Summary (system calls observed, each followed by the number of times it was called):

NtAccessCheck(>) 1 NtReleaseSemaphore(>) 2 NtGdiCreateCompatibleDC(>) 5 NtCreateSection(>) 31
NtAddAtom(>) 1 NtUserCreateWindowEx(>) 2 NtGdiGetStockObject(>) 5 NtUserGetWindowDC(>) 32
NtCallbackReturn(>) 1 NtUserGetAncestor(>) 2 NtQueryInformationProcess(>) 5 NtOpenSection(>) 33
NtDelayExecution(>) 1 NtUserGetClassName(>) 2 NtSetInformationFile(>) 5 NtUserGetClassInfo(>) 39
NtEnumerateValueKey(>) 1 NtUserGetGUIThreadInfo(>) 2 NtUserGetDC(>) 5 NtUserCallOneParam(>) 40
NtFsControlFile(>) 1 NtUserGetIconSize(>) 2 NtWriteFile(>) 5 NtOpenFile(>) 41
NtGdiInit(>) 1 NtUserGetProcessWindowStation(>) 2 NtGdiExtGetObjectW(>) 6 NtUserFindExistingCursorIcon(>) 54
NtGdiQueryFontAssocInfo(>) 1 NtUserRemoveProp(>) 2 NtQueryDefaultUILanguage(>) 6 NtMapViewOfSection(>) 55
NtOpenKeyedEvent(>) 1 NtUserSetCursorIconData(>) 2 NtUserGetObjectInformation(>) 6 NtUserRegisterClassExWOW(>) 65
NtOpenProcess(>) 1 NtUserSetProp(>) 2 NtUserCallNoParam(>) 7 NtQueryAttributesFile(>) 75
NtOpenSymbolicLinkObject(>) 1 NtUserSetWindowPos(>) 2 NtCreateFile(>) 8 NtContinue(>) 84
NtQueryObject(>) 1 NtCreateSemaphore(>) 3 NtCreateMutant(>) 8 NtCreateEvent(>) 98
NtQuerySymbolicLinkObject(>) 1 NtFreeVirtualMemory(>) 3 NtFlushInstructionCache(>) 8 NtOpenKey(>) 117
NtSecureConnectPort(>) 1 NtGdiCreateBitmap(>) 3 NtQueryDebugFilterState(>) 8 NtResumeThread(>) 125
NtSetEvent(>) 1 NtGdiCreatePatternBrushInternal(>) 3 NtOpenProcessTokenEx(>) 9 NtCreateThread(>) 127
NtSetInformationThread(>) 1 NtOpenProcessToken(>) 3 NtOpenThreadTokenEx(>) 9 NtQueryInformationThread(>) 137
NtUserGetIconInfo(>) 1 NtQueryDefaultLocale(>) 3 NtConnectPort(>) 10 NtProtectVirtualMemory(>) 141
NtGdiBitBlt(>) 2 NtSetInformationObject(>) 3 NtGdiDeleteObjectApp(>) 10 NtTestAlert(>) 159
NtGdiCreateCompatibleBitmap(>) 2 NtUserGetThreadDesktop(>) 3 NtQueryInformationFile(>) 11 NtRegisterThreadTerminatePort(>) 163
NtGdiCreateDIBitmapInternal(>) 2 NtUserRegisterWindowMessage(>) 3 NtQueryInformationToken(>) 11 NtRequestWaitReplyPort(>) 167
NtGdiCreateSolidBrush(>) 2 NtGdiDoPalette(>) 4 NtUserSystemParametersInfo(>) 11 NtDuplicateObject(>) 170
NtNotifyChangeKey(>) 2 NtGdiGetDIBitsInternal(>) 4 NtCreateKey(>) 14 NtQueryValueKey(>) 223
NtOpenDirectoryObject(>) 2 NtGdiHfontCreate(>) 4 NtQueryDirectoryFile(>) 14 NtClose(>) 232
NtOpenThreadToken(>) 2 NtGdiStretchDIBitsInternal(>) 4 NtDeviceIoControlFile(>) 16 NtOpenMutant(>) 249
NtQueryEvent(>) 2 NtOpenEvent(>) 4 NtGdiSelectBitmap(>) 17 NtAllocateVirtualMemory(>) 367
NtQueryInstallUILanguage(>) 2 NtQueryVolumeInformationFile(>) 4 NtQuerySection(>) 17 NtSetEventBoostPriority(>) 671
NtQuerySystemTime(>) 2 NtSetValueKey(>) 4 NtUnmapViewOfSection(>) 17 NtWaitForSingleObject(>) 902
NtQueryVirtualMemory(>) 2 NtUserMessageCall(>) 4 NtQuerySystemInformation(>) 30

Trace (one entry per call: sequence number, thread ID, system call with its arguments, returned status):

00001 456 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 456 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 4521984, 2097152, ) == 0x0 00005 456 NtAllocateVirtualMemory (-1, 4521984, 0, 4096, 4096, 4, ... 4521984, 4096, ) == 0x0 00006 456 NtAllocateVirtualMemory (-1, 4526080, 0, 8192, 4096, 4, ... 4526080, 8192, ) == 0x0 00007 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 456 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 456 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 456 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 456 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 456 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 456 NtClose (12, ... 
) == 0x0 00014 456 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 456 NtQueryVolumeInformationFile (12, 2292424, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 456 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292408, ... ) }, 2292408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 456 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 456 NtClose (16, ... ) == 0x0 00021 456 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 456 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 456 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2424832, 18219008}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2424832, 18219008}, {0, 0, 0}, 200, 44, ) == 0x0 00025 456 NtClose (16, ... ) == 0x0 00026 456 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 456 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 456 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 456 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 456 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\26\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\26\1\4\0\0\0" ... {28, 56, reply, 0, 444, 456, 1490, 0} "p,\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\26\1\4\0\0\0" ) ... {28, 56, reply, 0, 444, 456, 1490, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\26\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\26\1\4\0\0\0" ... {28, 56, reply, 0, 444, 456, 1490, 0} "p,\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\26\1\4\0\0\0" ) ) == 0x0 00032 456 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 456 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 456 NtClose (16, ... ) == 0x0 00036 456 NtAllocateVirtualMemory (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0 00037 456 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 456 NtClose (28, ... ) == 0x0 00041 456 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 456 NtClose (28, ... ) == 0x0 00045 456 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 456 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 456 NtClose (28, ... ) == 0x0 00049 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 456 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 456 NtClose (28, ... ) == 0x0 00052 456 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\26\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\26\18\6\0\0" ... 
{28, 56, reply, 0, 444, 456, 1493, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\26\18\6\0\0" ) ... {28, 56, reply, 0, 444, 456, 1493, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\26\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\26\18\6\0\0" ... {28, 56, reply, 0, 444, 456, 1493, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\26\18\6\0\0" ) ) == 0x0 00056 456 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00057 456 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0 00058 456 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00059 456 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 456 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 456 NtClose (28, ... ) == 0x0 00062 456 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 456 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 456 NtClose (28, ... ) == 0x0 00065 456 NtTestAlert (... ) == 0x0 00066 456 NtContinue (2293040, 1, ... 00067 456 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0 00068 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 456 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 456 NtClose (28, ... ) == 0x0 00071 456 NtAllocateVirtualMemory (-1, 4534272, 0, 4096, 4096, 4, ... 
4534272, 4096, ) == 0x0 00072 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00073 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00074 456 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == 0x0 00076 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00077 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00078 456 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00079 456 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00080 456 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00081 456 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00082 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00083 456 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 456 NtClose (40, ... ) == 0x0 00085 456 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00086 456 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
40, ) == 0x0 00087 456 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00088 456 NtClose (40, ... ) == 0x0 00089 456 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00090 456 NtClose (36, ... ) == 0x0 00091 456 NtClose (28, ... ) == 0x0 00092 456 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73d90000), 0x0, 159744, ) == 0x0 00093 456 NtClose (32, ... ) == 0x0 00094 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2288964, ... ) }, 2288964, ... ) == 0x0 00095 456 NtAllocateVirtualMemory (-1, 4538368, 0, 4096, 4096, 4, ... 4538368, 4096, ) == 0x0 00096 456 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00097 456 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 444, 456, 1505, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ... {40, 68, reply, 0, 444, 456, 1505, 0} (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 444, 456, 1505, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00098 456 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 444, 456, 1505, 0} (24, {40, 68, new_msg, 0, 444, 456, 1505, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 444, 456, 1506, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ... 
{40, 68, reply, 0, 444, 456, 1506, 0} (24, {40, 68, new_msg, 0, 444, 456, 1505, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 444, 456, 1506, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00099 456 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 32, ) }, ... 32, ) == 0x0 00100 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00103 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx5"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx6"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx7"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx8"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx9"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx10"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx11"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00110 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx12"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx13"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00112 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx14"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx15"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00114 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx16"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00115 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx17"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx18"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx19"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00118 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx20"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx21"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00120 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx22"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00121 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx23"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00122 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx24"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00123 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx25"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx26"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00125 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx27"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx28"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx29"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx31"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00131 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx33"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx34"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00133 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx35"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00134 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx36"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00135 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx37"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00136 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx38"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00137 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx39"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00138 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx40"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00139 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx41"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx42"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00141 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx43"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx44"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00143 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx45"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00144 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx46"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx47"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00146 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx48"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00147 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx49"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00148 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx50"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00149 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx51"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00150 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00151 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx53"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00152 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx54"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00153 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx55"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx56"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00155 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx57"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00156 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx58"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00157 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx59"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00158 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx60"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00159 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx61"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx62"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00161 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx63"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00162 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx64"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00163 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx65"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx66"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00165 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx67"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00166 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx68"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00167 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx69"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx70"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00169 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx71"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00170 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx72"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00171 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx73"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00172 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx74"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00173 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx75"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx76"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00175 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx77"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx78"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx79"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx80"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx81"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00180 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx82"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx83"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00182 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx84"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00183 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx85"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00185 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx87"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00186 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx88"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00187 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx89"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00188 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx90"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx91"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00190 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx92"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00191 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx93"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx94"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx95"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00194 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx96"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00195 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx97"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00196 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx98"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 456 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx99"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00198 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 6619136, 2097152, ) == 0x0 00199 456 NtAllocateVirtualMemory (-1, 8708096, 0, 8192, 4096, 4, ... 8708096, 8192, ) == 0x0 00200 456 NtProtectVirtualMemory (-1, (0x84e000), 4096, 260, ... (0x84e000), 4096, 4, ) == 0x0 00201 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292500, 2293216, 1, ... 28, {444, 576}, ) == 0x0 00202 456 NtQueryInformationThread (28, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=444,Tid=576,}, 0x0, ) == 0x0 00203 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} "\0\0\0\0\1\0\1\0p#E\0\0\0\0\0\34\0\0\0\274\1\0\0@\2\0\0" ... {28, 56, reply, 0, 444, 456, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\274\1\0\0@\2\0\0" ) ... {28, 56, reply, 0, 444, 456, 1507, 0} (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} "\0\0\0\0\1\0\1\0p#E\0\0\0\0\0\34\0\0\0\274\1\0\0@\2\0\0" ... {28, 56, reply, 0, 444, 456, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\274\1\0\0@\2\0\0" ) ) == 0x0 00204 456 NtResumeThread (28, ... 1, ) == 0x0 00205 576 NtTestAlert (... ) == 0x0 00206 576 NtContinue (8715568, 1, ... 00207 576 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00208 456 NtContinue (2292976, 0, ... 00209 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00210 576 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00211 576 NtClose (36, ... ) == 0x0 00212 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00213 576 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00214 576 NtClose (36, ... ) == 0x0 00215 456 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00216 456 NtCreateEvent (0x100003, 0x0, 1, 0, ... 36, ) == 0x0 00217 456 NtWaitForSingleObject (36, 0, 0x0, ... 00218 576 NtAllocateVirtualMemory (-1, 8704000, 0, 4096, 4096, 260, ... 8704000, 4096, ) == 0x0 00219 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 40, ) }, ... 40, ) == 0x0 00220 576 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00221 576 NtClose (40, ... 
) == 0x0 00222 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 40, ) }, ... 40, ) == 0x0 00223 576 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00224 576 NtClose (40, ... ) == 0x0 00225 576 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 40, ) }, ... 40, ) == 0x0 00226 576 NtQueryValueKey (40, (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00227 576 NtQueryValueKey (40, (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00228 576 NtClose (40, ... ) == 0x0 00229 576 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 40, ) }, ... 40, ) == 0x0 00230 576 NtQueryValueKey (40, (40, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00231 576 NtClose (40, ... ) == 0x0 00232 576 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 40, ) }, ... 40, ) == 0x0 00233 576 NtSetInformationObject (40, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00234 576 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 576 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00236 576 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147343352, 2294988, 0} (24, {28, 56, new_msg, 0, 2, 2147343352, 2294988, 0} "\210\6\26\1\0\0\0\0\314\4#\0\374\207\16\366\3\0\0\0\234\6\26\1$\1\0\0" ... {28, 56, reply, 0, 444, 576, 1508, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\26\1$\1\0\0" ) ... {28, 56, reply, 0, 444, 576, 1508, 0} (24, {28, 56, new_msg, 0, 2, 2147343352, 2294988, 0} "\210\6\26\1\0\0\0\0\314\4#\0\374\207\16\366\3\0\0\0\234\6\26\1$\1\0\0" ... {28, 56, reply, 0, 444, 576, 1508, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\26\1$\1\0\0" ) ) == 0x0 00237 576 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 576 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x850000), 0x0, 1060864, ) == 0x0 00239 576 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0 00240 576 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00241 576 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00242 576 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00243 576 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00244 576 NtClose (-2147482020, ... ) == 0x0 00245 576 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 9830400, 4096, ) == 0x0 00246 576 NtFreeVirtualMemory (-1, (0x960000), 4096, 32768, ... (0x960000), 4096, ) == 0x0 00247 576 NtDuplicateObject (-1, 52, -1, 0x0, 0, 2, ... 
60, ) == 0x0 00248 576 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00249 576 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 576 NtClose (-2147482020, ... ) == 0x0 00251 576 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00252 576 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 576 NtClose (-2147482020, ... ) == 0x0 00254 576 NtQueryDefaultLocale (0, -136050164, ... ) == 0x0 00255 576 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00256 576 NtUserCallNoParam (24, ... ) == 0x0 00257 576 NtGdiCreateCompatibleDC (0, ... 00258 576 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9830400, 4096, ) == 0x0 00257 576 NtGdiCreateCompatibleDC ... ) == 0x100103fb 00259 576 NtGdiGetStockObject (0, ... ) == 0x1900010 00260 576 NtGdiGetStockObject (4, ... ) == 0x1900011 00261 576 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x1405040d 00262 576 NtGdiCreateSolidBrush (0, 0, ... 00263 576 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 13041664, 4096, ) == 0x0 00262 576 NtGdiCreateSolidBrush ... ) == 0x1010042e 00264 576 NtGdiGetStockObject (13, ... ) == 0x18a0021 00265 576 NtGdiCreateCompatibleDC (0, ... ) == 0xd010433 00266 576 NtGdiSelectBitmap (218170419, 335873037, ... ) == 0x185000f 00267 576 NtUserGetThreadDesktop (576, 0, ... ) == 0x38 00268 576 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 64, ) }, ... 
64, ) == 0x0 00269 576 NtQueryValueKey (64, (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00270 576 NtClose (64, ... ) == 0x0 00271 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00272 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 673, 128, 0, ... ) == 0x810cc017 00273 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00274 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 674, 128, 0, ... ) == 0x810cc01c 00275 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00276 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 675, 128, 0, ... ) == 0x810cc01e 00277 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00278 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 676, 128, 0, ... ) == 0x810c8002 00279 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10013 00280 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 677, 128, 0, ... ) == 0x810cc018 00281 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00282 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 678, 128, 0, ... ) == 0x810cc01a 00283 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00284 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 679, 128, 0, ... ) == 0x810cc01d 00285 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00286 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 681, 128, 0, ... ) == 0x810cc026 00287 576 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00288 576 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 680, 128, 0, ... 
) == 0x810cc019 00289 576 NtUserRegisterClassExWOW (8712092, 8712172, 8712156, 8712188, 0, 128, 0, ... 00290 576 NtAllocateVirtualMemory (-1, 9990144, 0, 4096, 4096, 32, ... 9990144, 4096, ) == 0x0 00289 576 NtUserRegisterClassExWOW ... ) == 0x810cc020 00291 576 NtUserRegisterClassExWOW (8712092, 8712168, 8712184, 8712156, 0, 130, 0, ... ) == 0x810cc022 00292 576 NtUserRegisterClassExWOW (8712092, 8712172, 8712156, 8712188, 0, 128, 0, ... ) == 0x810cc023 00293 576 NtUserRegisterClassExWOW (8712092, 8712168, 8712184, 8712156, 0, 130, 0, ... ) == 0x810cc024 00294 576 NtUserRegisterClassExWOW (8712092, 8712172, 8712156, 8712188, 0, 128, 0, ... ) == 0x810cc025 00295 576 NtCallbackReturn (0, 0, 0, ... 00296 576 NtGdiInit (... ) == 0x1 00297 576 NtGdiGetStockObject (18, ... ) == 0x290001c 00298 576 NtGdiGetStockObject (19, ... ) == 0x1b00019 00299 576 NtSetEventBoostPriority (36, ... 00217 456 NtWaitForSingleObject ... ) == 0x0 00300 456 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 13107200, 28672, ) == 0x0 00301 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00302 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2291552, ... }, 2291552, ... 00299 576 NtSetEventBoostPriority ... ) == 0x0 00303 576 NtWaitForSingleObject (36, 0, 0x0, ... 00302 456 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00304 456 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 2291552, ... ) }, 2291552, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 2291552, ... ) }, 2291552, ... ) == 0x0 00306 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 
64, {status=0x0, info=1}, ) == 0x0 00307 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0 00308 456 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00309 456 NtClose (64, ... ) == 0x0 00310 456 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00311 456 NtClose (68, ... ) == 0x0 00312 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 68, ) }, ... 68, ) == 0x0 00313 456 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00314 456 NtClose (68, ... ) == 0x0 00315 456 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00317 456 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 456 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == 0x0 00319 456 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00320 456 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0 00321 456 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00322 456 NtClose (68, ... ) == 0x0 00323 456 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00324 456 NtClose (64, ... ) == 0x0 00325 456 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00326 456 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 13172736, 65536, ) == 0x0 00327 456 NtAllocateVirtualMemory (-1, 13172736, 0, 4096, 4096, 4, ... 13172736, 4096, ) == 0x0 00328 456 NtAllocateVirtualMemory (-1, 13176832, 0, 8192, 4096, 4, ... 13176832, 8192, ) == 0x0 00329 456 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 64, ) }, ... 64, ) == 0x0 00330 456 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xca0000), 0x0, 12288, ) == 0x0 00331 456 NtClose (64, ... ) == 0x0 00332 456 NtAllocateVirtualMemory (-1, 13185024, 0, 4096, 4096, 4, ... 13185024, 4096, ) == 0x0 00333 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00334 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00335 456 NtSetEventBoostPriority (36, ... 00303 576 NtWaitForSingleObject ... ) == 0x0 00336 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00337 576 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00338 576 NtClose (64, ... ) == 0x0 00339 576 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00340 576 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00335 456 NtSetEventBoostPriority ... ) == 0x0 00341 576 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0 00342 576 NtQueryValueKey (64, (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00343 576 NtClose (64, ... ) == 0x0 00344 576 NtAllocateVirtualMemory (-1, 4542464, 0, 4096, 4096, 4, ... 4542464, 4096, ) == 0x0 00345 576 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00346 576 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00347 456 NtWaitForSingleObject (36, 0, 0x0, ... 00348 576 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00349 576 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00350 576 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0 00351 576 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00352 576 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00353 576 NtQueryValueKey (64, (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00354 576 NtClose (64, ... ) == 0x0 00355 576 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0 00356 576 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00357 576 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00358 576 NtClose (64, ... ) == 0x0 00359 576 NtOpenEvent (0x1f0003, {24, 32, 0x0, 0, 0, (0x1f0003, {24, 32, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00360 576 NtSetEventBoostPriority (36, ... 00347 456 NtWaitForSingleObject ... ) == 0x0 00361 456 NtFreeVirtualMemory (-1, (0xc80000), 0, 32768, ... (0xc80000), 28672, ) == 0x0 00362 456 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00363 456 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00364 456 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
3276800, 65536, ) == 0x0 00365 456 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 00360 576 NtSetEventBoostPriority ... ) == 0x0 00366 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00367 576 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00368 576 NtClose (64, ... ) == 0x0 00369 576 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00370 576 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00365 456 NtAllocateVirtualMemory ... 3276800, 4096, ) == 0x0 00371 456 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00372 456 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13303808, 1048576, ) == 0x0 00373 456 NtAllocateVirtualMemory (-1, 13303808, 0, 32768, 4096, 4, ... 13303808, 32768, ) == 0x0 00374 456 NtWaitForSingleObject (36, 0, 0x0, ... 00375 576 NtOpenKey (0x9, {24, 40, 0x40, 0, 0, (0x9, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00376 576 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00377 576 NtSetEventBoostPriority (36, ... 00374 456 NtWaitForSingleObject ... ) == 0x0 00378 456 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "Jobaka3"}, 0, ... 64, ) }, 0, ... 64, ) == 0x0 00379 456 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 68, ) }, ... 68, ) == 0x0 00380 456 NtQueryValueKey (68, (68, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (68, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00381 456 NtQueryValueKey (68, (68, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00377 576 NtSetEventBoostPriority ... ) == 0x0 00382 456 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0 00383 456 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Protocol_Catalog9"}, ... 76, ) }, ... 76, ) == 0x0 00384 456 NtQueryValueKey (76, (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00385 456 NtNotifyChangeKey (76, 72, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00386 456 NtQueryValueKey (76, (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00387 456 NtOpenKey (0x2000000, {24, 76, 0x40, 0, 0, (0x2000000, {24, 76, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00388 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00389 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 8713816, ... }, 8713816, ... 00390 456 NtQueryValueKey (76, (76, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Next_Catalog_Entry_ID", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00391 456 NtQueryValueKey (76, (76, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00392 456 NtOpenKey (0x2000000, {24, 76, 0x40, 0, 0, (0x2000000, {24, 76, 0x40, 0, 0, "Catalog_Entries"}, ... 80, ) }, ... 80, ) == 0x0 00393 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000001"}, ... 84, ) }, ... 84, ) == 0x0 00394 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00395 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00396 456 NtAllocateVirtualMemory (-1, 4546560, 0, 4096, 4096, 4, ... 4546560, 4096, ) == 0x0 00397 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\205\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\216\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\0\0\0\0\30\0\0\0\14\0\0\0\244\366\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\16\0\314 E\0\0\0\0\0s\0f\0c\0.\0d\0l\0l\0w\0X\366\204\0\217\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\217\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\220\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\221\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\205\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\216\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\0\0\0\0\30\0\0\0\14\0\0\0\244\366\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\16\0\314 E\0\0\0\0\0s\0f\0c\0.\0d\0l\0l\0w\0X\366\204\0\217\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\217\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\220\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\221\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\220\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\221\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\205\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\216\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\0\0\0\0\30\0\0\0\14\0\0\0\244\366\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\16\0\314 
E\0\0\0\0\0s\0f\0c\0.\0d\0l\0l\0w\0X\366\204\0\217\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\217\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\220\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\221\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00389 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00398 576 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc.dll"}, 8713816, ... }, 8713816, ... 00399 456 NtClose (84, ... ) == 0x0 00400 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000002"}, ... 84, ) }, ... 84, ) == 0x0 00401 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00402 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00403 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\224\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\224\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\225\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\226\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\226\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\224\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\224\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\225\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\226\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\226\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\225\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\226\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\224\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\224\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\225\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\226\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\226\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00404 456 NtClose (84, ... ) == 0x0 00405 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000003"}, ... 84, ) }, ... 84, ) == 0x0 00406 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00407 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00408 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\231\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\231\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\232\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\216\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\233\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0p\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\244\366\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\0\32\2\240 E\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0f\0c\0.\0d\0l\0l\0r\0X\366\204\0\233\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\231\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\231\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\232\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\216\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\233\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0p\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\244\366\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\0\32\2\240 E\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0f\0c\0.\0d\0l\0l\0r\0X\366\204\0\233\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\232\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\216\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\233\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0p\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\244\366\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\0\32\2\240 E\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0s\0f\0c\0.\0d\0l\0l\0r\0X\366\204\0\233\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"}, 900, ) == 0x0 00409 456 NtClose (84, ... ) == 0x0 00410 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000004"}, ... 84, ) }, ... 84, ) == 0x0 00398 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00411 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 8713816, ... ) }, 8713816, ... ) == 0x0 00412 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00413 576 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0 00414 576 NtQuerySection (92, Image, 48, ... 00415 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00416 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00417 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\242\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\242\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\243\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\244\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\244\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\274\1\0\0@\2\0\0w\0\0\0\1\0\1\0\0\0\0\0D\0\0\0\0\0\0\0\1\0\0\00\0\0\0\0\0\273v\0\0\0\0\0\0\4\0\0\20\0\0\3\0\0\0\12\0\4\0\0\0\0\0\16!\0\0L\1\1\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\242\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\242\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\243\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\244\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\244\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\274\1\0\0@\2\0\0w\0\0\0\1\0\1\0\0\0\0\0D\0\0\0\0\0\0\0\1\0\0\00\0\0\0\0\0\273v\0\0\0\0\0\0\4\0\0\20\0\0\3\0\0\0\12\0\4\0\0\0\0\0\16!\0\0L\1\1\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\243\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\244\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\242\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\242\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\243\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\243\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\244\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\244\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\274\1\0\0@\2\0\0w\0\0\0\1\0\1\0\0\0\0\0D\0\0\0\0\0\0\0\1\0\0\00\0\0\0\0\0\273v\0\0\0\0\0\0\4\0\0\20\0\0\3\0\0\0\12\0\4\0\0\0\0\0\16!\0\0L\1\1\0"}, 900, ) }, 900, ) == 0x0 00418 456 NtClose (84, ... ) == 0x0 00419 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000005"}, ... 84, ) }, ... 84, ) == 0x0 00420 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00414 576 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 00421 576 NtClose (88, ... ) == 0x0 00422 576 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0 00423 576 NtClose (92, ... ) == 0x0 00424 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00425 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 8713012, ... }, 8713012, ... 00426 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00427 456 NtAllocateVirtualMemory (-1, 4550656, 0, 4096, 4096, 4, ... 4550656, 4096, ) == 0x0 00428 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\255\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\255\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\256\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\257\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\257\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\255\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\255\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\256\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\257\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\257\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\256\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\257\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\255\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\255\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\256\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\256\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\257\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\257\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\260\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00429 456 NtClose (84, ... ) == 0x0 00430 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000006"}, ... 84, ) }, ... 84, ) == 0x0 00431 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00432 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00433 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\262\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\262\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\263\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\264\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\264\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\262\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\262\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\263\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\264\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\264\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\263\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\264\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\262\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\262\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\263\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\263\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\264\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\264\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\265\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00434 456 NtClose (84, ... ) == 0x0 00435 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000007"}, ... 84, ) }, ... 84, ) == 0x0 00436 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00437 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00438 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\267\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\267\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\270\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\271\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\271\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\267\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\267\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\270\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\271\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\271\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\270\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\271\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\267\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\267\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\270\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\270\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\271\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\271\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\272\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00439 456 NtClose (84, ... ) == 0x0 00440 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000008"}, ... 84, ) }, ... 84, ) == 0x0 00441 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00442 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00443 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\251\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\274\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0D\0\0\0\0\0\0\0\30\0\0\0\14\0\0\0\200\363\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\24\0\314 E\0\0\0\0\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\04\363\204\0\275\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\275\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\276\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\277\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\251\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\274\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0D\0\0\0\0\0\0\0\30\0\0\0\14\0\0\0\200\363\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\24\0\314 E\0\0\0\0\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\04\363\204\0\275\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\275\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\276\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\277\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\276\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\277\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\251\1\0\0\274\1\0\0@\2\0\0c\0\0\0\1\0\1\04\0\0\300\0\0\0\0\274\1\0\0\274\1\0\0@\2\0\0c\0\0\0\0\0\1\0\0\0\0\0D\0\0\0\0\0\0\0\30\0\0\0\14\0\0\0\200\363\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\0\24\0\314 
E\0\0\0\0\0s\0f\0c\0_\0o\0s\0.\0d\0l\0l\04\363\204\0\275\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\275\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\276\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\276\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\277\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0"}, 900, ) }, 900, ) == 0x0 00425 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00444 576 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 8713012, ... }, 8713012, ... 00445 456 NtClose (84, ... ) == 0x0 00446 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000009"}, ... 84, ) }, ... 84, ) == 0x0 00447 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00448 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00449 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\302\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\302\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\303\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\304\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\304\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\305\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\302\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\302\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\303\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\304\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\304\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\305\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\303\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\304\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\302\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\302\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\303\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\303\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\304\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\304\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\305\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00450 456 NtClose (84, ... ) == 0x0 00451 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000010"}, ... 84, ) }, ... 84, ) == 0x0 00452 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00453 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00454 456 NtAllocateVirtualMemory (-1, 4554752, 0, 4096, 4096, 4, ... 4554752, 4096, ) == 0x0 00455 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\310\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\310\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\311\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\311\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\312\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\312\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\313\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\310\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\310\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\311\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\311\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\312\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\312\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\313\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\311\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\312\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0 (84, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\310\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\310\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\311\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0P\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0XWE\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\311\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0T\0\0\0\312\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\312\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\313\1\0\0\274\1\0\0\310\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0T\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00456 456 NtClose (84, ... ) == 0x0 00457 456 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "000000000011"}, ... 84, ) }, ... 84, ) == 0x0 00458 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00459 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00444 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00460 456 NtQueryValueKey (84, (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\315\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\315\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\316\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\316\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\274\1\0\0\310\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\317\1\0\0\274\1\0\0\310\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\320\1\0\0\274\1\0\0\310\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\320\1\0\0\274\1\0\0\310\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\321\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0D\0\0\0\214\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0(VE\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (84, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\315\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0T\0\0\0\315\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\316\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0P\0\0\0\316\1\0\0\274\1\0\0\310\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\1\0\0\274\1\0\0\310\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\317\1\0\0\274\1\0\0\310\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\320\1\0\0\274\1\0\0\310\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\320\1\0\0\274\1\0\0\310\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0P\0\0\0\321\1\0\0\274\1\0\0\310\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0D\0\0\0\214\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0(VE\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0(VE\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00461 456 
NtClose (84, ... ) == 0x0 00462 456 NtClose (80, ... ) == 0x0 00463 456 NtWaitForSingleObject (72, 0, {0, 0}, ... ) == 0x102 00464 456 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0 00465 456 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "NameSpace_Catalog5"}, ... }, ... 00466 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 8713012, ... ) }, 8713012, ... ) == 0x0 00467 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00468 576 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 84, ... 92, ) == 0x0 00469 576 NtQuerySection (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00470 576 NtClose (84, ... ) == 0x0 00471 576 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0 00465 456 NtOpenKey ... 84, ) == 0x0 00472 456 NtQueryValueKey (84, (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00473 456 NtNotifyChangeKey (84, 80, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00474 456 NtQueryValueKey (84, (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00475 456 NtOpenKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00476 456 NtQueryValueKey (84, (84, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (84, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00477 456 NtOpenKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Catalog_Entries"}, ... }, ... 00478 576 NtClose (92, ... ) == 0x0 00479 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00480 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 8712208, ... }, 8712208, ... 00477 456 NtOpenKey ... 92, ) == 0x0 00481 456 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000001"}, ... 88, ) }, ... 88, ) == 0x0 00482 456 NtQueryValueKey (88, (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00483 456 NtQueryValueKey (88, (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00484 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00485 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00486 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00487 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00488 456 NtQueryValueKey (88, (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00489 456 NtQueryValueKey (88, (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00490 456 NtQueryValueKey (88, (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00491 456 NtQueryValueKey (88, (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00492 456 NtQueryValueKey (88, (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00493 456 NtQueryValueKey (88, (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00494 456 NtClose (88, ... ) == 0x0 00495 456 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000002"}, ... }, ... 00480 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00496 576 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 8712208, ... }, 8712208, ... 00495 456 NtOpenKey ... 88, ) == 0x0 00497 456 NtQueryValueKey (88, (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00498 456 NtQueryValueKey (88, (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00499 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00500 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00501 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00502 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00503 456 NtQueryValueKey (88, (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00504 456 NtQueryValueKey (88, (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00505 456 NtQueryValueKey (88, (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00506 456 NtQueryValueKey (88, (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00507 456 NtQueryValueKey (88, (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00508 456 NtQueryValueKey (88, (88, "StoresServiceClassInfo", Partial, 144, ... , Partial, 144, ... 00496 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00509 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 8712208, ... ) }, 8712208, ... ) == 0x0 00510 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00511 576 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00512 576 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00513 576 NtClose (96, ... ) == 0x0 00514 576 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00508 456 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00515 456 NtClose (88, ... ) == 0x0 00516 456 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000003"}, ... 88, ) }, ... 88, ) == 0x0 00517 456 NtQueryValueKey (88, (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00518 456 NtQueryValueKey (88, (88, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00519 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00520 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... , Partial, 144, ... 00514 576 NtMapViewOfSection ... (0x76c30000), 0x0, 176128, ) == 0x0 00521 576 NtClose (100, ... ) == 0x0 00522 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 100, ) }, ... 100, ) == 0x0 00523 576 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00524 576 NtClose (100, ... ) == 0x0 00525 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 100, ) }, ... 100, ) == 0x0 00526 576 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00520 456 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00527 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00528 456 NtQueryValueKey (88, (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00529 456 NtQueryValueKey (88, (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00530 456 NtQueryValueKey (88, (88, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00531 456 NtQueryValueKey (88, (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00532 456 NtQueryValueKey (88, (88, "Enabled", Partial, 144, ... , Partial, 144, ... 00526 576 NtMapViewOfSection ... (0x762a0000), 0x0, 61440, ) == 0x0 00533 576 NtClose (100, ... ) == 0x0 00534 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 100, ) }, ... 100, ) == 0x0 00535 576 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0 00536 576 NtClose (100, ... 
) == 0x0 00537 576 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00538 576 NtAllocateVirtualMemory (-1, 4558848, 0, 4096, 4096, 4, ... 00532 456 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00539 456 NtQueryValueKey (88, (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00540 456 NtQueryValueKey (88, (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00541 456 NtClose (88, ... ) == 0x0 00542 456 NtClose (92, ... ) == 0x0 00543 456 NtWaitForSingleObject (80, 0, {0, 0}, ... ) == 0x102 00538 576 NtAllocateVirtualMemory ... 4558848, 4096, ) == 0x0 00544 576 NtAllocateVirtualMemory (-1, 4562944, 0, 4096, 4096, 4, ... 4562944, 4096, ) == 0x0 00545 576 NtAllocateVirtualMemory (-1, 4567040, 0, 4096, 4096, 4, ... 4567040, 4096, ) == 0x0 00546 576 NtAllocateVirtualMemory (-1, 4571136, 0, 4096, 4096, 4, ... 4571136, 4096, ) == 0x0 00547 576 NtCreateEvent (0x1f0003, {24, 32, 0x80, 8713948, 0, (0x1f0003, {24, 32, 0x80, 8713948, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00548 576 NtOpenEvent (0x100000, {24, 32, 0x0, 0, 0, (0x100000, {24, 32, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0 00549 576 NtQuerySystemInformation (Basic, 44, ... 00550 456 NtClose (68, ... ) == 0x0 00551 456 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00552 456 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00553 456 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 68, ) }, ... 68, ) == 0x0 00554 456 NtQueryValueKey (68, (68, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00555 456 NtClose (68, ... ) == 0x0 00549 576 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00556 576 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14352384, 262144, ) == 0x0 00557 576 NtAllocateVirtualMemory (-1, 14352384, 0, 4096, 4096, 4, ... 14352384, 4096, ) == 0x0 00558 576 NtAllocateVirtualMemory (-1, 14356480, 0, 8192, 4096, 4, ... 14356480, 8192, ) == 0x0 00559 576 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00560 576 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14614528, 1048576, ) == 0x0 00561 576 NtAllocateVirtualMemory (-1, 14614528, 0, 1048576, 4096, 4, ... 00562 456 NtAllocateVirtualMemory (-1, 4575232, 0, 4096, 4096, 4, ... 4575232, 4096, ) == 0x0 00563 456 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
68, ) == 0x0 00564 456 NtWaitForSingleObject (36, 0, 0x0, ... 00561 576 NtAllocateVirtualMemory ... 14614528, 1048576, ) == 0x0 00565 576 NtCreateMutant (0x1f0001, 0x0, 0, ... 88, ) == 0x0 00566 576 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 100, ) == 0x0 00567 576 NtCreateMutant (0x1f0001, 0x0, 0, ... 96, ) == 0x0 00568 576 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 104, ) == 0x0 00569 576 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 108, ) == 0x0 00570 576 NtSetEvent (108, ... 0x0, ) == 0x0 00571 576 NtSetEventBoostPriority (36, ... 00564 456 NtWaitForSingleObject ... ) == 0x0 00572 456 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2290256, (0x80100080, {24, 0, 0x40, 0, 2290256, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 00571 576 NtSetEventBoostPriority ... ) == 0x0 00573 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 112, ) }, ... 112, ) == 0x0 00574 576 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00575 576 NtClose (112, ... ) == 0x0 00576 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 112, ) }, ... 112, ) == 0x0 00577 576 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00578 576 NtClose (112, ... ) == 0x0 00579 576 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00580 576 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SYSTEM\Setup"}, ... 112, ) }, ... 112, ) == 0x0 00581 576 NtQueryValueKey (112, (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00582 576 NtClose (112, ... 
) == 0x0 00583 576 NtQueryDefaultUILanguage (8712172, ... 00584 576 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00585 576 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00586 576 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00587 576 NtClose (-2147482020, ... ) == 0x0 00588 576 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00589 576 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00590 576 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00591 576 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00592 576 NtClose (-2147482032, ... ) == 0x0 00593 576 NtClose (-2147482020, ... ) == 0x0 00583 576 NtQueryDefaultUILanguage ... ) == 0x0 00594 576 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 576 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00596 576 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 112, {status=0x0, info=1}, ) }, 1, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00597 576 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 112, ... 116, ) == 0x0 00598 576 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0xef0000), 0x0, 8323072, ) == 0x0 00599 576 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00600 576 NtQueryDefaultUILanguage (2013024600, ... 00601 576 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00602 576 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00603 576 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00604 576 NtClose (-2147482020, ... ) == 0x0 00605 576 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00606 576 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00607 576 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00608 576 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00609 576 NtClose (-2147482032, ... ) == 0x0 00610 576 NtClose (-2147482020, ... ) == 0x0 00600 576 NtQueryDefaultUILanguage ... ) == 0x0 00611 576 NtAllocateVirtualMemory (-1, 8699904, 0, 4096, 4096, 260, ... 8699904, 4096, ) == 0x0 00612 576 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00613 576 NtQueryDefaultLocale (1, 8710208, ... ) == 0x0 00614 576 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00615 576 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 8711064, 1, 96, 0} (24, {128, 156, new_msg, 0, 8711064, 1, 96, 0} "\210\6\26\1\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1p\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\230\362\204\0\0\0\0\0" ... {128, 156, reply, 0, 444, 576, 1509, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1p\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\230\362\204\0\0\0\0\0" ) ... {128, 156, reply, 0, 444, 576, 1509, 0} (24, {128, 156, new_msg, 0, 8711064, 1, 96, 0} "\210\6\26\1\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1p\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\230\362\204\0\0\0\0\0" ... {128, 156, reply, 0, 444, 576, 1509, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\26\1p\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\26\1\0\0\0\0\0\0\0\0\230\362\204\0\0\0\0\0" ) ) == 0x0 00616 576 NtClose (112, ... ) == 0x0 00617 576 NtClose (116, ... ) == 0x0 00618 576 NtUnmapViewOfSection (-1, 0xef0000, ... 00572 456 NtCreateFile ... 116, {status=0x0, info=1}, ) == 0x0 00619 456 NtQueryInformationFile (116, 2291192, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00620 456 NtQueryInformationFile (116, 2291164, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00621 456 NtQueryInformationFile (116, 2291116, 40, Basic, ... 00618 576 NtUnmapViewOfSection ... 
) == 0x0 00622 576 NtUnmapViewOfSection (-1, 0x84f298, ... ) == STATUS_NOT_MAPPED_VIEW 00623 576 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00624 576 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00625 576 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00626 576 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00627 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 8709292, ... }, 8709292, ... 00621 456 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 00628 456 NtAllocateVirtualMemory (-1, 4579328, 0, 8192, 4096, 4, ... 4579328, 8192, ) == 0x0 00629 456 NtQueryInformationFile (116, 4579144, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00630 456 NtQueryInformationFile (116, 2289660, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00631 456 NtQueryInformationFile (116, 2289504, 4, Ea, ... 00627 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00632 576 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00633 576 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00634 576 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00635 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 8709884, ... ) }, 8709884, ... ) == 0x0 00636 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 112, {status=0x0, info=1}, ) }, 3, 33, ... 112, {status=0x0, info=1}, ) == 0x0 00637 576 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00638 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00639 576 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 120, ... 124, ) == 0x0 00640 576 NtClose (120, ... ) == 0x0 00641 576 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xef0000), 0x0, 921600, ) == 0x0 00642 576 NtClose (124, ... ) == 0x0 00643 576 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00644 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0 00645 576 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 124, ... 120, ) == 0x0 00646 576 NtQuerySection (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00647 576 NtClose (124, ... ) == 0x0 00648 576 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00649 576 NtClose (120, ... ) == 0x0 00650 576 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00651 576 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00652 576 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00653 576 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00654 576 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00655 576 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00656 576 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00657 576 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00658 576 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00659 576 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00660 576 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00661 576 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00662 576 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00663 576 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00664 576 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00665 576 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00666 576 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00667 576 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00668 576 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00669 576 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00670 576 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00671 576 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 8711068, ... ) , 42, 8711068, ... ) == 0x0 00672 576 NtQueryDefaultUILanguage (8709784, ... 00673 576 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 00631 456 NtQueryInformationFile ... {status=0x0, info=4}, ) == 0x0 00674 456 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 2289512, (0x40110080, {24, 0, 0x40, 0, 2289512, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00675 456 NtClose (-2147482020, ... ) == 0x0 00674 456 NtCreateFile ... 120, {status=0x0, info=2}, ) == 0x0 00676 456 NtQueryVolumeInformationFile (120, 2288884, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 00677 456 NtQueryInformationFile (120, 2288844, 40, Basic, ... 00673 576 NtOpenThreadTokenEx ... 
