) == 0x0 01641 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=460,Tid=932,}, 0x0, ) == 0x0 01644 716 NtWaitForSingleObject ... ) == 0x102 01646 892 NtTestAlert (... 01647 868 NtSetEventBoostPriority (312, ... 01648 900 NtSetEventBoostPriority (132, ... 01645 888 NtRegisterThreadTerminatePort ... ) == 0x0 01649 896 NtTestAlert (... 
01650 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1547, 0} (24, {28, 56, new_msg, 0, 460, 468, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\314\1\0\0\244\3\0\0" ... ... 01651 716 NtWaitForSingleObject (160, 0, 0x0, ... 01586 872 NtWaitForSingleObject ... ) == 0x0 01475 916 NtWaitForSingleObject ... ) == 0x0 01648 900 NtSetEventBoostPriority ... ) == 0x0 01646 892 NtTestAlert ... ) == 0x0 01652 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01649 896 NtTestAlert ... ) == 0x0 01650 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1548, 0} ... {28, 56, reply, 0, 460, 468, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\314\1\0\0\244\3\0\0" ) ) == 0x0 01647 868 NtSetEventBoostPriority ... ) == 0x0 01653 864 NtWaitForSingleObject (100, 0, {0, 0}, ... 01654 916 NtSetEventBoostPriority (132, ... 01655 872 NtSetEventBoostPriority (312, ... 01656 892 NtContinue (37748016, 1, ... 01652 888 NtDuplicateObject ... 356, ) == 0x0 01657 896 NtContinue (38796592, 1, ... 01658 468 NtResumeThread (352, ... 01659 868 NtWaitForSingleObject (100, 0, {0, 0}, ... 01520 920 NtWaitForSingleObject ... ) == 0x0 01654 916 NtSetEventBoostPriority ... ) == 0x0 01653 864 NtWaitForSingleObject ... ) == 0x102 01629 876 NtWaitForSingleObject ... ) == 0x0 01660 892 NtRegisterThreadTerminatePort (24, ... 01661 888 NtWaitForSingleObject (312, 0, 0x0, ... 01662 896 NtRegisterThreadTerminatePort (24, ... 01658 468 NtResumeThread ... 1, ) == 0x0 01663 920 NtSetEventBoostPriority (132, ... 01659 868 NtWaitForSingleObject ... ) == 0x102 01655 872 NtSetEventBoostPriority ... ) == 0x0 01664 900 NtTestAlert (... 01665 932 NtWaitForSingleObject (132, 0, 0x0, ... 01666 864 NtWaitForSingleObject (160, 0, 0x0, ... 01667 876 NtSetEventBoostPriority (312, ... 01660 892 NtRegisterThreadTerminatePort ... ) == 0x0 01662 896 NtRegisterThreadTerminatePort ... ) == 0x0 01562 924 NtWaitForSingleObject ... ) == 0x0 01663 920 NtSetEventBoostPriority ... 
) == 0x0 01668 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01669 868 NtWaitForSingleObject (160, 0, 0x0, ... 01670 872 NtWaitForSingleObject (100, 0, {0, 0}, ... 01664 900 NtTestAlert ... ) == 0x0 01630 880 NtWaitForSingleObject ... ) == 0x0 01667 876 NtSetEventBoostPriority ... ) == 0x0 01671 892 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01672 924 NtSetEventBoostPriority (132, ... 01673 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01674 916 NtTestAlert (... 01668 468 NtAllocateVirtualMemory ... 45088768, 1048576, ) == 0x0 01675 880 NtSetEventBoostPriority (312, ... 01676 900 NtContinue (39845168, 1, ... 01677 876 NtWaitForSingleObject (100, 0, {0, 0}, ... 01678 920 NtTestAlert (... 01670 872 NtWaitForSingleObject ... ) == 0x102 01611 928 NtWaitForSingleObject ... ) == 0x0 01672 924 NtSetEventBoostPriority ... ) == 0x0 01671 892 NtDuplicateObject ... 360, ) == 0x0 01674 916 NtTestAlert ... ) == 0x0 01673 896 NtDuplicateObject ... 364, ) == 0x0 01635 884 NtWaitForSingleObject ... ) == 0x0 01675 880 NtSetEventBoostPriority ... ) == 0x0 01679 900 NtRegisterThreadTerminatePort (24, ... 01680 468 NtAllocateVirtualMemory (-1, 46129152, 0, 8192, 4096, 4, ... 01678 920 NtTestAlert ... ) == 0x0 01681 928 NtSetEventBoostPriority (132, ... 01682 872 NtWaitForSingleObject (160, 0, 0x0, ... 01677 876 NtWaitForSingleObject ... ) == 0x102 01683 892 NtWaitForSingleObject (312, 0, 0x0, ... 01684 916 NtContinue (40893744, 1, ... 01685 884 NtSetEventBoostPriority (312, ... 01686 896 NtWaitForSingleObject (312, 0, 0x0, ... 01687 880 NtWaitForSingleObject (100, 0, {0, 0}, ... 01679 900 NtRegisterThreadTerminatePort ... ) == 0x0 01680 468 NtAllocateVirtualMemory ... 46129152, 8192, ) == 0x0 01638 588 NtWaitForSingleObject ... ) == 0x0 01681 928 NtSetEventBoostPriority ... ) == 0x0 01688 920 NtContinue (41942320, 1, ... 01689 876 NtWaitForSingleObject (160, 0, 0x0, ... 01639 584 NtWaitForSingleObject ... ) == 0x0 01685 884 NtSetEventBoostPriority ... 
) == 0x0 01690 916 NtRegisterThreadTerminatePort (24, ... 01691 924 NtTestAlert (... 01692 900 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01693 588 NtSetEventBoostPriority (132, ... 01694 468 NtProtectVirtualMemory (-1, (0x2bfe000), 4096, 260, ... 01687 880 NtWaitForSingleObject ... ) == 0x102 01695 920 NtRegisterThreadTerminatePort (24, ... 01696 584 NtSetEventBoostPriority (312, ... 01697 928 NtTestAlert (... 01690 916 NtRegisterThreadTerminatePort ... ) == 0x0 01691 924 NtTestAlert ... ) == 0x0 01698 884 NtWaitForSingleObject (100, 0, {0, 0}, ... 01665 932 NtWaitForSingleObject ... ) == 0x0 01694 468 NtProtectVirtualMemory ... (0x2bfe000), 4096, 4, ) == 0x0 01699 880 NtWaitForSingleObject (160, 0, 0x0, ... 01661 888 NtWaitForSingleObject ... ) == 0x0 01696 584 NtSetEventBoostPriority ... ) == 0x0 01695 920 NtRegisterThreadTerminatePort ... ) == 0x0 01697 928 NtTestAlert ... ) == 0x0 01700 916 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01701 924 NtContinue (42990896, 1, ... 01698 884 NtWaitForSingleObject ... ) == 0x102 01702 932 NtTestAlert (... 01703 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01704 888 NtSetEventBoostPriority (312, ... 01705 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01706 920 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01707 928 NtContinue (44039472, 1, ... 01693 588 NtSetEventBoostPriority ... ) == 0x0 01692 900 NtDuplicateObject ... 368, ) == 0x0 01708 924 NtRegisterThreadTerminatePort (24, ... 01709 884 NtWaitForSingleObject (160, 0, 0x0, ... 01702 932 NtTestAlert ... ) == 0x0 01683 892 NtWaitForSingleObject ... ) == 0x0 01704 888 NtSetEventBoostPriority ... ) == 0x0 01703 468 NtCreateThread ... 372, {460, 936}, ) == 0x0 01700 916 NtDuplicateObject ... 376, ) == 0x0 01705 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01710 928 NtRegisterThreadTerminatePort (24, ... 01711 588 NtWaitForSingleObject (312, 0, 0x0, ... 
01712 900 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01708 924 NtRegisterThreadTerminatePort ... ) == 0x0 01706 920 NtDuplicateObject ... 380, ) == 0x0 01713 892 NtSetEventBoostPriority (312, ... 01714 932 NtContinue (45088048, 1, ... 01715 888 NtWaitForSingleObject (100, 0, {0, 0}, ... 01716 916 NtWaitForSingleObject (256, 0, 0x0, ... 01717 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01710 928 NtRegisterThreadTerminatePort ... ) == 0x0 01712 900 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01718 924 NtWaitForSingleObject (256, 0, 0x0, ... 01686 896 NtWaitForSingleObject ... ) == 0x0 01713 892 NtSetEventBoostPriority ... ) == 0x0 01719 920 NtWaitForSingleObject (256, 0, 0x0, ... 01720 932 NtRegisterThreadTerminatePort (24, ... 01715 888 NtWaitForSingleObject ... ) == 0x102 01717 584 NtOpenKey ... 384, ) == 0x0 01721 928 NtWaitForSingleObject (256, 0, 0x0, ... 01722 900 NtSetEventBoostPriority (256, ... 01723 468 NtQueryInformationThread (372, Basic, 28, ... 01724 896 NtWaitForSingleObject (256, 0, 0x0, ... 01720 932 NtRegisterThreadTerminatePort ... ) == 0x0 01725 888 NtWaitForSingleObject (256, 0, 0x0, ... 01726 584 NtQueryValueKey (384, (384, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01727 892 NtWaitForSingleObject (100, 0, {0, 0}, ... 01716 916 NtWaitForSingleObject ... ) == 0x0 01722 900 NtSetEventBoostPriority ... ) == 0x0 01723 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=460,Tid=936,}, 0x0, ) == 0x0 01728 932 NtWaitForSingleObject (256, 0, 0x0, ... 01726 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01729 916 NtSetEventBoostPriority (256, ... 01727 892 NtWaitForSingleObject ... ) == 0x102 01730 900 NtWaitForSingleObject (312, 0, 0x0, ... 
01731 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1548, 0} (24, {28, 56, new_msg, 0, 460, 468, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\1\0\0\314\1\0\0\250\3\0\0" ... ... 01718 924 NtWaitForSingleObject ... ) == 0x0 01729 916 NtSetEventBoostPriority ... ) == 0x0 01732 584 NtClose (384, ... 01733 892 NtWaitForSingleObject (256, 0, 0x0, ... 01734 924 NtSetEventBoostPriority (256, ... 01731 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1549, 0} ... {28, 56, reply, 0, 460, 468, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\1\0\0\314\1\0\0\250\3\0\0" ) ) == 0x0 01735 916 NtWaitForSingleObject (256, 0, 0x0, ... 01719 920 NtWaitForSingleObject ... ) == 0x0 01736 468 NtResumeThread (372, ... 01737 920 NtSetEventBoostPriority (256, ... 01734 924 NtSetEventBoostPriority ... ) == 0x0 01732 584 NtClose ... ) == 0x0 01724 896 NtWaitForSingleObject ... ) == 0x0 01737 920 NtSetEventBoostPriority ... ) == 0x0 01738 924 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01739 896 NtSetEventBoostPriority (256, ... 01740 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 01736 468 NtResumeThread ... 1, ) == 0x0 01725 888 NtWaitForSingleObject ... ) == 0x0 01739 896 NtSetEventBoostPriority ... ) == 0x0 01738 924 NtDuplicateObject ... 384, ) == 0x0 01740 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01741 888 NtSetEventBoostPriority (256, ... 01742 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01743 920 NtWaitForSingleObject (256, 0, 0x0, ... 01744 936 NtWaitForSingleObject (256, 0, 0x0, ... 01745 896 NtSetEventBoostPriority (312, ... 01728 932 NtWaitForSingleObject ... ) == 0x0 01741 888 NtSetEventBoostPriority ... ) == 0x0 01746 584 NtWaitForSingleObject (256, 0, 0x0, ... 01742 468 NtAllocateVirtualMemory ... 46137344, 1048576, ) == 0x0 01747 932 NtSetEventBoostPriority (256, ... 
01711 588 NtWaitForSingleObject ... ) == 0x0 01745 896 NtSetEventBoostPriority ... ) == 0x0 01748 924 NtWaitForSingleObject (256, 0, 0x0, ... 01721 928 NtWaitForSingleObject ... ) == 0x0 01749 588 NtWaitForSingleObject (256, 0, 0x0, ... 01747 932 NtSetEventBoostPriority ... ) == 0x0 01750 468 NtAllocateVirtualMemory (-1, 47177728, 0, 8192, 4096, 4, ... 01751 896 NtWaitForSingleObject (100, 0, {0, 0}, ... 01752 928 NtSetEventBoostPriority (256, ... 01753 888 NtWaitForSingleObject (160, 0, 0x0, ... 01750 468 NtAllocateVirtualMemory ... 47177728, 8192, ) == 0x0 01733 892 NtWaitForSingleObject ... ) == 0x0 01751 896 NtWaitForSingleObject ... ) == 0x102 01754 468 NtProtectVirtualMemory (-1, (0x2cfe000), 4096, 260, ... 01755 892 NtSetEventBoostPriority (256, ... 01756 896 NtWaitForSingleObject (256, 0, 0x0, ... 01752 928 NtSetEventBoostPriority ... ) == 0x0 01757 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01735 916 NtWaitForSingleObject ... ) == 0x0 01755 892 NtSetEventBoostPriority ... ) == 0x0 01754 468 NtProtectVirtualMemory ... (0x2cfe000), 4096, 4, ) == 0x0 01758 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01759 916 NtSetEventBoostPriority (256, ... 01757 932 NtDuplicateObject ... 388, ) == 0x0 01760 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01743 920 NtWaitForSingleObject ... ) == 0x0 01759 916 NtSetEventBoostPriority ... ) == 0x0 01758 928 NtDuplicateObject ... 392, ) == 0x0 01761 932 NtWaitForSingleObject (256, 0, 0x0, ... 01762 920 NtSetEventBoostPriority (256, ... 01760 468 NtCreateThread ... 396, {460, 940}, ) == 0x0 01763 916 NtWaitForSingleObject (312, 0, 0x0, ... 01764 892 NtWaitForSingleObject (160, 0, 0x0, ... 01744 936 NtWaitForSingleObject ... ) == 0x0 01762 920 NtSetEventBoostPriority ... ) == 0x0 01765 468 NtQueryInformationThread (396, Basic, 28, ... 01766 928 NtWaitForSingleObject (256, 0, 0x0, ... 01767 936 NtSetEventBoostPriority (256, ... 01768 920 NtWaitForSingleObject (256, 0, 0x0, ... 
01765 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=460,Tid=940,}, 0x0, ) == 0x0 01746 584 NtWaitForSingleObject ... ) == 0x0 01767 936 NtSetEventBoostPriority ... ) == 0x0 01769 584 NtSetEventBoostPriority (256, ... 01770 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1549, 0} (24, {28, 56, new_msg, 0, 460, 468, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\1\0\0\314\1\0\0\254\3\0\0" ... ... 01749 588 NtWaitForSingleObject ... ) == 0x0 01769 584 NtSetEventBoostPriority ... ) == 0x0 01771 936 NtTestAlert (... 01772 588 NtSetEventBoostPriority (256, ... 01770 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1550, 0} ... {28, 56, reply, 0, 460, 468, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\1\0\0\314\1\0\0\254\3\0\0" ) ) == 0x0 01748 924 NtWaitForSingleObject ... ) == 0x0 01772 588 NtSetEventBoostPriority ... ) == 0x0 01771 936 NtTestAlert ... ) == 0x0 01773 924 NtSetEventBoostPriority (256, ... 01774 468 NtResumeThread (396, ... 01775 584 NtWaitForSingleObject (312, 0, 0x0, ... 01756 896 NtWaitForSingleObject ... ) == 0x0 01773 924 NtSetEventBoostPriority ... ) == 0x0 01776 936 NtContinue (46136624, 1, ... 01774 468 NtResumeThread ... 1, ) == 0x0 01777 896 NtSetEventBoostPriority (256, ... 01778 924 NtWaitForSingleObject (256, 0, 0x0, ... 01779 936 NtRegisterThreadTerminatePort (24, ... 01761 932 NtWaitForSingleObject ... ) == 0x0 01780 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01777 896 NtSetEventBoostPriority ... ) == 0x0 01781 588 NtSetEventBoostPriority (312, ... 01782 940 NtWaitForSingleObject (256, 0, 0x0, ... 01779 936 NtRegisterThreadTerminatePort ... ) == 0x0 01783 932 NtSetEventBoostPriority (256, ... 01780 468 NtAllocateVirtualMemory ... 47185920, 1048576, ) == 0x0 01784 896 NtWaitForSingleObject (160, 0, 0x0, ... 01730 900 NtWaitForSingleObject ... ) == 0x0 01781 588 NtSetEventBoostPriority ... ) == 0x0 01785 936 NtWaitForSingleObject (256, 0, 0x0, ... 
01766 928 NtWaitForSingleObject ... ) == 0x0 01783 932 NtSetEventBoostPriority ... ) == 0x0 01786 900 NtWaitForSingleObject (256, 0, 0x0, ... 01787 588 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12582468, 67, ... }, 0x0, 0, 3, 3, 0, 12582468, 67, ... 01788 468 NtAllocateVirtualMemory (-1, 48226304, 0, 8192, 4096, 4, ... 01789 928 NtSetEventBoostPriority (256, ... 01787 588 NtCreateFile ... 400, {status=0x0, info=0}, ) == 0x0 01768 920 NtWaitForSingleObject ... ) == 0x0 01789 928 NtSetEventBoostPriority ... ) == 0x0 01788 468 NtAllocateVirtualMemory ... 48226304, 8192, ) == 0x0 01790 920 NtSetEventBoostPriority (256, ... 01791 588 NtDeviceIoControlFile (400, 136, 0x0, 0x0, 0x1207b, (400, 136, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\0\262\24\0\17\346\367w", 16, 16, ... , 16, 16, ... 01792 928 NtWaitForSingleObject (256, 0, 0x0, ... 01782 940 NtWaitForSingleObject ... ) == 0x0 01793 468 NtProtectVirtualMemory (-1, (0x2dfe000), 4096, 260, ... 01791 588 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\220\277\14\201", ) , ) == 0x0 01790 920 NtSetEventBoostPriority ... ) == 0x0 01794 932 NtWaitForSingleObject (256, 0, 0x0, ... 01795 940 NtSetEventBoostPriority (256, ... 01793 468 NtProtectVirtualMemory ... (0x2dfe000), 4096, 4, ) == 0x0 01796 920 NtWaitForSingleObject (312, 0, 0x0, ... 01778 924 NtWaitForSingleObject ... ) == 0x0 01795 940 NtSetEventBoostPriority ... ) == 0x0 01797 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01798 924 NtSetEventBoostPriority (256, ... 01799 588 NtDeviceIoControlFile (400, 136, 0x0, 0x0, 0x1207b, (400, 136, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\220\277\14\201", 16, 16, ... , 16, 16, ... 01785 936 NtWaitForSingleObject ... ) == 0x0 01797 468 NtCreateThread ... 404, {460, 944}, ) == 0x0 01799 588 NtDeviceIoControlFile ... {status=0x0, info=16}, ... 
{status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\220\277\14\201", ) , ) == 0x0 01800 936 NtSetEventBoostPriority (256, ... 01798 924 NtSetEventBoostPriority ... ) == 0x0 01801 940 NtTestAlert (... 01802 588 NtDeviceIoControlFile (400, 136, 0x0, 0x0, 0x12047, (400, 136, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h\4\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01786 900 NtWaitForSingleObject ... ) == 0x0 01803 924 NtWaitForSingleObject (312, 0, 0x0, ... 01801 940 NtTestAlert ... ) == 0x0 01804 900 NtSetEventBoostPriority (256, ... 01802 588 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01792 928 NtWaitForSingleObject ... ) == 0x0 01805 940 NtContinue (47185200, 1, ... 01806 588 NtWaitForSingleObject (256, 0, 0x0, ... 01807 928 NtSetEventBoostPriority (256, ... 01808 940 NtRegisterThreadTerminatePort (24, ... 01794 932 NtWaitForSingleObject ... ) == 0x0 01808 940 NtRegisterThreadTerminatePort ... ) == 0x0 01809 932 NtSetEventBoostPriority (256, ... 01810 940 NtWaitForSingleObject (256, 0, 0x0, ... 01806 588 NtWaitForSingleObject ... ) == 0x0 01809 932 NtSetEventBoostPriority ... ) == 0x0 01807 928 NtSetEventBoostPriority ... ) == 0x0 01804 900 NtSetEventBoostPriority ... ) == 0x0 01800 936 NtSetEventBoostPriority ... ) == 0x0 01811 468 NtQueryInformationThread (404, Basic, 28, ... 01812 588 NtSetEventBoostPriority (256, ... 01813 932 NtWaitForSingleObject (312, 0, 0x0, ... 01814 928 NtWaitForSingleObject (312, 0, 0x0, ... 01815 936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01810 940 NtWaitForSingleObject ... 
) == 0x0 01812 588 NtSetEventBoostPriority ... ) == 0x0 01811 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=460,Tid=944,}, 0x0, ) == 0x0 01816 900 NtSetEventBoostPriority (312, ... 01817 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01815 936 NtDuplicateObject ... 408, ) == 0x0 01818 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1550, 0} (24, {28, 56, new_msg, 0, 460, 468, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\314\1\0\0\260\3\0\0" ... ... 01817 940 NtDuplicateObject ... 412, ) == 0x0 01763 916 NtWaitForSingleObject ... ) == 0x0 01816 900 NtSetEventBoostPriority ... ) == 0x0 01819 588 NtWaitForSingleObject (92, 0, {0, 0}, ... 01820 940 NtWaitForSingleObject (312, 0, 0x0, ... 01821 916 NtSetEventBoostPriority (312, ... 01818 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1551, 0} ... {28, 56, reply, 0, 460, 468, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\314\1\0\0\260\3\0\0" ) ) == 0x0 01822 900 NtWaitForSingleObject (100, 0, {0, 0}, ... 01775 584 NtWaitForSingleObject ... ) == 0x0 01819 588 NtWaitForSingleObject ... ) == 0x102 01823 468 NtResumeThread (404, ... 01822 900 NtWaitForSingleObject ... ) == 0x102 01824 584 NtSetEventBoostPriority (312, ... 01825 588 NtDeviceIoControlFile (400, 136, 0x0, 0x0, 0x12003, (400, 136, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 01821 916 NtSetEventBoostPriority ... ) == 0x0 01826 936 NtWaitForSingleObject (312, 0, 0x0, ... 01827 900 NtWaitForSingleObject (160, 0, 0x0, ... 01796 920 NtWaitForSingleObject ... ) == 0x0 01824 584 NtSetEventBoostPriority ... ) == 0x0 01825 588 NtDeviceIoControlFile ... {status=0x0, info=416}, ... {status=0x0, info=416}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01828 916 NtWaitForSingleObject (100, 0, {0, 0}, ... 01823 468 NtResumeThread ... 1, ) == 0x0 01829 920 NtSetEventBoostPriority (312, ... 
01830 584 NtWaitForSingleObject (312, 0, 0x0, ... 01831 588 NtDeviceIoControlFile (400, 136, 0x0, 0x0, 0x12047, (400, 136, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01803 924 NtWaitForSingleObject ... ) == 0x0 01829 920 NtSetEventBoostPriority ... ) == 0x0 01832 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01833 944 NtTestAlert (... 01828 916 NtWaitForSingleObject ... ) == 0x102 01834 924 NtSetEventBoostPriority (312, ... 01831 588 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01832 468 NtAllocateVirtualMemory ... 48234496, 1048576, ) == 0x0 01833 944 NtTestAlert ... ) == 0x0 01814 928 NtWaitForSingleObject ... ) == 0x0 01834 924 NtSetEventBoostPriority ... ) == 0x0 01835 916 NtWaitForSingleObject (160, 0, 0x0, ... 01836 588 NtDeviceIoControlFile (400, 136, 0x0, 0x0, 0x1200b, (400, 136, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ... 01837 468 NtAllocateVirtualMemory (-1, 49274880, 0, 8192, 4096, 4, ... 01838 928 NtSetEventBoostPriority (312, ... 01839 944 NtContinue (48233776, 1, ... 01840 920 NtWaitForSingleObject (100, 0, {0, 0}, ... 01836 588 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01813 932 NtWaitForSingleObject ... ) == 0x0 01838 928 NtSetEventBoostPriority ... ) == 0x0 01837 468 NtAllocateVirtualMemory ... 49274880, 8192, ) == 0x0 01841 944 NtRegisterThreadTerminatePort (24, ... 01840 920 NtWaitForSingleObject ... ) == 0x102 01842 932 NtSetEventBoostPriority (312, ... 
