Summary (call count per system call):

NtGdiBitBlt(>) 1 NtGdiGetDIBitsInternal(>) 2 NtFsControlFile(>) 7 NtUserRegisterClassExWOW(>) 35
NtGdiCreateCompatibleBitmap(>) 1 NtGdiHfontCreate(>) 2 NtUserCallNoParam(>) 7 NtWaitForSingleObject(>) 35
NtGdiCreateDIBitmapInternal(>) 1 NtGdiStretchDIBitsInternal(>) 2 NtCreateSemaphore(>) 8 NtQueryDebugFilterState(>) 36
NtGdiInit(>) 1 NtNotifyChangeKey(>) 2 NtQueryDefaultLocale(>) 8 NtUserGetClassInfo(>) 36
NtGdiQueryFontAssocInfo(>) 1 NtOpenDirectoryObject(>) 2 NtReadFile(>) 8 NtCreateEvent(>) 44
NtOpenKeyedEvent(>) 1 NtOpenProcessToken(>) 2 NtUserSystemParametersInfo(>) 8 NtOpenSection(>) 50
NtOpenProcess(>) 1 NtQueryInstallUILanguage(>) 2 NtDuplicateObject(>) 9 NtQueryVirtualMemory(>) 52
NtOpenSymbolicLinkObject(>) 1 NtQuerySystemTime(>) 2 NtCreateMutant(>) 10 NtCreateSection(>) 55
NtQueryEvent(>) 1 NtReleaseSemaphore(>) 2 NtOpenThreadToken(>) 10 NtOpenFile(>) 73
NtQueryObject(>) 1 NtUserCreateWindowEx(>) 2 NtWriteFile(>) 11 NtMapViewOfSection(>) 78
NtQuerySymbolicLinkObject(>) 1 NtUserGetProcessWindowStation(>) 2 NtGdiSelectBitmap(>) 12 NtQueryAttributesFile(>) 120
NtQueryTimerResolution(>) 1 NtUserGetThreadDesktop(>) 2 NtOpenProcessTokenEx(>) 12 NtContinue(>) 135
NtSecureConnectPort(>) 1 NtUserMessageCall(>) 2 NtOpenThreadTokenEx(>) 12 NtOpenKey(>) 143
NtSetEvent(>) 1 NtAddAtom(>) 3 NtQueryDefaultUILanguage(>) 14 NtResumeThread(>) 148
NtUserGetAncestor(>) 1 NtDeleteValueKey(>) 3 NtQueryInformationToken(>) 15 NtCreateThread(>) 165
NtUserGetClassName(>) 1 NtOpenEvent(>) 3 NtSetInformationFile(>) 15 NtQueryInformationThread(>) 171
NtUserGetGUIThreadInfo(>) 1 NtSetInformationObject(>) 3 NtQueryDirectoryFile(>) 16 NtTestAlert(>) 171
NtUserGetIconInfo(>) 1 NtCreateIoCompletion(>) 4 NtDeviceIoControlFile(>) 18 NtRegisterThreadTerminatePort(>) 172
NtUserGetIconSize(>) 1 NtGdiCreateCompatibleDC(>) 4 NtUserGetWindowDC(>) 20 NtRequestWaitReplyPort(>) 173
NtUserRemoveProp(>) 1 NtSetValueKey(>) 4 NtFlushInstructionCache(>) 22 NtProtectVirtualMemory(>) 191
NtUserSetCursorIconData(>) 1 NtUserGetObjectInformation(>) 4 NtUserCallOneParam(>) 22 NtOpenMutant(>) 198
NtUserSetProp(>) 1 NtGdiDeleteObjectApp(>) 5 NtSetEventBoostPriority(>) 26 NtSetInformationThread(>) 265
NtUserSetWindowPos(>) 1 NtGdiExtGetObjectW(>) 5 NtCreateFile(>) 27 NtQueryValueKey(>) 266
NtCallbackReturn(>) 2 NtGdiGetStockObject(>) 5 NtUserFindExistingCursorIcon(>) 27 NtClose(>) 269
NtConnectPort(>) 2 NtQueryVolumeInformationFile(>) 5 NtQueryInformationFile(>) 28 NtAllocateVirtualMemory(>) 593
NtGdiCreateBitmap(>) 2 NtQueryInformationProcess(>) 6 NtFreeVirtualMemory(>) 29 NtDelayExecution(>) 692
NtGdiCreatePatternBrushInternal(>) 2 NtUserGetDC(>) 6 NtQuerySystemInformation(>) 32
NtGdiCreateSolidBrush(>) 2 NtUserRegisterWindowMessage(>) 6 NtUnmapViewOfSection(>) 32
NtGdiDoPalette(>) 2

Trace (sequence number, thread ID, system call, arguments, return status):

00001 460 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 460 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 4521984, 2097152, ) == 0x0 00005 460 NtAllocateVirtualMemory (-1, 4521984, 0, 4096, 4096, 4, ... 4521984, 4096, ) == 0x0 00006 460 NtAllocateVirtualMemory (-1, 4526080, 0, 8192, 4096, 4, ... 4526080, 8192, ) == 0x0 00007 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 460 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 460 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 460 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 460 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 460 NtClose (12, ... 
) == 0x0 00014 460 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 460 NtQueryVolumeInformationFile (12, 2292424, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 460 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292408, ... ) }, 2292408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 460 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 460 NtClose (16, ... ) == 0x0 00021 460 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 460 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 460 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 460 NtClose (16, ... ) == 0x0 00026 460 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 460 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 460 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 460 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 456, 460, 1487, 0} "\360S\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 456, 460, 1487, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 456, 460, 1487, 0} "\360S\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 460 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 460 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 460 NtClose (16, ... ) == 0x0 00036 460 NtAllocateVirtualMemory (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0 00037 460 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 460 NtClose (28, ... ) == 0x0 00041 460 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 460 NtClose (28, ... ) == 0x0 00045 460 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 460 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 460 NtClose (28, ... ) == 0x0 00049 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 460 NtClose (28, ... ) == 0x0 00052 460 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 456, 460, 1489, 0} "xB\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1489, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 456, 460, 1489, 0} "xB\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 460 NtProtectVirtualMemory (-1, (0x408000), 65536, 4, ... (0x408000), 65536, 128, ) == 0x0 00057 460 NtProtectVirtualMemory (-1, (0x408000), 65536, 128, ... (0x408000), 65536, 4, ) == 0x0 00058 460 NtFlushInstructionCache (-1, 4227072, 65536, ... ) == 0x0 00059 460 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 460 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 460 NtClose (28, ... ) == 0x0 00062 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 460 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 460 NtClose (28, ... ) == 0x0 00065 460 NtTestAlert (... ) == 0x0 00066 460 NtContinue (2293040, 1, ... 00067 460 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x418000,}, 4, ... ) == 0x0 00068 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 460 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 460 NtClose (28, ... ) == 0x0 00071 460 NtAllocateVirtualMemory (-1, 4534272, 0, 4096, 4096, 4, ... 
4534272, 4096, ) == 0x0 00072 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00073 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00074 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == 0x0 00076 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00077 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00078 460 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00079 460 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00080 460 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00081 460 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00082 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00083 460 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 460 NtClose (40, ... ) == 0x0 00085 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00086 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
40, ) == 0x0 00087 460 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00088 460 NtClose (40, ... ) == 0x0 00089 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00090 460 NtClose (36, ... ) == 0x0 00091 460 NtClose (28, ... ) == 0x0 00092 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73d90000), 0x0, 159744, ) == 0x0 00093 460 NtClose (32, ... ) == 0x0 00094 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2288964, ... ) }, 2288964, ... ) == 0x0 00095 460 NtAllocateVirtualMemory (-1, 4538368, 0, 4096, 4096, 4, ... 4538368, 4096, ) == 0x0 00096 460 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00097 460 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 456, 460, 1501, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ... {40, 68, reply, 0, 456, 460, 1501, 0} (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 456, 460, 1501, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00098 460 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 456, 460, 1501, 0} (24, {40, 68, new_msg, 0, 456, 460, 1501, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 456, 460, 1502, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ... 
{40, 68, reply, 0, 456, 460, 1502, 0} (24, {40, 68, new_msg, 0, 456, 460, 1501, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 456, 460, 1502, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00099 460 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 32, ) }, ... 32, ) == 0x0 00100 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00103 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx5"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx6"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx7"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx8"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx9"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx10"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx11"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00110 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx12"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx13"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00112 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx14"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx15"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00114 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx16"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00115 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx17"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx18"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx19"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00118 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx20"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx21"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00120 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx22"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00121 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx23"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00122 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx24"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00123 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx25"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx26"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00125 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx27"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx28"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx29"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx31"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00131 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx33"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx34"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00133 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx35"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00134 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx36"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00135 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx37"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00136 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx38"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00137 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx39"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00138 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx40"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00139 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx41"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx42"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00141 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx43"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx44"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00143 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx45"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00144 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx46"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx47"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00146 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx48"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00147 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx49"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00148 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx50"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00149 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx51"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00150 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00151 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx53"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00152 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx54"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00153 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx55"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx56"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00155 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx57"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00156 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx58"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00157 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx59"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00158 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx60"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00159 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx61"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx62"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00161 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx63"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00162 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx64"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00163 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx65"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx66"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00165 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx67"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00166 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx68"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00167 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx69"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx70"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00169 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx71"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00170 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx72"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00171 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx73"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00172 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx74"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00173 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx75"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx76"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00175 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx77"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx78"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx79"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx80"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx81"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00180 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx82"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx83"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00182 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx84"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00183 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx85"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00185 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx87"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00186 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx88"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00187 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx89"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00188 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx90"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx91"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00190 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx92"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00191 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx93"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx94"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx95"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00194 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx96"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00195 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx97"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00196 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx98"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 460 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx99"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00198 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 6619136, 2097152, ) == 0x0 00199 460 NtAllocateVirtualMemory (-1, 8708096, 0, 8192, 4096, 4, ... 8708096, 8192, ) == 0x0 00200 460 NtProtectVirtualMemory (-1, (0x84e000), 4096, 260, ... (0x84e000), 4096, 4, ) == 0x0 00201 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292500, 2293216, 1, ... 28, {456, 584}, ) == 0x0 00202 460 NtQueryInformationThread (28, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=456,Tid=584,}, 0x0, ) == 0x0 00203 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} "\0\0\0\0\1\0\1\0p#E\0\0\0\0\0\34\0\0\0\310\1\0\0H\2\0\0" ... {28, 56, reply, 0, 456, 460, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\310\1\0\0H\2\0\0" ) ... {28, 56, reply, 0, 456, 460, 1503, 0} (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} "\0\0\0\0\1\0\1\0p#E\0\0\0\0\0\34\0\0\0\310\1\0\0H\2\0\0" ... {28, 56, reply, 0, 456, 460, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\310\1\0\0H\2\0\0" ) ) == 0x0 00204 460 NtResumeThread (28, ... 1, ) == 0x0 00205 584 NtTestAlert (... ) == 0x0 00206 584 NtContinue (8715568, 1, ... 00207 584 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00208 460 NtContinue (2292976, 0, ... 00209 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00210 584 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00211 584 NtClose (36, ... ) == 0x0 00212 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00213 584 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00214 584 NtClose (36, ... ) == 0x0 00215 460 NtAllocateVirtualMemory (-1, 0, 0, 2398, 4096, 64, ... 3276800, 4096, ) == 0x0 00216 460 NtCreateEvent (0x100003, 0x0, 1, 0, ... 36, ) == 0x0 00217 460 NtWaitForSingleObject (36, 0, 0x0, ... 00218 584 NtAllocateVirtualMemory (-1, 8704000, 0, 4096, 4096, 260, ... 8704000, 4096, ) == 0x0 00219 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 40, ) }, ... 40, ) == 0x0 00220 584 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00221 584 NtClose (40, ... 
) == 0x0 00222 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 40, ) }, ... 40, ) == 0x0 00223 584 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00224 584 NtClose (40, ... ) == 0x0 00225 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 40, ) }, ... 40, ) == 0x0 00226 584 NtQueryValueKey (40, (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00227 584 NtQueryValueKey (40, (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00228 584 NtClose (40, ... ) == 0x0 00229 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 40, ) }, ... 40, ) == 0x0 00230 584 NtQueryValueKey (40, (40, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00231 584 NtClose (40, ... ) == 0x0 00232 584 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 40, ) }, ... 40, ) == 0x0 00233 584 NtSetInformationObject (40, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00234 584 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 584 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00236 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147343352, 2294988, 0} (24, {28, 56, new_msg, 0, 2, 2147343352, 2294988, 0} "\210\6\31\1\0\0\0\0\314\4#\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 456, 584, 1504, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 456, 584, 1504, 0} (24, {28, 56, new_msg, 0, 2, 2147343352, 2294988, 0} "\210\6\31\1\0\0\0\0\314\4#\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 456, 584, 1504, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00237 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 584 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x850000), 0x0, 1060864, ) == 0x0 00239 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0 00240 584 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00241 584 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482032, ) == 0x0 00242 584 NtQueryInformationToken (-2147482032, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00243 584 NtQueryInformationToken (-2147482032, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00244 584 NtClose (-2147482032, ... ) == 0x0 00245 584 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 9830400, 4096, ) == 0x0 00246 584 NtFreeVirtualMemory (-1, (0x960000), 4096, 32768, ... (0x960000), 4096, ) == 0x0 00247 584 NtDuplicateObject (-1, 52, -1, 0x0, 0, 2, ... 
60, ) == 0x0 00248 584 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00249 584 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 584 NtClose (-2147482032, ... ) == 0x0 00251 584 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00252 584 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 584 NtClose (-2147482032, ... ) == 0x0 00254 584 NtQueryDefaultLocale (0, -128865780, ... ) == 0x0 00255 584 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00256 584 NtUserCallNoParam (24, ... ) == 0x0 00257 584 NtGdiCreateCompatibleDC (0, ... 00258 584 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9830400, 4096, ) == 0x0 00257 584 NtGdiCreateCompatibleDC ... ) == 0x110103c7 00259 584 NtGdiGetStockObject (0, ... ) == 0x1900010 00260 584 NtGdiGetStockObject (4, ... ) == 0x1900011 00261 584 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x120503cd 00262 584 NtGdiCreateSolidBrush (0, 0, ... 00263 584 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 13041664, 4096, ) == 0x0 00262 584 NtGdiCreateSolidBrush ... ) == 0x121003d0 00264 584 NtGdiGetStockObject (13, ... ) == 0x18a0021 00265 584 NtGdiCreateCompatibleDC (0, ... ) == 0x3e01040c 00266 584 NtGdiSelectBitmap (1040253964, 302318541, ... ) == 0x185000f 00267 584 NtUserGetThreadDesktop (584, 0, ... ) == 0x38 00268 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 64, ) }, ... 
64, ) == 0x0 00269 584 NtQueryValueKey (64, (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00270 584 NtClose (64, ... ) == 0x0 00271 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00272 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 673, 128, 0, ... ) == 0x810cc017 00273 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00274 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 674, 128, 0, ... ) == 0x810cc01c 00275 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00276 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 675, 128, 0, ... ) == 0x810cc01e 00277 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00278 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 676, 128, 0, ... ) == 0x810c8002 00279 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10013 00280 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 677, 128, 0, ... ) == 0x810cc018 00281 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00282 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 678, 128, 0, ... ) == 0x810cc01a 00283 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00284 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 679, 128, 0, ... ) == 0x810cc01d 00285 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00286 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 681, 128, 0, ... ) == 0x810cc026 00287 584 NtUserFindExistingCursorIcon (8711620, 8711636, 8712204, ... ) == 0x10011 00288 584 NtUserRegisterClassExWOW (8712140, 8712220, 8712204, 8712236, 680, 128, 0, ... 
) == 0x810cc019 00289 584 NtUserRegisterClassExWOW (8712092, 8712172, 8712156, 8712188, 0, 128, 0, ... 00290 584 NtAllocateVirtualMemory (-1, 9990144, 0, 4096, 4096, 32, ... 9990144, 4096, ) == 0x0 00289 584 NtUserRegisterClassExWOW ... ) == 0x810cc020 00291 584 NtUserRegisterClassExWOW (8712092, 8712168, 8712184, 8712156, 0, 130, 0, ... ) == 0x810cc022 00292 584 NtUserRegisterClassExWOW (8712092, 8712172, 8712156, 8712188, 0, 128, 0, ... ) == 0x810cc023 00293 584 NtUserRegisterClassExWOW (8712092, 8712168, 8712184, 8712156, 0, 130, 0, ... ) == 0x810cc024 00294 584 NtUserRegisterClassExWOW (8712092, 8712172, 8712156, 8712188, 0, 128, 0, ... ) == 0x810cc025 00295 584 NtCallbackReturn (0, 0, 0, ... 00296 584 NtGdiInit (... ) == 0x1 00297 584 NtGdiGetStockObject (18, ... ) == 0x290001c 00298 584 NtGdiGetStockObject (19, ... ) == 0x1b00019 00299 584 NtSetEventBoostPriority (36, ... 00217 460 NtWaitForSingleObject ... ) == 0x0 00300 460 NtAllocateVirtualMemory (-1, 0, 0, 27136, 4096, 64, ... 13107200, 28672, ) == 0x0 00301 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00302 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2291552, ... }, 2291552, ... 00299 584 NtSetEventBoostPriority ... ) == 0x0 00303 584 NtWaitForSingleObject (36, 0, 0x0, ... 00302 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00304 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 2291552, ... ) }, 2291552, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 2291552, ... ) }, 2291552, ... ) == 0x0 00306 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 
64, {status=0x0, info=1}, ) == 0x0 00307 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0 00308 460 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00309 460 NtClose (64, ... ) == 0x0 00310 460 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00311 460 NtClose (68, ... ) == 0x0 00312 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 68, ) }, ... 68, ) == 0x0 00313 460 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00314 460 NtClose (68, ... ) == 0x0 00315 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00317 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == 0x0 00319 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00320 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0 00321 460 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00322 460 NtClose (68, ... ) == 0x0 00323 460 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00324 460 NtClose (64, ... ) == 0x0 00325 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00326 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 13172736, 65536, ) == 0x0 00327 460 NtAllocateVirtualMemory (-1, 13172736, 0, 4096, 4096, 4, ... 13172736, 4096, ) == 0x0 00328 460 NtAllocateVirtualMemory (-1, 13176832, 0, 8192, 4096, 4, ... 13176832, 8192, ) == 0x0 00329 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 64, ) }, ... 64, ) == 0x0 00330 460 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xca0000), 0x0, 12288, ) == 0x0 00331 460 NtClose (64, ... ) == 0x0 00332 460 NtAllocateVirtualMemory (-1, 13185024, 0, 4096, 4096, 4, ... 13185024, 4096, ) == 0x0 00333 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00334 460 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00335 460 NtSetEventBoostPriority (36, ... 00303 584 NtWaitForSingleObject ... ) == 0x0 00336 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00337 584 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00338 584 NtClose (64, ... ) == 0x0 00339 584 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00340 584 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00335 460 NtSetEventBoostPriority ... ) == 0x0 00341 584 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0 00342 584 NtQueryValueKey (64, (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00343 584 NtClose (64, ... ) == 0x0 00344 584 NtAllocateVirtualMemory (-1, 4542464, 0, 4096, 4096, 4, ... 4542464, 4096, ) == 0x0 00345 584 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00346 584 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00347 460 NtWaitForSingleObject (36, 0, 0x0, ... 00348 584 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00349 584 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00350 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0 00351 584 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00352 584 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00353 584 NtQueryValueKey (64, (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00354 584 NtClose (64, ... ) == 0x0 00355 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0 00356 584 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00357 584 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00358 584 NtClose (64, ... ) == 0x0 00359 584 NtOpenEvent (0x1f0003, {24, 32, 0x0, 0, 0, (0x1f0003, {24, 32, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00360 584 NtSetEventBoostPriority (36, ... 00347 460 NtWaitForSingleObject ... ) == 0x0 00361 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 64, ) }, ... 64, ) == 0x0 00362 460 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00363 460 NtClose (64, ... ) == 0x0 00364 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 64, ) }, ... 64, ) == 0x0 00365 460 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00360 584 NtSetEventBoostPriority ... ) == 0x0 00366 584 NtWaitForSingleObject (36, 0, 0x0, ... 00365 460 NtMapViewOfSection ... 
(0x772d0000), 0x0, 405504, ) == 0x0 00367 460 NtClose (64, ... ) == 0x0 00368 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00369 460 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00370 460 NtClose (64, ... ) == 0x0 00371 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 64, ) }, ... 64, ) == 0x0 00372 460 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00373 460 NtClose (64, ... ) == 0x0 00374 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00375 460 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00376 460 NtClose (64, ... ) == 0x0 00377 460 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00378 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00379 460 NtAllocateVirtualMemory (-1, 4546560, 0, 4096, 4096, 4, ... 4546560, 4096, ) == 0x0 00380 460 NtAllocateVirtualMemory (-1, 4550656, 0, 4096, 4096, 4, ... 4550656, 4096, ) == 0x0 00381 460 NtAllocateVirtualMemory (-1, 4554752, 0, 4096, 4096, 4, ... 4554752, 4096, ) == 0x0 00382 460 NtCreateEvent (0x1f0003, {24, 32, 0x80, 2291684, 0, (0x1f0003, {24, 32, 0x80, 2291684, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00383 460 NtOpenEvent (0x100000, {24, 32, 0x0, 0, 0, (0x100000, {24, 32, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 64, ) }, ... 64, ) == 0x0 00384 460 NtAllocateVirtualMemory (-1, 4558848, 0, 4096, 4096, 4, ... 
4558848, 4096, ) == 0x0 00385 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 68, ) == 0x0 00386 460 NtCallbackReturn (0, 0, 0, ... 00387 460 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00388 460 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00389 460 NtOpenKey (0x9, {24, 40, 0x40, 0, 0, (0x9, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00390 460 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00391 460 NtAllocateVirtualMemory (-1, 4562944, 0, 8192, 4096, 4, ... 4562944, 8192, ) == 0x0 00392 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00393 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 72, ) == 0x0 00394 460 NtQueryInformationToken (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00395 460 NtClose (72, ... ) == 0x0 00396 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 72, ) }, ... 72, ) == 0x0 00397 460 NtSetInformationObject (72, Handle, {Inherit=0,ProtectFromClose=1,}, 2228480, ... ) == 0x0 00398 460 NtCreateKey (0xf003f, {24, 72, 0x40, 0, 0, (0xf003f, {24, 72, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0 00399 460 NtQueryDefaultUILanguage (2289920, ... 00400 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00401 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00402 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00403 460 NtClose (-2147482032, ... 
) == 0x0 00404 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00405 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00406 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00407 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00408 460 NtClose (-2147482044, ... ) == 0x0 00409 460 NtClose (-2147482032, ... ) == 0x0 00399 460 NtQueryDefaultUILanguage ... ) == 0x0 00410 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00411 460 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00412 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00413 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 80, ... 84, ) == 0x0 00414 460 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xcb0000), 0x0, 593920, ) == 0x0 00415 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00416 460 NtQueryDefaultUILanguage (2013024600, ... 00417 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00418 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
-2147482032, ) == 0x0 00419 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00420 460 NtClose (-2147482032, ... ) == 0x0 00421 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00422 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00423 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00424 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00425 460 NtClose (-2147482044, ... ) == 0x0 00426 460 NtClose (-2147482032, ... ) == 0x0 00416 460 NtQueryDefaultUILanguage ... ) == 0x0 00427 460 NtAllocateVirtualMemory (-1, 2277376, 0, 4096, 4096, 260, ... 2277376, 4096, ) == 0x0 00428 460 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00429 460 NtQueryDefaultLocale (1, 2287956, ... ) == 0x0 00430 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00431 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2288812, 1, 96, 0} (24, {128, 156, new_msg, 0, 2288812, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363"\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1505, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363 (24, {128, 156, new_msg, 0, 2288812, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1505, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363"\0\0\0\0\0" ) ... {128, 156, reply, 0, 456, 460, 1505, 0} (24, {128, 156, new_msg, 0, 2288812, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363"\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1505, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363 (24, {128, 156, new_msg, 0, 2288812, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1505, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1P\0\0\0\377\377\377\377\0\0\0\0P\275\322\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\254\363"\0\0\0\0\0" ) ) == 0x0 00432 460 NtClose (80, ... ) == 0x0 00433 460 NtClose (84, ... ) == 0x0 00434 460 NtUnmapViewOfSection (-1, 0xcb0000, ... ) == 0x0 00435 460 NtUnmapViewOfSection (-1, 0x22f3ac, ... ) == STATUS_NOT_MAPPED_VIEW 00436 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00437 460 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00438 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00439 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00440 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2286496, ... ) }, 2286496, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00441 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00442 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00443 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00444 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2287088, ... ) }, 2287088, ... ) == 0x0 00445 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 84, {status=0x0, info=1}, ) }, 3, 33, ... 84, {status=0x0, info=1}, ) == 0x0 00446 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00447 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00448 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 80, ... 88, ) == 0x0 00449 460 NtClose (80, ... ) == 0x0 00450 460 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xd60000), 0x0, 921600, ) == 0x0 00451 460 NtClose (88, ... ) == 0x0 00452 460 NtUnmapViewOfSection (-1, 0xd60000, ... ) == 0x0 00453 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00454 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 80, ) == 0x0 00455 460 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00456 460 NtClose (88, ... ) == 0x0 00457 460 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00458 460 NtClose (80, ... 
) == 0x0 00459 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00460 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00461 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00462 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00463 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00464 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00465 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00466 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00467 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00468 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00469 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00470 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00471 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00472 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00473 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00474 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00475 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00476 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00477 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00478 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00479 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00480 460 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 2288272, ... ) , 42, 2288272, ... 
) == 0x0 00481 460 NtQueryDefaultUILanguage (2286988, ... 00482 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00483 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00484 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00485 460 NtClose (-2147482032, ... ) == 0x0 00486 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00487 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00488 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00489 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00490 460 NtClose (-2147482044, ... ) == 0x0 00491 460 NtClose (-2147482032, ... ) == 0x0 00481 460 NtQueryDefaultUILanguage ... ) == 0x0 00492 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00493 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2285840, ... ) }, 2285840, ... ) == 0x0 00494 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00495 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 80, ... 88, ) == 0x0 00496 460 NtClose (80, ... ) == 0x0 00497 460 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0xcb0000), 0x0, 4096, ) == 0x0 00498 460 NtClose (88, ... ) == 0x0 00499 460 NtUnmapViewOfSection (-1, 0xcb0000, ... ) == 0x0 00500 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2285480, ... ) }, 2285480, ... ) == 0x0 00501 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2286180, (0x80100080, {24, 0, 0x40, 0, 2286180, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) == 0x0 00502 460 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 88, ... 80, ) == 0x0 00503 460 NtClose (88, ... ) == 0x0 00504 460 NtMapViewOfSection (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xcb0000), {0, 0}, 4096, ) == 0x0 00505 460 NtClose (80, ... ) == 0x0 00506 460 NtUnmapViewOfSection (-1, 0xcb0000, ... ) == 0x0 00507 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00508 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0 00509 460 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xcb0000), 0x0, 4096, ) == 0x0 00510 460 NtQueryInformationFile (80, 2285800, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00511 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00512 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2285880, 1, 96, 0} (24, {128, 156, new_msg, 0, 2285880, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\08\350"\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1506, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\08\350"\0\0\0\0\0" ) \0\0\0\0\0 (24, {128, 156, new_msg, 0, 2285880, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\08\350"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1506, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\08\350"\0\0\0\0\0" ) h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\08\350 (24, {128, 156, new_msg, 0, 2285880, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\08\350"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1506, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1P\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\08\350"\0\0\0\0\0" ) ) == 0x0 00513 460 NtClose (80, ... ) == 0x0 00514 460 NtClose (88, ... 