) == STATUS_NO_TOKEN 00678 576 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00679 576 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00680 576 NtClose (-2147482020, ... ) == 0x0 00681 576 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00682 576 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00683 576 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... }, ... 00677 456 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 00684 456 NtQueryVolumeInformationFile (116, 2288884, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00685 456 NtQueryVolumeInformationFile (116, 2288568, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00683 576 NtOpenKey ... -2147482032, ) == 0x0 00686 576 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00687 576 NtClose (-2147482032, ... ) == 0x0 00688 576 NtClose (-2147482020, ... 00689 456 NtSetInformationFile (120, 2288672, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00690 456 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 116, ... 00688 576 NtClose ... ) == 0x0 00672 576 NtQueryDefaultUILanguage ... ) == 0x0 00691 576 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00692 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 8708636, ... ) }, 8708636, ... ) == 0x0 00690 456 NtCreateSection ... 
124, ) == 0x0 00693 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00694 576 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0 00695 576 NtClose (128, ... ) == 0x0 00696 576 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xef0000), 0x0, 4096, ) == 0x0 00697 576 NtClose (132, ... ) == 0x0 00698 576 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00699 456 NtMapViewOfSection (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xef0000), {0, 0}, 131072, ) == 0x0 00700 456 NtClose (124, ... ) == 0x0 00702 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 8708276, ... ) }, 8708276, ... ) == 0x0 00701 456 NtWriteFile (120, 0, 0, 0, (120, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\6\0\204\214\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\10\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\2\0\4\0\0\0\0\0\0\0x\333\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... 
\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\2\0\4\0\0\0\0\0\0\0x\333\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... 00703 576 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 8708976, (0x80100080, {24, 0, 0x40, 0, 8708976, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... }, 0x0, 0, 5, 1, 96, 0, 0, ... 00701 456 NtWriteFile ... {status=0x0, info=61440}, ) == 0x0 00704 456 NtWriteFile (120, 0, 0, 0, (120, 0, 0, 0, "V\314\313\3137s<7r,1 w5\227\365\364;7s8\275s<\277k<\277{8\277#\334u\314\313\3137s07r\01\225%73\275s8\277k8\277;\277c0\334\324\303\313\3137s<7r<1\217\346\343\36\365\364;7s8\275s<\277k<\277{8\277#\334\213\303\313\3137s07r\201\245\347\262\337\365\364!7s<\275s0\225\\1775$53\225X\1775$5s0\225D\1775$5s<\225@\1775$5s8Ui\7\364\366<4m\265\3304$44\314$44\2610\20\114$44G\337\35\360\2610\20e\367ml\267\3647\365\3346\365\3246\114$44H*\275\326d\3570\20\2758\20\3570\20\334\364\313\313\313\275\340f\357(\20\2778\20\357(\20l\35\360\275\324\36344444ee\36744\5\364t\3668444d\355\10\20\2770\20;\216\0\20, 61440, 0x0, 0, ... , 61440, 0x0, 0, ... 00703 576 NtCreateFile ... 124, {status=0x0, info=1}, ) == 0x0 00705 576 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 124, ... 132, ) == 0x0 00706 576 NtClose (124, ... ) == 0x0 00707 576 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xf10000), {0, 0}, 4096, ) == 0x0 00708 576 NtClose (132, ... ) == 0x0 00709 576 NtUnmapViewOfSection (-1, 0xf10000, ... 
) == 0x0 00710 576 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... }, 1, 96, ... 00704 456 NtWriteFile ... {status=0x0, info=61440}, ) == 0x0 00711 456 NtWriteFile (120, 0, 0, 0, (120, 0, 0, 0, "0OD\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0%s\0\0w\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\6\0\0\0\2\0\0\0\5\0\0\0\4\0\0\0\6\0\0\0\6\0\0\0\1\0\0\0\7\0\0\0\10\0\0\0\3\0\0\0\11\0\0\0\2\0\0\0\7\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\6\0\0\0\2\0\0\0\3\0\0\0\1\0\0\0\11\0\0\0\1\0\0\0\4\0\0\0\1\0\0\0\7\0\0\0\7\0\0\0\6\0\0\0\3\0\0\0\10\0\0\0\6\0\0\0\6\0\0\0\5\0\0\0\10\0\0\0\3\0\0\0\5\0\0\0\5\0\0\0\6\0\0\0\11\0\0\0\10\0\0\0\3\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\11\0\0\0\6\0\0\0\2\0\0\0\6\0\0\0\10\0\0\0\7\0\0\0\11\0\0\0\11\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\1\0\0\0\2\0\0\0\7\0\0\0\4\0\0\0\5\0\0\0\4\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\11\0\0\0\2\0\0\0\6\0\0\0\3\0\0\0\7\0\0\0\2\0\0\0\5\0\0\0\7\0\0\0\4\0\0\0\5\0\0\0\11\0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\6\0\0\0\7\0\0\0\2\0\0\0\11\0\0\0\1\0\0\0\3\0\0\0\4\0\0\0\1\0\0\0\10\0\0\0\3\0\0\0", 7168, 0x0, 0, ... {status=0x0, info=7168}, ) , 7168, 0x0, 0, ... {status=0x0, info=7168}, ) == 0x0 00712 456 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00713 456 NtSetInformationFile (120, 2291116, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00714 456 NtClose (116, ... 00710 576 NtOpenFile ... 132, {status=0x0, info=1}, ) == 0x0 00715 576 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 132, ... 124, ) == 0x0 00716 576 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xef0000), 0x0, 4096, ) == 0x0 00717 576 NtQueryInformationFile (132, 8708596, 56, NetworkOpen, ... 
{status=0x0, info=56}, ) == 0x0 00718 576 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00719 576 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 8708676, 1, 96, 0} (24, {128, 156, new_msg, 0, 8708676, 1, 96, 0} "\210\6\26\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\26\1\204\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\26\1\0\0\0\0\0\0\0\0D\351\204\0\0\0\0\0" ... {128, 156, reply, 0, 444, 576, 1510, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\26\1\204\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\26\1\0\0\0\0\0\0\0\0D\351\204\0\0\0\0\0" ) ... {128, 156, reply, 0, 444, 576, 1510, 0} (24, {128, 156, new_msg, 0, 8708676, 1, 96, 0} "\210\6\26\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\26\1\204\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\26\1\0\0\0\0\0\0\0\0D\351\204\0\0\0\0\0" ... {128, 156, reply, 0, 444, 576, 1510, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\26\1\204\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\26\1\0\0\0\0\0\0\0\0D\351\204\0\0\0\0\0" ) ) == 0x0 00720 576 NtClose (132, ... ) == 0x0 00721 576 NtClose (124, ... ) == 0x0 00722 576 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00723 576 NtUnmapViewOfSection (-1, 0x84e944, ... ) == STATUS_NOT_MAPPED_VIEW 00724 576 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00725 576 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... 
) == 0xc03a 00726 576 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00727 576 NtUserGetDC (0, ... ) == 0x1010053 00728 576 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00729 576 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00730 576 NtUserSystemParametersInfo (66, 12, 8711088, 0, ... ) == 0x1 00731 576 NtOpenProcessToken (-1, 0x8, ... 124, ) == 0x0 00732 576 NtAccessCheck (4583720, 124, 0x1, 8710492, 8710436, 56, 8710520, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00733 576 NtClose (124, ... ) == 0x0 00734 576 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00735 576 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 00736 576 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00737 576 NtClose (124, ... ) == 0x0 00738 576 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 124, ) }, ... 124, ) == 0x0 00739 576 NtSetInformationObject (124, Handle, {Inherit=0,ProtectFromClose=1,}, 8651008, ... ) == 0x0 00740 576 NtOpenKey (0x20019, {24, 124, 0x40, 0, 0, (0x20019, {24, 124, 0x40, 0, 0, "Control Panel\Desktop"}, ... 132, ) }, ... 132, ) == 0x0 00741 576 NtQueryValueKey (132, (132, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00742 576 NtClose (132, ... ) == 0x0 00743 576 NtUserSystemParametersInfo (41, 500, 8710588, 0, ... ) == 0x1 00744 576 NtOpenKey (0x1, {24, 124, 0x40, 0, 0, (0x1, {24, 124, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 132, ) }, ... 132, ) == 0x0 00745 576 NtQueryValueKey (132, (132, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00746 576 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 116, ) }, ... 
116, ) == 0x0 00747 576 NtQueryValueKey (116, (116, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00748 576 NtClose (116, ... ) == 0x0 00749 576 NtClose (132, ... ) == 0x0 00750 576 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00751 576 NtUserSystemParametersInfo (4130, 0, 8711112, 0, ... ) == 0x1 00752 576 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 132, ) }, ... 132, ) == 0x0 00753 576 NtEnumerateValueKey (132, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00754 576 NtClose (132, ... ) == 0x0 00755 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00756 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc03b 00757 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc03d 00758 576 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00759 576 NtUserRegisterClassExWOW (8710844, 8710924, 8710908, 8710940, 0, 384, 0, ... ) == 0x810cc03f 00760 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00761 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc041 00762 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00763 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc043 00764 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc045 00765 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00766 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc047 00767 576 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00768 576 NtUserRegisterClassExWOW (8710844, 8710924, 8710908, 8710940, 0, 384, 0, ... 
) == 0x810cc049 00769 576 NtUserGetClassInfo (1905590272, 8711008, 8710960, 8711036, 0, ... ) == 0xc049 00770 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00771 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc04b 00772 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00773 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc04d 00774 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00775 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc04f 00776 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc051 00777 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00778 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc053 00779 576 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00780 576 NtUserRegisterClassExWOW (8710844, 8710924, 8710908, 8710940, 0, 384, 0, ... ) == 0x810cc055 00781 576 NtUserRegisterClassExWOW (8710844, 8710924, 8710908, 8710940, 0, 384, 0, ... ) == 0x810cc057 00782 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00783 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc059 00784 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10013 00785 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc05b 00786 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00787 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc05d 00788 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00789 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... 
) == 0x810cc05f 00790 576 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00791 576 NtUserRegisterClassExWOW (8710844, 8710924, 8710908, 8710940, 0, 384, 0, ... ) == 0x810cc017 00792 576 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00793 576 NtUserRegisterClassExWOW (8710844, 8710924, 8710908, 8710940, 0, 384, 0, ... ) == 0x810cc019 00794 576 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10013 00795 576 NtUserRegisterClassExWOW (8710844, 8710924, 8710908, 8710940, 0, 384, 0, ... ) == 0x810cc018 00796 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00797 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc01a 00798 576 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00799 576 NtUserRegisterClassExWOW (8710844, 8710924, 8710908, 8710940, 0, 384, 0, ... ) == 0x810cc01c 00800 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00801 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... 00802 576 NtAllocateVirtualMemory (-1, 9994240, 0, 4096, 4096, 32, ... 9994240, 4096, ) == 0x0 00801 576 NtUserRegisterClassExWOW ... ) == 0x810cc01e 00803 576 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00804 576 NtUserRegisterClassExWOW (8710904, 8710984, 8710968, 8711000, 0, 384, 0, ... ) == 0x810cc01b 00805 576 NtUserFindExistingCursorIcon (8710388, 8710404, 8710972, ... ) == 0x10011 00806 576 NtUserRegisterClassExWOW (8710900, 8710980, 8710964, 8710996, 0, 384, 0, ... ) == 0x810cc068 00807 576 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00808 576 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc06a 00809 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 132, ) }, ... 
132, ) == 0x0 00810 576 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00811 576 NtClose (132, ... ) == 0x0 00812 576 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {444, 0}, ... 132, ) == 0x0 00813 576 NtQueryInformationProcess (132, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00814 576 NtClose (132, ... ) == 0x0 00815 576 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00816 576 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00817 576 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00818 576 NtOpenKey (0x20019, {24, 124, 0x40, 0, 0, (0x20019, {24, 124, 0x40, 0, 0, "Control Panel\Desktop"}, ... 132, ) }, ... 132, ) == 0x0 00819 576 NtQueryValueKey (132, (132, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00820 576 NtClose (132, ... ) == 0x0 00821 576 NtUserSystemParametersInfo (41, 500, 8711748, 0, ... ) == 0x1 00822 576 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00823 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00824 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00825 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc03b 00826 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00827 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc03d 00828 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00829 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00830 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc03f 00831 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00832 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... 
) == 0x10011 00833 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc041 00834 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00835 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00836 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc043 00837 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00838 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc045 00839 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00840 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00841 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc047 00842 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00843 576 NtUserFindExistingCursorIcon (8711536, 8711552, 8712120, ... ) == 0x10011 00844 576 NtUserRegisterClassExWOW (8711988, 8712068, 8712052, 8712084, 0, 384, 0, ... ) == 0x810cc049 00845 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00846 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00847 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc04b 00848 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00849 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00850 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc04d 00851 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00852 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00853 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... 
) == 0x810cc04f 00854 576 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00855 576 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc051 00856 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00857 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00858 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc053 00859 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00860 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00861 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc055 00862 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc057 00863 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00864 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00865 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc059 00866 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00714 456 NtClose ... ) == 0x0 00867 456 NtClose (120, ... ) == 0x0 00868 456 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0 00869 456 NtSetValueKey (120, (120, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (120, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00870 456 NtSetInformationFile (-2147482808, -135067852, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00871 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10013 00872 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... 
) == 0x810cc05b 00873 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00874 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00875 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc05d 00876 576 NtUserGetClassInfo (1999896576, 8712156, 8712108, 8712184, 0, ... ) == 0x0 00877 456 NtSetInformationFile (-2147482808, -135067944, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00878 456 NtSetInformationFile (-2147482808, -135068252, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00869 456 NtSetValueKey ... ) == 0x0 00879 456 NtClose (120, ... ) == 0x0 00880 456 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 120, ) }, 0, ... 120, ) == 0x0 00881 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 15794176, 2097152, ) == 0x0 00882 456 NtAllocateVirtualMemory (-1, 17883136, 0, 8192, 4096, 4, ... 00883 576 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00884 576 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc05f 00885 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc03b 00886 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc03d 00887 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc03f 00888 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc041 00882 456 NtAllocateVirtualMemory ... 17883136, 8192, ) == 0x0 00889 456 NtProtectVirtualMemory (-1, (0x110e000), 4096, 260, ... (0x110e000), 4096, 4, ) == 0x0 00890 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 132, {444, 596}, ) == 0x0 00891 456 NtQueryInformationThread (132, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=444,Tid=596,}, 0x0, ) == 0x0 00892 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} "\0\0\0\0\1\0\1\0C:\WINDO\204\0\0\0\274\1\0\0T\2\0\0" ... {28, 56, reply, 0, 444, 456, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\0\0\0\274\1\0\0T\2\0\0" ) ... {28, 56, reply, 0, 444, 456, 1511, 0} (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} "\0\0\0\0\1\0\1\0C:\WINDO\204\0\0\0\274\1\0\0T\2\0\0" ... {28, 56, reply, 0, 444, 456, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\0\0\0\274\1\0\0T\2\0\0" ) ) == 0x0 00893 456 NtResumeThread (132, ... 1, ) == 0x0 00894 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... 00895 596 NtWaitForSingleObject (36, 0, 0x0, ... 00894 576 NtUserGetClassInfo ... ) == 0xc043 00896 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc045 00897 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc047 00898 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc049 00899 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc04b 00900 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc04d 00901 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 17891328, 2097152, ) == 0x0 00902 456 NtAllocateVirtualMemory (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0 00903 456 NtProtectVirtualMemory (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0 00904 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 116, {444, 636}, ) == 0x0 00905 456 NtQueryInformationThread (116, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=444,Tid=636,}, 0x0, ) == 0x0 00906 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1511, 0} (24, {28, 56, new_msg, 0, 444, 456, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\0\0\0\274\1\0\0|\2\0\0" ... ... 00907 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc04f 00908 576 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc051 00909 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc053 00906 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1512, 0} ... {28, 56, reply, 0, 444, 456, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\0\0\0\274\1\0\0|\2\0\0" ) ) == 0x0 00910 456 NtResumeThread (116, ... 1, ) == 0x0 00911 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 19988480, 2097152, ) == 0x0 00912 456 NtAllocateVirtualMemory (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0 00913 456 NtProtectVirtualMemory (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0 00914 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 128, {444, 732}, ) == 0x0 00915 456 NtQueryInformationThread (128, Basic, 28, ... 00916 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... 00917 636 NtWaitForSingleObject (36, 0, 0x0, ... 00916 576 NtUserGetClassInfo ... ) == 0xc055 00918 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc059 00919 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc05b 00920 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc05d 00921 576 NtUserGetClassInfo (1999896576, 8713908, 8713860, 8713936, 0, ... ) == 0xc05f 00922 576 NtSetEventBoostPriority (36, ... 00895 596 NtWaitForSingleObject ... ) == 0x0 00923 596 NtSetEventBoostPriority (36, ... 00917 636 NtWaitForSingleObject ... ) == 0x0 00924 636 NtTestAlert (... ) == 0x0 00923 596 NtSetEventBoostPriority ... 
) == 0x0 00922 576 NtSetEventBoostPriority ... ) == 0x0 00915 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=444,Tid=732,}, 0x0, ) == 0x0 00925 636 NtContinue (19987760, 1, ... 00926 596 NtTestAlert (... 00927 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1512, 0} (24, {28, 56, new_msg, 0, 444, 456, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\0\0\0\274\1\0\0\334\2\0\0" ... ... 00928 636 NtRegisterThreadTerminatePort (24, ... 00926 596 NtTestAlert ... ) == 0x0 00927 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1513, 0} ... {28, 56, reply, 0, 444, 456, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\0\0\0\274\1\0\0\334\2\0\0" ) ) == 0x0 00928 636 NtRegisterThreadTerminatePort ... ) == 0x0 00929 596 NtContinue (17890608, 1, ... 00930 456 NtResumeThread (128, ... 00931 636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00932 596 NtRegisterThreadTerminatePort (24, ... 00930 456 NtResumeThread ... 1, ) == 0x0 00931 636 NtDuplicateObject ... 136, ) == 0x0 00932 596 NtRegisterThreadTerminatePort ... ) == 0x0 00933 576 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... }, ... 00934 732 NtWaitForSingleObject (36, 0, 0x0, ... 00935 636 NtWaitForSingleObject (80, 0, {0, 0}, ... 00936 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00933 576 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 00935 636 NtWaitForSingleObject ... ) == 0x102 00938 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 8713444, ... }, 8713444, ... 00937 456 NtAllocateVirtualMemory ... 22085632, 2097152, ) == 0x0 00939 636 NtAllocateVirtualMemory (-1, 19976192, 0, 4096, 4096, 260, ... 00940 456 NtAllocateVirtualMemory (-1, 24174592, 0, 8192, 4096, 4, ... 00939 636 NtAllocateVirtualMemory ... 19976192, 4096, ) == 0x0 00940 456 NtAllocateVirtualMemory ... 
24174592, 8192, ) == 0x0 00941 636 NtWaitForSingleObject (36, 0, 0x0, ... 00942 456 NtProtectVirtualMemory (-1, (0x170e000), 4096, 260, ... (0x170e000), 4096, 4, ) == 0x0 00943 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 140, {444, 744}, ) == 0x0 00944 456 NtQueryInformationThread (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=444,Tid=744,}, 0x0, ) == 0x0 00945 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1513, 0} (24, {28, 56, new_msg, 0, 444, 456, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0\274\1\0\0\350\2\0\0" ... ... 00936 596 NtDuplicateObject ... 144, ) == 0x0 00946 596 NtWaitForSingleObject (72, 0, {0, 0}, ... ) == 0x102 00947 596 NtWaitForSingleObject (36, 0, 0x0, ... 00945 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1514, 0} ... {28, 56, reply, 0, 444, 456, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0\274\1\0\0\350\2\0\0" ) ) == 0x0 00948 456 NtResumeThread (140, ... 1, ) == 0x0 00949 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 24182784, 2097152, ) == 0x0 00950 456 NtAllocateVirtualMemory (-1, 26271744, 0, 8192, 4096, 4, ... 00951 744 NtWaitForSingleObject (36, 0, 0x0, ... 00950 456 NtAllocateVirtualMemory ... 26271744, 8192, ) == 0x0 00952 456 NtProtectVirtualMemory (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0 00953 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 148, {444, 308}, ) == 0x0 00954 456 NtQueryInformationThread (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=444,Tid=308,}, 0x0, ) == 0x0 00955 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1514, 0} (24, {28, 56, new_msg, 0, 444, 456, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0\274\1\0\04\1\0\0" ... {28, 56, reply, 0, 444, 456, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0\274\1\0\04\1\0\0" ) ... 
{28, 56, reply, 0, 444, 456, 1515, 0} (24, {28, 56, new_msg, 0, 444, 456, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0\274\1\0\04\1\0\0" ... {28, 56, reply, 0, 444, 456, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0\274\1\0\04\1\0\0" ) ) == 0x0 00956 456 NtResumeThread (148, ... 1, ) == 0x0 00957 308 NtWaitForSingleObject (36, 0, 0x0, ... 00958 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 26279936, 2097152, ) == 0x0 00959 456 NtAllocateVirtualMemory (-1, 28368896, 0, 8192, 4096, 4, ... 28368896, 8192, ) == 0x0 00960 456 NtProtectVirtualMemory (-1, (0x1b0e000), 4096, 260, ... (0x1b0e000), 4096, 4, ) == 0x0 00938 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 576 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 8713444, ... }, 8713444, ... 00962 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 152, {444, 784}, ) == 0x0 00963 456 NtQueryInformationThread (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=444,Tid=784,}, 0x0, ) == 0x0 00964 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1515, 0} (24, {28, 56, new_msg, 0, 444, 456, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0\274\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 444, 456, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0\274\1\0\0\20\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1516, 0} (24, {28, 56, new_msg, 0, 444, 456, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0\274\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 444, 456, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0\274\1\0\0\20\3\0\0" ) ) == 0x0 00965 456 NtResumeThread (152, ... 1, ) == 0x0 00966 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 28377088, 2097152, ) == 0x0 00967 456 NtAllocateVirtualMemory (-1, 30466048, 0, 8192, 4096, 4, ... 00968 784 NtWaitForSingleObject (36, 0, 0x0, ... 00967 456 NtAllocateVirtualMemory ... 30466048, 8192, ) == 0x0 00969 456 NtProtectVirtualMemory (-1, (0x1d0e000), 4096, 260, ... 
(0x1d0e000), 4096, 4, ) == 0x0 00970 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 156, {444, 676}, ) == 0x0 00971 456 NtQueryInformationThread (156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=444,Tid=676,}, 0x0, ) == 0x0 00972 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1516, 0} (24, {28, 56, new_msg, 0, 444, 456, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0\274\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 444, 456, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0\274\1\0\0\244\2\0\0" ) ... {28, 56, reply, 0, 444, 456, 1517, 0} (24, {28, 56, new_msg, 0, 444, 456, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0\274\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 444, 456, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0\274\1\0\0\244\2\0\0" ) ) == 0x0 00973 456 NtResumeThread (156, ... 1, ) == 0x0 00974 676 NtWaitForSingleObject (36, 0, 0x0, ... 00975 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 30474240, 2097152, ) == 0x0 00976 456 NtAllocateVirtualMemory (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0 00977 456 NtProtectVirtualMemory (-1, (0x1f0e000), 4096, 260, ... (0x1f0e000), 4096, 4, ) == 0x0 00978 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 160, {444, 796}, ) == 0x0 00979 456 NtQueryInformationThread (160, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=444,Tid=796,}, 0x0, ) == 0x0 00980 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1517, 0} (24, {28, 56, new_msg, 0, 444, 456, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\0\0\0\274\1\0\0\34\3\0\0" ... {28, 56, reply, 0, 444, 456, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\0\0\0\274\1\0\0\34\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1518, 0} (24, {28, 56, new_msg, 0, 444, 456, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\0\0\0\274\1\0\0\34\3\0\0" ... 
{28, 56, reply, 0, 444, 456, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\0\0\0\274\1\0\0\34\3\0\0" ) ) == 0x0 00981 456 NtResumeThread (160, ... 1, ) == 0x0 00982 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 32571392, 2097152, ) == 0x0 00983 456 NtAllocateVirtualMemory (-1, 34660352, 0, 8192, 4096, 4, ... 00984 796 NtWaitForSingleObject (36, 0, 0x0, ... 00983 456 NtAllocateVirtualMemory ... 34660352, 8192, ) == 0x0 00985 456 NtProtectVirtualMemory (-1, (0x210e000), 4096, 260, ... (0x210e000), 4096, 4, ) == 0x0 00986 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 164, {444, 792}, ) == 0x0 00987 456 NtQueryInformationThread (164, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=444,Tid=792,}, 0x0, ) == 0x0 00988 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1518, 0} (24, {28, 56, new_msg, 0, 444, 456, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\274\1\0\0\30\3\0\0" ... {28, 56, reply, 0, 444, 456, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\274\1\0\0\30\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1519, 0} (24, {28, 56, new_msg, 0, 444, 456, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\274\1\0\0\30\3\0\0" ... {28, 56, reply, 0, 444, 456, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\274\1\0\0\30\3\0\0" ) ) == 0x0 00989 456 NtResumeThread (164, ... 1, ) == 0x0 00990 792 NtWaitForSingleObject (36, 0, 0x0, ... 00991 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 34668544, 2097152, ) == 0x0 00992 456 NtAllocateVirtualMemory (-1, 36757504, 0, 8192, 4096, 4, ... 36757504, 8192, ) == 0x0 00993 456 NtProtectVirtualMemory (-1, (0x230e000), 4096, 260, ... (0x230e000), 4096, 4, ) == 0x0 00994 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 168, {444, 780}, ) == 0x0 00995 456 NtQueryInformationThread (168, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=444,Tid=780,}, 0x0, ) == 0x0 00996 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1519, 0} (24, {28, 56, new_msg, 0, 444, 456, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\274\1\0\0\14\3\0\0" ... {28, 56, reply, 0, 444, 456, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\274\1\0\0\14\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1520, 0} (24, {28, 56, new_msg, 0, 444, 456, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\274\1\0\0\14\3\0\0" ... {28, 56, reply, 0, 444, 456, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\274\1\0\0\14\3\0\0" ) ) == 0x0 00997 456 NtResumeThread (168, ... 1, ) == 0x0 00998 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 36765696, 2097152, ) == 0x0 00999 456 NtAllocateVirtualMemory (-1, 38854656, 0, 8192, 4096, 4, ... 01000 780 NtWaitForSingleObject (36, 0, 0x0, ... 00999 456 NtAllocateVirtualMemory ... 38854656, 8192, ) == 0x0 01001 456 NtProtectVirtualMemory (-1, (0x250e000), 4096, 260, ... (0x250e000), 4096, 4, ) == 0x0 01002 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 172, {444, 716}, ) == 0x0 01003 456 NtQueryInformationThread (172, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=444,Tid=716,}, 0x0, ) == 0x0 01004 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1520, 0} (24, {28, 56, new_msg, 0, 444, 456, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\274\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 444, 456, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\274\1\0\0\314\2\0\0" ) ... {28, 56, reply, 0, 444, 456, 1521, 0} (24, {28, 56, new_msg, 0, 444, 456, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\274\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 444, 456, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\0\0\0\274\1\0\0\314\2\0\0" ) ) == 0x0 01005 456 NtResumeThread (172, ... 1, ) == 0x0 01006 716 NtWaitForSingleObject (36, 0, 0x0, ... 01007 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
38862848, 2097152, ) == 0x0 01008 456 NtAllocateVirtualMemory (-1, 40951808, 0, 8192, 4096, 4, ... 40951808, 8192, ) == 0x0 01009 456 NtProtectVirtualMemory (-1, (0x270e000), 4096, 260, ... (0x270e000), 4096, 4, ) == 0x0 01010 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 176, {444, 844}, ) == 0x0 01011 456 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=444,Tid=844,}, 0x0, ) == 0x0 01012 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1521, 0} (24, {28, 56, new_msg, 0, 444, 456, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\274\1\0\0L\3\0\0" ... {28, 56, reply, 0, 444, 456, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\274\1\0\0L\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1522, 0} (24, {28, 56, new_msg, 0, 444, 456, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\274\1\0\0L\3\0\0" ... {28, 56, reply, 0, 444, 456, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\274\1\0\0L\3\0\0" ) ) == 0x0 01013 456 NtResumeThread (176, ... 1, ) == 0x0 01014 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 40960000, 2097152, ) == 0x0 01015 456 NtAllocateVirtualMemory (-1, 43048960, 0, 8192, 4096, 4, ... 00961 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01016 844 NtWaitForSingleObject (36, 0, 0x0, ... 01017 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 8713444, ... }, 8713444, ... 01015 456 NtAllocateVirtualMemory ... 43048960, 8192, ) == 0x0 01018 456 NtProtectVirtualMemory (-1, (0x290e000), 4096, 260, ... (0x290e000), 4096, 4, ) == 0x0 01019 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 180, {444, 864}, ) == 0x0 01020 456 NtQueryInformationThread (180, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=444,Tid=864,}, 0x0, ) == 0x0 01021 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1522, 0} (24, {28, 56, new_msg, 0, 444, 456, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\274\1\0\0`\3\0\0" ... {28, 56, reply, 0, 444, 456, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\274\1\0\0`\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1523, 0} (24, {28, 56, new_msg, 0, 444, 456, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\274\1\0\0`\3\0\0" ... {28, 56, reply, 0, 444, 456, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\274\1\0\0`\3\0\0" ) ) == 0x0 01022 456 NtResumeThread (180, ... 1, ) == 0x0 01017 576 NtQueryAttributesFile ... ) == 0x0 01023 864 NtWaitForSingleObject (36, 0, 0x0, ... 01024 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01025 576 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 188, ) == 0x0 01026 576 NtQuerySection (188, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01027 576 NtClose (184, ... ) == 0x0 01028 576 NtMapViewOfSection (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 01029 576 NtClose (188, ... 01030 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 43057152, 2097152, ) == 0x0 01031 456 NtAllocateVirtualMemory (-1, 45146112, 0, 8192, 4096, 4, ... 45146112, 8192, ) == 0x0 01032 456 NtProtectVirtualMemory (-1, (0x2b0e000), 4096, 260, ... (0x2b0e000), 4096, 4, ) == 0x0 01033 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 184, {444, 868}, ) == 0x0 01034 456 NtQueryInformationThread (184, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=444,Tid=868,}, 0x0, ) == 0x0 01035 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1523, 0} (24, {28, 56, new_msg, 0, 444, 456, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\274\1\0\0d\3\0\0" ... ... 01029 576 NtClose ... ) == 0x0 01036 576 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 188, ) == 0x0 01037 576 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 192, ) == 0x0 01038 576 NtSetEventBoostPriority (36, ... 01035 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1524, 0} ... {28, 56, reply, 0, 444, 456, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\0\0\0\274\1\0\0d\3\0\0" ) ) == 0x0 01039 456 NtResumeThread (184, ... 1, ) == 0x0 01040 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 45154304, 2097152, ) == 0x0 01041 456 NtAllocateVirtualMemory (-1, 47243264, 0, 8192, 4096, 4, ... 47243264, 8192, ) == 0x0 01042 456 NtProtectVirtualMemory (-1, (0x2d0e000), 4096, 260, ... (0x2d0e000), 4096, 4, ) == 0x0 01043 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 196, {444, 872}, ) == 0x0 01044 456 NtQueryInformationThread (196, Basic, 28, ... 00934 732 NtWaitForSingleObject ... ) == 0x0 01038 576 NtSetEventBoostPriority ... ) == 0x0 01045 868 NtWaitForSingleObject (36, 0, 0x0, ... 01046 732 NtSetEventBoostPriority (36, ... 01047 576 NtWaitForSingleObject (36, 0, 0x0, ... 00941 636 NtWaitForSingleObject ... ) == 0x0 01046 732 NtSetEventBoostPriority ... ) == 0x0 01048 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 19983404, ... }, 19983404, ... 01044 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=444,Tid=872,}, 0x0, ) == 0x0 01048 636 NtQueryAttributesFile ... ) == 0x0 01049 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1524, 0} (24, {28, 56, new_msg, 0, 444, 456, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\274\1\0\0h\3\0\0" ... ... 
01050 732 NtTestAlert (... 01049 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1525, 0} ... {28, 56, reply, 0, 444, 456, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0\274\1\0\0h\3\0\0" ) ) == 0x0 01050 732 NtTestAlert ... ) == 0x0 01051 456 NtResumeThread (196, ... 01052 732 NtContinue (22084912, 1, ... 01051 456 NtResumeThread ... 1, ) == 0x0 01053 732 NtRegisterThreadTerminatePort (24, ... 01054 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... }, 5, 96, ... 01055 872 NtWaitForSingleObject (36, 0, 0x0, ... 01053 732 NtRegisterThreadTerminatePort ... ) == 0x0 01054 636 NtOpenFile ... 200, {status=0x0, info=1}, ) == 0x0 01056 732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01057 636 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 200, ... 01058 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01057 636 NtCreateSection ... 204, ) == 0x0 01058 456 NtAllocateVirtualMemory ... 47251456, 2097152, ) == 0x0 01059 636 NtClose (200, ... 01060 456 NtAllocateVirtualMemory (-1, 49340416, 0, 8192, 4096, 4, ... 01059 636 NtClose ... ) == 0x0 01060 456 NtAllocateVirtualMemory ... 49340416, 8192, ) == 0x0 01056 732 NtDuplicateObject ... 200, ) == 0x0 01061 456 NtProtectVirtualMemory (-1, (0x2f0e000), 4096, 260, ... 01062 732 NtWaitForSingleObject (80, 0, {0, 0}, ... 01061 456 NtProtectVirtualMemory ... (0x2f0e000), 4096, 4, ) == 0x0 01062 732 NtWaitForSingleObject ... ) == 0x102 01063 636 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01064 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01063 636 NtMapViewOfSection ... (0x2f10000), 0x0, 229376, ) == 0x0 01064 732 NtCreateEvent ... 208, ) == 0x0 01065 636 NtClose (204, ... 01066 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01065 636 NtClose ... ) == 0x0 01066 456 NtCreateThread ... 204, {444, 876}, ) == 0x0 01067 636 NtUnmapViewOfSection (-1, 0x2f10000, ... 
01068 456 NtQueryInformationThread (204, Basic, 28, ... 01067 636 NtUnmapViewOfSection ... ) == 0x0 01068 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=444,Tid=876,}, 0x0, ) == 0x0 01069 732 NtWaitForSingleObject (208, 0, 0x0, ... 01070 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1525, 0} (24, {28, 56, new_msg, 0, 444, 456, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\274\1\0\0l\3\0\0" ... {28, 56, reply, 0, 444, 456, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\274\1\0\0l\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1526, 0} (24, {28, 56, new_msg, 0, 444, 456, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\274\1\0\0l\3\0\0" ... {28, 56, reply, 0, 444, 456, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\0\0\0\274\1\0\0l\3\0\0" ) ) == 0x0 01071 456 NtResumeThread (204, ... 1, ) == 0x0 01072 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 49348608, 2097152, ) == 0x0 01073 456 NtAllocateVirtualMemory (-1, 51437568, 0, 8192, 4096, 4, ... 01074 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 19983720, ... }, 19983720, ... 01075 876 NtWaitForSingleObject (36, 0, 0x0, ... 01074 636 NtQueryAttributesFile ... ) == 0x0 01076 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0 01077 636 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 216, ) == 0x0 01078 636 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01079 636 NtClose (212, ... ) == 0x0 01080 636 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 01073 456 NtAllocateVirtualMemory ... 51437568, 8192, ) == 0x0 01081 456 NtProtectVirtualMemory (-1, (0x310e000), 4096, 260, ... 
(0x310e000), 4096, 4, ) == 0x0 01082 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 212, {444, 880}, ) == 0x0 01083 456 NtQueryInformationThread (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=444,Tid=880,}, 0x0, ) == 0x0 01084 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1526, 0} (24, {28, 56, new_msg, 0, 444, 456, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\274\1\0\0p\3\0\0" ... {28, 56, reply, 0, 444, 456, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\274\1\0\0p\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1527, 0} (24, {28, 56, new_msg, 0, 444, 456, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\274\1\0\0p\3\0\0" ... {28, 56, reply, 0, 444, 456, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\274\1\0\0p\3\0\0" ) ) == 0x0 01085 456 NtResumeThread (212, ... 1, ) == 0x0 01086 636 NtClose (216, ... 01087 880 NtWaitForSingleObject (36, 0, 0x0, ... 01086 636 NtClose ... ) == 0x0 01088 636 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01089 636 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01090 636 NtSetEventBoostPriority (36, ... 00947 596 NtWaitForSingleObject ... ) == 0x0 01091 596 NtAllocateVirtualMemory (-1, 17879040, 0, 4096, 4096, 260, ... 17879040, 4096, ) == 0x0 01092 596 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 17887804, ... ) }, 17887804, ... ) == 0x0 01093 596 NtSetEventBoostPriority (36, ... 00951 744 NtWaitForSingleObject ... ) == 0x0 01094 744 NtSetEventBoostPriority (36, ... 00957 308 NtWaitForSingleObject ... ) == 0x0 01095 308 NtSetEventBoostPriority (36, ... 00968 784 NtWaitForSingleObject ... 
) == 0x0 01096 784 NtSetEventBoostPriority (36, ... 00974 676 NtWaitForSingleObject ... ) == 0x0 01097 676 NtSetEventBoostPriority (36, ... 00984 796 NtWaitForSingleObject ... ) == 0x0 01098 796 NtSetEventBoostPriority (36, ... 00990 792 NtWaitForSingleObject ... ) == 0x0 01099 792 NtAllocateVirtualMemory (-1, 13189120, 0, 4096, 4096, 4, ... 13189120, 4096, ) == 0x0 01098 796 NtSetEventBoostPriority ... ) == 0x0 01097 676 NtSetEventBoostPriority ... ) == 0x0 01096 784 NtSetEventBoostPriority ... ) == 0x0 01095 308 NtSetEventBoostPriority ... ) == 0x0 01094 744 NtSetEventBoostPriority ... ) == 0x0 01093 596 NtSetEventBoostPriority ... ) == 0x0 01090 636 NtSetEventBoostPriority ... ) == 0x0 01100 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01101 792 NtSetEventBoostPriority (36, ... 01102 796 NtTestAlert (... 01103 676 NtTestAlert (... 01104 784 NtTestAlert (... 01105 308 NtTestAlert (... 01106 596 NtWaitForSingleObject (36, 0, 0x0, ... 01107 636 NtWaitForSingleObject (36, 0, 0x0, ... 01100 456 NtAllocateVirtualMemory ... 51445760, 2097152, ) == 0x0 01000 780 NtWaitForSingleObject ... ) == 0x0 01101 792 NtSetEventBoostPriority ... ) == 0x0 01102 796 NtTestAlert ... ) == 0x0 01103 676 NtTestAlert ... ) == 0x0 01104 784 NtTestAlert ... ) == 0x0 01105 308 NtTestAlert ... ) == 0x0 01108 780 NtSetEventBoostPriority (36, ... 01109 456 NtAllocateVirtualMemory (-1, 53534720, 0, 8192, 4096, 4, ... 01110 792 NtTestAlert (... 01111 796 NtContinue (32570672, 1, ... 01112 676 NtContinue (30473520, 1, ... 01113 784 NtContinue (28376368, 1, ... 01006 716 NtWaitForSingleObject ... ) == 0x0 01108 780 NtSetEventBoostPriority ... ) == 0x0 01114 308 NtContinue (26279216, 1, ... 01109 456 NtAllocateVirtualMemory ... 53534720, 8192, ) == 0x0 01110 792 NtTestAlert ... ) == 0x0 01115 796 NtRegisterThreadTerminatePort (24, ... 01116 676 NtRegisterThreadTerminatePort (24, ... 01117 716 NtSetEventBoostPriority (36, ... 01118 784 NtRegisterThreadTerminatePort (24, ... 
01119 744 NtTestAlert (... 01120 308 NtRegisterThreadTerminatePort (24, ... 01121 456 NtProtectVirtualMemory (-1, (0x330e000), 4096, 260, ... 01122 792 NtContinue (34667824, 1, ... 01115 796 NtRegisterThreadTerminatePort ... ) == 0x0 01016 844 NtWaitForSingleObject ... ) == 0x0 01117 716 NtSetEventBoostPriority ... ) == 0x0 01116 676 NtRegisterThreadTerminatePort ... ) == 0x0 01118 784 NtRegisterThreadTerminatePort ... ) == 0x0 01119 744 NtTestAlert ... ) == 0x0 01120 308 NtRegisterThreadTerminatePort ... ) == 0x0 01121 456 NtProtectVirtualMemory ... (0x330e000), 4096, 4, ) == 0x0 01123 792 NtRegisterThreadTerminatePort (24, ... 01124 844 NtSetEventBoostPriority (36, ... 01125 796 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01126 780 NtTestAlert (... 01127 676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01128 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01129 744 NtContinue (24182064, 1, ... 01130 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01131 716 NtTestAlert (... 01132 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01023 864 NtWaitForSingleObject ... ) == 0x0 01124 844 NtSetEventBoostPriority ... ) == 0x0 01123 792 NtRegisterThreadTerminatePort ... ) == 0x0 01126 780 NtTestAlert ... ) == 0x0 01125 796 NtDuplicateObject ... 216, ) == 0x0 01127 676 NtDuplicateObject ... 220, ) == 0x0 01133 744 NtRegisterThreadTerminatePort (24, ... 01128 784 NtDuplicateObject ... 224, ) == 0x0 01131 716 NtTestAlert ... ) == 0x0 01134 864 NtSetEventBoostPriority (36, ... 01132 456 NtCreateThread ... 228, {444, 884}, ) == 0x0 01130 308 NtDuplicateObject ... 232, ) == 0x0 01135 792 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01136 780 NtContinue (36764976, 1, ... 01137 796 NtWaitForSingleObject (80, 0, {0, 0}, ... 01138 676 NtWaitForSingleObject (80, 0, {0, 0}, ... 01133 744 NtRegisterThreadTerminatePort ... ) == 0x0 01139 784 NtWaitForSingleObject (80, 0, {0, 0}, ... 01045 868 NtWaitForSingleObject ... ) == 0x0 01134 864 NtSetEventBoostPriority ... 