01843 588 NtDeviceIoControlFile (400, 136, 0x0, 0x0, 0x12047, (400, 136, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0e\0t\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01844 924 NtWaitForSingleObject (100, 0, {0, 0}, ... 01845 468 NtProtectVirtualMemory (-1, (0x2efe000), 4096, 260, ... 01841 944 NtRegisterThreadTerminatePort ... ) == 0x0 01820 940 NtWaitForSingleObject ... ) == 0x0 01846 920 NtWaitForSingleObject (160, 0, 0x0, ... 01843 588 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01844 924 NtWaitForSingleObject ... ) == 0x102 01842 932 NtSetEventBoostPriority ... ) == 0x0 01847 928 NtWaitForSingleObject (100, 0, {0, 0}, ... 01845 468 NtProtectVirtualMemory ... (0x2efe000), 4096, 4, ) == 0x0 01848 940 NtSetEventBoostPriority (312, ... 01849 588 NtDeviceIoControlFile (400, 136, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 01850 924 NtWaitForSingleObject (160, 0, 0x0, ... 01851 932 NtWaitForSingleObject (100, 0, {0, 0}, ... 01847 928 NtWaitForSingleObject ... ) == 0x102 01826 936 NtWaitForSingleObject ... ) == 0x0 01852 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01848 940 NtSetEventBoostPriority ... ) == 0x0 01853 944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01854 928 NtWaitForSingleObject (160, 0, 0x0, ... 01855 936 NtSetEventBoostPriority (312, ... 01852 468 NtCreateThread ... 420, {460, 948}, ) == 0x0 01849 588 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 01851 932 NtWaitForSingleObject ... ) == 0x102 01853 944 NtDuplicateObject ... 424, ) == 0x0 01830 584 NtWaitForSingleObject ... 
) == 0x0 01855 936 NtSetEventBoostPriority ... ) == 0x0 01856 468 NtQueryInformationThread (420, Basic, 28, ... 01857 932 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 01858 584 NtWaitForSingleObject (256, 0, 0x0, ... 01859 944 NtWaitForSingleObject (256, 0, 0x0, ... 01860 936 NtWaitForSingleObject (100, 0, {0, 0}, ... 01856 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=460,Tid=948,}, 0x0, ) == 0x0 01857 932 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01861 940 NtWaitForSingleObject (100, 0, {0, 0}, ... 01862 588 NtWaitForSingleObject (136, 1, {-5000000, -1}, ... 01863 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1551, 0} (24, {28, 56, new_msg, 0, 460, 468, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\1\0\0\314\1\0\0\264\3\0\0" ... ... 01864 932 NtSetEventBoostPriority (256, ... 01861 940 NtWaitForSingleObject ... ) == 0x102 01860 936 NtWaitForSingleObject ... ) == 0x102 01858 584 NtWaitForSingleObject ... ) == 0x0 01864 932 NtSetEventBoostPriority ... ) == 0x0 01865 940 NtWaitForSingleObject (256, 0, 0x0, ... 01866 584 NtSetEventBoostPriority (256, ... 01867 936 NtWaitForSingleObject (256, 0, 0x0, ... 01868 932 NtWaitForSingleObject (160, 0, 0x0, ... 01859 944 NtWaitForSingleObject ... ) == 0x0 01866 584 NtSetEventBoostPriority ... ) == 0x0 01863 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1552, 0} ... {28, 56, reply, 0, 460, 468, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\1\0\0\314\1\0\0\264\3\0\0" ) ) == 0x0 01869 944 NtSetEventBoostPriority (256, ... 01870 468 NtResumeThread (420, ... 01865 940 NtWaitForSingleObject ... ) == 0x0 01869 944 NtSetEventBoostPriority ... ) == 0x0 01871 940 NtSetEventBoostPriority (256, ... 01870 468 NtResumeThread ... 1, ) == 0x0 01872 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01867 936 NtWaitForSingleObject ... ) == 0x0 01871 940 NtSetEventBoostPriority ... ) == 0x0 01873 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01874 936 NtWaitForSingleObject (160, 0, 0x0, ... 01872 584 NtCreateEvent ... 428, ) == 0x0 01875 944 NtWaitForSingleObject (100, 0, {0, 0}, ... 01876 948 NtTestAlert (... 01873 468 NtAllocateVirtualMemory ... 49283072, 1048576, ) == 0x0 01877 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01875 944 NtWaitForSingleObject ... ) == 0x102 01876 948 NtTestAlert ... ) == 0x0 01878 940 NtWaitForSingleObject (160, 0, 0x0, ... 01877 584 NtCreateEvent ... 432, ) == 0x0 01879 944 NtWaitForSingleObject (160, 0, 0x0, ... 01880 948 NtContinue (49282352, 1, ... 01881 584 NtQuerySystemTime (... 01882 948 NtRegisterThreadTerminatePort (24, ... 01881 584 NtQuerySystemTime ... {863696618, 29889242}, ) == 0x0 01882 948 NtRegisterThreadTerminatePort ... ) == 0x0 01883 468 NtAllocateVirtualMemory (-1, 50323456, 0, 8192, 4096, 4, ... 01884 584 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01883 468 NtAllocateVirtualMemory ... 50323456, 8192, ) == 0x0 01884 584 NtCreateEvent ... 436, ) == 0x0 01885 468 NtProtectVirtualMemory (-1, (0x2ffe000), 4096, 260, ... 01886 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 01885 468 NtProtectVirtualMemory ... (0x2ffe000), 4096, 4, ) == 0x0 01886 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01887 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01888 584 NtQuerySystemInformation (Performance, 312, ... 01887 468 NtCreateThread ... 440, {460, 952}, ) == 0x0 01888 584 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 01889 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01890 468 NtQueryInformationThread (440, Basic, 28, ... 01889 948 NtDuplicateObject ... 444, ) == 0x0 01890 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=460,Tid=952,}, 0x0, ) == 0x0 01891 948 NtWaitForSingleObject (100, 0, {0, 0}, ... 
01892 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1552, 0} (24, {28, 56, new_msg, 0, 460, 468, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\314\1\0\0\270\3\0\0" ... ... 01891 948 NtWaitForSingleObject ... ) == 0x102 01892 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1553, 0} ... {28, 56, reply, 0, 460, 468, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\314\1\0\0\270\3\0\0" ) ) == 0x0 01893 948 NtWaitForSingleObject (160, 0, 0x0, ... 01894 468 NtResumeThread (440, ... 01895 584 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01896 584 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01897 584 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 448, ) == 0x0 01898 584 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 452, ) == 0x0 01899 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 456, ) == 0x0 01900 584 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01894 468 NtResumeThread ... 1, ) == 0x0 01901 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 50331648, 1048576, ) == 0x0 01902 468 NtAllocateVirtualMemory (-1, 51372032, 0, 8192, 4096, 4, ... 51372032, 8192, ) == 0x0 01903 468 NtProtectVirtualMemory (-1, (0x30fe000), 4096, 260, ... (0x30fe000), 4096, 4, ) == 0x0 01904 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 460, {460, 956}, ) == 0x0 01905 468 NtQueryInformationThread (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=460,Tid=956,}, 0x0, ) == 0x0 01906 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1553, 0} (24, {28, 56, new_msg, 0, 460, 468, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\1\0\0\314\1\0\0\274\3\0\0" ... ... 01907 584 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15724156, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 15724156, 112, ... 01908 952 NtTestAlert (... ) == 0x0 01909 952 NtContinue (50330928, 1, ... 
01910 952 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01907 584 NtConnectPort ... 464, 0x0, 0x0, 0x0, 112, ) == 0x0 01906 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1555, 0} ... {28, 56, reply, 0, 460, 468, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\1\0\0\314\1\0\0\274\3\0\0" ) ) == 0x0 01911 584 NtRequestWaitReplyPort (464, {128, 152, new_msg, 0, 1310720, 126032, 1310720, 15723920} (464, {128, 152, new_msg, 0, 1310720, 126032, 1310720, 15723920} "\0$\370w@\364\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0H \25\0\4\0\0\0H \25\0\20\344\314wH \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\30\35\25\0\260\1\24\0\360\37\25\0\200\0\0\0\310\37\25\0\0\0\0\0\0\0\0\0\0\0\0\0\360\37\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01912 468 NtResumeThread (460, ... 1, ) == 0x0 01913 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 51380224, 1048576, ) == 0x0 01911 584 NtRequestWaitReplyPort ... {128, 152, reply, 0, 460, 584, 1556, 0} ... {128, 152, reply, 0, 460, 584, 1556, 0} "\7$\370w@\364\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H \25\0\377\377\377\377H \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\30\35\25\0\260\1\24\0\360\37\25\0\200\0\0\0\310\37\25\0\0\0\0\0\0\0\0\0\0\0\0\0\360\37\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01914 952 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01915 956 NtTestAlert (... 01916 468 NtAllocateVirtualMemory (-1, 52420608, 0, 8192, 4096, 4, ... 01914 952 NtDuplicateObject ... 468, ) == 0x0 01915 956 NtTestAlert ... ) == 0x0 01916 468 NtAllocateVirtualMemory ... 52420608, 8192, ) == 0x0 01917 952 NtWaitForSingleObject (100, 0, {0, 0}, ... 01918 956 NtContinue (51379504, 1, ... 01919 468 NtProtectVirtualMemory (-1, (0x31fe000), 4096, 260, ... 01917 952 NtWaitForSingleObject ... ) == 0x102 01920 956 NtRegisterThreadTerminatePort (24, ... 01919 468 NtProtectVirtualMemory ... 
(0x31fe000), 4096, 4, ) == 0x0 01921 952 NtWaitForSingleObject (160, 0, 0x0, ... 01920 956 NtRegisterThreadTerminatePort ... ) == 0x0 01922 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01923 584 NtRequestWaitReplyPort (464, {64, 88, new_msg, 0, 0, 0, 0, 0} (464, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01922 468 NtCreateThread ... 472, {460, 960}, ) == 0x0 01923 584 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 584, 1557, 0} ... {52, 76, reply, 0, 460, 584, 1557, 0} "\2`\372\177\1\00\300\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01924 956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01925 584 NtClose (456, ... 01924 956 NtDuplicateObject ... 476, ) == 0x0 01925 584 NtClose ... ) == 0x0 01926 956 NtWaitForSingleObject (100, 0, {0, 0}, ... 01927 584 NtClose (464, ... 01926 956 NtWaitForSingleObject ... ) == 0x102 01928 468 NtQueryInformationThread (472, Basic, 28, ... 01929 956 NtWaitForSingleObject (160, 0, 0x0, ... 01928 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=460,Tid=960,}, 0x0, ) == 0x0 01927 584 NtClose ... ) == 0x0 01930 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1555, 0} (24, {28, 56, new_msg, 0, 460, 468, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0\314\1\0\0\300\3\0\0" ... ... 01931 584 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01930 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1559, 0} ... {28, 56, reply, 0, 460, 468, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0\314\1\0\0\300\3\0\0" ) ) == 0x0 01931 584 NtCreateKey ... 
464, 2, ) == 0x0 01932 468 NtResumeThread (472, ... 01933 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 456, ) }, ... 456, ) == 0x0 01934 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01935 584 NtQueryValueKey (464, (464, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01936 584 NtQueryValueKey (464, (464, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01937 584 NtClose (464, ... 01932 468 NtResumeThread ... 1, ) == 0x0 01938 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 52428800, 1048576, ) == 0x0 01939 468 NtAllocateVirtualMemory (-1, 53469184, 0, 8192, 4096, 4, ... 53469184, 8192, ) == 0x0 01940 468 NtProtectVirtualMemory (-1, (0x32fe000), 4096, 260, ... (0x32fe000), 4096, 4, ) == 0x0 01941 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 480, {460, 964}, ) == 0x0 01942 468 NtQueryInformationThread (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=460,Tid=964,}, 0x0, ) == 0x0 01943 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1559, 0} (24, {28, 56, new_msg, 0, 460, 468, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\314\1\0\0\304\3\0\0" ... ... 01937 584 NtClose ... ) == 0x0 01944 960 NtTestAlert (... 01945 584 NtClose (456, ... 01944 960 NtTestAlert ... ) == 0x0 01945 584 NtClose ... ) == 0x0 01946 960 NtContinue (52428080, 1, ... 
01947 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01948 960 NtRegisterThreadTerminatePort (24, ... 01947 584 NtCreateEvent ... 456, ) == 0x0 01948 960 NtRegisterThreadTerminatePort ... ) == 0x0 01949 584 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15724020, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 15724020, 112, ... 01943 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1560, 0} ... {28, 56, reply, 0, 460, 468, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\314\1\0\0\304\3\0\0" ) ) == 0x0 01950 960 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01951 468 NtResumeThread (480, ... 01950 960 NtDuplicateObject ... 464, ) == 0x0 01951 468 NtResumeThread ... 1, ) == 0x0 01952 960 NtWaitForSingleObject (100, 0, {0, 0}, ... 01953 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01952 960 NtWaitForSingleObject ... ) == 0x102 01953 468 NtAllocateVirtualMemory ... 53477376, 1048576, ) == 0x0 01954 960 NtWaitForSingleObject (160, 0, 0x0, ... 01949 584 NtConnectPort ... 484, 0x0, 0x0, 0x0, 112, ) == 0x0 01955 964 NtTestAlert (... 01956 468 NtAllocateVirtualMemory (-1, 54517760, 0, 8192, 4096, 4, ... 01957 584 NtRequestWaitReplyPort (484, {128, 152, new_msg, 0, 1310720, 125896, 1310720, 15723784} (484, {128, 152, new_msg, 0, 1310720, 125896, 1310720, 15723784} "\0$\370w\270\363\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0H \25\0\4\0\0\0H \25\0\20\344\314wH \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\30\35\25\0\0\0\0\0\320&\25\0?\360\367w\221\337\314w\0\0\0\0\0\0\357\0\364\356\357\0\320&\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01955 964 NtTestAlert ... ) == 0x0 01956 468 NtAllocateVirtualMemory ... 54517760, 8192, ) == 0x0 01958 964 NtContinue (53476656, 1, ... 01959 468 NtProtectVirtualMemory (-1, (0x33fe000), 4096, 260, ... 01957 584 NtRequestWaitReplyPort ... {128, 152, reply, 0, 460, 584, 1562, 0} ... 
{128, 152, reply, 0, 460, 584, 1562, 0} "\7$\370w\270\363\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H \25\0\377\377\377\377H \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\30\35\25\0\0\0\0\0\320&\25\0?\360\367w\221\337\314w\0\0\0\0\0\0\357\0\364\356\357\0\320&\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01960 964 NtRegisterThreadTerminatePort (24, ... 01959 468 NtProtectVirtualMemory ... (0x33fe000), 4096, 4, ) == 0x0 01961 584 NtRequestWaitReplyPort (484, {44, 68, new_msg, 0, 460, 584, 1557, 0} (484, {44, 68, new_msg, 0, 460, 584, 1557, 0} "\1`\0\0A\2\4\0\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 01960 964 NtRegisterThreadTerminatePort ... ) == 0x0 01962 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 488, {460, 968}, ) == 0x0 01963 468 NtQueryInformationThread (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=460,Tid=968,}, 0x0, ) == 0x0 01964 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1560, 0} (24, {28, 56, new_msg, 0, 460, 468, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\314\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 460, 468, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\314\1\0\0\310\3\0\0" ) ... {28, 56, reply, 0, 460, 468, 1564, 0} (24, {28, 56, new_msg, 0, 460, 468, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\314\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 460, 468, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\314\1\0\0\310\3\0\0" ) ) == 0x0 01965 468 NtResumeThread (488, ... 01966 964 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01961 584 NtRequestWaitReplyPort ... {40, 64, reply, 0, 460, 584, 1563, 0} ... {40, 64, reply, 0, 460, 584, 1563, 0} "\2`\372\177\4\00\300\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 01966 964 NtDuplicateObject ... 
492, ) == 0x0 01967 584 NtRequestWaitReplyPort (484, {64, 88, new_msg, 56, 0, 1, 0, 0} (484, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\357\357\0@\0\314w8\34\25\0\274\357\357\0$\360\357\0\0\267\362v$\360\357\08\34\25\0\1\0\0\0\360)\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01968 964 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x102 01969 964 NtWaitForSingleObject (160, 0, 0x0, ... 01967 584 NtRequestWaitReplyPort ... {64, 88, reply, 56, 460, 584, 1565, 0} ... {64, 88, reply, 56, 460, 584, 1565, 0} "\10\357\357\0@\0\314w8\34\25\0\274\357\357\0$\360\357\0\0\267\362v$\360\357\08\34\25\0\1\0\0\0\360)\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01965 468 NtResumeThread ... 1, ) == 0x0 01970 584 NtClose (456, ... 01971 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01972 968 NtTestAlert (... 01971 468 NtAllocateVirtualMemory ... 54525952, 1048576, ) == 0x0 01972 968 NtTestAlert ... ) == 0x0 01973 468 NtAllocateVirtualMemory (-1, 55566336, 0, 8192, 4096, 4, ... 01974 968 NtContinue (54525232, 1, ... 01973 468 NtAllocateVirtualMemory ... 55566336, 8192, ) == 0x0 01975 968 NtRegisterThreadTerminatePort (24, ... 01976 468 NtProtectVirtualMemory (-1, (0x34fe000), 4096, 260, ... 01975 968 NtRegisterThreadTerminatePort ... ) == 0x0 01970 584 NtClose ... ) == 0x0 01976 468 NtProtectVirtualMemory ... (0x34fe000), 4096, 4, ) == 0x0 01977 584 NtClose (484, ... 01978 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01977 584 NtClose ... ) == 0x0 01978 468 NtCreateThread ... 484, {460, 992}, ) == 0x0 01979 584 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 01980 468 NtQueryInformationThread (484, Basic, 28, ... 01979 584 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 01980 468 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=460,Tid=992,}, 0x0, ) == 0x0 01981 584 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01982 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1564, 0} (24, {28, 56, new_msg, 0, 460, 468, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\1\0\0\314\1\0\0\340\3\0\0" ... ... 01983 968 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01981 584 NtCreateKey ... 456, 2, ) == 0x0 01983 968 NtDuplicateObject ... 496, ) == 0x0 01984 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01985 968 NtWaitForSingleObject (100, 0, {0, 0}, ... 01984 584 NtOpenKey ... 500, ) == 0x0 01985 968 NtWaitForSingleObject ... ) == 0x102 01986 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01987 968 NtWaitForSingleObject (160, 0, 0x0, ... 01986 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01982 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1567, 0} ... {28, 56, reply, 0, 460, 468, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\1\0\0\314\1\0\0\340\3\0\0" ) ) == 0x0 01988 584 NtQueryValueKey (456, (456, "Domain", Partial, 144, ... , Partial, 144, ... 01989 468 NtResumeThread (484, ... 1, ) == 0x0 01990 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 55574528, 1048576, ) == 0x0 01991 468 NtAllocateVirtualMemory (-1, 56614912, 0, 8192, 4096, 4, ... 56614912, 8192, ) == 0x0 01992 468 NtProtectVirtualMemory (-1, (0x35fe000), 4096, 260, ... (0x35fe000), 4096, 4, ) == 0x0 01993 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 504, {460, 996}, ) == 0x0 01988 584 NtQueryValueKey ... 
TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01994 992 NtTestAlert (... 01995 584 NtQueryValueKey (456, (456, "Domain", Partial, 144, ... , Partial, 144, ... 01994 992 NtTestAlert ... ) == 0x0 01995 584 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01996 992 NtContinue (55573808, 1, ... 01997 584 NtClose (456, ... 01998 992 NtRegisterThreadTerminatePort (24, ... 01997 584 NtClose ... ) == 0x0 01998 992 NtRegisterThreadTerminatePort ... ) == 0x0 01999 584 NtClose (500, ... 02000 468 NtQueryInformationThread (504, Basic, 28, ... 02001 992 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02000 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=460,Tid=996,}, 0x0, ) == 0x0 02001 992 NtDuplicateObject ... 456, ) == 0x0 02002 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1567, 0} (24, {28, 56, new_msg, 0, 460, 468, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\314\1\0\0\344\3\0\0" ... ... 02003 992 NtWaitForSingleObject (100, 0, {0, 0}, ... 02002 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1568, 0} ... {28, 56, reply, 0, 460, 468, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\314\1\0\0\344\3\0\0" ) ) == 0x0 02003 992 NtWaitForSingleObject ... ) == 0x102 02004 468 NtResumeThread (504, ... 02005 992 NtWaitForSingleObject (160, 0, 0x0, ... 01999 584 NtClose ... ) == 0x0 02004 468 NtResumeThread ... 1, ) == 0x0 02006 584 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 02007 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02006 584 NtOpenKey ... 500, ) == 0x0 02007 468 NtAllocateVirtualMemory ... 56623104, 1048576, ) == 0x0 02008 584 NtQueryValueKey (500, (500, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 02009 468 NtAllocateVirtualMemory (-1, 57663488, 0, 8192, 4096, 4, ... 02008 584 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02009 468 NtAllocateVirtualMemory ... 57663488, 8192, ) == 0x0 02010 584 NtClose (500, ... 02011 468 NtProtectVirtualMemory (-1, (0x36fe000), 4096, 260, ... 02012 996 NtAllocateVirtualMemory (-1, 3952640, 0, 4096, 4096, 4, ... 02010 584 NtClose ... ) == 0x0 02012 996 NtAllocateVirtualMemory ... 3952640, 4096, ) == 0x0 02013 584 NtWaitForSingleObject (132, 0, 0x0, ... 02014 996 NtSetEventBoostPriority (132, ... 02013 584 NtWaitForSingleObject ... ) == 0x0 02015 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15723564, ... ) }, 15723564, ... ) == 0x0 02014 996 NtSetEventBoostPriority ... ) == 0x0 02011 468 NtProtectVirtualMemory ... (0x36fe000), 4096, 4, ) == 0x0 02016 996 NtTestAlert (... 02017 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02018 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 02017 468 NtCreateThread ... 500, {460, 1016}, ) == 0x0 02018 584 NtOpenFile ... 508, {status=0x0, info=1}, ) == 0x0 02019 468 NtQueryInformationThread (500, Basic, 28, ... 02020 584 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 508, ... 02019 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=460,Tid=1016,}, 0x0, ) == 0x0 02020 584 NtCreateSection ... 512, ) == 0x0 02021 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1568, 0} (24, {28, 56, new_msg, 0, 460, 468, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\1\0\0\314\1\0\0\370\3\0\0" ... ... 02022 584 NtClose (508, ... 02016 996 NtTestAlert ... ) == 0x0 02022 584 NtClose ... ) == 0x0 02023 996 NtContinue (56622384, 1, ... 02021 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1569, 0} ... {28, 56, reply, 0, 460, 468, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\1\0\0\314\1\0\0\370\3\0\0" ) ) == 0x0 02024 996 NtRegisterThreadTerminatePort (24, ... 