) == 0x0 00515 460 NtUnmapViewOfSection (-1, 0xcb0000, ... ) == 0x0 00516 460 NtUnmapViewOfSection (-1, 0x22e838, ... ) == STATUS_NOT_MAPPED_VIEW 00517 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00518 460 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00519 460 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00520 460 NtUserGetDC (0, ... ) == 0x1010051 00521 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00522 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00523 460 NtContinue (2285836, 0, ... 00524 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00525 460 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 00526 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00527 460 NtUnmapViewOfSection (-1, 0xd50000, ... ) == 0x0 00528 460 NtClose (84, ... ) == 0x0 00529 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 84, ) }, ... 84, ) == 0x0 00530 460 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00531 460 NtClose (84, ... ) == 0x0 00532 460 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {456, 0}, ... 84, ) == 0x0 00533 460 NtQueryInformationProcess (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00534 460 NtClose (84, ... ) == 0x0 00535 460 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00536 460 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00537 460 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00538 460 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "Control Panel\Desktop"}, ... 84, ) }, ... 84, ) == 0x0 00539 460 NtQueryValueKey (84, (84, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00540 460 NtClose (84, ... ) == 0x0 00541 460 NtUserSystemParametersInfo (41, 500, 2288404, 0, ... ) == 0x1 00542 460 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... 
) == 0x1 00543 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00544 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00545 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc03b 00546 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00547 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc03d 00548 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00549 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00550 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc03f 00551 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00552 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00553 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc041 00554 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00555 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00556 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc043 00557 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00558 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc045 00559 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00560 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00561 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc047 00562 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00563 460 NtUserFindExistingCursorIcon (2288192, 2288208, 2288776, ... 
) == 0x10011 00564 460 NtUserRegisterClassExWOW (2288644, 2288724, 2288708, 2288740, 0, 384, 0, ... ) == 0x810cc049 00565 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00566 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00567 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc04b 00568 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00569 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00570 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc04d 00571 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00572 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00573 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc04f 00574 460 NtUserGetClassInfo (1999896576, 2288816, 2288768, 2288844, 0, ... ) == 0x0 00575 460 NtUserRegisterClassExWOW (2288652, 2288732, 2288716, 2288748, 0, 384, 0, ... ) == 0x810cc051 00576 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00577 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00578 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc053 00579 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00580 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00581 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc055 00582 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc057 00583 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00584 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... 
) == 0x10011 00585 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc059 00586 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00587 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10013 00588 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc05b 00589 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00590 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00591 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc05d 00592 460 NtUserGetClassInfo (1999896576, 2288812, 2288764, 2288840, 0, ... ) == 0x0 00593 460 NtUserFindExistingCursorIcon (2288196, 2288212, 2288780, ... ) == 0x10011 00594 460 NtUserRegisterClassExWOW (2288648, 2288728, 2288712, 2288744, 0, 384, 0, ... ) == 0x810cc05f 00595 460 NtCreateKey (0x2001f, {24, 72, 0x40, 0, 0, (0x2001f, {24, 72, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 84, 2, ) }, 0, 0x0, 0, ... 84, 2, ) == 0x0 00596 460 NtSetEventBoostPriority (36, ... 00366 584 NtWaitForSingleObject ... ) == 0x0 00597 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00598 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 8713816, ... }, 8713816, ... 00596 460 NtSetEventBoostPriority ... ) == 0x0 00599 460 NtWaitForSingleObject (36, 0, 0x0, ... 00598 584 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00600 584 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc.dll"}, 8713816, ... ) }, 8713816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00601 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 8713816, ... ) }, 8713816, ... 
) == 0x0 00602 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00603 584 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 80, ) == 0x0 00604 584 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00605 584 NtClose (88, ... ) == 0x0 00606 584 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0 00607 584 NtClose (80, ... ) == 0x0 00608 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00609 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 8713012, ... ) }, 8713012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00610 584 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 8713012, ... ) }, 8713012, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00611 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 8713012, ... ) }, 8713012, ... ) == 0x0 00612 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00613 584 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 80, ... 88, ) == 0x0 00614 584 NtQuerySection (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00615 584 NtClose (80, ... ) == 0x0 00616 584 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0 00617 584 NtClose (88, ... ) == 0x0 00618 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00619 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 8712208, ... 
) }, 8712208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00620 584 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 8712208, ... ) }, 8712208, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00621 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 8712208, ... ) }, 8712208, ... ) == 0x0 00622 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00623 584 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 80, ) == 0x0 00624 584 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00625 584 NtClose (88, ... ) == 0x0 00626 584 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0 00627 584 NtClose (80, ... ) == 0x0 00628 584 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 80, ) }, ... 80, ) == 0x0 00629 584 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0 00630 584 NtClose (80, ... ) == 0x0 00631 584 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00632 584 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 13434880, 262144, ) == 0x0 00633 584 NtAllocateVirtualMemory (-1, 13434880, 0, 4096, 4096, 4, ... 13434880, 4096, ) == 0x0 00634 584 NtAllocateVirtualMemory (-1, 13438976, 0, 8192, 4096, 4, ... 13438976, 8192, ) == 0x0 00635 584 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00636 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13697024, 1048576, ) == 0x0 00637 584 NtAllocateVirtualMemory (-1, 13697024, 0, 1048576, 4096, 4, ... 13697024, 1048576, ) == 0x0 00638 584 NtCreateMutant (0x1f0001, 0x0, 0, ... 80, ) == 0x0 00639 584 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 88, ) == 0x0 00640 584 NtCreateMutant (0x1f0001, 0x0, 0, ... 92, ) == 0x0 00641 584 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 96, ) == 0x0 00642 584 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 100, ) == 0x0 00643 584 NtSetEvent (100, ... 0x0, ) == 0x0 00644 584 NtSetEventBoostPriority (36, ... 00599 460 NtWaitForSingleObject ... ) == 0x0 00645 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00646 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 2291552, ... }, 2291552, ... 00644 584 NtSetEventBoostPriority ... ) == 0x0 00647 584 NtWaitForSingleObject (36, 0, 0x0, ... 00646 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00648 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 2291552, ... ) }, 2291552, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00649 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 2291552, ... ) }, 2291552, ... ) == 0x0 00650 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00651 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 
108, ) == 0x0 00652 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00653 460 NtClose (104, ... ) == 0x0 00654 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 00655 460 NtClose (108, ... ) == 0x0 00656 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00657 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00658 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00659 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 2290748, ... ) }, 2290748, ... ) == 0x0 00660 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00661 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00662 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00663 460 NtClose (108, ... ) == 0x0 00664 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 00665 460 NtClose (104, ... ) == 0x0 00666 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00667 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 2289944, ... ) }, 2289944, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00668 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 2289944, ... ) }, 2289944, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00669 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 2289944, ... ) }, 2289944, ... ) == 0x0 00670 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00671 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00672 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00673 460 NtClose (104, ... ) == 0x0 00674 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 00675 460 NtClose (108, ... ) == 0x0 00676 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00677 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00678 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00679 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00680 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00681 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00682 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00683 460 NtClose (108, ... ) == 0x0 00684 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 00685 460 NtClose (104, ... 
) == 0x0 00686 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00687 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00688 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00689 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 2288336, ... ) }, 2288336, ... ) == 0x0 00690 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00691 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00692 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00693 460 NtClose (104, ... ) == 0x0 00694 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 00695 460 NtClose (108, ... ) == 0x0 00696 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00697 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 2287532, ... ) }, 2287532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00698 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 2287532, ... ) }, 2287532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00699 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 2287532, ... ) }, 2287532, ... ) == 0x0 00700 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 
108, {status=0x0, info=1}, ) == 0x0 00701 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00702 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00703 460 NtClose (108, ... ) == 0x0 00704 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00705 460 NtClose (104, ... ) == 0x0 00706 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 104, ) }, ... 104, ) == 0x0 00707 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 00708 460 NtClose (104, ... ) == 0x0 00709 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00710 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00711 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00712 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 2288336, ... ) }, 2288336, ... ) == 0x0 00713 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00714 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00715 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00716 460 NtClose (104, ... ) == 0x0 00717 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 00718 460 NtClose (108, ... ) == 0x0 00719 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00720 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00721 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00722 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00723 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00724 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00725 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00726 460 NtClose (108, ... ) == 0x0 00727 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 00728 460 NtClose (104, ... ) == 0x0 00729 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00731 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00732 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00733 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00734 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 
108, ) == 0x0 00735 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00736 460 NtClose (104, ... ) == 0x0 00737 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 00738 460 NtClose (108, ... ) == 0x0 00739 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00740 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00741 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00742 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00743 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00744 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00745 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00746 460 NtClose (108, ... ) == 0x0 00747 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 00748 460 NtClose (104, ... ) == 0x0 00749 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00750 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 2289944, ... ) }, 2289944, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00751 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 2289944, ... ) }, 2289944, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00752 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 2289944, ... ) }, 2289944, ... ) == 0x0 00753 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00754 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00755 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00756 460 NtClose (104, ... ) == 0x0 00757 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 00758 460 NtClose (108, ... ) == 0x0 00759 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00761 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00762 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00763 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00764 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00765 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00766 460 NtClose (108, ... ) == 0x0 00767 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 00768 460 NtClose (104, ... 
) == 0x0 00769 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00770 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00771 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00772 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00773 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00774 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00775 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00776 460 NtClose (104, ... ) == 0x0 00777 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 00778 460 NtClose (108, ... ) == 0x0 00779 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00780 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00781 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00782 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 2288336, ... ) }, 2288336, ... ) == 0x0 00783 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 
108, {status=0x0, info=1}, ) == 0x0 00784 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00785 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00786 460 NtClose (108, ... ) == 0x0 00787 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 00788 460 NtClose (104, ... ) == 0x0 00789 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 104, ) }, ... 104, ) == 0x0 00790 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00791 460 NtClose (104, ... ) == 0x0 00792 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00793 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 2289944, ... ) }, 2289944, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00794 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 2289944, ... ) }, 2289944, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00795 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 2289944, ... ) }, 2289944, ... ) == 0x0 00796 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00797 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00798 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00799 460 NtClose (104, ... ) == 0x0 00800 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00801 460 NtClose (108, ... ) == 0x0 00802 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00803 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 2289944, ... ) }, 2289944, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 2289944, ... ) }, 2289944, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00805 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 2289944, ... ) }, 2289944, ... ) == 0x0 00806 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00807 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00808 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00809 460 NtClose (108, ... ) == 0x0 00810 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 00811 460 NtClose (104, ... ) == 0x0 00812 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00813 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00814 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00815 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00816 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00817 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 
108, ) == 0x0 00818 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00819 460 NtClose (104, ... ) == 0x0 00820 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 00821 460 NtClose (108, ... ) == 0x0 00822 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00823 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00824 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00825 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00826 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00827 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00828 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00829 460 NtClose (108, ... ) == 0x0 00830 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 00831 460 NtClose (104, ... ) == 0x0 00832 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00833 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00834 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 2288336, ... ) }, 2288336, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00835 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 2288336, ... ) }, 2288336, ... ) == 0x0 00836 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00837 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00838 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00839 460 NtClose (104, ... ) == 0x0 00840 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 00841 460 NtClose (108, ... ) == 0x0 00842 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00843 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00844 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 2289140, ... ) }, 2289140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00845 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 2289140, ... ) }, 2289140, ... ) == 0x0 00846 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00847 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00848 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00849 460 NtClose (108, ... ) == 0x0 00850 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 00851 460 NtClose (104, ... 
) == 0x0 00852 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00853 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00854 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 2288336, ... ) }, 2288336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00855 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 2288336, ... ) }, 2288336, ... ) == 0x0 00856 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00857 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00858 460 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00859 460 NtClose (104, ... ) == 0x0 00860 460 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 00861 460 NtClose (108, ... ) == 0x0 00862 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 00863 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 104, ) }, ... 104, ) == 0x0 00864 460 NtQueryValueKey (104, (104, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00865 460 NtClose (104, ... ) == 0x0 00866 460 NtQueryDefaultLocale (1, 2291424, ... ) == 0x0 00867 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00868 460 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14745600, 262144, ) == 0x0 00869 460 NtAllocateVirtualMemory (-1, 14745600, 0, 4096, 4096, 4, ... 14745600, 4096, ) == 0x0 00870 460 NtAllocateVirtualMemory (-1, 14749696, 0, 8192, 4096, 4, ... 14749696, 8192, ) == 0x0 00871 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00872 460 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00873 460 NtQueryDefaultLocale (1, 2291384, ... ) == 0x0 00874 460 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 00875 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\Setup"}, ... 104, ) }, ... 104, ) == 0x0 00876 460 NtQueryValueKey (104, (104, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00877 460 NtClose (104, ... ) == 0x0 00878 460 NtUserGetProcessWindowStation (... ) == 0x34 00879 460 NtUserGetObjectInformation (52, 1, 2291056, 12, 2291068, ... ) == 0x1 00880 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 104, ) }, ... 104, ) == 0x0 00881 460 NtQueryValueKey (104, (104, "seed", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 00882 460 NtClose (104, ... ) == 0x0 00883 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\Setup"}, ... 104, ) }, ... 104, ) == 0x0 00884 460 NtQueryValueKey (104, (104, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 00885 460 NtQueryValueKey (104, (104, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 00886 460 NtClose (104, ... ) == 0x0 00887 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\Setup"}, ... 104, ) }, ... 104, ) == 0x0 00888 460 NtQueryValueKey (104, (104, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 00889 460 NtQueryValueKey (104, (104, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 00890 460 NtClose (104, ... 
) == 0x0 00891 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 104, ) }, ... 104, ) == 0x0 00892 460 NtQueryValueKey (104, (104, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00893 460 NtQueryValueKey (104, (104, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00894 460 NtClose (104, ... ) == 0x0 00895 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 104, ) }, ... 104, ) == 0x0 00896 460 NtQueryValueKey (104, (104, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00897 460 NtQueryValueKey (104, (104, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00898 460 NtClose (104, ... ) == 0x0 00899 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 104, ) }, ... 104, ) == 0x0 00900 460 NtQueryValueKey (104, (104, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "DriverCachePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 00901 460 NtQueryValueKey (104, (104, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 00902 460 NtClose (104, ... ) == 0x0 00903 460 NtAllocateVirtualMemory (-1, 4571136, 0, 4096, 4096, 4, ... 4571136, 4096, ) == 0x0 00904 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 104, ) }, ... 104, ) == 0x0 00905 460 NtQueryValueKey (104, (104, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 00906 460 NtClose (104, ... ) == 0x0 00907 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0 00908 460 NtCreateMutant (0x1f0001, 0x0, 0, ... 112, ) == 0x0 00909 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0 00910 460 NtCreateMutant (0x1f0001, 0x0, 0, ... 120, ) == 0x0 00911 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0 00912 460 NtCreateMutant (0x1f0001, 0x0, 0, ... 128, ) == 0x0 00913 460 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 132, ) }, ... 132, ) == 0x0 00914 460 NtQueryValueKey (132, (132, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 460 NtQueryValueKey (132, (132, "LogPath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND
00916 460 NtOpenKey (0x1, {24, 132, 0x40, 0, 0, "AppLogLevels"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00917 460 NtClose (132, ... ) == 0x0
00918 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 2290976, ... ) == 0x0
00919 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 132, ) == 0x0
00920 460 NtQueryValueKey (132, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) == 0x0
00921 460 NtClose (132, ... ) == 0x0
00922 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 132, ) == 0x0
00923 460 NtQueryValueKey (132, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) == 0x0
00924 460 NtClose (132, ... ) == 0x0
00925 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
00926 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 132, ) == 0x0
00927 460 NtQueryValueKey (132, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) == 0x0
00928 460 NtClose (132, ... ) == 0x0
00929 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0
00930 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 136, ) == 0x0
00931 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 140, ) == 0x0
00932 460 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 144, ) == 0x0
00933 460 NtQueryValueKey (144, "wave", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00934 460 NtQueryValueKey (144, "wave1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00935 460 NtQueryValueKey (144, "wave2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00936 460 NtQueryValueKey (144, "wave3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00937 460 NtQueryValueKey (144, "wave4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00938 460 NtQueryValueKey (144, "wave5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00939 460 NtQueryValueKey (144, "wave6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00940 460 NtQueryValueKey (144, "wave7", Partial, 536, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
00941 460 NtQueryValueKey (144, "wave8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00942 460 NtQueryValueKey (144, "wave9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00943 460 NtQueryValueKey (144, "midi", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00944 460 NtQueryValueKey (144, "midi1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00945 460 NtQueryValueKey (144, "midi2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00946 460 NtQueryValueKey (144, "midi3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00947 460 NtQueryValueKey (144, "midi4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00948 460 NtQueryValueKey (144, "midi5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00949 460 NtQueryValueKey (144, "midi6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00950 460 NtQueryValueKey (144, "midi7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00951 460 NtQueryValueKey (144, "midi8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00952 460 NtQueryValueKey (144, "midi9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00953 460 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0
00954 460 NtQueryValueKey (144, "aux", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00955 460 NtQueryValueKey (144, "aux1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00956 460 NtQueryValueKey (144, "aux2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00957 460 NtQueryValueKey (144, "aux3", Partial, 536, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
00958 460 NtQueryValueKey (144, "aux4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00959 460 NtQueryValueKey (144, "aux5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00960 460 NtQueryValueKey (144, "aux6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00961 460 NtQueryValueKey (144, "aux7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00962 460 NtQueryValueKey (144, "aux8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00963 460 NtQueryValueKey (144, "aux9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00964 460 NtUserRegisterWindowMessage ("MSJSTICK_VJOYD_MSGSTR", ... ) == 0xc07c
00965 460 NtOpenKey (0xf003f, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 148, ) == 0x0
00966 460 NtQueryValueKey (148, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0
00967 460 NtClose (148, ... ) == 0x0
00968 460 NtCreateEvent (0x1f0003, {24, 32, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) == STATUS_ACCESS_DENIED
00969 460 NtQueryValueKey (144, "mixer", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00970 460 NtQueryValueKey (144, "mixer1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00971 460 NtQueryValueKey (144, "mixer2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00972 460 NtQueryValueKey (144, "mixer3", Partial, 536, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
00973 460 NtQueryValueKey (144, "mixer4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00974 460 NtQueryValueKey (144, "mixer5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00975 460 NtQueryValueKey (144, "mixer6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00976 460 NtQueryValueKey (144, "mixer7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00977 460 NtQueryValueKey (144, "mixer8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00978 460 NtQueryValueKey (144, "mixer9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00979 460 NtQueryDefaultUILanguage (2289944, ...
00980 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
00981 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0
00982 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
00983 460 NtClose (-2147482032, ... ) == 0x0
00984 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) == 0x0
00985 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00986 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) == 0x0
00987 460 NtQueryValueKey (-2147482044, "MultiUILanguageId", Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00988 460 NtClose (-2147482044, ... ) == 0x0
00989 460 NtClose (-2147482032, ... ) == 0x0
00979 460 NtQueryDefaultUILanguage ...
) == 0x0 00990 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 148, {status=0x0, info=1}, ) }, 1, 96, ... 148, {status=0x0, info=1}, ) == 0x0 00992 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 148, ... 152, ) == 0x0 00993 460 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xe50000), 0x0, 163840, ) == 0x0 00994 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00995 460 NtQueryDefaultLocale (1, 2287980, ... ) == 0x0 00996 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00997 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2288836, 1, 96, 0} (24, {128, 156, new_msg, 0, 2288836, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363"\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1507, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363 (24, {128, 156, new_msg, 0, 2288836, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1507, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363"\0\0\0\0\0" ) ... {128, 156, reply, 0, 456, 460, 1507, 0} (24, {128, 156, new_msg, 0, 2288836, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363"\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1507, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363 (24, {128, 156, new_msg, 0, 2288836, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1507, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\224\0\0\0\377\377\377\377\0\0\0\0\360Z\347\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\363"\0\0\0\0\0" ) ) == 0x0 00998 460 NtClose (148, ... ) == 0x0 00999 460 NtClose (152, ... ) == 0x0 01000 460 NtUnmapViewOfSection (-1, 0xe50000, ... ) == 0x0 01001 460 NtUnmapViewOfSection (-1, 0x22f3c4, ... ) == STATUS_NOT_MAPPED_VIEW 01002 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01003 460 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01004 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01005 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01006 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2287064, ... ) }, 2287064, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01007 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01008 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01009 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01010 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2287656, ... ) }, 2287656, ... ) == 0x0 01011 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 152, {status=0x0, info=1}, ) }, 3, 33, ... 152, {status=0x0, info=1}, ) == 0x0 01012 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01013 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01014 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 148, ... 156, ) == 0x0 01015 460 NtClose (148, ... ) == 0x0 01016 460 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe50000), 0x0, 921600, ) == 0x0 01017 460 NtClose (156, ... ) == 0x0 01018 460 NtUnmapViewOfSection (-1, 0xe50000, ... ) == 0x0 01019 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0 01020 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 156, ... 148, ) == 0x0 01021 460 NtQuerySection (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01022 460 NtClose (156, ... ) == 0x0 01023 460 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 01024 460 NtClose (148, ... 
) == 0x0 01025 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01026 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01027 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01028 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01029 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01030 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01031 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01032 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01033 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01034 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01035 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01036 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01037 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01038 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01039 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01040 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01041 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01042 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01043 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01044 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01045 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01046 460 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 2288840, ... ) , 42, 2288840, ... 
) == 0x0 01047 460 NtQueryDefaultUILanguage (2287556, ... 01048 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01049 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 01050 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01051 460 NtClose (-2147482032, ... ) == 0x0 01052 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01053 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01054 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 01055 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01056 460 NtClose (-2147482044, ... ) == 0x0 01057 460 NtClose (-2147482032, ... ) == 0x0 01047 460 NtQueryDefaultUILanguage ... ) == 0x0 01058 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01059 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2286408, ... ) }, 2286408, ... ) == 0x0 01060 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01061 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 148, ... 156, ) == 0x0 01062 460 NtClose (148, ... ) == 0x0 01063 460 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0xe50000), 0x0, 4096, ) == 0x0 01064 460 NtClose (156, ... ) == 0x0 01065 460 NtUnmapViewOfSection (-1, 0xe50000, ... ) == 0x0 01066 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2286048, ... ) }, 2286048, ... ) == 0x0 01067 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2286748, (0x80100080, {24, 0, 0x40, 0, 2286748, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0 01068 460 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 156, ... 148, ) == 0x0 01069 460 NtClose (156, ... ) == 0x0 01070 460 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe50000), {0, 0}, 4096, ) == 0x0 01071 460 NtClose (148, ... ) == 0x0 01072 460 NtUnmapViewOfSection (-1, 0xe50000, ... ) == 0x0 01073 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 148, {status=0x0, info=1}, ) }, 1, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01074 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 148, ... 156, ) == 0x0 01075 460 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xe50000), 0x0, 4096, ) == 0x0 01076 460 NtQueryInformationFile (148, 2286368, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01077 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01078 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2286448, 1, 96, 0} (24, {128, 156, new_msg, 0, 2286448, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\224\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\352"\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1508, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\224\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\352"\0\0\0\0\0" ) \0\0\0\0\0 (24, {128, 156, new_msg, 0, 2286448, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\224\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\352"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1508, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\224\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\352"\0\0\0\0\0" ) h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\224\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\352 (24, {128, 156, new_msg, 0, 2286448, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\224\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\352"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1508, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\224\0\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0p\352"\0\0\0\0\0" ) ) == 0x0 01079 460 NtClose (148, ... ) == 0x0 01080 460 NtClose (156, ... 
) == 0x0 01081 460 NtUnmapViewOfSection (-1, 0xe50000, ... ) == 0x0 01082 460 NtUnmapViewOfSection (-1, 0x22ea70, ... ) == STATUS_NOT_MAPPED_VIEW 01083 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01084 460 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01085 460 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01086 460 NtUserGetDC (0, ... ) == 0x1010052 01087 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01088 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01089 460 NtContinue (2286412, 0, ... 01090 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01091 460 NtUnmapViewOfSection (-1, 0x71950000, ... ) == 0x0 01092 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01093 460 NtUnmapViewOfSection (-1, 0xcb0000, ... ) == 0x0 01094 460 NtClose (152, ... ) == 0x0 01095 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 152, ) }, ... 152, ) == 0x0 01096 460 NtQueryValueKey (152, (152, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01097 460 NtQueryValueKey (152, (152, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01098 460 NtClose (152, ... ) == 0x0 01099 460 NtCreateMutant (0x1f0001, 0x0, 0, ... 152, ) == 0x0 01100 460 NtCreateMutant (0x1f0001, {24, 32, 0x80, 4572536, 0, (0x1f0001, {24, 32, 0x80, 4572536, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 01101 460 NtOpenMutant (0x100000, {24, 32, 0x0, 0, 0, (0x100000, {24, 32, 0x0, 0, 0, "RasPbFile"}, ... 156, ) }, ... 156, ) == 0x0 01102 460 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 148, ) == 0x0 01103 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0 01104 460 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 164, ) == 0x0 01105 460 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 
168, ) == 0x0 01106 460 NtQueryValueKey (168, (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01107 460 NtClose (168, ... ) == 0x0 01108 460 NtQueryDefaultUILanguage (2289908, ... 01109 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01110 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 01111 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01112 460 NtClose (-2147482032, ... ) == 0x0 01113 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01114 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01115 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 01116 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01117 460 NtClose (-2147482044, ... ) == 0x0 01118 460 NtClose (-2147482032, ... ) == 0x0 01108 460 NtQueryDefaultUILanguage ... ) == 0x0 01119 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01120 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 168, {status=0x0, info=1}, ) }, 1, 96, ... 
168, {status=0x0, info=1}, ) == 0x0 01121 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 168, ... 172, ) == 0x0 01122 460 NtMapViewOfSection (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xe70000), 0x0, 8323072, ) == 0x0 01123 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01124 460 NtQueryDefaultLocale (1, 2287944, ... ) == 0x0 01125 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2288800, 1, 96, 0} (24, {128, 156, new_msg, 0, 2288800, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\357"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1509, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\357"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363 (24, {128, 156, new_msg, 0, 2288800, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\357"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363"\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1509, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\357"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363"\0\0\0\0\0" ) ... {128, 156, reply, 0, 456, 460, 1509, 0} (24, {128, 156, new_msg, 0, 2288800, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\357"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1509, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\357"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363 (24, {128, 156, new_msg, 0, 2288800, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\357"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1509, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\357"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\250\0\0\0\377\377\377\377\0\0\0\0\20\311\36\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\240\363"\0\0\0\0\0" ) ) == 0x0 01127 460 NtClose (168, ... 
) == 0x0 01128 460 NtClose (172, ... ) == 0x0 01129 460 NtUnmapViewOfSection (-1, 0xe70000, ... ) == 0x0 01130 460 NtUnmapViewOfSection (-1, 0x22f3a0, ... ) == STATUS_NOT_MAPPED_VIEW 01131 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01132 460 NtAllocateVirtualMemory (-1, 4575232, 0, 4096, 4096, 4, ... 4575232, 4096, ) == 0x0 01133 460 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01134 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01135 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01136 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2287028, ... ) }, 2287028, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01137 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01138 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01139 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01140 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2287620, ... ) }, 2287620, ... ) == 0x0 01141 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 172, {status=0x0, info=1}, ) }, 3, 33, ... 172, {status=0x0, info=1}, ) == 0x0 01142 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01143 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01144 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 168, ... 176, ) == 0x0 01145 460 NtClose (168, ... 