) == 0x0 01140 716 NtContinue (38862128, 1, ... 01141 456 NtQueryInformationThread (228, Basic, 28, ... 01142 308 NtWaitForSingleObject (80, 0, {0, 0}, ... 01135 792 NtDuplicateObject ... 236, ) == 0x0 01143 780 NtRegisterThreadTerminatePort (24, ... 01137 796 NtWaitForSingleObject ... ) == 0x102 01138 676 NtWaitForSingleObject ... ) == 0x102 01144 744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01145 868 NtSetEventBoostPriority (36, ... 01139 784 NtWaitForSingleObject ... ) == 0x102 01146 844 NtTestAlert (... 01147 716 NtRegisterThreadTerminatePort (24, ... 01141 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=444,Tid=884,}, 0x0, ) == 0x0 01142 308 NtWaitForSingleObject ... ) == 0x102 01148 792 NtWaitForSingleObject (80, 0, {0, 0}, ... 01143 780 NtRegisterThreadTerminatePort ... ) == 0x0 01149 796 NtWaitForSingleObject (208, 0, 0x0, ... 01150 676 NtWaitForSingleObject (208, 0, 0x0, ... 01151 864 NtTestAlert (... 01047 576 NtWaitForSingleObject ... ) == 0x0 01145 868 NtSetEventBoostPriority ... ) == 0x0 01152 784 NtWaitForSingleObject (208, 0, 0x0, ... 01146 844 NtTestAlert ... ) == 0x0 01147 716 NtRegisterThreadTerminatePort ... ) == 0x0 01153 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1527, 0} (24, {28, 56, new_msg, 0, 444, 456, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\274\1\0\0t\3\0\0" ... ... 01154 308 NtWaitForSingleObject (208, 0, 0x0, ... 01148 792 NtWaitForSingleObject ... ) == 0x102 01155 780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01156 576 NtSetEventBoostPriority (36, ... 01151 864 NtTestAlert ... ) == 0x0 01144 744 NtDuplicateObject ... 240, ) == 0x0 01157 844 NtContinue (40959280, 1, ... 01158 716 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01159 868 NtTestAlert (... 01153 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1528, 0} ... 
{28, 56, reply, 0, 444, 456, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\274\1\0\0t\3\0\0" ) ) == 0x0 01160 792 NtWaitForSingleObject (208, 0, 0x0, ... 01055 872 NtWaitForSingleObject ... ) == 0x0 01156 576 NtSetEventBoostPriority ... ) == 0x0 01161 864 NtContinue (43056432, 1, ... 01162 744 NtWaitForSingleObject (80, 0, {0, 0}, ... 01163 844 NtRegisterThreadTerminatePort (24, ... 01155 780 NtDuplicateObject ... 244, ) == 0x0 01159 868 NtTestAlert ... ) == 0x0 01164 456 NtResumeThread (228, ... 01165 872 NtSetEventBoostPriority (36, ... 01158 716 NtDuplicateObject ... 248, ) == 0x0 01166 864 NtRegisterThreadTerminatePort (24, ... 01162 744 NtWaitForSingleObject ... ) == 0x102 01163 844 NtRegisterThreadTerminatePort ... ) == 0x0 01167 780 NtWaitForSingleObject (80, 0, {0, 0}, ... 01168 868 NtContinue (45153584, 1, ... 01075 876 NtWaitForSingleObject ... ) == 0x0 01165 872 NtSetEventBoostPriority ... ) == 0x0 01164 456 NtResumeThread ... 1, ) == 0x0 01169 716 NtWaitForSingleObject (80, 0, {0, 0}, ... 01166 864 NtRegisterThreadTerminatePort ... ) == 0x0 01170 744 NtWaitForSingleObject (208, 0, 0x0, ... 01171 844 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01167 780 NtWaitForSingleObject ... ) == 0x102 01172 876 NtSetEventBoostPriority (36, ... 01173 868 NtRegisterThreadTerminatePort (24, ... 01174 576 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... }, ... 01175 884 NtWaitForSingleObject (36, 0, 0x0, ... 01176 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01169 716 NtWaitForSingleObject ... ) == 0x102 01177 864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01178 872 NtTestAlert (... 01087 880 NtWaitForSingleObject ... ) == 0x0 01172 876 NtSetEventBoostPriority ... ) == 0x0 01179 780 NtWaitForSingleObject (208, 0, 0x0, ... 01173 868 NtRegisterThreadTerminatePort ... ) == 0x0 01174 576 NtOpenEvent ... 252, ) == 0x0 01176 456 NtAllocateVirtualMemory ... 
53542912, 2097152, ) == 0x0 01180 716 NtWaitForSingleObject (208, 0, 0x0, ... 01171 844 NtDuplicateObject ... 256, ) == 0x0 01181 880 NtSetEventBoostPriority (36, ... 01178 872 NtTestAlert ... ) == 0x0 01177 864 NtDuplicateObject ... 260, ) == 0x0 01182 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01183 576 NtQueryEvent (252, Basic, 8, ... 01184 456 NtAllocateVirtualMemory (-1, 55631872, 0, 8192, 4096, 4, ... 01106 596 NtWaitForSingleObject ... ) == 0x0 01181 880 NtSetEventBoostPriority ... ) == 0x0 01185 844 NtWaitForSingleObject (80, 0, {0, 0}, ... 01186 872 NtContinue (47250736, 1, ... 01187 864 NtWaitForSingleObject (80, 0, {0, 0}, ... 01188 876 NtTestAlert (... 01183 576 NtQueryEvent ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01182 868 NtDuplicateObject ... 264, ) == 0x0 01189 596 NtSetEventBoostPriority (36, ... 01184 456 NtAllocateVirtualMemory ... 55631872, 8192, ) == 0x0 01185 844 NtWaitForSingleObject ... ) == 0x102 01190 872 NtRegisterThreadTerminatePort (24, ... 01187 864 NtWaitForSingleObject ... ) == 0x102 01188 876 NtTestAlert ... ) == 0x0 01191 576 NtClose (252, ... 01107 636 NtWaitForSingleObject ... ) == 0x0 01189 596 NtSetEventBoostPriority ... ) == 0x0 01192 868 NtWaitForSingleObject (80, 0, {0, 0}, ... 01193 456 NtProtectVirtualMemory (-1, (0x350e000), 4096, 260, ... 01194 844 NtWaitForSingleObject (208, 0, 0x0, ... 01190 872 NtRegisterThreadTerminatePort ... ) == 0x0 01195 864 NtWaitForSingleObject (208, 0, 0x0, ... 01196 876 NtContinue (49347888, 1, ... 01197 636 NtSetEventBoostPriority (36, ... 01191 576 NtClose ... ) == 0x0 01198 880 NtTestAlert (... 01192 868 NtWaitForSingleObject ... ) == 0x102 01193 456 NtProtectVirtualMemory ... (0x350e000), 4096, 4, ) == 0x0 01199 872 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01175 884 NtWaitForSingleObject ... ) == 0x0 01197 636 NtSetEventBoostPriority ... ) == 0x0 01200 876 NtRegisterThreadTerminatePort (24, ... 01201 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01198 880 NtTestAlert ... 
) == 0x0 01202 868 NtWaitForSingleObject (208, 0, 0x0, ... 01203 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01204 576 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 8714928, 140, ... , {12, 2, 1, 0}, 0x0, 0x0, 8714928, 140, ... 01205 884 NtTestAlert (... 01199 872 NtDuplicateObject ... 252, ) == 0x0 01200 876 NtRegisterThreadTerminatePort ... ) == 0x0 01201 596 NtCreateEvent ... 268, ) == 0x0 01206 880 NtContinue (51445040, 1, ... 01203 456 NtCreateThread ... 272, {444, 888}, ) == 0x0 01205 884 NtTestAlert ... ) == 0x0 01207 872 NtWaitForSingleObject (80, 0, {0, 0}, ... 01208 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01209 596 NtAllocateVirtualMemory (-1, 4587520, 0, 4096, 4096, 4, ... 01204 576 NtConnectPort ... 276, 0x0, 0x0, 256, 140, ) == 0x0 01210 880 NtRegisterThreadTerminatePort (24, ... 01211 456 NtQueryInformationThread (272, Basic, 28, ... 01212 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01207 872 NtWaitForSingleObject ... ) == 0x102 01213 884 NtContinue (53542192, 1, ... 01209 596 NtAllocateVirtualMemory ... 4587520, 4096, ) == 0x0 01214 576 NtRequestWaitReplyPort (276, {28, 52, new_msg, 0, 0, 0, 0, 0} (276, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\376\1 \363E\0" ... ... 01210 880 NtRegisterThreadTerminatePort ... ) == 0x0 01208 876 NtDuplicateObject ... 280, ) == 0x0 01212 636 NtCreateEvent ... 284, ) == 0x0 01215 872 NtWaitForSingleObject (208, 0, 0x0, ... 01216 884 NtRegisterThreadTerminatePort (24, ... 01217 596 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 17887448, ... }, 17887448, ... 01218 880 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01219 876 NtWaitForSingleObject (80, 0, {0, 0}, ... 01214 576 NtRequestWaitReplyPort ... {176, 200, reply, 0, 444, 576, 1530, 0} ... 
{176, 200, reply, 0, 444, 576, 1530, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\376\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01220 636 NtWaitForSingleObject (36, 0, 0x0, ... 01216 884 NtRegisterThreadTerminatePort ... ) == 0x0 01217 596 NtQueryAttributesFile ... ) == 0x0 01211 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=444,Tid=888,}, 0x0, ) == 0x0 01219 876 NtWaitForSingleObject ... ) == 0x102 01218 880 NtDuplicateObject ... 288, ) == 0x0 01221 884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01222 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx2"}, ... }, ... 01223 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1528, 0} (24, {28, 56, new_msg, 0, 444, 456, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\274\1\0\0x\3\0\0" ... ... 01224 876 NtWaitForSingleObject (208, 0, 0x0, ... 01225 880 NtWaitForSingleObject (80, 0, {0, 0}, ... 01221 884 NtDuplicateObject ... 292, ) == 0x0 01222 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01223 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1531, 0} ... {28, 56, reply, 0, 444, 456, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\274\1\0\0x\3\0\0" ) ) == 0x0 01225 880 NtWaitForSingleObject ... ) == 0x102 01226 884 NtWaitForSingleObject (80, 0, {0, 0}, ... 01227 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx3"}, ... }, ... 01228 456 NtResumeThread (272, ... 01229 880 NtWaitForSingleObject (208, 0, 0x0, ... 01230 596 NtSetEventBoostPriority (36, ... 01227 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01228 456 NtResumeThread ... 1, ) == 0x0 01220 636 NtWaitForSingleObject ... 
) == 0x0 01230 596 NtSetEventBoostPriority ... ) == 0x0 01231 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx4"}, ... }, ... 01226 884 NtWaitForSingleObject ... ) == 0x102 01232 888 NtWaitForSingleObject (36, 0, 0x0, ... 01233 636 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 01234 596 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01231 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 884 NtWaitForSingleObject (208, 0, 0x0, ... 01233 636 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01234 596 NtOpenKey ... 296, ) == 0x0 01236 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01237 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx5"}, ... }, ... 01238 596 NtQueryValueKey (296, (296, "Transports", Partial, 144, ... , Partial, 144, ... 01236 456 NtAllocateVirtualMemory ... 55640064, 2097152, ) == 0x0 01237 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01238 596 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01239 456 NtAllocateVirtualMemory (-1, 57729024, 0, 8192, 4096, 4, ... 01240 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx6"}, ... }, ... 01241 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 19983520, ... }, 19983520, ... 01239 456 NtAllocateVirtualMemory ... 57729024, 8192, ) == 0x0 01240 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01242 456 NtProtectVirtualMemory (-1, (0x370e000), 4096, 260, ... 01243 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx7"}, ... }, ... 01242 456 NtProtectVirtualMemory ... (0x370e000), 4096, 4, ) == 0x0 01243 576 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01244 596 NtQueryValueKey (296, (296, "Transports", Partial, 144, ... , Partial, 144, ... 01245 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01244 596 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01245 456 NtCreateThread ... 300, {444, 892}, ) == 0x0 01246 596 NtClose (296, ... 01247 456 NtQueryInformationThread (300, Basic, 28, ... 01246 596 NtClose ... ) == 0x0 01247 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=444,Tid=892,}, 0x0, ) == 0x0 01248 596 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01249 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1531, 0} (24, {28, 56, new_msg, 0, 444, 456, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0\274\1\0\0|\3\0\0" ... ... 01248 596 NtOpenKey ... 296, ) == 0x0 01249 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1532, 0} ... {28, 56, reply, 0, 444, 456, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0\274\1\0\0|\3\0\0" ) ) == 0x0 01250 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx8"}, ... }, ... 01251 456 NtResumeThread (300, ... 01250 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01251 456 NtResumeThread ... 1, ) == 0x0 01252 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx9"}, ... }, ... 01253 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01252 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01253 456 NtAllocateVirtualMemory ... 57737216, 2097152, ) == 0x0 01254 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx10"}, ... }, ... 01255 456 NtAllocateVirtualMemory (-1, 59826176, 0, 8192, 4096, 4, ... 01254 576 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01256 596 NtQueryValueKey (296, (296, "Mapping", Partial, 144, ... , Partial, 144, ... 01257 892 NtWaitForSingleObject (36, 0, 0x0, ... 01255 456 NtAllocateVirtualMemory ... 59826176, 8192, ) == 0x0 01241 636 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01256 596 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01258 456 NtProtectVirtualMemory (-1, (0x390e000), 4096, 260, ... 01259 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx11"}, ... }, ... 01260 596 NtQueryValueKey (296, (296, "Mapping", Partial, 144, ... , Partial, 144, ... 01258 456 NtProtectVirtualMemory ... (0x390e000), 4096, 4, ) == 0x0 01259 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01260 596 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01261 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01262 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx12"}, ... }, ... 01263 596 NtQueryValueKey (296, (296, "Mapping", Partial, 152, ... , Partial, 152, ... 01261 456 NtCreateThread ... 304, {444, 896}, ) == 0x0 01262 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01263 596 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01264 456 NtQueryInformationThread (304, Basic, 28, ... 01265 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx13"}, ... }, ... 01266 636 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 19983520, ... }, 19983520, ... 01267 596 NtClose (296, ... 01265 576 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01267 596 NtClose ... ) == 0x0 01264 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=444,Tid=896,}, 0x0, ) == 0x0 01268 596 NtAllocateVirtualMemory (-1, 4591616, 0, 4096, 4096, 4, ... 01269 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1532, 0} (24, {28, 56, new_msg, 0, 444, 456, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\1\0\0\274\1\0\0\200\3\0\0" ... ... 01268 596 NtAllocateVirtualMemory ... 4591616, 4096, ) == 0x0 01269 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1533, 0} ... {28, 56, reply, 0, 444, 456, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\1\0\0\274\1\0\0\200\3\0\0" ) ) == 0x0 01270 596 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01271 456 NtResumeThread (304, ... 01270 596 NtOpenKey ... 296, ) == 0x0 01271 456 NtResumeThread ... 1, ) == 0x0 01272 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx14"}, ... }, ... 01273 596 NtQueryValueKey (296, (296, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01274 896 NtWaitForSingleObject (36, 0, 0x0, ... 01272 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01273 596 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01275 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx15"}, ... }, ... 01276 596 NtQueryValueKey (296, (296, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01275 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01276 596 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01277 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx16"}, ... }, ... 01278 596 NtQueryValueKey (296, (296, "UseDelayedAcceptance", Partial, 144, ... 
, Partial, 144, ... 01277 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01278 596 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01279 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01280 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx17"}, ... }, ... 01279 456 NtAllocateVirtualMemory ... 59834368, 2097152, ) == 0x0 01280 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 456 NtAllocateVirtualMemory (-1, 61923328, 0, 8192, 4096, 4, ... 01282 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx18"}, ... }, ... 01281 456 NtAllocateVirtualMemory ... 61923328, 8192, ) == 0x0 01282 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01283 456 NtProtectVirtualMemory (-1, (0x3b0e000), 4096, 260, ... 01284 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx19"}, ... }, ... 01283 456 NtProtectVirtualMemory ... (0x3b0e000), 4096, 4, ) == 0x0 01284 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01285 596 NtQueryValueKey (296, (296, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01286 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01285 596 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01286 456 NtCreateThread ... 308, {444, 900}, ) == 0x0 01287 596 NtWaitForSingleObject (36, 0, 0x0, ... 01288 456 NtQueryInformationThread (308, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=444,Tid=900,}, 0x0, ) == 0x0 01289 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1533, 0} (24, {28, 56, new_msg, 0, 444, 456, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\1\0\0\274\1\0\0\204\3\0\0" ... 
{28, 56, reply, 0, 444, 456, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\1\0\0\274\1\0\0\204\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1534, 0} (24, {28, 56, new_msg, 0, 444, 456, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\1\0\0\274\1\0\0\204\3\0\0" ... {28, 56, reply, 0, 444, 456, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\1\0\0\274\1\0\0\204\3\0\0" ) ) == 0x0 01290 456 NtResumeThread (308, ... 1, ) == 0x0 01291 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 61931520, 2097152, ) == 0x0 01292 456 NtAllocateVirtualMemory (-1, 64020480, 0, 8192, 4096, 4, ... 01293 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx20"}, ... }, ... 01294 900 NtWaitForSingleObject (36, 0, 0x0, ... 01293 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01295 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx21"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01296 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx22"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01297 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx23"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01298 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx24"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01299 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx25"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01292 456 NtAllocateVirtualMemory ... 64020480, 8192, ) == 0x0 01300 456 NtProtectVirtualMemory (-1, (0x3d0e000), 4096, 260, ... (0x3d0e000), 4096, 4, ) == 0x0 01301 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 312, {444, 916}, ) == 0x0 01302 456 NtQueryInformationThread (312, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=444,Tid=916,}, 0x0, ) == 0x0 01303 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1534, 0} (24, {28, 56, new_msg, 0, 444, 456, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\1\0\0\274\1\0\0\224\3\0\0" ... {28, 56, reply, 0, 444, 456, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\1\0\0\274\1\0\0\224\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1535, 0} (24, {28, 56, new_msg, 0, 444, 456, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\1\0\0\274\1\0\0\224\3\0\0" ... {28, 56, reply, 0, 444, 456, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\1\0\0\274\1\0\0\224\3\0\0" ) ) == 0x0 01304 456 NtResumeThread (312, ... 1, ) == 0x0 01305 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx26"}, ... }, ... 01306 916 NtWaitForSingleObject (36, 0, 0x0, ... 01305 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx27"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01308 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx28"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01309 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx29"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01310 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01311 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx31"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01312 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 64028672, 2097152, ) == 0x0 01313 456 NtAllocateVirtualMemory (-1, 66117632, 0, 8192, 4096, 4, ... 66117632, 8192, ) == 0x0 01314 456 NtProtectVirtualMemory (-1, (0x3f0e000), 4096, 260, ... (0x3f0e000), 4096, 4, ) == 0x0 01315 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
316, {444, 920}, ) == 0x0 01316 456 NtQueryInformationThread (316, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=444,Tid=920,}, 0x0, ) == 0x0 01317 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1535, 0} (24, {28, 56, new_msg, 0, 444, 456, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\1\0\0\274\1\0\0\230\3\0\0" ... ... 01318 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01319 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx33"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01320 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx34"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01317 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1536, 0} ... {28, 56, reply, 0, 444, 456, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\1\0\0\274\1\0\0\230\3\0\0" ) ) == 0x0 01321 456 NtResumeThread (316, ... 1, ) == 0x0 01322 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 66125824, 2097152, ) == 0x0 01323 456 NtAllocateVirtualMemory (-1, 68214784, 0, 8192, 4096, 4, ... 68214784, 8192, ) == 0x0 01324 456 NtProtectVirtualMemory (-1, (0x410e000), 4096, 260, ... (0x410e000), 4096, 4, ) == 0x0 01325 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 320, {444, 924}, ) == 0x0 01326 456 NtQueryInformationThread (320, Basic, 28, ... 01327 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx35"}, ... }, ... 01328 920 NtWaitForSingleObject (36, 0, 0x0, ... 01327 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01329 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx36"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01330 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx37"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01331 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx38"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01332 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx39"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01333 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx40"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01326 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=444,Tid=924,}, 0x0, ) == 0x0 01334 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1536, 0} (24, {28, 56, new_msg, 0, 444, 456, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\1\0\0\274\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 444, 456, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\1\0\0\274\1\0\0\234\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1537, 0} (24, {28, 56, new_msg, 0, 444, 456, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\1\0\0\274\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 444, 456, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\1\0\0\274\1\0\0\234\3\0\0" ) ) == 0x0 01335 456 NtResumeThread (320, ... 1, ) == 0x0 01336 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 68222976, 2097152, ) == 0x0 01337 456 NtAllocateVirtualMemory (-1, 70311936, 0, 8192, 4096, 4, ... 70311936, 8192, ) == 0x0 01338 456 NtProtectVirtualMemory (-1, (0x430e000), 4096, 260, ... (0x430e000), 4096, 4, ) == 0x0 01339 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx41"}, ... }, ... 01340 924 NtWaitForSingleObject (36, 0, 0x0, ... 01339 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01341 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx42"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01342 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx43"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01343 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx44"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01344 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx45"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01345 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx46"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01346 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 324, {444, 928}, ) == 0x0 01347 456 NtQueryInformationThread (324, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=444,Tid=928,}, 0x0, ) == 0x0 01348 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1537, 0} (24, {28, 56, new_msg, 0, 444, 456, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0\274\1\0\0\240\3\0\0" ... {28, 56, reply, 0, 444, 456, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0\274\1\0\0\240\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1538, 0} (24, {28, 56, new_msg, 0, 444, 456, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0\274\1\0\0\240\3\0\0" ... {28, 56, reply, 0, 444, 456, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0\274\1\0\0\240\3\0\0" ) ) == 0x0 01349 456 NtResumeThread (324, ... 1, ) == 0x0 01350 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 70320128, 2097152, ) == 0x0 01351 456 NtAllocateVirtualMemory (-1, 72409088, 0, 8192, 4096, 4, ... 01352 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx47"}, ... }, ... 01353 928 NtWaitForSingleObject (36, 0, 0x0, ... 01352 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01354 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx48"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01355 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx49"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01356 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx50"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01357 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx51"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01358 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01351 456 NtAllocateVirtualMemory ... 72409088, 8192, ) == 0x0 01359 456 NtProtectVirtualMemory (-1, (0x450e000), 4096, 260, ... (0x450e000), 4096, 4, ) == 0x0 01360 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 328, {444, 932}, ) == 0x0 01361 456 NtQueryInformationThread (328, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=444,Tid=932,}, 0x0, ) == 0x0 01362 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1538, 0} (24, {28, 56, new_msg, 0, 444, 456, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0\274\1\0\0\244\3\0\0" ... {28, 56, reply, 0, 444, 456, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0\274\1\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1539, 0} (24, {28, 56, new_msg, 0, 444, 456, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0\274\1\0\0\244\3\0\0" ... {28, 56, reply, 0, 444, 456, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0\274\1\0\0\244\3\0\0" ) ) == 0x0 01363 456 NtResumeThread (328, ... 1, ) == 0x0 01364 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx53"}, ... }, ... 01365 932 NtWaitForSingleObject (36, 0, 0x0, ... 01364 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01366 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx54"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01367 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx55"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01368 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx56"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01369 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx57"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01370 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx58"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01371 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 72417280, 2097152, ) == 0x0 01372 456 NtAllocateVirtualMemory (-1, 74506240, 0, 8192, 4096, 4, ... 74506240, 8192, ) == 0x0 01373 456 NtProtectVirtualMemory (-1, (0x470e000), 4096, 260, ... (0x470e000), 4096, 4, ) == 0x0 01374 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 332, {444, 936}, ) == 0x0 01375 456 NtQueryInformationThread (332, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=444,Tid=936,}, 0x0, ) == 0x0 01376 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1539, 0} (24, {28, 56, new_msg, 0, 444, 456, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\1\0\0\274\1\0\0\250\3\0\0" ... ... 01377 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx59"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01378 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx60"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01379 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx61"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01376 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1540, 0} ... {28, 56, reply, 0, 444, 456, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\1\0\0\274\1\0\0\250\3\0\0" ) ) == 0x0 01380 456 NtResumeThread (332, ... 1, ) == 0x0 01381 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
74514432, 2097152, ) == 0x0 01382 456 NtAllocateVirtualMemory (-1, 76603392, 0, 8192, 4096, 4, ... 76603392, 8192, ) == 0x0 01383 456 NtProtectVirtualMemory (-1, (0x490e000), 4096, 260, ... (0x490e000), 4096, 4, ) == 0x0 01384 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 336, {444, 940}, ) == 0x0 01385 456 NtQueryInformationThread (336, Basic, 28, ... 01386 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx62"}, ... }, ... 01387 936 NtWaitForSingleObject (36, 0, 0x0, ... 01386 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01388 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx63"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01389 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx64"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01390 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx65"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01391 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx66"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01392 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx67"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01385 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=444,Tid=940,}, 0x0, ) == 0x0 01266 636 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01393 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1540, 0} (24, {28, 56, new_msg, 0, 444, 456, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\1\0\0\274\1\0\0\254\3\0\0" ... ... 01394 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 19983520, ... }, 19983520, ... 01393 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1541, 0} ... 
{28, 56, reply, 0, 444, 456, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\1\0\0\274\1\0\0\254\3\0\0" ) ) == 0x0 01394 636 NtQueryAttributesFile ... ) == 0x0 01395 456 NtResumeThread (336, ... 01396 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ... 01395 456 NtResumeThread ... 1, ) == 0x0 01397 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx68"}, ... }, ... 01396 636 NtOpenFile ... 340, {status=0x0, info=1}, ) == 0x0 01398 940 NtWaitForSingleObject (36, 0, 0x0, ... 01397 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01399 636 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 340, ... 01400 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx69"}, ... }, ... 01399 636 NtCreateSection ... 344, ) == 0x0 01400 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01401 636 NtQuerySection (344, Image, 48, ... 01402 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx70"}, ... }, ... 01401 636 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01402 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 636 NtClose (340, ... 01404 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01405 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx71"}, ... }, ... 01404 456 NtAllocateVirtualMemory ... 76611584, 2097152, ) == 0x0 01405 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 456 NtAllocateVirtualMemory (-1, 78700544, 0, 8192, 4096, 4, ... 01407 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx72"}, ... }, ... 01406 456 NtAllocateVirtualMemory ... 78700544, 8192, ) == 0x0 01407 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01408 456 NtProtectVirtualMemory (-1, (0x4b0e000), 4096, 260, ... 
01409 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx73"}, ... }, ... 01408 456 NtProtectVirtualMemory ... (0x4b0e000), 4096, 4, ) == 0x0 01409 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 636 NtClose ... ) == 0x0 01410 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01411 636 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01410 456 NtCreateThread ... 340, {444, 944}, ) == 0x0 01411 636 NtMapViewOfSection ... (0x76f20000), 0x0, 151552, ) == 0x0 01412 456 NtQueryInformationThread (340, Basic, 28, ... 01413 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx74"}, ... }, ... 01412 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=444,Tid=944,}, 0x0, ) == 0x0 01413 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01414 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1541, 0} (24, {28, 56, new_msg, 0, 444, 456, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\1\0\0\274\1\0\0\260\3\0\0" ... ... 01415 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx75"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01416 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx76"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01417 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx77"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01418 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx78"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01419 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx79"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01420 636 NtClose (344, ... 01414 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1542, 0} ... 
{28, 56, reply, 0, 444, 456, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\1\0\0\274\1\0\0\260\3\0\0" ) ) == 0x0 01420 636 NtClose ... ) == 0x0 01421 456 NtResumeThread (340, ... 01422 636 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01421 456 NtResumeThread ... 1, ) == 0x0 01422 636 NtCreateKey ... 344, 2, ) == 0x0 01423 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01424 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01423 456 NtAllocateVirtualMemory ... 78708736, 2097152, ) == 0x0 01424 636 NtOpenKey ... 348, ) == 0x0 01425 456 NtAllocateVirtualMemory (-1, 80797696, 0, 8192, 4096, 4, ... 01426 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx80"}, ... }, ... 01427 944 NtWaitForSingleObject (36, 0, 0x0, ... 01428 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01426 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01428 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01429 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx81"}, ... }, ... 01430 636 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... }, ... 01429 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx82"}, ... }, ... 01432 636 NtQueryValueKey (348, (348, "QueryAdapterName", Partial, 144, ... , Partial, 144, ... 01431 576 NtOpenMutant ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01432 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01425 456 NtAllocateVirtualMemory ... 80797696, 8192, ) == 0x0 01433 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx83"}, ... }, ... 01434 456 NtProtectVirtualMemory (-1, (0x4d0e000), 4096, 260, ... 01433 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01434 456 NtProtectVirtualMemory ... (0x4d0e000), 4096, 4, ) == 0x0 01435 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx84"}, ... }, ... 01436 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01435 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01436 456 NtCreateThread ... 352, {444, 948}, ) == 0x0 01437 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx85"}, ... }, ... 01438 456 NtQueryInformationThread (352, Basic, 28, ... 01437 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01439 636 NtQueryValueKey (344, (344, "DisableAdapterDomainName", Partial, 144, ... , Partial, 144, ... 01438 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=444,Tid=948,}, 0x0, ) == 0x0 01439 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01440 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1542, 0} (24, {28, 56, new_msg, 0, 444, 456, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\274\1\0\0\264\3\0\0" ... ... 01441 636 NtQueryValueKey (348, (348, "UseDomainNameDevolution", Partial, 144, ... , Partial, 144, ... 01440 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1543, 0} ... {28, 56, reply, 0, 444, 456, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\274\1\0\0\264\3\0\0" ) ) == 0x0 01441 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 456 NtResumeThread (352, ... 01443 636 NtQueryValueKey (344, (344, "UseDomainNameDevolution", Partial, 144, ... , Partial, 144, ... 01442 456 NtResumeThread ... 
1, ) == 0x0 01443 636 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01444 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx86"}, ... }, ... 01445 948 NtWaitForSingleObject (36, 0, 0x0, ... 01446 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01444 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01446 456 NtAllocateVirtualMemory ... 80805888, 2097152, ) == 0x0 01447 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx87"}, ... }, ... 01448 456 NtAllocateVirtualMemory (-1, 82894848, 0, 8192, 4096, 4, ... 01447 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01448 456 NtAllocateVirtualMemory ... 82894848, 8192, ) == 0x0 01449 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx88"}, ... }, ... 01450 456 NtProtectVirtualMemory (-1, (0x4f0e000), 4096, 260, ... 01449 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01450 456 NtProtectVirtualMemory ... (0x4f0e000), 4096, 4, ) == 0x0 01451 636 NtQueryValueKey (348, (348, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ... 01452 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx89"}, ... }, ... 01451 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01452 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01453 636 NtQueryValueKey (344, (344, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ... 01454 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx90"}, ... }, ... 01453 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01454 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 636 NtQueryValueKey (348, (348, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ... 01456 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx91"}, ... }, ... 
01455 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01456 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01458 636 NtQueryValueKey (344, (344, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ... 01457 456 NtCreateThread ... 356, {444, 952}, ) == 0x0 01458 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01459 456 NtQueryInformationThread (356, Basic, 28, ... 01460 636 NtQueryValueKey (348, (348, "AppendToMultiLabelName", Partial, 144, ... , Partial, 144, ... 01459 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=444,Tid=952,}, 0x0, ) == 0x0 01460 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01461 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1543, 0} (24, {28, 56, new_msg, 0, 444, 456, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\274\1\0\0\270\3\0\0" ... ... 01462 636 NtQueryValueKey (348, (348, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01463 636 NtQueryValueKey (348, (348, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01464 636 NtQueryValueKey (348, (348, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01465 636 NtQueryValueKey (348, (348, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01466 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx92"}, ... }, ... 01461 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1544, 0} ... {28, 56, reply, 0, 444, 456, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\274\1\0\0\270\3\0\0" ) ) == 0x0 01466 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01467 456 NtResumeThread (356, ... 01468 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx93"}, ... }, ... 
01467 456 NtResumeThread ... 1, ) == 0x0 01468 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01469 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01470 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx94"}, ... }, ... 01469 456 NtAllocateVirtualMemory ... 82903040, 2097152, ) == 0x0 01470 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01471 456 NtAllocateVirtualMemory (-1, 84992000, 0, 8192, 4096, 4, ... 01472 636 NtQueryValueKey (348, (348, "UseEdns", Partial, 144, ... , Partial, 144, ... 01473 952 NtWaitForSingleObject (36, 0, 0x0, ... 01474 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx95"}, ... }, ... 01472 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01474 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01475 636 NtQueryValueKey (348, (348, "RegistrationEnabled", Partial, 144, ... , Partial, 144, ... 01476 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx96"}, ... }, ... 01475 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01476 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01477 636 NtQueryValueKey (344, (344, "DisableDynamicUpdate", Partial, 144, ... , Partial, 144, ... 01478 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx97"}, ... }, ... 01477 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01478 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01471 456 NtAllocateVirtualMemory ... 84992000, 8192, ) == 0x0 01479 636 NtQueryValueKey (348, (348, "RegisterPrimaryName", Partial, 144, ... , Partial, 144, ... 01480 456 NtProtectVirtualMemory (-1, (0x510e000), 4096, 260, ... 01479 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01480 456 NtProtectVirtualMemory ... (0x510e000), 4096, 4, ) == 0x0 01481 636 NtQueryValueKey (348, (348, "RegisterAdapterName", Partial, 144, ... , Partial, 144, ... 
01482 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01481 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01482 456 NtCreateThread ... 360, {444, 956}, ) == 0x0 01483 636 NtQueryValueKey (344, (344, "EnableAdapterDomainNameRegistration", Partial, 144, ... , Partial, 144, ... 01484 456 NtQueryInformationThread (360, Basic, 28, ... 01483 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01485 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx98"}, ... }, ... 01484 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=444,Tid=956,}, 0x0, ) == 0x0 01485 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01486 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1544, 0} (24, {28, 56, new_msg, 0, 444, 456, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\1\0\0\274\1\0\0\274\3\0\0" ... ... 01487 576 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx99"}, ... }, ... 01486 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1545, 0} ... {28, 56, reply, 0, 444, 456, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\1\0\0\274\1\0\0\274\3\0\0" ) ) == 0x0 01487 576 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01488 456 NtResumeThread (360, ... 01489 576 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "kkq-vx_mtx1"}, 0, ... }, 0, ... 01488 456 NtResumeThread ... 1, ) == 0x0 01489 576 NtCreateMutant ... 364, ) == 0x0 01490 636 NtQueryValueKey (348, (348, "RegisterReverseLookup", Partial, 144, ... , Partial, 144, ... 01491 956 NtWaitForSingleObject (36, 0, 0x0, ... 01492 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01490 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01492 456 NtAllocateVirtualMemory ... 85000192, 2097152, ) == 0x0 01493 636 NtQueryValueKey (344, (344, "DisableReverseAddressRegistrations", Partial, 144, ... , Partial, 144, ... 
01494 456 NtAllocateVirtualMemory (-1, 87089152, 0, 8192, 4096, 4, ... 01493 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 456 NtAllocateVirtualMemory ... 87089152, 8192, ) == 0x0 01495 636 NtQueryValueKey (348, (348, "RegisterWanAdapters", Partial, 144, ... , Partial, 144, ... 01496 456 NtProtectVirtualMemory (-1, (0x530e000), 4096, 260, ... 01495 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01496 456 NtProtectVirtualMemory ... (0x530e000), 4096, 4, ) == 0x0 01497 576 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "kkq-vx_mtx2"}, 0, ... }, 0, ... 01498 636 NtQueryValueKey (344, (344, "DisableWanDynamicUpdate", Partial, 144, ... , Partial, 144, ... 01497 576 NtCreateMutant ... 368, ) == 0x0 01498 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01499 576 NtUserFindExistingCursorIcon (8715196, 8715212, 8715780, ... 01500 636 NtQueryValueKey (348, (348, "RegistrationOverwritesInConflict", Partial, 144, ... , Partial, 144, ... 01499 576 NtUserFindExistingCursorIcon ... ) == 0x10011 01500 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01501 576 NtUserFindExistingCursorIcon (8715196, 8715212, 8715780, ... 01502 636 NtQueryValueKey (344, (344, "DisableReplaceAddressesInConflicts", Partial, 144, ... , Partial, 144, ... 01501 576 NtUserFindExistingCursorIcon ... ) == 0x10005 01502 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01503 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01504 576 NtUserRegisterClassExWOW (8715648, 8715724, 8715740, 8715712, 0, 386, 0, ... 01503 456 NtCreateThread ... 372, {444, 960}, ) == 0x0 01504 576 NtUserRegisterClassExWOW ... ) == 0x810cc0d2 01505 456 NtQueryInformationThread (372, Basic, 28, ... 01506 576 NtUserCreateWindowEx (-2147483648, 8715684, 8715496, "13238272, 0, 0, 0, 0, 0, 0, 4194304, 0, 1073742848, 0, ... 01505 456 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=444,Tid=960,}, 0x0, ) == 0x0 01507 576 NtUserGetIconSize (65541, 0, 8714212, 8714220, ... 01508 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1545, 0} (24, {28, 56, new_msg, 0, 444, 456, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\1\0\0\274\1\0\0\300\3\0\0" ... ... 01507 576 NtUserGetIconSize ... ) == 0x1 01509 576 NtUserGetIconInfo (65541, 8714188, 8714180, 8714172, 8714208, 1, ... ) == 0x1 01510 576 NtWaitForSingleObject (36, 0, 0x0, ... 01511 636 NtQueryValueKey (348, (348, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01512 636 NtQueryValueKey (344, (344, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01513 636 NtQueryValueKey (348, (348, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01508 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1546, 0} ... {28, 56, reply, 0, 444, 456, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\1\0\0\274\1\0\0\300\3\0\0" ) ) == 0x0 01514 456 NtResumeThread (372, ... 1, ) == 0x0 01515 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 87097344, 2097152, ) == 0x0 01516 456 NtAllocateVirtualMemory (-1, 89186304, 0, 8192, 4096, 4, ... 89186304, 8192, ) == 0x0 01517 456 NtProtectVirtualMemory (-1, (0x550e000), 4096, 260, ... (0x550e000), 4096, 4, ) == 0x0 01518 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 376, {444, 964}, ) == 0x0 01519 456 NtQueryInformationThread (376, Basic, 28, ... 01520 636 NtQueryValueKey (344, (344, "DefaultRegistrationRefreshInterval", Partial, 144, ... , Partial, 144, ... 01521 960 NtWaitForSingleObject (36, 0, 0x0, ... 01520 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01522 636 NtQueryValueKey (348, (348, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01523 636 NtQueryValueKey (344, (344, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01524 636 NtQueryValueKey (348, (348, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01525 636 NtQueryValueKey (344, (344, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01526 636 NtQueryValueKey (348, (348, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01519 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=444,Tid=964,}, 0x0, ) == 0x0 01527 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1546, 0} (24, {28, 56, new_msg, 0, 444, 456, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\274\1\0\0\304\3\0\0" ... {28, 56, reply, 0, 444, 456, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\274\1\0\0\304\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1547, 0} (24, {28, 56, new_msg, 0, 444, 456, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\274\1\0\0\304\3\0\0" ... {28, 56, reply, 0, 444, 456, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\274\1\0\0\304\3\0\0" ) ) == 0x0 01528 456 NtResumeThread (376, ... 1, ) == 0x0 01529 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 89194496, 2097152, ) == 0x0 01530 456 NtAllocateVirtualMemory (-1, 91283456, 0, 8192, 4096, 4, ... 91283456, 8192, ) == 0x0 01531 456 NtProtectVirtualMemory (-1, (0x570e000), 4096, 260, ... (0x570e000), 4096, 4, ) == 0x0 01532 636 NtQueryValueKey (348, (348, "UpdateTopLevelDomainZones", Partial, 144, ... , Partial, 144, ... 01533 964 NtWaitForSingleObject (36, 0, 0x0, ... 01532 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01534 636 NtQueryValueKey (348, (348, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01535 636 NtQueryValueKey (348, (348, "MaxCacheSize", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01536 636 NtQueryValueKey (348, (348, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01537 636 NtQueryValueKey (348, (348, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01538 636 NtQueryValueKey (348, (348, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01539 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 380, {444, 968}, ) == 0x0 01540 456 NtQueryInformationThread (380, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=444,Tid=968,}, 0x0, ) == 0x0 01541 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1547, 0} (24, {28, 56, new_msg, 0, 444, 456, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\1\0\0\274\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 444, 456, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\1\0\0\274\1\0\0\310\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1548, 0} (24, {28, 56, new_msg, 0, 444, 456, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\1\0\0\274\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 444, 456, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\1\0\0\274\1\0\0\310\3\0\0" ) ) == 0x0 01542 456 NtResumeThread (380, ... 1, ) == 0x0 01543 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 91291648, 2097152, ) == 0x0 01544 456 NtAllocateVirtualMemory (-1, 93380608, 0, 8192, 4096, 4, ... 01545 636 NtQueryValueKey (348, (348, "ServerPriorityTimeLimit", Partial, 144, ... , Partial, 144, ... 01546 968 NtWaitForSingleObject (36, 0, 0x0, ... 01545 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 636 NtQueryValueKey (348, (348, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01548 636 NtQueryValueKey (348, (348, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01549 636 NtQueryValueKey (348, (348, "MulticastOnNameError", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01550 636 NtQueryValueKey (348, (348, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01551 636 NtQueryValueKey (348, (348, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01544 456 NtAllocateVirtualMemory ... 93380608, 8192, ) == 0x0 01552 456 NtProtectVirtualMemory (-1, (0x590e000), 4096, 260, ... (0x590e000), 4096, 4, ) == 0x0 01553 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 384, {444, 992}, ) == 0x0 01554 456 NtQueryInformationThread (384, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=444,Tid=992,}, 0x0, ) == 0x0 01555 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1548, 0} (24, {28, 56, new_msg, 0, 444, 456, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\1\0\0\274\1\0\0\340\3\0\0" ... {28, 56, reply, 0, 444, 456, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\1\0\0\274\1\0\0\340\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1549, 0} (24, {28, 56, new_msg, 0, 444, 456, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\1\0\0\274\1\0\0\340\3\0\0" ... {28, 56, reply, 0, 444, 456, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\1\0\0\274\1\0\0\340\3\0\0" ) ) == 0x0 01556 456 NtResumeThread (384, ... 1, ) == 0x0 01557 636 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\Setup"}, ... }, ... 01558 992 NtWaitForSingleObject (36, 0, 0x0, ... 01557 636 NtOpenKey ... 388, ) == 0x0 01559 636 NtQueryValueKey (388, (388, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (388, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01560 636 NtClose (388, ... ) == 0x0 01561 636 NtClose (344, ... ) == 0x0 01562 636 NtClose (348, ... 