02025 468 NtResumeThread (500, ... 02024 996 NtRegisterThreadTerminatePort ... ) == 0x0 02025 468 NtResumeThread ... 1, ) == 0x0 02026 996 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02027 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02026 996 NtDuplicateObject ... 508, ) == 0x0 02027 468 NtAllocateVirtualMemory ... 57671680, 1048576, ) == 0x0 02028 584 NtMapViewOfSection (512, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02029 1016 NtWaitForSingleObject (132, 0, 0x0, ... 02030 996 NtWaitForSingleObject (100, 0, {0, 0}, ... 02028 584 NtMapViewOfSection ... (0x3800000), 0x0, 16384, ) == 0x0 02030 996 NtWaitForSingleObject ... ) == 0x102 02031 584 NtClose (512, ... 02032 996 NtWaitForSingleObject (160, 0, 0x0, ... 02031 584 NtClose ... ) == 0x0 02033 584 NtUnmapViewOfSection (-1, 0x3800000, ... ) == 0x0 02034 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 15723880, ... ) }, 15723880, ... ) == 0x0 02035 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 512, {status=0x0, info=1}, ) }, 5, 96, ... 512, {status=0x0, info=1}, ) == 0x0 02036 584 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 512, ... 516, ) == 0x0 02037 468 NtAllocateVirtualMemory (-1, 58712064, 0, 8192, 4096, 4, ... 58712064, 8192, ) == 0x0 02038 468 NtProtectVirtualMemory (-1, (0x37fe000), 4096, 260, ... (0x37fe000), 4096, 4, ) == 0x0 02039 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 520, {460, 1020}, ) == 0x0 02040 468 NtQueryInformationThread (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=460,Tid=1020,}, 0x0, ) == 0x0 02041 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1569, 0} (24, {28, 56, new_msg, 0, 460, 468, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\314\1\0\0\374\3\0\0" ... {28, 56, reply, 0, 460, 468, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\314\1\0\0\374\3\0\0" ) ... 
{28, 56, reply, 0, 460, 468, 1570, 0} (24, {28, 56, new_msg, 0, 460, 468, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\314\1\0\0\374\3\0\0" ... {28, 56, reply, 0, 460, 468, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\314\1\0\0\374\3\0\0" ) ) == 0x0 02042 468 NtResumeThread (520, ... 02043 584 NtQuerySection (516, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02044 584 NtClose (512, ... ) == 0x0 02045 584 NtMapViewOfSection (516, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 02046 584 NtClose (516, ... ) == 0x0 02047 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 516, ) }, ... 516, ) == 0x0 02048 584 NtMapViewOfSection (516, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 02042 468 NtResumeThread ... 1, ) == 0x0 02049 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58720256, 1048576, ) == 0x0 02050 468 NtAllocateVirtualMemory (-1, 59760640, 0, 8192, 4096, 4, ... 59760640, 8192, ) == 0x0 02051 468 NtProtectVirtualMemory (-1, (0x38fe000), 4096, 260, ... (0x38fe000), 4096, 4, ) == 0x0 02052 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 512, {460, 1024}, ) == 0x0 02053 468 NtQueryInformationThread (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=460,Tid=1024,}, 0x0, ) == 0x0 02054 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1570, 0} (24, {28, 56, new_msg, 0, 460, 468, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\314\1\0\0\0\4\0\0" ... ... 02055 584 NtClose (516, ... 02056 1020 NtWaitForSingleObject (132, 0, 0x0, ... 02055 584 NtClose ... ) == 0x0 02057 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 516, ) == 0x0 02058 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 524, ) }, ... 524, ) == 0x0 02059 584 NtQueryValueKey (524, (524, "LdapClientIntegrity", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (524, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02060 584 NtClose (524, ... ) == 0x0 02061 584 NtSetEventBoostPriority (132, ... 02029 1016 NtWaitForSingleObject ... ) == 0x0 02062 1016 NtSetEventBoostPriority (132, ... 02056 1020 NtWaitForSingleObject ... ) == 0x0 02063 1020 NtTestAlert (... ) == 0x0 02062 1016 NtSetEventBoostPriority ... ) == 0x0 02061 584 NtSetEventBoostPriority ... ) == 0x0 02054 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1571, 0} ... {28, 56, reply, 0, 460, 468, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\314\1\0\0\0\4\0\0" ) ) == 0x0 02064 1020 NtContinue (58719536, 1, ... 02065 1016 NtTestAlert (... 02066 468 NtResumeThread (512, ... 02067 1020 NtRegisterThreadTerminatePort (24, ... 02065 1016 NtTestAlert ... ) == 0x0 02066 468 NtResumeThread ... 1, ) == 0x0 02067 1020 NtRegisterThreadTerminatePort ... ) == 0x0 02068 1016 NtContinue (57670960, 1, ... 02069 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02070 1020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02071 1016 NtRegisterThreadTerminatePort (24, ... 02069 468 NtAllocateVirtualMemory ... 59768832, 1048576, ) == 0x0 02070 1020 NtDuplicateObject ... 524, ) == 0x0 02071 1016 NtRegisterThreadTerminatePort ... ) == 0x0 02072 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 15723564, ... }, 15723564, ... 02073 1024 NtWaitForSingleObject (132, 0, 0x0, ... 02074 1020 NtWaitForSingleObject (100, 0, {0, 0}, ... 02075 1016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02072 584 NtQueryAttributesFile ... ) == 0x0 02076 468 NtAllocateVirtualMemory (-1, 60809216, 0, 8192, 4096, 4, ... 02074 1020 NtWaitForSingleObject ... ) == 0x102 02077 584 NtSetEventBoostPriority (132, ... 02076 468 NtAllocateVirtualMemory ... 
60809216, 8192, ) == 0x0 02078 1020 NtWaitForSingleObject (160, 0, 0x0, ... 02073 1024 NtWaitForSingleObject ... ) == 0x0 02077 584 NtSetEventBoostPriority ... ) == 0x0 02079 468 NtProtectVirtualMemory (-1, (0x39fe000), 4096, 260, ... 02080 1024 NtTestAlert (... 02081 584 NtQuerySystemInformation (Basic, 44, ... 02080 1024 NtTestAlert ... ) == 0x0 02079 468 NtProtectVirtualMemory ... (0x39fe000), 4096, 4, ) == 0x0 02081 584 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02075 1016 NtDuplicateObject ... 528, ) == 0x0 02082 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02083 1024 NtContinue (59768112, 1, ... 02084 1016 NtWaitForSingleObject (100, 0, {0, 0}, ... 02082 468 NtCreateThread ... 532, {460, 1004}, ) == 0x0 02085 1024 NtRegisterThreadTerminatePort (24, ... 02084 1016 NtWaitForSingleObject ... ) == 0x102 02086 584 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 02085 1024 NtRegisterThreadTerminatePort ... ) == 0x0 02087 1016 NtWaitForSingleObject (160, 0, 0x0, ... 02086 584 NtAllocateVirtualMemory ... 60817408, 65536, ) == 0x0 02088 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02089 584 NtAllocateVirtualMemory (-1, 60817408, 0, 4096, 4096, 4, ... 02088 1024 NtDuplicateObject ... 536, ) == 0x0 02089 584 NtAllocateVirtualMemory ... 60817408, 4096, ) == 0x0 02090 1024 NtWaitForSingleObject (100, 0, {0, 0}, ... 02091 584 NtAllocateVirtualMemory (-1, 60821504, 0, 8192, 4096, 4, ... 02092 468 NtQueryInformationThread (532, Basic, 28, ... 02091 584 NtAllocateVirtualMemory ... 60821504, 8192, ) == 0x0 02092 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=460,Tid=1004,}, 0x0, ) == 0x0 02090 1024 NtWaitForSingleObject ... 
) == 0x102 02093 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1571, 0} (24, {28, 56, new_msg, 0, 460, 468, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\314\1\0\0\354\3\0\0" ... ... 02094 1024 NtWaitForSingleObject (160, 0, 0x0, ... 02093 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1572, 0} ... {28, 56, reply, 0, 460, 468, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\314\1\0\0\354\3\0\0" ) ) == 0x0 02095 468 NtResumeThread (532, ... 1, ) == 0x0 02096 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 60882944, 1048576, ) == 0x0 02097 468 NtAllocateVirtualMemory (-1, 61923328, 0, 8192, 4096, 4, ... 61923328, 8192, ) == 0x0 02098 468 NtProtectVirtualMemory (-1, (0x3b0e000), 4096, 260, ... 02099 584 NtSetEventBoostPriority (160, ... 02100 1004 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 01004 580 NtWaitForSingleObject ... ) == 0x0 02099 584 NtSetEventBoostPriority ... ) == 0x0 02101 580 NtWaitForSingleObject (256, 0, 0x0, ... 02100 1004 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 02102 584 NtWaitForSingleObject (256, 0, 0x0, ... 02103 1004 NtSetEventBoostPriority (256, ... 02101 580 NtWaitForSingleObject ... ) == 0x0 02104 580 NtSetEventBoostPriority (256, ... 02102 584 NtWaitForSingleObject ... ) == 0x0 02105 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 540, ) == 0x0 02104 580 NtSetEventBoostPriority ... ) == 0x0 02103 1004 NtSetEventBoostPriority ... ) == 0x0 02098 468 NtProtectVirtualMemory ... (0x3b0e000), 4096, 4, ) == 0x0 02106 584 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15723852, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 15723852, 112, ... 02107 1004 NtTestAlert (... 02108 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02106 584 NtConnectPort ... 544, 0x0, 0x0, 0x0, 112, ) == 0x0 02109 580 NtSetEventBoostPriority (160, ... 02108 468 NtCreateThread ... 
548, {460, 1032}, ) == 0x0 02110 584 NtRequestWaitReplyPort (544, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 15723616} (544, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 15723616} "\0$\370w\20\363\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0H \25\0\4\0\0\0H \25\0\20\344\314wH \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\250J\25\0\20I\25\0\200J\25\0\0\0\0\0\0\0\0\0\0\0\0\0\250J\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01014 572 NtWaitForSingleObject ... ) == 0x0 02109 580 NtSetEventBoostPriority ... ) == 0x0 02111 468 NtQueryInformationThread (548, Basic, 28, ... 02112 572 NtSetEventBoostPriority (160, ... 02113 580 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01020 576 NtWaitForSingleObject ... ) == 0x0 02112 572 NtSetEventBoostPriority ... ) == 0x0 02111 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=460,Tid=1032,}, 0x0, ) == 0x0 02110 584 NtRequestWaitReplyPort ... {128, 152, reply, 0, 460, 584, 1574, 0} ... {128, 152, reply, 0, 460, 584, 1574, 0} "\7$\370w\20\363\357\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H \25\0\377\377\377\377H \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1\24\0\0\0\0\0\250J\25\0\20I\25\0\200J\25\0\0\0\0\0\0\0\0\0\0\0\0\0\250J\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02114 576 NtSetEventBoostPriority (160, ... 02113 580 NtCreateEvent ... 552, ) == 0x0 02107 1004 NtTestAlert ... ) == 0x0 02115 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1572, 0} (24, {28, 56, new_msg, 0, 460, 468, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\2\0\0\314\1\0\0\10\4\0\0" ... ... 02116 572 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01255 596 NtWaitForSingleObject ... ) == 0x0 02114 576 NtSetEventBoostPriority ... ) == 0x0 02117 580 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 02118 1004 NtContinue (60816688, 1, ... 
02119 584 NtRequestWaitReplyPort (544, {64, 88, new_msg, 0, 460, 584, 1563, 0} (544, {64, 88, new_msg, 0, 460, 584, 1563, 0} "\1`\0\0A\2\10\0\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02120 596 NtWaitForSingleObject (256, 0, 0x0, ... 02116 572 NtCreateEvent ... 556, ) == 0x0 02115 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1575, 0} ... {28, 56, reply, 0, 460, 468, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\2\0\0\314\1\0\0\10\4\0\0" ) ) == 0x0 02117 580 NtAllocateVirtualMemory ... 1396736, 4096, ) == 0x0 02121 1004 NtRegisterThreadTerminatePort (24, ... 02122 572 NtWaitForSingleObject (256, 0, 0x0, ... 02123 468 NtResumeThread (548, ... 02119 584 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 584, 1576, 0} ... {52, 76, reply, 0, 460, 584, 1576, 0} "\2\13,\370\1\0,\370B\271\325\371(\273\325\371\377\377\377\377\325\316\325\371\13\353\325\371\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02124 576 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02121 1004 NtRegisterThreadTerminatePort ... ) == 0x0 02123 468 NtResumeThread ... 1, ) == 0x0 02125 584 NtWaitForSingleObject (256, 0, 0x0, ... 02124 576 NtCreateEvent ... 560, ) == 0x0 02126 1004 NtWaitForSingleObject (256, 0, 0x0, ... 02127 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02128 576 NtWaitForSingleObject (256, 0, 0x0, ... 02127 468 NtAllocateVirtualMemory ... 61931520, 1048576, ) == 0x0 02129 580 NtSetEventBoostPriority (256, ... 02130 1032 NtWaitForSingleObject (256, 0, 0x0, ... 02120 596 NtWaitForSingleObject ... ) == 0x0 02129 580 NtSetEventBoostPriority ... ) == 0x0 02131 596 NtSetEventBoostPriority (256, ... 02122 572 NtWaitForSingleObject ... ) == 0x0 02132 572 NtSetEventBoostPriority (256, ... 02125 584 NtWaitForSingleObject ... ) == 0x0 02133 584 NtSetEventBoostPriority (256, ... 02126 1004 NtWaitForSingleObject ... 
) == 0x0 02134 1004 NtSetEventBoostPriority (256, ... 02128 576 NtWaitForSingleObject ... ) == 0x0 02135 576 NtSetEventBoostPriority (256, ... 02130 1032 NtWaitForSingleObject ... ) == 0x0 02136 1032 NtTestAlert (... ) == 0x0 02135 576 NtSetEventBoostPriority ... ) == 0x0 02134 1004 NtSetEventBoostPriority ... ) == 0x0 02133 584 NtSetEventBoostPriority ... ) == 0x0 02132 572 NtSetEventBoostPriority ... ) == 0x0 02131 596 NtSetEventBoostPriority ... ) == 0x0 02137 580 NtAllocateVirtualMemory (-1, 14667776, 0, 4096, 4096, 260, ... 02138 468 NtAllocateVirtualMemory (-1, 62971904, 0, 8192, 4096, 4, ... 02139 1032 NtContinue (61930800, 1, ... 02140 576 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 02141 1004 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02142 584 NtClose (540, ... 02143 572 NtWaitForSingleObject (256, 0, 0x0, ... 02137 580 NtAllocateVirtualMemory ... 14667776, 4096, ) == 0x0 02138 468 NtAllocateVirtualMemory ... 62971904, 8192, ) == 0x0 02144 1032 NtRegisterThreadTerminatePort (24, ... 02140 576 NtAllocateVirtualMemory ... 1400832, 4096, ) == 0x0 02141 1004 NtDuplicateObject ... 564, ) == 0x0 02142 584 NtClose ... ) == 0x0 02145 580 NtWaitForSingleObject (256, 0, 0x0, ... 02146 468 NtProtectVirtualMemory (-1, (0x3c0e000), 4096, 260, ... 02144 1032 NtRegisterThreadTerminatePort ... ) == 0x0 02147 576 NtSetEventBoostPriority (256, ... 02148 1004 NtWaitForSingleObject (100, 0, {0, 0}, ... 02149 584 NtClose (544, ... 02146 468 NtProtectVirtualMemory ... (0x3c0e000), 4096, 4, ) == 0x0 02150 1032 NtWaitForSingleObject (256, 0, 0x0, ... 02143 572 NtWaitForSingleObject ... ) == 0x0 02147 576 NtSetEventBoostPriority ... ) == 0x0 02148 1004 NtWaitForSingleObject ... ) == 0x102 02149 584 NtClose ... ) == 0x0 02151 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02152 572 NtSetEventBoostPriority (256, ... 02153 576 NtWaitForSingleObject (256, 0, 0x0, ... 02154 1004 NtWaitForSingleObject (160, 0, 0x0, ... 
02155 584 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02145 580 NtWaitForSingleObject ... ) == 0x0 02152 572 NtSetEventBoostPriority ... ) == 0x0 02151 468 NtCreateThread ... 544, {460, 1048}, ) == 0x0 02156 596 NtSetEventBoostPriority (160, ... 02157 580 NtSetEventBoostPriority (256, ... 02155 584 NtCreateKey ... 540, 2, ) == 0x0 02158 572 NtWaitForSingleObject (256, 0, 0x0, ... 02150 1032 NtWaitForSingleObject ... ) == 0x0 02157 580 NtSetEventBoostPriority ... ) == 0x0 01434 804 NtWaitForSingleObject ... ) == 0x0 02156 596 NtSetEventBoostPriority ... ) == 0x0 02159 468 NtQueryInformationThread (544, Basic, 28, ... 02160 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02161 1032 NtSetEventBoostPriority (256, ... 02162 804 NtWaitForSingleObject (256, 0, 0x0, ... 02163 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02159 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=460,Tid=1048,}, 0x0, ) == 0x0 02153 576 NtWaitForSingleObject ... ) == 0x0 02161 1032 NtSetEventBoostPriority ... ) == 0x0 02160 584 NtOpenKey ... 568, ) == 0x0 02163 596 NtCreateEvent ... 572, ) == 0x0 02164 576 NtSetEventBoostPriority (256, ... 02165 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1575, 0} (24, {28, 56, new_msg, 0, 460, 468, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\314\1\0\0\30\4\0\0" ... ... 02166 580 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02167 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02158 572 NtWaitForSingleObject ... ) == 0x0 02164 576 NtSetEventBoostPriority ... 
) == 0x0 02168 596 NtWaitForSingleObject (256, 0, 0x0, ... 02165 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1578, 0} ... {28, 56, reply, 0, 460, 468, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\314\1\0\0\30\4\0\0" ) ) == 0x0 02166 580 NtCreateEvent ... 576, ) == 0x0 02169 572 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 02167 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02170 1032 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02171 468 NtResumeThread (544, ... 02169 572 NtAllocateVirtualMemory ... 1404928, 4096, ) == 0x0 02172 580 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02173 584 NtQueryValueKey (540, (540, "Hostname", Partial, 144, ... , Partial, 144, ... 02170 1032 NtDuplicateObject ... 580, ) == 0x0 02174 576 NtWaitForSingleObject (256, 0, 0x0, ... 02175 572 NtSetEventBoostPriority (256, ... 02172 580 NtDuplicateObject ... 584, ) == 0x0 02173 584 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02176 1032 NtWaitForSingleObject (256, 0, 0x0, ... 02162 804 NtWaitForSingleObject ... ) == 0x0 02177 580 NtWaitForSingleObject (256, 0, 0x0, ... 02175 572 NtSetEventBoostPriority ... ) == 0x0 02171 468 NtResumeThread ... 1, ) == 0x0 02178 804 NtSetEventBoostPriority (256, ... 02179 584 NtWaitForSingleObject (256, 0, 0x0, ... 02180 1048 NtWaitForSingleObject (256, 0, 0x0, ... 02168 596 NtWaitForSingleObject ... ) == 0x0 02181 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02182 596 NtSetEventBoostPriority (256, ... 02181 468 NtAllocateVirtualMemory ... 62980096, 1048576, ) == 0x0 02174 576 NtWaitForSingleObject ... ) == 0x0 02182 596 NtSetEventBoostPriority ... ) == 0x0 02183 576 NtSetEventBoostPriority (256, ... 02184 468 NtAllocateVirtualMemory (-1, 64020480, 0, 8192, 4096, 4, ... 02178 804 NtSetEventBoostPriority ... ) == 0x0 02185 572 NtWaitForSingleObject (256, 0, 0x0, ... 02176 1032 NtWaitForSingleObject ... 
) == 0x0 02183 576 NtSetEventBoostPriority ... ) == 0x0 02184 468 NtAllocateVirtualMemory ... 64020480, 8192, ) == 0x0 02186 596 NtWaitForSingleObject (256, 0, 0x0, ... 02187 1032 NtSetEventBoostPriority (256, ... 02188 576 NtWaitForSingleObject (256, 0, 0x0, ... 02189 468 NtProtectVirtualMemory (-1, (0x3d0e000), 4096, 260, ... 02177 580 NtWaitForSingleObject ... ) == 0x0 02187 1032 NtSetEventBoostPriority ... ) == 0x0 02190 804 NtWaitForSingleObject (256, 0, 0x0, ... 02191 580 NtSetEventBoostPriority (256, ... 02189 468 NtProtectVirtualMemory ... (0x3d0e000), 4096, 4, ) == 0x0 02179 584 NtWaitForSingleObject ... ) == 0x0 02191 580 NtSetEventBoostPriority ... ) == 0x0 02192 584 NtSetEventBoostPriority (256, ... 02193 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02194 1032 NtWaitForSingleObject (256, 0, 0x0, ... 02180 1048 NtWaitForSingleObject ... ) == 0x0 02192 584 NtSetEventBoostPriority ... ) == 0x0 02193 468 NtCreateThread ... 588, {460, 1052}, ) == 0x0 02195 1048 NtSetEventBoostPriority (256, ... 02196 584 NtQueryValueKey (540, (540, "Hostname", Partial, 144, ... , Partial, 144, ... 02185 572 NtWaitForSingleObject ... ) == 0x0 02195 1048 NtSetEventBoostPriority ... ) == 0x0 02197 468 NtQueryInformationThread (588, Basic, 28, ... 02198 580 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02199 572 NtSetEventBoostPriority (256, ... 02196 584 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02197 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=460,Tid=1052,}, 0x0, ) == 0x0 02186 596 NtWaitForSingleObject ... ) == 0x0 02199 572 NtSetEventBoostPriority ... ) == 0x0 02198 580 NtCreateEvent ... 592, ) == 0x0 02200 584 NtClose (540, ... 02201 596 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 
02202 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1578, 0} (24, {28, 56, new_msg, 0, 460, 468, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\2\0\0\314\1\0\0\34\4\0\0" ... ... 02203 572 NtWaitForSingleObject (256, 0, 0x0, ... 02204 580 NtWaitForSingleObject (256, 0, 0x0, ... 02201 596 NtAllocateVirtualMemory ... 1409024, 4096, ) == 0x0 02200 584 NtClose ... ) == 0x0 02205 1048 NtWaitForSingleObject (256, 0, 0x0, ... 02202 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1579, 0} ... {28, 56, reply, 0, 460, 468, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\2\0\0\314\1\0\0\34\4\0\0" ) ) == 0x0 02206 596 NtSetEventBoostPriority (256, ... 02207 584 NtClose (568, ... 02208 468 NtResumeThread (588, ... 02207 584 NtClose ... ) == 0x0 02208 468 NtResumeThread ... 1, ) == 0x0 02209 584 NtWaitForSingleObject (256, 0, 0x0, ... 02210 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02188 576 NtWaitForSingleObject ... ) == 0x0 02206 596 NtSetEventBoostPriority ... ) == 0x0 02211 1052 NtWaitForSingleObject (132, 0, 0x0, ... 02210 468 NtAllocateVirtualMemory ... 64028672, 1048576, ) == 0x0 02212 576 NtSetEventBoostPriority (256, ... 02213 596 NtWaitForSingleObject (256, 0, 0x0, ... 02190 804 NtWaitForSingleObject ... ) == 0x0 02214 804 NtSetEventBoostPriority (256, ... 02194 1032 NtWaitForSingleObject ... ) == 0x0 02215 1032 NtSetEventBoostPriority (256, ... 02204 580 NtWaitForSingleObject ... ) == 0x0 02216 580 NtSetEventBoostPriority (256, ... 02205 1048 NtWaitForSingleObject ... ) == 0x0 02217 1048 NtSetEventBoostPriority (256, ... 02203 572 NtWaitForSingleObject ... ) == 0x0 02218 572 NtSetEventBoostPriority (256, ... 02209 584 NtWaitForSingleObject ... ) == 0x0 02219 584 NtSetEventBoostPriority (256, ... 02213 596 NtWaitForSingleObject ... ) == 0x0 02220 596 NtAllocateVirtualMemory (-1, 17813504, 0, 4096, 4096, 260, ... 17813504, 4096, ) == 0x0 02217 1048 NtSetEventBoostPriority ... ) == 0x0 02216 580 NtSetEventBoostPriority ... 