) == 0x0 01146 460 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe70000), 0x0, 921600, ) == 0x0 01147 460 NtClose (176, ... ) == 0x0 01148 460 NtUnmapViewOfSection (-1, 0xe70000, ... ) == 0x0 01149 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0 01150 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 176, ... 168, ) == 0x0 01151 460 NtQuerySection (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01152 460 NtClose (176, ... ) == 0x0 01153 460 NtMapViewOfSection (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 01154 460 NtClose (168, ... ) == 0x0 01155 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01156 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01157 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01158 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01159 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01160 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01161 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01162 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01163 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01164 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01165 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01166 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01167 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 01168 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01169 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01170 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01171 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01172 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01173 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 01174 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 01175 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 01176 460 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 2288804, ... ) , 42, 2288804, ... ) == 0x0 01177 460 NtQueryDefaultUILanguage (2287520, ... 01178 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01179 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 01180 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01181 460 NtClose (-2147482032, ... ) == 0x0 01182 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01183 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01184 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 01185 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01186 460 NtClose (-2147482044, ... 
) == 0x0 01187 460 NtClose (-2147482032, ... ) == 0x0 01177 460 NtQueryDefaultUILanguage ... ) == 0x0 01188 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01189 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2286372, ... ) }, 2286372, ... ) == 0x0 01190 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01191 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 168, ... 176, ) == 0x0 01192 460 NtClose (168, ... ) == 0x0 01193 460 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xe50000), 0x0, 4096, ) == 0x0 01194 460 NtClose (176, ... ) == 0x0 01195 460 NtUnmapViewOfSection (-1, 0xe50000, ... ) == 0x0 01196 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2286012, ... ) }, 2286012, ... ) == 0x0 01197 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2286712, (0x80100080, {24, 0, 0x40, 0, 2286712, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01198 460 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 176, ... 168, ) == 0x0 01199 460 NtClose (176, ... ) == 0x0 01200 460 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xe50000), {0, 0}, 4096, ) == 0x0 01201 460 NtClose (168, ... ) == 0x0 01202 460 NtUnmapViewOfSection (-1, 0xe50000, ... ) == 0x0 01203 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 168, {status=0x0, info=1}, ) }, 1, 96, ... 
168, {status=0x0, info=1}, ) == 0x0 01204 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 168, ... 176, ) == 0x0 01205 460 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xe50000), 0x0, 4096, ) == 0x0 01206 460 NtQueryInformationFile (168, 2286332, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 01207 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01208 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2286412, 1, 96, 0} (24, {128, 156, new_msg, 0, 2286412, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\250\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0L\352"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1510, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\250\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0L\352"\0\0\0\0\0" ) \0\0\0\0\0 (24, {128, 156, new_msg, 0, 2286412, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\250\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0L\352"\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1510, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\250\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0L\352"\0\0\0\0\0" ) h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\250\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0L\352 (24, {128, 156, new_msg, 0, 2286412, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\250\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0L\352"\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1510, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\250\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0L\352"\0\0\0\0\0" ) ) == 0x0 01209 460 NtClose (168, ... ) == 0x0 01210 460 NtClose (176, ... ) == 0x0 01211 460 NtUnmapViewOfSection (-1, 0xe50000, ... ) == 0x0 01212 460 NtUnmapViewOfSection (-1, 0x22ea4c, ... ) == STATUS_NOT_MAPPED_VIEW 01213 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01214 460 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 01215 460 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 01216 460 NtUserGetDC (0, ... ) == 0x1010050 01217 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01218 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01219 460 NtContinue (2286376, 0, ... 01220 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01221 460 NtUnmapViewOfSection (-1, 0x71950000, ... 
) == 0x0 01222 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 01223 460 NtUnmapViewOfSection (-1, 0xcb0000, ... ) == 0x0 01224 460 NtClose (172, ... ) == 0x0 01225 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc03b 01226 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc03d 01227 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc03f 01228 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc041 01229 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc043 01230 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc045 01231 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc047 01232 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc049 01233 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc04b 01234 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc04d 01235 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc04f 01236 460 NtUserGetClassInfo (1999896576, 2291648, 2291600, 2291676, 0, ... ) == 0xc051 01237 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc053 01238 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc055 01239 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc059 01240 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc05b 01241 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc05d 01242 460 NtUserGetClassInfo (1999896576, 2291644, 2291596, 2291672, 0, ... ) == 0xc05f 01243 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 172, ) == 0x0 01244 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
176, ) == 0x0 01245 460 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 168, 2, ) }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 168, 2, ) , 0, ... 168, 2, ) == 0x0 01246 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 180, ) }, ... 180, ) == 0x0 01247 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01248 460 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01249 460 NtQueryValueKey (180, (180, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01250 460 NtQueryValueKey (168, (168, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01251 460 NtQueryValueKey (180, (180, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01252 460 NtQueryValueKey (168, (168, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01253 460 NtQueryValueKey (180, (180, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01254 460 NtQueryValueKey (168, (168, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01255 460 NtQueryValueKey (180, (180, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01256 460 NtQueryValueKey (168, (168, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01257 460 NtQueryValueKey (180, (180, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01258 460 NtQueryValueKey (180, (180, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01259 460 NtQueryValueKey (180, (180, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01260 460 NtQueryValueKey (180, (180, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01261 460 NtQueryValueKey (180, (180, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01262 460 NtQueryValueKey (180, (180, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01263 460 NtQueryValueKey (180, (180, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01264 460 NtQueryValueKey (168, (168, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01265 460 NtQueryValueKey (180, (180, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01266 460 NtQueryValueKey (180, (180, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01267 460 NtQueryValueKey (168, (168, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01268 460 NtQueryValueKey (180, (180, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01269 460 NtQueryValueKey (168, (168, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01270 460 NtQueryValueKey (180, (180, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01271 460 NtQueryValueKey (168, (168, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01272 460 NtQueryValueKey (180, (180, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01273 460 NtQueryValueKey (168, (168, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01274 460 NtQueryValueKey (180, (180, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01275 460 NtQueryValueKey (168, (168, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01276 460 NtQueryValueKey (180, (180, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01277 460 NtQueryValueKey (168, (168, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01278 460 NtQueryValueKey (180, (180, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01279 460 NtQueryValueKey (168, (168, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01280 460 NtQueryValueKey (180, (180, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 460 NtQueryValueKey (168, (168, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01282 460 NtQueryValueKey (180, (180, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01283 460 NtQueryValueKey (180, (180, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01284 460 NtQueryValueKey (180, (180, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01285 460 NtQueryValueKey (180, (180, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01286 460 NtQueryValueKey (180, (180, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01287 460 NtQueryValueKey (180, (180, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01288 460 NtQueryValueKey (180, (180, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01289 460 NtQueryValueKey (180, (180, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01290 460 NtQueryValueKey (180, (180, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 460 NtQueryValueKey (180, (180, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01292 460 NtQueryValueKey (180, (180, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01293 460 NtQueryValueKey (180, (180, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01294 460 NtQueryValueKey (180, (180, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01295 460 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\Setup"}, ... 184, ) }, ... 184, ) == 0x0 01296 460 NtQueryValueKey (184, (184, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01297 460 NtClose (184, ... ) == 0x0 01298 460 NtClose (168, ... ) == 0x0 01299 460 NtClose (180, ... 
) == 0x0 01300 460 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 180, ) }, ... 180, ) == 0x0 01301 460 NtQueryValueKey (180, (180, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01302 460 NtQueryValueKey (180, (180, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01303 460 NtQueryValueKey (180, (180, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01304 460 NtClose (180, ... ) == 0x0 01305 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0 01306 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 168, ) == 0x0 01307 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 184, ) == 0x0 01308 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01309 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 13303808, 65536, ) == 0x0 01310 460 NtAllocateVirtualMemory (-1, 13303808, 0, 4096, 4096, 4, ... 13303808, 4096, ) == 0x0 01311 460 NtAllocateVirtualMemory (-1, 13307904, 0, 8192, 4096, 4, ... 13307904, 8192, ) == 0x0 01312 460 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 188, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 188, {status=0x0, info=0}, ) == 0x0 01313 460 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 192, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 
192, {status=0x0, info=0}, ) == 0x0 01314 460 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 196, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 196, {status=0x0, info=0}, ) == 0x0 01315 460 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0 01316 460 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 2291508, (0x20100080, {24, 0, 0x40, 0, 2291508, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0 01317 460 NtAllocateVirtualMemory (-1, 13316096, 0, 36864, 4096, 4, ... 13316096, 36864, ) == 0x0 01318 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0 01319 460 NtDeviceIoControlFile (188, 208, 0x0, 0x0, 0x120003, (188, 208, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (188, 208, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01320 460 NtClose (208, ... ) == 0x0 01321 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0 01322 460 NtDeviceIoControlFile (188, 208, 0x0, 0x0, 0x120003, (188, 208, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\08\326h\344\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (188, 208, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\08\326h\344\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01323 460 NtClose (208, ... ) == 0x0 01324 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0 01325 460 NtDeviceIoControlFile (188, 208, 0x0, 0x0, 0x120003, (188, 208, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0Y\326h\344"\360\1\0\304\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\353x\0\0\244\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (188, 208, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0Y\326h\344"\360\1\0\304\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\353x\0\0\244\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) \360\1\0\304\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\353x\0\0\244\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) == 0x0 01326 460 NtClose (208, ... 
) == 0x0 01327 460 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01328 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0 01329 460 NtDeviceIoControlFile (188, 208, 0x0, 0x0, 0x120003, (188, 208, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (188, 208, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01330 460 NtClose (208, ... ) == 0x0 01331 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0 01332 460 NtDeviceIoControlFile (188, 208, 0x0, 0x0, 0x120003, (188, 208, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (188, 208, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01333 460 NtClose (208, ... ) == 0x0 01334 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0 01335 460 NtDeviceIoControlFile (188, 208, 0x0, 0x0, 0x120003, (188, 208, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (188, 208, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... 
{status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01336 460 NtClose (208, ... ) == 0x0 01337 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01338 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01339 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01340 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01341 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01342 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01343 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01344 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01345 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01346 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01347 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01348 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01349 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01350 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... 
{BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01351 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01352 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01353 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01354 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01355 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01356 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01357 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01358 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01359 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01360 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01361 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01362 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01363 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01364 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 
15007744, 4096, ) == 0x0 01365 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01366 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01367 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01368 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01369 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01370 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01371 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01372 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01373 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01374 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01375 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01376 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01377 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01378 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... 
{BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01379 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01380 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01381 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01382 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01383 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01384 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01385 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01386 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01387 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01388 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01389 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01390 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01391 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01392 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
15007744, 65536, ) == 0x0 01393 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01394 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01395 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01396 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01397 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01398 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01399 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01400 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01401 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01402 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01403 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01404 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01405 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01406 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... 
(0xe50000), 65536, ) == 0x0 01407 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01408 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01409 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01410 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01411 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01412 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01413 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01414 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01415 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01416 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01417 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01418 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01419 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01420 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... 
{BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01421 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01422 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01423 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01424 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01425 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01426 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01427 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01428 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01429 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01430 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01431 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01432 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01433 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01434 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 
15007744, 4096, ) == 0x0 01435 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01436 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01437 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01438 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01439 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01440 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01441 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01442 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01443 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01444 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01445 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01446 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01447 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01448 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... 
{BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01449 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01450 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01451 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01452 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01453 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01454 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01455 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01456 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... (0xe50000), 65536, ) == 0x0 01457 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 15007744, 65536, ) == 0x0 01458 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01459 460 NtAllocateVirtualMemory (-1, 15007744, 0, 1, 4096, 4, ... 15007744, 4096, ) == 0x0 01460 460 NtQueryVirtualMemory (-1, 0xe50000, Basic, 28, ... {BaseAddress=0xe50000,AllocationBase=0xe50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01461 460 NtFreeVirtualMemory (-1, (0xe50000), 0, 32768, ... 
(0xe50000), 65536, ) == 0x0 01462 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 208, ) }, ... 208, ) == 0x0 01463 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 212, ) }, ... 212, ) == 0x0 01464 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 216, ) }, ... 216, ) == 0x0 01465 460 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 220, ) }, ... 220, ) == 0x0 01466 460 NtQueryDefaultLocale (1, 2291444, ... ) == 0x0 01467 460 NtSetEventBoostPriority (36, ... 00647 584 NtWaitForSingleObject ... ) == 0x0 01468 584 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 224, ) }, ... 224, ) == 0x0 01469 584 NtQueryEvent (224, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01470 584 NtClose (224, ... ) == 0x0 01471 584 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 8714928, 140, ... 224, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 8714928, 140, ... 224, 0x0, 0x0, 256, 140, ) == 0x0 01472 584 NtRequestWaitReplyPort (224, {28, 52, new_msg, 0, 0, 0, 0, 0} (224, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\376\1H\307E\0" ... ... 01467 460 NtSetEventBoostPriority ... ) == 0x0 01473 460 NtFreeVirtualMemory (-1, (0xc80000), 0, 32768, ... (0xc80000), 28672, ) == 0x0 01474 460 NtFreeVirtualMemory (-1, (0x320147), 0, 32768, ... (0x320000), 4096, ) == 0x0 01475 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01476 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 01472 584 NtRequestWaitReplyPort ... {176, 200, reply, 0, 456, 584, 1512, 0} ... {176, 200, reply, 0, 456, 584, 1512, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\376\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01477 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01478 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01479 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01480 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx5"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01481 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx6"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01482 460 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 01483 460 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 01484 460 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15204352, 1048576, ) == 0x0 01485 460 NtAllocateVirtualMemory (-1, 15204352, 0, 32768, 4096, 4, ... 
15204352, 32768, ) == 0x0 01486 460 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 228, ) }, ... 228, ) == 0x0 01487 460 NtQueryValueKey (228, (228, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01488 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx7"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01489 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx8"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01490 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx9"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01491 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx10"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01492 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx11"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01493 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx12"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 460 NtQueryValueKey (228, (228, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01495 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0 01496 460 NtOpenKey (0x2000000, {24, 228, 0x40, 0, 0, (0x2000000, {24, 228, 0x40, 0, 0, "Protocol_Catalog9"}, ... 236, ) }, ... 236, ) == 0x0 01497 460 NtQueryValueKey (236, (236, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01498 460 NtNotifyChangeKey (236, 232, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01499 460 NtQueryValueKey (236, (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01500 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx13"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01501 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx14"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01502 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx15"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01503 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx16"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx17"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01505 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx18"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01506 460 NtOpenKey (0x2000000, {24, 236, 0x40, 0, 0, (0x2000000, {24, 236, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01507 460 NtQueryValueKey (236, (236, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 01508 460 NtQueryValueKey (236, (236, "Num_Catalog_Entries", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01509 460 NtOpenKey (0x2000000, {24, 236, 0x40, 0, 0, (0x2000000, {24, 236, 0x40, 0, 0, "Catalog_Entries"}, ... 240, ) }, ... 240, ) == 0x0 01510 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000001"}, ... 244, ) }, ... 244, ) == 0x0 01511 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01512 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx19"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01513 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx20"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01514 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx21"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01515 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx22"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01516 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx23"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01517 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx24"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01518 460 NtAllocateVirtualMemory (-1, 4579328, 0, 4096, 4096, 4, ... 4579328, 4096, ) == 0x0 01519 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01520 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\361\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\361\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\362\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\362\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\363\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\363\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\364\5\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\361\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\361\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\362\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\362\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\363\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\363\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\364\5\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\362\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\363\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0 (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\361\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\361\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\362\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\362\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\363\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\363\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\364\5\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) }, 900, ) == 0x0 01521 460 NtClose (244, ... ) == 0x0 01522 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000002"}, ... 244, ) }, ... 244, ) == 0x0 01523 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01524 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx25"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01525 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx26"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01526 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx27"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01527 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx28"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01528 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx29"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01529 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx30"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01530 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01531 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\374\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\375\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\376\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\376\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\374\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\375\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\376\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\376\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\375\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\376\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0 (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\374\5\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\375\5\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\376\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\376\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\5\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 01532 460 NtClose (244, ... ) == 0x0 01533 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000003"}, ... 244, ) }, ... 244, ) == 0x0 01534 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01535 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01536 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx31"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01537 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01538 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx33"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01539 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx34"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01540 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx35"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01541 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx36"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01542 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\7\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\7\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\10\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\11\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\11\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\7\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\7\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\10\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\11\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\11\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\10\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\11\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0 (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\7\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\7\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\10\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\11\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\11\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 01543 460 NtClose (244, ... ) == 0x0 01544 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000004"}, ... 244, ) }, ... 244, ) == 0x0 01545 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01546 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01547 460 NtAllocateVirtualMemory (-1, 4583424, 0, 4096, 4096, 4, ... 4583424, 4096, ) == 0x0 01548 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx37"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01549 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx38"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01550 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx39"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01551 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx40"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01552 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx41"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01553 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx42"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01554 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\23\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\23\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\24\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\25\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\25\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\23\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\23\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\24\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\25\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\25\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\24\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\25\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0 (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\23\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\23\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\24\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\24\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\25\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\25\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\26\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 01555 460 
NtClose (244, ... ) == 0x0 01556 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000005"}, ... 244, ) }, ... 244, ) == 0x0 01557 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01558 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01559 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\30\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\04\03\0\30\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0\31\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 
\0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\04\04\0\31\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0\32\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\04\05\0\32\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0\33\6\0\0\310\1\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\30\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\04\03\0\30\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0\31\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 
\0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\04\04\0\31\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0\32\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\04\05\0\32\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0\33\6\0\0\310\1\0\0"}, 900, ) }, 900, ) == 0x0 01560 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx43"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01561 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx44"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01562 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx45"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01563 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx46"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01564 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx47"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01565 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx48"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01566 460 NtClose (244, ... ) == 0x0 01567 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000006"}, ... 244, ) }, ... 244, ) == 0x0 01568 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01569 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01570 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0#\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0#\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\04\09\0$\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0%\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\05\00\0%\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0&\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0#\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0#\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\04\09\0$\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0%\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\05\00\0%\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\0&\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) }, 900, ) == 0x0 01571 460 NtClose (244, ... ) == 0x0 01572 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx49"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01573 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx50"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01574 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx51"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01575 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01576 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx53"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01577 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx54"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01578 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000007"}, ... 244, ) }, ... 244, ) == 0x0 01579 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01580 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01581 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0.\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0.\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0/\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0/\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\00\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\05\05\00\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\01\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0.\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0.\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0/\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0/\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\00\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\05\05\00\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\01\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0/\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\00\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0k\0k\0q\0-\0v\0x\0_\0m\0t\0x\05\05\00\6\0\0\310\1\0\0H\2\0\0R\0\0\0\1\0\1\04\0\0\300\0\0\0\01\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0"}, 900, ) == 0x0 01582 460 NtClose (244, ... ) == 0x0 01583 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000008"}, ... 244, ) }, ... 244, ) == 0x0 01584 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx55"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01585 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx56"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01586 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx57"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01587 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx58"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01588 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx59"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx60"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01590 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01591 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01592 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\09\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\09\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0:\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0;\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0;\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\09\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\09\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0:\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0;\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0;\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0:\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0;\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0 (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\09\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\09\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0:\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0;\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0;\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0<\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) }, 900, ) == 0x0 01593 460 NtClose (244, ... ) == 0x0 01594 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000009"}, ... 244, ) }, ... 244, ) == 0x0 01595 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01596 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx61"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01597 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx62"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01598 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx63"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01599 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx64"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01600 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx65"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01601 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx66"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01602 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01603 460 NtAllocateVirtualMemory (-1, 4587520, 0, 4096, 4096, 4, ... 4587520, 4096, ) == 0x0 01604 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0E\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0E\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0F\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0G\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0G\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0E\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0E\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0F\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0G\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0G\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0F\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0G\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0 (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0E\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0E\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0F\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0F\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0G\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0G\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0H\6\0\0\310\1\0\0H\2\0\0R\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\1\0\37\0\0\0\0\0\30\0\0\0 \0\0\0\364\374\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\0\334\375\177\0\0\0\0"}, 900, ) }, 900, ) == 0x0 01605 460 NtClose (244, ... ) == 0x0 01606 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000010"}, ... 244, ) }, ... 244, ) == 0x0 01607 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01608 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx67"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01609 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx68"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01610 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx69"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01611 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx70"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01612 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx71"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01613 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx72"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01614 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01615 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0P\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0P\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0Q\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0R\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0R\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0P\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0P\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0Q\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0R\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0R\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0Q\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0R\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0 (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0P\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0P\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Q\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\360\0\0\0x\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\08\333E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0Q\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0R\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0R\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0S\6\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\364\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 01616 460 NtClose (244, ... ) == 0x0 01617 460 NtOpenKey (0x20019, {24, 240, 0x40, 0, 0, (0x20019, {24, 240, 0x40, 0, 0, "000000000011"}, ... 244, ) }, ... 244, ) == 0x0 01618 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01619 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01620 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx73"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01621 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx74"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01622 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx75"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01623 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx76"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01624 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx77"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01625 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx78"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01626 460 NtQueryValueKey (244, (244, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0[\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0[\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\360\0\0\0\\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\6\0\0\310\1\0\0\314\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]\6\0\0\310\1\0\0\314\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0^\6\0\0\310\1\0\0\314\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0^\6\0\0\310\1\0\0\314\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\360\0\0\0_\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\344\0\0\0\224\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\10\333E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (244, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0[\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0[\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\360\0\0\0\\6\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\6\0\0\310\1\0\0\314\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]\6\0\0\310\1\0\0\314\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0^\6\0\0\310\1\0\0\314\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0^\6\0\0\310\1\0\0\314\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\360\0\0\0_\6\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\344\0\0\0\224\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\10\333E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\10\333E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 01627 460 NtClose 
(244, ... ) == 0x0 01628 460 NtClose (240, ... ) == 0x0 01629 460 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 01630 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0 01631 460 NtOpenKey (0x2000000, {24, 228, 0x40, 0, 0, (0x2000000, {24, 228, 0x40, 0, 0, "NameSpace_Catalog5"}, ... }, ... 01632 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx79"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01633 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx80"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01634 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx81"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01635 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx82"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01636 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx83"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01637 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx84"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01631 460 NtOpenKey ... 244, ) == 0x0 01638 460 NtQueryValueKey (244, (244, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01639 460 NtNotifyChangeKey (244, 240, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01640 460 NtQueryValueKey (244, (244, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01641 460 NtOpenKey (0x2000000, {24, 244, 0x40, 0, 0, (0x2000000, {24, 244, 0x40, 0, 0, "00000004"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01642 460 NtQueryValueKey (244, (244, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01643 460 NtOpenKey (0x2000000, {24, 244, 0x40, 0, 0, (0x2000000, {24, 244, 0x40, 0, 0, "Catalog_Entries"}, ... }, ... 01644 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx85"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01645 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01646 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx87"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01647 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx88"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01648 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx89"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01649 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx90"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01643 460 NtOpenKey ... 248, ) == 0x0 01650 460 NtOpenKey (0x20019, {24, 248, 0x40, 0, 0, (0x20019, {24, 248, 0x40, 0, 0, "000000000001"}, ... 252, ) }, ... 252, ) == 0x0 01651 460 NtQueryValueKey (252, (252, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01652 460 NtQueryValueKey (252, (252, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01653 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01654 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01655 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... , Partial, 144, ... 01656 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx91"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01657 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx92"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01658 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx93"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01659 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx94"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01660 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx95"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01661 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx96"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01655 460 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01662 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01663 460 NtQueryValueKey (252, (252, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (252, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01664 460 NtQueryValueKey (252, (252, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01665 460 NtQueryValueKey (252, (252, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01666 460 NtQueryValueKey (252, (252, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01667 460 NtQueryValueKey (252, (252, "Version", Partial, 144, ... , Partial, 144, ... 01668 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx97"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01669 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx98"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01670 584 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx99"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01671 584 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "kkq-vx_mtx1"}, 0, ... 256, ) }, 0, ... 256, ) == 0x0 01672 584 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "kkq-vx_mtx2"}, 0, ... 260, ) }, 0, ... 260, ) == 0x0 01673 584 NtUserFindExistingCursorIcon (8715196, 8715212, 8715780, ... ) == 0x10011 01667 460 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01674 460 NtQueryValueKey (252, (252, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01675 460 NtClose (252, ... ) == 0x0 01676 460 NtOpenKey (0x20019, {24, 248, 0x40, 0, 0, (0x20019, {24, 248, 0x40, 0, 0, "000000000002"}, ... 252, ) }, ... 252, ) == 0x0 01677 460 NtQueryValueKey (252, (252, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01678 460 NtQueryValueKey (252, (252, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01679 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... , Partial, 144, ... 01680 584 NtUserFindExistingCursorIcon (8715196, 8715212, 8715780, ... ) == 0x10005 01681 584 NtUserRegisterClassExWOW (8715648, 8715724, 8715740, 8715712, 0, 386, 0, ... ) == 0x810cc0cb 01682 584 NtUserCreateWindowEx (-2147483648, 8715684, 8715496, "13238272, 0, 0, 0, 0, 0, 0, 4194304, 0, 1073742848, 0, ... 01683 584 NtUserGetIconSize (65541, 0, 8714212, 8714220, ... ) == 0x1 01684 584 NtUserGetIconInfo (65541, 8714188, 8714180, 8714172, 8714208, 1, ... ) == 0x1 01685 584 NtUserFindExistingCursorIcon (8712920, 8712936, 8714152, ... ) == 0x10005 01686 584 NtGdiExtGetObjectW (402981899, 24, 8712928, ... 01679 460 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01687 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01688 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01689 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01690 460 NtQueryValueKey (252, (252, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... 
TitleIdx=0, Type=3, Data= (252, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01691 460 NtQueryValueKey (252, (252, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01692 460 NtQueryValueKey (252, (252, "SupportedNameSpace", Partial, 144, ... , Partial, 144, ... 01686 584 NtGdiExtGetObjectW ... ) == 0x18 01693 584 NtAllocateVirtualMemory (-1, 4591616, 0, 4096, 4096, 4, ... 4591616, 4096, ) == 0x0 01694 584 NtGdiGetDIBitsInternal (285279175, 402981899, 0, 64, 4591368, 4591320, 0, 256, 0, ... ) == 0x40 01695 584 NtUserGetDC (0, ... ) == 0x1010054 01696 584 NtGdiCreateDIBitmapInternal (16842836, 16, 32, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1405040a 01697 584 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01698 584 NtGdiSelectBitmap (285279175, 335873034, ... 01692 460 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01699 460 NtQueryValueKey (252, (252, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01700 460 NtQueryValueKey (252, (252, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01701 460 NtQueryValueKey (252, (252, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01702 460 NtClose (252, ... ) == 0x0 01703 460 NtOpenKey (0x20019, {24, 248, 0x40, 0, 0, (0x20019, {24, 248, 0x40, 0, 0, "000000000003"}, ... 252, ) }, ... 
252, ) == 0x0 01704 460 NtQueryValueKey (252, (252, "LibraryPath", Partial, 144, ... , Partial, 144, ... 01698 584 NtGdiSelectBitmap ... ) == 0x185000f 01705 584 NtGdiDoPalette (285279175, 0, 1, 8712780, 4, 0, ... ) == 0x1 01706 584 NtGdiStretchDIBitsInternal (285279175, 0, 0, 16, 32, 0, 0, 32, 64, 4591368, 4591632, 0, 13369376, 48, 256, 0, ... ) == 0x40 01707 584 NtGdiSelectBitmap (285279175, 25493519, ... ) == 0x1405040a 01708 584 NtGdiCreateCompatibleDC (285279175, ... ) == 0x1a010404 01709 584 NtGdiExtGetObjectW (335873034, 24, 8712804, ... 01704 460 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01710 460 NtQueryValueKey (252, (252, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01711 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01712 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01713 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01714 460 NtQueryValueKey (252, (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01715 460 NtQueryValueKey (252, (252, "ProviderId", Partial, 144, ... , Partial, 144, ... 01709 584 NtGdiExtGetObjectW ... ) == 0x18 01716 584 NtGdiCreateBitmap (16, 32, 1, 1, 0, ... ) == 0xd0503ff 01717 584 NtGdiSelectBitmap (285279175, 335873034, ... ) == 0x185000f 01718 584 NtGdiSelectBitmap (436274180, 218432511, ... ) == 0x185000f 01719 584 NtGdiBitBlt (436274180, 0, 0, 16, 32, 285279175, 0, 0, 13369376, -1, 0, ... ) == 0x1 01720 584 NtGdiSelectBitmap (285279175, 25493519, ... ) == 0x1405040a 01721 584 NtGdiSelectBitmap (436274180, 25493519, ... 01715 460 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... 
TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01722 460 NtQueryValueKey (252, (252, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01723 460 NtQueryValueKey (252, (252, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01724 460 NtQueryValueKey (252, (252, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01725 460 NtQueryValueKey (252, (252, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01726 460 NtQueryValueKey (252, (252, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (252, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01727 460 NtClose (252, ... 01721 584 NtGdiSelectBitmap ... ) == 0xd0503ff 01728 584 NtGdiDeleteObjectApp (335873034, ... ) == 0x1 01729 584 NtGdiDeleteObjectApp (436274180, ... ) == 0x1 01730 584 NtGdiExtGetObjectW (100991973, 24, 8712928, ... ) == 0x18 01731 584 NtAllocateVirtualMemory (-1, 4595712, 0, 8192, 4096, 4, ... 4595712, 8192, ) == 0x0 01732 584 NtGdiGetDIBitsInternal (285279175, 100991973, 0, 32, 4592428, 4592376, 0, 4096, 0, ... ) == 0x20 01733 584 NtUserGetDC (0, ... 01727 460 NtClose ... ) == 0x0 01734 460 NtClose (248, ... ) == 0x0 01735 460 NtWaitForSingleObject (240, 0, {0, 0}, ... ) == 0x102 01736 460 NtClose (228, ... ) == 0x0 01737 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01738 460 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01733 584 NtUserGetDC ... ) == 0x1010054 01739 584 NtGdiCreateCompatibleBitmap (16842836, 16, 16, ... ) == 0x1c050404 01740 584 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01741 584 NtGdiSelectBitmap (285279175, 470090756, ... ) == 0x185000f 01742 584 NtGdiDoPalette (285279175, 0, 1, 8712780, 4, 0, ... ) == 0x0 01743 584 NtGdiStretchDIBitsInternal (285279175, 0, 0, 16, 16, 0, 0, 32, 32, 4592428, 4591632, 0, 13369376, 40, 4096, 0, ... ) == 0x20 01744 584 NtGdiSelectBitmap (285279175, 25493519, ... 01745 460 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 228, ) }, ... 228, ) == 0x0 01746 460 NtQueryValueKey (228, (228, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01747 460 NtClose (228, ... ) == 0x0 01748 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 228, ) == 0x0 01749 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2290248, (0x80100080, {24, 0, 0x40, 0, 2290248, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 01744 584 NtGdiSelectBitmap ... ) == 0x1c050404 01750 584 NtGdiDeleteObjectApp (402981899, ... ) == 0x1 01751 584 NtGdiDeleteObjectApp (100991973, ... ) == 0x1 01752 584 NtUserCallOneParam (0, 33, ... ) == 0x3004d 01753 584 NtUserSetCursorIconData (196685, 8712964, 8712980, 8714064, ... ) == 0x1 01754 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711880, ... ) }, 8711880, ... 
) == 0x0 01755 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 248, {status=0x0, info=1}, ) }, 5, 96, ... 248, {status=0x0, info=1}, ) == 0x0 01756 584 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 248, ... 252, ) == 0x0 01757 584 NtClose (248, ... ) == 0x0 01758 584 NtMapViewOfSection (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf80000), 0x0, 204800, ) == 0x0 01759 584 NtClose (252, ... ) == 0x0 01760 584 NtUnmapViewOfSection (-1, 0xf80000, ... ) == 0x0 01761 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8712196, ... ) }, 8712196, ... ) == 0x0 01762 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 252, {status=0x0, info=1}, ) == 0x0 01763 584 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 252, ... 248, ) == 0x0 01764 584 NtQuerySection (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01765 584 NtClose (252, ... ) == 0x0 01766 584 NtMapViewOfSection (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 01767 584 NtClose (248, ... 01749 460 NtCreateFile ... 252, {status=0x0, info=1}, ) == 0x0 01768 460 NtQueryInformationFile (252, 2291184, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01769 460 NtQueryInformationFile (252, 2291156, 24, Standard, ... 01767 584 NtClose ... ) == 0x0 01770 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01771 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01772 584 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01773 584 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 248, ) == 0x0 01774 584 NtQueryInformationToken (248, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01775 584 NtClose (248, ... 
) == 0x0 01776 584 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 248, ) }, ... 248, ) == 0x0 01777 584 NtOpenKey (0x1, {24, 248, 0x40, 0, 0, (0x1, {24, 248, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 264, ) }, ... 264, ) == 0x0 01778 584 NtQueryValueKey (264, (264, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01779 584 NtClose (264, ... ) == 0x0 01780 584 NtClose (248, ... ) == 0x0 01781 584 NtAllocateVirtualMemory (-1, 13189120, 0, 4096, 4096, 4, ... 13189120, 4096, ) == 0x0 01782 584 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01783 584 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 248, ) == 0x0 01784 584 NtQueryInformationToken (248, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01785 584 NtClose (248, ... ) == 0x0 01786 584 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 248, ) }, ... 248, ) == 0x0 01787 584 NtOpenKey (0x1, {24, 248, 0x40, 0, 0, (0x1, {24, 248, 0x40, 0, 0, "Control Panel\Desktop"}, ... 264, ) }, ... 264, ) == 0x0 01788 584 NtQueryValueKey (264, (264, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01789 584 NtClose (264, ... ) == 0x0 01790 584 NtClose (248, ... ) == 0x0 01791 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 8711696, ... }, 8711696, ... 01769 460 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 01792 460 NtQueryInformationFile (252, 2291108, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01793 460 NtQueryInformationFile (252, 4597272, 4094, Stream, ... 01791 584 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01794 584 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 8711696, ... }, 8711696, ... 
01793 460 NtQueryInformationFile ... {status=0x0, info=38}, ) == 0x0 01795 460 NtQueryInformationFile (252, 2289652, 40, Basic, ... 01794 584 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01796 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 8711696, ... ) }, 8711696, ... ) == 0x0 01795 460 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 01797 460 NtQueryInformationFile (252, 2289496, 4, Ea, ... 01798 584 NtUserGetProcessWindowStation (... ) == 0x34 01799 584 NtUserGetObjectInformation (52, 2, 0, 0, 8713992, ... ) == 0x0 01800 584 NtUserGetObjectInformation (52, 2, 4591296, 16, 8713992, ... ) == 0x1 01801 584 NtUserGetGUIThreadInfo (584, 8713948, ... ) == 0x1 01802 584 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 8713768, 64, ... 248, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 8713768, 64, ... 248, 0x0, 0x0, 0x0, 64, ) == 0x0 01803 584 NtRequestWaitReplyPort (248, {32, 56, new_msg, 0, 0, 0, 0, 0} (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 584, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 456, 584, 1514, 0} (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 584, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01804 584 NtRequestWaitReplyPort (248, {32, 56, new_msg, 0, 0, 0, 0, 0} (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 584, 1515, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 456, 584, 1515, 0} (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{32, 56, reply, 0, 456, 584, 1515, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01805 584 NtUserCallNoParam (29, ... 01806 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711240, ... ) }, 8711240, ... ) == 0x0 01805 584 NtUserCallNoParam ... ) == 0x0 01807 584 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 01808 584 NtGdiHfontCreate (8713320, 356, 0, 0, 4601448, ... ) == 0x1b0a040b 01809 584 NtGdiHfontCreate (8713320, 356, 0, 0, 4601440, ... ) == 0x2f0a040d 01810 584 NtRequestWaitReplyPort (248, {32, 56, new_msg, 0, 0, 0, 0, 0} (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 584, 1516, 0} "\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 456, 584, 1516, 0} (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 584, 1516, 0} "\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01811 584 NtMapViewOfSection (264, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xf80000), {0, 0}, 331776, ) == 0x0 01812 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01813 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01814 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01815 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01816 584 NtUserGetWindowDC (0, ... 01797 460 NtQueryInformationFile ... {status=0x0, info=4}, ) == 0x0 01816 584 NtUserGetWindowDC ... ) == 0x1010053 01817 460 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 2289504, (0x40110080, {24, 0, 0x40, 0, 2289504, "\??\C:\WINDOWS\lsasss.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01818 460 NtClose (-2147482032, ... ) == 0x0 01817 460 NtCreateFile ... 268, {status=0x0, info=2}, ) == 0x0 01819 460 NtQueryVolumeInformationFile (268, 2288876, 536, Attribute, ... 
{status=0x0, info=22}, ) == 0x0 01820 460 NtQueryInformationFile (268, 2288836, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01821 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01822 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01823 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01824 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01825 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01826 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01827 460 NtQueryVolumeInformationFile (252, 2288876, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01828 460 NtQueryVolumeInformationFile (252, 2288560, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01829 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01830 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01831 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01832 460 NtSetInformationFile (268, 2288664, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01833 460 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 252, ... 272, ) == 0x0 01834 460 NtMapViewOfSection (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 01835 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01836 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01837 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01838 584 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x8100407 01839 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01840 584 NtUserCallNoParam (29, ... 01841 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710684, ... }, 8710684, ... 01834 460 NtMapViewOfSection ... (0xfe0000), {0, 0}, 131072, ) == 0x0 01842 460 NtClose (272, ... 
) == 0x0 01843 460 NtWriteFile (268, 0, 0, 0, (268, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0i8\366\222-Y\230\301-Y\230\301-Y\230\301\256Q\305\301/Y\230\301-Y\230\301.Y\230\301\305F\222\3017Y\230\301\256E\226\301&Y\230\301-Y\231\301}Y\230\301OF\213\301$Y\230\301\305F\223\301)Y\230\301Rich-Y\230\301\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\6\0\6\302\226@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\10\0\0>\0\0\0"\0\0\0\0\0\0\0\200\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\2\0\4\0\0\0\0\0\0\0x\273\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 61440, 0x0, 0, ... \0\0\0\0\0\0\0\200\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\2\0\4\0\0\0\0\0\0\0x\273\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\200\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0p\0\0\0\20\0\0\02\0\0", 61440, 0x0, 0, ... 01841 584 NtQueryAttributesFile ... ) == 0x0 01840 584 NtUserCallNoParam ... ) == 0x0 01844 584 NtUserCallNoParam (29, ... 01845 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710680, ... ) }, 8710680, ... ) == 0x0 01844 584 NtUserCallNoParam ... ) == 0x0 01843 460 NtWriteFile ... 
{status=0x0, info=61440}, ) == 0x0 01846 460 NtWriteFile (268, 0, 0, 0, " (268, 0, 0, 0, ""\270\277\277C\7HC\6XET\3A\343\201\200OC\7L\311\7H\313\37H\313\17L\313W\250\1\270\277\277C\7DC\6tE\341QH\16\201\200UC\7H\311\7D\313\37D\313\17H\313\27L\250_\270\277\277CGC\6PE\302>\23\267\201\200FC\7D\311G\313_\313\17D\313\27H\250@\270\277\277C\7LC\6lEu\262z\375\201\200JCG\311\7L\313\37L\313O\313\27D\250\240\267\277\277C\7HC\6HE\373\222\227j\201\200OC\7L\311\7H\313\37H\313\17L\313W\250\377\267\277\277C\7DC\6dE\321\223\306\253\201\200UC\7H\311\7D\341(\13APAG\341,\13APA\7D\3410\13APA\7H\3414\13APA\7L!\35s\200\202H@\31\301\254@P@@m@P@@\305Dd}@P@@3\253i\204\305Dd\21\203\31\30\303\200C\201\250B\201\240B}@P@@<^\311\242\20\233Dd\311Ld\233Dd\250\200\277\277\277\311\224\22\233\d\313Ld\233\d\30i\204\311\240\207@@@@@\21\21\203@@q\200\0\202L@@@\20\231|d\313DdO\372tdH&\301Ld@B\231ld\31\310\240\303\240C\203\20\231|d\30\253\263\20\231|d\313Dd&\301Ld@C\253\240@@\31\301\254@P@@m@P@@\305Dd}@P@@3\253i\204\305Dd\277\241@@@\313\24dHq\200\371\277\277\277\277\307\272\262\356\267\231\315\11\277\313\4dH\326\313, 61440, 0x0, 0, ... , 61440, 0x0, 0, ... 01847 584 NtUserMessageCall (0x200b2, WM_NCCREATE, 0x0, 0x84f814, 0, 670, 1, ... ) == 0x1 01848 584 NtUserMessageCall (0x200b2, WM_NCCALCSIZE, 0x0, 0x84f848, 0, 670, 1, ... ) == 0x0 01849 584 NtUserGetClassName (131250, 0, 8713472, ... ) == 0x6 01850 584 NtUserRemoveProp (131250, 43282, ... ) == 0x0 01851 584 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 4194366, 8713064, 35020, 28} (24, {24, 52, new_msg, 0, 4194366, 8713064, 35020, 28} "\0\0\0\0\5\4\3\0I\0N\0D\0O\0H\2\0\0\0\0\0\0" ... {24, 52, reply, 0, 456, 584, 1517, 0} "\0\0\0\0\5\4\3\0\0\0\0\0D\0O\0H\2\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 456, 584, 1517, 0} (24, {24, 52, new_msg, 0, 4194366, 8713064, 35020, 28} "\0\0\0\0\5\4\3\0I\0N\0D\0O\0H\2\0\0\0\0\0\0" ... 
{24, 52, reply, 0, 456, 584, 1517, 0} "\0\0\0\0\5\4\3\0\0\0\0\0D\0O\0H\2\0\0\0\0\0\0" ) ) == 0x0 01852 584 NtUserGetThreadDesktop (584, 0, ... ) == 0x38 01853 584 NtUserGetObjectInformation (56, 2, 8713148, 520, 0, ... ) == 0x1 01854 584 NtGdiDeleteObjectApp (135267335, ... ) == 0x1 01855 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01856 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01857 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01858 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01859 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01860 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01861 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01862 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01863 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01864 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01865 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01866 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01867 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01868 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01869 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01870 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01871 584 NtUserGetWindowDC (0, ... ) == 0x1010053 01872 584 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x9100407 01873 584 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01874 584 NtUserSetProp (131250, 43288, 13190472, ... ) == 0x1 01875 584 NtUserGetAncestor (131250, 1, ... ) == 0x10014 01876 584 NtUserSetWindowPos (131250, 0, 0, 0, 123, 34, 1047, ... ) == 0x1 01682 584 NtUserCreateWindowEx ... ) == 0x200b2 01846 460 NtWriteFile ... 
{status=0x0, info=61440}, ) == 0x0 01877 460 NtWriteFile (268, 0, 0, 0, (268, 0, 0, 0, "0/D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0%s\0\0w\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\6\0\0\0\2\0\0\0\5\0\0\0\4\0\0\0\6\0\0\0\6\0\0\0\1\0\0\0\7\0\0\0\10\0\0\0\3\0\0\0\11\0\0\0\2\0\0\0\7\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\6\0\0\0\2\0\0\0\3\0\0\0\1\0\0\0\11\0\0\0\1\0\0\0\4\0\0\0\1\0\0\0\7\0\0\0\7\0\0\0\6\0\0\0\3\0\0\0\10\0\0\0\6\0\0\0\6\0\0\0\5\0\0\0\10\0\0\0\3\0\0\0\5\0\0\0\5\0\0\0\6\0\0\0\11\0\0\0\10\0\0\0\3\0\0\0\10\0\0\0\0\0\0\0\3\0\0\0\11\0\0\0\6\0\0\0\2\0\0\0\6\0\0\0\10\0\0\0\7\0\0\0\11\0\0\0\11\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\1\0\0\0\2\0\0\0\7\0\0\0\4\0\0\0\5\0\0\0\4\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\11\0\0\0\2\0\0\0\6\0\0\0\3\0\0\0\7\0\0\0\2\0\0\0\5\0\0\0\7\0\0\0\4\0\0\0\5\0\0\0\11\0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\6\0\0\0\7\0\0\0\2\0\0\0\11\0\0\0\1\0\0\0\3\0\0\0\4\0\0\0\1\0\0\0\10\0\0\0\3\0\0\0", 7168, 0x0, 0, ... {status=0x0, info=7168}, ) , 7168, 0x0, 0, ... {status=0x0, info=7168}, ) == 0x0 01878 460 NtUnmapViewOfSection (-1, 0xfe0000, ... ) == 0x0 01879 460 NtSetInformationFile (268, 2291108, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01880 460 NtClose (252, ... ) == 0x0 01881 460 NtClose (268, ... ) == 0x0 01882 460 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 268, ) }, ... 268, ) == 0x0 01883 460 NtSetValueKey (268, (268, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 0, 1, (268, "lsasss.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0l\0s\0a\0s\0s\0s\0.\0e\0x\0e\0\0\0", 44, ... , 44, ... 01884 460 NtSetInformationFile (-2147482808, -104224972, 8, EndOfFile, ... 
{status=0x0, info=0}, ) == 0x0 01885 460 NtSetInformationFile (-2147482808, -104225064, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01886 460 NtSetInformationFile (-2147482808, -104225372, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01883 460 NtSetValueKey ... ) == 0x0 01887 460 NtClose (268, ... ) == 0x0 01888 460 NtOpenKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 268, ) }, ... 268, ) == 0x0 01889 460 NtDeleteValueKey (268, (268, "ssgrate.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01890 460 NtClose (268, ... ) == 0x0 01891 460 NtOpenKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 268, ) }, ... 268, ) == 0x0 01892 460 NtDeleteValueKey (268, (268, "drvsys.exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01893 460 NtClose (268, ... ) == 0x0 01894 460 NtOpenKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 268, ) }, ... 268, ) == 0x0 01895 460 NtDeleteValueKey (268, (268, "Drvddll_exe", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01896 460 NtClose (268, ... ) == 0x0 01897 460 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "SkynetNotice"}, 0, ... 268, ) }, 0, ... 268, ) == 0x0 01898 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 16646144, 2097152, ) == 0x0 01899 460 NtAllocateVirtualMemory (-1, 18735104, 0, 8192, 4096, 4, ... 18735104, 8192, ) == 0x0 01900 460 NtProtectVirtualMemory (-1, (0x11de000), 4096, 260, ... (0x11de000), 4096, 4, ) == 0x0 01901 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 252, {456, 728}, ) == 0x0 01902 460 NtQueryInformationThread (252, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=456,Tid=728,}, 0x0, ) == 0x0 01903 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 252, 2147347448, 2292532, 2292588} (24, {28, 56, new_msg, 0, 252, 2147347448, 2292532, 2292588} "\0\0\0\0\1\0\1\0C:\WINDO\374\0\0\0\310\1\0\0\330\2\0\0" ... {28, 56, reply, 0, 456, 460, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\310\1\0\0\330\2\0\0" ) ... {28, 56, reply, 0, 456, 460, 1518, 0} (24, {28, 56, new_msg, 0, 252, 2147347448, 2292532, 2292588} "\0\0\0\0\1\0\1\0C:\WINDO\374\0\0\0\310\1\0\0\330\2\0\0" ... {28, 56, reply, 0, 456, 460, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\310\1\0\0\330\2\0\0" ) ) == 0x0 01904 460 NtResumeThread (252, ... 1, ) == 0x0 01905 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 18743296, 2097152, ) == 0x0 01906 460 NtAllocateVirtualMemory (-1, 20832256, 0, 8192, 4096, 4, ... 01907 728 NtTestAlert (... ) == 0x0 01908 728 NtContinue (18742576, 1, ... 01909 728 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01910 728 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 272, ) == 0x0 01911 728 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 01912 728 NtAllocateVirtualMemory (-1, 18731008, 0, 4096, 4096, 260, ... 01906 460 NtAllocateVirtualMemory ... 20832256, 8192, ) == 0x0 01913 460 NtProtectVirtualMemory (-1, (0x13de000), 4096, 260, ... (0x13de000), 4096, 4, ) == 0x0 01914 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 276, {456, 736}, ) == 0x0 01915 460 NtQueryInformationThread (276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=456,Tid=736,}, 0x0, ) == 0x0 01916 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1518, 0} (24, {28, 56, new_msg, 0, 456, 460, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\310\1\0\0\340\2\0\0" ... {28, 56, reply, 0, 456, 460, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\310\1\0\0\340\2\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1519, 0} (24, {28, 56, new_msg, 0, 456, 460, 1518, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\310\1\0\0\340\2\0\0" ... {28, 56, reply, 0, 456, 460, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\310\1\0\0\340\2\0\0" ) ) == 0x0 01917 460 NtResumeThread (276, ... 1, ) == 0x0 01912 728 NtAllocateVirtualMemory ... 18731008, 4096, ) == 0x0 01918 736 NtWaitForSingleObject (36, 0, 0x0, ... 01919 728 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18739772, ... ) }, 18739772, ... ) == 0x0 01920 728 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0 01921 728 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 280, ... 284, ) == 0x0 01922 728 NtClose (280, ... ) == 0x0 01923 728 NtMapViewOfSection (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x13e0000), 0x0, 229376, ) == 0x0 01924 728 NtClose (284, ... 01925 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 21102592, 2097152, ) == 0x0 01926 460 NtAllocateVirtualMemory (-1, 23191552, 0, 8192, 4096, 4, ... 23191552, 8192, ) == 0x0 01927 460 NtProtectVirtualMemory (-1, (0x161e000), 4096, 260, ... (0x161e000), 4096, 4, ) == 0x0 01928 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 280, {456, 676}, ) == 0x0 01929 460 NtQueryInformationThread (280, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=456,Tid=676,}, 0x0, ) == 0x0 01930 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1519, 0} (24, {28, 56, new_msg, 0, 456, 460, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\310\1\0\0\244\2\0\0" ... ... 01924 728 NtClose ... ) == 0x0 01931 728 NtUnmapViewOfSection (-1, 0x13e0000, ... ) == 0x0 01932 728 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18740088, ... ) }, 18740088, ... 
) == 0x0 01933 728 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ... 01930 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1520, 0} ... {28, 56, reply, 0, 456, 460, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\310\1\0\0\244\2\0\0" ) ) == 0x0 01934 460 NtResumeThread (280, ... 1, ) == 0x0 01935 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 23199744, 2097152, ) == 0x0 01936 460 NtAllocateVirtualMemory (-1, 25288704, 0, 8192, 4096, 4, ... 25288704, 8192, ) == 0x0 01937 460 NtProtectVirtualMemory (-1, (0x181e000), 4096, 260, ... (0x181e000), 4096, 4, ) == 0x0 01938 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 284, {456, 804}, ) == 0x0 01939 460 NtQueryInformationThread (284, Basic, 28, ... 01933 728 NtOpenFile ... 288, {status=0x0, info=1}, ) == 0x0 01940 676 NtWaitForSingleObject (36, 0, 0x0, ... 01941 728 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 288, ... 292, ) == 0x0 01942 728 NtQuerySection (292, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01943 728 NtClose (288, ... ) == 0x0 01944 728 NtMapViewOfSection (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 01945 728 NtClose (292, ... ) == 0x0 01946 728 NtQuerySystemInformation (Basic, 44, ... 01939 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=456,Tid=804,}, 0x0, ) == 0x0 01947 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1520, 0} (24, {28, 56, new_msg, 0, 456, 460, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0\310\1\0\0$\3\0\0" ... {28, 56, reply, 0, 456, 460, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0\310\1\0\0$\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1521, 0} (24, {28, 56, new_msg, 0, 456, 460, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0\310\1\0\0$\3\0\0" ... 
{28, 56, reply, 0, 456, 460, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0\310\1\0\0$\3\0\0" ) ) == 0x0 01948 460 NtResumeThread (284, ... 1, ) == 0x0 01949 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 25296896, 2097152, ) == 0x0 01950 460 NtAllocateVirtualMemory (-1, 27385856, 0, 8192, 4096, 4, ... 27385856, 8192, ) == 0x0 01951 460 NtProtectVirtualMemory (-1, (0x1a1e000), 4096, 260, ... (0x1a1e000), 4096, 4, ) == 0x0 01946 728 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01952 804 NtWaitForSingleObject (36, 0, 0x0, ... 01953 728 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01954 728 NtSetEventBoostPriority (36, ... 01918 736 NtWaitForSingleObject ... ) == 0x0 01955 736 NtSetEventBoostPriority (36, ... 01940 676 NtWaitForSingleObject ... ) == 0x0 01956 676 NtSetEventBoostPriority (36, ... 01952 804 NtWaitForSingleObject ... ) == 0x0 01957 804 NtTestAlert (... ) == 0x0 01956 676 NtSetEventBoostPriority ... ) == 0x0 01955 736 NtSetEventBoostPriority ... ) == 0x0 01954 728 NtSetEventBoostPriority ... ) == 0x0 01958 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01959 584 NtOpenThreadToken (-2, 0xc, 1, ... 01960 804 NtContinue (25296176, 1, ... 01961 676 NtTestAlert (... 01962 728 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01958 460 NtCreateThread ... 292, {456, 800}, ) == 0x0 01959 584 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01963 804 NtRegisterThreadTerminatePort (24, ... 01961 676 NtTestAlert ... ) == 0x0 01964 736 NtTestAlert (... 01965 460 NtQueryInformationThread (292, Basic, 28, ... 
01966 584 NtCreateSemaphore (0x1f0003, {24, 32, 0x80, 4576856, 0, (0x1f0003, {24, 32, 0x80, 4576856, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... }, 0, 2147483647, ... 01963 804 NtRegisterThreadTerminatePort ... ) == 0x0 01967 676 NtContinue (23199024, 1, ... 01964 736 NtTestAlert ... ) == 0x0 01965 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=456,Tid=800,}, 0x0, ) == 0x0 01962 728 NtCreateEvent ... 288, ) == 0x0 01968 804 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01969 676 NtRegisterThreadTerminatePort (24, ... 01970 736 NtContinue (20839728, 1, ... 01971 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1521, 0} (24, {28, 56, new_msg, 0, 456, 460, 1521, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0\310\1\0\0 \3\0\0" ... ... 01972 728 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18739416, ... }, 18739416, ... 01969 676 NtRegisterThreadTerminatePort ... ) == 0x0 01973 736 NtRegisterThreadTerminatePort (24, ... 01972 728 NtQueryAttributesFile ... ) == 0x0 01974 676 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01973 736 NtRegisterThreadTerminatePort ... ) == 0x0 01975 728 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01966 584 NtCreateSemaphore ... 296, ) == STATUS_OBJECT_NAME_EXISTS 01968 804 NtSetInformationThread ... ) == 0x0 01971 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1522, 0} ... {28, 56, reply, 0, 456, 460, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0\310\1\0\0 \3\0\0" ) ) == 0x0 01976 736 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01975 728 NtOpenKey ... 300, ) == 0x0 01977 584 NtReleaseSemaphore (296, 1, ... 01978 460 NtResumeThread (292, ... 