) == 0x0 01563 636 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 348, ) }, ... 348, ) == 0x0 01564 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 93388800, 2097152, ) == 0x0 01565 456 NtAllocateVirtualMemory (-1, 95477760, 0, 8192, 4096, 4, ... 95477760, 8192, ) == 0x0 01566 456 NtProtectVirtualMemory (-1, (0x5b0e000), 4096, 260, ... (0x5b0e000), 4096, 4, ) == 0x0 01567 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 344, {444, 996}, ) == 0x0 01568 456 NtQueryInformationThread (344, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=444,Tid=996,}, 0x0, ) == 0x0 01569 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1549, 0} (24, {28, 56, new_msg, 0, 444, 456, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\1\0\0\274\1\0\0\344\3\0\0" ... ... 01570 636 NtQueryValueKey (348, (348, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01571 636 NtQueryValueKey (348, (348, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01572 636 NtQueryValueKey (348, (348, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01569 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1550, 0} ... {28, 56, reply, 0, 444, 456, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\1\0\0\274\1\0\0\344\3\0\0" ) ) == 0x0 01573 456 NtResumeThread (344, ... 1, ) == 0x0 01574 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 95485952, 2097152, ) == 0x0 01575 456 NtAllocateVirtualMemory (-1, 97574912, 0, 8192, 4096, 4, ... 97574912, 8192, ) == 0x0 01576 456 NtProtectVirtualMemory (-1, (0x5d0e000), 4096, 260, ... (0x5d0e000), 4096, 4, ) == 0x0 01577 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 388, {444, 1012}, ) == 0x0 01578 456 NtQueryInformationThread (388, Basic, 28, ... 01579 636 NtClose (348, ... 
01580 996 NtWaitForSingleObject (36, 0, 0x0, ... 01579 636 NtClose ... ) == 0x0 01581 636 NtSetEventBoostPriority (36, ... 01232 888 NtWaitForSingleObject ... ) == 0x0 01582 888 NtSetEventBoostPriority (36, ... 01257 892 NtWaitForSingleObject ... ) == 0x0 01583 892 NtSetEventBoostPriority (36, ... 01274 896 NtWaitForSingleObject ... ) == 0x0 01584 896 NtSetEventBoostPriority (36, ... 01287 596 NtWaitForSingleObject ... ) == 0x0 01585 596 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 17888368, ... ) }, 17888368, ... ) == 0x0 01584 896 NtSetEventBoostPriority ... ) == 0x0 01583 892 NtSetEventBoostPriority ... ) == 0x0 01582 888 NtSetEventBoostPriority ... ) == 0x0 01581 636 NtSetEventBoostPriority ... ) == 0x0 01578 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=444,Tid=1012,}, 0x0, ) == 0x0 01586 596 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01587 896 NtTestAlert (... 01588 892 NtTestAlert (... 01589 636 NtWaitForSingleObject (36, 0, 0x0, ... 01590 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1550, 0} (24, {28, 56, new_msg, 0, 444, 456, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\1\0\0\274\1\0\0\364\3\0\0" ... ... 01586 596 NtOpenFile ... 348, {status=0x0, info=1}, ) == 0x0 01587 896 NtTestAlert ... ) == 0x0 01588 892 NtTestAlert ... ) == 0x0 01590 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1551, 0} ... {28, 56, reply, 0, 444, 456, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\1\0\0\274\1\0\0\364\3\0\0" ) ) == 0x0 01591 596 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 348, ... 01592 896 NtContinue (59833648, 1, ... 01593 892 NtContinue (57736496, 1, ... 01594 456 NtResumeThread (388, ... 01591 596 NtCreateSection ... 392, ) == 0x0 01595 896 NtRegisterThreadTerminatePort (24, ... 01596 892 NtRegisterThreadTerminatePort (24, ... 
01594 456 NtResumeThread ... 1, ) == 0x0 01597 596 NtClose (348, ... 01595 896 NtRegisterThreadTerminatePort ... ) == 0x0 01596 892 NtRegisterThreadTerminatePort ... ) == 0x0 01598 888 NtTestAlert (... 01599 1012 NtWaitForSingleObject (36, 0, 0x0, ... 01597 596 NtClose ... ) == 0x0 01600 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01601 892 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01598 888 NtTestAlert ... ) == 0x0 01602 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01603 596 NtMapViewOfSection (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01600 896 NtDuplicateObject ... 348, ) == 0x0 01604 888 NtContinue (55639344, 1, ... 01602 456 NtAllocateVirtualMemory ... 97583104, 2097152, ) == 0x0 01603 596 NtMapViewOfSection ... (0xef0000), 0x0, 20480, ) == 0x0 01605 896 NtWaitForSingleObject (80, 0, {0, 0}, ... 01606 888 NtRegisterThreadTerminatePort (24, ... 01607 456 NtAllocateVirtualMemory (-1, 99672064, 0, 8192, 4096, 4, ... 01608 596 NtClose (392, ... 01605 896 NtWaitForSingleObject ... ) == 0x102 01606 888 NtRegisterThreadTerminatePort ... ) == 0x0 01607 456 NtAllocateVirtualMemory ... 99672064, 8192, ) == 0x0 01608 596 NtClose ... ) == 0x0 01609 896 NtWaitForSingleObject (208, 0, 0x0, ... 01610 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01611 456 NtProtectVirtualMemory (-1, (0x5f0e000), 4096, 260, ... 01612 596 NtUnmapViewOfSection (-1, 0xef0000, ... 01601 892 NtDuplicateObject ... 392, ) == 0x0 01611 456 NtProtectVirtualMemory ... (0x5f0e000), 4096, 4, ) == 0x0 01612 596 NtUnmapViewOfSection ... ) == 0x0 01613 892 NtWaitForSingleObject (80, 0, {0, 0}, ... 01610 888 NtDuplicateObject ... 396, ) == 0x0 01614 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01613 892 NtWaitForSingleObject ... ) == 0x102 01615 888 NtWaitForSingleObject (80, 0, {0, 0}, ... 01614 456 NtCreateThread ... 400, {444, 1024}, ) == 0x0 01616 892 NtWaitForSingleObject (208, 0, 0x0, ... 01615 888 NtWaitForSingleObject ... 
) == 0x102 01617 456 NtQueryInformationThread (400, Basic, 28, ... 01618 888 NtWaitForSingleObject (208, 0, 0x0, ... 01617 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=444,Tid=1024,}, 0x0, ) == 0x0 01619 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1551, 0} (24, {28, 56, new_msg, 0, 444, 456, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\1\0\0\274\1\0\0\0\4\0\0" ... {28, 56, reply, 0, 444, 456, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\1\0\0\274\1\0\0\0\4\0\0" ) ... {28, 56, reply, 0, 444, 456, 1552, 0} (24, {28, 56, new_msg, 0, 444, 456, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\1\0\0\274\1\0\0\0\4\0\0" ... {28, 56, reply, 0, 444, 456, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\1\0\0\274\1\0\0\0\4\0\0" ) ) == 0x0 01620 456 NtResumeThread (400, ... 1, ) == 0x0 01621 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 99680256, 2097152, ) == 0x0 01622 456 NtAllocateVirtualMemory (-1, 101769216, 0, 8192, 4096, 4, ... 01623 596 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 17888684, ... }, 17888684, ... 01624 1024 NtWaitForSingleObject (36, 0, 0x0, ... 01623 596 NtQueryAttributesFile ... ) == 0x0 01625 596 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 404, {status=0x0, info=1}, ) }, 5, 96, ... 404, {status=0x0, info=1}, ) == 0x0 01626 596 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 404, ... 408, ) == 0x0 01627 596 NtQuerySection (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01628 596 NtClose (404, ... ) == 0x0 01629 596 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01622 456 NtAllocateVirtualMemory ... 101769216, 8192, ) == 0x0 01630 456 NtProtectVirtualMemory (-1, (0x610e000), 4096, 260, ... (0x610e000), 4096, 4, ) == 0x0 01631 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
404, {444, 1028}, ) == 0x0 01632 456 NtQueryInformationThread (404, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=444,Tid=1028,}, 0x0, ) == 0x0 01633 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1552, 0} (24, {28, 56, new_msg, 0, 444, 456, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\274\1\0\0\4\4\0\0" ... {28, 56, reply, 0, 444, 456, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\274\1\0\0\4\4\0\0" ) ... {28, 56, reply, 0, 444, 456, 1553, 0} (24, {28, 56, new_msg, 0, 444, 456, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\274\1\0\0\4\4\0\0" ... {28, 56, reply, 0, 444, 456, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\274\1\0\0\4\4\0\0" ) ) == 0x0 01634 456 NtResumeThread (404, ... 1, ) == 0x0 01635 596 NtClose (408, ... 01636 1028 NtWaitForSingleObject (36, 0, 0x0, ... 01635 596 NtClose ... ) == 0x0 01637 596 NtSetEventBoostPriority (36, ... 01294 900 NtWaitForSingleObject ... ) == 0x0 01638 900 NtSetEventBoostPriority (36, ... 01306 916 NtWaitForSingleObject ... ) == 0x0 01639 916 NtSetEventBoostPriority (36, ... 01328 920 NtWaitForSingleObject ... ) == 0x0 01640 920 NtSetEventBoostPriority (36, ... 01340 924 NtWaitForSingleObject ... ) == 0x0 01641 924 NtSetEventBoostPriority (36, ... 01353 928 NtWaitForSingleObject ... ) == 0x0 01642 928 NtSetEventBoostPriority (36, ... 01365 932 NtWaitForSingleObject ... ) == 0x0 01643 932 NtSetEventBoostPriority (36, ... 01387 936 NtWaitForSingleObject ... ) == 0x0 01644 936 NtSetEventBoostPriority (36, ... 01398 940 NtWaitForSingleObject ... ) == 0x0 01645 940 NtSetEventBoostPriority (36, ... 01427 944 NtWaitForSingleObject ... ) == 0x0 01646 944 NtSetEventBoostPriority (36, ... 01445 948 NtWaitForSingleObject ... ) == 0x0 01647 948 NtSetEventBoostPriority (36, ... 01473 952 NtWaitForSingleObject ... ) == 0x0 01648 952 NtSetEventBoostPriority (36, ... 01491 956 NtWaitForSingleObject ... ) == 0x0 01649 956 NtSetEventBoostPriority (36, ... 01510 576 NtWaitForSingleObject ... 
) == 0x0 01650 576 NtSetEventBoostPriority (36, ... 01521 960 NtWaitForSingleObject ... ) == 0x0 01651 960 NtSetEventBoostPriority (36, ... 01533 964 NtWaitForSingleObject ... ) == 0x0 01652 964 NtSetEventBoostPriority (36, ... 01546 968 NtWaitForSingleObject ... ) == 0x0 01653 968 NtSetEventBoostPriority (36, ... 01558 992 NtWaitForSingleObject ... ) == 0x0 01654 992 NtSetEventBoostPriority (36, ... 01580 996 NtWaitForSingleObject ... ) == 0x0 01655 996 NtAllocateVirtualMemory (-1, 13193216, 0, 4096, 4096, 4, ... 13193216, 4096, ) == 0x0 01654 992 NtSetEventBoostPriority ... ) == 0x0 01653 968 NtSetEventBoostPriority ... ) == 0x0 01652 964 NtSetEventBoostPriority ... ) == 0x0 01651 960 NtSetEventBoostPriority ... ) == 0x0 01649 956 NtSetEventBoostPriority ... ) == 0x0 01648 952 NtSetEventBoostPriority ... ) == 0x0 01647 948 NtSetEventBoostPriority ... ) == 0x0 01646 944 NtSetEventBoostPriority ... ) == 0x0 01645 940 NtSetEventBoostPriority ... ) == 0x0 01644 936 NtSetEventBoostPriority ... ) == 0x0 01643 932 NtSetEventBoostPriority ... ) == 0x0 01642 928 NtSetEventBoostPriority ... ) == 0x0 01641 924 NtSetEventBoostPriority ... ) == 0x0 01640 920 NtSetEventBoostPriority ... ) == 0x0 01639 916 NtSetEventBoostPriority ... ) == 0x0 01638 900 NtSetEventBoostPriority ... ) == 0x0 01637 596 NtSetEventBoostPriority ... ) == 0x0 01650 576 NtSetEventBoostPriority ... ) == 0x0 01656 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01657 996 NtSetEventBoostPriority (36, ... 01658 992 NtTestAlert (... 01659 968 NtTestAlert (... 01660 964 NtTestAlert (... 01661 960 NtTestAlert (... 01662 956 NtTestAlert (... 01663 952 NtTestAlert (... 01664 948 NtTestAlert (... 01665 944 NtTestAlert (... 01666 940 NtTestAlert (... 01667 936 NtTestAlert (... 01668 932 NtTestAlert (... 01669 928 NtTestAlert (... 01670 924 NtTestAlert (... 01671 920 NtTestAlert (... 01672 916 NtTestAlert (... 01673 596 NtClose (296, ... 01674 900 NtTestAlert (... 01656 456 NtAllocateVirtualMemory ... 
101777408, 2097152, ) == 0x0 01589 636 NtWaitForSingleObject ... ) == 0x0 01657 996 NtSetEventBoostPriority ... ) == 0x0 01658 992 NtTestAlert ... ) == 0x0 01659 968 NtTestAlert ... ) == 0x0 01660 964 NtTestAlert ... ) == 0x0 01661 960 NtTestAlert ... ) == 0x0 01662 956 NtTestAlert ... ) == 0x0 01663 952 NtTestAlert ... ) == 0x0 01664 948 NtTestAlert ... ) == 0x0 01665 944 NtTestAlert ... ) == 0x0 01666 940 NtTestAlert ... ) == 0x0 01667 936 NtTestAlert ... ) == 0x0 01668 932 NtTestAlert ... ) == 0x0 01669 928 NtTestAlert ... ) == 0x0 01670 924 NtTestAlert ... ) == 0x0 01671 920 NtTestAlert ... ) == 0x0 01672 916 NtTestAlert ... ) == 0x0 01673 596 NtClose ... ) == 0x0 01674 900 NtTestAlert ... ) == 0x0 01675 636 NtSetEventBoostPriority (36, ... 01676 456 NtAllocateVirtualMemory (-1, 103866368, 0, 8192, 4096, 4, ... 01677 996 NtTestAlert (... 01678 992 NtContinue (93388080, 1, ... 01679 968 NtContinue (91290928, 1, ... 01680 964 NtContinue (89193776, 1, ... 01681 960 NtContinue (87096624, 1, ... 01682 956 NtContinue (84999472, 1, ... 01683 952 NtContinue (82902320, 1, ... 01684 948 NtContinue (80805168, 1, ... 01685 944 NtContinue (78708016, 1, ... 01686 940 NtContinue (76610864, 1, ... 01687 936 NtContinue (74513712, 1, ... 01688 932 NtContinue (72416560, 1, ... 01689 928 NtContinue (70319408, 1, ... 01690 924 NtContinue (68222256, 1, ... 01691 920 NtContinue (66125104, 1, ... 01692 916 NtContinue (64027952, 1, ... 01693 576 NtUserFindExistingCursorIcon (8712920, 8712936, 8714152, ... 01599 1012 NtWaitForSingleObject ... ) == 0x0 01675 636 NtSetEventBoostPriority ... ) == 0x0 01694 900 NtContinue (61930800, 1, ... 01676 456 NtAllocateVirtualMemory ... 103866368, 8192, ) == 0x0 01677 996 NtTestAlert ... ) == 0x0 01695 992 NtRegisterThreadTerminatePort (24, ... 01696 968 NtRegisterThreadTerminatePort (24, ... 01697 964 NtRegisterThreadTerminatePort (24, ... 01698 960 NtRegisterThreadTerminatePort (24, ... 01699 956 NtRegisterThreadTerminatePort (24, ... 
01700 952 NtRegisterThreadTerminatePort (24, ... 01701 948 NtRegisterThreadTerminatePort (24, ... 01702 944 NtRegisterThreadTerminatePort (24, ... 01703 940 NtRegisterThreadTerminatePort (24, ... 01704 936 NtRegisterThreadTerminatePort (24, ... 01705 932 NtRegisterThreadTerminatePort (24, ... 01706 928 NtRegisterThreadTerminatePort (24, ... 01707 924 NtRegisterThreadTerminatePort (24, ... 01708 920 NtRegisterThreadTerminatePort (24, ... 01709 916 NtRegisterThreadTerminatePort (24, ... 01710 1012 NtSetEventBoostPriority (36, ... 01693 576 NtUserFindExistingCursorIcon ... ) == 0x10005 01711 596 NtWaitForSingleObject (36, 0, 0x0, ... 01712 900 NtRegisterThreadTerminatePort (24, ... 01713 456 NtProtectVirtualMemory (-1, (0x630e000), 4096, 260, ... 01714 996 NtContinue (95485232, 1, ... 01695 992 NtRegisterThreadTerminatePort ... ) == 0x0 01696 968 NtRegisterThreadTerminatePort ... ) == 0x0 01697 964 NtRegisterThreadTerminatePort ... ) == 0x0 01698 960 NtRegisterThreadTerminatePort ... ) == 0x0 01699 956 NtRegisterThreadTerminatePort ... ) == 0x0 01700 952 NtRegisterThreadTerminatePort ... ) == 0x0 01701 948 NtRegisterThreadTerminatePort ... ) == 0x0 01702 944 NtRegisterThreadTerminatePort ... ) == 0x0 01703 940 NtRegisterThreadTerminatePort ... ) == 0x0 01704 936 NtRegisterThreadTerminatePort ... ) == 0x0 01705 932 NtRegisterThreadTerminatePort ... ) == 0x0 01706 928 NtRegisterThreadTerminatePort ... ) == 0x0 01707 924 NtRegisterThreadTerminatePort ... ) == 0x0 01708 920 NtRegisterThreadTerminatePort ... ) == 0x0 01624 1024 NtWaitForSingleObject ... ) == 0x0 01710 1012 NtSetEventBoostPriority ... ) == 0x0 01709 916 NtRegisterThreadTerminatePort ... ) == 0x0 01715 576 NtWaitForSingleObject (36, 0, 0x0, ... 01712 900 NtRegisterThreadTerminatePort ... ) == 0x0 01713 456 NtProtectVirtualMemory ... (0x630e000), 4096, 4, ) == 0x0 01716 996 NtRegisterThreadTerminatePort (24, ... 01717 992 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01718 968 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01719 964 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01720 960 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01721 956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01722 952 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01723 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01724 944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01725 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01726 936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01727 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01728 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01729 924 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01730 1024 NtSetEventBoostPriority (36, ... 01731 920 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01732 636 NtAllocateVirtualMemory (-1, 4595712, 0, 4096, 4096, 4, ... 01733 916 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01734 900 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01735 1012 NtTestAlert (... 01736 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01716 996 NtRegisterThreadTerminatePort ... ) == 0x0 01717 992 NtDuplicateObject ... 296, ) == 0x0 01718 968 NtDuplicateObject ... 408, ) == 0x0 01719 964 NtDuplicateObject ... 412, ) == 0x0 01720 960 NtDuplicateObject ... 416, ) == 0x0 01721 956 NtDuplicateObject ... 420, ) == 0x0 01722 952 NtDuplicateObject ... 424, ) == 0x0 01723 948 NtDuplicateObject ... 428, ) == 0x0 01724 944 NtDuplicateObject ... 432, ) == 0x0 01725 940 NtDuplicateObject ... 436, ) == 0x0 01726 936 NtDuplicateObject ... 440, ) == 0x0 01727 932 NtDuplicateObject ... 444, ) == 0x0 01728 928 NtDuplicateObject ... 448, ) == 0x0 01636 1028 NtWaitForSingleObject ... ) == 0x0 01730 1024 NtSetEventBoostPriority ... ) == 0x0 01729 924 NtDuplicateObject ... 452, ) == 0x0 01732 636 NtAllocateVirtualMemory ... 4595712, 4096, ) == 0x0 01731 920 NtDuplicateObject ... 456, ) == 0x0 01733 916 NtCreateEvent ... 460, ) == 0x0 01735 1012 NtTestAlert ... ) == 0x0 01736 456 NtCreateThread ... 
464, {444, 1000}, ) == 0x0 01737 996 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01738 992 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01739 968 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01740 964 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01741 960 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01742 956 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01743 952 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01744 948 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01745 944 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01746 940 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01747 936 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01748 932 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01749 1028 NtSetEventBoostPriority (36, ... 01750 928 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01734 900 NtCreateEvent ... 468, ) == 0x0 01751 924 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01752 636 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01753 920 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01754 916 NtWaitForSingleObject (460, 0, 0x0, ... 01755 1012 NtContinue (97582384, 1, ... 01756 456 NtQueryInformationThread (464, Basic, 28, ... 01737 996 NtCreateEvent ... 472, ) == 0x0 01738 992 NtCreateEvent ... 476, ) == 0x0 01739 968 NtCreateEvent ... 480, ) == 0x0 01740 964 NtCreateEvent ... 484, ) == 0x0 01741 960 NtCreateEvent ... 488, ) == 0x0 01742 956 NtCreateEvent ... 492, ) == 0x0 01743 952 NtCreateEvent ... 496, ) == 0x0 01744 948 NtCreateEvent ... 500, ) == 0x0 01745 944 NtCreateEvent ... 504, ) == 0x0 01746 940 NtCreateEvent ... 508, ) == 0x0 01747 936 NtCreateEvent ... 512, ) == 0x0 01711 596 NtWaitForSingleObject ... ) == 0x0 01749 1028 NtSetEventBoostPriority ... ) == 0x0 01748 932 NtCreateEvent ... 516, ) == 0x0 01750 928 NtCreateEvent ... 520, ) == 0x0 01757 900 NtClose (468, ... 01751 924 NtCreateEvent ... 524, ) == 0x0 01752 636 NtCreateEvent ... 528, ) == 0x0 01753 920 NtCreateEvent ... 532, ) == 0x0 01758 1012 NtRegisterThreadTerminatePort (24, ... 01756 456 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=444,Tid=1000,}, 0x0, ) == 0x0 01759 996 NtClose (472, ... 01760 992 NtClose (476, ... 01761 968 NtClose (480, ... 01762 964 NtClose (484, ... 01763 960 NtClose (488, ... 01764 956 NtClose (492, ... 01765 952 NtClose (496, ... 01766 948 NtClose (500, ... 01767 944 NtClose (504, ... 01768 940 NtClose (508, ... 01769 596 NtSetEventBoostPriority (36, ... 01770 936 NtClose (512, ... 01771 1024 NtTestAlert (... 01772 932 NtClose (516, ... 01773 928 NtClose (520, ... 01757 900 NtClose ... ) == 0x0 01774 924 NtClose (524, ... 01775 636 NtClose (528, ... 01776 920 NtClose (532, ... 01758 1012 NtRegisterThreadTerminatePort ... ) == 0x0 01777 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1553, 0} (24, {28, 56, new_msg, 0, 444, 456, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0\274\1\0\0\350\3\0\0" ... ... 01759 996 NtClose ... ) == 0x0 01760 992 NtClose ... ) == 0x0 01761 968 NtClose ... ) == 0x0 01762 964 NtClose ... ) == 0x0 01763 960 NtClose ... ) == 0x0 01764 956 NtClose ... ) == 0x0 01765 952 NtClose ... ) == 0x0 01766 948 NtClose ... ) == 0x0 01767 944 NtClose ... ) == 0x0 01715 576 NtWaitForSingleObject ... ) == 0x0 01769 596 NtSetEventBoostPriority ... ) == 0x0 01768 940 NtClose ... ) == 0x0 01770 936 NtClose ... ) == 0x0 01771 1024 NtTestAlert ... ) == 0x0 01772 932 NtClose ... ) == 0x0 01773 928 NtClose ... ) == 0x0 01778 900 NtWaitForSingleObject (460, 0, 0x0, ... 01774 924 NtClose ... ) == 0x0 01775 636 NtClose ... ) == 0x0 01776 920 NtClose ... ) == 0x0 01779 1012 NtWaitForSingleObject (460, 0, 0x0, ... 01780 996 NtWaitForSingleObject (460, 0, 0x0, ... 01781 992 NtWaitForSingleObject (460, 0, 0x0, ... 01782 968 NtWaitForSingleObject (460, 0, 0x0, ... 01783 964 NtWaitForSingleObject (460, 0, 0x0, ... 01784 960 NtWaitForSingleObject (460, 0, 0x0, ... 01785 956 NtWaitForSingleObject (460, 0, 0x0, ... 01786 952 NtWaitForSingleObject (460, 0, 0x0, ... 01787 948 NtWaitForSingleObject (460, 0, 0x0, ... 
01788 576 NtGdiExtGetObjectW (218432529, 24, 8712928, ... 01789 944 NtWaitForSingleObject (460, 0, 0x0, ... 01790 596 NtWaitForSingleObject (460, 0, 0x0, ... 01791 940 NtWaitForSingleObject (460, 0, 0x0, ... 01792 936 NtWaitForSingleObject (460, 0, 0x0, ... 01793 1024 NtContinue (99679536, 1, ... 01794 932 NtWaitForSingleObject (460, 0, 0x0, ... 01795 928 NtWaitForSingleObject (460, 0, 0x0, ... 01796 924 NtWaitForSingleObject (460, 0, 0x0, ... 01797 1028 NtTestAlert (... 01777 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1554, 0} ... {28, 56, reply, 0, 444, 456, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0\274\1\0\0\350\3\0\0" ) ) == 0x0 01798 920 NtWaitForSingleObject (460, 0, 0x0, ... 01799 636 NtSetEventBoostPriority (460, ... 01788 576 NtGdiExtGetObjectW ... ) == 0x18 01800 1024 NtRegisterThreadTerminatePort (24, ... 01797 1028 NtTestAlert ... ) == 0x0 01801 456 NtResumeThread (464, ... 01754 916 NtWaitForSingleObject ... ) == 0x0 01799 636 NtSetEventBoostPriority ... ) == 0x0 01800 1024 NtRegisterThreadTerminatePort ... ) == 0x0 01802 1028 NtContinue (101776688, 1, ... 01803 916 NtSetEventBoostPriority (460, ... 01801 456 NtResumeThread ... 1, ) == 0x0 01804 636 NtWaitForSingleObject (460, 0, 0x0, ... 01805 1024 NtWaitForSingleObject (460, 0, 0x0, ... 01778 900 NtWaitForSingleObject ... ) == 0x0 01803 916 NtSetEventBoostPriority ... ) == 0x0 01806 1028 NtRegisterThreadTerminatePort (24, ... 01807 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01808 576 NtWaitForSingleObject (460, 0, 0x0, ... 01809 1000 NtTestAlert (... 01810 900 NtSetEventBoostPriority (460, ... 01806 1028 NtRegisterThreadTerminatePort ... ) == 0x0 01807 456 NtAllocateVirtualMemory ... 103874560, 2097152, ) == 0x0 01779 1012 NtWaitForSingleObject ... ) == 0x0 01810 900 NtSetEventBoostPriority ... ) == 0x0 01809 1000 NtTestAlert ... ) == 0x0 01811 1028 NtWaitForSingleObject (460, 0, 0x0, ... 01812 1012 NtSetEventBoostPriority (460, ... 
01813 456 NtAllocateVirtualMemory (-1, 105963520, 0, 8192, 4096, 4, ... 01814 916 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01815 1000 NtContinue (103873840, 1, ... 01816 900 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01780 996 NtWaitForSingleObject ... ) == 0x0 01812 1012 NtSetEventBoostPriority ... ) == 0x0 01814 916 NtDuplicateObject ... 532, ) == 0x0 01817 1000 NtRegisterThreadTerminatePort (24, ... 01816 900 NtDuplicateObject ... 528, ) == 0x0 01818 996 NtSetEventBoostPriority (460, ... 01819 1012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01820 916 NtWaitForSingleObject (460, 0, 0x0, ... 01817 1000 NtRegisterThreadTerminatePort ... ) == 0x0 01821 900 NtWaitForSingleObject (460, 0, 0x0, ... 01781 992 NtWaitForSingleObject ... ) == 0x0 01819 1012 NtDuplicateObject ... 524, ) == 0x0 01818 996 NtSetEventBoostPriority ... ) == 0x0 01813 456 NtAllocateVirtualMemory ... 105963520, 8192, ) == 0x0 01822 992 NtSetEventBoostPriority (460, ... 01823 1000 NtWaitForSingleObject (460, 0, 0x0, ... 01824 996 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01825 456 NtProtectVirtualMemory (-1, (0x650e000), 4096, 260, ... 01782 968 NtWaitForSingleObject ... ) == 0x0 01824 996 NtDuplicateObject ... 520, ) == 0x0 01825 456 NtProtectVirtualMemory ... (0x650e000), 4096, 4, ) == 0x0 01826 968 NtSetEventBoostPriority (460, ... 01822 992 NtSetEventBoostPriority ... ) == 0x0 01827 1012 NtWaitForSingleObject (460, 0, 0x0, ... 01828 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01783 964 NtWaitForSingleObject ... ) == 0x0 01829 992 NtWaitForSingleObject (460, 0, 0x0, ... 01828 456 NtCreateThread ... 516, {444, 1032}, ) == 0x0 01830 964 NtSetEventBoostPriority (460, ... 01831 456 NtQueryInformationThread (516, Basic, 28, ... 01784 960 NtWaitForSingleObject ... ) == 0x0 01830 964 NtSetEventBoostPriority ... ) == 0x0 01826 968 NtSetEventBoostPriority ... ) == 0x0 01832 996 NtWaitForSingleObject (460, 0, 0x0, ... 01833 960 NtSetEventBoostPriority (460, ... 
01834 964 NtWaitForSingleObject (460, 0, 0x0, ... 01835 968 NtWaitForSingleObject (460, 0, 0x0, ... 01785 956 NtWaitForSingleObject ... ) == 0x0 01836 956 NtSetEventBoostPriority (460, ... 01786 952 NtWaitForSingleObject ... ) == 0x0 01837 952 NtSetEventBoostPriority (460, ... 01787 948 NtWaitForSingleObject ... ) == 0x0 01838 948 NtSetEventBoostPriority (460, ... 01789 944 NtWaitForSingleObject ... ) == 0x0 01839 944 NtSetEventBoostPriority (460, ... 01790 596 NtWaitForSingleObject ... ) == 0x0 01840 596 NtSetEventBoostPriority (460, ... 01791 940 NtWaitForSingleObject ... ) == 0x0 01841 940 NtSetEventBoostPriority (460, ... 01792 936 NtWaitForSingleObject ... ) == 0x0 01842 936 NtSetEventBoostPriority (460, ... 01794 932 NtWaitForSingleObject ... ) == 0x0 01843 932 NtSetEventBoostPriority (460, ... 01795 928 NtWaitForSingleObject ... ) == 0x0 01844 928 NtSetEventBoostPriority (460, ... 01796 924 NtWaitForSingleObject ... ) == 0x0 01845 924 NtSetEventBoostPriority (460, ... 01798 920 NtWaitForSingleObject ... ) == 0x0 01846 920 NtSetEventBoostPriority (460, ... 01804 636 NtWaitForSingleObject ... ) == 0x0 01847 636 NtSetEventBoostPriority (460, ... 01805 1024 NtWaitForSingleObject ... ) == 0x0 01848 1024 NtSetEventBoostPriority (460, ... 01808 576 NtWaitForSingleObject ... ) == 0x0 01849 576 NtSetEventBoostPriority (460, ... 01811 1028 NtWaitForSingleObject ... ) == 0x0 01850 1028 NtSetEventBoostPriority (460, ... 01820 916 NtWaitForSingleObject ... ) == 0x0 01851 916 NtSetEventBoostPriority (460, ... 01821 900 NtWaitForSingleObject ... ) == 0x0 01852 900 NtSetEventBoostPriority (460, ... 01823 1000 NtWaitForSingleObject ... ) == 0x0 01853 1000 NtSetEventBoostPriority (460, ... 01827 1012 NtWaitForSingleObject ... ) == 0x0 01854 1012 NtSetEventBoostPriority (460, ... 01829 992 NtWaitForSingleObject ... ) == 0x0 01855 992 NtSetEventBoostPriority (460, ... 01832 996 NtWaitForSingleObject ... ) == 0x0 01856 996 NtSetEventBoostPriority (460, ... 
01834 964 NtWaitForSingleObject ... ) == 0x0 01857 964 NtSetEventBoostPriority (460, ... 01835 968 NtWaitForSingleObject ... ) == 0x0 01858 968 NtWaitForSingleObject (80, 0, {0, 0}, ... 01857 964 NtSetEventBoostPriority ... ) == 0x0 01856 996 NtSetEventBoostPriority ... ) == 0x0 01855 992 NtSetEventBoostPriority ... ) == 0x0 01854 1012 NtSetEventBoostPriority ... ) == 0x0 01853 1000 NtSetEventBoostPriority ... ) == 0x0 01852 900 NtSetEventBoostPriority ... ) == 0x0 01851 916 NtSetEventBoostPriority ... ) == 0x0 01849 576 NtSetEventBoostPriority ... ) == 0x0 01847 636 NtSetEventBoostPriority ... ) == 0x0 01850 1028 NtSetEventBoostPriority ... ) == 0x0 01848 1024 NtSetEventBoostPriority ... ) == 0x0 01846 920 NtSetEventBoostPriority ... ) == 0x0 01845 924 NtSetEventBoostPriority ... ) == 0x0 01844 928 NtSetEventBoostPriority ... ) == 0x0 01843 932 NtSetEventBoostPriority ... ) == 0x0 01842 936 NtSetEventBoostPriority ... ) == 0x0 01841 940 NtSetEventBoostPriority ... ) == 0x0 01840 596 NtSetEventBoostPriority ... ) == 0x0 01839 944 NtSetEventBoostPriority ... ) == 0x0 01838 948 NtSetEventBoostPriority ... ) == 0x0 01837 952 NtSetEventBoostPriority ... ) == 0x0 01836 956 NtSetEventBoostPriority ... ) == 0x0 01833 960 NtSetEventBoostPriority ... ) == 0x0 01831 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=444,Tid=1032,}, 0x0, ) == 0x0 01858 968 NtWaitForSingleObject ... ) == 0x102 01859 996 NtWaitForSingleObject (80, 0, {0, 0}, ... 01860 964 NtWaitForSingleObject (80, 0, {0, 0}, ... 01861 1012 NtWaitForSingleObject (80, 0, {0, 0}, ... 01862 1000 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01863 992 NtWaitForSingleObject (80, 0, {0, 0}, ... 01864 900 NtWaitForSingleObject (80, 0, {0, 0}, ... 01865 576 NtGdiGetDIBitsInternal (268502011, 218432529, 0, 64, 4595680, 4595632, 0, 256, 0, ... 01866 916 NtWaitForSingleObject (80, 0, {0, 0}, ... 01867 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01868 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01869 920 NtAllocateVirtualMemory (-1, 4599808, 0, 4096, 4096, 4, ... 01870 924 NtWaitForSingleObject (460, 0, 0x0, ... 01871 928 NtWaitForSingleObject (460, 0, 0x0, ... 01872 932 NtWaitForSingleObject (460, 0, 0x0, ... 01873 936 NtWaitForSingleObject (460, 0, 0x0, ... 01874 940 NtWaitForSingleObject (460, 0, 0x0, ... 01875 596 NtWaitForSingleObject (460, 0, 0x0, ... 01876 944 NtWaitForSingleObject (460, 0, 0x0, ... 01877 948 NtWaitForSingleObject (460, 0, 0x0, ... 01878 952 NtWaitForSingleObject (460, 0, 0x0, ... 01879 956 NtWaitForSingleObject (460, 0, 0x0, ... 01880 960 NtWaitForSingleObject (460, 0, 0x0, ... 01881 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1554, 0} (24, {28, 56, new_msg, 0, 444, 456, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\274\1\0\0\10\4\0\0" ... ... 01882 968 NtWaitForSingleObject (208, 0, 0x0, ... 01883 636 NtQuerySystemInformation (Basic, 44, ... 01860 964 NtWaitForSingleObject ... ) == 0x102 01859 996 NtWaitForSingleObject ... ) == 0x102 01861 1012 NtWaitForSingleObject ... ) == 0x102 01863 992 NtWaitForSingleObject ... ) == 0x102 01864 900 NtWaitForSingleObject ... ) == 0x102 01862 1000 NtDuplicateObject ... 512, ) == 0x0 01866 916 NtWaitForSingleObject ... ) == 0x102 01867 1028 NtDuplicateObject ... 508, ) == 0x0 01868 1024 NtDuplicateObject ... 504, ) == 0x0 01869 920 NtAllocateVirtualMemory ... 4599808, 4096, ) == 0x0 01881 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1555, 0} ... {28, 56, reply, 0, 444, 456, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\274\1\0\0\10\4\0\0" ) ) == 0x0 01883 636 NtQuerySystemInformation ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01884 964 NtWaitForSingleObject (208, 0, 0x0, ... 01885 996 NtWaitForSingleObject (208, 0, 0x0, ... 01886 1012 NtWaitForSingleObject (460, 0, 0x0, ... 01887 992 NtWaitForSingleObject (460, 0, 0x0, ... 01888 900 NtWaitForSingleObject (460, 0, 0x0, ... 01889 1000 NtWaitForSingleObject (460, 0, 0x0, ... 01890 916 NtWaitForSingleObject (460, 0, 0x0, ... 01865 576 NtGdiGetDIBitsInternal ... ) == 0x40 01891 1028 NtWaitForSingleObject (460, 0, 0x0, ... 01892 1024 NtWaitForSingleObject (460, 0, 0x0, ... 01893 456 NtResumeThread (516, ... 01894 636 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01895 576 NtWaitForSingleObject (460, 0, 0x0, ... 01893 456 NtResumeThread ... 1, ) == 0x0 01894 636 NtCreateEvent ... 500, ) == 0x0 01896 920 NtSetEventBoostPriority (460, ... 01897 1032 NtTestAlert (... 01898 636 NtWaitForSingleObject (500, 0, 0x0, ... 01870 924 NtWaitForSingleObject ... ) == 0x0 01896 920 NtSetEventBoostPriority ... ) == 0x0 01897 1032 NtTestAlert ... ) == 0x0 01899 924 NtSetEventBoostPriority (460, ... 01900 920 NtWaitForSingleObject (500, 0, 0x0, ... 01871 928 NtWaitForSingleObject ... ) == 0x0 01899 924 NtSetEventBoostPriority ... ) == 0x0 01901 1032 NtContinue (105970992, 1, ... 01902 928 NtSetEventBoostPriority (460, ... 01903 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01872 932 NtWaitForSingleObject ... ) == 0x0 01902 928 NtSetEventBoostPriority ... ) == 0x0 01904 1032 NtRegisterThreadTerminatePort (24, ... 01905 932 NtSetEventBoostPriority (460, ... 01903 456 NtAllocateVirtualMemory ... 105971712, 2097152, ) == 0x0 01906 924 NtWaitForSingleObject (500, 0, 0x0, ... 01873 936 NtWaitForSingleObject ... ) == 0x0 01905 932 NtSetEventBoostPriority ... 
) == 0x0 01904 1032 NtRegisterThreadTerminatePort ... ) == 0x0 01907 456 NtAllocateVirtualMemory (-1, 108060672, 0, 8192, 4096, 4, ... 01908 936 NtSetEventBoostPriority (460, ... 01909 928 NtWaitForSingleObject (500, 0, 0x0, ... 01910 932 NtWaitForSingleObject (500, 0, 0x0, ... 01874 940 NtWaitForSingleObject ... ) == 0x0 01908 936 NtSetEventBoostPriority ... ) == 0x0 01907 456 NtAllocateVirtualMemory ... 108060672, 8192, ) == 0x0 01911 940 NtSetEventBoostPriority (460, ... 01912 1032 NtWaitForSingleObject (460, 0, 0x0, ... 01875 596 NtWaitForSingleObject ... ) == 0x0 01911 940 NtSetEventBoostPriority ... ) == 0x0 01913 456 NtProtectVirtualMemory (-1, (0x670e000), 4096, 260, ... 01914 596 NtSetEventBoostPriority (460, ... 01915 936 NtWaitForSingleObject (500, 0, 0x0, ... 01876 944 NtWaitForSingleObject ... ) == 0x0 01914 596 NtSetEventBoostPriority ... ) == 0x0 01913 456 NtProtectVirtualMemory ... (0x670e000), 4096, 4, ) == 0x0 01916 944 NtSetEventBoostPriority (460, ... 01917 940 NtWaitForSingleObject (500, 0, 0x0, ... 01918 596 NtSetEventBoostPriority (500, ... 01877 948 NtWaitForSingleObject ... ) == 0x0 01916 944 NtSetEventBoostPriority ... ) == 0x0 01919 948 NtSetEventBoostPriority (460, ... 01898 636 NtWaitForSingleObject ... ) == 0x0 01918 596 NtSetEventBoostPriority ... ) == 0x0 01920 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01878 952 NtWaitForSingleObject ... ) == 0x0 01921 636 NtWaitForSingleObject (460, 0, 0x0, ... 01919 948 NtSetEventBoostPriority ... ) == 0x0 01922 596 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 17890884, 67, ... }, 0x0, 0, 3, 3, 0, 17890884, 67, ... 01923 952 NtSetEventBoostPriority (460, ... 01920 456 NtCreateThread ... 496, {444, 1048}, ) == 0x0 01924 944 NtWaitForSingleObject (500, 0, 0x0, ... 01879 956 NtWaitForSingleObject ... ) == 0x0 01923 952 NtSetEventBoostPriority ... ) == 0x0 01922 596 NtCreateFile ... 