) == 0x0 02215 1032 NtSetEventBoostPriority ... ) == 0x0 02214 804 NtSetEventBoostPriority ... ) == 0x0 02219 584 NtSetEventBoostPriority ... ) == 0x0 02218 572 NtSetEventBoostPriority ... ) == 0x0 02212 576 NtSetEventBoostPriority ... ) == 0x0 02221 468 NtAllocateVirtualMemory (-1, 65069056, 0, 8192, 4096, 4, ... 02222 1048 NtSetEventBoostPriority (132, ... 02223 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02224 1032 NtWaitForSingleObject (312, 0, 0x0, ... 02225 804 NtSetEventBoostPriority (160, ... 02226 584 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02227 572 NtAllocateVirtualMemory (-1, 13619200, 0, 4096, 4096, 260, ... 02228 576 NtAllocateVirtualMemory (-1, 16764928, 0, 4096, 4096, 260, ... 02221 468 NtAllocateVirtualMemory ... 65069056, 8192, ) == 0x0 02229 580 NtSetEventBoostPriority (312, ... 02223 596 NtCreateEvent ... 568, ) == 0x0 02211 1052 NtWaitForSingleObject ... ) == 0x0 02222 1048 NtSetEventBoostPriority ... ) == 0x0 02226 584 NtCreateKey ... 540, 2, ) == 0x0 02227 572 NtAllocateVirtualMemory ... 13619200, 4096, ) == 0x0 02228 576 NtAllocateVirtualMemory ... 16764928, 4096, ) == 0x0 02230 468 NtProtectVirtualMemory (-1, (0x3e0e000), 4096, 260, ... 02224 1032 NtWaitForSingleObject ... ) == 0x0 02229 580 NtSetEventBoostPriority ... ) == 0x0 02231 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02232 1052 NtTestAlert (... 02233 1048 NtTestAlert (... 01449 732 NtWaitForSingleObject ... ) == 0x0 02225 804 NtSetEventBoostPriority ... ) == 0x0 02234 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02235 572 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02236 1032 NtWaitForSingleObject (100, 0, {0, 0}, ... 02230 468 NtProtectVirtualMemory ... 
(0x3e0e000), 4096, 4, ) == 0x0 02237 580 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 14675276, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 14675276, 112, ... 02231 596 NtDuplicateObject ... 596, ) == 0x0 02232 1052 NtTestAlert ... ) == 0x0 02233 1048 NtTestAlert ... ) == 0x0 02238 732 NtSetEventBoostPriority (160, ... 02239 804 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02234 584 NtOpenKey ... 600, ) == 0x0 02236 1032 NtWaitForSingleObject ... ) == 0x102 02235 572 NtCreateEvent ... 604, ) == 0x0 02240 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02241 596 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02237 580 NtConnectPort ... 608, 0x0, 0x0, 0x0, 112, ) == 0x0 02242 576 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02243 1048 NtContinue (62979376, 1, ... 01451 744 NtWaitForSingleObject ... ) == 0x0 02238 732 NtSetEventBoostPriority ... ) == 0x0 02239 804 NtCreateEvent ... 612, ) == 0x0 02244 1032 NtWaitForSingleObject (160, 0, 0x0, ... 02245 584 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02246 572 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02240 468 NtCreateThread ... 616, {460, 1072}, ) == 0x0 02241 596 NtCreateEvent ... 620, ) == 0x0 02247 580 NtRequestWaitReplyPort (608, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 14675040} (608, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 14675040} "\0$\370w\20\363\337\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0H \25\0\4\0\0\0H \25\0\20\344\314wH \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\240\34\25\0\360H\25\0\0\0\0\0\1\0\0\0\17\0\0\0HF\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... ... 02242 576 NtCreateEvent ... 624, ) == 0x0 02248 744 NtSetEventBoostPriority (160, ... 02249 1048 NtRegisterThreadTerminatePort (24, ... 02250 1052 NtContinue (64027952, 1, ... 02251 804 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 
02252 732 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02245 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02246 572 NtDuplicateObject ... 628, ) == 0x0 02253 468 NtQueryInformationThread (616, Basic, 28, ... 02254 596 NtWaitForSingleObject (620, 0, 0x0, ... 01452 676 NtWaitForSingleObject ... ) == 0x0 02248 744 NtSetEventBoostPriority ... ) == 0x0 02255 576 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02249 1048 NtRegisterThreadTerminatePort ... ) == 0x0 02256 1052 NtRegisterThreadTerminatePort (24, ... 02251 804 NtAllocateVirtualMemory ... 1413120, 4096, ) == 0x0 02252 732 NtCreateEvent ... 632, ) == 0x0 02257 584 NtQueryValueKey (540, (540, "Domain", Partial, 144, ... , Partial, 144, ... 02258 572 NtWaitForSingleObject (256, 0, 0x0, ... 02253 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=460,Tid=1072,}, 0x0, ) == 0x0 02259 676 NtWaitForSingleObject (256, 0, 0x0, ... 02247 580 NtRequestWaitReplyPort ... {128, 152, reply, 0, 460, 580, 1581, 0} ... {128, 152, reply, 0, 460, 580, 1581, 0} "\7$\370w\20\363\337\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H \25\0\377\377\377\377H \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\240\34\25\0\360H\25\0\0\0\0\0\1\0\0\0\17\0\0\0HF\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ) == 0x0 02255 576 NtDuplicateObject ... 636, ) == 0x0 02260 744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02256 1052 NtRegisterThreadTerminatePort ... ) == 0x0 02261 804 NtSetEventBoostPriority (256, ... 02262 732 NtWaitForSingleObject (256, 0, 0x0, ... 02257 584 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02263 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1579, 0} (24, {28, 56, new_msg, 0, 460, 468, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\314\1\0\00\4\0\0" ... ... 02264 580 NtSetEventBoostPriority (620, ... 02265 576 NtWaitForSingleObject (256, 0, 0x0, ... 02260 744 NtCreateEvent ... 
640, ) == 0x0 02266 1052 NtWaitForSingleObject (256, 0, 0x0, ... 02267 1048 NtWaitForSingleObject (256, 0, 0x0, ... 02258 572 NtWaitForSingleObject ... ) == 0x0 02261 804 NtSetEventBoostPriority ... ) == 0x0 02263 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1582, 0} ... {28, 56, reply, 0, 460, 468, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\314\1\0\00\4\0\0" ) ) == 0x0 02254 596 NtWaitForSingleObject ... ) == 0x0 02264 580 NtSetEventBoostPriority ... ) == 0x0 02268 744 NtWaitForSingleObject (256, 0, 0x0, ... 02269 572 NtSetEventBoostPriority (256, ... 02270 804 NtWaitForSingleObject (256, 0, 0x0, ... 02271 596 NtWaitForSingleObject (256, 0, 0x0, ... 02272 468 NtResumeThread (616, ... 02273 580 NtWaitForSingleObject (256, 0, 0x0, ... 02259 676 NtWaitForSingleObject ... ) == 0x0 02269 572 NtSetEventBoostPriority ... ) == 0x0 02274 584 NtQueryValueKey (540, (540, "Domain", Partial, 144, ... , Partial, 144, ... 02275 676 NtSetEventBoostPriority (256, ... 02272 468 NtResumeThread ... 1, ) == 0x0 02262 732 NtWaitForSingleObject ... ) == 0x0 02275 676 NtSetEventBoostPriority ... ) == 0x0 02274 584 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02276 732 NtSetEventBoostPriority (256, ... 02277 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02278 572 NtWaitForSingleObject (256, 0, 0x0, ... 02279 1072 NtWaitForSingleObject (256, 0, 0x0, ... 02265 576 NtWaitForSingleObject ... ) == 0x0 02276 732 NtSetEventBoostPriority ... ) == 0x0 02280 584 NtWaitForSingleObject (256, 0, 0x0, ... 02277 468 NtAllocateVirtualMemory ... 65077248, 1048576, ) == 0x0 02281 576 NtSetEventBoostPriority (256, ... 02282 676 NtWaitForSingleObject (256, 0, 0x0, ... 02266 1052 NtWaitForSingleObject ... ) == 0x0 02281 576 NtSetEventBoostPriority ... ) == 0x0 02283 468 NtAllocateVirtualMemory (-1, 66117632, 0, 8192, 4096, 4, ... 02284 1052 NtSetEventBoostPriority (256, ... 
02285 732 NtWaitForSingleObject (256, 0, 0x0, ... 02267 1048 NtWaitForSingleObject ... ) == 0x0 02284 1052 NtSetEventBoostPriority ... ) == 0x0 02283 468 NtAllocateVirtualMemory ... 66117632, 8192, ) == 0x0 02286 1048 NtSetEventBoostPriority (256, ... 02287 576 NtWaitForSingleObject (256, 0, 0x0, ... 02268 744 NtWaitForSingleObject ... ) == 0x0 02286 1048 NtSetEventBoostPriority ... ) == 0x0 02288 468 NtProtectVirtualMemory (-1, (0x3f0e000), 4096, 260, ... 02289 744 NtSetEventBoostPriority (256, ... 02290 1048 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02291 1052 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02271 596 NtWaitForSingleObject ... ) == 0x0 02289 744 NtSetEventBoostPriority ... ) == 0x0 02288 468 NtProtectVirtualMemory ... (0x3f0e000), 4096, 4, ) == 0x0 02292 596 NtSetEventBoostPriority (256, ... 02291 1052 NtDuplicateObject ... 644, ) == 0x0 02290 1048 NtDuplicateObject ... 648, ) == 0x0 02270 804 NtWaitForSingleObject ... ) == 0x0 02292 596 NtSetEventBoostPriority ... ) == 0x0 02293 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02294 1052 NtWaitForSingleObject (256, 0, 0x0, ... 02295 804 NtSetEventBoostPriority (256, ... 02296 1048 NtWaitForSingleObject (256, 0, 0x0, ... 02297 744 NtWaitForSingleObject (256, 0, 0x0, ... 02293 468 NtCreateThread ... 652, {460, 1080}, ) == 0x0 02273 580 NtWaitForSingleObject ... ) == 0x0 02295 804 NtSetEventBoostPriority ... ) == 0x0 02298 580 NtSetEventBoostPriority (256, ... 02299 468 NtQueryInformationThread (652, Basic, 28, ... 02300 596 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02278 572 NtWaitForSingleObject ... ) == 0x0 02298 580 NtSetEventBoostPriority ... ) == 0x0 02299 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=460,Tid=1080,}, 0x0, ) == 0x0 02301 572 NtSetEventBoostPriority (256, ... 02300 596 NtCreateEvent ... 656, ) == 0x0 02302 804 NtWaitForSingleObject (256, 0, 0x0, ... 02279 1072 NtWaitForSingleObject ... 
) == 0x0 02301 572 NtSetEventBoostPriority ... ) == 0x0 02303 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1582, 0} (24, {28, 56, new_msg, 0, 460, 468, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\2\0\0\314\1\0\08\4\0\0" ... ... 02304 596 NtWaitForSingleObject (256, 0, 0x0, ... 02305 1072 NtSetEventBoostPriority (256, ... 02306 572 NtWaitForSingleObject (256, 0, 0x0, ... 02307 580 NtRequestWaitReplyPort (608, {64, 88, new_msg, 0, 0, 0, 0, 0} (608, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02280 584 NtWaitForSingleObject ... ) == 0x0 02305 1072 NtSetEventBoostPriority ... ) == 0x0 02303 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1583, 0} ... {28, 56, reply, 0, 460, 468, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\2\0\0\314\1\0\08\4\0\0" ) ) == 0x0 02308 584 NtSetEventBoostPriority (256, ... 02307 580 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 580, 1584, 0} ... {52, 76, reply, 0, 460, 580, 1584, 0} "\2\13,\370\1\0,\370B\271\325\371(\273\325\371\377\377\377\377\325\316\325\371\13\353\325\371\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02282 676 NtWaitForSingleObject ... ) == 0x0 02308 584 NtSetEventBoostPriority ... ) == 0x0 02309 468 NtResumeThread (652, ... 02310 676 NtSetEventBoostPriority (256, ... 02311 580 NtWaitForSingleObject (256, 0, 0x0, ... 02312 1072 NtWaitForSingleObject (256, 0, 0x0, ... 02285 732 NtWaitForSingleObject ... ) == 0x0 02310 676 NtSetEventBoostPriority ... ) == 0x0 02309 468 NtResumeThread ... 1, ) == 0x0 02313 732 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 02314 676 NtWaitForSingleObject (256, 0, 0x0, ... 02313 732 NtAllocateVirtualMemory ... 1417216, 4096, ) == 0x0 02315 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02316 584 NtClose (540, ... 02317 1080 NtWaitForSingleObject (132, 0, 0x0, ... 
02318 732 NtSetEventBoostPriority (256, ... 02315 468 NtAllocateVirtualMemory ... 66125824, 1048576, ) == 0x0 02316 584 NtClose ... ) == 0x0 02287 576 NtWaitForSingleObject ... ) == 0x0 02318 732 NtSetEventBoostPriority ... ) == 0x0 02319 584 NtClose (600, ... 02320 576 NtSetEventBoostPriority (256, ... 02321 732 NtWaitForSingleObject (256, 0, 0x0, ... 02319 584 NtClose ... ) == 0x0 02294 1052 NtWaitForSingleObject ... ) == 0x0 02320 576 NtSetEventBoostPriority ... ) == 0x0 02322 1052 NtSetEventBoostPriority (256, ... 02323 584 NtWaitForSingleObject (256, 0, 0x0, ... 02296 1048 NtWaitForSingleObject ... ) == 0x0 02322 1052 NtSetEventBoostPriority ... ) == 0x0 02324 576 NtWaitForSingleObject (256, 0, 0x0, ... 02325 1048 NtSetEventBoostPriority (256, ... 02326 468 NtAllocateVirtualMemory (-1, 67166208, 0, 8192, 4096, 4, ... 02327 1052 NtWaitForSingleObject (256, 0, 0x0, ... 02297 744 NtWaitForSingleObject ... ) == 0x0 02325 1048 NtSetEventBoostPriority ... ) == 0x0 02326 468 NtAllocateVirtualMemory ... 67166208, 8192, ) == 0x0 02328 744 NtSetEventBoostPriority (256, ... 02302 804 NtWaitForSingleObject ... ) == 0x0 02329 804 NtSetEventBoostPriority (256, ... 02304 596 NtWaitForSingleObject ... ) == 0x0 02330 596 NtSetEventBoostPriority (256, ... 02306 572 NtWaitForSingleObject ... ) == 0x0 02331 572 NtSetEventBoostPriority (256, ... 02311 580 NtWaitForSingleObject ... ) == 0x0 02332 580 NtSetEventBoostPriority (256, ... 02312 1072 NtWaitForSingleObject ... ) == 0x0 02333 1072 NtSetEventBoostPriority (256, ... 02314 676 NtWaitForSingleObject ... ) == 0x0 02334 676 NtSetEventBoostPriority (256, ... 02321 732 NtWaitForSingleObject ... ) == 0x0 02335 732 NtSetEventBoostPriority (256, ... 02323 584 NtWaitForSingleObject ... ) == 0x0 02336 584 NtSetEventBoostPriority (256, ... 02327 1052 NtWaitForSingleObject ... ) == 0x0 02337 1052 NtSetEventBoostPriority (256, ... 02324 576 NtWaitForSingleObject ... ) == 0x0 02338 576 NtWaitForSingleObject (312, 0, 0x0, ... 
02337 1052 NtSetEventBoostPriority ... ) == 0x0 02339 1052 NtWaitForSingleObject (312, 0, 0x0, ... 02336 584 NtSetEventBoostPriority ... ) == 0x0 02335 732 NtSetEventBoostPriority ... ) == 0x0 02333 1072 NtSetEventBoostPriority ... ) == 0x0 02332 580 NtSetEventBoostPriority ... ) == 0x0 02330 596 NtSetEventBoostPriority ... ) == 0x0 02329 804 NtSetEventBoostPriority ... ) == 0x0 02328 744 NtSetEventBoostPriority ... ) == 0x0 02340 468 NtProtectVirtualMemory (-1, (0x400e000), 4096, 260, ... 02334 676 NtSetEventBoostPriority ... ) == 0x0 02331 572 NtSetEventBoostPriority ... ) == 0x0 02341 1048 NtWaitForSingleObject (312, 0, 0x0, ... 02342 584 NtWaitForSingleObject (312, 0, 0x0, ... 02343 1072 NtSetEventBoostPriority (132, ... 02344 732 NtAllocateVirtualMemory (-1, 19910656, 0, 4096, 4096, 260, ... 02345 580 NtWaitForSingleObject (312, 0, 0x0, ... 02346 804 NtAllocateVirtualMemory (-1, 27250688, 0, 4096, 4096, 260, ... 02347 744 NtAllocateVirtualMemory (-1, 20959232, 0, 4096, 4096, 260, ... 02340 468 NtProtectVirtualMemory ... (0x400e000), 4096, 4, ) == 0x0 02348 676 NtSetEventBoostPriority (160, ... 02349 572 NtWaitForSingleObject (312, 0, 0x0, ... 02350 596 NtSetEventBoostPriority (312, ... 02344 732 NtAllocateVirtualMemory ... 19910656, 4096, ) == 0x0 02317 1080 NtWaitForSingleObject ... ) == 0x0 02343 1072 NtSetEventBoostPriority ... ) == 0x0 02346 804 NtAllocateVirtualMemory ... 27250688, 4096, ) == 0x0 02351 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 01514 812 NtWaitForSingleObject ... ) == 0x0 02348 676 NtSetEventBoostPriority ... ) == 0x0 02338 576 NtWaitForSingleObject ... ) == 0x0 02350 596 NtSetEventBoostPriority ... ) == 0x0 02352 732 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02353 1080 NtTestAlert (... 02354 1072 NtTestAlert (... 02355 804 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02356 812 NtSetEventBoostPriority (160, ... 02351 468 NtCreateThread ... 600, {460, 1096}, ) == 0x0 02347 744 NtAllocateVirtualMemory ... 
20959232, 4096, ) == 0x0 02357 576 NtSetEventBoostPriority (312, ... 02358 596 NtRequestWaitReplyPort (608, {64, 88, new_msg, 0, 4391026, 7667820, 7602291, 7471205} (608, {64, 88, new_msg, 0, 4391026, 7667820, 7602291, 7471205} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02352 732 NtCreateEvent ... 540, ) == 0x0 02353 1080 NtTestAlert ... ) == 0x0 02354 1072 NtTestAlert ... ) == 0x0 01539 844 NtWaitForSingleObject ... ) == 0x0 02356 812 NtSetEventBoostPriority ... ) == 0x0 02355 804 NtCreateEvent ... 660, ) == 0x0 02359 676 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02339 1052 NtWaitForSingleObject ... ) == 0x0 02360 744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02361 732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02358 596 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 596, 1585, 0} ... {52, 76, reply, 0, 460, 596, 1585, 0} "\2`\372\177\1\00\300\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02357 576 NtSetEventBoostPriority ... ) == 0x0 02362 468 NtQueryInformationThread (600, Basic, 28, ... 02363 844 NtSetEventBoostPriority (160, ... 02364 1072 NtContinue (65076528, 1, ... 02365 1080 NtContinue (66125104, 1, ... 02366 804 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02359 676 NtCreateEvent ... 664, ) == 0x0 02367 1052 NtSetEventBoostPriority (312, ... 02360 744 NtCreateEvent ... 668, ) == 0x0 02361 732 NtDuplicateObject ... 672, ) == 0x0 02368 596 NtWaitForSingleObject (312, 0, 0x0, ... 02369 812 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01544 788 NtWaitForSingleObject ... ) == 0x0 02362 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=460,Tid=1096,}, 0x0, ) == 0x0 02370 1072 NtRegisterThreadTerminatePort (24, ... 02371 1080 NtRegisterThreadTerminatePort (24, ... 02366 804 NtDuplicateObject ... 
676, ) == 0x0 02372 676 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 02341 1048 NtWaitForSingleObject ... ) == 0x0 02373 744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02367 1052 NtSetEventBoostPriority ... ) == 0x0 02363 844 NtSetEventBoostPriority ... ) == 0x0 02374 576 NtWaitForSingleObject (256, 0, 0x0, ... 02375 732 NtWaitForSingleObject (256, 0, 0x0, ... 02369 812 NtCreateEvent ... 680, ) == 0x0 02376 788 NtWaitForSingleObject (256, 0, 0x0, ... 02377 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1583, 0} (24, {28, 56, new_msg, 0, 460, 468, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\314\1\0\0H\4\0\0" ... ... 02370 1072 NtRegisterThreadTerminatePort ... ) == 0x0 02371 1080 NtRegisterThreadTerminatePort ... ) == 0x0 02378 804 NtWaitForSingleObject (256, 0, 0x0, ... 02372 676 NtAllocateVirtualMemory ... 1421312, 4096, ) == 0x0 02379 1048 NtWaitForSingleObject (256, 0, 0x0, ... 02373 744 NtDuplicateObject ... 684, ) == 0x0 02380 1052 NtWaitForSingleObject (100, 0, {0, 0}, ... 02381 844 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02382 812 NtWaitForSingleObject (256, 0, 0x0, ... 02377 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1586, 0} ... {28, 56, reply, 0, 460, 468, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\314\1\0\0H\4\0\0" ) ) == 0x0 02383 1080 NtWaitForSingleObject (256, 0, 0x0, ... 02384 1072 NtWaitForSingleObject (256, 0, 0x0, ... 02385 676 NtSetEventBoostPriority (256, ... 02386 744 NtWaitForSingleObject (256, 0, 0x0, ... 02381 844 NtCreateEvent ... 688, ) == 0x0 02387 468 NtResumeThread (600, ... 02374 576 NtWaitForSingleObject ... ) == 0x0 02385 676 NtSetEventBoostPriority ... ) == 0x0 02380 1052 NtWaitForSingleObject ... ) == 0x102 02388 844 NtWaitForSingleObject (256, 0, 0x0, ... 02389 576 NtSetEventBoostPriority (256, ... 02387 468 NtResumeThread ... 1, ) == 0x0 02390 1052 NtWaitForSingleObject (160, 0, 0x0, ... 02375 732 NtWaitForSingleObject ... ) == 0x0 02389 576 NtSetEventBoostPriority ... 
) == 0x0 02391 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02392 732 NtSetEventBoostPriority (256, ... 02393 576 NtWaitForSingleObject (312, 0, 0x0, ... 02376 788 NtWaitForSingleObject ... ) == 0x0 02392 732 NtSetEventBoostPriority ... ) == 0x0 02391 468 NtAllocateVirtualMemory ... 67174400, 1048576, ) == 0x0 02394 676 NtWaitForSingleObject (256, 0, 0x0, ... 02395 1096 NtWaitForSingleObject (256, 0, 0x0, ... 02396 788 NtSetEventBoostPriority (256, ... 02397 732 NtWaitForSingleObject (312, 0, 0x0, ... 02398 468 NtAllocateVirtualMemory (-1, 68214784, 0, 8192, 4096, 4, ... 02379 1048 NtWaitForSingleObject ... ) == 0x0 02396 788 NtSetEventBoostPriority ... ) == 0x0 02399 1048 NtSetEventBoostPriority (256, ... 02398 468 NtAllocateVirtualMemory ... 68214784, 8192, ) == 0x0 02382 812 NtWaitForSingleObject ... ) == 0x0 02399 1048 NtSetEventBoostPriority ... ) == 0x0 02400 812 NtSetEventBoostPriority (256, ... 02401 468 NtProtectVirtualMemory (-1, (0x410e000), 4096, 260, ... 02402 788 NtWaitForSingleObject (256, 0, 0x0, ... 02383 1080 NtWaitForSingleObject ... ) == 0x0 02400 812 NtSetEventBoostPriority ... ) == 0x0 02403 1048 NtSetEventBoostPriority (312, ... 02404 1080 NtSetEventBoostPriority (256, ... 02401 468 NtProtectVirtualMemory ... (0x410e000), 4096, 4, ) == 0x0 02384 1072 NtWaitForSingleObject ... ) == 0x0 02404 1080 NtSetEventBoostPriority ... ) == 0x0 02342 584 NtWaitForSingleObject ... ) == 0x0 02403 1048 NtSetEventBoostPriority ... ) == 0x0 02405 1072 NtSetEventBoostPriority (256, ... 02406 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02407 812 NtWaitForSingleObject (256, 0, 0x0, ... 02408 584 NtSetEventBoostPriority (312, ... 02378 804 NtWaitForSingleObject ... ) == 0x0 02405 1072 NtSetEventBoostPriority ... ) == 0x0 02409 1048 NtWaitForSingleObject (100, 0, {0, 0}, ... 02406 468 NtCreateThread ... 692, {460, 1092}, ) == 0x0 02345 580 NtWaitForSingleObject ... ) == 0x0 02410 804 NtSetEventBoostPriority (256, ... 