01979 728 NtQueryValueKey (300, (300, "Transports", Partial, 144, ... , Partial, 144, ... 01977 584 NtReleaseSemaphore ... 0, ) == 0x0 01978 460 NtResumeThread ... 1, ) == 0x0 01980 584 NtWaitForSingleObject (296, 0, {0, 0}, ... 01981 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01980 584 NtWaitForSingleObject ... ) == 0x0 01981 460 NtAllocateVirtualMemory ... 27394048, 2097152, ) == 0x0 01979 728 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01982 800 NtTestAlert (... 01983 460 NtAllocateVirtualMemory (-1, 29483008, 0, 8192, 4096, 4, ... 01984 728 NtQueryValueKey (300, (300, "Transports", Partial, 144, ... , Partial, 144, ... 01982 800 NtTestAlert ... ) == 0x0 01985 584 NtCreateKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01984 728 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01986 800 NtContinue (27393328, 1, ... 01985 584 NtCreateKey ... 304, 2, ) == 0x0 01987 728 NtClose (300, ... 01988 800 NtRegisterThreadTerminatePort (24, ... 01989 584 NtQueryValueKey (304, (304, "Programs", Partial, 144, ... , Partial, 144, ... 01987 728 NtClose ... ) == 0x0 01988 800 NtRegisterThreadTerminatePort ... ) == 0x0 01989 584 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0"}, 80, ) }, 80, ) == 0x0 01990 728 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01983 460 NtAllocateVirtualMemory ... 29483008, 8192, ) == 0x0 01991 804 NtQueryValueKey (84, (84, "FromCacheTimeout", Partial, 144, ... 
, Partial, 144, ... 01992 584 NtClose (304, ... 01993 800 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 01994 460 NtProtectVirtualMemory (-1, (0x1c1e000), 4096, 260, ... 01990 728 NtOpenKey ... 300, ) == 0x0 01974 676 NtSetInformationThread ... ) == 0x0 01976 736 NtSetInformationThread ... ) == 0x0 01992 584 NtClose ... ) == 0x0 01994 460 NtProtectVirtualMemory ... (0x1c1e000), 4096, 4, ) == 0x0 01995 728 NtQueryValueKey (300, (300, "Mapping", Partial, 144, ... , Partial, 144, ... 01993 800 NtSetInformationThread ... ) == 0x0 01996 676 NtDelayExecution (1, {0, 0}, ... 01997 736 NtDelayExecution (1, {0, 0}, ... 01998 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01995 728 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01999 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs"}, 8714160, ... }, 8714160, ... 02000 800 NtDelayExecution (1, {0, 0}, ... 01998 460 NtCreateThread ... 304, {456, 712}, ) == 0x0 02001 728 NtQueryValueKey (300, (300, "Mapping", Partial, 144, ... , Partial, 144, ... 01999 584 NtQueryAttributesFile ... ) == 0x0 02002 460 NtQueryInformationThread (304, Basic, 28, ... 02001 728 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 02003 584 NtCreateKey (0x2000000, {24, 72, 0x40, 0, 0, (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02004 728 NtQueryValueKey (300, (300, "Mapping", Partial, 152, ... , Partial, 152, ... 02003 584 NtCreateKey ... 308, 2, ) == 0x0 02002 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=456,Tid=712,}, 0x0, ) == 0x0 02005 584 NtSetValueKey (308, (308, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... 
, 0, 1, (308, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... , 110, ... 02006 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1522, 0} (24, {28, 56, new_msg, 0, 456, 460, 1522, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\1\0\0\310\1\0\0\310\2\0\0" ... ... 02005 584 NtSetValueKey ... ) == 0x0 02006 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1523, 0} ... {28, 56, reply, 0, 456, 460, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\1\0\0\310\1\0\0\310\2\0\0" ) ) == 0x0 02004 728 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 02007 460 NtResumeThread (304, ... 02008 728 NtClose (300, ... 02007 460 NtResumeThread ... 1, ) == 0x0 02008 728 NtClose ... ) == 0x0 02009 584 NtClose (308, ... 02010 712 NtTestAlert (... 02011 728 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 02009 584 NtClose ... ) == 0x0 02010 712 NtTestAlert ... ) == 0x0 02011 728 NtOpenKey ... 308, ) == 0x0 02012 584 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\"}, 3, 16417, ... }, 3, 16417, ... 02013 712 NtContinue (29490480, 1, ... 02014 728 NtQueryValueKey (308, (308, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 02012 584 NtOpenFile ... 300, {status=0x0, info=1}, ) == 0x0 02015 712 NtRegisterThreadTerminatePort (24, ... 02016 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02017 584 NtQueryDirectoryFile (300, 0, 0, 0, 8713576, 616, BothDirectory, 1, (300, 0, 0, 0, 8713576, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02015 712 NtRegisterThreadTerminatePort ... ) == 0x0 02016 460 NtAllocateVirtualMemory ... 29491200, 2097152, ) == 0x0 02017 584 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02014 728 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 02018 460 NtAllocateVirtualMemory (-1, 31580160, 0, 8192, 4096, 4, ... 02019 712 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02020 728 NtQueryValueKey (308, (308, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 02018 460 NtAllocateVirtualMemory ... 31580160, 8192, ) == 0x0 02020 728 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 02021 460 NtProtectVirtualMemory (-1, (0x1e1e000), 4096, 260, ... 02022 728 NtQueryValueKey (308, (308, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 02021 460 NtProtectVirtualMemory ... (0x1e1e000), 4096, 4, ) == 0x0 02022 728 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02023 584 NtQueryDirectoryFile (300, 0, 0, 0, 4597272, 4096, BothDirectory, 0, 0x0, 0, ... 02019 712 NtSetInformationThread ... ) == 0x0 02024 728 NtQueryValueKey (308, (308, "HelperDllName", Partial, 144, ... , Partial, 144, ... 02023 584 NtQueryDirectoryFile ... {status=0x0, info=1118}, ) == 0x0 02025 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02026 712 NtDelayExecution (1, {0, 0}, ... 02027 584 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\"}, 3, 16417, ... }, 3, 16417, ... 02025 460 NtCreateThread ... 312, {456, 852}, ) == 0x0 02024 728 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 02027 584 NtOpenFile ... 316, {status=0x0, info=1}, ) == 0x0 02028 460 NtQueryInformationThread (312, Basic, 28, ... 02029 728 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 18740336, ... }, 18740336, ... 02030 584 NtQueryDirectoryFile (316, 0, 0, 0, 8712928, 616, BothDirectory, 1, (316, 0, 0, 0, 8712928, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02028 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=456,Tid=852,}, 0x0, ) == 0x0 02029 728 NtQueryAttributesFile ... ) == 0x0 02030 584 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02031 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1523, 0} (24, {28, 56, new_msg, 0, 456, 460, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\1\0\0\310\1\0\0T\3\0\0" ... ... 02032 728 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0 02033 728 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 320, ... 324, ) == 0x0 02034 728 NtClose (320, ... ) == 0x0 02035 728 NtMapViewOfSection (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc80000), 0x0, 20480, ) == 0x0 02036 728 NtClose (324, ... 02037 584 NtAllocateVirtualMemory (-1, 4603904, 0, 8192, 4096, 4, ... 02031 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1524, 0} ... {28, 56, reply, 0, 456, 460, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\1\0\0\310\1\0\0T\3\0\0" ) ) == 0x0 02037 584 NtAllocateVirtualMemory ... 4603904, 8192, ) == 0x0 02038 460 NtResumeThread (312, ... 02039 584 NtQueryDirectoryFile (316, 0, 0, 0, 4603632, 4096, BothDirectory, 0, 0x0, 0, ... 02038 460 NtResumeThread ... 1, ) == 0x0 02039 584 NtQueryDirectoryFile ... 
{status=0x0, info=1380}, ) == 0x0 02040 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02041 584 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\"}, 3, 16417, ... }, 3, 16417, ... 02040 460 NtAllocateVirtualMemory ... 31588352, 2097152, ) == 0x0 02041 584 NtOpenFile ... 320, {status=0x0, info=1}, ) == 0x0 02042 460 NtAllocateVirtualMemory (-1, 33677312, 0, 8192, 4096, 4, ... 02036 728 NtClose ... ) == 0x0 02043 852 NtWaitForSingleObject (36, 0, 0x0, ... 02044 584 NtQueryDirectoryFile (320, 0, 0, 0, 8712280, 616, BothDirectory, 1, (320, 0, 0, 0, 8712280, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02045 728 NtUnmapViewOfSection (-1, 0xc80000, ... 02044 584 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02045 728 NtUnmapViewOfSection ... ) == 0x0 02046 584 NtQueryDirectoryFile (320, 0, 0, 0, 4607736, 4096, BothDirectory, 0, 0x0, 0, ... 02047 728 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 18740652, ... }, 18740652, ... 02046 584 NtQueryDirectoryFile ... {status=0x0, info=220}, ) == 0x0 02047 728 NtQueryAttributesFile ... ) == 0x0 02048 584 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\desktop.ini\"}, 3, 16417, ... }, 3, 16417, ... 02049 728 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 02048 584 NtOpenFile ... ) == STATUS_NOT_A_DIRECTORY 02042 460 NtAllocateVirtualMemory ... 33677312, 8192, ) == 0x0 02049 728 NtOpenFile ... 324, {status=0x0, info=1}, ) == 0x0 02050 460 NtProtectVirtualMemory (-1, (0x201e000), 4096, 260, ... 02051 728 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 324, ... 02050 460 NtProtectVirtualMemory ... 
(0x201e000), 4096, 4, ) == 0x0 02051 728 NtCreateSection ... 328, ) == 0x0 02052 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02053 728 NtQuerySection (328, Image, 48, ... 02052 460 NtCreateThread ... 332, {456, 872}, ) == 0x0 02053 728 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 02054 460 NtQueryInformationThread (332, Basic, 28, ... 02055 728 NtClose (324, ... 02056 584 NtQueryDirectoryFile (320, 0, 0, 0, 4607736, 4096, BothDirectory, 0, 0x0, 0, ... 02054 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=456,Tid=872,}, 0x0, ) == 0x0 02056 584 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 02057 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1524, 0} (24, {28, 56, new_msg, 0, 456, 460, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\1\0\0\310\1\0\0h\3\0\0" ... ... 02058 584 NtDelayExecution (0, {-10000, -1}, ... 02057 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1525, 0} ... {28, 56, reply, 0, 456, 460, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\1\0\0\310\1\0\0h\3\0\0" ) ) == 0x0 02059 460 NtResumeThread (332, ... 1, ) == 0x0 02060 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 33685504, 2097152, ) == 0x0 02061 460 NtAllocateVirtualMemory (-1, 35774464, 0, 8192, 4096, 4, ... 35774464, 8192, ) == 0x0 02062 460 NtProtectVirtualMemory (-1, (0x221e000), 4096, 260, ... (0x221e000), 4096, 4, ) == 0x0 02055 728 NtClose ... ) == 0x0 02063 872 NtWaitForSingleObject (36, 0, 0x0, ... 02064 728 NtMapViewOfSection (328, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 02065 728 NtClose (328, ... ) == 0x0 02066 728 NtSetEventBoostPriority (36, ... 02043 852 NtWaitForSingleObject ... ) == 0x0 02067 852 NtSetEventBoostPriority (36, ... 02063 872 NtWaitForSingleObject ... ) == 0x0 02068 872 NtTestAlert (... ) == 0x0 02067 852 NtSetEventBoostPriority ... ) == 0x0 02066 728 NtSetEventBoostPriority ... 
) == 0x0 02069 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02070 872 NtContinue (33684784, 1, ... 02071 728 NtClose (308, ... 02069 460 NtCreateThread ... 328, {456, 876}, ) == 0x0 02072 872 NtRegisterThreadTerminatePort (24, ... 02071 728 NtClose ... ) == 0x0 02073 460 NtQueryInformationThread (328, Basic, 28, ... 02072 872 NtRegisterThreadTerminatePort ... ) == 0x0 02074 728 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18742852, 67, ... }, 0x0, 0, 3, 3, 0, 18742852, 67, ... 02073 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=456,Tid=876,}, 0x0, ) == 0x0 02075 872 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02074 728 NtCreateFile ... 308, {status=0x0, info=0}, ) == 0x0 02076 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1525, 0} (24, {28, 56, new_msg, 0, 456, 460, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0\310\1\0\0l\3\0\0" ... ... 02077 728 NtDeviceIoControlFile (308, 288, 0x0, 0x0, 0x1207b, (308, 288, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0h;F\0\17\346\367w", 16, 16, ... , 16, 16, ... 02076 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1526, 0} ... {28, 56, reply, 0, 456, 460, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0\310\1\0\0l\3\0\0" ) ) == 0x0 02078 852 NtTestAlert (... 02075 872 NtSetInformationThread ... ) == 0x0 02079 460 NtResumeThread (328, ... 02078 852 NtTestAlert ... ) == 0x0 02077 728 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\220\27\11\201", ) , ) == 0x0 02079 460 NtResumeThread ... 1, ) == 0x0 02080 852 NtContinue (31587632, 1, ... 02081 728 NtDeviceIoControlFile (308, 288, 0x0, 0x0, 0x1207b, (308, 288, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\220\27\11\201", 16, 16, ... , 16, 16, ... 02082 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02083 852 NtRegisterThreadTerminatePort (24, ... 02081 728 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\220\27\11\201", ) , ) == 0x0 02082 460 NtAllocateVirtualMemory ... 35782656, 2097152, ) == 0x0 02083 852 NtRegisterThreadTerminatePort ... ) == 0x0 02084 728 NtDeviceIoControlFile (308, 288, 0x0, 0x0, 0x12047, (308, 288, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h;F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02085 460 NtAllocateVirtualMemory (-1, 37871616, 0, 8192, 4096, 4, ... 02086 852 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02084 728 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02087 872 NtDelayExecution (1, {0, 0}, ... 02088 876 NtTestAlert (... 02085 460 NtAllocateVirtualMemory ... 37871616, 8192, ) == 0x0 02089 728 NtWaitForSingleObject (232, 0, {0, 0}, ... 02088 876 NtTestAlert ... ) == 0x0 02090 460 NtProtectVirtualMemory (-1, (0x241e000), 4096, 260, ... 02091 876 NtContinue (35781936, 1, ... 02090 460 NtProtectVirtualMemory ... (0x241e000), 4096, 4, ) == 0x0 02092 876 NtRegisterThreadTerminatePort (24, ... 02093 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02092 876 NtRegisterThreadTerminatePort ... ) == 0x0 02093 460 NtCreateThread ... 324, {456, 880}, ) == 0x0 02089 728 NtWaitForSingleObject ... ) == 0x102 02094 460 NtQueryInformationThread (324, Basic, 28, ... 
02095 728 NtDeviceIoControlFile (308, 288, 0x0, 0x0, 0x12003, (308, 288, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02096 876 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02095 728 NtDeviceIoControlFile ... {status=0x0, info=336}, ... {status=0x0, info=336}, "\1\0\0\0\1\0\0\0\16\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02097 728 NtDeviceIoControlFile (308, 288, 0x0, 0x0, 0x12047, (308, 288, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02098 728 NtDeviceIoControlFile (308, 288, 0x0, 0x0, 0x1200b, (308, 288, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... {status=0x0, info=0}, 0x0, ) , 12, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02099 728 NtDeviceIoControlFile (308, 288, 0x0, 0x0, 0x12047, (308, 288, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0\3\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... 
{status=0x0, info=0}, 0x0, ) == 0x0 02100 728 NtDeviceIoControlFile (308, 288, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103 02094 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=456,Tid=880,}, 0x0, ) == 0x0 02096 876 NtSetInformationThread ... ) == 0x0 02101 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1526, 0} (24, {28, 56, new_msg, 0, 456, 460, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0\310\1\0\0p\3\0\0" ... {28, 56, reply, 0, 456, 460, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0\310\1\0\0p\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1527, 0} (24, {28, 56, new_msg, 0, 456, 460, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0\310\1\0\0p\3\0\0" ... {28, 56, reply, 0, 456, 460, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0\310\1\0\0p\3\0\0" ) ) == 0x0 02102 460 NtResumeThread (324, ... 1, ) == 0x0 02103 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 37879808, 2097152, ) == 0x0 02104 460 NtAllocateVirtualMemory (-1, 39968768, 0, 8192, 4096, 4, ... 39968768, 8192, ) == 0x0 02105 460 NtProtectVirtualMemory (-1, (0x261e000), 4096, 260, ... (0x261e000), 4096, 4, ) == 0x0 02106 876 NtDelayExecution (1, {0, 0}, ... 02107 728 NtWaitForSingleObject (288, 1, {-5000000, -1}, ... 02108 880 NtTestAlert (... 02109 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02108 880 NtTestAlert ... ) == 0x0 02109 460 NtCreateThread ... 340, {456, 884}, ) == 0x0 02110 880 NtContinue (37879088, 1, ... 02111 460 NtQueryInformationThread (340, Basic, 28, ... 02112 880 NtRegisterThreadTerminatePort (24, ... 02111 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=456,Tid=884,}, 0x0, ) == 0x0 02112 880 NtRegisterThreadTerminatePort ... ) == 0x0 02113 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1527, 0} (24, {28, 56, new_msg, 0, 456, 460, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\1\0\0\310\1\0\0t\3\0\0" ... 
{28, 56, reply, 0, 456, 460, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\1\0\0\310\1\0\0t\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1528, 0} (24, {28, 56, new_msg, 0, 456, 460, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\1\0\0\310\1\0\0t\3\0\0" ... {28, 56, reply, 0, 456, 460, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\1\0\0\310\1\0\0t\3\0\0" ) ) == 0x0 02114 460 NtResumeThread (340, ... 1, ) == 0x0 02115 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 39976960, 2097152, ) == 0x0 02116 460 NtAllocateVirtualMemory (-1, 42065920, 0, 8192, 4096, 4, ... 02117 880 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02118 884 NtTestAlert (... ) == 0x0 02119 884 NtContinue (39976240, 1, ... 02120 884 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02121 884 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02116 460 NtAllocateVirtualMemory ... 42065920, 8192, ) == 0x0 02122 460 NtProtectVirtualMemory (-1, (0x281e000), 4096, 260, ... (0x281e000), 4096, 4, ) == 0x0 02123 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 344, {456, 888}, ) == 0x0 02124 460 NtQueryInformationThread (344, Basic, 28, ... 02117 880 NtSetInformationThread ... ) == 0x0 02124 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=456,Tid=888,}, 0x0, ) == 0x0 02125 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1528, 0} (24, {28, 56, new_msg, 0, 456, 460, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\1\0\0\310\1\0\0x\3\0\0" ... {28, 56, reply, 0, 456, 460, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\1\0\0\310\1\0\0x\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1529, 0} (24, {28, 56, new_msg, 0, 456, 460, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\1\0\0\310\1\0\0x\3\0\0" ... {28, 56, reply, 0, 456, 460, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\1\0\0\310\1\0\0x\3\0\0" ) ) == 0x0 02126 460 NtResumeThread (344, ... 1, ) == 0x0 02127 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
42074112, 2097152, ) == 0x0 02128 460 NtAllocateVirtualMemory (-1, 44163072, 0, 8192, 4096, 4, ... 44163072, 8192, ) == 0x0 02129 460 NtProtectVirtualMemory (-1, (0x2a1e000), 4096, 260, ... (0x2a1e000), 4096, 4, ) == 0x0 02130 880 NtDelayExecution (1, {0, 0}, ... 02131 888 NtAllocateVirtualMemory (-1, 13193216, 0, 4096, 4096, 4, ... 02132 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02131 888 NtAllocateVirtualMemory ... 13193216, 4096, ) == 0x0 02132 460 NtCreateThread ... 348, {456, 892}, ) == 0x0 02133 888 NtTestAlert (... 02134 460 NtQueryInformationThread (348, Basic, 28, ... 02133 888 NtTestAlert ... ) == 0x0 02134 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=456,Tid=892,}, 0x0, ) == 0x0 02135 888 NtContinue (42073392, 1, ... 02136 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1529, 0} (24, {28, 56, new_msg, 0, 456, 460, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\1\0\0\310\1\0\0|\3\0\0" ... {28, 56, reply, 0, 456, 460, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\1\0\0\310\1\0\0|\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1530, 0} (24, {28, 56, new_msg, 0, 456, 460, 1529, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\1\0\0\310\1\0\0|\3\0\0" ... {28, 56, reply, 0, 456, 460, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\1\0\0\310\1\0\0|\3\0\0" ) ) == 0x0 02137 460 NtResumeThread (348, ... 1, ) == 0x0 02138 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 44171264, 2097152, ) == 0x0 02139 460 NtAllocateVirtualMemory (-1, 46260224, 0, 8192, 4096, 4, ... 02140 888 NtRegisterThreadTerminatePort (24, ... 02141 892 NtTestAlert (... 02140 888 NtRegisterThreadTerminatePort ... ) == 0x0 02141 892 NtTestAlert ... ) == 0x0 02142 888 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02143 892 NtContinue (44170544, 1, ... 02144 892 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02145 892 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02139 460 NtAllocateVirtualMemory ... 46260224, 8192, ) == 0x0 02146 460 NtProtectVirtualMemory (-1, (0x2c1e000), 4096, 260, ... (0x2c1e000), 4096, 4, ) == 0x0 02147 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 352, {456, 896}, ) == 0x0 02148 460 NtQueryInformationThread (352, Basic, 28, ... 02142 888 NtSetInformationThread ... ) == 0x0 02148 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=456,Tid=896,}, 0x0, ) == 0x0 02149 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1530, 0} (24, {28, 56, new_msg, 0, 456, 460, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\310\1\0\0\200\3\0\0" ... {28, 56, reply, 0, 456, 460, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\310\1\0\0\200\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1531, 0} (24, {28, 56, new_msg, 0, 456, 460, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\310\1\0\0\200\3\0\0" ... {28, 56, reply, 0, 456, 460, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\310\1\0\0\200\3\0\0" ) ) == 0x0 02150 460 NtResumeThread (352, ... 1, ) == 0x0 02151 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 46268416, 2097152, ) == 0x0 02152 460 NtAllocateVirtualMemory (-1, 48357376, 0, 8192, 4096, 4, ... 48357376, 8192, ) == 0x0 02153 460 NtProtectVirtualMemory (-1, (0x2e1e000), 4096, 260, ... (0x2e1e000), 4096, 4, ) == 0x0 02154 888 NtDelayExecution (1, {0, 0}, ... 02155 896 NtTestAlert (... 02156 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02155 896 NtTestAlert ... ) == 0x0 02156 460 NtCreateThread ... 356, {456, 900}, ) == 0x0 02157 896 NtContinue (46267696, 1, ... 02158 460 NtQueryInformationThread (356, Basic, 28, ... 02159 896 NtRegisterThreadTerminatePort (24, ... 02158 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=456,Tid=900,}, 0x0, ) == 0x0 02159 896 NtRegisterThreadTerminatePort ... 
) == 0x0 02160 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1531, 0} (24, {28, 56, new_msg, 0, 456, 460, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\310\1\0\0\204\3\0\0" ... {28, 56, reply, 0, 456, 460, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\310\1\0\0\204\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1532, 0} (24, {28, 56, new_msg, 0, 456, 460, 1531, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\310\1\0\0\204\3\0\0" ... {28, 56, reply, 0, 456, 460, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\1\0\0\310\1\0\0\204\3\0\0" ) ) == 0x0 02161 460 NtResumeThread (356, ... 1, ) == 0x0 02162 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 48365568, 2097152, ) == 0x0 02163 460 NtAllocateVirtualMemory (-1, 50454528, 0, 8192, 4096, 4, ... 02164 896 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02165 900 NtTestAlert (... ) == 0x0 02166 900 NtContinue (48364848, 1, ... 02167 900 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02168 900 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02163 460 NtAllocateVirtualMemory ... 50454528, 8192, ) == 0x0 02169 460 NtProtectVirtualMemory (-1, (0x301e000), 4096, 260, ... (0x301e000), 4096, 4, ) == 0x0 02170 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 360, {456, 904}, ) == 0x0 02171 460 NtQueryInformationThread (360, Basic, 28, ... 02164 896 NtSetInformationThread ... ) == 0x0 02171 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=456,Tid=904,}, 0x0, ) == 0x0 02172 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1532, 0} (24, {28, 56, new_msg, 0, 456, 460, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\1\0\0\310\1\0\0\210\3\0\0" ... {28, 56, reply, 0, 456, 460, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\1\0\0\310\1\0\0\210\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1533, 0} (24, {28, 56, new_msg, 0, 456, 460, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\1\0\0\310\1\0\0\210\3\0\0" ... 
{28, 56, reply, 0, 456, 460, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\1\0\0\310\1\0\0\210\3\0\0" ) ) == 0x0 02173 460 NtResumeThread (360, ... 1, ) == 0x0 02174 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 50462720, 2097152, ) == 0x0 02175 460 NtAllocateVirtualMemory (-1, 52551680, 0, 8192, 4096, 4, ... 52551680, 8192, ) == 0x0 02176 460 NtProtectVirtualMemory (-1, (0x321e000), 4096, 260, ... (0x321e000), 4096, 4, ) == 0x0 02177 896 NtDelayExecution (1, {0, 0}, ... 02178 904 NtTestAlert (... 02179 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02178 904 NtTestAlert ... ) == 0x0 02179 460 NtCreateThread ... 364, {456, 908}, ) == 0x0 02180 904 NtContinue (50462000, 1, ... 02181 460 NtQueryInformationThread (364, Basic, 28, ... 02182 904 NtRegisterThreadTerminatePort (24, ... 02181 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=456,Tid=908,}, 0x0, ) == 0x0 02182 904 NtRegisterThreadTerminatePort ... ) == 0x0 02183 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1533, 0} (24, {28, 56, new_msg, 0, 456, 460, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\1\0\0\310\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 456, 460, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\1\0\0\310\1\0\0\214\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1534, 0} (24, {28, 56, new_msg, 0, 456, 460, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\1\0\0\310\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 456, 460, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\1\0\0\310\1\0\0\214\3\0\0" ) ) == 0x0 02184 460 NtResumeThread (364, ... 1, ) == 0x0 02185 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 52559872, 2097152, ) == 0x0 02186 460 NtAllocateVirtualMemory (-1, 54648832, 0, 8192, 4096, 4, ... 02187 904 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02188 908 NtTestAlert (... ) == 0x0 02189 908 NtContinue (52559152, 1, ... 02190 908 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02191 908 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02186 460 NtAllocateVirtualMemory ... 54648832, 8192, ) == 0x0 02192 460 NtProtectVirtualMemory (-1, (0x341e000), 4096, 260, ... (0x341e000), 4096, 4, ) == 0x0 02193 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 368, {456, 924}, ) == 0x0 02194 460 NtQueryInformationThread (368, Basic, 28, ... 02187 904 NtSetInformationThread ... ) == 0x0 02194 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=456,Tid=924,}, 0x0, ) == 0x0 02195 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1534, 0} (24, {28, 56, new_msg, 0, 456, 460, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\1\0\0\310\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 456, 460, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\1\0\0\310\1\0\0\234\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1535, 0} (24, {28, 56, new_msg, 0, 456, 460, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\1\0\0\310\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 456, 460, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\1\0\0\310\1\0\0\234\3\0\0" ) ) == 0x0 02196 460 NtResumeThread (368, ... 1, ) == 0x0 02058 584 NtDelayExecution ... ) == 0x0 02197 904 NtDelayExecution (1, {0, 0}, ... 02198 924 NtTestAlert (... 02199 584 NtClose (320, ... 02200 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02198 924 NtTestAlert ... ) == 0x0 02200 460 NtAllocateVirtualMemory ... 54657024, 2097152, ) == 0x0 02201 924 NtContinue (54656304, 1, ... 02202 460 NtAllocateVirtualMemory (-1, 56745984, 0, 8192, 4096, 4, ... 02203 924 NtRegisterThreadTerminatePort (24, ... 02202 460 NtAllocateVirtualMemory ... 56745984, 8192, ) == 0x0 02203 924 NtRegisterThreadTerminatePort ... ) == 0x0 02204 460 NtProtectVirtualMemory (-1, (0x361e000), 4096, 260, ... 02199 584 NtClose ... ) == 0x0 02204 460 NtProtectVirtualMemory ... 