492, {status=0x0, info=0}, ) == 0x0 01925 456 NtQueryInformationThread (496, Basic, 28, ... 01926 956 NtSetEventBoostPriority (460, ... 01927 948 NtWaitForSingleObject (500, 0, 0x0, ... 01928 596 NtDeviceIoControlFile (492, 268, 0x0, 0x0, 0x1207b, (492, 268, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\260\15F\0\17\346\367w", 16, 16, ... , 16, 16, ... 01880 960 NtWaitForSingleObject ... ) == 0x0 01926 956 NtSetEventBoostPriority ... ) == 0x0 01925 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=444,Tid=1048,}, 0x0, ) == 0x0 01929 960 NtSetEventBoostPriority (460, ... 01928 596 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\220\245\14\201", ) , ) == 0x0 01930 952 NtWaitForSingleObject (500, 0, 0x0, ... 01886 1012 NtWaitForSingleObject ... ) == 0x0 01929 960 NtSetEventBoostPriority ... ) == 0x0 01931 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1555, 0} (24, {28, 56, new_msg, 0, 444, 456, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\1\0\0\274\1\0\0\30\4\0\0" ... ... 01932 956 NtWaitForSingleObject (500, 0, 0x0, ... 01933 1012 NtSetEventBoostPriority (460, ... 01934 596 NtDeviceIoControlFile (492, 268, 0x0, 0x0, 0x1207b, (492, 268, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\220\245\14\201", 16, 16, ... , 16, 16, ... 01887 992 NtWaitForSingleObject ... ) == 0x0 01933 1012 NtSetEventBoostPriority ... ) == 0x0 01935 992 NtSetEventBoostPriority (460, ... 01934 596 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\220\245\14\201", ) , ) == 0x0 01936 960 NtWaitForSingleObject (500, 0, 0x0, ... 01931 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1556, 0} ... {28, 56, reply, 0, 444, 456, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\1\0\0\274\1\0\0\30\4\0\0" ) ) == 0x0 01888 900 NtWaitForSingleObject ... ) == 0x0 01935 992 NtSetEventBoostPriority ... 
) == 0x0 01937 596 NtDeviceIoControlFile (492, 268, 0x0, 0x0, 0x12047, (492, 268, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\2601F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01938 900 NtSetEventBoostPriority (460, ... 01939 456 NtResumeThread (496, ... 01940 1012 NtWaitForSingleObject (208, 0, 0x0, ... 01889 1000 NtWaitForSingleObject ... ) == 0x0 01938 900 NtSetEventBoostPriority ... ) == 0x0 01937 596 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01939 456 NtResumeThread ... 1, ) == 0x0 01941 1000 NtSetEventBoostPriority (460, ... 01942 992 NtWaitForSingleObject (208, 0, 0x0, ... 01943 1048 NtTestAlert (... 01944 596 NtWaitForSingleObject (460, 0, 0x0, ... 01890 916 NtWaitForSingleObject ... ) == 0x0 01941 1000 NtSetEventBoostPriority ... ) == 0x0 01945 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01943 1048 NtTestAlert ... ) == 0x0 01946 916 NtSetEventBoostPriority (460, ... 01947 900 NtWaitForSingleObject (208, 0, 0x0, ... 01945 456 NtAllocateVirtualMemory ... 108068864, 2097152, ) == 0x0 01891 1028 NtWaitForSingleObject ... ) == 0x0 01946 916 NtSetEventBoostPriority ... ) == 0x0 01948 1048 NtContinue (108068144, 1, ... 01949 1028 NtSetEventBoostPriority (460, ... 01950 456 NtAllocateVirtualMemory (-1, 110157824, 0, 8192, 4096, 4, ... 01951 1000 NtWaitForSingleObject (460, 0, 0x0, ... 01892 1024 NtWaitForSingleObject ... ) == 0x0 01949 1028 NtSetEventBoostPriority ... ) == 0x0 01952 1048 NtRegisterThreadTerminatePort (24, ... 01953 916 NtWaitForSingleObject (208, 0, 0x0, ... 
01954 1024 NtSetEventBoostPriority (460, ... 01955 1028 NtWaitForSingleObject (460, 0, 0x0, ... 01952 1048 NtRegisterThreadTerminatePort ... ) == 0x0 01895 576 NtWaitForSingleObject ... ) == 0x0 01954 1024 NtSetEventBoostPriority ... ) == 0x0 01950 456 NtAllocateVirtualMemory ... 110157824, 8192, ) == 0x0 01956 576 NtSetEventBoostPriority (460, ... 01957 1024 NtWaitForSingleObject (460, 0, 0x0, ... 01912 1032 NtWaitForSingleObject ... ) == 0x0 01956 576 NtSetEventBoostPriority ... ) == 0x0 01958 456 NtProtectVirtualMemory (-1, (0x690e000), 4096, 260, ... 01959 1048 NtWaitForSingleObject (460, 0, 0x0, ... 01960 1032 NtSetEventBoostPriority (460, ... 01958 456 NtProtectVirtualMemory ... (0x690e000), 4096, 4, ) == 0x0 01921 636 NtWaitForSingleObject ... ) == 0x0 01960 1032 NtSetEventBoostPriority ... ) == 0x0 01961 636 NtSetEventBoostPriority (460, ... 01962 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01944 596 NtWaitForSingleObject ... ) == 0x0 01961 636 NtSetEventBoostPriority ... ) == 0x0 01963 1032 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01964 596 NtSetEventBoostPriority (460, ... 01962 456 NtCreateThread ... 488, {444, 1052}, ) == 0x0 01965 576 NtUserGetDC (0, ... 01966 636 NtSetEventBoostPriority (500, ... 01951 1000 NtWaitForSingleObject ... ) == 0x0 01964 596 NtSetEventBoostPriority ... ) == 0x0 01967 456 NtQueryInformationThread (488, Basic, 28, ... 01965 576 NtUserGetDC ... ) == 0x1010053 01968 1000 NtSetEventBoostPriority (460, ... 01900 920 NtWaitForSingleObject ... ) == 0x0 01966 636 NtSetEventBoostPriority ... ) == 0x0 01963 1032 NtDuplicateObject ... 484, ) == 0x0 01969 596 NtWaitForSingleObject (72, 0, {0, 0}, ... 01955 1028 NtWaitForSingleObject ... ) == 0x0 01970 920 NtWaitForSingleObject (460, 0, 0x0, ... 01968 1000 NtSetEventBoostPriority ... ) == 0x0 01971 576 NtGdiCreateDIBitmapInternal (16842835, 16, 32, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... 
01972 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01973 1032 NtWaitForSingleObject (460, 0, 0x0, ... 01974 1028 NtSetEventBoostPriority (460, ... 01969 596 NtWaitForSingleObject ... ) == 0x102 01975 1000 NtWaitForSingleObject (460, 0, 0x0, ... 01971 576 NtGdiCreateDIBitmapInternal ... ) == 0x1105042a 01972 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01957 1024 NtWaitForSingleObject ... ) == 0x0 01976 596 NtWaitForSingleObject (460, 0, 0x0, ... 01974 1028 NtSetEventBoostPriority ... ) == 0x0 01967 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=444,Tid=1052,}, 0x0, ) == 0x0 01977 576 NtUserCallOneParam (16842835, 56, ... 01978 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01979 1024 NtSetEventBoostPriority (460, ... 01980 1028 NtWaitForSingleObject (460, 0, 0x0, ... 01981 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1556, 0} (24, {28, 56, new_msg, 0, 444, 456, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\274\1\0\0\34\4\0\0" ... ... 01977 576 NtUserCallOneParam ... ) == 0x1 01978 636 NtOpenKey ... 480, ) == 0x0 01959 1048 NtWaitForSingleObject ... ) == 0x0 01981 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1557, 0} ... {28, 56, reply, 0, 444, 456, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\274\1\0\0\34\4\0\0" ) ) == 0x0 01979 1024 NtSetEventBoostPriority ... ) == 0x0 01982 576 NtGdiSelectBitmap (268502011, 285541418, ... 01983 1048 NtSetEventBoostPriority (460, ... 01984 456 NtResumeThread (488, ... 01985 1024 NtWaitForSingleObject (460, 0, 0x0, ... 01982 576 NtGdiSelectBitmap ... ) == 0x185000f 01970 920 NtWaitForSingleObject ... ) == 0x0 01983 1048 NtSetEventBoostPriority ... ) == 0x0 01984 456 NtResumeThread ... 1, ) == 0x0 01986 920 NtSetEventBoostPriority (460, ... 01987 576 NtGdiDoPalette (268502011, 0, 1, 8712780, 4, 0, ... 
01988 1048 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01989 636 NtQueryValueKey (480, (480, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01990 1052 NtTestAlert (... 01973 1032 NtWaitForSingleObject ... ) == 0x0 01986 920 NtSetEventBoostPriority ... ) == 0x0 01987 576 NtGdiDoPalette ... ) == 0x1 01991 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01989 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01992 1032 NtSetEventBoostPriority (460, ... 01990 1052 NtTestAlert ... ) == 0x0 01988 1048 NtDuplicateObject ... 476, ) == 0x0 01993 576 NtGdiStretchDIBitsInternal (268502011, 0, 0, 16, 32, 0, 0, 32, 64, 4595680, 4601408, 0, 13369376, 48, 256, 0, ... 01991 456 NtAllocateVirtualMemory ... 110166016, 2097152, ) == 0x0 01976 596 NtWaitForSingleObject ... ) == 0x0 01992 1032 NtSetEventBoostPriority ... ) == 0x0 01994 636 NtClose (480, ... 01995 1052 NtContinue (110165296, 1, ... 01996 1048 NtWaitForSingleObject (460, 0, 0x0, ... 01993 576 NtGdiStretchDIBitsInternal ... ) == 0x40 01997 596 NtSetEventBoostPriority (460, ... 01998 456 NtAllocateVirtualMemory (-1, 112254976, 0, 8192, 4096, 4, ... 01999 920 NtSetEventBoostPriority (500, ... 01994 636 NtClose ... ) == 0x0 02000 1052 NtRegisterThreadTerminatePort (24, ... 02001 1032 NtWaitForSingleObject (460, 0, 0x0, ... 01980 1028 NtWaitForSingleObject ... ) == 0x0 01997 596 NtSetEventBoostPriority ... ) == 0x0 01998 456 NtAllocateVirtualMemory ... 112254976, 8192, ) == 0x0 01906 924 NtWaitForSingleObject ... ) == 0x0 01999 920 NtSetEventBoostPriority ... ) == 0x0 02002 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 02000 1052 NtRegisterThreadTerminatePort ... ) == 0x0 02003 1028 NtSetEventBoostPriority (460, ... 02004 576 NtGdiSelectBitmap (268502011, 25493519, ... 02005 924 NtWaitForSingleObject (460, 0, 0x0, ... 
02006 456 NtProtectVirtualMemory (-1, (0x6b0e000), 4096, 260, ... 02007 920 NtWaitForSingleObject (80, 0, {0, 0}, ... 02002 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02008 596 NtWaitForSingleObject (460, 0, 0x0, ... 01975 1000 NtWaitForSingleObject ... ) == 0x0 02003 1028 NtSetEventBoostPriority ... ) == 0x0 02004 576 NtGdiSelectBitmap ... ) == 0x1105042a 02006 456 NtProtectVirtualMemory ... (0x6b0e000), 4096, 4, ) == 0x0 02007 920 NtWaitForSingleObject ... ) == 0x102 02009 1052 NtWaitForSingleObject (460, 0, 0x0, ... 02010 1000 NtSetEventBoostPriority (460, ... 02011 636 NtWaitForSingleObject (460, 0, 0x0, ... 02012 576 NtGdiCreateCompatibleDC (268502011, ... 02013 1028 NtWaitForSingleObject (500, 0, 0x0, ... 02014 920 NtWaitForSingleObject (208, 0, 0x0, ... 01985 1024 NtWaitForSingleObject ... ) == 0x0 02012 576 NtGdiCreateCompatibleDC ... ) == 0x801042b 02010 1000 NtSetEventBoostPriority ... ) == 0x0 02015 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02016 1024 NtSetEventBoostPriority (460, ... 02017 576 NtGdiExtGetObjectW (285541418, 24, 8712804, ... 02018 1000 NtWaitForSingleObject (500, 0, 0x0, ... 02015 456 NtCreateThread ... 480, {444, 1072}, ) == 0x0 01996 1048 NtWaitForSingleObject ... ) == 0x0 02016 1024 NtSetEventBoostPriority ... ) == 0x0 02017 576 NtGdiExtGetObjectW ... ) == 0x18 02019 1048 NtSetEventBoostPriority (460, ... 02020 456 NtQueryInformationThread (480, Basic, 28, ... 02021 1024 NtWaitForSingleObject (500, 0, 0x0, ... 02001 1032 NtWaitForSingleObject ... ) == 0x0 02019 1048 NtSetEventBoostPriority ... ) == 0x0 02020 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=444,Tid=1072,}, 0x0, ) == 0x0 02022 1032 NtSetEventBoostPriority (460, ... 02023 576 NtGdiCreateBitmap (16, 32, 1, 1, 0, ... 02005 924 NtWaitForSingleObject ... ) == 0x0 02022 1032 NtSetEventBoostPriority ... 
) == 0x0 02024 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1557, 0} (24, {28, 56, new_msg, 0, 444, 456, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\274\1\0\00\4\0\0" ... ... 02025 924 NtSetEventBoostPriority (460, ... 02023 576 NtGdiCreateBitmap ... ) == 0x8050425 02026 1032 NtWaitForSingleObject (500, 0, 0x0, ... 02008 596 NtWaitForSingleObject ... ) == 0x0 02025 924 NtSetEventBoostPriority ... ) == 0x0 02027 576 NtGdiSelectBitmap (268502011, 285541418, ... 02028 1048 NtWaitForSingleObject (500, 0, 0x0, ... 02024 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1558, 0} ... {28, 56, reply, 0, 444, 456, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\274\1\0\00\4\0\0" ) ) == 0x0 02029 596 NtSetEventBoostPriority (460, ... 02027 576 NtGdiSelectBitmap ... ) == 0x185000f 02009 1052 NtWaitForSingleObject ... ) == 0x0 02029 596 NtSetEventBoostPriority ... ) == 0x0 02030 456 NtResumeThread (480, ... 02031 1052 NtSetEventBoostPriority (460, ... 02032 576 NtGdiSelectBitmap (134284331, 134546469, ... 02033 596 NtDeviceIoControlFile (492, 268, 0x0, 0x0, 0x12003, (492, 268, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02011 636 NtWaitForSingleObject ... ) == 0x0 02031 1052 NtSetEventBoostPriority ... ) == 0x0 02030 456 NtResumeThread ... 1, ) == 0x0 02032 576 NtGdiSelectBitmap ... ) == 0x185000f 02034 924 NtSetEventBoostPriority (500, ... 02035 1072 NtTestAlert (... 02036 636 NtWaitForSingleObject (500, 0, 0x0, ... 02037 1052 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02038 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02033 596 NtDeviceIoControlFile ... {status=0x0, info=472}, ... {status=0x0, info=472}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01909 928 NtWaitForSingleObject ... ) == 0x0 02034 924 NtSetEventBoostPriority ... ) == 0x0 02035 1072 NtTestAlert ... 
) == 0x0 02039 576 NtGdiBitBlt (134284331, 0, 0, 16, 32, 268502011, 0, 0, 13369376, -1, 0, ... 02038 456 NtAllocateVirtualMemory ... 112263168, 2097152, ) == 0x0 02040 928 NtSetEventBoostPriority (500, ... 02041 596 NtDeviceIoControlFile (492, 268, 0x0, 0x0, 0x12047, (492, 268, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02042 924 NtWaitForSingleObject (80, 0, {0, 0}, ... 02043 1072 NtContinue (112262448, 1, ... 02039 576 NtGdiBitBlt ... ) == 0x1 01910 932 NtWaitForSingleObject ... ) == 0x0 02040 928 NtSetEventBoostPriority ... ) == 0x0 02044 456 NtAllocateVirtualMemory (-1, 114352128, 0, 8192, 4096, 4, ... 02041 596 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02042 924 NtWaitForSingleObject ... ) == 0x102 02045 1072 NtRegisterThreadTerminatePort (24, ... 02046 932 NtSetEventBoostPriority (500, ... 02047 576 NtGdiSelectBitmap (268502011, 25493519, ... 02048 928 NtWaitForSingleObject (80, 0, {0, 0}, ... 02037 1052 NtDuplicateObject ... 468, ) == 0x0 02049 596 NtDeviceIoControlFile (492, 268, 0x0, 0x0, 0x1200b, (492, 268, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ... 02050 924 NtWaitForSingleObject (208, 0, 0x0, ... 01915 936 NtWaitForSingleObject ... ) == 0x0 02046 932 NtSetEventBoostPriority ... ) == 0x0 02045 1072 NtRegisterThreadTerminatePort ... ) == 0x0 02047 576 NtGdiSelectBitmap ... ) == 0x1105042a 02044 456 NtAllocateVirtualMemory ... 114352128, 8192, ) == 0x0 02051 1052 NtWaitForSingleObject (500, 0, 0x0, ... 02049 596 NtDeviceIoControlFile ... 
{status=0x0, info=0}, 0x0, ) == 0x0 02048 928 NtWaitForSingleObject ... ) == 0x102 02052 936 NtSetEventBoostPriority (500, ... 02053 932 NtWaitForSingleObject (80, 0, {0, 0}, ... 02054 576 NtGdiSelectBitmap (134284331, 25493519, ... 02055 456 NtProtectVirtualMemory (-1, (0x6d0e000), 4096, 260, ... 02056 596 NtDeviceIoControlFile (492, 268, 0x0, 0x0, 0x12047, (492, 268, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0e\0t\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01917 940 NtWaitForSingleObject ... ) == 0x0 02052 936 NtSetEventBoostPriority ... ) == 0x0 02057 928 NtWaitForSingleObject (208, 0, 0x0, ... 02058 1072 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02054 576 NtGdiSelectBitmap ... ) == 0x8050425 02055 456 NtProtectVirtualMemory ... (0x6d0e000), 4096, 4, ) == 0x0 02053 932 NtWaitForSingleObject ... ) == 0x102 02059 940 NtSetEventBoostPriority (500, ... 02060 936 NtWaitForSingleObject (80, 0, {0, 0}, ... 02058 1072 NtDuplicateObject ... 536, ) == 0x0 02056 596 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02061 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01924 944 NtWaitForSingleObject ... ) == 0x0 02059 940 NtSetEventBoostPriority ... ) == 0x0 02062 932 NtWaitForSingleObject (208, 0, 0x0, ... 02063 576 NtGdiDeleteObjectApp (285541418, ... 02064 1072 NtAllocateVirtualMemory (-1, 4603904, 0, 4096, 4096, 4, ... 02065 596 NtDeviceIoControlFile (492, 268, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 02066 944 NtWaitForSingleObject (460, 0, 0x0, ... 02061 456 NtCreateThread ... 
540, {444, 1080}, ) == 0x0 02067 940 NtWaitForSingleObject (80, 0, {0, 0}, ... 02063 576 NtGdiDeleteObjectApp ... ) == 0x1 02064 1072 NtAllocateVirtualMemory ... 4603904, 4096, ) == 0x0 02065 596 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 02068 456 NtQueryInformationThread (540, Basic, 28, ... 02060 936 NtWaitForSingleObject ... ) == 0x102 02069 576 NtGdiDeleteObjectApp (134284331, ... 02070 1072 NtSetEventBoostPriority (460, ... 02067 940 NtWaitForSingleObject ... ) == 0x102 02071 936 NtWaitForSingleObject (208, 0, 0x0, ... 02069 576 NtGdiDeleteObjectApp ... ) == 0x1 02066 944 NtWaitForSingleObject ... ) == 0x0 02070 1072 NtSetEventBoostPriority ... ) == 0x0 02072 596 NtWaitForSingleObject (268, 1, {-5000000, -1}, ... 02073 940 NtWaitForSingleObject (460, 0, 0x0, ... 02074 944 NtSetEventBoostPriority (460, ... 02075 576 NtGdiExtGetObjectW (621085566, 24, 8712928, ... 02068 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=444,Tid=1080,}, 0x0, ) == 0x0 02076 1072 NtWaitForSingleObject (500, 0, 0x0, ... 02074 944 NtSetEventBoostPriority ... ) == 0x0 02073 940 NtWaitForSingleObject ... ) == 0x0 02075 576 NtGdiExtGetObjectW ... ) == 0x18 02077 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1558, 0} (24, {28, 56, new_msg, 0, 444, 456, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\2\0\0\274\1\0\08\4\0\0" ... ... 02078 940 NtWaitForSingleObject (208, 0, 0x0, ... 02079 944 NtSetEventBoostPriority (500, ... 02077 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1559, 0} ... {28, 56, reply, 0, 444, 456, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\2\0\0\274\1\0\08\4\0\0" ) ) == 0x0 02080 576 NtAllocateVirtualMemory (-1, 4608000, 0, 8192, 4096, 4, ... 01927 948 NtWaitForSingleObject ... ) == 0x0 02079 944 NtSetEventBoostPriority ... ) == 0x0 02081 456 NtResumeThread (540, ... 02082 948 NtWaitForSingleObject (460, 0, 0x0, ... 02080 576 NtAllocateVirtualMemory ... 
4608000, 8192, ) == 0x0 02083 944 NtWaitForSingleObject (80, 0, {0, 0}, ... 02081 456 NtResumeThread ... 1, ) == 0x0 02084 576 NtSetEventBoostPriority (460, ... 02083 944 NtWaitForSingleObject ... ) == 0x102 02085 1080 NtTestAlert (... 02082 948 NtWaitForSingleObject ... ) == 0x0 02084 576 NtSetEventBoostPriority ... ) == 0x0 02086 944 NtWaitForSingleObject (460, 0, 0x0, ... 02087 948 NtSetEventBoostPriority (460, ... 02085 1080 NtTestAlert ... ) == 0x0 02088 576 NtGdiGetDIBitsInternal (268502011, 621085566, 0, 32, 4604172, 4604120, 0, 4096, 0, ... 02089 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02087 948 NtSetEventBoostPriority ... ) == 0x0 02090 1080 NtContinue (114359600, 1, ... 02088 576 NtGdiGetDIBitsInternal ... ) == 0x20 02089 456 NtAllocateVirtualMemory ... 114360320, 2097152, ) == 0x0 02086 944 NtWaitForSingleObject ... ) == 0x0 02091 1080 NtRegisterThreadTerminatePort (24, ... 02092 948 NtSetEventBoostPriority (500, ... 02093 456 NtAllocateVirtualMemory (-1, 116449280, 0, 8192, 4096, 4, ... 02094 944 NtWaitForSingleObject (208, 0, 0x0, ... 02091 1080 NtRegisterThreadTerminatePort ... ) == 0x0 01930 952 NtWaitForSingleObject ... ) == 0x0 02092 948 NtSetEventBoostPriority ... ) == 0x0 02093 456 NtAllocateVirtualMemory ... 116449280, 8192, ) == 0x0 02095 576 NtUserGetDC (0, ... 02096 952 NtSetEventBoostPriority (500, ... 02097 948 NtWaitForSingleObject (80, 0, {0, 0}, ... 02098 456 NtProtectVirtualMemory (-1, (0x6f0e000), 4096, 260, ... 01932 956 NtWaitForSingleObject ... ) == 0x0 02096 952 NtSetEventBoostPriority ... ) == 0x0 02095 576 NtUserGetDC ... ) == 0x1010053 02097 948 NtWaitForSingleObject ... ) == 0x102 02099 956 NtSetEventBoostPriority (500, ... 02098 456 NtProtectVirtualMemory ... (0x6f0e000), 4096, 4, ) == 0x0 02100 952 NtWaitForSingleObject (80, 0, {0, 0}, ... 02101 576 NtGdiCreateCompatibleBitmap (16842835, 16, 16, ... 01936 960 NtWaitForSingleObject ... ) == 0x0 02099 956 NtSetEventBoostPriority ... 
) == 0x0 02102 948 NtWaitForSingleObject (208, 0, 0x0, ... 02103 1080 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02104 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02105 960 NtSetEventBoostPriority (500, ... 02101 576 NtGdiCreateCompatibleBitmap ... ) == 0xa05042b 02106 956 NtWaitForSingleObject (80, 0, {0, 0}, ... 02100 952 NtWaitForSingleObject ... ) == 0x102 02103 1080 NtDuplicateObject ... 544, ) == 0x0 02013 1028 NtWaitForSingleObject ... ) == 0x0 02105 960 NtSetEventBoostPriority ... ) == 0x0 02104 456 NtCreateThread ... 548, {444, 1084}, ) == 0x0 02107 576 NtUserCallOneParam (16842835, 56, ... 02108 952 NtWaitForSingleObject (208, 0, 0x0, ... 02109 1028 NtSetEventBoostPriority (500, ... 02110 1080 NtWaitForSingleObject (500, 0, 0x0, ... 02111 960 NtWaitForSingleObject (80, 0, {0, 0}, ... 02112 456 NtQueryInformationThread (548, Basic, 28, ... 02107 576 NtUserCallOneParam ... ) == 0x1 02018 1000 NtWaitForSingleObject ... ) == 0x0 02109 1028 NtSetEventBoostPriority ... ) == 0x0 02106 956 NtWaitForSingleObject ... ) == 0x102 02112 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=444,Tid=1084,}, 0x0, ) == 0x0 02111 960 NtWaitForSingleObject ... ) == 0x102 02113 1000 NtSetEventBoostPriority (500, ... 02114 1028 NtWaitForSingleObject (80, 0, {0, 0}, ... 02115 956 NtWaitForSingleObject (208, 0, 0x0, ... 02116 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1559, 0} (24, {28, 56, new_msg, 0, 444, 456, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\2\0\0\274\1\0\0<\4\0\0" ... ... 02021 1024 NtWaitForSingleObject ... ) == 0x0 02113 1000 NtSetEventBoostPriority ... ) == 0x0 02117 960 NtWaitForSingleObject (208, 0, 0x0, ... 02118 576 NtGdiSelectBitmap (268502011, 168100907, ... 02119 1024 NtSetEventBoostPriority (500, ... 02116 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1560, 0} ... 
{28, 56, reply, 0, 444, 456, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\2\0\0\274\1\0\0<\4\0\0" ) ) == 0x0 02114 1028 NtWaitForSingleObject ... ) == 0x102 02026 1032 NtWaitForSingleObject ... ) == 0x0 02119 1024 NtSetEventBoostPriority ... ) == 0x0 02118 576 NtGdiSelectBitmap ... ) == 0x185000f 02120 456 NtResumeThread (548, ... 02121 1032 NtSetEventBoostPriority (500, ... 02122 1028 NtWaitForSingleObject (208, 0, 0x0, ... 02123 1024 NtWaitForSingleObject (80, 0, {0, 0}, ... 02124 576 NtGdiDoPalette (268502011, 0, 1, 8712780, 4, 0, ... 02028 1048 NtWaitForSingleObject ... ) == 0x0 02120 456 NtResumeThread ... 1, ) == 0x0 02121 1032 NtSetEventBoostPriority ... ) == 0x0 02125 1000 NtWaitForSingleObject (80, 0, {0, 0}, ... 02126 1084 NtTestAlert (... 02124 576 NtGdiDoPalette ... ) == 0x0 02127 1048 NtSetEventBoostPriority (500, ... 02128 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02129 1032 NtWaitForSingleObject (80, 0, {0, 0}, ... 02125 1000 NtWaitForSingleObject ... ) == 0x102 02126 1084 NtTestAlert ... ) == 0x0 02130 576 NtGdiStretchDIBitsInternal (268502011, 0, 0, 16, 16, 0, 0, 32, 32, 4604172, 4601408, 0, 13369376, 40, 4096, 0, ... 02036 636 NtWaitForSingleObject ... ) == 0x0 02127 1048 NtSetEventBoostPriority ... ) == 0x0 02128 456 NtAllocateVirtualMemory ... 116457472, 2097152, ) == 0x0 02131 1000 NtWaitForSingleObject (208, 0, 0x0, ... 02132 1084 NtContinue (116456752, 1, ... 02133 636 NtSetEventBoostPriority (500, ... 02130 576 NtGdiStretchDIBitsInternal ... ) == 0x20 02134 1048 NtWaitForSingleObject (80, 0, {0, 0}, ... 02135 456 NtAllocateVirtualMemory (-1, 118546432, 0, 8192, 4096, 4, ... 02051 1052 NtWaitForSingleObject ... ) == 0x0 02133 636 NtSetEventBoostPriority ... ) == 0x0 02136 1084 NtRegisterThreadTerminatePort (24, ... 02123 1024 NtWaitForSingleObject ... ) == 0x102 02129 1032 NtWaitForSingleObject ... ) == 0x102 02137 576 NtGdiSelectBitmap (268502011, 25493519, ... 02134 1048 NtWaitForSingleObject ... 
) == 0x102 02138 1052 NtSetEventBoostPriority (500, ... 02135 456 NtAllocateVirtualMemory ... 118546432, 8192, ) == 0x0 02136 1084 NtRegisterThreadTerminatePort ... ) == 0x0 02139 1024 NtWaitForSingleObject (208, 0, 0x0, ... 02140 1032 NtWaitForSingleObject (208, 0, 0x0, ... 02137 576 NtGdiSelectBitmap ... ) == 0xa05042b 02076 1072 NtWaitForSingleObject ... ) == 0x0 02138 1052 NtSetEventBoostPriority ... ) == 0x0 02141 1048 NtWaitForSingleObject (208, 0, 0x0, ... 02142 456 NtProtectVirtualMemory (-1, (0x710e000), 4096, 260, ... 02143 636 NtWaitForSingleObject (500, 0, 0x0, ... 02144 1072 NtSetEventBoostPriority (500, ... 02145 576 NtGdiDeleteObjectApp (218432529, ... 02146 1084 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02142 456 NtProtectVirtualMemory ... (0x710e000), 4096, 4, ) == 0x0 02110 1080 NtWaitForSingleObject ... ) == 0x0 02144 1072 NtSetEventBoostPriority ... ) == 0x0 02145 576 NtGdiDeleteObjectApp ... ) == 0x1 02146 1084 NtDuplicateObject ... 552, ) == 0x0 02147 1080 NtSetEventBoostPriority (500, ... 02148 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02149 1072 NtWaitForSingleObject (80, 0, {0, 0}, ... 02150 576 NtGdiDeleteObjectApp (621085566, ... 02143 636 NtWaitForSingleObject ... ) == 0x0 02147 1080 NtSetEventBoostPriority ... ) == 0x0 02151 1084 NtWaitForSingleObject (500, 0, 0x0, ... 02148 456 NtCreateThread ... 556, {444, 1100}, ) == 0x0 02152 1052 NtWaitForSingleObject (80, 0, {0, 0}, ... 02153 636 NtSetEventBoostPriority (500, ... 02150 576 NtGdiDeleteObjectApp ... ) == 0x1 02149 1072 NtWaitForSingleObject ... ) == 0x102 02154 456 NtQueryInformationThread (556, Basic, 28, ... 02151 1084 NtWaitForSingleObject ... ) == 0x0 02153 636 NtSetEventBoostPriority ... ) == 0x0 02152 1052 NtWaitForSingleObject ... ) == 0x102 02155 1080 NtWaitForSingleObject (80, 0, {0, 0}, ... 02156 1072 NtWaitForSingleObject (208, 0, 0x0, ... 02157 576 NtUserCallOneParam (0, 33, ... 02158 1084 NtWaitForSingleObject (80, 0, {0, 0}, ... 
02159 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02160 1052 NtWaitForSingleObject (208, 0, 0x0, ... 02155 1080 NtWaitForSingleObject ... ) == 0x102 02157 576 NtUserCallOneParam ... ) == 0x3004d 02154 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=444,Tid=1100,}, 0x0, ) == 0x0 02161 1080 NtWaitForSingleObject (208, 0, 0x0, ... 02162 576 NtUserSetCursorIconData (196685, 8712964, 8712980, 8714064, ... 02163 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1560, 0} (24, {28, 56, new_msg, 0, 444, 456, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\274\1\0\0L\4\0\0" ... ... 02162 576 NtUserSetCursorIconData ... ) == 0x1 02163 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1561, 0} ... {28, 56, reply, 0, 444, 456, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\274\1\0\0L\4\0\0" ) ) == 0x0 02164 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711880, ... }, 8711880, ... 02165 456 NtResumeThread (556, ... 02164 576 NtQueryAttributesFile ... ) == 0x0 02165 456 NtResumeThread ... 1, ) == 0x0 02159 636 NtCreateEvent ... 560, ) == 0x0 02158 1084 NtWaitForSingleObject ... ) == 0x102 02166 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... }, 5, 96, ... 02167 1100 NtWaitForSingleObject (36, 0, 0x0, ... 02168 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02169 1084 NtWaitForSingleObject (208, 0, 0x0, ... 02166 576 NtOpenFile ... 564, {status=0x0, info=1}, ) == 0x0 02168 636 NtCreateEvent ... 568, ) == 0x0 02170 576 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 564, ... 02171 636 NtQuerySystemTime (... 02170 576 NtCreateSection ... 572, ) == 0x0 02171 636 NtQuerySystemTime ... {796480422, 29882643}, ) == 0x0 02172 576 NtClose (564, ... 02173 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02172 576 NtClose ... ) == 0x0 02174 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02173 636 NtCreateEvent ... 564, ) == 0x0 02174 456 NtAllocateVirtualMemory ... 118554624, 2097152, ) == 0x0 02175 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 02176 456 NtAllocateVirtualMemory (-1, 120643584, 0, 8192, 4096, 4, ... 02175 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02176 456 NtAllocateVirtualMemory ... 120643584, 8192, ) == 0x0 02177 636 NtQuerySystemInformation (Performance, 312, ... 02178 456 NtProtectVirtualMemory (-1, (0x730e000), 4096, 260, ... 02177 636 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 02178 456 NtProtectVirtualMemory ... (0x730e000), 4096, 4, ) == 0x0 02179 636 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 02180 576 NtMapViewOfSection (572, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02181 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02180 576 NtMapViewOfSection ... (0x7310000), 0x0, 204800, ) == 0x0 02181 456 NtCreateThread ... 576, {444, 1088}, ) == 0x0 02182 576 NtClose (572, ... 02183 456 NtQueryInformationThread (576, Basic, 28, ... 02182 576 NtClose ... ) == 0x0 02183 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=444,Tid=1088,}, 0x0, ) == 0x0 02184 576 NtUnmapViewOfSection (-1, 0x7310000, ... 02185 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1561, 0} (24, {28, 56, new_msg, 0, 444, 456, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\274\1\0\0@\4\0\0" ... ... 02184 576 NtUnmapViewOfSection ... ) == 0x0 02185 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1562, 0} ... {28, 56, reply, 0, 444, 456, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\274\1\0\0@\4\0\0" ) ) == 0x0 02179 636 NtQueryInformationProcess ... {process info, class 1, size 32}, 0x0, ) == 0x0 02186 456 NtResumeThread (576, ... 02187 636 NtQueryInformationProcess (-1, VmCounters, 44, ... 02186 456 NtResumeThread ... 
1, ) == 0x0 02187 636 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 02188 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02189 636 NtWaitForSingleObject (36, 0, 0x0, ... 02188 456 NtAllocateVirtualMemory ... 120651776, 2097152, ) == 0x0 02190 456 NtAllocateVirtualMemory (-1, 122740736, 0, 8192, 4096, 4, ... 122740736, 8192, ) == 0x0 02191 456 NtProtectVirtualMemory (-1, (0x750e000), 4096, 260, ... (0x750e000), 4096, 4, ) == 0x0 02192 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 572, {444, 1104}, ) == 0x0 02193 456 NtQueryInformationThread (572, Basic, 28, ... 02194 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8712196, ... }, 8712196, ... 02195 1088 NtWaitForSingleObject (36, 0, 0x0, ... 02194 576 NtQueryAttributesFile ... ) == 0x0 02196 576 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 580, {status=0x0, info=1}, ) }, 5, 96, ... 580, {status=0x0, info=1}, ) == 0x0 02197 576 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 580, ... 584, ) == 0x0 02198 576 NtQuerySection (584, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02199 576 NtClose (580, ... ) == 0x0 02200 576 NtMapViewOfSection (584, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 02193 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=444,Tid=1104,}, 0x0, ) == 0x0 02201 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1562, 0} (24, {28, 56, new_msg, 0, 444, 456, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\274\1\0\0P\4\0\0" ... {28, 56, reply, 0, 444, 456, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\274\1\0\0P\4\0\0" ) ... {28, 56, reply, 0, 444, 456, 1563, 0} (24, {28, 56, new_msg, 0, 444, 456, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\274\1\0\0P\4\0\0" ... 
{28, 56, reply, 0, 444, 456, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\274\1\0\0P\4\0\0" ) ) == 0x0 02202 456 NtResumeThread (572, ... 1, ) == 0x0 02203 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 122748928, 2097152, ) == 0x0 02204 456 NtAllocateVirtualMemory (-1, 124837888, 0, 8192, 4096, 4, ... 124837888, 8192, ) == 0x0 02205 456 NtProtectVirtualMemory (-1, (0x770e000), 4096, 260, ... (0x770e000), 4096, 4, ) == 0x0 02206 576 NtClose (584, ... 02207 1104 NtWaitForSingleObject (36, 0, 0x0, ... 02206 576 NtClose ... ) == 0x0 02208 576 NtUserGetWindowDC (0, ... ) == 0x1010050 02209 576 NtUserCallOneParam (16842832, 56, ... ) == 0x1 02210 576 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02211 576 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 02212 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 584, {444, 1108}, ) == 0x0 02213 456 NtQueryInformationThread (584, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=444,Tid=1108,}, 0x0, ) == 0x0 02214 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1563, 0} (24, {28, 56, new_msg, 0, 444, 456, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\274\1\0\0T\4\0\0" ... {28, 56, reply, 0, 444, 456, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\274\1\0\0T\4\0\0" ) ... {28, 56, reply, 0, 444, 456, 1564, 0} (24, {28, 56, new_msg, 0, 444, 456, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\274\1\0\0T\4\0\0" ... {28, 56, reply, 0, 444, 456, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\274\1\0\0T\4\0\0" ) ) == 0x0 02215 456 NtResumeThread (584, ... 1, ) == 0x0 02216 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 124846080, 2097152, ) == 0x0 02217 456 NtAllocateVirtualMemory (-1, 126935040, 0, 8192, 4096, 4, ... 02211 576 NtOpenProcessTokenEx ... 580, ) == 0x0 02218 1108 NtWaitForSingleObject (36, 0, 0x0, ... 02219 576 NtQueryInformationToken (580, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02220 576 NtClose (580, ... 
) == 0x0 02221 576 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 580, ) }, ... 580, ) == 0x0 02222 576 NtOpenKey (0x1, {24, 580, 0x40, 0, 0, (0x1, {24, 580, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 588, ) }, ... 588, ) == 0x0 02223 576 NtQueryValueKey (588, (588, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02224 576 NtClose (588, ... 02217 456 NtAllocateVirtualMemory ... 126935040, 8192, ) == 0x0 02225 456 NtProtectVirtualMemory (-1, (0x790e000), 4096, 260, ... (0x790e000), 4096, 4, ) == 0x0 02226 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 592, {444, 1160}, ) == 0x0 02227 456 NtQueryInformationThread (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=444,Tid=1160,}, 0x0, ) == 0x0 02228 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1564, 0} (24, {28, 56, new_msg, 0, 444, 456, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\274\1\0\0\210\4\0\0" ... {28, 56, reply, 0, 444, 456, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\274\1\0\0\210\4\0\0" ) ... {28, 56, reply, 0, 444, 456, 1565, 0} (24, {28, 56, new_msg, 0, 444, 456, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\274\1\0\0\210\4\0\0" ... {28, 56, reply, 0, 444, 456, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\274\1\0\0\210\4\0\0" ) ) == 0x0 02229 456 NtResumeThread (592, ... 1, ) == 0x0 02224 576 NtClose ... ) == 0x0 02230 1160 NtWaitForSingleObject (36, 0, 0x0, ... 02231 576 NtClose (580, ... ) == 0x0 02232 576 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02233 576 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 580, ) == 0x0 02234 576 NtQueryInformationToken (580, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02235 576 NtClose (580, ... 