02408 584 NtSetEventBoostPriority ... ) == 0x0 02411 1072 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02409 1048 NtWaitForSingleObject ... ) == 0x102 02412 580 NtSetEventBoostPriority (312, ... 02386 744 NtWaitForSingleObject ... ) == 0x0 02413 468 NtQueryInformationThread (692, Basic, 28, ... 02414 584 NtWaitForSingleObject (256, 0, 0x0, ... 02410 804 NtSetEventBoostPriority ... ) == 0x0 02415 1080 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02349 572 NtWaitForSingleObject ... ) == 0x0 02412 580 NtSetEventBoostPriority ... ) == 0x0 02416 1048 NtWaitForSingleObject (160, 0, 0x0, ... 02417 744 NtSetEventBoostPriority (256, ... 02413 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=460,Tid=1092,}, 0x0, ) == 0x0 02411 1072 NtDuplicateObject ... 696, ) == 0x0 02418 804 NtWaitForSingleObject (256, 0, 0x0, ... 02419 572 NtSetEventBoostPriority (312, ... 02415 1080 NtDuplicateObject ... 700, ) == 0x0 02420 580 NtWaitForSingleObject (256, 0, 0x0, ... 02388 844 NtWaitForSingleObject ... ) == 0x0 02421 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1586, 0} (24, {28, 56, new_msg, 0, 460, 468, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\314\1\0\0D\4\0\0" ... ... 02422 1072 NtWaitForSingleObject (312, 0, 0x0, ... 02368 596 NtWaitForSingleObject ... ) == 0x0 02419 572 NtSetEventBoostPriority ... ) == 0x0 02423 1080 NtWaitForSingleObject (256, 0, 0x0, ... 02417 744 NtSetEventBoostPriority ... ) == 0x0 02424 844 NtSetEventBoostPriority (256, ... 02425 596 NtSetEventBoostPriority (312, ... 02421 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1587, 0} ... {28, 56, reply, 0, 460, 468, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\314\1\0\0D\4\0\0" ) ) == 0x0 02426 744 NtWaitForSingleObject (256, 0, 0x0, ... 02393 576 NtWaitForSingleObject ... ) == 0x0 02394 676 NtWaitForSingleObject ... ) == 0x0 02424 844 NtSetEventBoostPriority ... ) == 0x0 02427 468 NtResumeThread (692, ... 
02428 676 NtSetEventBoostPriority (256, ... 02429 576 NtSetEventBoostPriority (312, ... 02430 844 NtWaitForSingleObject (256, 0, 0x0, ... 02395 1096 NtWaitForSingleObject ... ) == 0x0 02428 676 NtSetEventBoostPriority ... ) == 0x0 02427 468 NtResumeThread ... 1, ) == 0x0 02397 732 NtWaitForSingleObject ... ) == 0x0 02429 576 NtSetEventBoostPriority ... ) == 0x0 02425 596 NtSetEventBoostPriority ... ) == 0x0 02431 572 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02432 1092 NtWaitForSingleObject (132, 0, 0x0, ... 02433 1096 NtSetEventBoostPriority (256, ... 02434 676 NtWaitForSingleObject (256, 0, 0x0, ... 02435 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02436 732 NtSetEventBoostPriority (312, ... 02437 576 NtWaitForSingleObject (256, 0, 0x0, ... 02438 596 NtClose (592, ... 02431 572 NtCreateEvent ... 704, ) == 0x0 02402 788 NtWaitForSingleObject ... ) == 0x0 02433 1096 NtSetEventBoostPriority ... ) == 0x0 02435 468 NtAllocateVirtualMemory ... 68222976, 1048576, ) == 0x0 02422 1072 NtWaitForSingleObject ... ) == 0x0 02438 596 NtClose ... ) == 0x0 02439 788 NtSetEventBoostPriority (256, ... 02440 572 NtWaitForSingleObject (704, 0, 0x0, ... 02436 732 NtSetEventBoostPriority ... ) == 0x0 02441 1096 NtWaitForSingleObject (256, 0, 0x0, ... 02442 1072 NtWaitForSingleObject (256, 0, 0x0, ... 02443 468 NtAllocateVirtualMemory (-1, 69263360, 0, 8192, 4096, 4, ... 02407 812 NtWaitForSingleObject ... ) == 0x0 02439 788 NtSetEventBoostPriority ... ) == 0x0 02444 732 NtWaitForSingleObject (704, 0, 0x0, ... 02445 812 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 02443 468 NtAllocateVirtualMemory ... 69263360, 8192, ) == 0x0 02446 788 NtWaitForSingleObject (256, 0, 0x0, ... 02445 812 NtAllocateVirtualMemory ... 1425408, 4096, ) == 0x0 02447 468 NtProtectVirtualMemory (-1, (0x420e000), 4096, 260, ... 02448 596 NtWaitForSingleObject (312, 0, 0x0, ... 02449 812 NtSetEventBoostPriority (256, ... 02447 468 NtProtectVirtualMemory ... 
(0x420e000), 4096, 4, ) == 0x0 02450 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 592, {460, 1100}, ) == 0x0 02451 468 NtQueryInformationThread (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=460,Tid=1100,}, 0x0, ) == 0x0 02452 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1587, 0} (24, {28, 56, new_msg, 0, 460, 468, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\314\1\0\0L\4\0\0" ... {28, 56, reply, 0, 460, 468, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\314\1\0\0L\4\0\0" ) ... {28, 56, reply, 0, 460, 468, 1588, 0} (24, {28, 56, new_msg, 0, 460, 468, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\314\1\0\0L\4\0\0" ... {28, 56, reply, 0, 460, 468, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\314\1\0\0L\4\0\0" ) ) == 0x0 02453 468 NtResumeThread (592, ... 02414 584 NtWaitForSingleObject ... ) == 0x0 02449 812 NtSetEventBoostPriority ... ) == 0x0 02454 584 NtSetEventBoostPriority (256, ... 02455 812 NtWaitForSingleObject (256, 0, 0x0, ... 02418 804 NtWaitForSingleObject ... ) == 0x0 02456 804 NtSetEventBoostPriority (256, ... 02420 580 NtWaitForSingleObject ... ) == 0x0 02457 580 NtSetEventBoostPriority (256, ... 02423 1080 NtWaitForSingleObject ... ) == 0x0 02458 1080 NtSetEventBoostPriority (256, ... 02426 744 NtWaitForSingleObject ... ) == 0x0 02459 744 NtSetEventBoostPriority (256, ... 02430 844 NtWaitForSingleObject ... ) == 0x0 02460 844 NtSetEventBoostPriority (256, ... 02437 576 NtWaitForSingleObject ... ) == 0x0 02461 576 NtSetEventBoostPriority (256, ... 02434 676 NtWaitForSingleObject ... ) == 0x0 02462 676 NtSetEventBoostPriority (256, ... 02441 1096 NtWaitForSingleObject ... ) == 0x0 02463 1096 NtSetEventBoostPriority (256, ... 02442 1072 NtWaitForSingleObject ... ) == 0x0 02464 1072 NtSetEventBoostPriority (256, ... 02446 788 NtWaitForSingleObject ... ) == 0x0 02465 788 NtSetEventBoostPriority (256, ... 02455 812 NtWaitForSingleObject ... 
) == 0x0 02466 812 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0 02464 1072 NtSetEventBoostPriority ... ) == 0x0 02463 1096 NtSetEventBoostPriority ... ) == 0x0 02461 576 NtSetEventBoostPriority ... ) == 0x0 02459 744 NtSetEventBoostPriority ... ) == 0x0 02458 1080 NtSetEventBoostPriority ... ) == 0x0 02456 804 NtSetEventBoostPriority ... ) == 0x0 02465 788 NtSetEventBoostPriority ... ) == 0x0 02462 676 NtSetEventBoostPriority ... ) == 0x0 02460 844 NtSetEventBoostPriority ... ) == 0x0 02457 580 NtSetEventBoostPriority ... ) == 0x0 02454 584 NtSetEventBoostPriority ... ) == 0x0 02453 468 NtResumeThread ... 1, ) == 0x0 02467 812 NtAllocateVirtualMemory (-1, 26202112, 0, 4096, 4096, 260, ... 02468 1100 NtWaitForSingleObject (132, 0, 0x0, ... 02469 1096 NtSetEventBoostPriority (132, ... 02470 1072 NtSetEventBoostPriority (312, ... 02471 576 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02472 744 NtWaitForSingleObject (312, 0, 0x0, ... 02473 1080 NtWaitForSingleObject (312, 0, 0x0, ... 02474 788 NtSetEventBoostPriority (160, ... 02475 676 NtAllocateVirtualMemory (-1, 22007808, 0, 4096, 4096, 260, ... 02476 844 NtAllocateVirtualMemory (-1, 29347840, 0, 4096, 4096, 260, ... 02477 580 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02478 584 NtWaitForSingleObject (312, 0, 0x0, ... 02479 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02467 812 NtAllocateVirtualMemory ... 26202112, 4096, ) == 0x0 02480 804 NtWaitForSingleObject (312, 0, 0x0, ... 02448 596 NtWaitForSingleObject ... ) == 0x0 02470 1072 NtSetEventBoostPriority ... ) == 0x0 02471 576 NtCreateEvent ... 708, ) == 0x0 01591 784 NtWaitForSingleObject ... ) == 0x0 02474 788 NtSetEventBoostPriority ... ) == 0x0 02475 676 NtAllocateVirtualMemory ... 
22007808, 4096, ) == 0x0 02476 844 NtAllocateVirtualMemory ... 29347840, 4096, ) == 0x0 02477 580 NtCreateKey ... 712, 2, ) == 0x0 02479 468 NtAllocateVirtualMemory ... 69271552, 1048576, ) == 0x0 02481 812 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02482 596 NtSetEventBoostPriority (312, ... 02483 1072 NtWaitForSingleObject (100, 0, {0, 0}, ... 02484 784 NtSetEventBoostPriority (160, ... 02485 576 NtWaitForSingleObject (312, 0, 0x0, ... 02432 1092 NtWaitForSingleObject ... ) == 0x0 02469 1096 NtSetEventBoostPriority ... ) == 0x0 02486 788 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02487 676 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02488 844 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02489 468 NtAllocateVirtualMemory (-1, 70311936, 0, 8192, 4096, 4, ... 02472 744 NtWaitForSingleObject ... ) == 0x0 02482 596 NtSetEventBoostPriority ... ) == 0x0 02481 812 NtCreateEvent ... 716, ) == 0x0 01593 636 NtWaitForSingleObject ... ) == 0x0 02484 784 NtSetEventBoostPriority ... ) == 0x0 02483 1072 NtWaitForSingleObject ... ) == 0x102 02490 1092 NtSetEventBoostPriority (132, ... 02491 1096 NtTestAlert (... 02486 788 NtCreateEvent ... 720, ) == 0x0 02487 676 NtCreateEvent ... 724, ) == 0x0 02488 844 NtCreateEvent ... 728, ) == 0x0 02492 744 NtSetEventBoostPriority (312, ... 02489 468 NtAllocateVirtualMemory ... 70311936, 8192, ) == 0x0 02493 596 NtClose (656, ... 02494 636 NtSetEventBoostPriority (160, ... 02495 812 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02496 580 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02497 1072 NtWaitForSingleObject (160, 0, 0x0, ... 02468 1100 NtWaitForSingleObject ... ) == 0x0 02490 1092 NtSetEventBoostPriority ... ) == 0x0 02491 1096 NtTestAlert ... ) == 0x0 02498 788 NtAllocateVirtualMemory (-1, 1433600, 0, 4096, 4096, 4, ... 02499 676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02473 1080 NtWaitForSingleObject ... 
) == 0x0 02492 744 NtSetEventBoostPriority ... ) == 0x0 02500 844 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02501 468 NtProtectVirtualMemory (-1, (0x430e000), 4096, 260, ... 02502 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01625 308 NtWaitForSingleObject ... ) == 0x0 02495 812 NtDuplicateObject ... 732, ) == 0x0 02496 580 NtOpenKey ... 736, ) == 0x0 02494 636 NtSetEventBoostPriority ... ) == 0x0 02493 596 NtClose ... ) == 0x0 02503 1100 NtWaitForSingleObject (256, 0, 0x0, ... 02504 1096 NtContinue (67173680, 1, ... 02498 788 NtAllocateVirtualMemory ... 1433600, 4096, ) == 0x0 02505 1080 NtWaitForSingleObject (256, 0, 0x0, ... 02499 676 NtDuplicateObject ... 656, ) == 0x0 02506 744 NtWaitForSingleObject (704, 0, 0x0, ... 02500 844 NtDuplicateObject ... 740, ) == 0x0 02507 1092 NtTestAlert (... 02508 308 NtWaitForSingleObject (256, 0, 0x0, ... 02502 784 NtCreateEvent ... 744, ) == 0x0 02501 468 NtProtectVirtualMemory ... (0x430e000), 4096, 4, ) == 0x0 02509 580 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02510 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02511 596 NtClose (608, ... 02512 1096 NtRegisterThreadTerminatePort (24, ... 02513 788 NtSetEventBoostPriority (256, ... 02514 676 NtWaitForSingleObject (256, 0, 0x0, ... 02515 812 NtWaitForSingleObject (256, 0, 0x0, ... 02516 844 NtWaitForSingleObject (256, 0, 0x0, ... 02507 1092 NtTestAlert ... ) == 0x0 02517 784 NtWaitForSingleObject (256, 0, 0x0, ... 02518 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02509 580 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02510 636 NtCreateEvent ... 748, ) == 0x0 02511 596 NtClose ... ) == 0x0 02512 1096 NtRegisterThreadTerminatePort ... ) == 0x0 02503 1100 NtWaitForSingleObject ... ) == 0x0 02513 788 NtSetEventBoostPriority ... ) == 0x0 02519 1092 NtContinue (68222256, 1, ... 02518 468 NtCreateThread ... 
608, {460, 1104}, ) == 0x0 02520 580 NtQueryValueKey (712, (712, "Hostname", Partial, 144, ... , Partial, 144, ... 02521 596 NtClose (620, ... 02522 636 NtWaitForSingleObject (256, 0, 0x0, ... 02523 1100 NtSetEventBoostPriority (256, ... 02524 1096 NtWaitForSingleObject (256, 0, 0x0, ... 02525 1092 NtRegisterThreadTerminatePort (24, ... 02526 468 NtQueryInformationThread (608, Basic, 28, ... 02520 580 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02521 596 NtClose ... ) == 0x0 02505 1080 NtWaitForSingleObject ... ) == 0x0 02523 1100 NtSetEventBoostPriority ... ) == 0x0 02525 1092 NtRegisterThreadTerminatePort ... ) == 0x0 02526 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=460,Tid=1104,}, 0x0, ) == 0x0 02527 788 NtWaitForSingleObject (256, 0, 0x0, ... 02528 1080 NtSetEventBoostPriority (256, ... 02529 596 NtWaitForSingleObject (312, 0, 0x0, ... 02530 580 NtWaitForSingleObject (256, 0, 0x0, ... 02531 1092 NtWaitForSingleObject (256, 0, 0x0, ... 02532 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1588, 0} (24, {28, 56, new_msg, 0, 460, 468, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\314\1\0\0P\4\0\0" ... ... 02508 308 NtWaitForSingleObject ... ) == 0x0 02528 1080 NtSetEventBoostPriority ... ) == 0x0 02533 1100 NtWaitForSingleObject (256, 0, 0x0, ... 02534 308 NtSetEventBoostPriority (256, ... 02532 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1590, 0} ... {28, 56, reply, 0, 460, 468, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\314\1\0\0P\4\0\0" ) ) == 0x0 02514 676 NtWaitForSingleObject ... ) == 0x0 02535 468 NtResumeThread (608, ... 02536 676 NtSetEventBoostPriority (256, ... 02535 468 NtResumeThread ... 1, ) == 0x0 02515 812 NtWaitForSingleObject ... ) == 0x0 02536 676 NtSetEventBoostPriority ... ) == 0x0 02537 812 NtSetEventBoostPriority (256, ... 02538 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02534 308 NtSetEventBoostPriority ... ) == 0x0 02539 1080 NtSetEventBoostPriority (312, ... 02540 1104 NtWaitForSingleObject (132, 0, 0x0, ... 02516 844 NtWaitForSingleObject ... ) == 0x0 02537 812 NtSetEventBoostPriority ... ) == 0x0 02538 468 NtAllocateVirtualMemory ... 70320128, 1048576, ) == 0x0 02541 676 NtWaitForSingleObject (256, 0, 0x0, ... 02478 584 NtWaitForSingleObject ... ) == 0x0 02539 1080 NtSetEventBoostPriority ... ) == 0x0 02542 844 NtSetEventBoostPriority (256, ... 02543 812 NtWaitForSingleObject (256, 0, 0x0, ... 02544 308 NtWaitForSingleObject (256, 0, 0x0, ... 02545 584 NtWaitForSingleObject (256, 0, 0x0, ... 02517 784 NtWaitForSingleObject ... ) == 0x0 02542 844 NtSetEventBoostPriority ... ) == 0x0 02546 1080 NtWaitForSingleObject (100, 0, {0, 0}, ... 02547 468 NtAllocateVirtualMemory (-1, 71360512, 0, 8192, 4096, 4, ... 02548 784 NtSetEventBoostPriority (256, ... 02546 1080 NtWaitForSingleObject ... ) == 0x102 02522 636 NtWaitForSingleObject ... ) == 0x0 02548 784 NtSetEventBoostPriority ... ) == 0x0 02547 468 NtAllocateVirtualMemory ... 71360512, 8192, ) == 0x0 02549 636 NtSetEventBoostPriority (256, ... 02550 1080 NtWaitForSingleObject (160, 0, 0x0, ... 02551 844 NtWaitForSingleObject (256, 0, 0x0, ... 02524 1096 NtWaitForSingleObject ... ) == 0x0 02549 636 NtSetEventBoostPriority ... ) == 0x0 02552 468 NtProtectVirtualMemory (-1, (0x440e000), 4096, 260, ... 02553 784 NtWaitForSingleObject (256, 0, 0x0, ... 02554 1096 NtSetEventBoostPriority (256, ... 02555 636 NtWaitForSingleObject (256, 0, 0x0, ... 02552 468 NtProtectVirtualMemory ... (0x440e000), 4096, 4, ) == 0x0 02527 788 NtWaitForSingleObject ... ) == 0x0 02554 1096 NtSetEventBoostPriority ... ) == 0x0 02556 788 NtSetEventBoostPriority (256, ... 02557 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02530 580 NtWaitForSingleObject ... ) == 0x0 02556 788 NtSetEventBoostPriority ... ) == 0x0 02558 1096 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02559 580 NtSetEventBoostPriority (256, ... 02557 468 NtCreateThread ... 620, {460, 320}, ) == 0x0 02560 788 NtWaitForSingleObject (256, 0, 0x0, ... 02531 1092 NtWaitForSingleObject ... ) == 0x0 02559 580 NtSetEventBoostPriority ... ) == 0x0 02558 1096 NtDuplicateObject ... 752, ) == 0x0 02561 468 NtQueryInformationThread (620, Basic, 28, ... 02562 1092 NtSetEventBoostPriority (256, ... 02563 580 NtQueryValueKey (712, (712, "Hostname", Partial, 144, ... , Partial, 144, ... 02564 1096 NtWaitForSingleObject (256, 0, 0x0, ... 02533 1100 NtWaitForSingleObject ... ) == 0x0 02561 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=460,Tid=320,}, 0x0, ) == 0x0 02562 1092 NtSetEventBoostPriority ... ) == 0x0 02565 1100 NtSetEventBoostPriority (256, ... 02566 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1590, 0} (24, {28, 56, new_msg, 0, 460, 468, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\2\0\0\314\1\0\0@\1\0\0" ... ... 02567 1092 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02541 676 NtWaitForSingleObject ... ) == 0x0 02565 1100 NtSetEventBoostPriority ... ) == 0x0 02566 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1591, 0} ... {28, 56, reply, 0, 460, 468, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\2\0\0\314\1\0\0@\1\0\0" ) ) == 0x0 02568 676 NtSetEventBoostPriority (256, ... 02567 1092 NtDuplicateObject ... 756, ) == 0x0 02569 1100 NtSetEventBoostPriority (132, ... 02545 584 NtWaitForSingleObject ... ) == 0x0 02568 676 NtSetEventBoostPriority ... ) == 0x0 02570 468 NtResumeThread (620, ... 02563 580 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02571 1092 NtWaitForSingleObject (256, 0, 0x0, ... 02572 584 NtSetEventBoostPriority (256, ... 02573 676 NtWaitForSingleObject (256, 0, 0x0, ... 02540 1104 NtWaitForSingleObject ... ) == 0x0 02569 1100 NtSetEventBoostPriority ... ) == 0x0 02574 580 NtWaitForSingleObject (256, 0, 0x0, ... 
02544 308 NtWaitForSingleObject ... ) == 0x0 02572 584 NtSetEventBoostPriority ... ) == 0x0 02570 468 NtResumeThread ... 1, ) == 0x0 02575 1104 NtWaitForSingleObject (256, 0, 0x0, ... 02576 1100 NtTestAlert (... 02577 308 NtSetEventBoostPriority (256, ... 02578 320 NtWaitForSingleObject (132, 0, 0x0, ... 02579 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02543 812 NtWaitForSingleObject ... ) == 0x0 02577 308 NtSetEventBoostPriority ... ) == 0x0 02576 1100 NtTestAlert ... ) == 0x0 02580 812 NtSetEventBoostPriority (256, ... 02579 468 NtAllocateVirtualMemory ... 71368704, 1048576, ) == 0x0 02581 308 NtWaitForSingleObject (256, 0, 0x0, ... 02551 844 NtWaitForSingleObject ... ) == 0x0 02582 1100 NtContinue (69270832, 1, ... 02583 468 NtAllocateVirtualMemory (-1, 72409088, 0, 8192, 4096, 4, ... 02580 812 NtSetEventBoostPriority ... ) == 0x0 02584 584 NtSetEventBoostPriority (312, ... 02585 844 NtSetEventBoostPriority (256, ... 02586 1100 NtRegisterThreadTerminatePort (24, ... 02583 468 NtAllocateVirtualMemory ... 72409088, 8192, ) == 0x0 02587 812 NtWaitForSingleObject (256, 0, 0x0, ... 02480 804 NtWaitForSingleObject ... ) == 0x0 02584 584 NtSetEventBoostPriority ... ) == 0x0 02553 784 NtWaitForSingleObject ... ) == 0x0 02585 844 NtSetEventBoostPriority ... ) == 0x0 02586 1100 NtRegisterThreadTerminatePort ... ) == 0x0 02588 468 NtProtectVirtualMemory (-1, (0x450e000), 4096, 260, ... 02589 804 NtWaitForSingleObject (256, 0, 0x0, ... 02590 784 NtSetEventBoostPriority (256, ... 02591 584 NtWaitForSingleObject (100, 0, {0, 0}, ... 02592 844 NtWaitForSingleObject (256, 0, 0x0, ... 02593 1100 NtWaitForSingleObject (256, 0, 0x0, ... 02555 636 NtWaitForSingleObject ... ) == 0x0 02590 784 NtSetEventBoostPriority ... ) == 0x0 02591 584 NtWaitForSingleObject ... ) == 0x102 02588 468 NtProtectVirtualMemory ... (0x450e000), 4096, 4, ) == 0x0 02594 636 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 02595 784 NtWaitForSingleObject (256, 0, 0x0, ... 