(0x361e000), 4096, 4, ) == 0x0 02205 584 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Accessibility\"}, 3, 16417, ... }, 3, 16417, ... 02206 924 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02205 584 NtOpenFile ... 320, {status=0x0, info=1}, ) == 0x0 02207 584 NtQueryDirectoryFile (320, 0, 0, 0, 8712280, 616, BothDirectory, 1, (320, 0, 0, 0, 8712280, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 02208 584 NtQueryDirectoryFile (320, 0, 0, 0, 4607736, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=724}, ) == 0x0 02209 584 NtAllocateVirtualMemory (-1, 8699904, 0, 4096, 4096, 260, ... 8699904, 4096, ) == 0x0 02210 584 NtAllocateVirtualMemory (-1, 8695808, 0, 4096, 4096, 260, ... 8695808, 4096, ) == 0x0 02211 584 NtAllocateVirtualMemory (-1, 8691712, 0, 4096, 4096, 260, ... 02212 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02206 924 NtSetInformationThread ... ) == 0x0 02212 460 NtCreateThread ... 372, {456, 928}, ) == 0x0 02211 584 NtAllocateVirtualMemory ... 8691712, 4096, ) == 0x0 02213 460 NtQueryInformationThread (372, Basic, 28, ... 02214 584 NtAllocateVirtualMemory (-1, 8687616, 0, 4096, 4096, 260, ... 02213 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=456,Tid=928,}, 0x0, ) == 0x0 02214 584 NtAllocateVirtualMemory ... 8687616, 4096, ) == 0x0 02215 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1535, 0} (24, {28, 56, new_msg, 0, 456, 460, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\1\0\0\310\1\0\0\240\3\0\0" ... ... 02216 584 NtAllocateVirtualMemory (-1, 8683520, 0, 4096, 4096, 260, ... 8683520, 4096, ) == 0x0 02217 584 NtAllocateVirtualMemory (-1, 8679424, 0, 4096, 4096, 260, ... 8679424, 4096, ) == 0x0 02218 584 NtAllocateVirtualMemory (-1, 8675328, 0, 4096, 4096, 260, ... 
8675328, 4096, ) == 0x0 02219 584 NtAllocateVirtualMemory (-1, 8671232, 0, 4096, 4096, 260, ... 8671232, 4096, ) == 0x0 02220 584 NtAllocateVirtualMemory (-1, 8667136, 0, 4096, 4096, 260, ... 02221 924 NtDelayExecution (1, {0, 0}, ... 02215 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1536, 0} ... {28, 56, reply, 0, 456, 460, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\1\0\0\310\1\0\0\240\3\0\0" ) ) == 0x0 02220 584 NtAllocateVirtualMemory ... 8667136, 4096, ) == 0x0 02222 460 NtResumeThread (372, ... 02223 584 NtAllocateVirtualMemory (-1, 8663040, 0, 4096, 4096, 260, ... 02222 460 NtResumeThread ... 1, ) == 0x0 02223 584 NtAllocateVirtualMemory ... 8663040, 4096, ) == 0x0 02224 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02225 584 NtAllocateVirtualMemory (-1, 8658944, 0, 4096, 4096, 260, ... 02224 460 NtAllocateVirtualMemory ... 56754176, 2097152, ) == 0x0 02225 584 NtAllocateVirtualMemory ... 8658944, 4096, ) == 0x0 02226 460 NtAllocateVirtualMemory (-1, 58843136, 0, 8192, 4096, 4, ... 02227 584 NtAllocateVirtualMemory (-1, 8654848, 0, 4096, 4096, 260, ... 02228 928 NtTestAlert (... 02226 460 NtAllocateVirtualMemory ... 58843136, 8192, ) == 0x0 02228 928 NtTestAlert ... ) == 0x0 02229 460 NtProtectVirtualMemory (-1, (0x381e000), 4096, 260, ... 02230 928 NtContinue (56753456, 1, ... 02229 460 NtProtectVirtualMemory ... (0x381e000), 4096, 4, ) == 0x0 02231 928 NtRegisterThreadTerminatePort (24, ... 02232 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02231 928 NtRegisterThreadTerminatePort ... ) == 0x0 02232 460 NtCreateThread ... 376, {456, 932}, ) == 0x0 02227 584 NtAllocateVirtualMemory ... 8654848, 4096, ) == 0x0 02233 460 NtQueryInformationThread (376, Basic, 28, ... 02234 584 NtAllocateVirtualMemory (-1, 8650752, 0, 4096, 4096, 260, ... 02235 928 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02234 584 NtAllocateVirtualMemory ... 
8650752, 4096, ) == 0x0 02236 584 NtAllocateVirtualMemory (-1, 8646656, 0, 4096, 4096, 260, ... 8646656, 4096, ) == 0x0 02237 584 NtAllocateVirtualMemory (-1, 8642560, 0, 4096, 4096, 260, ... 8642560, 4096, ) == 0x0 02238 584 NtAllocateVirtualMemory (-1, 8638464, 0, 4096, 4096, 260, ... 8638464, 4096, ) == 0x0 02239 584 NtAllocateVirtualMemory (-1, 8634368, 0, 4096, 4096, 260, ... 8634368, 4096, ) == 0x0 02240 584 NtAllocateVirtualMemory (-1, 8630272, 0, 4096, 4096, 260, ... 02233 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=456,Tid=932,}, 0x0, ) == 0x0 02235 928 NtSetInformationThread ... ) == 0x0 02241 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1536, 0} (24, {28, 56, new_msg, 0, 456, 460, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\310\1\0\0\244\3\0\0" ... ... 02240 584 NtAllocateVirtualMemory ... 8630272, 4096, ) == 0x0 02241 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1537, 0} ... {28, 56, reply, 0, 456, 460, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\1\0\0\310\1\0\0\244\3\0\0" ) ) == 0x0 02242 584 NtCreateFile (0x80100081, {24, 0, 0x40, 0, 8638840, (0x80100081, {24, 0, 0x40, 0, 8638840, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk"}, 0x0, 0, 0, 1, 96, 0, 0, ... }, 0x0, 0, 0, 1, 96, 0, 0, ... 02243 460 NtResumeThread (376, ... 02242 584 NtCreateFile ... 380, {status=0x0, info=1}, ) == 0x0 02243 460 NtResumeThread ... 1, ) == 0x0 02244 584 NtReadFile (380, 0, 0, 0, 8191, 0x0, 0, ... 02245 928 NtDelayExecution (1, {0, 0}, ... 02246 932 NtTestAlert (... 02247 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02246 932 NtTestAlert ... ) == 0x0 02247 460 NtAllocateVirtualMemory ... 58851328, 2097152, ) == 0x0 02248 932 NtContinue (58850608, 1, ... 02249 460 NtAllocateVirtualMemory (-1, 60940288, 0, 8192, 4096, 4, ... 02250 932 NtRegisterThreadTerminatePort (24, ... 02249 460 NtAllocateVirtualMemory ... 
60940288, 8192, ) == 0x0 02250 932 NtRegisterThreadTerminatePort ... ) == 0x0 02251 460 NtProtectVirtualMemory (-1, (0x3a1e000), 4096, 260, ... (0x3a1e000), 4096, 4, ) == 0x0 02252 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 384, {456, 936}, ) == 0x0 02253 460 NtQueryInformationThread (384, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=456,Tid=936,}, 0x0, ) == 0x0 02254 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1537, 0} (24, {28, 56, new_msg, 0, 456, 460, 1537, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\1\0\0\310\1\0\0\250\3\0\0" ... ... 02255 932 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02254 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1538, 0} ... {28, 56, reply, 0, 456, 460, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\1\0\0\310\1\0\0\250\3\0\0" ) ) == 0x0 02256 460 NtResumeThread (384, ... 1, ) == 0x0 02257 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 60948480, 2097152, ) == 0x0 02258 460 NtAllocateVirtualMemory (-1, 63037440, 0, 8192, 4096, 4, ... 02259 936 NtTestAlert (... ) == 0x0 02260 936 NtContinue (60947760, 1, ... 02261 936 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02262 936 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02258 460 NtAllocateVirtualMemory ... 63037440, 8192, ) == 0x0 02263 460 NtProtectVirtualMemory (-1, (0x3c1e000), 4096, 260, ... (0x3c1e000), 4096, 4, ) == 0x0 02264 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 388, {456, 940}, ) == 0x0 02265 460 NtQueryInformationThread (388, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=456,Tid=940,}, 0x0, ) == 0x0 02266 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1538, 0} (24, {28, 56, new_msg, 0, 456, 460, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\1\0\0\310\1\0\0\254\3\0\0" ... {28, 56, reply, 0, 456, 460, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\1\0\0\310\1\0\0\254\3\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1539, 0} (24, {28, 56, new_msg, 0, 456, 460, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\1\0\0\310\1\0\0\254\3\0\0" ... {28, 56, reply, 0, 456, 460, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\1\0\0\310\1\0\0\254\3\0\0" ) ) == 0x0 02267 460 NtResumeThread (388, ... 1, ) == 0x0 02268 940 NtTestAlert (... ) == 0x0 02269 940 NtContinue (63044912, 1, ... 02270 940 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02271 940 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02272 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 63045632, 2097152, ) == 0x0 02273 460 NtAllocateVirtualMemory (-1, 65134592, 0, 8192, 4096, 4, ... 65134592, 8192, ) == 0x0 02274 460 NtProtectVirtualMemory (-1, (0x3e1e000), 4096, 260, ... (0x3e1e000), 4096, 4, ) == 0x0 02275 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 392, {456, 944}, ) == 0x0 02276 460 NtQueryInformationThread (392, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=456,Tid=944,}, 0x0, ) == 0x0 02277 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1539, 0} (24, {28, 56, new_msg, 0, 456, 460, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\1\0\0\310\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 456, 460, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\1\0\0\310\1\0\0\260\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1540, 0} (24, {28, 56, new_msg, 0, 456, 460, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\1\0\0\310\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 456, 460, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\1\0\0\310\1\0\0\260\3\0\0" ) ) == 0x0 02278 460 NtResumeThread (392, ... 1, ) == 0x0 02279 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 65142784, 2097152, ) == 0x0 02280 460 NtAllocateVirtualMemory (-1, 67231744, 0, 8192, 4096, 4, ... 02281 944 NtTestAlert (... ) == 0x0 02282 944 NtContinue (65142064, 1, ... 02283 944 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02284 944 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02280 460 NtAllocateVirtualMemory ... 67231744, 8192, ) == 0x0 02285 460 NtProtectVirtualMemory (-1, (0x401e000), 4096, 260, ... (0x401e000), 4096, 4, ) == 0x0 02286 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 396, {456, 948}, ) == 0x0 02287 460 NtQueryInformationThread (396, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=456,Tid=948,}, 0x0, ) == 0x0 02288 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1540, 0} (24, {28, 56, new_msg, 0, 456, 460, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\1\0\0\310\1\0\0\264\3\0\0" ... {28, 56, reply, 0, 456, 460, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\1\0\0\310\1\0\0\264\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1541, 0} (24, {28, 56, new_msg, 0, 456, 460, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\1\0\0\310\1\0\0\264\3\0\0" ... {28, 56, reply, 0, 456, 460, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\1\0\0\310\1\0\0\264\3\0\0" ) ) == 0x0 02289 460 NtResumeThread (396, ... 1, ) == 0x0 02290 948 NtTestAlert (... ) == 0x0 02291 948 NtContinue (67239216, 1, ... 02292 948 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02293 948 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02294 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 67239936, 2097152, ) == 0x0 02295 460 NtAllocateVirtualMemory (-1, 69328896, 0, 8192, 4096, 4, ... 69328896, 8192, ) == 0x0 02296 460 NtProtectVirtualMemory (-1, (0x421e000), 4096, 260, ... (0x421e000), 4096, 4, ) == 0x0 02297 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 400, {456, 952}, ) == 0x0 02298 460 NtQueryInformationThread (400, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=456,Tid=952,}, 0x0, ) == 0x0 02299 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1541, 0} (24, {28, 56, new_msg, 0, 456, 460, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\1\0\0\310\1\0\0\270\3\0\0" ... {28, 56, reply, 0, 456, 460, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\1\0\0\310\1\0\0\270\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1542, 0} (24, {28, 56, new_msg, 0, 456, 460, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\1\0\0\310\1\0\0\270\3\0\0" ... {28, 56, reply, 0, 456, 460, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\1\0\0\310\1\0\0\270\3\0\0" ) ) == 0x0 02300 460 NtResumeThread (400, ... 1, ) == 0x0 02301 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 69337088, 2097152, ) == 0x0 02302 460 NtAllocateVirtualMemory (-1, 71426048, 0, 8192, 4096, 4, ... 02303 952 NtTestAlert (... ) == 0x0 02304 952 NtContinue (69336368, 1, ... 02305 952 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02306 952 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02302 460 NtAllocateVirtualMemory ... 71426048, 8192, ) == 0x0 02307 460 NtProtectVirtualMemory (-1, (0x441e000), 4096, 260, ... (0x441e000), 4096, 4, ) == 0x0 02308 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 404, {456, 956}, ) == 0x0 02309 460 NtQueryInformationThread (404, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=456,Tid=956,}, 0x0, ) == 0x0 02310 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1542, 0} (24, {28, 56, new_msg, 0, 456, 460, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\310\1\0\0\274\3\0\0" ... {28, 56, reply, 0, 456, 460, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\310\1\0\0\274\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1543, 0} (24, {28, 56, new_msg, 0, 456, 460, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\310\1\0\0\274\3\0\0" ... 
{28, 56, reply, 0, 456, 460, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\310\1\0\0\274\3\0\0" ) ) == 0x0 02311 460 NtResumeThread (404, ... 1, ) == 0x0 02312 956 NtTestAlert (... ) == 0x0 02313 956 NtContinue (71433520, 1, ... 02314 956 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02315 956 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02316 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 71434240, 2097152, ) == 0x0 02317 460 NtAllocateVirtualMemory (-1, 73523200, 0, 8192, 4096, 4, ... 73523200, 8192, ) == 0x0 02318 460 NtProtectVirtualMemory (-1, (0x461e000), 4096, 260, ... (0x461e000), 4096, 4, ) == 0x0 02319 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 408, {456, 960}, ) == 0x0 02320 460 NtQueryInformationThread (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=456,Tid=960,}, 0x0, ) == 0x0 02321 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1543, 0} (24, {28, 56, new_msg, 0, 456, 460, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\1\0\0\310\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 456, 460, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\1\0\0\310\1\0\0\300\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1544, 0} (24, {28, 56, new_msg, 0, 456, 460, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\1\0\0\310\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 456, 460, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\1\0\0\310\1\0\0\300\3\0\0" ) ) == 0x0 02322 460 NtResumeThread (408, ... 1, ) == 0x0 02323 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 73531392, 2097152, ) == 0x0 02324 460 NtAllocateVirtualMemory (-1, 75620352, 0, 8192, 4096, 4, ... 02325 960 NtTestAlert (... ) == 0x0 02326 960 NtContinue (73530672, 1, ... 02327 960 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02328 960 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02324 460 NtAllocateVirtualMemory ... 
75620352, 8192, ) == 0x0 02329 460 NtProtectVirtualMemory (-1, (0x481e000), 4096, 260, ... (0x481e000), 4096, 4, ) == 0x0 02330 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 412, {456, 964}, ) == 0x0 02331 460 NtQueryInformationThread (412, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=456,Tid=964,}, 0x0, ) == 0x0 02332 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1544, 0} (24, {28, 56, new_msg, 0, 456, 460, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0\310\1\0\0\304\3\0\0" ... {28, 56, reply, 0, 456, 460, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0\310\1\0\0\304\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1545, 0} (24, {28, 56, new_msg, 0, 456, 460, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0\310\1\0\0\304\3\0\0" ... {28, 56, reply, 0, 456, 460, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0\310\1\0\0\304\3\0\0" ) ) == 0x0 02333 460 NtResumeThread (412, ... 1, ) == 0x0 02334 964 NtTestAlert (... ) == 0x0 02335 964 NtContinue (75627824, 1, ... 02336 964 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02337 964 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02338 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 75628544, 2097152, ) == 0x0 02339 460 NtAllocateVirtualMemory (-1, 77717504, 0, 8192, 4096, 4, ... 77717504, 8192, ) == 0x0 02340 460 NtProtectVirtualMemory (-1, (0x4a1e000), 4096, 260, ... (0x4a1e000), 4096, 4, ) == 0x0 02341 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 416, {456, 968}, ) == 0x0 02342 460 NtQueryInformationThread (416, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=456,Tid=968,}, 0x0, ) == 0x0 02343 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1545, 0} (24, {28, 56, new_msg, 0, 456, 460, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\1\0\0\310\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 456, 460, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\1\0\0\310\1\0\0\310\3\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1546, 0} (24, {28, 56, new_msg, 0, 456, 460, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\1\0\0\310\1\0\0\310\3\0\0" ... {28, 56, reply, 0, 456, 460, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\1\0\0\310\1\0\0\310\3\0\0" ) ) == 0x0 02344 460 NtResumeThread (416, ... 1, ) == 0x0 02345 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 77725696, 2097152, ) == 0x0 02346 460 NtAllocateVirtualMemory (-1, 79814656, 0, 8192, 4096, 4, ... 02347 968 NtTestAlert (... ) == 0x0 02348 968 NtContinue (77724976, 1, ... 02349 968 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02350 968 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02346 460 NtAllocateVirtualMemory ... 79814656, 8192, ) == 0x0 02351 460 NtProtectVirtualMemory (-1, (0x4c1e000), 4096, 260, ... (0x4c1e000), 4096, 4, ) == 0x0 02352 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 420, {456, 972}, ) == 0x0 02353 460 NtQueryInformationThread (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=456,Tid=972,}, 0x0, ) == 0x0 02354 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1546, 0} (24, {28, 56, new_msg, 0, 456, 460, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\1\0\0\310\1\0\0\314\3\0\0" ... {28, 56, reply, 0, 456, 460, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\1\0\0\310\1\0\0\314\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1547, 0} (24, {28, 56, new_msg, 0, 456, 460, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\1\0\0\310\1\0\0\314\3\0\0" ... {28, 56, reply, 0, 456, 460, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\1\0\0\310\1\0\0\314\3\0\0" ) ) == 0x0 02355 460 NtResumeThread (420, ... 1, ) == 0x0 02356 972 NtTestAlert (... ) == 0x0 02357 972 NtContinue (79822128, 1, ... 02358 972 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02359 972 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02360 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
79822848, 2097152, ) == 0x0 02361 460 NtAllocateVirtualMemory (-1, 81911808, 0, 8192, 4096, 4, ... 81911808, 8192, ) == 0x0 02362 460 NtProtectVirtualMemory (-1, (0x4e1e000), 4096, 260, ... (0x4e1e000), 4096, 4, ) == 0x0 02363 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 424, {456, 976}, ) == 0x0 02364 460 NtQueryInformationThread (424, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=456,Tid=976,}, 0x0, ) == 0x0 02365 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1547, 0} (24, {28, 56, new_msg, 0, 456, 460, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\1\0\0\310\1\0\0\320\3\0\0" ... {28, 56, reply, 0, 456, 460, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\1\0\0\310\1\0\0\320\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1548, 0} (24, {28, 56, new_msg, 0, 456, 460, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\1\0\0\310\1\0\0\320\3\0\0" ... {28, 56, reply, 0, 456, 460, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\1\0\0\310\1\0\0\320\3\0\0" ) ) == 0x0 02366 460 NtResumeThread (424, ... 1, ) == 0x0 02367 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 81920000, 2097152, ) == 0x0 02368 460 NtAllocateVirtualMemory (-1, 84008960, 0, 8192, 4096, 4, ... 02369 976 NtTestAlert (... ) == 0x0 02370 976 NtContinue (81919280, 1, ... 02371 976 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02372 976 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02368 460 NtAllocateVirtualMemory ... 84008960, 8192, ) == 0x0 02373 460 NtProtectVirtualMemory (-1, (0x501e000), 4096, 260, ... (0x501e000), 4096, 4, ) == 0x0 02374 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 428, {456, 1000}, ) == 0x0 02375 460 NtQueryInformationThread (428, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=456,Tid=1000,}, 0x0, ) == 0x0 02376 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1548, 0} (24, {28, 56, new_msg, 0, 456, 460, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\1\0\0\310\1\0\0\350\3\0\0" ... {28, 56, reply, 0, 456, 460, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\1\0\0\310\1\0\0\350\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1549, 0} (24, {28, 56, new_msg, 0, 456, 460, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\1\0\0\310\1\0\0\350\3\0\0" ... {28, 56, reply, 0, 456, 460, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\1\0\0\310\1\0\0\350\3\0\0" ) ) == 0x0 02377 460 NtResumeThread (428, ... 1, ) == 0x0 02378 1000 NtTestAlert (... ) == 0x0 02379 1000 NtContinue (84016432, 1, ... 02380 1000 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02381 1000 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02382 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 84017152, 2097152, ) == 0x0 02383 460 NtAllocateVirtualMemory (-1, 86106112, 0, 8192, 4096, 4, ... 86106112, 8192, ) == 0x0 02384 460 NtProtectVirtualMemory (-1, (0x521e000), 4096, 260, ... (0x521e000), 4096, 4, ) == 0x0 02385 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 432, {456, 1004}, ) == 0x0 02386 460 NtQueryInformationThread (432, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=456,Tid=1004,}, 0x0, ) == 0x0 02387 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1549, 0} (24, {28, 56, new_msg, 0, 456, 460, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\1\0\0\310\1\0\0\354\3\0\0" ... {28, 56, reply, 0, 456, 460, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\1\0\0\310\1\0\0\354\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1550, 0} (24, {28, 56, new_msg, 0, 456, 460, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\1\0\0\310\1\0\0\354\3\0\0" ... 
{28, 56, reply, 0, 456, 460, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\1\0\0\310\1\0\0\354\3\0\0" ) ) == 0x0 02388 460 NtResumeThread (432, ... 1, ) == 0x0 02389 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 86114304, 2097152, ) == 0x0 02390 460 NtAllocateVirtualMemory (-1, 88203264, 0, 8192, 4096, 4, ... 02391 1004 NtTestAlert (... ) == 0x0 02392 1004 NtContinue (86113584, 1, ... 02393 1004 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02394 1004 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02390 460 NtAllocateVirtualMemory ... 88203264, 8192, ) == 0x0 02395 460 NtProtectVirtualMemory (-1, (0x541e000), 4096, 260, ... (0x541e000), 4096, 4, ) == 0x0 02396 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 436, {456, 1024}, ) == 0x0 02397 460 NtQueryInformationThread (436, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=456,Tid=1024,}, 0x0, ) == 0x0 02398 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1550, 0} (24, {28, 56, new_msg, 0, 456, 460, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\1\0\0\310\1\0\0\0\4\0\0" ... {28, 56, reply, 0, 456, 460, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\1\0\0\310\1\0\0\0\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1551, 0} (24, {28, 56, new_msg, 0, 456, 460, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\1\0\0\310\1\0\0\0\4\0\0" ... {28, 56, reply, 0, 456, 460, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\1\0\0\310\1\0\0\0\4\0\0" ) ) == 0x0 02399 460 NtResumeThread (436, ... 1, ) == 0x0 02400 1024 NtTestAlert (... ) == 0x0 02401 1024 NtContinue (88210736, 1, ... 02402 1024 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02403 1024 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02404 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 88211456, 2097152, ) == 0x0 02405 460 NtAllocateVirtualMemory (-1, 90300416, 0, 8192, 4096, 4, ... 
90300416, 8192, ) == 0x0 02406 460 NtProtectVirtualMemory (-1, (0x561e000), 4096, 260, ... (0x561e000), 4096, 4, ) == 0x0 02407 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 440, {456, 1028}, ) == 0x0 02408 460 NtQueryInformationThread (440, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=456,Tid=1028,}, 0x0, ) == 0x0 02409 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1551, 0} (24, {28, 56, new_msg, 0, 456, 460, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\310\1\0\0\4\4\0\0" ... {28, 56, reply, 0, 456, 460, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\310\1\0\0\4\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1552, 0} (24, {28, 56, new_msg, 0, 456, 460, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\310\1\0\0\4\4\0\0" ... {28, 56, reply, 0, 456, 460, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\310\1\0\0\4\4\0\0" ) ) == 0x0 02410 460 NtResumeThread (440, ... 1, ) == 0x0 02411 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 90308608, 2097152, ) == 0x0 02412 460 NtAllocateVirtualMemory (-1, 92397568, 0, 8192, 4096, 4, ... 02413 1028 NtTestAlert (... ) == 0x0 02414 1028 NtContinue (90307888, 1, ... 02415 1028 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02416 1028 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02412 460 NtAllocateVirtualMemory ... 92397568, 8192, ) == 0x0 02417 460 NtProtectVirtualMemory (-1, (0x581e000), 4096, 260, ... (0x581e000), 4096, 4, ) == 0x0 02418 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 444, {456, 1032}, ) == 0x0 02419 460 NtQueryInformationThread (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=456,Tid=1032,}, 0x0, ) == 0x0 02420 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1552, 0} (24, {28, 56, new_msg, 0, 456, 460, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0\310\1\0\0\10\4\0\0" ... 
{28, 56, reply, 0, 456, 460, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0\310\1\0\0\10\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1553, 0} (24, {28, 56, new_msg, 0, 456, 460, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0\310\1\0\0\10\4\0\0" ... {28, 56, reply, 0, 456, 460, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0\310\1\0\0\10\4\0\0" ) ) == 0x0 02421 460 NtResumeThread (444, ... 1, ) == 0x0 02422 1032 NtTestAlert (... ) == 0x0 02423 1032 NtContinue (92405040, 1, ... 02424 1032 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02425 1032 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02426 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 92405760, 2097152, ) == 0x0 02427 460 NtAllocateVirtualMemory (-1, 94494720, 0, 8192, 4096, 4, ... 94494720, 8192, ) == 0x0 02428 460 NtProtectVirtualMemory (-1, (0x5a1e000), 4096, 260, ... (0x5a1e000), 4096, 4, ) == 0x0 02429 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 448, {456, 1012}, ) == 0x0 02430 460 NtQueryInformationThread (448, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=456,Tid=1012,}, 0x0, ) == 0x0 02431 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1553, 0} (24, {28, 56, new_msg, 0, 456, 460, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\1\0\0\310\1\0\0\364\3\0\0" ... {28, 56, reply, 0, 456, 460, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\1\0\0\310\1\0\0\364\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1554, 0} (24, {28, 56, new_msg, 0, 456, 460, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\1\0\0\310\1\0\0\364\3\0\0" ... {28, 56, reply, 0, 456, 460, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\1\0\0\310\1\0\0\364\3\0\0" ) ) == 0x0 02432 460 NtResumeThread (448, ... 1, ) == 0x0 02433 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 94502912, 2097152, ) == 0x0 02434 460 NtAllocateVirtualMemory (-1, 96591872, 0, 8192, 4096, 4, ... 02435 1012 NtTestAlert (... ) == 0x0 02436 1012 NtContinue (94502192, 1, ... 