) == 0x0 02236 576 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... }, ... 02237 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 126943232, 2097152, ) == 0x0 02238 456 NtAllocateVirtualMemory (-1, 129032192, 0, 8192, 4096, 4, ... 129032192, 8192, ) == 0x0 02239 456 NtProtectVirtualMemory (-1, (0x7b0e000), 4096, 260, ... (0x7b0e000), 4096, 4, ) == 0x0 02240 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 580, {444, 1156}, ) == 0x0 02241 456 NtQueryInformationThread (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=444,Tid=1156,}, 0x0, ) == 0x0 02242 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1565, 0} (24, {28, 56, new_msg, 0, 444, 456, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\274\1\0\0\204\4\0\0" ... ... 02236 576 NtOpenKey ... 588, ) == 0x0 02243 576 NtOpenKey (0x1, {24, 588, 0x40, 0, 0, (0x1, {24, 588, 0x40, 0, 0, "Control Panel\Desktop"}, ... 596, ) }, ... 596, ) == 0x0 02244 576 NtQueryValueKey (596, (596, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02245 576 NtClose (596, ... 02242 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1566, 0} ... {28, 56, reply, 0, 444, 456, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\274\1\0\0\204\4\0\0" ) ) == 0x0 02246 456 NtResumeThread (580, ... 1, ) == 0x0 02247 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 129040384, 2097152, ) == 0x0 02248 456 NtAllocateVirtualMemory (-1, 131129344, 0, 8192, 4096, 4, ... 131129344, 8192, ) == 0x0 02249 456 NtProtectVirtualMemory (-1, (0x7d0e000), 4096, 260, ... (0x7d0e000), 4096, 4, ) == 0x0 02250 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 600, {444, 1112}, ) == 0x0 02251 456 NtQueryInformationThread (600, Basic, 28, ... 02245 576 NtClose ... ) == 0x0 02252 1156 NtWaitForSingleObject (36, 0, 0x0, ... 02253 576 NtClose (588, ... 
) == 0x0 02254 576 NtSetEventBoostPriority (36, ... 02167 1100 NtWaitForSingleObject ... ) == 0x0 02255 1100 NtSetEventBoostPriority (36, ... 02189 636 NtWaitForSingleObject ... ) == 0x0 02256 636 NtSetEventBoostPriority (36, ... 02195 1088 NtWaitForSingleObject ... ) == 0x0 02257 1088 NtSetEventBoostPriority (36, ... 02207 1104 NtWaitForSingleObject ... ) == 0x0 02258 1104 NtSetEventBoostPriority (36, ... 02218 1108 NtWaitForSingleObject ... ) == 0x0 02259 1108 NtSetEventBoostPriority (36, ... 02230 1160 NtWaitForSingleObject ... ) == 0x0 02260 1160 NtSetEventBoostPriority (36, ... 02252 1156 NtWaitForSingleObject ... ) == 0x0 02261 1156 NtTestAlert (... ) == 0x0 02260 1160 NtSetEventBoostPriority ... ) == 0x0 02259 1108 NtSetEventBoostPriority ... ) == 0x0 02258 1104 NtSetEventBoostPriority ... ) == 0x0 02257 1088 NtSetEventBoostPriority ... ) == 0x0 02256 636 NtSetEventBoostPriority ... ) == 0x0 02255 1100 NtSetEventBoostPriority ... ) == 0x0 02254 576 NtSetEventBoostPriority ... ) == 0x0 02251 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=444,Tid=1112,}, 0x0, ) == 0x0 02262 1156 NtContinue (129039664, 1, ... 02263 1160 NtTestAlert (... 02264 1108 NtTestAlert (... 02265 1104 NtTestAlert (... 02266 1088 NtTestAlert (... 02267 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02268 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 8711696, ... }, 8711696, ... 02269 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1566, 0} (24, {28, 56, new_msg, 0, 444, 456, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\274\1\0\0X\4\0\0" ... ... 02270 1156 NtRegisterThreadTerminatePort (24, ... 02263 1160 NtTestAlert ... ) == 0x0 02264 1108 NtTestAlert ... ) == 0x0 02265 1104 NtTestAlert ... ) == 0x0 02266 1088 NtTestAlert ... ) == 0x0 02267 636 NtCreateEvent ... 588, ) == 0x0 02271 1100 NtTestAlert (... 02269 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1567, 0} ... 
{28, 56, reply, 0, 444, 456, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\274\1\0\0X\4\0\0" ) ) == 0x0 02270 1156 NtRegisterThreadTerminatePort ... ) == 0x0 02272 1160 NtContinue (126942512, 1, ... 02273 1108 NtContinue (124845360, 1, ... 02274 1104 NtContinue (122748208, 1, ... 02275 1088 NtContinue (120651056, 1, ... 02276 636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02271 1100 NtTestAlert ... ) == 0x0 02277 456 NtResumeThread (600, ... 02278 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02279 1160 NtRegisterThreadTerminatePort (24, ... 02280 1108 NtRegisterThreadTerminatePort (24, ... 02281 1104 NtRegisterThreadTerminatePort (24, ... 02282 1088 NtRegisterThreadTerminatePort (24, ... 02276 636 NtDuplicateObject ... 596, ) == 0x0 02283 1100 NtContinue (118553904, 1, ... 02277 456 NtResumeThread ... 1, ) == 0x0 02278 1156 NtDuplicateObject ... 604, ) == 0x0 02279 1160 NtRegisterThreadTerminatePort ... ) == 0x0 02280 1108 NtRegisterThreadTerminatePort ... ) == 0x0 02281 1104 NtRegisterThreadTerminatePort ... ) == 0x0 02282 1088 NtRegisterThreadTerminatePort ... ) == 0x0 02284 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02285 1100 NtRegisterThreadTerminatePort (24, ... 02286 1112 NtWaitForSingleObject (36, 0, 0x0, ... 02287 1156 NtWaitForSingleObject (80, 0, {0, 0}, ... 02288 1160 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02289 1108 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02290 1104 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02291 1088 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02284 636 NtCreateEvent ... 608, ) == 0x0 02285 1100 NtRegisterThreadTerminatePort ... ) == 0x0 02292 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02287 1156 NtWaitForSingleObject ... ) == 0x102 02288 1160 NtDuplicateObject ... 612, ) == 0x0 02289 1108 NtDuplicateObject ... 616, ) == 0x0 02290 1104 NtDuplicateObject ... 620, ) == 0x0 02291 1088 NtDuplicateObject ... 624, ) == 0x0 02293 1100 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02292 456 NtAllocateVirtualMemory ... 131137536, 2097152, ) == 0x0 02294 1156 NtWaitForSingleObject (208, 0, 0x0, ... 02295 1160 NtWaitForSingleObject (80, 0, {0, 0}, ... 02296 1108 NtWaitForSingleObject (80, 0, {0, 0}, ... 02297 1104 NtWaitForSingleObject (80, 0, {0, 0}, ... 02298 1088 NtWaitForSingleObject (80, 0, {0, 0}, ... 02299 636 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 19983996, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 19983996, 112, ... 02300 456 NtAllocateVirtualMemory (-1, 133226496, 0, 8192, 4096, 4, ... 02295 1160 NtWaitForSingleObject ... ) == 0x102 02296 1108 NtWaitForSingleObject ... ) == 0x102 02297 1104 NtWaitForSingleObject ... ) == 0x102 02298 1088 NtWaitForSingleObject ... ) == 0x102 02300 456 NtAllocateVirtualMemory ... 133226496, 8192, ) == 0x0 02301 1160 NtWaitForSingleObject (208, 0, 0x0, ... 02299 636 NtConnectPort ... 628, 0x0, 0x0, 0x0, 112, ) == 0x0 02302 1108 NtWaitForSingleObject (208, 0, 0x0, ... 02303 1104 NtWaitForSingleObject (208, 0, 0x0, ... 02304 1088 NtWaitForSingleObject (208, 0, 0x0, ... 02305 456 NtProtectVirtualMemory (-1, (0x7f0e000), 4096, 260, ... 02306 636 NtRequestWaitReplyPort (628, {128, 152, new_msg, 0, 4521984, 126032, 4521984, 19983760} (628, {128, 152, new_msg, 0, 4521984, 126032, 4521984, 19983760} "\0$\370w@\3640\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320`F\0\4\0\0\0\320`F\0\20\344\314w\320`F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1E\0\0\0\0\0x`F\0XPF\0P`F\0\0\0\0\0\0\0\0\0\0\0\0\0x`F\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02305 456 NtProtectVirtualMemory ... (0x7f0e000), 4096, 4, ) == 0x0 02306 636 NtRequestWaitReplyPort ... {128, 152, reply, 0, 444, 636, 1569, 0} ... 
{128, 152, reply, 0, 444, 636, 1569, 0} "\7$\370w@\3640\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320`F\0\377\377\377\377\320`F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1E\0\0\0\0\0x`F\0XPF\0P`F\0\0\0\0\0\0\0\0\0\0\0\0\0x`F\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02293 1100 NtDuplicateObject ... 632, ) == 0x0 02307 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02268 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02308 1100 NtWaitForSingleObject (80, 0, {0, 0}, ... 02307 456 NtCreateThread ... 636, {444, 1004}, ) == 0x0 02309 576 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 8711696, ... }, 8711696, ... 02308 1100 NtWaitForSingleObject ... ) == 0x102 02310 456 NtQueryInformationThread (636, Basic, 28, ... 02311 636 NtRequestWaitReplyPort (628, {64, 88, new_msg, 0, 0, 0, 0, 0} (628, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02312 1100 NtWaitForSingleObject (208, 0, 0x0, ... 02310 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=444,Tid=1004,}, 0x0, ) == 0x0 02313 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1567, 0} (24, {28, 56, new_msg, 0, 444, 456, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\274\1\0\0\354\3\0\0" ... {28, 56, reply, 0, 444, 456, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\274\1\0\0\354\3\0\0" ) ... {28, 56, reply, 0, 444, 456, 1571, 0} (24, {28, 56, new_msg, 0, 444, 456, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\274\1\0\0\354\3\0\0" ... {28, 56, reply, 0, 444, 456, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\274\1\0\0\354\3\0\0" ) ) == 0x0 02314 456 NtResumeThread (636, ... 1, ) == 0x0 02315 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
133234688, 2097152, ) == 0x0 02316 456 NtAllocateVirtualMemory (-1, 135323648, 0, 8192, 4096, 4, ... 02317 1004 NtWaitForSingleObject (36, 0, 0x0, ... 02316 456 NtAllocateVirtualMemory ... 135323648, 8192, ) == 0x0 02318 456 NtProtectVirtualMemory (-1, (0x810e000), 4096, 260, ... (0x810e000), 4096, 4, ) == 0x0 02319 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 640, {444, 1168}, ) == 0x0 02320 456 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=444,Tid=1168,}, 0x0, ) == 0x0 02321 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1571, 0} (24, {28, 56, new_msg, 0, 444, 456, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\274\1\0\0\220\4\0\0" ... {28, 56, reply, 0, 444, 456, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\274\1\0\0\220\4\0\0" ) ... {28, 56, reply, 0, 444, 456, 1572, 0} (24, {28, 56, new_msg, 0, 444, 456, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\274\1\0\0\220\4\0\0" ... {28, 56, reply, 0, 444, 456, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\274\1\0\0\220\4\0\0" ) ) == 0x0 02322 456 NtResumeThread (640, ... 1, ) == 0x0 02323 1168 NtWaitForSingleObject (36, 0, 0x0, ... 02324 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 135331840, 2097152, ) == 0x0 02325 456 NtAllocateVirtualMemory (-1, 137420800, 0, 8192, 4096, 4, ... 137420800, 8192, ) == 0x0 02326 456 NtProtectVirtualMemory (-1, (0x830e000), 4096, 260, ... (0x830e000), 4096, 4, ) == 0x0 02311 636 NtRequestWaitReplyPort ... {52, 76, reply, 0, 444, 636, 1570, 0} ... {52, 76, reply, 0, 444, 636, 1570, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200W\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02327 636 NtClose (608, ... ) == 0x0 02328 636 NtClose (628, ... ) == 0x0 02329 636 NtWaitForSingleObject (36, 0, 0x0, ... 02330 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
628, {444, 1076}, ) == 0x0 02331 456 NtQueryInformationThread (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=444,Tid=1076,}, 0x0, ) == 0x0 02332 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1572, 0} (24, {28, 56, new_msg, 0, 444, 456, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0\274\1\0\04\4\0\0" ... {28, 56, reply, 0, 444, 456, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0\274\1\0\04\4\0\0" ) ... {28, 56, reply, 0, 444, 456, 1574, 0} (24, {28, 56, new_msg, 0, 444, 456, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0\274\1\0\04\4\0\0" ... {28, 56, reply, 0, 444, 456, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0\274\1\0\04\4\0\0" ) ) == 0x0 02333 456 NtResumeThread (628, ... 1, ) == 0x0 02334 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 137428992, 2097152, ) == 0x0 02335 456 NtAllocateVirtualMemory (-1, 139517952, 0, 8192, 4096, 4, ... 02336 1076 NtWaitForSingleObject (36, 0, 0x0, ... 02335 456 NtAllocateVirtualMemory ... 139517952, 8192, ) == 0x0 02337 456 NtProtectVirtualMemory (-1, (0x850e000), 4096, 260, ... (0x850e000), 4096, 4, ) == 0x0 02338 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 608, {444, 1172}, ) == 0x0 02339 456 NtQueryInformationThread (608, Basic, 28, ... 02309 576 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02340 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 8711696, ... ) }, 8711696, ... ) == 0x0 02341 576 NtSetEventBoostPriority (36, ... 02286 1112 NtWaitForSingleObject ... ) == 0x0 02342 1112 NtSetEventBoostPriority (36, ... 02317 1004 NtWaitForSingleObject ... ) == 0x0 02343 1004 NtSetEventBoostPriority (36, ... 02323 1168 NtWaitForSingleObject ... ) == 0x0 02344 1168 NtSetEventBoostPriority (36, ... 02329 636 NtWaitForSingleObject ... ) == 0x0 02345 636 NtSetEventBoostPriority (36, ... 02336 1076 NtWaitForSingleObject ... ) == 0x0 02346 1076 NtTestAlert (... 
) == 0x0 02344 1168 NtSetEventBoostPriority ... ) == 0x0 02343 1004 NtSetEventBoostPriority ... ) == 0x0 02342 1112 NtSetEventBoostPriority ... ) == 0x0 02341 576 NtSetEventBoostPriority ... ) == 0x0 02345 636 NtSetEventBoostPriority ... ) == 0x0 02339 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=444,Tid=1172,}, 0x0, ) == 0x0 02347 1076 NtContinue (137428272, 1, ... 02348 1168 NtTestAlert (... 02349 1004 NtTestAlert (... 02350 1112 NtTestAlert (... 02351 576 NtUserGetProcessWindowStation (... 02352 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1574, 0} (24, {28, 56, new_msg, 0, 444, 456, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\274\1\0\0\224\4\0\0" ... ... 02353 1076 NtRegisterThreadTerminatePort (24, ... 02348 1168 NtTestAlert ... ) == 0x0 02349 1004 NtTestAlert ... ) == 0x0 02350 1112 NtTestAlert ... ) == 0x0 02351 576 NtUserGetProcessWindowStation ... ) == 0x34 02352 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1575, 0} ... {28, 56, reply, 0, 444, 456, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\274\1\0\0\224\4\0\0" ) ) == 0x0 02353 1076 NtRegisterThreadTerminatePort ... ) == 0x0 02354 1168 NtContinue (135331120, 1, ... 02355 1004 NtContinue (133233968, 1, ... 02356 1112 NtContinue (131136816, 1, ... 02357 576 NtUserGetObjectInformation (52, 2, 0, 0, 8713992, ... 02358 456 NtResumeThread (608, ... 02359 1076 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02360 1168 NtRegisterThreadTerminatePort (24, ... 02361 1004 NtRegisterThreadTerminatePort (24, ... 02362 1112 NtRegisterThreadTerminatePort (24, ... 02357 576 NtUserGetObjectInformation ... ) == 0x0 02358 456 NtResumeThread ... 1, ) == 0x0 02359 1076 NtDuplicateObject ... 644, ) == 0x0 02360 1168 NtRegisterThreadTerminatePort ... ) == 0x0 02361 1004 NtRegisterThreadTerminatePort ... ) == 0x0 02362 1112 NtRegisterThreadTerminatePort ... ) == 0x0 02363 576 NtUserGetObjectInformation (52, 2, 4557808, 16, 8713992, ... 
02364 636 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02365 1172 NtTestAlert (... 02366 1076 NtWaitForSingleObject (80, 0, {0, 0}, ... 02367 1168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02368 1004 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02369 1112 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02363 576 NtUserGetObjectInformation ... ) == 0x1 02364 636 NtCreateKey ... 648, 2, ) == 0x0 02365 1172 NtTestAlert ... ) == 0x0 02370 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02366 1076 NtWaitForSingleObject ... ) == 0x102 02367 1168 NtDuplicateObject ... 652, ) == 0x0 02368 1004 NtDuplicateObject ... 656, ) == 0x0 02369 1112 NtDuplicateObject ... 660, ) == 0x0 02371 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02372 1172 NtContinue (139525424, 1, ... 02370 456 NtAllocateVirtualMemory ... 139526144, 2097152, ) == 0x0 02373 1076 NtWaitForSingleObject (208, 0, 0x0, ... 02374 1168 NtWaitForSingleObject (80, 0, {0, 0}, ... 02375 1004 NtWaitForSingleObject (80, 0, {0, 0}, ... 02376 1112 NtWaitForSingleObject (80, 0, {0, 0}, ... 02371 636 NtOpenKey ... 664, ) == 0x0 02377 1172 NtRegisterThreadTerminatePort (24, ... 02378 456 NtAllocateVirtualMemory (-1, 141615104, 0, 8192, 4096, 4, ... 02374 1168 NtWaitForSingleObject ... ) == 0x102 02375 1004 NtWaitForSingleObject ... ) == 0x102 02376 1112 NtWaitForSingleObject ... ) == 0x102 02379 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02377 1172 NtRegisterThreadTerminatePort ... ) == 0x0 02378 456 NtAllocateVirtualMemory ... 
141615104, 8192, ) == 0x0 02380 1168 NtWaitForSingleObject (208, 0, 0x0, ... 02381 1004 NtWaitForSingleObject (208, 0, 0x0, ... 02382 1112 NtWaitForSingleObject (208, 0, 0x0, ... 02379 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02383 576 NtUserGetGUIThreadInfo (576, 8713948, ... 02384 456 NtProtectVirtualMemory (-1, (0x870e000), 4096, 260, ... 02385 1172 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02383 576 NtUserGetGUIThreadInfo ... ) == 0x1 02384 456 NtProtectVirtualMemory ... (0x870e000), 4096, 4, ) == 0x0 02385 1172 NtDuplicateObject ... 668, ) == 0x0 02386 576 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 8713768, 64, ... , {12, 2, 1, 1}, 0x0, 0x0, 8713768, 64, ... 02387 636 NtQueryValueKey (648, (648, "Hostname", Partial, 144, ... , Partial, 144, ... 02388 1172 NtWaitForSingleObject (80, 0, {0, 0}, ... 02387 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02388 1172 NtWaitForSingleObject ... ) == 0x102 02386 576 NtConnectPort ... 672, 0x0, 0x0, 0x0, 64, ) == 0x0 02389 636 NtQueryValueKey (648, (648, "Hostname", Partial, 144, ... , Partial, 144, ... 02390 1172 NtWaitForSingleObject (208, 0, 0x0, ... 02391 576 NtRequestWaitReplyPort (672, {32, 56, new_msg, 0, 0, 0, 0, 0} (672, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02389 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02392 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02393 636 NtClose (648, ... 02392 456 NtCreateThread ... 676, {444, 320}, ) == 0x0 02393 636 NtClose ... ) == 0x0 02394 456 NtQueryInformationThread (676, Basic, 28, ... 02391 576 NtRequestWaitReplyPort ... {32, 56, reply, 0, 444, 576, 1577, 0} ... 
{32, 56, reply, 0, 444, 576, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02394 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=444,Tid=320,}, 0x0, ) == 0x0 02395 576 NtRequestWaitReplyPort (672, {32, 56, new_msg, 0, 0, 0, 0, 0} (672, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02396 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1575, 0} (24, {28, 56, new_msg, 0, 444, 456, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\274\1\0\0@\1\0\0" ... ... 02395 576 NtRequestWaitReplyPort ... {32, 56, reply, 0, 444, 576, 1578, 0} ... {32, 56, reply, 0, 444, 576, 1578, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02397 576 NtUserCallNoParam (29, ... 02398 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711240, ... ) }, 8711240, ... ) == 0x0 02397 576 NtUserCallNoParam ... ) == 0x0 02399 576 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 02400 576 NtGdiHfontCreate (8713320, 356, 0, 0, 4615272, ... 02401 636 NtClose (664, ... 02396 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1579, 0} ... {28, 56, reply, 0, 444, 456, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\274\1\0\0@\1\0\0" ) ) == 0x0 02401 636 NtClose ... ) == 0x0 02402 456 NtResumeThread (676, ... 02403 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02402 456 NtResumeThread ... 1, ) == 0x0 02403 636 NtCreateEvent ... 664, ) == 0x0 02404 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02405 636 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 19983860, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 19983860, 112, ... 02404 456 NtAllocateVirtualMemory ... 141623296, 2097152, ) == 0x0 02406 456 NtAllocateVirtualMemory (-1, 143712256, 0, 8192, 4096, 4, ... 02400 576 NtGdiHfontCreate ... 
) == 0x100a0411 02407 320 NtTestAlert (... 02408 576 NtGdiHfontCreate (8713320, 356, 0, 0, 4615264, ... 02407 320 NtTestAlert ... ) == 0x0 02408 576 NtGdiHfontCreate ... ) == 0x3e0a0409 02409 320 NtContinue (141622576, 1, ... 02410 576 NtRequestWaitReplyPort (672, {32, 56, new_msg, 0, 0, 0, 0, 0} (672, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02411 320 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02410 576 NtRequestWaitReplyPort ... {32, 56, reply, 0, 444, 576, 1581, 0} ... {32, 56, reply, 0, 444, 576, 1581, 0} "\0\0\0\0\0\0\0\0\210\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02406 456 NtAllocateVirtualMemory ... 143712256, 8192, ) == 0x0 02405 636 NtConnectPort ... 680, 0x0, 0x0, 0x0, 112, ) == 0x0 02412 320 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02413 456 NtProtectVirtualMemory (-1, (0x890e000), 4096, 260, ... 02414 636 NtRequestWaitReplyPort (680, {128, 152, new_msg, 0, 4521984, 125896, 4521984, 19983624} (680, {128, 152, new_msg, 0, 4521984, 125896, 4521984, 19983624} "\0$\370w\270\3630\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320`F\0\4\0\0\0\320`F\0\20\344\314w\320`F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\220lF\0\0\0\0\0\0mF\0\260lF\0\330lF\0\0\0\0\0\0\0\0\0\0\0\0\0\0mF\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02412 320 NtDuplicateObject ... 684, ) == 0x0 02413 456 NtProtectVirtualMemory ... (0x890e000), 4096, 4, ) == 0x0 02415 320 NtWaitForSingleObject (80, 0, {0, 0}, ... 02416 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02415 320 NtWaitForSingleObject ... ) == 0x102 02416 456 NtCreateThread ... 688, {444, 324}, ) == 0x0 02417 320 NtWaitForSingleObject (208, 0, 0x0, ... 02418 456 NtQueryInformationThread (688, Basic, 28, ... 02419 576 NtMapViewOfSection (648, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 02414 636 NtRequestWaitReplyPort ... {128, 152, reply, 0, 444, 636, 1582, 0} ... 
{128, 152, reply, 0, 444, 636, 1582, 0} "\7$\370w\270\3630\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320`F\0\377\377\377\377\320`F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\220lF\0\0\0\0\0\0mF\0\260lF\0\330lF\0\0\0\0\0\0\0\0\0\0\0\0\0\0mF\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02419 576 NtMapViewOfSection ... (0x8910000), {0, 0}, 331776, ) == 0x0 02420 636 NtRequestWaitReplyPort (680, {44, 68, new_msg, 0, 444, 636, 1570, 0} (680, {44, 68, new_msg, 0, 444, 636, 1570, 0} "\1\0\0\0A\2\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 02421 576 NtAllocateVirtualMemory (-1, 13197312, 0, 4096, 4096, 4, ... 13197312, 4096, ) == 0x0 02422 576 NtUserGetWindowDC (0, ... ) == 0x1010050 02418 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=444,Tid=324,}, 0x0, ) == 0x0 02423 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1579, 0} (24, {28, 56, new_msg, 0, 444, 456, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\274\1\0\0D\1\0\0" ... {28, 56, reply, 0, 444, 456, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\274\1\0\0D\1\0\0" ) ... {28, 56, reply, 0, 444, 456, 1584, 0} (24, {28, 56, new_msg, 0, 444, 456, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\274\1\0\0D\1\0\0" ... {28, 56, reply, 0, 444, 456, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\274\1\0\0D\1\0\0" ) ) == 0x0 02424 456 NtResumeThread (688, ... 1, ) == 0x0 02425 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 144113664, 2097152, ) == 0x0 02426 456 NtAllocateVirtualMemory (-1, 146202624, 0, 8192, 4096, 4, ... 146202624, 8192, ) == 0x0 02427 456 NtProtectVirtualMemory (-1, (0x8b6e000), 4096, 260, ... (0x8b6e000), 4096, 4, ) == 0x0 02428 576 NtUserCallOneParam (16842832, 56, ... 02429 324 NtTestAlert (... 02428 576 NtUserCallOneParam ... ) == 0x1 02429 324 NtTestAlert ... ) == 0x0 02430 576 NtUserGetWindowDC (0, ... 02431 324 NtContinue (143719728, 1, ... 
02430 576 NtUserGetWindowDC ... ) == 0x1010050 02432 324 NtRegisterThreadTerminatePort (24, ... 02433 576 NtUserCallOneParam (16842832, 56, ... 02432 324 NtRegisterThreadTerminatePort ... ) == 0x0 02433 576 NtUserCallOneParam ... ) == 0x1 02434 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02435 324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02434 456 NtCreateThread ... 692, {444, 1224}, ) == 0x0 02435 324 NtDuplicateObject ... 696, ) == 0x0 02436 456 NtQueryInformationThread (692, Basic, 28, ... 02437 324 NtAllocateVirtualMemory (-1, 4616192, 0, 4096, 4096, 4, ... 02436 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=444,Tid=1224,}, 0x0, ) == 0x0 02437 324 NtAllocateVirtualMemory ... 4616192, 4096, ) == 0x0 02438 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1584, 0} (24, {28, 56, new_msg, 0, 444, 456, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\274\1\0\0\310\4\0\0" ... ... 02439 324 NtWaitForSingleObject (80, 0, {0, 0}, ... ) == 0x102 02440 324 NtWaitForSingleObject (208, 0, 0x0, ... 02441 576 NtUserGetWindowDC (0, ... ) == 0x1010050 02442 576 NtUserCallOneParam (16842832, 56, ... ) == 0x1 02443 576 NtUserGetWindowDC (0, ... ) == 0x1010050 02438 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1585, 0} ... {28, 56, reply, 0, 444, 456, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\274\1\0\0\310\4\0\0" ) ) == 0x0 02444 456 NtResumeThread (692, ... 1, ) == 0x0 02445 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 146210816, 2097152, ) == 0x0 02446 456 NtAllocateVirtualMemory (-1, 148299776, 0, 8192, 4096, 4, ... 148299776, 8192, ) == 0x0 02447 456 NtProtectVirtualMemory (-1, (0x8d6e000), 4096, 260, ... (0x8d6e000), 4096, 4, ) == 0x0 02448 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 700, {444, 1232}, ) == 0x0 02449 456 NtQueryInformationThread (700, Basic, 28, ... 02450 576 NtUserCallOneParam (16842832, 56, ... 
02420 636 NtRequestWaitReplyPort ... {40, 64, reply, 0, 444, 636, 1583, 0} ... {40, 64, reply, 0, 444, 636, 1583, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 02451 1224 NtTestAlert (... 02450 576 NtUserCallOneParam ... ) == 0x1 02452 636 NtRequestWaitReplyPort (680, {64, 88, new_msg, 56, 0, 1, 0, 0} (680, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\3570\1@\0\314wXOF\0\274\3570\1$\3600\1\0\267\362v$\3600\1XOF\0\1\0\0\0\250pF\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02451 1224 NtTestAlert ... ) == 0x0 02453 576 NtUserGetWindowDC (0, ... 02454 1224 NtContinue (146210096, 1, ... 02453 576 NtUserGetWindowDC ... ) == 0x1010050 02452 636 NtRequestWaitReplyPort ... {64, 88, reply, 56, 444, 636, 1586, 0} ... {64, 88, reply, 56, 444, 636, 1586, 0} "\10\3570\1@\0\314wXOF\0\274\3570\1$\3600\1\0\267\362v$\3600\1XOF\0\1\0\0\0\250pF\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02455 1224 NtRegisterThreadTerminatePort (24, ... 02456 576 NtUserCallOneParam (16842832, 56, ... 02457 636 NtClose (664, ... 02455 1224 NtRegisterThreadTerminatePort ... ) == 0x0 02456 576 NtUserCallOneParam ... ) == 0x1 02457 636 NtClose ... ) == 0x0 02449 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=444,Tid=1232,}, 0x0, ) == 0x0 02458 1224 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02459 576 NtUserGetWindowDC (0, ... 02460 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1585, 0} (24, {28, 56, new_msg, 0, 444, 456, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\274\1\0\0\320\4\0\0" ... ... 02458 1224 NtDuplicateObject ... 664, ) == 0x0 02459 576 NtUserGetWindowDC ... ) == 0x1010050 02460 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1587, 0} ... {28, 56, reply, 0, 444, 456, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\274\1\0\0\320\4\0\0" ) ) == 0x0 02461 1224 NtWaitForSingleObject (80, 0, {0, 0}, ... 
02462 576 NtUserCallOneParam (16842832, 56, ... 02463 456 NtResumeThread (700, ... 02461 1224 NtWaitForSingleObject ... ) == 0x102 02462 576 NtUserCallOneParam ... ) == 0x1 02463 456 NtResumeThread ... 1, ) == 0x0 02464 1224 NtWaitForSingleObject (208, 0, 0x0, ... 02465 576 NtUserGetWindowDC (0, ... 02466 636 NtClose (680, ... 02467 1232 NtTestAlert (... 02468 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02465 576 NtUserGetWindowDC ... ) == 0x1010050 02466 636 NtClose ... ) == 0x0 02467 1232 NtTestAlert ... ) == 0x0 02468 456 NtAllocateVirtualMemory ... 148307968, 2097152, ) == 0x0 02469 636 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02470 1232 NtContinue (148307248, 1, ... 02471 456 NtAllocateVirtualMemory (-1, 150396928, 0, 8192, 4096, 4, ... 02469 636 NtCreateKey ... 680, 2, ) == 0x0 02472 1232 NtRegisterThreadTerminatePort (24, ... 02471 456 NtAllocateVirtualMemory ... 150396928, 8192, ) == 0x0 02473 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02472 1232 NtRegisterThreadTerminatePort ... ) == 0x0 02474 456 NtProtectVirtualMemory (-1, (0x8f6e000), 4096, 260, ... 02473 636 NtOpenKey ... 704, ) == 0x0 02475 576 NtUserCallOneParam (16842832, 56, ... 02474 456 NtProtectVirtualMemory ... (0x8f6e000), 4096, 4, ) == 0x0 02476 1232 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02475 576 NtUserCallOneParam ... ) == 0x1 02477 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02476 1232 NtDuplicateObject ... 708, ) == 0x0 02478 576 NtUserGetWindowDC (0, ... 02477 636 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02479 1232 NtWaitForSingleObject (80, 0, {0, 0}, ... 02478 576 NtUserGetWindowDC ... ) == 0x1010050 02480 636 NtQueryValueKey (680, (680, "Domain", Partial, 144, ... , Partial, 144, ... 02479 1232 NtWaitForSingleObject ... ) == 0x102 02481 576 NtUserCallOneParam (16842832, 56, ... 02480 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02482 1232 NtWaitForSingleObject (208, 0, 0x0, ... 02481 576 NtUserCallOneParam ... ) == 0x1 02483 636 NtQueryValueKey (680, (680, "Domain", Partial, 144, ... , Partial, 144, ... 02484 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02483 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02484 456 NtCreateThread ... 712, {444, 1236}, ) == 0x0 02485 576 NtUserGetWindowDC (0, ... 02486 456 NtQueryInformationThread (712, Basic, 28, ... 02485 576 NtUserGetWindowDC ... ) == 0x1010050 02486 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=444,Tid=1236,}, 0x0, ) == 0x0 02487 576 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... 02488 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1587, 0} (24, {28, 56, new_msg, 0, 444, 456, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\274\1\0\0\324\4\0\0" ... ... 02487 576 NtGdiCreatePatternBrushInternal ... ) == 0x4e10037f 02489 576 NtUserCallOneParam (16842832, 56, ... ) == 0x1 02490 576 NtUserCallNoParam (29, ... 02491 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710684, ... ) }, 8710684, ... ) == 0x0 02490 576 NtUserCallNoParam ... ) == 0x0 02492 576 NtUserCallNoParam (29, ... 02493 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710680, ... }, 8710680, ... 02494 636 NtClose (680, ... 02488 456 NtRequestWaitReplyPort ... 
{28, 56, reply, 0, 444, 456, 1589, 0} ... {28, 56, reply, 0, 444, 456, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\274\1\0\0\324\4\0\0" ) ) == 0x0 02494 636 NtClose ... ) == 0x0 02495 456 NtResumeThread (712, ... 02496 636 NtClose (704, ... 02495 456 NtResumeThread ... 1, ) == 0x0 02496 636 NtClose ... ) == 0x0 02497 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02498 636 NtWaitForSingleObject (36, 0, 0x0, ... 02497 456 NtAllocateVirtualMemory ... 150405120, 2097152, ) == 0x0 02499 456 NtAllocateVirtualMemory (-1, 152494080, 0, 8192, 4096, 4, ... 152494080, 8192, ) == 0x0 02500 456 NtProtectVirtualMemory (-1, (0x916e000), 4096, 260, ... (0x916e000), 4096, 4, ) == 0x0 02501 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 704, {444, 1240}, ) == 0x0 02502 456 NtQueryInformationThread (704, Basic, 28, ... 02493 576 NtQueryAttributesFile ... ) == 0x0 02503 1236 NtWaitForSingleObject (36, 0, 0x0, ... 02504 576 NtSetEventBoostPriority (36, ... 02498 636 NtWaitForSingleObject ... ) == 0x0 02505 636 NtSetEventBoostPriority (36, ... 02503 1236 NtWaitForSingleObject ... ) == 0x0 02506 1236 NtTestAlert (... ) == 0x0 02505 636 NtSetEventBoostPriority ... ) == 0x0 02504 576 NtSetEventBoostPriority ... ) == 0x0 02502 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=444,Tid=1240,}, 0x0, ) == 0x0 02507 1236 NtContinue (150404400, 1, ... 02492 576 NtUserCallNoParam ... ) == 0x0 02508 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1589, 0} (24, {28, 56, new_msg, 0, 444, 456, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\274\1\0\0\330\4\0\0" ... ... 02509 1236 NtRegisterThreadTerminatePort (24, ... 02510 576 NtUserMessageCall (0x200be, WM_NCCREATE, 0x0, 0x84f814, 0, 670, 1, ... 02508 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1590, 0} ... 
{28, 56, reply, 0, 444, 456, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\274\1\0\0\330\4\0\0" ) ) == 0x0 02509 1236 NtRegisterThreadTerminatePort ... ) == 0x0 02510 576 NtUserMessageCall ... ) == 0x1 02511 456 NtResumeThread (704, ... 02512 1236 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02513 636 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 02511 456 NtResumeThread ... 1, ) == 0x0 02512 1236 NtDuplicateObject ... 680, ) == 0x0 02513 636 NtOpenKey ... 716, ) == 0x0 02514 576 NtUserMessageCall (0x200be, WM_NCCALCSIZE, 0x0, 0x84f848, 0, 670, 1, ... 02515 1240 NtTestAlert (... 02516 1236 NtWaitForSingleObject (80, 0, {0, 0}, ... 02517 636 NtQueryValueKey (716, (716, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 02514 576 NtUserMessageCall ... ) == 0x0 02515 1240 NtTestAlert ... ) == 0x0 02518 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02517 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02519 576 NtUserGetClassName (131262, 0, 8713472, ... 02520 1240 NtContinue (152501552, 1, ... 02518 456 NtAllocateVirtualMemory ... 152502272, 2097152, ) == 0x0 02521 636 NtClose (716, ... 02516 1236 NtWaitForSingleObject ... ) == 0x102 02522 1240 NtRegisterThreadTerminatePort (24, ... 02523 456 NtAllocateVirtualMemory (-1, 154591232, 0, 8192, 4096, 4, ... 02521 636 NtClose ... ) == 0x0 02524 1236 NtWaitForSingleObject (208, 0, 0x0, ... 02522 1240 NtRegisterThreadTerminatePort ... ) == 0x0 02523 456 NtAllocateVirtualMemory ... 154591232, 8192, ) == 0x0 02519 576 NtUserGetClassName ... ) == 0x6 02525 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 19983404, ... }, 19983404, ... 02526 456 NtProtectVirtualMemory (-1, (0x936e000), 4096, 260, ... 02527 576 NtUserRemoveProp (131262, 43282, ... 02525 636 NtQueryAttributesFile ... ) == 0x0 02526 456 NtProtectVirtualMemory ... 
(0x936e000), 4096, 4, ) == 0x0 02527 576 NtUserRemoveProp ... ) == 0x0 02528 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 02529 1240 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02530 576 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 4194366, 8713064, 35020, 28} (24, {24, 52, new_msg, 0, 4194366, 8713064, 35020, 28} "\0\0\0\0\5\4\3\0I\0N\0D\0O\0@\2\0\0\0\0\0\0" ... ... 02528 636 NtOpenFile ... 716, {status=0x0, info=1}, ) == 0x0 02529 1240 NtDuplicateObject ... 720, ) == 0x0 02530 576 NtRequestWaitReplyPort ... {24, 52, reply, 0, 444, 576, 1591, 0} ... {24, 52, reply, 0, 444, 576, 1591, 0} "\0\0\0\0\5\4\3\0\0\0\0\0D\0O\0@\2\0\0\0\0\0\0" ) ) == 0x0 02531 636 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 716, ... 02532 1240 NtWaitForSingleObject (80, 0, {0, 0}, ... 02533 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02531 636 NtCreateSection ... 724, ) == 0x0 02532 1240 NtWaitForSingleObject ... ) == 0x102 02533 456 NtCreateThread ... 728, {444, 1248}, ) == 0x0 02534 576 NtUserGetThreadDesktop (576, 0, ... 02535 1240 NtWaitForSingleObject (208, 0, 0x0, ... 02536 456 NtQueryInformationThread (728, Basic, 28, ... 02534 576 NtUserGetThreadDesktop ... ) == 0x38 02537 636 NtClose (716, ... 02536 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=444,Tid=1248,}, 0x0, ) == 0x0 02538 576 NtUserGetObjectInformation (56, 2, 8713148, 520, 0, ... 02537 636 NtClose ... ) == 0x0 02539 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1590, 0} (24, {28, 56, new_msg, 0, 444, 456, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\274\1\0\0\340\4\0\0" ... ... 02538 576 NtUserGetObjectInformation ... ) == 0x1 02540 636 NtMapViewOfSection (724, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02541 576 NtGdiDeleteObjectApp (1309672319, ... 02540 636 NtMapViewOfSection ... (0xef0000), 0x0, 16384, ) == 0x0 02541 576 NtGdiDeleteObjectApp ... 
) == 0x1 02542 636 NtClose (724, ... 02539 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1592, 0} ... {28, 56, reply, 0, 444, 456, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\274\1\0\0\340\4\0\0" ) ) == 0x0 02542 636 NtClose ... ) == 0x0 02543 456 NtResumeThread (728, ... 02544 576 NtUserGetWindowDC (0, ... 02543 456 NtResumeThread ... 1, ) == 0x0 02544 576 NtUserGetWindowDC ... ) == 0x1010050 02545 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02546 576 NtUserCallOneParam (16842832, 56, ... 02545 456 NtAllocateVirtualMemory ... 154599424, 2097152, ) == 0x0 02546 576 NtUserCallOneParam ... ) == 0x1 02547 456 NtAllocateVirtualMemory (-1, 156688384, 0, 8192, 4096, 4, ... 02548 576 NtUserGetWindowDC (0, ... 02549 636 NtUnmapViewOfSection (-1, 0xef0000, ... 02550 1248 NtWaitForSingleObject (36, 0, 0x0, ... 02548 576 NtUserGetWindowDC ... ) == 0x1010050 02549 636 NtUnmapViewOfSection ... ) == 0x0 02547 456 NtAllocateVirtualMemory ... 156688384, 8192, ) == 0x0 02551 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 19983720, ... }, 19983720, ... 02552 456 NtProtectVirtualMemory (-1, (0x956e000), 4096, 260, ... 02551 636 NtQueryAttributesFile ... ) == 0x0 02552 456 NtProtectVirtualMemory ... (0x956e000), 4096, 4, ) == 0x0 02553 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 02554 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02553 636 NtOpenFile ... 724, {status=0x0, info=1}, ) == 0x0 02554 456 NtCreateThread ... 716, {444, 1252}, ) == 0x0 02555 576 NtUserCallOneParam (16842832, 56, ... 02556 456 NtQueryInformationThread (716, Basic, 28, ... 02555 576 NtUserCallOneParam ... ) == 0x1 02557 636 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 724, ... 02558 576 NtUserGetWindowDC (0, ... 02557 636 NtCreateSection ... 732, ) == 0x0 02558 576 NtUserGetWindowDC ... 