02596 584 NtWaitForSingleObject (256, 0, 0x0, ... 02594 636 NtAllocateVirtualMemory ... 1437696, 4096, ) == 0x0 02597 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02598 636 NtSetEventBoostPriority (256, ... 02560 788 NtWaitForSingleObject ... ) == 0x0 02599 788 NtSetEventBoostPriority (256, ... 02564 1096 NtWaitForSingleObject ... ) == 0x0 02600 1096 NtSetEventBoostPriority (256, ... 02571 1092 NtWaitForSingleObject ... ) == 0x0 02601 1092 NtSetEventBoostPriority (256, ... 02574 580 NtWaitForSingleObject ... ) == 0x0 02602 580 NtSetEventBoostPriority (256, ... 02573 676 NtWaitForSingleObject ... ) == 0x0 02603 676 NtSetEventBoostPriority (256, ... 02575 1104 NtWaitForSingleObject ... ) == 0x0 02604 1104 NtSetEventBoostPriority (256, ... 02587 812 NtWaitForSingleObject ... ) == 0x0 02605 812 NtSetEventBoostPriority (256, ... 02581 308 NtWaitForSingleObject ... ) == 0x0 02606 308 NtSetEventBoostPriority (256, ... 02589 804 NtWaitForSingleObject ... ) == 0x0 02607 804 NtSetEventBoostPriority (256, ... 02593 1100 NtWaitForSingleObject ... ) == 0x0 02608 1100 NtSetEventBoostPriority (256, ... 02592 844 NtWaitForSingleObject ... ) == 0x0 02609 844 NtSetEventBoostPriority (256, ... 02595 784 NtWaitForSingleObject ... ) == 0x0 02610 784 NtSetEventBoostPriority (256, ... ) == 0x0 02611 784 NtWaitForSingleObject (256, 0, 0x0, ... 02608 1100 NtSetEventBoostPriority ... ) == 0x0 02612 1100 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02607 804 NtSetEventBoostPriority ... ) == 0x0 02605 812 NtSetEventBoostPriority ... ) == 0x0 02604 1104 NtSetEventBoostPriority ... ) == 0x0 02602 580 NtSetEventBoostPriority ... ) == 0x0 02601 1092 NtSetEventBoostPriority ... ) == 0x0 02600 1096 NtSetEventBoostPriority ... ) == 0x0 02597 468 NtCreateThread ... 760, {460, 324}, ) == 0x0 02609 844 NtSetEventBoostPriority ... ) == 0x0 02606 308 NtSetEventBoostPriority ... ) == 0x0 02603 676 NtSetEventBoostPriority ... ) == 0x0 02599 788 NtSetEventBoostPriority ... 
) == 0x0 02598 636 NtSetEventBoostPriority ... ) == 0x0 02611 784 NtWaitForSingleObject ... ) == 0x0 02612 1100 NtDuplicateObject ... 764, ) == 0x0 02613 804 NtSetEventBoostPriority (312, ... 02614 812 NtWaitForSingleObject (256, 0, 0x0, ... 02615 1104 NtWaitForSingleObject (256, 0, 0x0, ... 02616 1092 NtWaitForSingleObject (256, 0, 0x0, ... 02617 580 NtClose (712, ... 02618 468 NtQueryInformationThread (760, Basic, 28, ... 02619 844 NtWaitForSingleObject (256, 0, 0x0, ... 02620 308 NtSetEventBoostPriority (160, ... 02621 676 NtWaitForSingleObject (256, 0, 0x0, ... 02622 788 NtWaitForSingleObject (256, 0, 0x0, ... 02623 1096 NtWaitForSingleObject (312, 0, 0x0, ... 02624 784 NtSetEventBoostPriority (256, ... 02625 1100 NtWaitForSingleObject (256, 0, 0x0, ... 02485 576 NtWaitForSingleObject ... ) == 0x0 02613 804 NtSetEventBoostPriority ... ) == 0x0 02626 636 NtWaitForSingleObject (256, 0, 0x0, ... 02617 580 NtClose ... ) == 0x0 02618 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=460,Tid=324,}, 0x0, ) == 0x0 01651 716 NtWaitForSingleObject ... ) == 0x0 02620 308 NtSetEventBoostPriority ... ) == 0x0 02596 584 NtWaitForSingleObject ... ) == 0x0 02624 784 NtSetEventBoostPriority ... ) == 0x0 02627 576 NtWaitForSingleObject (256, 0, 0x0, ... 02628 804 NtWaitForSingleObject (704, 0, 0x0, ... 02629 580 NtClose (736, ... 02630 716 NtSetEventBoostPriority (160, ... 02631 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1591, 0} (24, {28, 56, new_msg, 0, 460, 468, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\314\1\0\0D\1\0\0" ... ... 02632 584 NtSetEventBoostPriority (256, ... 02633 784 NtWaitForSingleObject (256, 0, 0x0, ... 01666 864 NtWaitForSingleObject ... ) == 0x0 02629 580 NtClose ... ) == 0x0 02630 716 NtSetEventBoostPriority ... ) == 0x0 02634 308 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02614 812 NtWaitForSingleObject ... ) == 0x0 02635 864 NtWaitForSingleObject (256, 0, 0x0, ... 
02636 580 NtWaitForSingleObject (256, 0, 0x0, ... 02637 716 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02634 308 NtCreateEvent ... 736, ) == 0x0 02638 812 NtSetEventBoostPriority (256, ... 02637 716 NtCreateEvent ... 712, ) == 0x0 02639 308 NtWaitForSingleObject (256, 0, 0x0, ... 02615 1104 NtWaitForSingleObject ... ) == 0x0 02638 812 NtSetEventBoostPriority ... ) == 0x0 02632 584 NtSetEventBoostPriority ... ) == 0x0 02631 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1592, 0} ... {28, 56, reply, 0, 460, 468, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\314\1\0\0D\1\0\0" ) ) == 0x0 02640 1104 NtSetEventBoostPriority (256, ... 02641 812 NtWaitForSingleObject (312, 0, 0x0, ... 02642 584 NtWaitForSingleObject (160, 0, 0x0, ... 02619 844 NtWaitForSingleObject ... ) == 0x0 02640 1104 NtSetEventBoostPriority ... ) == 0x0 02643 468 NtResumeThread (760, ... 02644 716 NtWaitForSingleObject (256, 0, 0x0, ... 02645 844 NtSetEventBoostPriority (256, ... 02646 1104 NtSetEventBoostPriority (132, ... 02643 468 NtResumeThread ... 1, ) == 0x0 02621 676 NtWaitForSingleObject ... ) == 0x0 02645 844 NtSetEventBoostPriority ... ) == 0x0 02647 324 NtWaitForSingleObject (132, 0, 0x0, ... 02648 676 NtSetEventBoostPriority (256, ... 02649 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02578 320 NtWaitForSingleObject ... ) == 0x0 02646 1104 NtSetEventBoostPriority ... ) == 0x0 02622 788 NtWaitForSingleObject ... ) == 0x0 02648 676 NtSetEventBoostPriority ... ) == 0x0 02649 468 NtAllocateVirtualMemory ... 72417280, 1048576, ) == 0x0 02650 320 NtWaitForSingleObject (256, 0, 0x0, ... 02651 788 NtSetEventBoostPriority (256, ... 02652 1104 NtTestAlert (... 02653 844 NtWaitForSingleObject (256, 0, 0x0, ... 02654 676 NtWaitForSingleObject (256, 0, 0x0, ... 02625 1100 NtWaitForSingleObject ... ) == 0x0 02651 788 NtSetEventBoostPriority ... ) == 0x0 02652 1104 NtTestAlert ... ) == 0x0 02655 1100 NtSetEventBoostPriority (256, ... 
02656 468 NtAllocateVirtualMemory (-1, 73457664, 0, 8192, 4096, 4, ... 02626 636 NtWaitForSingleObject ... ) == 0x0 02655 1100 NtSetEventBoostPriority ... ) == 0x0 02657 1104 NtContinue (70319408, 1, ... 02658 636 NtSetEventBoostPriority (256, ... 02656 468 NtAllocateVirtualMemory ... 73457664, 8192, ) == 0x0 02659 788 NtWaitForSingleObject (256, 0, 0x0, ... 02616 1092 NtWaitForSingleObject ... ) == 0x0 02658 636 NtSetEventBoostPriority ... ) == 0x0 02660 1104 NtRegisterThreadTerminatePort (24, ... 02661 468 NtProtectVirtualMemory (-1, (0x460e000), 4096, 260, ... 02662 1092 NtSetEventBoostPriority (256, ... 02663 636 NtWaitForSingleObject (256, 0, 0x0, ... 02660 1104 NtRegisterThreadTerminatePort ... ) == 0x0 02627 576 NtWaitForSingleObject ... ) == 0x0 02661 468 NtProtectVirtualMemory ... (0x460e000), 4096, 4, ) == 0x0 02662 1092 NtSetEventBoostPriority ... ) == 0x0 02664 1100 NtWaitForSingleObject (312, 0, 0x0, ... 02665 576 NtSetEventBoostPriority (256, ... 02666 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02667 1092 NtWaitForSingleObject (312, 0, 0x0, ... 02633 784 NtWaitForSingleObject ... ) == 0x0 02665 576 NtSetEventBoostPriority ... ) == 0x0 02666 468 NtCreateThread ... 768, {460, 1160}, ) == 0x0 02668 784 NtSetEventBoostPriority (256, ... 02669 1104 NtWaitForSingleObject (256, 0, 0x0, ... 02670 576 NtSetEventBoostPriority (312, ... 02635 864 NtWaitForSingleObject ... ) == 0x0 02668 784 NtSetEventBoostPriority ... ) == 0x0 02671 864 NtSetEventBoostPriority (256, ... 02529 596 NtWaitForSingleObject ... ) == 0x0 02670 576 NtSetEventBoostPriority ... ) == 0x0 02672 468 NtQueryInformationThread (768, Basic, 28, ... 02636 580 NtWaitForSingleObject ... ) == 0x0 02673 596 NtSetEventBoostPriority (312, ... 02671 864 NtSetEventBoostPriority ... ) == 0x0 02674 576 NtSetEventBoostPriority (704, ... 02675 580 NtSetEventBoostPriority (256, ... 02623 1096 NtWaitForSingleObject ... ) == 0x0 02672 468 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=460,Tid=1160,}, 0x0, ) == 0x0 02673 596 NtSetEventBoostPriority ... ) == 0x0 02676 784 NtWaitForSingleObject (256, 0, 0x0, ... 02639 308 NtWaitForSingleObject ... ) == 0x0 02675 580 NtSetEventBoostPriority ... ) == 0x0 02440 572 NtWaitForSingleObject ... ) == 0x0 02674 576 NtSetEventBoostPriority ... ) == 0x0 02677 1096 NtSetEventBoostPriority (312, ... 02678 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1592, 0} (24, {28, 56, new_msg, 0, 460, 468, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\314\1\0\0\210\4\0\0" ... ... 02679 596 NtWaitForSingleObject (312, 0, 0x0, ... 02680 308 NtSetEventBoostPriority (256, ... 02681 864 NtSetEventBoostPriority (160, ... 02682 572 NtSetEventBoostPriority (704, ... 02683 576 NtWaitForSingleObject (256, 0, 0x0, ... 02641 812 NtWaitForSingleObject ... ) == 0x0 02677 1096 NtSetEventBoostPriority ... ) == 0x0 02678 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1593, 0} ... {28, 56, reply, 0, 460, 468, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\314\1\0\0\210\4\0\0" ) ) == 0x0 02644 716 NtWaitForSingleObject ... ) == 0x0 02680 308 NtSetEventBoostPriority ... ) == 0x0 02444 732 NtWaitForSingleObject ... ) == 0x0 02682 572 NtSetEventBoostPriority ... ) == 0x0 01669 868 NtWaitForSingleObject ... ) == 0x0 02681 864 NtSetEventBoostPriority ... ) == 0x0 02684 812 NtSetEventBoostPriority (312, ... 02685 1096 NtWaitForSingleObject (100, 0, {0, 0}, ... 02686 716 NtSetEventBoostPriority (256, ... 02687 468 NtResumeThread (768, ... 02688 580 NtWaitForSingleObject (256, 0, 0x0, ... 02689 732 NtSetEventBoostPriority (704, ... 02690 308 NtWaitForSingleObject (256, 0, 0x0, ... 02691 868 NtWaitForSingleObject (256, 0, 0x0, ... 02664 1100 NtWaitForSingleObject ... ) == 0x0 02692 864 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02684 812 NtSetEventBoostPriority ... ) == 0x0 02693 572 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02650 320 NtWaitForSingleObject ... 
) == 0x0 02686 716 NtSetEventBoostPriority ... ) == 0x0 02685 1096 NtWaitForSingleObject ... ) == 0x102 02506 744 NtWaitForSingleObject ... ) == 0x0 02689 732 NtSetEventBoostPriority ... ) == 0x0 02694 1100 NtSetEventBoostPriority (312, ... 02692 864 NtCreateEvent ... 772, ) == 0x0 02695 812 NtWaitForSingleObject (704, 0, 0x0, ... 02696 320 NtSetEventBoostPriority (256, ... 02693 572 NtCreateEvent ... 776, ) == 0x0 02697 716 NtWaitForSingleObject (256, 0, 0x0, ... 02698 744 NtSetEventBoostPriority (704, ... 02699 1096 NtWaitForSingleObject (160, 0, 0x0, ... 02687 468 NtResumeThread ... 1, ) == 0x0 02667 1092 NtWaitForSingleObject ... ) == 0x0 02694 1100 NtSetEventBoostPriority ... ) == 0x0 02700 864 NtWaitForSingleObject (256, 0, 0x0, ... 02653 844 NtWaitForSingleObject ... ) == 0x0 02696 320 NtSetEventBoostPriority ... ) == 0x0 02701 572 NtWaitForSingleObject (776, 0, 0x0, ... 02702 732 NtWaitForSingleObject (776, 0, 0x0, ... 02703 1160 NtWaitForSingleObject (132, 0, 0x0, ... 02628 804 NtWaitForSingleObject ... ) == 0x0 02704 1092 NtSetEventBoostPriority (312, ... 02705 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02706 1100 NtWaitForSingleObject (100, 0, {0, 0}, ... 02707 844 NtSetEventBoostPriority (256, ... 02698 744 NtSetEventBoostPriority ... ) == 0x0 02679 596 NtWaitForSingleObject ... ) == 0x0 02704 1092 NtSetEventBoostPriority ... ) == 0x0 02708 804 NtSetEventBoostPriority (704, ... 02705 468 NtAllocateVirtualMemory ... 73465856, 1048576, ) == 0x0 02709 320 NtSetEventBoostPriority (132, ... 02654 676 NtWaitForSingleObject ... ) == 0x0 02707 844 NtSetEventBoostPriority ... ) == 0x0 02710 596 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02711 744 NtWaitForSingleObject (776, 0, 0x0, ... 02706 1100 NtWaitForSingleObject ... 
) == 0x102 02695 812 NtWaitForSingleObject ... ) == 0x0 02708 804 NtSetEventBoostPriority ... ) == 0x0 02712 468 NtAllocateVirtualMemory (-1, 74506240, 0, 8192, 4096, 4, ... 02713 676 NtSetEventBoostPriority (256, ... 02647 324 NtWaitForSingleObject ... ) == 0x0 02709 320 NtSetEventBoostPriority ... ) == 0x0 02710 596 NtCreateKey ... 780, 2, ) == 0x0 02714 844 NtWaitForSingleObject (704, 0, 0x0, ... 02715 812 NtWaitForSingleObject (256, 0, 0x0, ... 02716 1100 NtWaitForSingleObject (160, 0, 0x0, ... 02717 1092 NtWaitForSingleObject (100, 0, {0, 0}, ... 02659 788 NtWaitForSingleObject ... ) == 0x0 02718 324 NtWaitForSingleObject (256, 0, 0x0, ... 02713 676 NtSetEventBoostPriority ... ) == 0x0 02712 468 NtAllocateVirtualMemory ... 74506240, 8192, ) == 0x0 02719 320 NtTestAlert (... 02720 804 NtWaitForSingleObject (776, 0, 0x0, ... 02721 596 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02722 788 NtSetEventBoostPriority (256, ... 02717 1092 NtWaitForSingleObject ... ) == 0x102 02723 676 NtWaitForSingleObject (256, 0, 0x0, ... 02724 468 NtProtectVirtualMemory (-1, (0x470e000), 4096, 260, ... 02719 320 NtTestAlert ... ) == 0x0 02663 636 NtWaitForSingleObject ... ) == 0x0 02722 788 NtSetEventBoostPriority ... ) == 0x0 02721 596 NtOpenKey ... 784, ) == 0x0 02725 1092 NtWaitForSingleObject (256, 0, 0x0, ... 02726 636 NtSetEventBoostPriority (256, ... 02727 320 NtContinue (71367984, 1, ... 02728 788 NtWaitForSingleObject (256, 0, 0x0, ... 02729 596 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02669 1104 NtWaitForSingleObject ... ) == 0x0 02730 320 NtRegisterThreadTerminatePort (24, ... 02726 636 NtSetEventBoostPriority ... ) == 0x0 02724 468 NtProtectVirtualMemory ... (0x470e000), 4096, 4, ) == 0x0 02729 596 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02731 1104 NtSetEventBoostPriority (256, ... 02732 636 NtWaitForSingleObject (256, 0, 0x0, ... 02733 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02734 596 NtQueryValueKey (780, (780, "Hostname", Partial, 144, ... , Partial, 144, ... 02676 784 NtWaitForSingleObject ... ) == 0x0 02731 1104 NtSetEventBoostPriority ... ) == 0x0 02733 468 NtCreateThread ... 788, {460, 1156}, ) == 0x0 02735 784 NtSetEventBoostPriority (256, ... 02734 596 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02736 1104 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02683 576 NtWaitForSingleObject ... ) == 0x0 02735 784 NtSetEventBoostPriority ... ) == 0x0 02737 468 NtQueryInformationThread (788, Basic, 28, ... 02730 320 NtRegisterThreadTerminatePort ... ) == 0x0 02738 596 NtQueryValueKey (780, (780, "Hostname", Partial, 144, ... , Partial, 144, ... 02739 576 NtSetEventBoostPriority (256, ... 02740 784 NtWaitForSingleObject (256, 0, 0x0, ... 02737 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=460,Tid=1156,}, 0x0, ) == 0x0 02741 320 NtWaitForSingleObject (256, 0, 0x0, ... 02688 580 NtWaitForSingleObject ... ) == 0x0 02739 576 NtSetEventBoostPriority ... ) == 0x0 02738 596 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02736 1104 NtDuplicateObject ... 792, ) == 0x0 02742 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1593, 0} (24, {28, 56, new_msg, 0, 460, 468, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\314\1\0\0\204\4\0\0" ... ... 02743 580 NtSetEventBoostPriority (256, ... 02744 596 NtClose (780, ... 02745 1104 NtWaitForSingleObject (256, 0, 0x0, ... 02746 576 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 16772428, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 16772428, 112, ... 02691 868 NtWaitForSingleObject ... 
) == 0x0 02743 580 NtSetEventBoostPriority ... ) == 0x0 02744 596 NtClose ... ) == 0x0 02747 868 NtSetEventBoostPriority (256, ... 02748 580 NtWaitForSingleObject (256, 0, 0x0, ... 02690 308 NtWaitForSingleObject ... ) == 0x0 02747 868 NtSetEventBoostPriority ... ) == 0x0 02749 596 NtClose (784, ... 02742 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1595, 0} ... {28, 56, reply, 0, 460, 468, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\314\1\0\0\204\4\0\0" ) ) == 0x0 02746 576 NtConnectPort ... 780, 0x0, 0x0, 0x0, 112, ) == 0x0 02750 308 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 02749 596 NtClose ... ) == 0x0 02751 468 NtResumeThread (788, ... 02750 308 NtAllocateVirtualMemory ... 1441792, 4096, ) == 0x0 02752 576 NtRequestWaitReplyPort (780, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 16772192} (780, {128, 152, new_msg, 0, 1310720, 125728, 1310720, 16772192} "\0$\370w\20\363\377\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0H \25\0\4\0\0\0H \25\0\20\344\314wH \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0X\341\25\08\246\25\0@\377\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\341\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02753 868 NtSetEventBoostPriority (160, ... 02754 308 NtSetEventBoostPriority (256, ... 02751 468 NtResumeThread ... 1, ) == 0x0 01682 872 NtWaitForSingleObject ... ) == 0x0 02753 868 NtSetEventBoostPriority ... ) == 0x0 02755 596 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02756 1156 NtWaitForSingleObject (132, 0, 0x0, ... 02752 576 NtRequestWaitReplyPort ... {128, 152, reply, 0, 460, 576, 1596, 0} ... {128, 152, reply, 0, 460, 576, 1596, 0} "\7$\370w\20\363\377\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H \25\0\377\377\377\377H \25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0X\341\25\08\246\25\0@\377\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\341\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02757 872 NtWaitForSingleObject (256, 0, 0x0, ... 
02758 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02759 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02755 596 NtCreateEvent ... 784, ) == 0x0 02700 864 NtWaitForSingleObject ... ) == 0x0 02754 308 NtSetEventBoostPriority ... ) == 0x0 02758 468 NtAllocateVirtualMemory ... 74514432, 1048576, ) == 0x0 02759 868 NtCreateEvent ... 796, ) == 0x0 02760 596 NtWaitForSingleObject (784, 0, 0x0, ... 02761 864 NtSetEventBoostPriority (256, ... 02762 308 NtWaitForSingleObject (256, 0, 0x0, ... 02763 576 NtSetEventBoostPriority (776, ... 02764 868 NtWaitForSingleObject (256, 0, 0x0, ... 02697 716 NtWaitForSingleObject ... ) == 0x0 02761 864 NtSetEventBoostPriority ... ) == 0x0 02701 572 NtWaitForSingleObject ... ) == 0x0 02763 576 NtSetEventBoostPriority ... ) == 0x0 02765 716 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 02766 468 NtAllocateVirtualMemory (-1, 75554816, 0, 8192, 4096, 4, ... 02767 572 NtWaitForSingleObject (256, 0, 0x0, ... 02765 716 NtAllocateVirtualMemory ... 1445888, 4096, ) == 0x0 02768 576 NtWaitForSingleObject (256, 0, 0x0, ... 02769 716 NtSetEventBoostPriority (256, ... 02766 468 NtAllocateVirtualMemory ... 75554816, 8192, ) == 0x0 02715 812 NtWaitForSingleObject ... ) == 0x0 02770 812 NtSetEventBoostPriority (256, ... 02718 324 NtWaitForSingleObject ... ) == 0x0 02771 324 NtSetEventBoostPriority (256, ... 02723 676 NtWaitForSingleObject ... ) == 0x0 02772 676 NtSetEventBoostPriority (256, ... 02725 1092 NtWaitForSingleObject ... ) == 0x0 02773 1092 NtSetEventBoostPriority (256, ... 02728 788 NtWaitForSingleObject ... ) == 0x0 02774 788 NtSetEventBoostPriority (256, ... 02732 636 NtWaitForSingleObject ... ) == 0x0 02775 636 NtSetEventBoostPriority (256, ... 02741 320 NtWaitForSingleObject ... ) == 0x0 02776 320 NtSetEventBoostPriority (256, ... 02740 784 NtWaitForSingleObject ... ) == 0x0 02777 784 NtSetEventBoostPriority (256, ... 02745 1104 NtWaitForSingleObject ... ) == 0x0 02778 1104 NtSetEventBoostPriority (256, ... 
02748 580 NtWaitForSingleObject ... ) == 0x0 02779 580 NtSetEventBoostPriority (256, ... 02757 872 NtWaitForSingleObject ... ) == 0x0 02780 872 NtSetEventBoostPriority (256, ... 02762 308 NtWaitForSingleObject ... ) == 0x0 02781 308 NtSetEventBoostPriority (256, ... 02764 868 NtWaitForSingleObject ... ) == 0x0 02782 868 NtSetEventBoostPriority (256, ... 02767 572 NtWaitForSingleObject ... ) == 0x0 02783 572 NtSetEventBoostPriority (256, ... 02768 576 NtWaitForSingleObject ... ) == 0x0 02784 576 NtRequestWaitReplyPort (780, {64, 88, new_msg, 0, 0, 0, 0, 0} (780, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02783 572 NtSetEventBoostPriority ... ) == 0x0 02782 868 NtSetEventBoostPriority ... ) == 0x0 02781 308 NtSetEventBoostPriority ... ) == 0x0 02780 872 NtSetEventBoostPriority ... ) == 0x0 02778 1104 NtSetEventBoostPriority ... ) == 0x0 02776 320 NtSetEventBoostPriority ... ) == 0x0 02775 636 NtSetEventBoostPriority ... ) == 0x0 02773 1092 NtSetEventBoostPriority ... ) == 0x0 02771 324 NtSetEventBoostPriority ... ) == 0x0 02770 812 NtSetEventBoostPriority ... ) == 0x0 02785 468 NtProtectVirtualMemory (-1, (0x480e000), 4096, 260, ... 02779 580 NtSetEventBoostPriority ... ) == 0x0 02777 784 NtSetEventBoostPriority ... ) == 0x0 02774 788 NtSetEventBoostPriority ... ) == 0x0 02772 676 NtSetEventBoostPriority ... ) == 0x0 02769 716 NtSetEventBoostPriority ... ) == 0x0 02786 864 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 02787 572 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02784 576 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 576, 1597, 0} ... {52, 76, reply, 0, 460, 576, 1597, 0} "\2`\372\177\1\00\300\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02788 868 NtWaitForSingleObject (256, 0, 0x0, ... 02789 308 NtWaitForSingleObject (256, 0, 0x0, ... 