02437 1012 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02438 1012 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02434 460 NtAllocateVirtualMemory ... 96591872, 8192, ) == 0x0 02439 460 NtProtectVirtualMemory (-1, (0x5c1e000), 4096, 260, ... (0x5c1e000), 4096, 4, ) == 0x0 02440 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 452, {456, 1036}, ) == 0x0 02441 460 NtQueryInformationThread (452, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=456,Tid=1036,}, 0x0, ) == 0x0 02442 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1554, 0} (24, {28, 56, new_msg, 0, 456, 460, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\1\0\0\310\1\0\0\14\4\0\0" ... {28, 56, reply, 0, 456, 460, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\1\0\0\310\1\0\0\14\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1555, 0} (24, {28, 56, new_msg, 0, 456, 460, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\1\0\0\310\1\0\0\14\4\0\0" ... {28, 56, reply, 0, 456, 460, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\1\0\0\310\1\0\0\14\4\0\0" ) ) == 0x0 02443 460 NtResumeThread (452, ... 1, ) == 0x0 02444 1036 NtTestAlert (... ) == 0x0 02445 1036 NtContinue (96599344, 1, ... 02446 1036 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02447 1036 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02448 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 96600064, 2097152, ) == 0x0 02449 460 NtAllocateVirtualMemory (-1, 98689024, 0, 8192, 4096, 4, ... 98689024, 8192, ) == 0x0 02450 460 NtProtectVirtualMemory (-1, (0x5e1e000), 4096, 260, ... (0x5e1e000), 4096, 4, ) == 0x0 02451 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 456, {456, 308}, ) == 0x0 02452 460 NtQueryInformationThread (456, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=456,Tid=308,}, 0x0, ) == 0x0 02453 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1555, 0} (24, {28, 56, new_msg, 0, 456, 460, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\1\0\0\310\1\0\04\1\0\0" ... {28, 56, reply, 0, 456, 460, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\1\0\0\310\1\0\04\1\0\0" ) ... {28, 56, reply, 0, 456, 460, 1556, 0} (24, {28, 56, new_msg, 0, 456, 460, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\1\0\0\310\1\0\04\1\0\0" ... {28, 56, reply, 0, 456, 460, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\1\0\0\310\1\0\04\1\0\0" ) ) == 0x0 02454 460 NtResumeThread (456, ... 1, ) == 0x0 02455 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 98697216, 2097152, ) == 0x0 02456 460 NtAllocateVirtualMemory (-1, 100786176, 0, 8192, 4096, 4, ... 02457 308 NtTestAlert (... ) == 0x0 02458 308 NtContinue (98696496, 1, ... 02459 308 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02460 308 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02456 460 NtAllocateVirtualMemory ... 100786176, 8192, ) == 0x0 02461 460 NtProtectVirtualMemory (-1, (0x601e000), 4096, 260, ... (0x601e000), 4096, 4, ) == 0x0 02462 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 460, {456, 1052}, ) == 0x0 02463 460 NtQueryInformationThread (460, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=456,Tid=1052,}, 0x0, ) == 0x0 02464 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1556, 0} (24, {28, 56, new_msg, 0, 456, 460, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\1\0\0\310\1\0\0\34\4\0\0" ... {28, 56, reply, 0, 456, 460, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\1\0\0\310\1\0\0\34\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1557, 0} (24, {28, 56, new_msg, 0, 456, 460, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\1\0\0\310\1\0\0\34\4\0\0" ... 
{28, 56, reply, 0, 456, 460, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\1\0\0\310\1\0\0\34\4\0\0" ) ) == 0x0 02465 460 NtResumeThread (460, ... 1, ) == 0x0 02466 1052 NtAllocateVirtualMemory (-1, 13197312, 0, 4096, 4096, 4, ... 13197312, 4096, ) == 0x0 02467 1052 NtTestAlert (... ) == 0x0 02468 1052 NtContinue (100793648, 1, ... 02469 1052 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02470 1052 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02471 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 100794368, 2097152, ) == 0x0 02472 460 NtAllocateVirtualMemory (-1, 102883328, 0, 8192, 4096, 4, ... 102883328, 8192, ) == 0x0 02473 460 NtProtectVirtualMemory (-1, (0x621e000), 4096, 260, ... (0x621e000), 4096, 4, ) == 0x0 02474 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 464, {456, 1068}, ) == 0x0 02475 460 NtQueryInformationThread (464, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=456,Tid=1068,}, 0x0, ) == 0x0 02476 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1557, 0} (24, {28, 56, new_msg, 0, 456, 460, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0\310\1\0\0,\4\0\0" ... {28, 56, reply, 0, 456, 460, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0\310\1\0\0,\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1558, 0} (24, {28, 56, new_msg, 0, 456, 460, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0\310\1\0\0,\4\0\0" ... {28, 56, reply, 0, 456, 460, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0\310\1\0\0,\4\0\0" ) ) == 0x0 02477 460 NtResumeThread (464, ... 1, ) == 0x0 02478 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 102891520, 2097152, ) == 0x0 02479 460 NtAllocateVirtualMemory (-1, 104980480, 0, 8192, 4096, 4, ... 02480 1068 NtTestAlert (... ) == 0x0 02481 1068 NtContinue (102890800, 1, ... 02482 1068 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02483 1068 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02479 460 NtAllocateVirtualMemory ... 104980480, 8192, ) == 0x0 02484 460 NtProtectVirtualMemory (-1, (0x641e000), 4096, 260, ... (0x641e000), 4096, 4, ) == 0x0 02485 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 468, {456, 1076}, ) == 0x0 02486 460 NtQueryInformationThread (468, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=456,Tid=1076,}, 0x0, ) == 0x0 02487 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1558, 0} (24, {28, 56, new_msg, 0, 456, 460, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\1\0\0\310\1\0\04\4\0\0" ... {28, 56, reply, 0, 456, 460, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\1\0\0\310\1\0\04\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1559, 0} (24, {28, 56, new_msg, 0, 456, 460, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\1\0\0\310\1\0\04\4\0\0" ... {28, 56, reply, 0, 456, 460, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\1\0\0\310\1\0\04\4\0\0" ) ) == 0x0 02488 460 NtResumeThread (468, ... 1, ) == 0x0 02489 1076 NtTestAlert (... ) == 0x0 02490 1076 NtContinue (104987952, 1, ... 02491 1076 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02492 1076 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02493 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 104988672, 2097152, ) == 0x0 02494 460 NtAllocateVirtualMemory (-1, 107077632, 0, 8192, 4096, 4, ... 107077632, 8192, ) == 0x0 02495 460 NtProtectVirtualMemory (-1, (0x661e000), 4096, 260, ... (0x661e000), 4096, 4, ) == 0x0 02496 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 472, {456, 1088}, ) == 0x0 02497 460 NtQueryInformationThread (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=456,Tid=1088,}, 0x0, ) == 0x0 02498 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1559, 0} (24, {28, 56, new_msg, 0, 456, 460, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0\310\1\0\0@\4\0\0" ... 
{28, 56, reply, 0, 456, 460, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0\310\1\0\0@\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1560, 0} (24, {28, 56, new_msg, 0, 456, 460, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0\310\1\0\0@\4\0\0" ... {28, 56, reply, 0, 456, 460, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0\310\1\0\0@\4\0\0" ) ) == 0x0 02499 460 NtResumeThread (472, ... 1, ) == 0x0 02500 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 107085824, 2097152, ) == 0x0 02501 460 NtAllocateVirtualMemory (-1, 109174784, 0, 8192, 4096, 4, ... 02502 1088 NtTestAlert (... ) == 0x0 02503 1088 NtContinue (107085104, 1, ... 02504 1088 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02505 1088 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02501 460 NtAllocateVirtualMemory ... 109174784, 8192, ) == 0x0 02506 460 NtProtectVirtualMemory (-1, (0x681e000), 4096, 260, ... (0x681e000), 4096, 4, ) == 0x0 02507 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 476, {456, 1056}, ) == 0x0 02508 460 NtQueryInformationThread (476, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=456,Tid=1056,}, 0x0, ) == 0x0 02509 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1560, 0} (24, {28, 56, new_msg, 0, 456, 460, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\1\0\0\310\1\0\0 \4\0\0" ... {28, 56, reply, 0, 456, 460, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\1\0\0\310\1\0\0 \4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1561, 0} (24, {28, 56, new_msg, 0, 456, 460, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\1\0\0\310\1\0\0 \4\0\0" ... {28, 56, reply, 0, 456, 460, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\1\0\0\310\1\0\0 \4\0\0" ) ) == 0x0 02510 460 NtResumeThread (476, ... 1, ) == 0x0 02511 1056 NtTestAlert (... ) == 0x0 02512 1056 NtContinue (109182256, 1, ... 02513 1056 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02514 1056 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02515 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 109182976, 2097152, ) == 0x0 02516 460 NtAllocateVirtualMemory (-1, 111271936, 0, 8192, 4096, 4, ... 111271936, 8192, ) == 0x0 02517 460 NtProtectVirtualMemory (-1, (0x6a1e000), 4096, 260, ... (0x6a1e000), 4096, 4, ) == 0x0 02518 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 480, {456, 1112}, ) == 0x0 02519 460 NtQueryInformationThread (480, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=456,Tid=1112,}, 0x0, ) == 0x0 02520 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1561, 0} (24, {28, 56, new_msg, 0, 456, 460, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\310\1\0\0X\4\0\0" ... {28, 56, reply, 0, 456, 460, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\310\1\0\0X\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1562, 0} (24, {28, 56, new_msg, 0, 456, 460, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\310\1\0\0X\4\0\0" ... {28, 56, reply, 0, 456, 460, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\310\1\0\0X\4\0\0" ) ) == 0x0 02521 460 NtResumeThread (480, ... 1, ) == 0x0 02522 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 111280128, 2097152, ) == 0x0 02523 460 NtAllocateVirtualMemory (-1, 113369088, 0, 8192, 4096, 4, ... 02524 1112 NtTestAlert (... ) == 0x0 02525 1112 NtContinue (111279408, 1, ... 02526 1112 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02527 1112 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02523 460 NtAllocateVirtualMemory ... 113369088, 8192, ) == 0x0 02528 460 NtProtectVirtualMemory (-1, (0x6c1e000), 4096, 260, ... (0x6c1e000), 4096, 4, ) == 0x0 02529 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 484, {456, 1092}, ) == 0x0 02530 460 NtQueryInformationThread (484, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=456,Tid=1092,}, 0x0, ) == 0x0 02531 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1562, 0} (24, {28, 56, new_msg, 0, 456, 460, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\1\0\0\310\1\0\0D\4\0\0" ... {28, 56, reply, 0, 456, 460, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\1\0\0\310\1\0\0D\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1563, 0} (24, {28, 56, new_msg, 0, 456, 460, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\1\0\0\310\1\0\0D\4\0\0" ... {28, 56, reply, 0, 456, 460, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\1\0\0\310\1\0\0D\4\0\0" ) ) == 0x0 02532 460 NtResumeThread (484, ... 1, ) == 0x0 02533 1092 NtTestAlert (... ) == 0x0 02534 1092 NtContinue (113376560, 1, ... 02535 1092 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02536 1092 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02537 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 113377280, 2097152, ) == 0x0 02538 460 NtAllocateVirtualMemory (-1, 115466240, 0, 8192, 4096, 4, ... 115466240, 8192, ) == 0x0 02539 460 NtProtectVirtualMemory (-1, (0x6e1e000), 4096, 260, ... (0x6e1e000), 4096, 4, ) == 0x0 02540 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 488, {456, 1100}, ) == 0x0 02541 460 NtQueryInformationThread (488, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=456,Tid=1100,}, 0x0, ) == 0x0 02542 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1563, 0} (24, {28, 56, new_msg, 0, 456, 460, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\310\1\0\0L\4\0\0" ... {28, 56, reply, 0, 456, 460, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\310\1\0\0L\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1564, 0} (24, {28, 56, new_msg, 0, 456, 460, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\310\1\0\0L\4\0\0" ... {28, 56, reply, 0, 456, 460, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\1\0\0\310\1\0\0L\4\0\0" ) ) == 0x0 02543 460 NtResumeThread (488, ... 
1, ) == 0x0 02544 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 115474432, 2097152, ) == 0x0 02545 460 NtAllocateVirtualMemory (-1, 117563392, 0, 8192, 4096, 4, ... 02546 1100 NtTestAlert (... ) == 0x0 02547 1100 NtContinue (115473712, 1, ... 02548 1100 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02549 1100 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02545 460 NtAllocateVirtualMemory ... 117563392, 8192, ) == 0x0 02550 460 NtProtectVirtualMemory (-1, (0x701e000), 4096, 260, ... (0x701e000), 4096, 4, ) == 0x0 02551 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 492, {456, 1116}, ) == 0x0 02552 460 NtQueryInformationThread (492, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=456,Tid=1116,}, 0x0, ) == 0x0 02553 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1564, 0} (24, {28, 56, new_msg, 0, 456, 460, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0\310\1\0\0\\4\0\0" ... {28, 56, reply, 0, 456, 460, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0\310\1\0\0\\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1565, 0} (24, {28, 56, new_msg, 0, 456, 460, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0\310\1\0\0\\4\0\0" ... {28, 56, reply, 0, 456, 460, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0\310\1\0\0\\4\0\0" ) ) == 0x0 02554 460 NtResumeThread (492, ... 1, ) == 0x0 02555 1116 NtTestAlert (... ) == 0x0 02556 1116 NtContinue (117570864, 1, ... 02557 1116 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02558 1116 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02559 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 117571584, 2097152, ) == 0x0 02560 460 NtAllocateVirtualMemory (-1, 119660544, 0, 8192, 4096, 4, ... 119660544, 8192, ) == 0x0 02561 460 NtProtectVirtualMemory (-1, (0x721e000), 4096, 260, ... (0x721e000), 4096, 4, ) == 0x0 02562 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
496, {456, 1172}, ) == 0x0 02563 460 NtQueryInformationThread (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=456,Tid=1172,}, 0x0, ) == 0x0 02564 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1565, 0} (24, {28, 56, new_msg, 0, 456, 460, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\1\0\0\310\1\0\0\224\4\0\0" ... {28, 56, reply, 0, 456, 460, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\1\0\0\310\1\0\0\224\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1566, 0} (24, {28, 56, new_msg, 0, 456, 460, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\1\0\0\310\1\0\0\224\4\0\0" ... {28, 56, reply, 0, 456, 460, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\1\0\0\310\1\0\0\224\4\0\0" ) ) == 0x0 02565 460 NtResumeThread (496, ... 1, ) == 0x0 02566 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 119668736, 2097152, ) == 0x0 02567 460 NtAllocateVirtualMemory (-1, 121757696, 0, 8192, 4096, 4, ... 02568 1172 NtTestAlert (... ) == 0x0 02569 1172 NtContinue (119668016, 1, ... 02570 1172 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02571 1172 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02567 460 NtAllocateVirtualMemory ... 121757696, 8192, ) == 0x0 02572 460 NtProtectVirtualMemory (-1, (0x741e000), 4096, 260, ... (0x741e000), 4096, 4, ) == 0x0 02573 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 500, {456, 1168}, ) == 0x0 02574 460 NtQueryInformationThread (500, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=456,Tid=1168,}, 0x0, ) == 0x0 02575 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1566, 0} (24, {28, 56, new_msg, 0, 456, 460, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\1\0\0\310\1\0\0\220\4\0\0" ... {28, 56, reply, 0, 456, 460, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\1\0\0\310\1\0\0\220\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1567, 0} (24, {28, 56, new_msg, 0, 456, 460, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\1\0\0\310\1\0\0\220\4\0\0" ... 
{28, 56, reply, 0, 456, 460, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\1\0\0\310\1\0\0\220\4\0\0" ) ) == 0x0 02576 460 NtResumeThread (500, ... 1, ) == 0x0 02577 1168 NtTestAlert (... ) == 0x0 02578 1168 NtContinue (121765168, 1, ... 02579 1168 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02580 1168 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02581 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 121765888, 2097152, ) == 0x0 02582 460 NtAllocateVirtualMemory (-1, 123854848, 0, 8192, 4096, 4, ... 123854848, 8192, ) == 0x0 02583 460 NtProtectVirtualMemory (-1, (0x761e000), 4096, 260, ... (0x761e000), 4096, 4, ) == 0x0 02584 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 504, {456, 1120}, ) == 0x0 02585 460 NtQueryInformationThread (504, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=456,Tid=1120,}, 0x0, ) == 0x0 02586 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1567, 0} (24, {28, 56, new_msg, 0, 456, 460, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\310\1\0\0`\4\0\0" ... ... 02244 584 NtReadFile ... {status=0x0, info=1443}, ... 
{status=0x0, info=1443}, "L\0\0\0\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\277\2\0\0 \0\0\0\0`\2370\16,\301\1\0\300\233'{8\307\1\0`\2370\16,\301\1\0\266\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\363\0\24\0\37P\340O\320 \352:i\20\242\330\10\0+00\235\31\0/C:\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\01\0\0\0\0\006T\10\20\0WINDOWS\0&\0\3\0\4\0\357\27606T\1006\0@\24\0\0\0W\0I\0N\0D\0O\0W\0S\0\0\0\26\0@\01\0\0\0\0\006T\10\20\0system32\0\0(\0\3\0\4\0\357\27606T\1006\0@\24\0\0\0s\0y\0s\0t\0e\0m\03\02\0\0\0\30\0H\02\0\0\266\0\0\27+\0\240 \0utilman.exe\0.\0\3\0\4\0\357\276\27+\0\240/6\0@\24\0\0\0u\0t\0i\0l\0m\0a\0n\0.\0e\0x\0e\0\0\0\32\0\0\0N\0\0\0\34\0\0\0\1\0\0\0\34\0\0\0-\0\0\0\0\0\0\0M\0\0\0\21\0\0\0\3\0\0\0\350\35\361<\20\0\0\0\0C:\WINDOWS\system32\utilman.exe\0\0)\0@\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0,\0-\02\02\05\07\07\0.\0.\0.\0\\0.\0.\0\\0.\0.", ) , ) == 0x0 02587 584 NtClose (380, ... ) == 0x0 02588 584 NtDelayExecution (0, {-10000, -1}, ... 02586 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1568, 0} ... {28, 56, reply, 0, 456, 460, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\310\1\0\0`\4\0\0" ) ) == 0x0 02589 460 NtResumeThread (504, ... 1, ) == 0x0 02590 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 123863040, 2097152, ) == 0x0 02591 460 NtAllocateVirtualMemory (-1, 125952000, 0, 8192, 4096, 4, ... 02592 1120 NtTestAlert (... ) == 0x0 02593 1120 NtContinue (123862320, 1, ... 02594 1120 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02595 1120 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02591 460 NtAllocateVirtualMemory ... 125952000, 8192, ) == 0x0 02596 460 NtProtectVirtualMemory (-1, (0x781e000), 4096, 260, ... (0x781e000), 4096, 4, ) == 0x0 02597 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 380, {456, 1124}, ) == 0x0 02598 460 NtQueryInformationThread (380, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=456,Tid=1124,}, 0x0, ) == 0x0 02599 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1568, 0} (24, {28, 56, new_msg, 0, 456, 460, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\1\0\0\310\1\0\0d\4\0\0" ... {28, 56, reply, 0, 456, 460, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\1\0\0\310\1\0\0d\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1569, 0} (24, {28, 56, new_msg, 0, 456, 460, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\1\0\0\310\1\0\0d\4\0\0" ... {28, 56, reply, 0, 456, 460, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\1\0\0\310\1\0\0d\4\0\0" ) ) == 0x0 02600 460 NtResumeThread (380, ... 1, ) == 0x0 02601 1124 NtTestAlert (... ) == 0x0 02602 1124 NtContinue (125959472, 1, ... 02603 1124 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02604 1124 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02605 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 125960192, 2097152, ) == 0x0 02606 460 NtAllocateVirtualMemory (-1, 128049152, 0, 8192, 4096, 4, ... 128049152, 8192, ) == 0x0 02607 460 NtProtectVirtualMemory (-1, (0x7a1e000), 4096, 260, ... (0x7a1e000), 4096, 4, ) == 0x0 02608 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 508, {456, 1176}, ) == 0x0 02609 460 NtQueryInformationThread (508, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=456,Tid=1176,}, 0x0, ) == 0x0 02610 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1569, 0} (24, {28, 56, new_msg, 0, 456, 460, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\1\0\0\310\1\0\0\230\4\0\0" ... {28, 56, reply, 0, 456, 460, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\1\0\0\310\1\0\0\230\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1570, 0} (24, {28, 56, new_msg, 0, 456, 460, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\1\0\0\310\1\0\0\230\4\0\0" ... {28, 56, reply, 0, 456, 460, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\1\0\0\310\1\0\0\230\4\0\0" ) ) == 0x0 02611 460 NtResumeThread (508, ... 
1, ) == 0x0 02612 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 128057344, 2097152, ) == 0x0 02613 460 NtAllocateVirtualMemory (-1, 130146304, 0, 8192, 4096, 4, ... 02614 1176 NtTestAlert (... ) == 0x0 02615 1176 NtContinue (128056624, 1, ... 02616 1176 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02617 1176 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02613 460 NtAllocateVirtualMemory ... 130146304, 8192, ) == 0x0 02618 460 NtProtectVirtualMemory (-1, (0x7c1e000), 4096, 260, ... (0x7c1e000), 4096, 4, ) == 0x0 02619 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 512, {456, 1180}, ) == 0x0 02620 460 NtQueryInformationThread (512, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=456,Tid=1180,}, 0x0, ) == 0x0 02621 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1570, 0} (24, {28, 56, new_msg, 0, 456, 460, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\310\1\0\0\234\4\0\0" ... {28, 56, reply, 0, 456, 460, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\310\1\0\0\234\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1571, 0} (24, {28, 56, new_msg, 0, 456, 460, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\310\1\0\0\234\4\0\0" ... {28, 56, reply, 0, 456, 460, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\2\0\0\310\1\0\0\234\4\0\0" ) ) == 0x0 02622 460 NtResumeThread (512, ... 1, ) == 0x0 02623 1180 NtTestAlert (... ) == 0x0 02624 1180 NtContinue (130153776, 1, ... 02625 1180 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02626 1180 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02627 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 130154496, 2097152, ) == 0x0 02628 460 NtAllocateVirtualMemory (-1, 132243456, 0, 8192, 4096, 4, ... 132243456, 8192, ) == 0x0 02629 460 NtProtectVirtualMemory (-1, (0x7e1e000), 4096, 260, ... (0x7e1e000), 4096, 4, ) == 0x0 02630 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
516, {456, 1016}, ) == 0x0 02631 460 NtQueryInformationThread (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=456,Tid=1016,}, 0x0, ) == 0x0 02632 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1571, 0} (24, {28, 56, new_msg, 0, 456, 460, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\310\1\0\0\370\3\0\0" ... {28, 56, reply, 0, 456, 460, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\310\1\0\0\370\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1572, 0} (24, {28, 56, new_msg, 0, 456, 460, 1571, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\310\1\0\0\370\3\0\0" ... {28, 56, reply, 0, 456, 460, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0\310\1\0\0\370\3\0\0" ) ) == 0x0 02633 460 NtResumeThread (516, ... 1, ) == 0x0 02634 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 132251648, 2097152, ) == 0x0 02635 460 NtAllocateVirtualMemory (-1, 134340608, 0, 8192, 4096, 4, ... 02636 1016 NtTestAlert (... ) == 0x0 02637 1016 NtContinue (132250928, 1, ... 02638 1016 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02639 1016 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02635 460 NtAllocateVirtualMemory ... 134340608, 8192, ) == 0x0 02640 460 NtProtectVirtualMemory (-1, (0x801e000), 4096, 260, ... (0x801e000), 4096, 4, ) == 0x0 02641 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 520, {456, 1148}, ) == 0x0 02642 460 NtQueryInformationThread (520, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=456,Tid=1148,}, 0x0, ) == 0x0 02643 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1572, 0} (24, {28, 56, new_msg, 0, 456, 460, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\310\1\0\0|\4\0\0" ... {28, 56, reply, 0, 456, 460, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\310\1\0\0|\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1573, 0} (24, {28, 56, new_msg, 0, 456, 460, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\310\1\0\0|\4\0\0" ... 
{28, 56, reply, 0, 456, 460, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0\310\1\0\0|\4\0\0" ) ) == 0x0 02644 460 NtResumeThread (520, ... 1, ) == 0x0 02645 1148 NtTestAlert (... ) == 0x0 02646 1148 NtContinue (134348080, 1, ... 02647 1148 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02648 1148 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02649 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 134348800, 2097152, ) == 0x0 02650 460 NtAllocateVirtualMemory (-1, 136437760, 0, 8192, 4096, 4, ... 136437760, 8192, ) == 0x0 02651 460 NtProtectVirtualMemory (-1, (0x821e000), 4096, 260, ... (0x821e000), 4096, 4, ) == 0x0 02652 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 524, {456, 320}, ) == 0x0 02653 460 NtQueryInformationThread (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=456,Tid=320,}, 0x0, ) == 0x0 02654 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1573, 0} (24, {28, 56, new_msg, 0, 456, 460, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\2\0\0\310\1\0\0@\1\0\0" ... {28, 56, reply, 0, 456, 460, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\2\0\0\310\1\0\0@\1\0\0" ) ... {28, 56, reply, 0, 456, 460, 1574, 0} (24, {28, 56, new_msg, 0, 456, 460, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\2\0\0\310\1\0\0@\1\0\0" ... {28, 56, reply, 0, 456, 460, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\2\0\0\310\1\0\0@\1\0\0" ) ) == 0x0 02655 460 NtResumeThread (524, ... 1, ) == 0x0 02656 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 136445952, 2097152, ) == 0x0 02657 460 NtAllocateVirtualMemory (-1, 138534912, 0, 8192, 4096, 4, ... 02658 320 NtTestAlert (... ) == 0x0 02659 320 NtContinue (136445232, 1, ... 02660 320 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02661 320 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02657 460 NtAllocateVirtualMemory ... 