) == 0x1010050 02559 636 NtQuerySection (732, Image, 48, ... 02560 576 NtUserCallOneParam (16842832, 56, ... 02559 636 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 02560 576 NtUserCallOneParam ... ) == 0x1 02561 636 NtClose (724, ... 02556 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=444,Tid=1252,}, 0x0, ) == 0x0 02561 636 NtClose ... ) == 0x0 02562 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1592, 0} (24, {28, 56, new_msg, 0, 444, 456, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\274\1\0\0\344\4\0\0" ... ... 02563 576 NtUserGetWindowDC (0, ... 02562 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1593, 0} ... {28, 56, reply, 0, 444, 456, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\274\1\0\0\344\4\0\0" ) ) == 0x0 02563 576 NtUserGetWindowDC ... ) == 0x1010050 02564 456 NtResumeThread (716, ... 02565 576 NtUserCallOneParam (16842832, 56, ... 02564 456 NtResumeThread ... 1, ) == 0x0 02565 576 NtUserCallOneParam ... ) == 0x1 02566 636 NtMapViewOfSection (732, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 02567 1252 NtWaitForSingleObject (36, 0, 0x0, ... 02568 576 NtUserGetWindowDC (0, ... 02566 636 NtMapViewOfSection ... (0x76fb0000), 0x0, 28672, ) == 0x0 02568 576 NtUserGetWindowDC ... ) == 0x1010050 02569 636 NtClose (732, ... 02570 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02569 636 NtClose ... ) == 0x0 02570 456 NtAllocateVirtualMemory ... 156696576, 2097152, ) == 0x0 02571 636 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ... 02572 456 NtAllocateVirtualMemory (-1, 158785536, 0, 8192, 4096, 4, ... 02571 636 NtOpenSection ... 732, ) == 0x0 02572 456 NtAllocateVirtualMemory ... 158785536, 8192, ) == 0x0 02573 576 NtUserCallOneParam (16842832, 56, ... 02574 456 NtProtectVirtualMemory (-1, (0x976e000), 4096, 260, ... 02573 576 NtUserCallOneParam ... ) == 0x1 02574 456 NtProtectVirtualMemory ... 
(0x976e000), 4096, 4, ) == 0x0 02575 576 NtUserGetWindowDC (0, ... 02576 636 NtMapViewOfSection (732, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 02575 576 NtUserGetWindowDC ... ) == 0x1010050 02576 636 NtMapViewOfSection ... (0x76f60000), 0x0, 180224, ) == 0x0 02577 576 NtUserCallOneParam (16842832, 56, ... 02578 636 NtClose (732, ... 02577 576 NtUserCallOneParam ... ) == 0x1 02578 636 NtClose ... ) == 0x0 02579 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02580 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02579 456 NtCreateThread ... 732, {444, 1256}, ) == 0x0 02580 636 NtCreateEvent ... 724, ) == 0x0 02581 456 NtQueryInformationThread (732, Basic, 28, ... 02582 576 NtUserGetWindowDC (0, ... 02581 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=444,Tid=1256,}, 0x0, ) == 0x0 02582 576 NtUserGetWindowDC ... ) == 0x1010050 02583 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1593, 0} (24, {28, 56, new_msg, 0, 444, 456, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\274\1\0\0\350\4\0\0" ... ... 02584 576 NtUserCallOneParam (16842832, 56, ... ) == 0x1 02585 576 NtUserGetWindowDC (0, ... ) == 0x1010050 02586 576 NtUserCallOneParam (16842832, 56, ... ) == 0x1 02587 576 NtUserGetWindowDC (0, ... ) == 0x1010050 02588 576 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x4f10037f 02589 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... }, ... 02583 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1594, 0} ... {28, 56, reply, 0, 444, 456, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\274\1\0\0\350\4\0\0" ) ) == 0x0 02590 456 NtResumeThread (732, ... 1, ) == 0x0 02591 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 158793728, 2097152, ) == 0x0 02592 456 NtAllocateVirtualMemory (-1, 160882688, 0, 8192, 4096, 4, ... 160882688, 8192, ) == 0x0 02593 456 NtProtectVirtualMemory (-1, (0x996e000), 4096, 260, ... 
(0x996e000), 4096, 4, ) == 0x0 02594 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02589 636 NtOpenKey ... 736, ) == 0x0 02595 636 NtQueryValueKey (736, (736, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (736, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02596 636 NtClose (736, ... ) == 0x0 02597 636 NtSetEventBoostPriority (36, ... 02550 1248 NtWaitForSingleObject ... ) == 0x0 02598 1248 NtSetEventBoostPriority (36, ... 02567 1252 NtWaitForSingleObject ... ) == 0x0 02599 1252 NtTestAlert (... ) == 0x0 02598 1248 NtSetEventBoostPriority ... ) == 0x0 02597 636 NtSetEventBoostPriority ... ) == 0x0 02594 456 NtCreateThread ... 736, {444, 1260}, ) == 0x0 02600 576 NtUserCallOneParam (16842832, 56, ... 02601 1256 NtTestAlert (... 02602 1252 NtContinue (156695856, 1, ... 02603 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 19983404, ... }, 19983404, ... 02604 456 NtQueryInformationThread (736, Basic, 28, ... 02600 576 NtUserCallOneParam ... ) == 0x1 02601 1256 NtTestAlert ... ) == 0x0 02605 1252 NtRegisterThreadTerminatePort (24, ... 02603 636 NtQueryAttributesFile ... ) == 0x0 02606 1248 NtTestAlert (... 02607 576 NtUserSetProp (131262, 43288, 13199184, ... 02608 1256 NtContinue (158793008, 1, ... 02605 1252 NtRegisterThreadTerminatePort ... ) == 0x0 02604 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=444,Tid=1260,}, 0x0, ) == 0x0 02606 1248 NtTestAlert ... ) == 0x0 02607 576 NtUserSetProp ... ) == 0x1 02609 1256 NtRegisterThreadTerminatePort (24, ... 02610 1252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02611 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1594, 0} (24, {28, 56, new_msg, 0, 444, 456, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\2\0\0\274\1\0\0\354\4\0\0" ... ... 
02612 1248 NtContinue (154598704, 1, ... 02613 576 NtUserGetAncestor (131262, 1, ... 02609 1256 NtRegisterThreadTerminatePort ... ) == 0x0 02610 1252 NtDuplicateObject ... 740, ) == 0x0 02611 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1595, 0} ... {28, 56, reply, 0, 444, 456, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\2\0\0\274\1\0\0\354\4\0\0" ) ) == 0x0 02614 1248 NtRegisterThreadTerminatePort (24, ... 02613 576 NtUserGetAncestor ... ) == 0x10014 02615 636 NtQuerySystemInformation (Basic, 44, ... 02616 1252 NtWaitForSingleObject (80, 0, {0, 0}, ... 02617 456 NtResumeThread (736, ... 02614 1248 NtRegisterThreadTerminatePort ... ) == 0x0 02618 1256 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02615 636 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02619 576 NtUserSetWindowPos (131262, 0, 0, 0, 123, 34, 1047, ... 02617 456 NtResumeThread ... 1, ) == 0x0 02620 1248 NtAllocateVirtualMemory (-1, 4620288, 0, 4096, 4096, 4, ... 02618 1256 NtDuplicateObject ... 744, ) == 0x0 02621 636 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 02619 576 NtUserSetWindowPos ... ) == 0x1 02616 1252 NtWaitForSingleObject ... ) == 0x102 02622 1260 NtWaitForSingleObject (460, 0, 0x0, ... 02623 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02624 1256 NtWaitForSingleObject (460, 0, 0x0, ... 02621 636 NtAllocateVirtualMemory ... 15663104, 65536, ) == 0x0 01506 576 NtUserCreateWindowEx ... ) == 0x200be 02625 1252 NtWaitForSingleObject (460, 0, 0x0, ... 02623 456 NtAllocateVirtualMemory ... 160890880, 2097152, ) == 0x0 02626 636 NtAllocateVirtualMemory (-1, 15663104, 0, 4096, 4096, 4, ... 02627 456 NtAllocateVirtualMemory (-1, 162979840, 0, 8192, 4096, 4, ... 02626 636 NtAllocateVirtualMemory ... 
15663104, 4096, ) == 0x0 02627 456 NtAllocateVirtualMemory ... 162979840, 8192, ) == 0x0 02620 1248 NtAllocateVirtualMemory ... 4620288, 4096, ) == 0x0 02628 576 NtOpenThreadToken (-2, 0xc, 1, ... 02629 456 NtProtectVirtualMemory (-1, (0x9b6e000), 4096, 260, ... 02630 1248 NtSetEventBoostPriority (460, ... 02628 576 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02629 456 NtProtectVirtualMemory ... (0x9b6e000), 4096, 4, ) == 0x0 02622 1260 NtWaitForSingleObject ... ) == 0x0 02630 1248 NtSetEventBoostPriority ... ) == 0x0 02631 576 NtWaitForSingleObject (460, 0, 0x0, ... 02632 636 NtWaitForSingleObject (460, 0, 0x0, ... 02633 1260 NtSetEventBoostPriority (460, ... 02634 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02635 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02624 1256 NtWaitForSingleObject ... ) == 0x0 02633 1260 NtSetEventBoostPriority ... ) == 0x0 02634 1248 NtDuplicateObject ... 748, ) == 0x0 02636 1256 NtSetEventBoostPriority (460, ... 02635 456 NtCreateThread ... 752, {444, 1268}, ) == 0x0 02625 1252 NtWaitForSingleObject ... ) == 0x0 02636 1256 NtSetEventBoostPriority ... ) == 0x0 02637 1248 NtWaitForSingleObject (460, 0, 0x0, ... 02638 1252 NtSetEventBoostPriority (460, ... 02639 456 NtQueryInformationThread (752, Basic, 28, ... 02640 1260 NtTestAlert (... 02641 1256 NtWaitForSingleObject (460, 0, 0x0, ... 02632 636 NtWaitForSingleObject ... ) == 0x0 02638 1252 NtSetEventBoostPriority ... ) == 0x0 02639 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=444,Tid=1268,}, 0x0, ) == 0x0 02640 1260 NtTestAlert ... ) == 0x0 02642 636 NtSetEventBoostPriority (460, ... 02643 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1595, 0} (24, {28, 56, new_msg, 0, 444, 456, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\274\1\0\0\364\4\0\0" ... ... 02631 576 NtWaitForSingleObject ... ) == 0x0 02642 636 NtSetEventBoostPriority ... ) == 0x0 02644 1260 NtContinue (160890160, 1, ... 
02645 576 NtSetEventBoostPriority (460, ... 02646 636 NtAllocateVirtualMemory (-1, 15667200, 0, 8192, 4096, 4, ... 02641 1256 NtWaitForSingleObject ... ) == 0x0 02647 1260 NtRegisterThreadTerminatePort (24, ... 02645 576 NtSetEventBoostPriority ... ) == 0x0 02648 1252 NtWaitForSingleObject (208, 0, 0x0, ... 02643 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1596, 0} ... {28, 56, reply, 0, 444, 456, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\274\1\0\0\364\4\0\0" ) ) == 0x0 02649 1256 NtSetEventBoostPriority (460, ... 02647 1260 NtRegisterThreadTerminatePort ... ) == 0x0 02650 576 NtWaitForSingleObject (460, 0, 0x0, ... 02651 456 NtResumeThread (752, ... 02637 1248 NtWaitForSingleObject ... ) == 0x0 02649 1256 NtSetEventBoostPriority ... ) == 0x0 02652 1260 NtWaitForSingleObject (460, 0, 0x0, ... 02653 1248 NtSetEventBoostPriority (460, ... 02651 456 NtResumeThread ... 1, ) == 0x0 02654 1256 NtWaitForSingleObject (460, 0, 0x0, ... 02646 636 NtAllocateVirtualMemory ... 15667200, 8192, ) == 0x0 02655 1268 NtWaitForSingleObject (460, 0, 0x0, ... 02650 576 NtWaitForSingleObject ... ) == 0x0 02656 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02653 1248 NtSetEventBoostPriority ... ) == 0x0 02657 636 NtWaitForSingleObject (500, 0, 0x0, ... 02658 576 NtSetEventBoostPriority (460, ... 02656 456 NtAllocateVirtualMemory ... 162988032, 2097152, ) == 0x0 02659 1248 NtWaitForSingleObject (460, 0, 0x0, ... 02652 1260 NtWaitForSingleObject ... ) == 0x0 02658 576 NtSetEventBoostPriority ... ) == 0x0 02660 456 NtAllocateVirtualMemory (-1, 165076992, 0, 8192, 4096, 4, ... 02661 1260 NtSetEventBoostPriority (460, ... 02662 576 NtWaitForSingleObject (460, 0, 0x0, ... 02655 1268 NtWaitForSingleObject ... ) == 0x0 02663 1268 NtSetEventBoostPriority (460, ... 02659 1248 NtWaitForSingleObject ... ) == 0x0 02664 1248 NtSetEventBoostPriority (460, ... 02654 1256 NtWaitForSingleObject ... ) == 0x0 02665 1256 NtSetEventBoostPriority (460, ... 
02662 576 NtWaitForSingleObject ... ) == 0x0 02666 576 NtCreateSemaphore (0x1f0003, {24, 32, 0x80, 4620360, 0, (0x1f0003, {24, 32, 0x80, 4620360, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 756, ) }, 0, 2147483647, ... 756, ) == STATUS_OBJECT_NAME_EXISTS 02667 576 NtReleaseSemaphore (756, 1, ... 02664 1248 NtSetEventBoostPriority ... ) == 0x0 02663 1268 NtSetEventBoostPriority ... ) == 0x0 02665 1256 NtSetEventBoostPriority ... ) == 0x0 02661 1260 NtSetEventBoostPriority ... ) == 0x0 02660 456 NtAllocateVirtualMemory ... 165076992, 8192, ) == 0x0 02667 576 NtReleaseSemaphore ... 0, ) == 0x0 02668 1248 NtWaitForSingleObject (500, 0, 0x0, ... 02669 1256 NtSetEventBoostPriority (500, ... 02670 1260 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02671 456 NtProtectVirtualMemory (-1, (0x9d6e000), 4096, 260, ... 02672 576 NtWaitForSingleObject (756, 0, {0, 0}, ... 02657 636 NtWaitForSingleObject ... ) == 0x0 02669 1256 NtSetEventBoostPriority ... ) == 0x0 02670 1260 NtDuplicateObject ... 760, ) == 0x0 02671 456 NtProtectVirtualMemory ... (0x9d6e000), 4096, 4, ) == 0x0 02673 636 NtSetEventBoostPriority (500, ... 02672 576 NtWaitForSingleObject ... ) == 0x0 02674 1268 NtTestAlert (... 02675 1256 NtWaitForSingleObject (80, 0, {0, 0}, ... 02668 1248 NtWaitForSingleObject ... ) == 0x0 02673 636 NtSetEventBoostPriority ... ) == 0x0 02676 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02677 576 NtCreateKey (0x2000000, {24, 124, 0x40, 0, 0, (0x2000000, {24, 124, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02674 1268 NtTestAlert ... ) == 0x0 02678 1248 NtWaitForSingleObject (80, 0, {0, 0}, ... 02675 1256 NtWaitForSingleObject ... ) == 0x102 02679 1260 NtWaitForSingleObject (80, 0, {0, 0}, ... 02676 456 NtCreateThread ... 764, {444, 1284}, ) == 0x0 02677 576 NtCreateKey ... 768, 2, ) == 0x0 02678 1248 NtWaitForSingleObject ... 
) == 0x102 02680 1268 NtContinue (162987312, 1, ... 02681 1256 NtWaitForSingleObject (208, 0, 0x0, ... 02679 1260 NtWaitForSingleObject ... ) == 0x102 02682 456 NtQueryInformationThread (764, Basic, 28, ... 02683 636 NtSetEventBoostPriority (208, ... 02684 576 NtQueryValueKey (768, (768, "Programs", Partial, 144, ... , Partial, 144, ... 02685 1268 NtRegisterThreadTerminatePort (24, ... 02686 1260 NtWaitForSingleObject (208, 0, 0x0, ... 02687 1248 NtWaitForSingleObject (208, 0, 0x0, ... 01069 732 NtWaitForSingleObject ... ) == 0x0 02683 636 NtSetEventBoostPriority ... ) == 0x0 02684 576 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0"}, 80, ) }, 80, ) == 0x0 02685 1268 NtRegisterThreadTerminatePort ... ) == 0x0 02688 732 NtSetEventBoostPriority (208, ... 02689 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02690 576 NtClose (768, ... 01149 796 NtWaitForSingleObject ... ) == 0x0 02688 732 NtSetEventBoostPriority ... ) == 0x0 02691 1268 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02689 636 NtCreateEvent ... 772, ) == 0x0 02692 796 NtSetEventBoostPriority (208, ... 02690 576 NtClose ... ) == 0x0 02693 732 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02682 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=444,Tid=1284,}, 0x0, ) == 0x0 01150 676 NtWaitForSingleObject ... ) == 0x0 02692 796 NtSetEventBoostPriority ... ) == 0x0 02694 636 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 19983692, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 19983692, 112, ... 02695 576 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs"}, 8714160, ... }, 8714160, ... 02691 1268 NtDuplicateObject ... 768, ) == 0x0 02696 676 NtSetEventBoostPriority (208, ... 
02697 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1596, 0} (24, {28, 56, new_msg, 0, 444, 456, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\274\1\0\0\4\5\0\0" ... ... 02693 732 NtCreateEvent ... 776, ) == 0x0 02695 576 NtQueryAttributesFile ... ) == 0x0 01152 784 NtWaitForSingleObject ... ) == 0x0 02696 676 NtSetEventBoostPriority ... ) == 0x0 02698 1268 NtWaitForSingleObject (80, 0, {0, 0}, ... 02697 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1598, 0} ... {28, 56, reply, 0, 444, 456, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\274\1\0\0\4\5\0\0" ) ) == 0x0 02699 732 NtAllocateVirtualMemory (-1, 4624384, 0, 4096, 4096, 4, ... 02700 796 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02694 636 NtConnectPort ... 780, 0x0, 0x0, 0x0, 112, ) == 0x0 02701 784 NtWaitForSingleObject (460, 0, 0x0, ... 02702 576 NtCreateKey (0x2000000, {24, 124, 0x40, 0, 0, (0x2000000, {24, 124, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02698 1268 NtWaitForSingleObject ... ) == 0x102 02703 456 NtResumeThread (764, ... 02699 732 NtAllocateVirtualMemory ... 4624384, 4096, ) == 0x0 02700 796 NtCreateEvent ... 784, ) == 0x0 02704 636 NtRequestWaitReplyPort (780, {128, 152, new_msg, 0, 4521984, 125728, 4521984, 19983456} (780, {128, 152, new_msg, 0, 4521984, 125728, 4521984, 19983456} "\0$\370w\20\3630\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320`F\0\4\0\0\0\320`F\0\20\344\314w\320`F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1E\0\0\0\0\0@\210F\0\30\206F\0\30\210F\0\0\0\0\0\0\0\0\0\0\0\0\0@\210F\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02702 576 NtCreateKey ... 788, 2, ) == 0x0 02705 1268 NtWaitForSingleObject (208, 0, 0x0, ... 02703 456 NtResumeThread ... 1, ) == 0x0 02706 732 NtSetEventBoostPriority (460, ... 02707 796 NtWaitForSingleObject (460, 0, 0x0, ... 
02708 576 NtSetValueKey (788, (788, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... , 0, 1, (788, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... , 110, ... 02704 636 NtRequestWaitReplyPort ... {128, 152, reply, 0, 444, 636, 1599, 0} ... {128, 152, reply, 0, 444, 636, 1599, 0} "\7$\370w\20\3630\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320`F\0\377\377\377\377\320`F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1E\0\0\0\0\0@\210F\0\30\206F\0\30\210F\0\0\0\0\0\0\0\0\0\0\0\0\0@\210F\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02709 676 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02710 1284 NtWaitForSingleObject (460, 0, 0x0, ... 02701 784 NtWaitForSingleObject ... ) == 0x0 02706 732 NtSetEventBoostPriority ... ) == 0x0 02708 576 NtSetValueKey ... ) == 0x0 02711 636 NtRequestWaitReplyPort (780, {64, 88, new_msg, 0, 444, 636, 1583, 0} (780, {64, 88, new_msg, 0, 444, 636, 1583, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02709 676 NtCreateEvent ... 792, ) == 0x0 02712 784 NtSetEventBoostPriority (460, ... 02713 732 NtWaitForSingleObject (460, 0, 0x0, ... 02714 576 NtClose (788, ... 02707 796 NtWaitForSingleObject ... ) == 0x0 02712 784 NtSetEventBoostPriority ... ) == 0x0 02715 676 NtWaitForSingleObject (460, 0, 0x0, ... 02716 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02717 796 NtSetEventBoostPriority (460, ... 02714 576 NtClose ... ) == 0x0 02711 636 NtRequestWaitReplyPort ... {52, 76, reply, 0, 444, 636, 1600, 0} ... 
{52, 76, reply, 0, 444, 636, 1600, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02710 1284 NtWaitForSingleObject ... ) == 0x0 02717 796 NtSetEventBoostPriority ... ) == 0x0 02716 456 NtAllocateVirtualMemory ... 165085184, 2097152, ) == 0x0 02718 784 NtWaitForSingleObject (460, 0, 0x0, ... 02719 1284 NtSetEventBoostPriority (460, ... 02720 636 NtWaitForSingleObject (460, 0, 0x0, ... 02721 576 NtWaitForSingleObject (460, 0, 0x0, ... 02722 456 NtAllocateVirtualMemory (-1, 167174144, 0, 8192, 4096, 4, ... 02713 732 NtWaitForSingleObject ... ) == 0x0 02719 1284 NtSetEventBoostPriority ... ) == 0x0 02723 732 NtSetEventBoostPriority (460, ... 02722 456 NtAllocateVirtualMemory ... 167174144, 8192, ) == 0x0 02724 796 NtWaitForSingleObject (460, 0, 0x0, ... 02715 676 NtWaitForSingleObject ... ) == 0x0 02725 456 NtProtectVirtualMemory (-1, (0x9f6e000), 4096, 260, ... 02726 676 NtSetEventBoostPriority (460, ... 02725 456 NtProtectVirtualMemory ... (0x9f6e000), 4096, 4, ) == 0x0 02718 784 NtWaitForSingleObject ... ) == 0x0 02726 676 NtSetEventBoostPriority ... ) == 0x0 02723 732 NtSetEventBoostPriority ... ) == 0x0 02727 1284 NtTestAlert (... 02728 784 NtSetEventBoostPriority (460, ... 02729 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02730 732 NtWaitForSingleObject (460, 0, 0x0, ... 02720 636 NtWaitForSingleObject ... ) == 0x0 02728 784 NtSetEventBoostPriority ... ) == 0x0 02727 1284 NtTestAlert ... ) == 0x0 02729 456 NtCreateThread ... 788, {444, 712}, ) == 0x0 02731 636 NtSetEventBoostPriority (460, ... 02732 784 NtWaitForSingleObject (460, 0, 0x0, ... 02733 1284 NtContinue (165084464, 1, ... 02721 576 NtWaitForSingleObject ... ) == 0x0 02731 636 NtSetEventBoostPriority ... ) == 0x0 02734 456 NtQueryInformationThread (788, Basic, 28, ... 02735 676 NtWaitForSingleObject (460, 0, 0x0, ... 02736 576 NtSetEventBoostPriority (460, ... 
02737 1284 NtRegisterThreadTerminatePort (24, ... 02734 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=444,Tid=712,}, 0x0, ) == 0x0 02724 796 NtWaitForSingleObject ... ) == 0x0 02736 576 NtSetEventBoostPriority ... ) == 0x0 02737 1284 NtRegisterThreadTerminatePort ... ) == 0x0 02738 796 NtAllocateVirtualMemory (-1, 4628480, 0, 4096, 4096, 4, ... 02739 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1598, 0} (24, {28, 56, new_msg, 0, 444, 456, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\274\1\0\0\310\2\0\0" ... ... 02740 576 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\"}, 3, 16417, ... }, 3, 16417, ... 02738 796 NtAllocateVirtualMemory ... 4628480, 4096, ) == 0x0 02741 1284 NtWaitForSingleObject (460, 0, 0x0, ... 02739 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1601, 0} ... {28, 56, reply, 0, 444, 456, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\274\1\0\0\310\2\0\0" ) ) == 0x0 02742 636 NtClose (772, ... 02743 796 NtSetEventBoostPriority (460, ... 02740 576 NtOpenFile ... 796, {status=0x0, info=1}, ) == 0x0 02744 456 NtResumeThread (788, ... 02742 636 NtClose ... ) == 0x0 02745 576 NtQueryDirectoryFile (796, 0, 0, 0, 8713576, 616, BothDirectory, 1, (796, 0, 0, 0, 8713576, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02744 456 NtResumeThread ... 1, ) == 0x0 02746 636 NtClose (780, ... 02745 576 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02747 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02746 636 NtClose ... ) == 0x0 02748 576 NtWaitForSingleObject (460, 0, 0x0, ... 02747 456 NtAllocateVirtualMemory ... 167182336, 2097152, ) == 0x0 02749 636 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
}, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02750 456 NtAllocateVirtualMemory (-1, 169271296, 0, 8192, 4096, 4, ... 02749 636 NtCreateKey ... 780, 2, ) == 0x0 02730 732 NtWaitForSingleObject ... ) == 0x0 02743 796 NtSetEventBoostPriority ... ) == 0x0 02751 712 NtTestAlert (... 02750 456 NtAllocateVirtualMemory ... 169271296, 8192, ) == 0x0 02752 732 NtSetEventBoostPriority (460, ... 02753 796 NtWaitForSingleObject (460, 0, 0x0, ... 02751 712 NtTestAlert ... ) == 0x0 02754 456 NtProtectVirtualMemory (-1, (0xa16e000), 4096, 260, ... 02732 784 NtWaitForSingleObject ... ) == 0x0 02752 732 NtSetEventBoostPriority ... ) == 0x0 02755 712 NtContinue (167181616, 1, ... 02756 784 NtSetEventBoostPriority (460, ... 02754 456 NtProtectVirtualMemory ... (0xa16e000), 4096, 4, ) == 0x0 02757 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02735 676 NtWaitForSingleObject ... ) == 0x0 02758 712 NtRegisterThreadTerminatePort (24, ... 02759 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02757 636 NtOpenKey ... 772, ) == 0x0 02760 676 NtSetEventBoostPriority (460, ... 02758 712 NtRegisterThreadTerminatePort ... ) == 0x0 02759 456 NtCreateThread ... 800, {444, 1292}, ) == 0x0 02761 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02741 1284 NtWaitForSingleObject ... ) == 0x0 02760 676 NtSetEventBoostPriority ... ) == 0x0 02756 784 NtSetEventBoostPriority ... ) == 0x0 02762 732 NtWaitForSingleObject (460, 0, 0x0, ... 02763 456 NtQueryInformationThread (800, Basic, 28, ... 02764 1284 NtSetEventBoostPriority (460, ... 02761 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02765 676 NtWaitForSingleObject (460, 0, 0x0, ... 02766 784 NtSetEventBoostPriority (208, ... 
02767 712 NtWaitForSingleObject (460, 0, 0x0, ... 02748 576 NtWaitForSingleObject ... ) == 0x0 02768 636 NtQueryValueKey (780, (780, "Hostname", Partial, 144, ... , Partial, 144, ... 02764 1284 NtSetEventBoostPriority ... ) == 0x0 02763 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=444,Tid=1292,}, 0x0, ) == 0x0 01154 308 NtWaitForSingleObject ... ) == 0x0 02766 784 NtSetEventBoostPriority ... ) == 0x0 02769 576 NtAllocateVirtualMemory (-1, 4632576, 0, 8192, 4096, 4, ... 02768 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02770 1284 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02771 308 NtWaitForSingleObject (460, 0, 0x0, ... 02772 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1601, 0} (24, {28, 56, new_msg, 0, 444, 456, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\274\1\0\0\14\5\0\0" ... ... 02769 576 NtAllocateVirtualMemory ... 4632576, 8192, ) == 0x0 02773 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02770 1284 NtDuplicateObject ... 804, ) == 0x0 02772 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1603, 0} ... {28, 56, reply, 0, 444, 456, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\274\1\0\0\14\5\0\0" ) ) == 0x0 02774 636 NtWaitForSingleObject (460, 0, 0x0, ... 02773 784 NtCreateEvent ... 808, ) == 0x0 02775 576 NtSetEventBoostPriority (460, ... 02776 456 NtResumeThread (800, ... 02777 784 NtWaitForSingleObject (460, 0, 0x0, ... 02753 796 NtWaitForSingleObject ... ) == 0x0 02775 576 NtSetEventBoostPriority ... ) == 0x0 02776 456 NtResumeThread ... 1, ) == 0x0 02778 796 NtSetEventBoostPriority (460, ... 02779 576 NtQueryDirectoryFile (796, 0, 0, 0, 4632104, 4096, BothDirectory, 0, 0x0, 0, ... 02780 1284 NtWaitForSingleObject (460, 0, 0x0, ... 02781 1292 NtTestAlert (... 02762 732 NtWaitForSingleObject ... ) == 0x0 02778 796 NtSetEventBoostPriority ... ) == 0x0 02779 576 NtQueryDirectoryFile ... 
{status=0x0, info=1118}, ) == 0x0 02782 732 NtSetEventBoostPriority (460, ... 02781 1292 NtTestAlert ... ) == 0x0 02783 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02767 712 NtWaitForSingleObject ... ) == 0x0 02782 732 NtSetEventBoostPriority ... ) == 0x0 02784 576 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\"}, 3, 16417, ... }, 3, 16417, ... 02785 1292 NtContinue (169278768, 1, ... 02786 712 NtSetEventBoostPriority (460, ... 02783 456 NtAllocateVirtualMemory ... 169279488, 2097152, ) == 0x0 02787 732 NtWaitForSingleObject (460, 0, 0x0, ... 02784 576 NtOpenFile ... 812, {status=0x0, info=1}, ) == 0x0 02765 676 NtWaitForSingleObject ... ) == 0x0 02786 712 NtSetEventBoostPriority ... ) == 0x0 02788 1292 NtRegisterThreadTerminatePort (24, ... 02789 456 NtAllocateVirtualMemory (-1, 171368448, 0, 8192, 4096, 4, ... 02790 796 NtWaitForSingleObject (460, 0, 0x0, ... 02791 676 NtSetEventBoostPriority (460, ... 02792 712 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02788 1292 NtRegisterThreadTerminatePort ... ) == 0x0 02789 456 NtAllocateVirtualMemory ... 171368448, 8192, ) == 0x0 02771 308 NtWaitForSingleObject ... ) == 0x0 02791 676 NtSetEventBoostPriority ... ) == 0x0 02793 576 NtQueryDirectoryFile (812, 0, 0, 0, 8712928, 616, BothDirectory, 1, (812, 0, 0, 0, 8712928, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02792 712 NtDuplicateObject ... 816, ) == 0x0 02794 308 NtSetEventBoostPriority (460, ... 02795 456 NtProtectVirtualMemory (-1, (0xa36e000), 4096, 260, ... 02796 676 NtWaitForSingleObject (460, 0, 0x0, ... 02793 576 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02774 636 NtWaitForSingleObject ... ) == 0x0 02794 308 NtSetEventBoostPriority ... ) == 0x0 02797 712 NtWaitForSingleObject (460, 0, 0x0, ... 02795 456 NtProtectVirtualMemory ... (0xa36e000), 4096, 4, ) == 0x0 02798 636 NtSetEventBoostPriority (460, ... 
02799 576 NtWaitForSingleObject (460, 0, 0x0, ... 02800 1292 NtWaitForSingleObject (460, 0, 0x0, ... 02801 308 NtSetEventBoostPriority (208, ... 02777 784 NtWaitForSingleObject ... ) == 0x0 02798 636 NtSetEventBoostPriority ... ) == 0x0 02802 784 NtSetEventBoostPriority (460, ... 01160 792 NtWaitForSingleObject ... ) == 0x0 02801 308 NtSetEventBoostPriority ... ) == 0x0 02780 1284 NtWaitForSingleObject ... ) == 0x0 02803 792 NtWaitForSingleObject (460, 0, 0x0, ... 02802 784 NtSetEventBoostPriority ... ) == 0x0 02804 636 NtQueryValueKey (780, (780, "Hostname", Partial, 144, ... , Partial, 144, ... 02805 1284 NtSetEventBoostPriority (460, ... 02806 308 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02807 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02808 784 NtWaitForSingleObject (460, 0, 0x0, ... 02787 732 NtWaitForSingleObject ... ) == 0x0 02805 1284 NtSetEventBoostPriority ... ) == 0x0 02806 308 NtCreateEvent ... 820, ) == 0x0 02807 456 NtCreateThread ... 824, {444, 1272}, ) == 0x0 02809 732 NtSetEventBoostPriority (460, ... 02810 1284 NtWaitForSingleObject (460, 0, 0x0, ... 02811 308 NtWaitForSingleObject (460, 0, 0x0, ... 02790 796 NtWaitForSingleObject ... ) == 0x0 02812 456 NtQueryInformationThread (824, Basic, 28, ... 02809 732 NtSetEventBoostPriority ... ) == 0x0 02804 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02813 796 NtSetEventBoostPriority (460, ... 02812 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=444,Tid=1272,}, 0x0, ) == 0x0 02814 732 NtWaitForSingleObject (460, 0, 0x0, ... 02815 636 NtClose (780, ... 02796 676 NtWaitForSingleObject ... ) == 0x0 02813 796 NtSetEventBoostPriority ... ) == 0x0 02816 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1603, 0} (24, {28, 56, new_msg, 0, 444, 456, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\274\1\0\0\370\4\0\0" ... ... 
02817 676 NtSetEventBoostPriority (460, ... 02815 636 NtClose ... ) == 0x0 02818 796 NtWaitForSingleObject (460, 0, 0x0, ... 02797 712 NtWaitForSingleObject ... ) == 0x0 02817 676 NtSetEventBoostPriority ... ) == 0x0 02819 636 NtClose (772, ... 02816 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1604, 0} ... {28, 56, reply, 0, 444, 456, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\274\1\0\0\370\4\0\0" ) ) == 0x0 02820 712 NtSetEventBoostPriority (460, ... 02819 636 NtClose ... ) == 0x0 02799 576 NtWaitForSingleObject ... ) == 0x0 02820 712 NtSetEventBoostPriority ... ) == 0x0 02821 456 NtResumeThread (824, ... 02822 576 NtSetEventBoostPriority (460, ... 02823 636 NtWaitForSingleObject (460, 0, 0x0, ... 02824 676 NtWaitForSingleObject (460, 0, 0x0, ... 02800 1292 NtWaitForSingleObject ... ) == 0x0 02822 576 NtSetEventBoostPriority ... ) == 0x0 02821 456 NtResumeThread ... 1, ) == 0x0 02825 712 NtWaitForSingleObject (460, 0, 0x0, ... 02826 1292 NtSetEventBoostPriority (460, ... 02827 1272 NtTestAlert (... 02828 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02803 792 NtWaitForSingleObject ... ) == 0x0 02826 1292 NtSetEventBoostPriority ... ) == 0x0 02827 1272 NtTestAlert ... ) == 0x0 02829 792 NtSetEventBoostPriority (460, ... 02828 456 NtAllocateVirtualMemory ... 171376640, 2097152, ) == 0x0 02830 1292 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02808 784 NtWaitForSingleObject ... ) == 0x0 02829 792 NtSetEventBoostPriority ... ) == 0x0 02831 1272 NtContinue (171375920, 1, ... 02832 456 NtAllocateVirtualMemory (-1, 173465600, 0, 8192, 4096, 4, ... 02833 576 NtWaitForSingleObject (460, 0, 0x0, ... 02834 784 NtAllocateVirtualMemory (-1, 4640768, 0, 4096, 4096, 4, ... 02830 1292 NtDuplicateObject ... 772, ) == 0x0 02835 1272 NtRegisterThreadTerminatePort (24, ... 02836 792 NtWaitForSingleObject (460, 0, 0x0, ... 02834 784 NtAllocateVirtualMemory ... 4640768, 4096, ) == 0x0 02837 1292 NtWaitForSingleObject (460, 0, 0x0, ... 
02835 1272 NtRegisterThreadTerminatePort ... ) == 0x0 02838 784 NtSetEventBoostPriority (460, ... 02832 456 NtAllocateVirtualMemory ... 173465600, 8192, ) == 0x0 02839 1272 NtWaitForSingleObject (460, 0, 0x0, ... 02840 456 NtProtectVirtualMemory (-1, (0xa56e000), 4096, 260, ... (0xa56e000), 4096, 4, ) == 0x0 02841 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 780, {444, 1308}, ) == 0x0 02842 456 NtQueryInformationThread (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=444,Tid=1308,}, 0x0, ) == 0x0 02843 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1604, 0} (24, {28, 56, new_msg, 0, 444, 456, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\274\1\0\0\34\5\0\0" ... {28, 56, reply, 0, 444, 456, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\274\1\0\0\34\5\0\0" ) ... {28, 56, reply, 0, 444, 456, 1605, 0} (24, {28, 56, new_msg, 0, 444, 456, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\274\1\0\0\34\5\0\0" ... {28, 56, reply, 0, 444, 456, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\274\1\0\0\34\5\0\0" ) ) == 0x0 02844 456 NtResumeThread (780, ... 1, ) == 0x0 02811 308 NtWaitForSingleObject ... ) == 0x0 02838 784 NtSetEventBoostPriority ... ) == 0x0 02845 1308 NtWaitForSingleObject (460, 0, 0x0, ... 02846 308 NtSetEventBoostPriority (460, ... 02847 784 NtWaitForSingleObject (460, 0, 0x0, ... 02814 732 NtWaitForSingleObject ... ) == 0x0 02846 308 NtSetEventBoostPriority ... ) == 0x0 02848 732 NtSetEventBoostPriority (460, ... 02849 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02810 1284 NtWaitForSingleObject ... ) == 0x0 02848 732 NtSetEventBoostPriority ... ) == 0x0 02850 1284 NtSetEventBoostPriority (460, ... 02849 456 NtAllocateVirtualMemory ... 173473792, 2097152, ) == 0x0 02851 308 NtWaitForSingleObject (460, 0, 0x0, ... 02818 796 NtWaitForSingleObject ... ) == 0x0 02852 456 NtAllocateVirtualMemory (-1, 175562752, 0, 8192, 4096, 4, ... 02853 796 NtSetEventBoostPriority (460, ... 
02852 456 NtAllocateVirtualMemory ... 175562752, 8192, ) == 0x0 02824 676 NtWaitForSingleObject ... ) == 0x0 02854 456 NtProtectVirtualMemory (-1, (0xa76e000), 4096, 260, ... 02855 676 NtSetEventBoostPriority (460, ... 02854 456 NtProtectVirtualMemory ... (0xa76e000), 4096, 4, ) == 0x0 02823 636 NtWaitForSingleObject ... ) == 0x0 02855 676 NtSetEventBoostPriority ... ) == 0x0 02853 796 NtSetEventBoostPriority ... ) == 0x0 02850 1284 NtSetEventBoostPriority ... ) == 0x0 02856 732 NtWaitForSingleObject (460, 0, 0x0, ... 02857 636 NtSetEventBoostPriority (460, ... 02858 676 NtWaitForSingleObject (460, 0, 0x0, ... 02859 796 NtWaitForSingleObject (460, 0, 0x0, ... 02860 1284 NtWaitForSingleObject (460, 0, 0x0, ... 02825 712 NtWaitForSingleObject ... ) == 0x0 02857 636 NtSetEventBoostPriority ... ) == 0x0 02861 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02862 712 NtSetEventBoostPriority (460, ... 02863 636 NtWaitForSingleObject (460, 0, 0x0, ... 02861 456 NtCreateThread ... 828, {444, 1312}, ) == 0x0 02833 576 NtWaitForSingleObject ... ) == 0x0 02862 712 NtSetEventBoostPriority ... ) == 0x0 02864 576 NtAllocateVirtualMemory (-1, 4644864, 0, 8192, 4096, 4, ... 02865 456 NtQueryInformationThread (828, Basic, 28, ... 02864 576 NtAllocateVirtualMemory ... 4644864, 8192, ) == 0x0 02866 712 NtWaitForSingleObject (460, 0, 0x0, ... 02867 576 NtSetEventBoostPriority (460, ... 02865 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=444,Tid=1312,}, 0x0, ) == 0x0 02868 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1605, 0} (24, {28, 56, new_msg, 0, 444, 456, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\274\1\0\0 \5\0\0" ... {28, 56, reply, 0, 444, 456, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\274\1\0\0 \5\0\0" ) ... {28, 56, reply, 0, 444, 456, 1606, 0} (24, {28, 56, new_msg, 0, 444, 456, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\274\1\0\0 \5\0\0" ... 
{28, 56, reply, 0, 444, 456, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\274\1\0\0 \5\0\0" ) ) == 0x0 02869 456 NtResumeThread (828, ... 1, ) == 0x0 02870 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 175570944, 2097152, ) == 0x0 02871 456 NtAllocateVirtualMemory (-1, 177659904, 0, 8192, 4096, 4, ... 02836 792 NtWaitForSingleObject ... ) == 0x0 02867 576 NtSetEventBoostPriority ... ) == 0x0 02872 1312 NtWaitForSingleObject (36, 0, 0x0, ... 02873 792 NtSetEventBoostPriority (460, ... 02874 576 NtQueryDirectoryFile (812, 0, 0, 0, 4642984, 4096, BothDirectory, 0, 0x0, 0, ... 02837 1292 NtWaitForSingleObject ... ) == 0x0 02873 792 NtSetEventBoostPriority ... ) == 0x0 02875 1292 NtSetEventBoostPriority (460, ... 02874 576 NtQueryDirectoryFile ... {status=0x0, info=1380}, ) == 0x0 02839 1272 NtWaitForSingleObject ... ) == 0x0 02875 1292 NtSetEventBoostPriority ... ) == 0x0 02876 792 NtSetEventBoostPriority (208, ... 02877 1272 NtSetEventBoostPriority (460, ... 02878 576 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\"}, 3, 16417, ... }, 3, 16417, ... 02871 456 NtAllocateVirtualMemory ... 177659904, 8192, ) == 0x0 02879 1292 NtWaitForSingleObject (460, 0, 0x0, ... 02845 1308 NtWaitForSingleObject ... ) == 0x0 02877 1272 NtSetEventBoostPriority ... ) == 0x0 02878 576 NtOpenFile ... 832, {status=0x0, info=1}, ) == 0x0 02880 456 NtProtectVirtualMemory (-1, (0xa96e000), 4096, 260, ... 02881 1308 NtSetEventBoostPriority (460, ... 02882 1272 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02883 576 NtQueryDirectoryFile (832, 0, 0, 0, 8712280, 616, BothDirectory, 1, (832, 0, 0, 0, 8712280, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02847 784 NtWaitForSingleObject ... ) == 0x0 02881 1308 NtSetEventBoostPriority ... ) == 0x0 02880 456 NtProtectVirtualMemory ... (0xa96e000), 4096, 4, ) == 0x0 01170 744 NtWaitForSingleObject ... 