02790 872 NtSetEventBoostPriority (160, ... 02791 1104 NtWaitForSingleObject (256, 0, 0x0, ... 02792 320 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02793 636 NtWaitForSingleObject (256, 0, 0x0, ... 02794 1092 NtWaitForSingleObject (160, 0, 0x0, ... 02795 324 NtSetEventBoostPriority (132, ... 02785 468 NtProtectVirtualMemory ... (0x480e000), 4096, 4, ) == 0x0 02796 580 NtWaitForSingleObject (256, 0, 0x0, ... 02797 784 NtWaitForSingleObject (256, 0, 0x0, ... 02798 788 NtWaitForSingleObject (256, 0, 0x0, ... 02799 676 NtWaitForSingleObject (704, 0, 0x0, ... 02800 812 NtWaitForSingleObject (256, 0, 0x0, ... 02786 864 NtAllocateVirtualMemory ... 1449984, 4096, ) == 0x0 02787 572 NtCreateEvent ... 800, ) == 0x0 02801 576 NtWaitForSingleObject (256, 0, 0x0, ... 01689 876 NtWaitForSingleObject ... ) == 0x0 02790 872 NtSetEventBoostPriority ... ) == 0x0 02792 320 NtDuplicateObject ... 804, ) == 0x0 02703 1160 NtWaitForSingleObject ... ) == 0x0 02795 324 NtSetEventBoostPriority ... ) == 0x0 02802 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02803 864 NtSetEventBoostPriority (256, ... 02804 572 NtWaitForSingleObject (256, 0, 0x0, ... 02805 876 NtWaitForSingleObject (256, 0, 0x0, ... 02806 872 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02807 1160 NtWaitForSingleObject (256, 0, 0x0, ... 02808 320 NtWaitForSingleObject (256, 0, 0x0, ... 02809 324 NtTestAlert (... 02802 468 NtCreateThread ... 808, {460, 1164}, ) == 0x0 02788 868 NtWaitForSingleObject ... ) == 0x0 02803 864 NtSetEventBoostPriority ... ) == 0x0 02806 872 NtCreateEvent ... 812, ) == 0x0 02809 324 NtTestAlert ... ) == 0x0 02810 716 NtWaitForSingleObject (256, 0, 0x0, ... 02811 868 NtAllocateVirtualMemory (-1, 1454080, 0, 4096, 4096, 4, ... 02812 864 NtWaitForSingleObject (256, 0, 0x0, ... 02813 872 NtWaitForSingleObject (256, 0, 0x0, ... 02814 324 NtContinue (72416560, 1, ... 02811 868 NtAllocateVirtualMemory ... 1454080, 4096, ) == 0x0 02815 868 NtSetEventBoostPriority (256, ... 
02816 324 NtRegisterThreadTerminatePort (24, ... 02817 468 NtQueryInformationThread (808, Basic, 28, ... 02789 308 NtWaitForSingleObject ... ) == 0x0 02815 868 NtSetEventBoostPriority ... ) == 0x0 02817 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=460,Tid=1164,}, 0x0, ) == 0x0 02818 308 NtSetEventBoostPriority (256, ... 02819 868 NtWaitForSingleObject (256, 0, 0x0, ... 02820 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1595, 0} (24, {28, 56, new_msg, 0, 460, 468, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\314\1\0\0\214\4\0\0" ... ... 02791 1104 NtWaitForSingleObject ... ) == 0x0 02818 308 NtSetEventBoostPriority ... ) == 0x0 02821 1104 NtSetEventBoostPriority (256, ... 02820 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1598, 0} ... {28, 56, reply, 0, 460, 468, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\314\1\0\0\214\4\0\0" ) ) == 0x0 02793 636 NtWaitForSingleObject ... ) == 0x0 02821 1104 NtSetEventBoostPriority ... ) == 0x0 02822 308 NtWaitForSingleObject (256, 0, 0x0, ... 02823 636 NtSetEventBoostPriority (256, ... 02824 468 NtResumeThread (808, ... 02825 1104 NtWaitForSingleObject (256, 0, 0x0, ... 02816 324 NtRegisterThreadTerminatePort ... ) == 0x0 02796 580 NtWaitForSingleObject ... ) == 0x0 02823 636 NtSetEventBoostPriority ... ) == 0x0 02824 468 NtResumeThread ... 1, ) == 0x0 02826 580 NtSetEventBoostPriority (256, ... 02827 324 NtWaitForSingleObject (256, 0, 0x0, ... 02828 636 NtWaitForSingleObject (256, 0, 0x0, ... 02797 784 NtWaitForSingleObject ... ) == 0x0 02826 580 NtSetEventBoostPriority ... ) == 0x0 02829 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02830 1164 NtWaitForSingleObject (132, 0, 0x0, ... 02831 784 NtSetEventBoostPriority (256, ... 02829 468 NtAllocateVirtualMemory ... 75563008, 1048576, ) == 0x0 02798 788 NtWaitForSingleObject ... ) == 0x0 02831 784 NtSetEventBoostPriority ... ) == 0x0 02832 788 NtSetEventBoostPriority (256, ... 
02833 468 NtAllocateVirtualMemory (-1, 76603392, 0, 8192, 4096, 4, ... 02834 580 NtWaitForSingleObject (256, 0, 0x0, ... 02800 812 NtWaitForSingleObject ... ) == 0x0 02832 788 NtSetEventBoostPriority ... ) == 0x0 02833 468 NtAllocateVirtualMemory ... 76603392, 8192, ) == 0x0 02835 812 NtSetEventBoostPriority (256, ... 02836 784 NtAllocateVirtualMemory (-1, 24104960, 0, 4096, 4096, 260, ... 02801 576 NtWaitForSingleObject ... ) == 0x0 02835 812 NtSetEventBoostPriority ... ) == 0x0 02837 468 NtProtectVirtualMemory (-1, (0x490e000), 4096, 260, ... 02838 576 NtSetEventBoostPriority (256, ... 02836 784 NtAllocateVirtualMemory ... 24104960, 4096, ) == 0x0 02839 812 NtSetEventBoostPriority (704, ... 02840 788 NtAllocateVirtualMemory (-1, 23056384, 0, 4096, 4096, 260, ... 02805 876 NtWaitForSingleObject ... ) == 0x0 02838 576 NtSetEventBoostPriority ... ) == 0x0 02841 784 NtWaitForSingleObject (256, 0, 0x0, ... 02837 468 NtProtectVirtualMemory ... (0x490e000), 4096, 4, ) == 0x0 02842 876 NtSetEventBoostPriority (256, ... 02840 788 NtAllocateVirtualMemory ... 23056384, 4096, ) == 0x0 02714 844 NtWaitForSingleObject ... ) == 0x0 02839 812 NtSetEventBoostPriority ... ) == 0x0 02804 572 NtWaitForSingleObject ... ) == 0x0 02842 876 NtSetEventBoostPriority ... ) == 0x0 02843 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02844 788 NtWaitForSingleObject (256, 0, 0x0, ... 02845 844 NtWaitForSingleObject (256, 0, 0x0, ... 02846 572 NtSetEventBoostPriority (256, ... 02847 812 NtWaitForSingleObject (776, 0, 0x0, ... 02848 576 NtWaitForSingleObject (704, 0, 0x0, ... 02843 468 NtCreateThread ... 816, {460, 1116}, ) == 0x0 02807 1160 NtWaitForSingleObject ... ) == 0x0 02846 572 NtSetEventBoostPriority ... ) == 0x0 02849 1160 NtSetEventBoostPriority (256, ... 02850 468 NtQueryInformationThread (816, Basic, 28, ... 02851 876 NtSetEventBoostPriority (160, ... 02808 320 NtWaitForSingleObject ... ) == 0x0 02849 1160 NtSetEventBoostPriority ... 
) == 0x0 02850 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=460,Tid=1116,}, 0x0, ) == 0x0 02852 320 NtSetEventBoostPriority (256, ... 01699 880 NtWaitForSingleObject ... ) == 0x0 02851 876 NtSetEventBoostPriority ... ) == 0x0 02853 572 NtSetEventBoostPriority (776, ... 02810 716 NtWaitForSingleObject ... ) == 0x0 02854 880 NtWaitForSingleObject (256, 0, 0x0, ... 02852 320 NtSetEventBoostPriority ... ) == 0x0 02855 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1598, 0} (24, {28, 56, new_msg, 0, 460, 468, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\314\1\0\0\\4\0\0" ... ... 02856 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02857 716 NtSetEventBoostPriority (256, ... 02702 732 NtWaitForSingleObject ... ) == 0x0 02853 572 NtSetEventBoostPriority ... ) == 0x0 02858 1160 NtWaitForSingleObject (256, 0, 0x0, ... 02859 320 NtWaitForSingleObject (256, 0, 0x0, ... 02812 864 NtWaitForSingleObject ... ) == 0x0 02860 732 NtSetEventBoostPriority (776, ... 02857 716 NtSetEventBoostPriority ... ) == 0x0 02856 876 NtCreateEvent ... 820, ) == 0x0 02861 572 NtWaitForSingleObject (256, 0, 0x0, ... 02862 864 NtAllocateVirtualMemory (-1, 1458176, 0, 4096, 4096, 4, ... 02711 744 NtWaitForSingleObject ... ) == 0x0 02860 732 NtSetEventBoostPriority ... ) == 0x0 02863 716 NtWaitForSingleObject (256, 0, 0x0, ... 02864 876 NtWaitForSingleObject (256, 0, 0x0, ... 02862 864 NtAllocateVirtualMemory ... 1458176, 4096, ) == 0x0 02865 744 NtWaitForSingleObject (256, 0, 0x0, ... 02866 732 NtRequestWaitReplyPort (780, {64, 88, new_msg, 0, 460, 576, 1597, 0} (780, {64, 88, new_msg, 0, 460, 576, 1597, 0} "\1`\0\0A\2\10\0\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02855 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1599, 0} ... 
{28, 56, reply, 0, 460, 468, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\314\1\0\0\\4\0\0" ) ) == 0x0 02867 864 NtSetEventBoostPriority (256, ... 02868 468 NtResumeThread (816, ... 02813 872 NtWaitForSingleObject ... ) == 0x0 02867 864 NtSetEventBoostPriority ... ) == 0x0 02869 872 NtSetEventBoostPriority (256, ... 02868 468 NtResumeThread ... 1, ) == 0x0 02819 868 NtWaitForSingleObject ... ) == 0x0 02869 872 NtSetEventBoostPriority ... ) == 0x0 02870 864 NtWaitForSingleObject (256, 0, 0x0, ... 02871 868 NtSetEventBoostPriority (256, ... 02872 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02866 732 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 732, 1600, 0} ... {52, 76, reply, 0, 460, 732, 1600, 0} "\2\13,\370\1\0,\370B\271\325\371(\273\325\371\377\377\377\377\325\316\325\371\13\353\325\371\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02873 1116 NtWaitForSingleObject (132, 0, 0x0, ... 02822 308 NtWaitForSingleObject ... ) == 0x0 02871 868 NtSetEventBoostPriority ... ) == 0x0 02872 468 NtAllocateVirtualMemory ... 76611584, 1048576, ) == 0x0 02874 732 NtWaitForSingleObject (256, 0, 0x0, ... 02875 308 NtSetEventBoostPriority (256, ... 02876 872 NtWaitForSingleObject (256, 0, 0x0, ... 02877 868 NtWaitForSingleObject (256, 0, 0x0, ... 02827 324 NtWaitForSingleObject ... ) == 0x0 02878 324 NtSetEventBoostPriority (256, ... 02825 1104 NtWaitForSingleObject ... ) == 0x0 02879 1104 NtSetEventBoostPriority (256, ... 02828 636 NtWaitForSingleObject ... ) == 0x0 02880 636 NtSetEventBoostPriority (256, ... 02834 580 NtWaitForSingleObject ... ) == 0x0 02881 580 NtSetEventBoostPriority (256, ... 02841 784 NtWaitForSingleObject ... ) == 0x0 02882 784 NtSetEventBoostPriority (256, ... 02844 788 NtWaitForSingleObject ... ) == 0x0 02883 788 NtSetEventBoostPriority (256, ... 02845 844 NtWaitForSingleObject ... ) == 0x0 02884 844 NtSetEventBoostPriority (256, ... 02854 880 NtWaitForSingleObject ... 
) == 0x0 02885 880 NtSetEventBoostPriority (256, ... 02858 1160 NtWaitForSingleObject ... ) == 0x0 02886 1160 NtSetEventBoostPriority (256, ... 02859 320 NtWaitForSingleObject ... ) == 0x0 02887 320 NtSetEventBoostPriority (256, ... 02861 572 NtWaitForSingleObject ... ) == 0x0 02888 572 NtSetEventBoostPriority (256, ... 02864 876 NtWaitForSingleObject ... ) == 0x0 02889 876 NtSetEventBoostPriority (256, ... 02863 716 NtWaitForSingleObject ... ) == 0x0 02890 716 NtSetEventBoostPriority (256, ... 02865 744 NtWaitForSingleObject ... ) == 0x0 02891 744 NtSetEventBoostPriority (256, ... 02870 864 NtWaitForSingleObject ... ) == 0x0 02892 864 NtSetEventBoostPriority (256, ... 02874 732 NtWaitForSingleObject ... ) == 0x0 02893 732 NtSetEventBoostPriority (256, ... 02876 872 NtWaitForSingleObject ... ) == 0x0 02894 872 NtSetEventBoostPriority (256, ... 02877 868 NtWaitForSingleObject ... ) == 0x0 02895 868 NtAllocateVirtualMemory (-1, 31444992, 0, 4096, 4096, 260, ... 31444992, 4096, ) == 0x0 02896 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02894 872 NtSetEventBoostPriority ... ) == 0x0 02893 732 NtSetEventBoostPriority ... ) == 0x0 02892 864 NtSetEventBoostPriority ... ) == 0x0 02891 744 NtSetEventBoostPriority ... ) == 0x0 02889 876 NtSetEventBoostPriority ... ) == 0x0 02888 572 NtSetEventBoostPriority ... ) == 0x0 02887 320 NtSetEventBoostPriority ... ) == 0x0 02886 1160 NtSetEventBoostPriority ... ) == 0x0 02885 880 NtSetEventBoostPriority ... ) == 0x0 02883 788 NtSetEventBoostPriority ... ) == 0x0 02882 784 NtSetEventBoostPriority ... ) == 0x0 02881 580 NtSetEventBoostPriority ... ) == 0x0 02878 324 NtSetEventBoostPriority ... ) == 0x0 02890 716 NtSetEventBoostPriority ... ) == 0x0 02884 844 NtSetEventBoostPriority ... ) == 0x0 02880 636 NtSetEventBoostPriority ... ) == 0x0 02879 1104 NtSetEventBoostPriority ... ) == 0x0 02875 308 NtSetEventBoostPriority ... ) == 0x0 02897 468 NtAllocateVirtualMemory (-1, 77651968, 0, 8192, 4096, 4, ... 
02898 872 NtAllocateVirtualMemory (-1, 32493568, 0, 4096, 4096, 260, ... 02896 868 NtCreateEvent ... 824, ) == 0x0 02899 732 NtWaitForSingleObject (704, 0, 0x0, ... 02900 864 NtAllocateVirtualMemory (-1, 30396416, 0, 4096, 4096, 260, ... 02901 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02902 876 NtAllocateVirtualMemory (-1, 1462272, 0, 4096, 4096, 4, ... 02903 320 NtWaitForSingleObject (100, 0, {0, 0}, ... 02904 1160 NtSetEventBoostPriority (132, ... 02905 572 NtRequestWaitReplyPort (780, {64, 88, new_msg, 0, 0, 0, 0, 0} (780, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02906 880 NtSetEventBoostPriority (160, ... 02907 788 NtWaitForSingleObject (256, 0, 0x0, ... 02908 580 NtWaitForSingleObject (256, 0, 0x0, ... 02909 784 NtWaitForSingleObject (256, 0, 0x0, ... 02910 716 NtWaitForSingleObject (256, 0, 0x0, ... 02911 324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02912 636 NtWaitForSingleObject (256, 0, 0x0, ... 02913 1104 NtWaitForSingleObject (100, 0, {0, 0}, ... 02914 308 NtWaitForSingleObject (256, 0, 0x0, ... 02897 468 NtAllocateVirtualMemory ... 77651968, 8192, ) == 0x0 02915 844 NtSetEventBoostPriority (704, ... 02916 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02900 864 NtAllocateVirtualMemory ... 30396416, 4096, ) == 0x0 02901 744 NtCreateEvent ... 828, ) == 0x0 02902 876 NtAllocateVirtualMemory ... 1462272, 4096, ) == 0x0 02898 872 NtAllocateVirtualMemory ... 32493568, 4096, ) == 0x0 02903 320 NtWaitForSingleObject ... ) == 0x102 01709 884 NtWaitForSingleObject ... ) == 0x0 02906 880 NtSetEventBoostPriority ... ) == 0x0 02905 572 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 572, 1601, 0} ... {52, 76, reply, 0, 460, 572, 1601, 0} "\2`\372\177\1\00\300\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02756 1156 NtWaitForSingleObject ... 
) == 0x0 02904 1160 NtSetEventBoostPriority ... ) == 0x0 02911 324 NtDuplicateObject ... 832, ) == 0x0 02917 468 NtProtectVirtualMemory (-1, (0x4a0e000), 4096, 260, ... 02799 676 NtWaitForSingleObject ... ) == 0x0 02915 844 NtSetEventBoostPriority ... ) == 0x0 02916 868 NtDuplicateObject ... 836, ) == 0x0 02918 864 NtWaitForSingleObject (256, 0, 0x0, ... 02919 744 NtSetEventBoostPriority (776, ... 02920 876 NtSetEventBoostPriority (256, ... 02921 872 NtWaitForSingleObject (256, 0, 0x0, ... 02922 884 NtSetEventBoostPriority (160, ... 02923 320 NtWaitForSingleObject (160, 0, 0x0, ... 02924 880 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02925 572 NtWaitForSingleObject (256, 0, 0x0, ... 02926 1156 NtWaitForSingleObject (256, 0, 0x0, ... 02927 1160 NtTestAlert (... 02928 324 NtWaitForSingleObject (256, 0, 0x0, ... 02929 676 NtSetEventBoostPriority (704, ... 02917 468 NtProtectVirtualMemory ... (0x4a0e000), 4096, 4, ) == 0x0 02930 844 NtWaitForSingleObject (776, 0, 0x0, ... 02931 868 NtWaitForSingleObject (256, 0, 0x0, ... 02720 804 NtWaitForSingleObject ... ) == 0x0 02919 744 NtSetEventBoostPriority ... ) == 0x0 02907 788 NtWaitForSingleObject ... ) == 0x0 02920 876 NtSetEventBoostPriority ... ) == 0x0 01753 888 NtWaitForSingleObject ... ) == 0x0 02922 884 NtSetEventBoostPriority ... ) == 0x0 02924 880 NtCreateEvent ... 840, ) == 0x0 02927 1160 NtTestAlert ... ) == 0x0 02848 576 NtWaitForSingleObject ... ) == 0x0 02929 676 NtSetEventBoostPriority ... ) == 0x0 02932 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02933 804 NtSetEventBoostPriority (776, ... 02934 788 NtSetEventBoostPriority (256, ... 02935 744 NtWaitForSingleObject (256, 0, 0x0, ... 02936 888 NtWaitForSingleObject (256, 0, 0x0, ... 02937 876 NtWaitForSingleObject (256, 0, 0x0, ... 02913 1104 NtWaitForSingleObject ... ) == 0x102 02938 880 NtWaitForSingleObject (256, 0, 0x0, ... 02939 576 NtSetEventBoostPriority (704, ... 02940 1160 NtContinue (73465136, 1, ... 
02941 884 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02847 812 NtWaitForSingleObject ... ) == 0x0 02909 784 NtWaitForSingleObject ... ) == 0x0 02934 788 NtSetEventBoostPriority ... ) == 0x0 02933 804 NtSetEventBoostPriority ... ) == 0x0 02932 468 NtCreateThread ... 844, {460, 1008}, ) == 0x0 02942 1104 NtWaitForSingleObject (160, 0, 0x0, ... 02899 732 NtWaitForSingleObject ... ) == 0x0 02939 576 NtSetEventBoostPriority ... ) == 0x0 02943 1160 NtRegisterThreadTerminatePort (24, ... 02944 812 NtWaitForSingleObject (256, 0, 0x0, ... 02945 784 NtSetEventBoostPriority (256, ... 02941 884 NtCreateEvent ... 848, ) == 0x0 02946 788 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02947 804 NtRequestWaitReplyPort (780, {64, 88, new_msg, 0, 460, 732, 1600, 0} (780, {64, 88, new_msg, 0, 460, 732, 1600, 0} "\1\13\0\0A\2\10\0B\271\325\371(\273\325\371\377\377\377\377\325\316\325\371\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02948 676 NtWaitForSingleObject (776, 0, 0x0, ... 02949 732 NtWaitForSingleObject (312, 0, 0x0, ... 02950 576 NtWaitForSingleObject (312, 0, 0x0, ... 02910 716 NtWaitForSingleObject ... ) == 0x0 02945 784 NtSetEventBoostPriority ... ) == 0x0 02943 1160 NtRegisterThreadTerminatePort ... ) == 0x0 02951 884 NtWaitForSingleObject (256, 0, 0x0, ... 02952 468 NtQueryInformationThread (844, Basic, 28, ... 02946 788 NtCreateEvent ... 852, ) == 0x0 02947 804 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 804, 1602, 0} ... {52, 76, reply, 0, 460, 804, 1602, 0} "\2\13,\370\1\0,\370B\271\325\371(\273\325\371\377\377\377\377\325\316\325\371\13\353\325\371\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02953 716 NtSetEventBoostPriority (256, ... 02954 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02952 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=460,Tid=1008,}, 0x0, ) == 0x0 02955 788 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02912 636 NtWaitForSingleObject ... ) == 0x0 02953 716 NtSetEventBoostPriority ... ) == 0x0 02956 804 NtWaitForSingleObject (256, 0, 0x0, ... 02957 1160 NtWaitForSingleObject (256, 0, 0x0, ... 02958 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1599, 0} (24, {28, 56, new_msg, 0, 460, 468, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\314\1\0\0\360\3\0\0" ... ... 02959 636 NtSetEventBoostPriority (256, ... 02955 788 NtDuplicateObject ... 856, ) == 0x0 02954 784 NtCreateEvent ... 860, ) == 0x0 02914 308 NtWaitForSingleObject ... ) == 0x0 02959 636 NtSetEventBoostPriority ... ) == 0x0 02958 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1603, 0} ... {28, 56, reply, 0, 460, 468, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\314\1\0\0\360\3\0\0" ) ) == 0x0 02960 788 NtWaitForSingleObject (256, 0, 0x0, ... 02961 308 NtSetEventBoostPriority (256, ... 02962 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02963 716 NtWaitForSingleObject (256, 0, 0x0, ... 02964 468 NtResumeThread (844, ... 02918 864 NtWaitForSingleObject ... ) == 0x0 02961 308 NtSetEventBoostPriority ... ) == 0x0 02962 784 NtDuplicateObject ... 864, ) == 0x0 02965 636 NtWaitForSingleObject (256, 0, 0x0, ... 02966 864 NtSetEventBoostPriority (256, ... 02964 468 NtResumeThread ... 1, ) == 0x0 02967 784 NtWaitForSingleObject (256, 0, 0x0, ... 02921 872 NtWaitForSingleObject ... ) == 0x0 02966 864 NtSetEventBoostPriority ... ) == 0x0 02968 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02969 872 NtSetEventBoostPriority (256, ... 02970 308 NtWaitForSingleObject (256, 0, 0x0, ... 02971 1008 NtWaitForSingleObject (132, 0, 0x0, ... 02925 572 NtWaitForSingleObject ... ) == 0x0 02969 872 NtSetEventBoostPriority ... ) == 0x0 02968 468 NtAllocateVirtualMemory ... 77660160, 1048576, ) == 0x0 02972 572 NtSetEventBoostPriority (256, ... 02973 864 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02926 1156 NtWaitForSingleObject ... ) == 0x0 02972 572 NtSetEventBoostPriority ... 
) == 0x0 02974 468 NtAllocateVirtualMemory (-1, 78700544, 0, 8192, 4096, 4, ... 02975 1156 NtSetEventBoostPriority (256, ... 02973 864 NtCreateEvent ... 868, ) == 0x0 02976 872 NtWaitForSingleObject (256, 0, 0x0, ... 02928 324 NtWaitForSingleObject ... ) == 0x0 02975 1156 NtSetEventBoostPriority ... ) == 0x0 02974 468 NtAllocateVirtualMemory ... 78700544, 8192, ) == 0x0 02977 864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02978 324 NtSetEventBoostPriority (256, ... 02979 572 NtWaitForSingleObject (776, 0, 0x0, ... 02980 468 NtProtectVirtualMemory (-1, (0x4b0e000), 4096, 260, ... 02931 868 NtWaitForSingleObject ... ) == 0x0 02978 324 NtSetEventBoostPriority ... ) == 0x0 02977 864 NtDuplicateObject ... 872, ) == 0x0 02981 1156 NtSetEventBoostPriority (132, ... 02982 868 NtSetEventBoostPriority (256, ... 02980 468 NtProtectVirtualMemory ... (0x4b0e000), 4096, 4, ) == 0x0 02983 864 NtWaitForSingleObject (256, 0, 0x0, ... 02908 580 NtWaitForSingleObject ... ) == 0x0 02982 868 NtSetEventBoostPriority ... ) == 0x0 02830 1164 NtWaitForSingleObject ... ) == 0x0 02981 1156 NtSetEventBoostPriority ... ) == 0x0 02984 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 02985 580 NtSetEventBoostPriority (256, ... 02986 324 NtWaitForSingleObject (256, 0, 0x0, ... 02987 1164 NtWaitForSingleObject (256, 0, 0x0, ... 02988 1156 NtTestAlert (... 02936 888 NtWaitForSingleObject ... ) == 0x0 02984 468 NtCreateThread ... 876, {460, 1120}, ) == 0x0 02989 888 NtSetEventBoostPriority (256, ... 02988 1156 NtTestAlert ... ) == 0x0 02935 744 NtWaitForSingleObject ... ) == 0x0 02989 888 NtSetEventBoostPriority ... ) == 0x0 02990 468 NtQueryInformationThread (876, Basic, 28, ... 02991 744 NtSetEventBoostPriority (256, ... 02992 1156 NtContinue (74513712, 1, ... 02985 580 NtSetEventBoostPriority ... ) == 0x0 02993 868 NtSetEventBoostPriority (312, ... 02937 876 NtWaitForSingleObject ... ) == 0x0 02991 744 NtSetEventBoostPriority ... ) == 0x0 02990 468 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=460,Tid=1120,}, 0x0, ) == 0x0 02994 1156 NtRegisterThreadTerminatePort (24, ... 02995 580 NtSetEventBoostPriority (784, ... 02996 876 NtSetEventBoostPriority (256, ... 02949 732 NtWaitForSingleObject ... ) == 0x0 02993 868 NtSetEventBoostPriority ... ) == 0x0 02997 888 NtSetEventBoostPriority (160, ... 02998 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1603, 0} (24, {28, 56, new_msg, 0, 460, 468, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\3\0\0\314\1\0\0`\4\0\0" ... ... 02999 744 NtRequestWaitReplyPort (780, {64, 88, new_msg, 0, 0, 0, 0, 0} (780, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02938 880 NtWaitForSingleObject ... ) == 0x0 03000 732 NtSetEventBoostPriority (312, ... 02996 876 NtSetEventBoostPriority ... ) == 0x0 02760 596 NtWaitForSingleObject ... ) == 0x0 02995 580 NtSetEventBoostPriority ... ) == 0x0 03001 868 NtWaitForSingleObject (256, 0, 0x0, ... 01764 892 NtWaitForSingleObject ... ) == 0x0 02997 888 NtSetEventBoostPriority ... ) == 0x0 02994 1156 NtRegisterThreadTerminatePort ... ) == 0x0 03002 880 NtSetEventBoostPriority (256, ... 02950 576 NtWaitForSingleObject ... ) == 0x0 03000 732 NtSetEventBoostPriority ... ) == 0x0 02999 744 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 744, 1604, 0} ... {52, 76, reply, 0, 460, 744, 1604, 0} "\2`\372\177\1\00\300\0\0\0\0\265\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02998 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1605, 0} ... {28, 56, reply, 0, 460, 468, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\3\0\0\314\1\0\0`\4\0\0" ) ) == 0x0 03003 596 NtWaitForSingleObject (256, 0, 0x0, ... 03004 876 NtWaitForSingleObject (256, 0, 0x0, ... 03005 892 NtSetEventBoostPriority (160, ... 03006 888 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
02944 812 NtWaitForSingleObject ... ) == 0x0 03007 576 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03002 880 NtSetEventBoostPriority ... ) == 0x0 03008 1156 NtWaitForSingleObject (256, 0, 0x0, ... 03009 580 NtWaitForSingleObject (256, 0, 0x0, ... 03010 744 NtWaitForSingleObject (776, 0, 0x0, ... 03011 468 NtResumeThread (876, ... 01784 896 NtWaitForSingleObject ... ) == 0x0 03005 892 NtSetEventBoostPriority ... ) == 0x0 03012 812 NtSetEventBoostPriority (256, ... 03007 576 NtCreateKey ... 880, 2, ) == 0x0 03006 888 NtCreateEvent ... 884, ) == 0x0 03013 732 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03014 896 NtWaitForSingleObject (256, 0, 0x0, ... 03011 468 NtResumeThread ... 1, ) == 0x0 02951 884 NtWaitForSingleObject ... ) == 0x0 03015 576 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03012 812 NtSetEventBoostPriority ... ) == 0x0 03016 892 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03017 888 NtWaitForSingleObject (256, 0, 0x0, ... 03013 732 NtCreateKey ... 888, 2, ) == 0x0 03018 884 NtSetEventBoostPriority (256, ... 03015 576 NtOpenKey ... 892, ) == 0x0 03019 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03020 880 NtWaitForSingleObject (256, 0, 0x0, ... 03021 1120 NtWaitForSingleObject (132, 0, 0x0, ... 03022 812 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02956 804 NtWaitForSingleObject ... ) == 0x0 03018 884 NtSetEventBoostPriority ... 
) == 0x0 03023 732 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03016 892 NtCreateEvent ... 896, ) == 0x0 03019 468 NtAllocateVirtualMemory ... 78708736, 1048576, ) == 0x0 03024 804 NtSetEventBoostPriority (256, ... 03022 812 NtCreateEvent ... 900, ) == 0x0 03025 576 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03023 732 NtOpenKey ... 904, ) == 0x0 03026 892 NtWaitForSingleObject (256, 0, 0x0, ... 03027 884 NtWaitForSingleObject (256, 0, 0x0, ... 02957 1160 NtWaitForSingleObject ... ) == 0x0 03024 804 NtSetEventBoostPriority ... ) == 0x0 03028 812 NtSetEventBoostPriority (776, ... 03025 576 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03029 732 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03030 1160 NtSetEventBoostPriority (256, ... 03031 468 NtAllocateVirtualMemory (-1, 79749120, 0, 8192, 4096, 4, ... 02930 844 NtWaitForSingleObject ... ) == 0x0 03028 812 NtSetEventBoostPriority ... ) == 0x0 03032 576 NtQueryValueKey (880, (880, "Hostname", Partial, 144, ... , Partial, 144, ... 02960 788 NtWaitForSingleObject ... ) == 0x0 03030 1160 NtSetEventBoostPriority ... ) == 0x0 03029 732 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03033 844 NtWaitForSingleObject (256, 0, 0x0, ... 03031 468 NtAllocateVirtualMemory ... 79749120, 8192, ) == 0x0 03034 812 NtWaitForSingleObject (256, 0, 0x0, ... 03035 788 NtSetEventBoostPriority (256, ... 03032 576 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03036 1160 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03037 804 NtWaitForSingleObject (704, 0, 0x0, ... 03038 468 NtProtectVirtualMemory (-1, (0x4c0e000), 4096, 260, ... 02963 716 NtWaitForSingleObject ... 
) == 0x0 03035 788 NtSetEventBoostPriority ... ) == 0x0 03039 576 NtWaitForSingleObject (256, 0, 0x0, ... 03040 732 NtQueryValueKey (888, (888, "Hostname", Partial, 144, ... , Partial, 144, ... 03041 716 NtSetEventBoostPriority (256, ... 03038 468 NtProtectVirtualMemory ... (0x4c0e000), 4096, 4, ) == 0x0 03036 1160 NtDuplicateObject ... 908, ) == 0x0 02965 636 NtWaitForSingleObject ... ) == 0x0 03041 716 NtSetEventBoostPriority ... ) == 0x0 03040 732 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03042 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 03043 636 NtSetEventBoostPriority (256, ... 03044 1160 NtWaitForSingleObject (256, 0, 0x0, ... 03045 716 NtWaitForSingleObject (256, 0, 0x0, ... 03046 732 NtWaitForSingleObject (256, 0, 0x0, ... 02967 784 NtWaitForSingleObject ... ) == 0x0 03043 636 NtSetEventBoostPriority ... ) == 0x0 03042 468 NtCreateThread ... 912, {460, 1140}, ) == 0x0 03047 788 NtWaitForSingleObject (256, 0, 0x0, ... 03048 784 NtSetEventBoostPriority (256, ... 03049 636 NtWaitForSingleObject (256, 0, 0x0, ... 02970 308 NtWaitForSingleObject ... ) == 0x0 03048 784 NtSetEventBoostPriority ... ) == 0x0 03050 468 NtQueryInformationThread (912, Basic, 28, ... 03051 308 NtSetEventBoostPriority (256, ... 02976 872 NtWaitForSingleObject ... ) == 0x0 03052 872 NtSetEventBoostPriority (256, ... 02983 864 NtWaitForSingleObject ... ) == 0x0 03053 864 NtSetEventBoostPriority (256, ... 02987 1164 NtWaitForSingleObject ... ) == 0x0 03054 1164 NtSetEventBoostPriority (256, ... 02986 324 NtWaitForSingleObject ... ) == 0x0 03055 324 NtSetEventBoostPriority (256, ... 03001 868 NtWaitForSingleObject ... ) == 0x0 03056 868 NtSetEventBoostPriority (256, ... 03003 596 NtWaitForSingleObject ... ) == 0x0 03057 596 NtSetEventBoostPriority (256, ... 03004 876 NtWaitForSingleObject ... ) == 0x0 03058 876 NtSetEventBoostPriority (256, ... 03008 1156 NtWaitForSingleObject ... 
) == 0x0 03059 1156 NtSetEventBoostPriority (256, ... 03009 580 NtWaitForSingleObject ... ) == 0x0 03060 580 NtSetEventBoostPriority (256, ... 03014 896 NtWaitForSingleObject ... ) == 0x0 03061 896 NtSetEventBoostPriority (256, ... 03017 888 NtWaitForSingleObject ... ) == 0x0 03062 888 NtSetEventBoostPriority (256, ... 03020 880 NtWaitForSingleObject ... ) == 0x0 03063 880 NtAllocateVirtualMemory (-1, 1466368, 0, 4096, 4096, 4, ... 1466368, 4096, ) == 0x0 03064 880 NtSetEventBoostPriority (256, ... 03062 888 NtSetEventBoostPriority ... ) == 0x0 03061 896 NtSetEventBoostPriority ... ) == 0x0 03060 580 NtSetEventBoostPriority ... ) == 0x0 03059 1156 NtSetEventBoostPriority ... ) == 0x0 03058 876 NtSetEventBoostPriority ... ) == 0x0 03057 596 NtSetEventBoostPriority ... ) == 0x0 03056 868 NtSetEventBoostPriority ... ) == 0x0 03055 324 NtSetEventBoostPriority ... ) == 0x0 03054 1164 NtSetEventBoostPriority ... ) == 0x0 03053 864 NtSetEventBoostPriority ... ) == 0x0 03052 872 NtSetEventBoostPriority ... ) == 0x0 03051 308 NtSetEventBoostPriority ... ) == 0x0 03050 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=460,Tid=1140,}, 0x0, ) == 0x0 03065 784 NtWaitForSingleObject (256, 0, 0x0, ... 03026 892 NtWaitForSingleObject ... ) == 0x0 03064 880 NtSetEventBoostPriority ... ) == 0x0 03066 888 NtWaitForSingleObject (256, 0, 0x0, ... 03067 580 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03068 896 NtWaitForSingleObject (256, 0, 0x0, ... 03069 876 NtWaitForSingleObject (256, 0, 0x0, ... 03070 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03071 596 NtWaitForSingleObject (256, 0, 0x0, ... 03072 324 NtWaitForSingleObject (100, 0, {0, 0}, ... 03073 868 NtSetEventBoostPriority (704, ... 
03074 1164 NtSetEventBoostPriority (132, ... 03075 872 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03076 308 NtWaitForSingleObject (256, 0, 0x0, ... 03077 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1605, 0} (24, {28, 56, new_msg, 0, 460, 468, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\3\0\0\314\1\0\0t\4\0\0" ... ... 03078 892 NtSetEventBoostPriority (256, ... 03079 880 NtWaitForSingleObject (256, 0, 0x0, ... 03080 864 NtWaitForSingleObject (256, 0, 0x0, ... 03067 580 NtCreateKey ... 916, 2, ) == 0x0 03070 1156 NtDuplicateObject ... 920, ) == 0x0 03037 804 NtWaitForSingleObject ... ) == 0x0 03073 868 NtSetEventBoostPriority ... ) == 0x0 02873 1116 NtWaitForSingleObject ... ) == 0x0 03074 1164 NtSetEventBoostPriority ... ) == 0x0 03072 324 NtWaitForSingleObject ... ) == 0x102 03075 872 NtCreateEvent ... 924, ) == 0x0 03077 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1606, 0} ... {28, 56, reply, 0, 460, 468, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\3\0\0\314\1\0\0t\4\0\0" ) ) == 0x0 03027 884 NtWaitForSingleObject ... ) == 0x0 03078 892 NtSetEventBoostPriority ... ) == 0x0 03081 580 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03082 804 NtWaitForSingleObject (256, 0, 0x0, ... 03083 1156 NtWaitForSingleObject (256, 0, 0x0, ... 03084 1116 NtWaitForSingleObject (256, 0, 0x0, ... 03085 868 NtWaitForSingleObject (776, 0, 0x0, ... 03086 1164 NtTestAlert (... 03087 324 NtWaitForSingleObject (160, 0, 0x0, ... 03088 872 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03089 884 NtSetEventBoostPriority (256, ... 03090 468 NtResumeThread (912, ... 03081 580 NtOpenKey ... 928, ) == 0x0 03086 1164 NtTestAlert ... ) == 0x0 03033 844 NtWaitForSingleObject ... ) == 0x0 03089 884 NtSetEventBoostPriority ... ) == 0x0 03088 872 NtDuplicateObject ... 932, ) == 0x0 03091 892 NtWaitForSingleObject (256, 0, 0x0, ... 
03092 580 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03093 844 NtSetEventBoostPriority (256, ... 03094 1164 NtContinue (75562288, 1, ... 03095 884 NtWaitForSingleObject (256, 0, 0x0, ... 03096 872 NtWaitForSingleObject (256, 0, 0x0, ... 03034 812 NtWaitForSingleObject ... ) == 0x0 03093 844 NtSetEventBoostPriority ... ) == 0x0 03092 580 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03097 1164 NtRegisterThreadTerminatePort (24, ... 03090 468 NtResumeThread ... 1, ) == 0x0 03098 812 NtSetEventBoostPriority (256, ... 03099 1140 NtWaitForSingleObject (132, 0, 0x0, ... 03100 580 NtQueryValueKey (916, (916, "Domain", Partial, 144, ... , Partial, 144, ... 03101 844 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03039 576 NtWaitForSingleObject ... ) == 0x0 03098 812 NtSetEventBoostPriority ... ) == 0x0 03102 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03097 1164 NtRegisterThreadTerminatePort ... ) == 0x0 03103 576 NtSetEventBoostPriority (256, ... 03101 844 NtCreateEvent ... 936, ) == 0x0 03100 580 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03102 468 NtAllocateVirtualMemory ... 79757312, 1048576, ) == 0x0 03044 1160 NtWaitForSingleObject ... ) == 0x0 03103 576 NtSetEventBoostPriority ... ) == 0x0 03104 1164 NtWaitForSingleObject (256, 0, 0x0, ... 03105 844 NtWaitForSingleObject (256, 0, 0x0, ... 03106 580 NtWaitForSingleObject (256, 0, 0x0, ... 03107 1160 NtSetEventBoostPriority (256, ... 03108 468 NtAllocateVirtualMemory (-1, 80797696, 0, 8192, 4096, 4, ... 03109 812 NtRequestWaitReplyPort (780, {64, 88, new_msg, 0, 0, 0, 0, 0} (780, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03046 732 NtWaitForSingleObject ... ) == 0x0 03107 1160 NtSetEventBoostPriority ... 
) == 0x0 03108 468 NtAllocateVirtualMemory ... 80797696, 8192, ) == 0x0 03110 732 NtSetEventBoostPriority (256, ... 03109 812 NtRequestWaitReplyPort ... {52, 76, reply, 0, 460, 812, 1607, 0} ... {52, 76, reply, 0, 460, 812, 1607, 0} "\2\13,\370\1\0,\370B\271\325\371(\273\325\371\377\377\377\377\325\316\325\371\13\353\325\371\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03111 576 NtQueryValueKey (880, (880, "Hostname", Partial, 144, ... , Partial, 144, ... 03045 716 NtWaitForSingleObject ... ) == 0x0 03110 732 NtSetEventBoostPriority ... ) == 0x0 03112 468 NtProtectVirtualMemory (-1, (0x4d0e000), 4096, 260, ... 03113 812 NtWaitForSingleObject (256, 0, 0x0, ... 03114 716 NtSetEventBoostPriority (256, ... 03111 576 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03115 1160 NtWaitForSingleObject (312, 0, 0x0, ... 03116 732 NtQueryValueKey (888, (888, "Hostname", Partial, 144, ... , Partial, 144, ... 03047 788 NtWaitForSingleObject ... ) == 0x0 03117 576 NtWaitForSingleObject (256, 0, 0x0, ... 03116 732 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03118 788 NtSetEventBoostPriority (256, ... 03119 732 NtWaitForSingleObject (256, 0, 0x0, ... 03049 636 NtWaitForSingleObject ... ) == 0x0 03118 788 NtSetEventBoostPriority ... ) == 0x0 03120 636 NtSetEventBoostPriority (256, ... 03065 784 NtWaitForSingleObject ... ) == 0x0 03121 784 NtSetEventBoostPriority (256, ... 03066 888 NtWaitForSingleObject ... ) == 0x0 03122 888 NtAllocateVirtualMemory (-1, 1470464, 0, 4096, 4096, 4, ... 1470464, 4096, ) == 0x0 03123 888 NtSetEventBoostPriority (256, ... 03121 784 NtSetEventBoostPriority ... ) == 0x0 03124 788 NtWaitForSingleObject (256, 0, 0x0, ... 03120 636 NtSetEventBoostPriority ... ) == 0x0 03114 716 NtSetEventBoostPriority ... ) == 0x0 03112 468 NtProtectVirtualMemory ... 
(0x4d0e000), 4096, 4, ) == 0x0 03125 784 NtWaitForSingleObject (256, 0, 0x0, ... 03068 896 NtWaitForSingleObject ... ) == 0x0 03123 888 NtSetEventBoostPriority ... ) == 0x0 03126 636 NtAllocateVirtualMemory (-1, 18862080, 0, 4096, 4096, 260, ... 03127 716 NtWaitForSingleObject (256, 0, 0x0, ... 03128 468 NtCreateThread (0x1f03ff, 0x0, -1, 1244124, 1244840, 1, ... 03129 896 NtSetEventBoostPriority (256, ... 03130 888 NtWaitForSingleObject (256, 0, 0x0, ... 03126 636 NtAllocateVirtualMemory ... 18862080, 4096, ) == 0x0 03128 468 NtCreateThread ... 940, {460, 1168}, ) == 0x0 03071 596 NtWaitForSingleObject ... ) == 0x0 03129 896 NtSetEventBoostPriority ... ) == 0x0 03131 596 NtSetEventBoostPriority (256, ... 03132 468 NtQueryInformationThread (940, Basic, 28, ... 03069 876 NtWaitForSingleObject ... ) == 0x0 03131 596 NtSetEventBoostPriority ... ) == 0x0 03133 896 NtSetEventBoostPriority (160, ... 03134 876 NtSetEventBoostPriority (256, ... 03132 468 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=460,Tid=1168,}, 0x0, ) == 0x0 03135 596 NtWaitForSingleObject (256, 0, 0x0, ... 03136 636 NtWaitForSingleObject (256, 0, 0x0, ... 03079 880 NtWaitForSingleObject ... ) == 0x0 03137 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 460, 468, 1606, 0} (24, {28, 56, new_msg, 0, 460, 468, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\3\0\0\314\1\0\0\220\4\0\0" ... ... 03134 876 NtSetEventBoostPriority ... ) == 0x0 01827 900 NtWaitForSingleObject ... ) == 0x0 03133 896 NtSetEventBoostPriority ... ) == 0x0 03138 880 NtSetEventBoostPriority (256, ... 03139 876 NtWaitForSingleObject (256, 0, 0x0, ... 03140 900 NtWaitForSingleObject (256, 0, 0x0, ... 03141 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03080 864 NtWaitForSingleObject ... ) == 0x0 03138 880 NtSetEventBoostPriority ... ) == 0x0 03142 864 NtSetEventBoostPriority (256, ... 03141 896 NtCreateEvent ... 944, ) == 0x0 03137 468 NtRequestWaitReplyPort ... {28, 56, reply, 0, 460, 468, 1608, 0} ... 
{28, 56, reply, 0, 460, 468, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\3\0\0\314\1\0\0\220\4\0\0" ) ) == 0x0 03076 308 NtWaitForSingleObject ... ) == 0x0 03142 864 NtSetEventBoostPriority ... ) == 0x0 03143 896 NtWaitForSingleObject (256, 0, 0x0, ... 03144 308 NtSetEventBoostPriority (256, ... 03145 468 NtResumeThread (940, ... 03146 864 NtWaitForSingleObject (256, 0, 0x0, ... 03082 804 NtWaitForSingleObject ... ) == 0x0 03145 468 NtResumeThread ... 1, ) == 0x0 03144 308 NtSetEventBoostPriority ... ) == 0x0 03147 880 NtWaitForSingleObject (256, 0, 0x0, ... 03148 804 NtSetEventBoostPriority (256, ... 03149 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03150 308 NtWaitForSingleObject (256, 0, 0x0, ... 03084 1116 NtWaitForSingleObject ... ) == 0x0 03148 804 NtSetEventBoostPriority ... ) == 0x0 03149 468 NtAllocateVirtualMemory ... 80805888, 1048576, ) == 0x0 03151 1116 NtSetEventBoostPriority (256, ... 03152 1168 NtWaitForSingleObject (132, 0, 0x0, ...