) == 0x0 02876 792 NtSetEventBoostPriority ... ) == 0x0 02882 1272 NtDuplicateObject ... 836, ) == 0x0 02884 784 NtSetEventBoostPriority (460, ... 02883 576 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02885 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02886 744 NtSetEventBoostPriority (208, ... 02887 792 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02851 308 NtWaitForSingleObject ... ) == 0x0 02884 784 NtSetEventBoostPriority ... ) == 0x0 02888 1272 NtWaitForSingleObject (460, 0, 0x0, ... 02889 576 NtWaitForSingleObject (500, 0, 0x0, ... 02885 456 NtCreateThread ... 840, {444, 1120}, ) == 0x0 01179 780 NtWaitForSingleObject ... ) == 0x0 02886 744 NtSetEventBoostPriority ... ) == 0x0 02890 308 NtSetEventBoostPriority (460, ... 02887 792 NtCreateEvent ... 844, ) == 0x0 02891 1308 NtSetEventBoostPriority (36, ... 02892 780 NtWaitForSingleObject (460, 0, 0x0, ... 02893 456 NtQueryInformationThread (840, Basic, 28, ... 02894 784 NtWaitForSingleObject (460, 0, 0x0, ... 02856 732 NtWaitForSingleObject ... ) == 0x0 02890 308 NtSetEventBoostPriority ... ) == 0x0 02895 792 NtWaitForSingleObject (460, 0, 0x0, ... 02872 1312 NtWaitForSingleObject ... ) == 0x0 02891 1308 NtSetEventBoostPriority ... ) == 0x0 02896 744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02897 732 NtSetEventBoostPriority (460, ... 02898 308 NtWaitForSingleObject (460, 0, 0x0, ... 02899 1312 NtAllocateVirtualMemory (-1, 13201408, 0, 4096, 4096, 4, ... 02900 1308 NtTestAlert (... 02859 796 NtWaitForSingleObject ... ) == 0x0 02897 732 NtSetEventBoostPriority ... ) == 0x0 02896 744 NtCreateEvent ... 848, ) == 0x0 02893 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=444,Tid=1120,}, 0x0, ) == 0x0 02899 1312 NtAllocateVirtualMemory ... 13201408, 4096, ) == 0x0 02901 796 NtSetEventBoostPriority (460, ... 02900 1308 NtTestAlert ... ) == 0x0 02902 732 NtWaitForSingleObject (460, 0, 0x0, ... 02903 744 NtWaitForSingleObject (460, 0, 0x0, ... 
02904 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1606, 0} (24, {28, 56, new_msg, 0, 444, 456, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\274\1\0\0`\4\0\0" ... ... 02860 1284 NtWaitForSingleObject ... ) == 0x0 02901 796 NtSetEventBoostPriority ... ) == 0x0 02905 1308 NtContinue (173473072, 1, ... 02906 1312 NtWaitForSingleObject (460, 0, 0x0, ... 02907 1284 NtSetEventBoostPriority (460, ... 02904 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1607, 0} ... {28, 56, reply, 0, 444, 456, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\274\1\0\0`\4\0\0" ) ) == 0x0 02908 1308 NtRegisterThreadTerminatePort (24, ... 02863 636 NtWaitForSingleObject ... ) == 0x0 02907 1284 NtSetEventBoostPriority ... ) == 0x0 02909 456 NtResumeThread (840, ... 02910 796 NtWaitForSingleObject (460, 0, 0x0, ... 02911 636 NtSetEventBoostPriority (460, ... 02908 1308 NtRegisterThreadTerminatePort ... ) == 0x0 02909 456 NtResumeThread ... 1, ) == 0x0 02858 676 NtWaitForSingleObject ... ) == 0x0 02911 636 NtSetEventBoostPriority ... ) == 0x0 02912 1308 NtWaitForSingleObject (460, 0, 0x0, ... 02913 1284 NtSetEventBoostPriority (500, ... 02914 1120 NtWaitForSingleObject (36, 0, 0x0, ... 02915 676 NtSetEventBoostPriority (460, ... 02916 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02889 576 NtWaitForSingleObject ... ) == 0x0 02913 1284 NtSetEventBoostPriority ... ) == 0x0 02866 712 NtWaitForSingleObject ... ) == 0x0 02917 576 NtWaitForSingleObject (460, 0, 0x0, ... 02916 456 NtAllocateVirtualMemory ... 177668096, 2097152, ) == 0x0 02918 1284 NtWaitForSingleObject (80, 0, {0, 0}, ... 02919 712 NtSetEventBoostPriority (460, ... 02920 456 NtAllocateVirtualMemory (-1, 179757056, 0, 8192, 4096, 4, ... 02918 1284 NtWaitForSingleObject ... ) == 0x102 02879 1292 NtWaitForSingleObject ... ) == 0x0 02920 456 NtAllocateVirtualMemory ... 179757056, 8192, ) == 0x0 02921 1284 NtWaitForSingleObject (208, 0, 0x0, ... 02922 1292 NtSetEventBoostPriority (460, ... 
02923 456 NtProtectVirtualMemory (-1, (0xab6e000), 4096, 260, ... 02919 712 NtSetEventBoostPriority ... ) == 0x0 02915 676 NtSetEventBoostPriority ... ) == 0x0 02924 636 NtWaitForSingleObject (460, 0, 0x0, ... 02888 1272 NtWaitForSingleObject ... ) == 0x0 02922 1292 NtSetEventBoostPriority ... ) == 0x0 02923 456 NtProtectVirtualMemory ... (0xab6e000), 4096, 4, ) == 0x0 02925 712 NtWaitForSingleObject (500, 0, 0x0, ... 02926 676 NtWaitForSingleObject (460, 0, 0x0, ... 02927 1272 NtSetEventBoostPriority (460, ... 02928 1292 NtWaitForSingleObject (500, 0, 0x0, ... 02892 780 NtWaitForSingleObject ... ) == 0x0 02927 1272 NtSetEventBoostPriority ... ) == 0x0 02929 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02930 780 NtSetEventBoostPriority (460, ... 02894 784 NtWaitForSingleObject ... ) == 0x0 02931 784 NtSetEventBoostPriority (460, ... 02895 792 NtWaitForSingleObject ... ) == 0x0 02932 792 NtSetEventBoostPriority (460, ... 02898 308 NtWaitForSingleObject ... ) == 0x0 02933 308 NtSetEventBoostPriority (460, ... 02903 744 NtWaitForSingleObject ... ) == 0x0 02934 744 NtSetEventBoostPriority (460, ... 02902 732 NtWaitForSingleObject ... ) == 0x0 02935 732 NtSetEventBoostPriority (460, ... 02906 1312 NtWaitForSingleObject ... ) == 0x0 02936 1312 NtSetEventBoostPriority (460, ... 02910 796 NtWaitForSingleObject ... ) == 0x0 02937 796 NtSetEventBoostPriority (460, ... 02912 1308 NtWaitForSingleObject ... ) == 0x0 02938 1308 NtSetEventBoostPriority (460, ... 02917 576 NtWaitForSingleObject ... ) == 0x0 02939 576 NtSetEventBoostPriority (460, ... 02924 636 NtWaitForSingleObject ... ) == 0x0 02940 636 NtSetEventBoostPriority (460, ... 02926 676 NtWaitForSingleObject ... ) == 0x0 02941 676 NtAllocateVirtualMemory (-1, 30461952, 0, 4096, 4096, 260, ... 30461952, 4096, ) == 0x0 02940 636 NtSetEventBoostPriority ... ) == 0x0 02939 576 NtSetEventBoostPriority ... ) == 0x0 02938 1308 NtSetEventBoostPriority ... ) == 0x0 02937 796 NtSetEventBoostPriority ... 
) == 0x0 02936 1312 NtSetEventBoostPriority ... ) == 0x0 02934 744 NtSetEventBoostPriority ... ) == 0x0 02932 792 NtSetEventBoostPriority ... ) == 0x0 02931 784 NtSetEventBoostPriority ... ) == 0x0 02930 780 NtSetEventBoostPriority ... ) == 0x0 02929 456 NtCreateThread ... 852, {444, 1336}, ) == 0x0 02935 732 NtSetEventBoostPriority ... ) == 0x0 02933 308 NtSetEventBoostPriority ... ) == 0x0 02942 1272 NtWaitForSingleObject (500, 0, 0x0, ... 02943 636 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02944 676 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02945 576 NtSetEventBoostPriority (500, ... 02946 796 NtAllocateVirtualMemory (-1, 32559104, 0, 4096, 4096, 260, ... 02947 1312 NtSetEventBoostPriority (36, ... 02948 1308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02949 744 NtAllocateVirtualMemory (-1, 4653056, 0, 4096, 4096, 4, ... 02950 784 NtWaitForSingleObject (460, 0, 0x0, ... 02951 792 NtWaitForSingleObject (460, 0, 0x0, ... 02952 456 NtQueryInformationThread (852, Basic, 28, ... 02953 732 NtAllocateVirtualMemory (-1, 22073344, 0, 4096, 4096, 260, ... 02954 308 NtWaitForSingleObject (460, 0, 0x0, ... 02955 780 NtSetEventBoostPriority (208, ... 02944 676 NtCreateEvent ... 856, ) == 0x0 02925 712 NtWaitForSingleObject ... ) == 0x0 02945 576 NtSetEventBoostPriority ... ) == 0x0 02943 636 NtCreateKey ... 860, 2, ) == 0x0 02946 796 NtAllocateVirtualMemory ... 32559104, 4096, ) == 0x0 02948 1308 NtDuplicateObject ... 864, ) == 0x0 02949 744 NtAllocateVirtualMemory ... 4653056, 4096, ) == 0x0 02914 1120 NtWaitForSingleObject ... ) == 0x0 02947 1312 NtSetEventBoostPriority ... ) == 0x0 02952 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=444,Tid=1336,}, 0x0, ) == 0x0 02953 732 NtAllocateVirtualMemory ... 
22073344, 4096, ) == 0x0 01180 716 NtWaitForSingleObject ... ) == 0x0 02955 780 NtSetEventBoostPriority ... ) == 0x0 02956 712 NtSetEventBoostPriority (500, ... 02957 676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02958 576 NtWaitForSingleObject (460, 0, 0x0, ... 02959 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02960 796 NtWaitForSingleObject (460, 0, 0x0, ... 02961 1308 NtWaitForSingleObject (460, 0, 0x0, ... 02962 744 NtSetEventBoostPriority (460, ... 02963 1120 NtWaitForSingleObject (460, 0, 0x0, ... 02964 1312 NtTestAlert (... 02965 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1607, 0} (24, {28, 56, new_msg, 0, 444, 456, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\274\1\0\08\5\0\0" ... ... 02966 716 NtWaitForSingleObject (460, 0, 0x0, ... 02928 1292 NtWaitForSingleObject ... ) == 0x0 02956 712 NtSetEventBoostPriority ... ) == 0x0 02967 780 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02957 676 NtDuplicateObject ... 868, ) == 0x0 02959 636 NtOpenKey ... 872, ) == 0x0 02951 792 NtWaitForSingleObject ... ) == 0x0 02962 744 NtSetEventBoostPriority ... ) == 0x0 02964 1312 NtTestAlert ... ) == 0x0 02968 1292 NtWaitForSingleObject (460, 0, 0x0, ... 02965 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1608, 0} ... {28, 56, reply, 0, 444, 456, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\274\1\0\08\5\0\0" ) ) == 0x0 02969 732 NtWaitForSingleObject (460, 0, 0x0, ... 02967 780 NtCreateEvent ... 876, ) == 0x0 02970 676 NtWaitForSingleObject (460, 0, 0x0, ... 02971 792 NtSetEventBoostPriority (460, ... 02972 636 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02973 744 NtWaitForSingleObject (460, 0, 0x0, ... 02974 1312 NtContinue (175570224, 1, ... 02975 456 NtResumeThread (852, ... 02976 780 NtWaitForSingleObject (460, 0, 0x0, ... 
02954 308 NtWaitForSingleObject ... ) == 0x0 02971 792 NtSetEventBoostPriority ... ) == 0x0 02972 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02977 1312 NtRegisterThreadTerminatePort (24, ... 02975 456 NtResumeThread ... 1, ) == 0x0 02978 308 NtSetEventBoostPriority (460, ... 02979 792 NtWaitForSingleObject (460, 0, 0x0, ... 02980 636 NtQueryValueKey (860, (860, "Domain", Partial, 144, ... , Partial, 144, ... 02977 1312 NtRegisterThreadTerminatePort ... ) == 0x0 02950 784 NtWaitForSingleObject ... ) == 0x0 02978 308 NtSetEventBoostPriority ... ) == 0x0 02981 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02982 712 NtWaitForSingleObject (80, 0, {0, 0}, ... 02983 1336 NtWaitForSingleObject (36, 0, 0x0, ... 02980 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02984 784 NtSetEventBoostPriority (460, ... 02985 1312 NtWaitForSingleObject (460, 0, 0x0, ... 02981 456 NtAllocateVirtualMemory ... 179765248, 2097152, ) == 0x0 02982 712 NtWaitForSingleObject ... ) == 0x102 02958 576 NtWaitForSingleObject ... ) == 0x0 02986 636 NtQueryValueKey (860, (860, "Domain", Partial, 144, ... , Partial, 144, ... 02987 456 NtAllocateVirtualMemory (-1, 181854208, 0, 8192, 4096, 4, ... 02988 712 NtWaitForSingleObject (208, 0, 0x0, ... 02989 576 NtAllocateVirtualMemory (-1, 4657152, 0, 8192, 4096, 4, ... 02986 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02984 784 NtSetEventBoostPriority ... ) == 0x0 02990 308 NtWaitForSingleObject (460, 0, 0x0, ... 02989 576 NtAllocateVirtualMemory ... 4657152, 8192, ) == 0x0 02991 636 NtClose (860, ... 02992 784 NtWaitForSingleObject (460, 0, 0x0, ... 02987 456 NtAllocateVirtualMemory ... 181854208, 8192, ) == 0x0 02991 636 NtClose ... ) == 0x0 02993 456 NtProtectVirtualMemory (-1, (0xad6e000), 4096, 260, ... 02994 636 NtClose (872, ... 02993 456 NtProtectVirtualMemory ... 
(0xad6e000), 4096, 4, ) == 0x0 02995 576 NtSetEventBoostPriority (460, ... 02996 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02960 796 NtWaitForSingleObject ... ) == 0x0 02995 576 NtSetEventBoostPriority ... ) == 0x0 02997 796 NtSetEventBoostPriority (460, ... 02996 456 NtCreateThread ... 860, {444, 1340}, ) == 0x0 02961 1308 NtWaitForSingleObject ... ) == 0x0 02997 796 NtSetEventBoostPriority ... ) == 0x0 02998 576 NtQueryDirectoryFile (832, 0, 0, 0, 4655768, 4096, BothDirectory, 0, 0x0, 0, ... 02999 1308 NtSetEventBoostPriority (460, ... 03000 456 NtQueryInformationThread (860, Basic, 28, ... 02994 636 NtClose ... ) == 0x0 02963 1120 NtWaitForSingleObject ... ) == 0x0 02999 1308 NtSetEventBoostPriority ... ) == 0x0 02998 576 NtQueryDirectoryFile ... {status=0x0, info=220}, ) == 0x0 03001 796 NtWaitForSingleObject (460, 0, 0x0, ... 03002 1120 NtSetEventBoostPriority (460, ... 03003 636 NtWaitForSingleObject (460, 0, 0x0, ... 03000 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=444,Tid=1340,}, 0x0, ) == 0x0 03004 576 NtWaitForSingleObject (500, 0, 0x0, ... 02966 716 NtWaitForSingleObject ... ) == 0x0 03002 1120 NtSetEventBoostPriority ... ) == 0x0 03005 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1608, 0} (24, {28, 56, new_msg, 0, 444, 456, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\274\1\0\0<\5\0\0" ... ... 03006 716 NtSetEventBoostPriority (460, ... 03007 1308 NtWaitForSingleObject (460, 0, 0x0, ... 02968 1292 NtWaitForSingleObject ... ) == 0x0 03006 716 NtSetEventBoostPriority ... ) == 0x0 03005 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1609, 0} ... {28, 56, reply, 0, 444, 456, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\274\1\0\0<\5\0\0" ) ) == 0x0 03008 1292 NtSetEventBoostPriority (460, ... 03009 1120 NtSetEventBoostPriority (36, ... 02969 732 NtWaitForSingleObject ... ) == 0x0 03010 456 NtResumeThread (860, ... 02983 1336 NtWaitForSingleObject ... 
) == 0x0 03009 1120 NtSetEventBoostPriority ... ) == 0x0 03011 732 NtSetEventBoostPriority (460, ... 03012 1336 NtTestAlert (... 03010 456 NtResumeThread ... 1, ) == 0x0 03013 1120 NtTestAlert (... 03012 1336 NtTestAlert ... ) == 0x0 02970 676 NtWaitForSingleObject ... ) == 0x0 03011 732 NtSetEventBoostPriority ... ) == 0x0 03008 1292 NtSetEventBoostPriority ... ) == 0x0 03014 716 NtSetEventBoostPriority (208, ... 03015 1340 NtWaitForSingleObject (460, 0, 0x0, ... 03013 1120 NtTestAlert ... ) == 0x0 03016 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03017 676 NtSetEventBoostPriority (460, ... 03018 732 NtWaitForSingleObject (460, 0, 0x0, ... 03019 1336 NtContinue (179764528, 1, ... 01194 844 NtWaitForSingleObject ... ) == 0x0 03014 716 NtSetEventBoostPriority ... ) == 0x0 03020 1120 NtContinue (177667376, 1, ... 02973 744 NtWaitForSingleObject ... ) == 0x0 03017 676 NtSetEventBoostPriority ... ) == 0x0 03016 456 NtAllocateVirtualMemory ... 181862400, 2097152, ) == 0x0 03021 1292 NtSetEventBoostPriority (500, ... 03022 844 NtWaitForSingleObject (460, 0, 0x0, ... 03023 1336 NtRegisterThreadTerminatePort (24, ... 03024 716 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03025 744 NtSetEventBoostPriority (460, ... 03026 1120 NtRegisterThreadTerminatePort (24, ... 03027 456 NtAllocateVirtualMemory (-1, 183951360, 0, 8192, 4096, 4, ... 02942 1272 NtWaitForSingleObject ... ) == 0x0 03021 1292 NtSetEventBoostPriority ... ) == 0x0 03023 1336 NtRegisterThreadTerminatePort ... ) == 0x0 02976 780 NtWaitForSingleObject ... ) == 0x0 03025 744 NtSetEventBoostPriority ... ) == 0x0 03024 716 NtCreateEvent ... 872, ) == 0x0 03028 676 NtWaitForSingleObject (460, 0, 0x0, ... 03029 1272 NtWaitForSingleObject (460, 0, 0x0, ... 03027 456 NtAllocateVirtualMemory ... 183951360, 8192, ) == 0x0 03030 1292 NtWaitForSingleObject (80, 0, {0, 0}, ... 03031 780 NtSetEventBoostPriority (460, ... 03032 1336 NtWaitForSingleObject (460, 0, 0x0, ... 03026 1120 NtRegisterThreadTerminatePort ... 
) == 0x0 03033 716 NtWaitForSingleObject (460, 0, 0x0, ... 03034 456 NtProtectVirtualMemory (-1, (0xaf6e000), 4096, 260, ... 02979 792 NtWaitForSingleObject ... ) == 0x0 03031 780 NtSetEventBoostPriority ... ) == 0x0 03030 1292 NtWaitForSingleObject ... ) == 0x102 03035 1120 NtWaitForSingleObject (460, 0, 0x0, ... 03036 792 NtSetEventBoostPriority (460, ... 03034 456 NtProtectVirtualMemory ... (0xaf6e000), 4096, 4, ) == 0x0 03037 744 NtWaitForSingleObject (460, 0, 0x0, ... 03038 1292 NtWaitForSingleObject (460, 0, 0x0, ... 02985 1312 NtWaitForSingleObject ... ) == 0x0 03036 792 NtSetEventBoostPriority ... ) == 0x0 03039 780 NtWaitForSingleObject (460, 0, 0x0, ... 03040 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03041 1312 NtSetEventBoostPriority (460, ... 03042 792 NtWaitForSingleObject (460, 0, 0x0, ... 03040 456 NtCreateThread ... 880, {444, 1344}, ) == 0x0 02990 308 NtWaitForSingleObject ... ) == 0x0 03041 1312 NtSetEventBoostPriority ... ) == 0x0 03043 308 NtSetEventBoostPriority (460, ... 03044 456 NtQueryInformationThread (880, Basic, 28, ... 02992 784 NtWaitForSingleObject ... ) == 0x0 03043 308 NtSetEventBoostPriority ... ) == 0x0 03045 1312 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03046 784 NtSetEventBoostPriority (460, ... 03047 308 NtWaitForSingleObject (460, 0, 0x0, ... 03044 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=444,Tid=1344,}, 0x0, ) == 0x0 03001 796 NtWaitForSingleObject ... ) == 0x0 03046 784 NtSetEventBoostPriority ... ) == 0x0 03045 1312 NtDuplicateObject ... 884, ) == 0x0 03048 796 NtSetEventBoostPriority (460, ... 03049 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1609, 0} (24, {28, 56, new_msg, 0, 444, 456, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\3\0\0\274\1\0\0@\5\0\0" ... ... 03003 636 NtWaitForSingleObject ... ) == 0x0 03048 796 NtSetEventBoostPriority ... ) == 0x0 03050 1312 NtWaitForSingleObject (460, 0, 0x0, ... 
03051 636 NtSetEventBoostPriority (460, ... 03049 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1610, 0} ... {28, 56, reply, 0, 444, 456, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\3\0\0\274\1\0\0@\5\0\0" ) ) == 0x0 03052 796 NtWaitForSingleObject (460, 0, 0x0, ... 03007 1308 NtWaitForSingleObject ... ) == 0x0 03051 636 NtSetEventBoostPriority ... ) == 0x0 03053 456 NtResumeThread (880, ... 03054 784 NtWaitForSingleObject (460, 0, 0x0, ... 03055 1308 NtSetEventBoostPriority (460, ... 03053 456 NtResumeThread ... 1, ) == 0x0 03015 1340 NtWaitForSingleObject ... ) == 0x0 03055 1308 NtSetEventBoostPriority ... ) == 0x0 03056 636 NtWaitForSingleObject (460, 0, 0x0, ... 03057 1344 NtWaitForSingleObject (36, 0, 0x0, ... 03058 1340 NtSetEventBoostPriority (460, ... 03059 1308 NtWaitForSingleObject (500, 0, 0x0, ... 03018 732 NtWaitForSingleObject ... ) == 0x0 03058 1340 NtSetEventBoostPriority ... ) == 0x0 03060 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03061 732 NtSetEventBoostPriority (460, ... 03022 844 NtWaitForSingleObject ... ) == 0x0 03062 844 NtSetEventBoostPriority (460, ... 03029 1272 NtWaitForSingleObject ... ) == 0x0 03063 1272 NtSetEventBoostPriority (460, ... 03028 676 NtWaitForSingleObject ... ) == 0x0 03064 676 NtSetEventBoostPriority (460, ... 03032 1336 NtWaitForSingleObject ... ) == 0x0 03065 1336 NtSetEventBoostPriority (460, ... 03033 716 NtWaitForSingleObject ... ) == 0x0 03066 716 NtAllocateVirtualMemory (-1, 4665344, 0, 4096, 4096, 4, ... 4665344, 4096, ) == 0x0 03065 1336 NtSetEventBoostPriority ... ) == 0x0 03064 676 NtSetEventBoostPriority ... ) == 0x0 03063 1272 NtSetEventBoostPriority ... ) == 0x0 03062 844 NtSetEventBoostPriority ... ) == 0x0 03060 456 NtAllocateVirtualMemory ... 183959552, 2097152, ) == 0x0 03061 732 NtSetEventBoostPriority ... ) == 0x0 03067 1340 NtSetEventBoostPriority (36, ... 03068 716 NtSetEventBoostPriority (460, ... 03069 676 NtWaitForSingleObject (500, 0, 0x0, ... 
03070 1336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03071 1272 NtSetEventBoostPriority (500, ... 03072 456 NtAllocateVirtualMemory (-1, 186048512, 0, 8192, 4096, 4, ... 03073 732 NtWaitForSingleObject (460, 0, 0x0, ... 03057 1344 NtWaitForSingleObject ... ) == 0x0 03067 1340 NtSetEventBoostPriority ... ) == 0x0 03035 1120 NtWaitForSingleObject ... ) == 0x0 03068 716 NtSetEventBoostPriority ... ) == 0x0 03074 844 NtSetEventBoostPriority (208, ... 03070 1336 NtDuplicateObject ... 888, ) == 0x0 03004 576 NtWaitForSingleObject ... ) == 0x0 03071 1272 NtSetEventBoostPriority ... ) == 0x0 03072 456 NtAllocateVirtualMemory ... 186048512, 8192, ) == 0x0 03075 1344 NtTestAlert (... 03076 1120 NtSetEventBoostPriority (460, ... 03077 1340 NtTestAlert (... 03078 716 NtWaitForSingleObject (460, 0, 0x0, ... 01195 864 NtWaitForSingleObject ... ) == 0x0 03074 844 NtSetEventBoostPriority ... ) == 0x0 03079 576 NtSetEventBoostPriority (500, ... 03080 1336 NtWaitForSingleObject (460, 0, 0x0, ... 03081 1272 NtWaitForSingleObject (80, 0, {0, 0}, ... 03075 1344 NtTestAlert ... ) == 0x0 03037 744 NtWaitForSingleObject ... ) == 0x0 03076 1120 NtSetEventBoostPriority ... ) == 0x0 03082 456 NtProtectVirtualMemory (-1, (0xb16e000), 4096, 260, ... 03077 1340 NtTestAlert ... ) == 0x0 03083 864 NtWaitForSingleObject (460, 0, 0x0, ... 03059 1308 NtWaitForSingleObject ... ) == 0x0 03079 576 NtSetEventBoostPriority ... ) == 0x0 03084 844 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03081 1272 NtWaitForSingleObject ... ) == 0x102 03085 744 NtSetEventBoostPriority (460, ... 03086 1344 NtContinue (183958832, 1, ... 03082 456 NtProtectVirtualMemory ... (0xb16e000), 4096, 4, ) == 0x0 03087 1308 NtWaitForSingleObject (460, 0, 0x0, ... 03088 1340 NtContinue (181861680, 1, ... 03089 1120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03084 844 NtCreateEvent ... 892, ) == 0x0 03039 780 NtWaitForSingleObject ... ) == 0x0 03085 744 NtSetEventBoostPriority ... 
) == 0x0 03090 1272 NtWaitForSingleObject (208, 0, 0x0, ... 03091 1344 NtRegisterThreadTerminatePort (24, ... 03092 576 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\desktop.ini\"}, 3, 16417, ... }, 3, 16417, ... 03093 1340 NtRegisterThreadTerminatePort (24, ... 03089 1120 NtDuplicateObject ... 896, ) == 0x0 03094 780 NtSetEventBoostPriority (460, ... 03095 844 NtWaitForSingleObject (460, 0, 0x0, ... 03096 744 NtWaitForSingleObject (460, 0, 0x0, ... 03097 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03091 1344 NtRegisterThreadTerminatePort ... ) == 0x0 03092 576 NtOpenFile ... ) == STATUS_NOT_A_DIRECTORY 03042 792 NtWaitForSingleObject ... ) == 0x0 03094 780 NtSetEventBoostPriority ... ) == 0x0 03098 1120 NtWaitForSingleObject (460, 0, 0x0, ... 03093 1340 NtRegisterThreadTerminatePort ... ) == 0x0 03097 456 NtCreateThread ... 900, {444, 1348}, ) == 0x0 03099 1344 NtWaitForSingleObject (460, 0, 0x0, ... 03100 792 NtSetEventBoostPriority (460, ... 03101 576 NtQueryDirectoryFile (832, 0, 0, 0, 4655768, 4096, BothDirectory, 0, 0x0, 0, ... 03102 780 NtWaitForSingleObject (460, 0, 0x0, ... 03103 1340 NtWaitForSingleObject (460, 0, 0x0, ... 03104 456 NtQueryInformationThread (900, Basic, 28, ... 03038 1292 NtWaitForSingleObject ... ) == 0x0 03100 792 NtSetEventBoostPriority ... ) == 0x0 03101 576 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 03105 1292 NtSetEventBoostPriority (460, ... 03104 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=444,Tid=1348,}, 0x0, ) == 0x0 03047 308 NtWaitForSingleObject ... ) == 0x0 03106 576 NtDelayExecution (0, {-10000, -1}, ... 03107 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1610, 0} (24, {28, 56, new_msg, 0, 444, 456, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\3\0\0\274\1\0\0D\5\0\0" ... ... 03108 308 NtSetEventBoostPriority (460, ... 
03050 1312 NtWaitForSingleObject ... ) == 0x0 03109 1312 NtSetEventBoostPriority (460, ... 03052 796 NtWaitForSingleObject ... ) == 0x0 03110 796 NtSetEventBoostPriority (460, ... 03054 784 NtWaitForSingleObject ... ) == 0x0 03111 784 NtSetEventBoostPriority (460, ... 03056 636 NtWaitForSingleObject ... ) == 0x0 03112 636 NtSetEventBoostPriority (460, ... 03073 732 NtWaitForSingleObject ... ) == 0x0 03113 732 NtSetEventBoostPriority (460, ... 03078 716 NtWaitForSingleObject ... ) == 0x0 03114 716 NtAllocateVirtualMemory (-1, 4669440, 0, 4096, 4096, 4, ... 4669440, 4096, ) == 0x0 03113 732 NtSetEventBoostPriority ... ) == 0x0 03112 636 NtSetEventBoostPriority ... ) == 0x0 03111 784 NtSetEventBoostPriority ... ) == 0x0 03109 1312 NtSetEventBoostPriority ... ) == 0x0 03110 796 NtSetEventBoostPriority ... ) == 0x0 03108 308 NtSetEventBoostPriority ... ) == 0x0 03105 1292 NtSetEventBoostPriority ... ) == 0x0 03115 792 NtWaitForSingleObject (460, 0, 0x0, ... 03107 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1611, 0} ... {28, 56, reply, 0, 444, 456, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\3\0\0\274\1\0\0D\5\0\0" ) ) == 0x0 03116 716 NtSetEventBoostPriority (460, ... 03117 636 NtWaitForSingleObject (500, 0, 0x0, ... 03118 784 NtWaitForSingleObject (460, 0, 0x0, ... 03119 732 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03120 796 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03121 308 NtWaitForSingleObject (460, 0, 0x0, ... 03122 1292 NtWaitForSingleObject (208, 0, 0x0, ... 03123 456 NtResumeThread (900, ... 03080 1336 NtWaitForSingleObject ... ) == 0x0 03116 716 NtSetEventBoostPriority ... ) == 0x0 03124 1312 NtWaitForSingleObject (460, 0, 0x0, ... 03119 732 NtCreateEvent ... 904, ) == 0x0 03120 796 NtCreateEvent ... 908, ) == 0x0 03125 1336 NtSetEventBoostPriority (460, ... 03123 456 NtResumeThread ... 1, ) == 0x0 03126 716 NtWaitForSingleObject (460, 0, 0x0, ... 03127 732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
03128 1348 NtWaitForSingleObject (460, 0, 0x0, ... 03083 864 NtWaitForSingleObject ... ) == 0x0 03125 1336 NtSetEventBoostPriority ... ) == 0x0 03129 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03127 732 NtDuplicateObject ... 912, ) == 0x0 03130 864 NtSetEventBoostPriority (460, ... 03131 796 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03129 456 NtAllocateVirtualMemory ... 186056704, 2097152, ) == 0x0 03087 1308 NtWaitForSingleObject ... ) == 0x0 03130 864 NtSetEventBoostPriority ... ) == 0x0 03132 732 NtWaitForSingleObject (460, 0, 0x0, ... 03131 796 NtDuplicateObject ... 916, ) == 0x0 03133 1308 NtSetEventBoostPriority (460, ... 03134 456 NtAllocateVirtualMemory (-1, 188145664, 0, 8192, 4096, 4, ... 03135 1336 NtWaitForSingleObject (460, 0, 0x0, ... 03095 844 NtWaitForSingleObject ... ) == 0x0 03136 796 NtWaitForSingleObject (460, 0, 0x0, ... 03133 1308 NtSetEventBoostPriority ... ) == 0x0 03137 864 NtSetEventBoostPriority (208, ... 03138 844 NtSetEventBoostPriority (460, ... 03134 456 NtAllocateVirtualMemory ... 188145664, 8192, ) == 0x0 01202 868 NtWaitForSingleObject ... ) == 0x0 03137 864 NtSetEventBoostPriority ... ) == 0x0 03098 1120 NtWaitForSingleObject ... ) == 0x0 03138 844 NtSetEventBoostPriority ... ) == 0x0 03139 868 NtWaitForSingleObject (460, 0, 0x0, ... 03140 456 NtProtectVirtualMemory (-1, (0xb36e000), 4096, 260, ... 03141 1120 NtSetEventBoostPriority (460, ... 03142 864 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03143 1308 NtSetEventBoostPriority (500, ... 03099 1344 NtWaitForSingleObject ... ) == 0x0 03141 1120 NtSetEventBoostPriority ... ) == 0x0 03140 456 NtProtectVirtualMemory ... (0xb36e000), 4096, 4, ) == 0x0 03142 864 NtCreateEvent ... 920, ) == 0x0 03144 1344 NtSetEventBoostPriority (460, ... 03069 676 NtWaitForSingleObject ... ) == 0x0 03143 1308 NtSetEventBoostPriority ... ) == 0x0 03145 844 NtWaitForSingleObject (460, 0, 0x0, ... 03146 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
03096 744 NtWaitForSingleObject ... ) == 0x0 03147 676 NtWaitForSingleObject (460, 0, 0x0, ... 03144 1344 NtSetEventBoostPriority ... ) == 0x0 03148 864 NtWaitForSingleObject (460, 0, 0x0, ... 03149 1308 NtWaitForSingleObject (80, 0, {0, 0}, ... 03150 744 NtSetEventBoostPriority (460, ... 03146 456 NtCreateThread ... 924, {444, 1320}, ) == 0x0 03151 1120 NtWaitForSingleObject (460, 0, 0x0, ... 03103 1340 NtWaitForSingleObject ... ) == 0x0 03149 1308 NtWaitForSingleObject ... ) == 0x102 03152 456 NtQueryInformationThread (924, Basic, 28, ... 03153 1340 NtSetEventBoostPriority (460, ... 03154 1308 NtWaitForSingleObject (460, 0, 0x0, ... 03150 744 NtSetEventBoostPriority ... ) == 0x0 03155 1344 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03102 780 NtWaitForSingleObject ... ) == 0x0 03153 1340 NtSetEventBoostPriority ... ) == 0x0 03152 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=444,Tid=1320,}, 0x0, ) == 0x0 03156 744 NtWaitForSingleObject (460, 0, 0x0, ... 03157 780 NtSetEventBoostPriority (460, ... 03155 1344 NtDuplicateObject ... 928, ) == 0x0 03158 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1611, 0} (24, {28, 56, new_msg, 0, 444, 456, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\3\0\0\274\1\0\0(\5\0\0" ... ... 03115 792 NtWaitForSingleObject ... ) == 0x0 03159 1344 NtWaitForSingleObject (460, 0, 0x0, ... 03158 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1612, 0} ... {28, 56, reply, 0, 444, 456, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\3\0\0\274\1\0\0(\5\0\0" ) ) == 0x0 03160 792 NtSetEventBoostPriority (460, ... 03161 456 NtResumeThread (924, ... 03121 308 NtWaitForSingleObject ... ) == 0x0 03160 792 NtSetEventBoostPriority ... ) == 0x0 03162 308 NtSetEventBoostPriority (460, ... 03161 456 NtResumeThread ... 1, ) == 0x0 03124 1312 NtWaitForSingleObject ... ) == 0x0 03162 308 NtSetEventBoostPriority ... ) == 0x0 03163 792 NtWaitForSingleObject (460, 0, 0x0, ... 
03157 780 NtSetEventBoostPriority ... ) == 0x0 03164 1340 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03165 1320 NtWaitForSingleObject (36, 0, 0x0, ... 03166 1312 NtSetEventBoostPriority (460, ... 03167 456 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03168 308 NtWaitForSingleObject (460, 0, 0x0, ... 03169 780 NtWaitForSingleObject (460, 0, 0x0, ... 03164 1340 NtDuplicateObject ... 932, ) == 0x0 03118 784 NtWaitForSingleObject ... ) == 0x0 03166 1312 NtSetEventBoostPriority ... ) == 0x0 03167 456 NtAllocateVirtualMemory ... 188153856, 2097152, ) == 0x0 03170 784 NtSetEventBoostPriority (460, ... 03171 1340 NtWaitForSingleObject (460, 0, 0x0, ... 03172 1312 NtWaitForSingleObject (500, 0, 0x0, ... 03126 716 NtWaitForSingleObject ... ) == 0x0 03173 456 NtAllocateVirtualMemory (-1, 190242816, 0, 8192, 4096, 4, ... 03170 784 NtSetEventBoostPriority ... ) == 0x0 03174 716 NtSetEventBoostPriority (460, ... 03173 456 NtAllocateVirtualMemory ... 190242816, 8192, ) == 0x0 03175 784 NtAllocateVirtualMemory (-1, 28364800, 0, 4096, 4096, 260, ... 03128 1348 NtWaitForSingleObject ... ) == 0x0 03174 716 NtSetEventBoostPriority ... ) == 0x0 03176 456 NtProtectVirtualMemory (-1, (0xb56e000), 4096, 260, ... 03177 1348 NtSetEventBoostPriority (460, ... 03175 784 NtAllocateVirtualMemory ... 28364800, 4096, ) == 0x0 03132 732 NtWaitForSingleObject ... ) == 0x0 03177 1348 NtSetEventBoostPriority ... ) == 0x0 03176 456 NtProtectVirtualMemory ... (0xb56e000), 4096, 4, ) == 0x0 03178 716 NtWaitForSingleObject (460, 0, 0x0, ... 03179 732 NtSetEventBoostPriority (460, ... 03180 784 NtWaitForSingleObject (460, 0, 0x0, ... 03181 1348 NtSetEventBoostPriority (36, ... 03135 1336 NtWaitForSingleObject ... ) == 0x0 03179 732 NtSetEventBoostPriority ... ) == 0x0 03182 1336 NtSetEventBoostPriority (460, ... 03165 1320 NtWaitForSingleObject ... ) == 0x0 03181 1348 NtSetEventBoostPriority ... ) == 0x0 03183 456 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
03136 796 NtWaitForSingleObject ... ) == 0x0 03184 1320 NtWaitForSingleObject (460, 0, 0x0, ... 03182 1336 NtSetEventBoostPriority ... ) == 0x0 03185 1348 NtTestAlert (... 03186 796 NtSetEventBoostPriority (460, ... 03183 456 NtCreateThread ... 936, {444, 1356}, ) == 0x0 03187 1336 NtWaitForSingleObject (500, 0, 0x0, ... 03139 868 NtWaitForSingleObject ... ) == 0x0 03186 796 NtSetEventBoostPriority ... ) == 0x0 03185 1348 NtTestAlert ... ) == 0x0 03188 456 NtQueryInformationThread (936, Basic, 28, ... 03189 732 NtWaitForSingleObject (460, 0, 0x0, ... 03190 868 NtSetEventBoostPriority (460, ... 03191 1348 NtContinue (186055984, 1, ... 03188 456 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=444,Tid=1356,}, 0x0, ) == 0x0 03145 844 NtWaitForSingleObject ... ) == 0x0 03190 868 NtSetEventBoostPriority ... ) == 0x0 03192 1348 NtRegisterThreadTerminatePort (24, ... 03193 844 NtSetEventBoostPriority (460, ... 03194 456 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 444, 456, 1612, 0} (24, {28, 56, new_msg, 0, 444, 456, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\3\0\0\274\1\0\0L\5\0\0" ... ... 03195 796 NtWaitForSingleObject (460, 0, 0x0, ... 03196 868 NtSetEventBoostPriority (208, ... 03147 676 NtWaitForSingleObject ... ) == 0x0 03193 844 NtSetEventBoostPriority ... ) == 0x0 03197 676 NtSetEventBoostPriority (460, ... 01215 872 NtWaitForSingleObject ... ) == 0x0 03196 868 NtSetEventBoostPriority ... ) == 0x0 03148 864 NtWaitForSingleObject ... ) == 0x0 03198 872 NtWaitForSingleObject (460, 0, 0x0, ... 03199 844 NtWaitForSingleObject (460, 0, 0x0, ... 03200 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03201 864 NtSetEventBoostPriority (460, ... 03197 676 NtSetEventBoostPriority ... ) == 0x0 03192 1348 NtRegisterThreadTerminatePort ... ) == 0x0 03194 456 NtRequestWaitReplyPort ... {28, 56, reply, 0, 444, 456, 1613, 0} ... 
{28, 56, reply, 0, 444, 456, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\3\0\0\274\1\0\0L\5\0\0" ) ) == 0x0 03200 868 NtCreateEvent ... 940, ) == 0x0 03151 1120 NtWaitForSingleObject ... ) == 0x0 03201 864 NtSetEventBoostPriority ... ) == 0x0 03202 1348 NtWaitForSingleObject (460, 0, 0x0, ... 03203 456 NtResumeThread (936, ... 03204 1120 NtSetEventBoostPriority (460, ...