138534912, 8192, ) == 0x0 02662 460 NtProtectVirtualMemory (-1, (0x841e000), 4096, 260, ... (0x841e000), 4096, 4, ) == 0x0 02663 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 528, {456, 324}, ) == 0x0 02664 460 NtQueryInformationThread (528, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=456,Tid=324,}, 0x0, ) == 0x0 02665 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1574, 0} (24, {28, 56, new_msg, 0, 456, 460, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\2\0\0\310\1\0\0D\1\0\0" ... {28, 56, reply, 0, 456, 460, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\2\0\0\310\1\0\0D\1\0\0" ) ... {28, 56, reply, 0, 456, 460, 1575, 0} (24, {28, 56, new_msg, 0, 456, 460, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\2\0\0\310\1\0\0D\1\0\0" ... {28, 56, reply, 0, 456, 460, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\2\0\0\310\1\0\0D\1\0\0" ) ) == 0x0 02666 460 NtResumeThread (528, ... 1, ) == 0x0 02667 324 NtTestAlert (... ) == 0x0 02668 324 NtContinue (138542384, 1, ... 02669 324 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02670 324 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02671 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 138543104, 2097152, ) == 0x0 02672 460 NtAllocateVirtualMemory (-1, 140632064, 0, 8192, 4096, 4, ... 140632064, 8192, ) == 0x0 02673 460 NtProtectVirtualMemory (-1, (0x861e000), 4096, 260, ... (0x861e000), 4096, 4, ) == 0x0 02674 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 532, {456, 1184}, ) == 0x0 02675 460 NtQueryInformationThread (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=456,Tid=1184,}, 0x0, ) == 0x0 02676 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1575, 0} (24, {28, 56, new_msg, 0, 456, 460, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\310\1\0\0\240\4\0\0" ... {28, 56, reply, 0, 456, 460, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\310\1\0\0\240\4\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1576, 0} (24, {28, 56, new_msg, 0, 456, 460, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\310\1\0\0\240\4\0\0" ... {28, 56, reply, 0, 456, 460, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0\310\1\0\0\240\4\0\0" ) ) == 0x0 02677 460 NtResumeThread (532, ... 1, ) == 0x0 02678 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 140640256, 2097152, ) == 0x0 02679 460 NtAllocateVirtualMemory (-1, 142729216, 0, 8192, 4096, 4, ... 02680 1184 NtTestAlert (... ) == 0x0 02681 1184 NtContinue (140639536, 1, ... 02682 1184 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02683 1184 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02679 460 NtAllocateVirtualMemory ... 142729216, 8192, ) == 0x0 02684 460 NtProtectVirtualMemory (-1, (0x881e000), 4096, 260, ... (0x881e000), 4096, 4, ) == 0x0 02685 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 536, {456, 1188}, ) == 0x0 02686 460 NtQueryInformationThread (536, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=456,Tid=1188,}, 0x0, ) == 0x0 02687 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1576, 0} (24, {28, 56, new_msg, 0, 456, 460, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\2\0\0\310\1\0\0\244\4\0\0" ... {28, 56, reply, 0, 456, 460, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\2\0\0\310\1\0\0\244\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1577, 0} (24, {28, 56, new_msg, 0, 456, 460, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\2\0\0\310\1\0\0\244\4\0\0" ... {28, 56, reply, 0, 456, 460, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\2\0\0\310\1\0\0\244\4\0\0" ) ) == 0x0 02688 460 NtResumeThread (536, ... 1, ) == 0x0 02689 1188 NtAllocateVirtualMemory (-1, 4612096, 0, 4096, 4096, 4, ... 4612096, 4096, ) == 0x0 02690 1188 NtTestAlert (... ) == 0x0 02691 1188 NtContinue (142736688, 1, ... 02692 1188 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02693 1188 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02694 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 142737408, 2097152, ) == 0x0 02695 460 NtAllocateVirtualMemory (-1, 144826368, 0, 8192, 4096, 4, ... 144826368, 8192, ) == 0x0 02696 460 NtProtectVirtualMemory (-1, (0x8a1e000), 4096, 260, ... (0x8a1e000), 4096, 4, ) == 0x0 02697 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 540, {456, 1096}, ) == 0x0 02698 460 NtQueryInformationThread (540, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=456,Tid=1096,}, 0x0, ) == 0x0 02699 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1577, 0} (24, {28, 56, new_msg, 0, 456, 460, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\2\0\0\310\1\0\0H\4\0\0" ... {28, 56, reply, 0, 456, 460, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\2\0\0\310\1\0\0H\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1578, 0} (24, {28, 56, new_msg, 0, 456, 460, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\2\0\0\310\1\0\0H\4\0\0" ... {28, 56, reply, 0, 456, 460, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\2\0\0\310\1\0\0H\4\0\0" ) ) == 0x0 02700 460 NtResumeThread (540, ... 1, ) == 0x0 02701 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 144834560, 2097152, ) == 0x0 02702 460 NtAllocateVirtualMemory (-1, 146923520, 0, 8192, 4096, 4, ... 02703 1096 NtTestAlert (... ) == 0x0 02704 1096 NtContinue (144833840, 1, ... 02705 1096 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02706 1096 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02702 460 NtAllocateVirtualMemory ... 146923520, 8192, ) == 0x0 02707 460 NtProtectVirtualMemory (-1, (0x8c1e000), 4096, 260, ... (0x8c1e000), 4096, 4, ) == 0x0 02708 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 544, {456, 1200}, ) == 0x0 02709 460 NtQueryInformationThread (544, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=456,Tid=1200,}, 0x0, ) == 0x0 02710 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1578, 0} (24, {28, 56, new_msg, 0, 456, 460, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\310\1\0\0\260\4\0\0" ... {28, 56, reply, 0, 456, 460, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\310\1\0\0\260\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1579, 0} (24, {28, 56, new_msg, 0, 456, 460, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\310\1\0\0\260\4\0\0" ... {28, 56, reply, 0, 456, 460, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\310\1\0\0\260\4\0\0" ) ) == 0x0 02711 460 NtResumeThread (544, ... 1, ) == 0x0 02712 1200 NtTestAlert (... ) == 0x0 02713 1200 NtContinue (146930992, 1, ... 02714 1200 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02715 1200 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02716 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 146931712, 2097152, ) == 0x0 02717 460 NtAllocateVirtualMemory (-1, 149020672, 0, 8192, 4096, 4, ... 149020672, 8192, ) == 0x0 02718 460 NtProtectVirtualMemory (-1, (0x8e1e000), 4096, 260, ... (0x8e1e000), 4096, 4, ) == 0x0 02719 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 548, {456, 1212}, ) == 0x0 02720 460 NtQueryInformationThread (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=456,Tid=1212,}, 0x0, ) == 0x0 02721 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1579, 0} (24, {28, 56, new_msg, 0, 456, 460, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\2\0\0\310\1\0\0\274\4\0\0" ... {28, 56, reply, 0, 456, 460, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\2\0\0\310\1\0\0\274\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1580, 0} (24, {28, 56, new_msg, 0, 456, 460, 1579, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\2\0\0\310\1\0\0\274\4\0\0" ... {28, 56, reply, 0, 456, 460, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\2\0\0\310\1\0\0\274\4\0\0" ) ) == 0x0 02722 460 NtResumeThread (548, ... 
1, ) == 0x0 02723 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 149028864, 2097152, ) == 0x0 02724 460 NtAllocateVirtualMemory (-1, 151117824, 0, 8192, 4096, 4, ... 02725 1212 NtTestAlert (... ) == 0x0 02726 1212 NtContinue (149028144, 1, ... 02727 1212 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02728 1212 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02724 460 NtAllocateVirtualMemory ... 151117824, 8192, ) == 0x0 02729 460 NtProtectVirtualMemory (-1, (0x901e000), 4096, 260, ... (0x901e000), 4096, 4, ) == 0x0 02730 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 552, {456, 1220}, ) == 0x0 02731 460 NtQueryInformationThread (552, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=456,Tid=1220,}, 0x0, ) == 0x0 02732 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1580, 0} (24, {28, 56, new_msg, 0, 456, 460, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\2\0\0\310\1\0\0\304\4\0\0" ... {28, 56, reply, 0, 456, 460, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\2\0\0\310\1\0\0\304\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1581, 0} (24, {28, 56, new_msg, 0, 456, 460, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\2\0\0\310\1\0\0\304\4\0\0" ... {28, 56, reply, 0, 456, 460, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\2\0\0\310\1\0\0\304\4\0\0" ) ) == 0x0 02733 460 NtResumeThread (552, ... 1, ) == 0x0 02734 1220 NtTestAlert (... ) == 0x0 02735 1220 NtContinue (151125296, 1, ... 02736 1220 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02737 1220 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02738 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 151126016, 2097152, ) == 0x0 02739 460 NtAllocateVirtualMemory (-1, 153214976, 0, 8192, 4096, 4, ... 153214976, 8192, ) == 0x0 02740 460 NtProtectVirtualMemory (-1, (0x921e000), 4096, 260, ... (0x921e000), 4096, 4, ) == 0x0 02741 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
556, {456, 1232}, ) == 0x0 02742 460 NtQueryInformationThread (556, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=456,Tid=1232,}, 0x0, ) == 0x0 02743 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1581, 0} (24, {28, 56, new_msg, 0, 456, 460, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\310\1\0\0\320\4\0\0" ... {28, 56, reply, 0, 456, 460, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\310\1\0\0\320\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1582, 0} (24, {28, 56, new_msg, 0, 456, 460, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\310\1\0\0\320\4\0\0" ... {28, 56, reply, 0, 456, 460, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\310\1\0\0\320\4\0\0" ) ) == 0x0 02744 460 NtResumeThread (556, ... 1, ) == 0x0 02745 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 153223168, 2097152, ) == 0x0 02746 460 NtAllocateVirtualMemory (-1, 155312128, 0, 8192, 4096, 4, ... 02747 1232 NtTestAlert (... ) == 0x0 02748 1232 NtContinue (153222448, 1, ... 02749 1232 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02750 1232 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02746 460 NtAllocateVirtualMemory ... 155312128, 8192, ) == 0x0 02751 460 NtProtectVirtualMemory (-1, (0x941e000), 4096, 260, ... (0x941e000), 4096, 4, ) == 0x0 02752 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 560, {456, 1244}, ) == 0x0 02753 460 NtQueryInformationThread (560, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=456,Tid=1244,}, 0x0, ) == 0x0 02754 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1582, 0} (24, {28, 56, new_msg, 0, 456, 460, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\2\0\0\310\1\0\0\334\4\0\0" ... {28, 56, reply, 0, 456, 460, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\2\0\0\310\1\0\0\334\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1583, 0} (24, {28, 56, new_msg, 0, 456, 460, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\2\0\0\310\1\0\0\334\4\0\0" ... 
{28, 56, reply, 0, 456, 460, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\2\0\0\310\1\0\0\334\4\0\0" ) ) == 0x0 02755 460 NtResumeThread (560, ... 1, ) == 0x0 02756 1244 NtTestAlert (... ) == 0x0 02757 1244 NtContinue (155319600, 1, ... 02758 1244 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02759 1244 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02760 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 155320320, 2097152, ) == 0x0 02761 460 NtAllocateVirtualMemory (-1, 157409280, 0, 8192, 4096, 4, ... 157409280, 8192, ) == 0x0 02762 460 NtProtectVirtualMemory (-1, (0x961e000), 4096, 260, ... (0x961e000), 4096, 4, ) == 0x0 02763 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 564, {456, 1248}, ) == 0x0 02764 460 NtQueryInformationThread (564, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=456,Tid=1248,}, 0x0, ) == 0x0 02765 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1583, 0} (24, {28, 56, new_msg, 0, 456, 460, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\2\0\0\310\1\0\0\340\4\0\0" ... {28, 56, reply, 0, 456, 460, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\2\0\0\310\1\0\0\340\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1584, 0} (24, {28, 56, new_msg, 0, 456, 460, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\2\0\0\310\1\0\0\340\4\0\0" ... {28, 56, reply, 0, 456, 460, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\2\0\0\310\1\0\0\340\4\0\0" ) ) == 0x0 02766 460 NtResumeThread (564, ... 1, ) == 0x0 02767 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 157417472, 2097152, ) == 0x0 02768 460 NtAllocateVirtualMemory (-1, 159506432, 0, 8192, 4096, 4, ... 02769 1248 NtTestAlert (... ) == 0x0 02770 1248 NtContinue (157416752, 1, ... 02771 1248 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02772 1248 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02768 460 NtAllocateVirtualMemory ... 
159506432, 8192, ) == 0x0 02773 460 NtProtectVirtualMemory (-1, (0x981e000), 4096, 260, ... (0x981e000), 4096, 4, ) == 0x0 02774 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 568, {456, 1252}, ) == 0x0 02775 460 NtQueryInformationThread (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=456,Tid=1252,}, 0x0, ) == 0x0 02776 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1584, 0} (24, {28, 56, new_msg, 0, 456, 460, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\2\0\0\310\1\0\0\344\4\0\0" ... {28, 56, reply, 0, 456, 460, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\2\0\0\310\1\0\0\344\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1585, 0} (24, {28, 56, new_msg, 0, 456, 460, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\2\0\0\310\1\0\0\344\4\0\0" ... {28, 56, reply, 0, 456, 460, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\2\0\0\310\1\0\0\344\4\0\0" ) ) == 0x0 02777 460 NtResumeThread (568, ... 1, ) == 0x0 02778 1252 NtTestAlert (... ) == 0x0 02779 1252 NtContinue (159513904, 1, ... 02780 1252 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02781 1252 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02782 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 159514624, 2097152, ) == 0x0 02783 460 NtAllocateVirtualMemory (-1, 161603584, 0, 8192, 4096, 4, ... 161603584, 8192, ) == 0x0 02784 460 NtProtectVirtualMemory (-1, (0x9a1e000), 4096, 260, ... (0x9a1e000), 4096, 4, ) == 0x0 02785 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 572, {456, 1256}, ) == 0x0 02786 460 NtQueryInformationThread (572, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=456,Tid=1256,}, 0x0, ) == 0x0 02787 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1585, 0} (24, {28, 56, new_msg, 0, 456, 460, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\310\1\0\0\350\4\0\0" ... {28, 56, reply, 0, 456, 460, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\310\1\0\0\350\4\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1586, 0} (24, {28, 56, new_msg, 0, 456, 460, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\310\1\0\0\350\4\0\0" ... {28, 56, reply, 0, 456, 460, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\310\1\0\0\350\4\0\0" ) ) == 0x0 02788 460 NtResumeThread (572, ... 1, ) == 0x0 02789 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 161611776, 2097152, ) == 0x0 02790 460 NtAllocateVirtualMemory (-1, 163700736, 0, 8192, 4096, 4, ... 02791 1256 NtAllocateVirtualMemory (-1, 13201408, 0, 4096, 4096, 4, ... 13201408, 4096, ) == 0x0 02792 1256 NtTestAlert (... ) == 0x0 02793 1256 NtContinue (161611056, 1, ... 02794 1256 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02795 1256 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02790 460 NtAllocateVirtualMemory ... 163700736, 8192, ) == 0x0 02796 460 NtProtectVirtualMemory (-1, (0x9c1e000), 4096, 260, ... (0x9c1e000), 4096, 4, ) == 0x0 02797 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 576, {456, 1260}, ) == 0x0 02798 460 NtQueryInformationThread (576, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=456,Tid=1260,}, 0x0, ) == 0x0 02799 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1586, 0} (24, {28, 56, new_msg, 0, 456, 460, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\310\1\0\0\354\4\0\0" ... {28, 56, reply, 0, 456, 460, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\310\1\0\0\354\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1587, 0} (24, {28, 56, new_msg, 0, 456, 460, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\310\1\0\0\354\4\0\0" ... {28, 56, reply, 0, 456, 460, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\310\1\0\0\354\4\0\0" ) ) == 0x0 02800 460 NtResumeThread (576, ... 1, ) == 0x0 02801 1260 NtTestAlert (... ) == 0x0 02802 1260 NtContinue (163708208, 1, ... 02803 1260 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02804 1260 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
02805 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 163708928, 2097152, ) == 0x0 02806 460 NtAllocateVirtualMemory (-1, 165797888, 0, 8192, 4096, 4, ... 165797888, 8192, ) == 0x0 02807 460 NtProtectVirtualMemory (-1, (0x9e1e000), 4096, 260, ... (0x9e1e000), 4096, 4, ) == 0x0 02808 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 580, {456, 1264}, ) == 0x0 02809 460 NtQueryInformationThread (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=456,Tid=1264,}, 0x0, ) == 0x0 02810 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1587, 0} (24, {28, 56, new_msg, 0, 456, 460, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\310\1\0\0\360\4\0\0" ... {28, 56, reply, 0, 456, 460, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\310\1\0\0\360\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1588, 0} (24, {28, 56, new_msg, 0, 456, 460, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\310\1\0\0\360\4\0\0" ... {28, 56, reply, 0, 456, 460, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0\310\1\0\0\360\4\0\0" ) ) == 0x0 02811 460 NtResumeThread (580, ... 1, ) == 0x0 02812 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 165806080, 2097152, ) == 0x0 02813 460 NtAllocateVirtualMemory (-1, 167895040, 0, 8192, 4096, 4, ... 02814 1264 NtTestAlert (... ) == 0x0 02815 1264 NtContinue (165805360, 1, ... 02816 1264 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02817 1264 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02813 460 NtAllocateVirtualMemory ... 167895040, 8192, ) == 0x0 02818 460 NtProtectVirtualMemory (-1, (0xa01e000), 4096, 260, ... (0xa01e000), 4096, 4, ) == 0x0 02819 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 584, {456, 1272}, ) == 0x0 02820 460 NtQueryInformationThread (584, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=456,Tid=1272,}, 0x0, ) == 0x0 02821 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1588, 0} (24, {28, 56, new_msg, 0, 456, 460, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\310\1\0\0\370\4\0\0" ... {28, 56, reply, 0, 456, 460, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\310\1\0\0\370\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1589, 0} (24, {28, 56, new_msg, 0, 456, 460, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\310\1\0\0\370\4\0\0" ... {28, 56, reply, 0, 456, 460, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\310\1\0\0\370\4\0\0" ) ) == 0x0 02822 460 NtResumeThread (584, ... 1, ) == 0x0 02823 1272 NtTestAlert (... ) == 0x0 02824 1272 NtContinue (167902512, 1, ... 02825 1272 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02826 1272 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02827 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 167903232, 2097152, ) == 0x0 02828 460 NtAllocateVirtualMemory (-1, 169992192, 0, 8192, 4096, 4, ... 169992192, 8192, ) == 0x0 02829 460 NtProtectVirtualMemory (-1, (0xa21e000), 4096, 260, ... (0xa21e000), 4096, 4, ) == 0x0 02830 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 588, {456, 1276}, ) == 0x0 02831 460 NtQueryInformationThread (588, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=456,Tid=1276,}, 0x0, ) == 0x0 02832 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1589, 0} (24, {28, 56, new_msg, 0, 456, 460, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\2\0\0\310\1\0\0\374\4\0\0" ... {28, 56, reply, 0, 456, 460, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\2\0\0\310\1\0\0\374\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1590, 0} (24, {28, 56, new_msg, 0, 456, 460, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\2\0\0\310\1\0\0\374\4\0\0" ... {28, 56, reply, 0, 456, 460, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\2\0\0\310\1\0\0\374\4\0\0" ) ) == 0x0 02833 460 NtResumeThread (588, ... 
1, ) == 0x0 02834 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 170000384, 2097152, ) == 0x0 02835 460 NtAllocateVirtualMemory (-1, 172089344, 0, 8192, 4096, 4, ... 02836 1276 NtTestAlert (... ) == 0x0 02837 1276 NtContinue (169999664, 1, ... 02838 1276 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02839 1276 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02835 460 NtAllocateVirtualMemory ... 172089344, 8192, ) == 0x0 02840 460 NtProtectVirtualMemory (-1, (0xa41e000), 4096, 260, ... (0xa41e000), 4096, 4, ) == 0x0 02841 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 592, {456, 1296}, ) == 0x0 02842 460 NtQueryInformationThread (592, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=456,Tid=1296,}, 0x0, ) == 0x0 02843 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1590, 0} (24, {28, 56, new_msg, 0, 456, 460, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\310\1\0\0\20\5\0\0" ... {28, 56, reply, 0, 456, 460, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\310\1\0\0\20\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1591, 0} (24, {28, 56, new_msg, 0, 456, 460, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\310\1\0\0\20\5\0\0" ... {28, 56, reply, 0, 456, 460, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\310\1\0\0\20\5\0\0" ) ) == 0x0 02844 460 NtResumeThread (592, ... 1, ) == 0x0 02845 1296 NtTestAlert (... ) == 0x0 02846 1296 NtContinue (172096816, 1, ... 02847 1296 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02848 1296 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02849 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 172097536, 2097152, ) == 0x0 02850 460 NtAllocateVirtualMemory (-1, 174186496, 0, 8192, 4096, 4, ... 174186496, 8192, ) == 0x0 02851 460 NtProtectVirtualMemory (-1, (0xa61e000), 4096, 260, ... (0xa61e000), 4096, 4, ) == 0x0 02852 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
596, {456, 1300}, ) == 0x0 02853 460 NtQueryInformationThread (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=456,Tid=1300,}, 0x0, ) == 0x0 02854 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1591, 0} (24, {28, 56, new_msg, 0, 456, 460, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\2\0\0\310\1\0\0\24\5\0\0" ... ... 02588 584 NtDelayExecution ... ) == 0x0 02854 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1592, 0} ... {28, 56, reply, 0, 456, 460, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\2\0\0\310\1\0\0\24\5\0\0" ) ) == 0x0 02855 460 NtResumeThread (596, ... 1, ) == 0x0 02856 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 174194688, 2097152, ) == 0x0 02857 460 NtAllocateVirtualMemory (-1, 176283648, 0, 8192, 4096, 4, ... 176283648, 8192, ) == 0x0 02858 460 NtProtectVirtualMemory (-1, (0xa81e000), 4096, 260, ... (0xa81e000), 4096, 4, ) == 0x0 02859 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 600, {456, 708}, ) == 0x0 02860 460 NtQueryInformationThread (600, Basic, 28, ... 02861 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 02862 1300 NtTestAlert (... 02861 584 NtOpenKey ... 604, ) == 0x0 02862 1300 NtTestAlert ... ) == 0x0 02863 584 NtOpenKey (0x20019, {24, 604, 0x40, 0, 0, (0x20019, {24, 604, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 02864 1300 NtContinue (174193968, 1, ... 02863 584 NtOpenKey ... 608, ) == 0x0 02865 1300 NtRegisterThreadTerminatePort (24, ... 02866 584 NtQueryValueKey (608, (608, "ComputerName", Full, 108, ... , Full, 108, ... 02865 1300 NtRegisterThreadTerminatePort ... ) == 0x0 02866 584 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02860 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=456,Tid=708,}, 0x0, ) == 0x0 02867 1300 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02868 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1592, 0} (24, {28, 56, new_msg, 0, 456, 460, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\310\1\0\0\304\2\0\0" ... {28, 56, reply, 0, 456, 460, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\310\1\0\0\304\2\0\0" ) ... {28, 56, reply, 0, 456, 460, 1593, 0} (24, {28, 56, new_msg, 0, 456, 460, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\310\1\0\0\304\2\0\0" ... {28, 56, reply, 0, 456, 460, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\310\1\0\0\304\2\0\0" ) ) == 0x0 02869 460 NtResumeThread (600, ... 1, ) == 0x0 02870 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 176291840, 2097152, ) == 0x0 02871 460 NtAllocateVirtualMemory (-1, 178380800, 0, 8192, 4096, 4, ... 178380800, 8192, ) == 0x0 02872 460 NtProtectVirtualMemory (-1, (0xaa1e000), 4096, 260, ... (0xaa1e000), 4096, 4, ) == 0x0 02873 584 NtClose (608, ... 02867 1300 NtSetInformationThread ... ) == 0x0 02874 708 NtTestAlert (... 02873 584 NtClose ... ) == 0x0 02875 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02874 708 NtTestAlert ... ) == 0x0 02876 584 NtClose (604, ... 02875 460 NtCreateThread ... 608, {456, 1284}, ) == 0x0 02877 708 NtContinue (176291120, 1, ... 02876 584 NtClose ... ) == 0x0 02878 460 NtQueryInformationThread (608, Basic, 28, ... 02879 708 NtRegisterThreadTerminatePort (24, ... 02880 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 02878 460 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=456,Tid=1284,}, 0x0, ) == 0x0 02879 708 NtRegisterThreadTerminatePort ... ) == 0x0 02880 584 NtOpenKey ... 604, ) == 0x0 02881 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1593, 0} (24, {28, 56, new_msg, 0, 456, 460, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\310\1\0\0\4\5\0\0" ... ... 02882 1300 NtDelayExecution (1, {0, 0}, ... 02883 708 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02881 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1594, 0} ... {28, 56, reply, 0, 456, 460, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\310\1\0\0\4\5\0\0" ) ) == 0x0 02884 584 NtQueryValueKey (604, (604, "Hostname", Full, 128, ... , Full, 128, ... 02885 460 NtResumeThread (608, ... 02884 584 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 02885 460 NtResumeThread ... 1, ) == 0x0 02886 584 NtClose (604, ... 02887 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02886 584 NtClose ... ) == 0x0 02887 460 NtAllocateVirtualMemory ... 178388992, 2097152, ) == 0x0 02888 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... }, ... 02889 460 NtAllocateVirtualMemory (-1, 180477952, 0, 8192, 4096, 4, ... 02888 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02883 708 NtSetInformationThread ... ) == 0x0 02890 1284 NtTestAlert (... 02889 460 NtAllocateVirtualMemory ... 180477952, 8192, ) == 0x0 02891 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 02890 1284 NtTestAlert ... ) == 0x0 02892 460 NtProtectVirtualMemory (-1, (0xac1e000), 4096, 260, ... 02891 584 NtOpenKey ... 
604, ) == 0x0 02893 1284 NtContinue (178388272, 1, ... 02892 460 NtProtectVirtualMemory ... (0xac1e000), 4096, 4, ) == 0x0 02894 584 NtQueryValueKey (604, (604, "Domain", Full, 128, ... , Full, 128, ... 02895 1284 NtRegisterThreadTerminatePort (24, ... 02896 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02894 584 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02895 1284 NtRegisterThreadTerminatePort ... ) == 0x0 02896 460 NtCreateThread ... 612, {456, 1316}, ) == 0x0 02897 584 NtClose (604, ... 02898 708 NtDelayExecution (1, {0, 0}, ... 02899 460 NtQueryInformationThread (612, Basic, 28, ... 02897 584 NtClose ... ) == 0x0 02900 1284 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02899 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=456,Tid=1316,}, 0x0, ) == 0x0 02901 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1594, 0} (24, {28, 56, new_msg, 0, 456, 460, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\2\0\0\310\1\0\0$\5\0\0" ... {28, 56, reply, 0, 456, 460, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\2\0\0\310\1\0\0$\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1595, 0} (24, {28, 56, new_msg, 0, 456, 460, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\2\0\0\310\1\0\0$\5\0\0" ... {28, 56, reply, 0, 456, 460, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\2\0\0\310\1\0\0$\5\0\0" ) ) == 0x0 02902 460 NtResumeThread (612, ... 1, ) == 0x0 02903 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 180486144, 2097152, ) == 0x0 02904 460 NtAllocateVirtualMemory (-1, 182575104, 0, 8192, 4096, 4, ... 182575104, 8192, ) == 0x0 02905 460 NtProtectVirtualMemory (-1, (0xae1e000), 4096, 260, ... (0xae1e000), 4096, 4, ) == 0x0 02906 584 NtQuerySystemInformation (Basic, 44, ... 02900 1284 NtSetInformationThread ... ) == 0x0 02907 1316 NtTestAlert (... 
02906 584 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02908 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02907 1316 NtTestAlert ... ) == 0x0 02909 584 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 02908 460 NtCreateThread ... 604, {456, 1288}, ) == 0x0 02910 1316 NtContinue (180485424, 1, ... 02909 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02911 460 NtQueryInformationThread (604, Basic, 28, ... 02912 1316 NtRegisterThreadTerminatePort (24, ... 02913 584 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 02911 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=456,Tid=1288,}, 0x0, ) == 0x0 02912 1316 NtRegisterThreadTerminatePort ... ) == 0x0 02913 584 NtOpenKey ... 616, ) == 0x0 02914 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1595, 0} (24, {28, 56, new_msg, 0, 456, 460, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\2\0\0\310\1\0\0\10\5\0\0" ... ... 02915 1284 NtDelayExecution (1, {0, 0}, ... 02916 1316 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02914 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1596, 0} ... {28, 56, reply, 0, 456, 460, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\2\0\0\310\1\0\0\10\5\0\0" ) ) == 0x0 02917 584 NtQueryValueKey (616, (616, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 02918 460 NtResumeThread (604, ... 02917 584 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02918 460 NtResumeThread ... 1, ) == 0x0 02919 584 NtClose (616, ... 02920 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02919 584 NtClose ... ) == 0x0 02920 460 NtAllocateVirtualMemory ... 182583296, 2097152, ) == 0x0 02921 584 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 02922 460 NtAllocateVirtualMemory (-1, 184672256, 0, 8192, 4096, 4, ... 02921 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02916 1316 NtSetInformationThread ... ) == 0x0 02923 1288 NtTestAlert (... 02922 460 NtAllocateVirtualMemory ... 184672256, 8192, ) == 0x0 02924 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02923 1288 NtTestAlert ... ) == 0x0 02925 460 NtProtectVirtualMemory (-1, (0xb01e000), 4096, 260, ... 02924 584 NtCreateEvent ... 616, ) == 0x0 02926 1288 NtContinue (182582576, 1, ... 02925 460 NtProtectVirtualMemory ... (0xb01e000), 4096, 4, ) == 0x0 02927 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02928 1288 NtRegisterThreadTerminatePort (24, ... 02929 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02927 584 NtCreateEvent ... 620, ) == 0x0 02928 1288 NtRegisterThreadTerminatePort ... ) == 0x0 02929 460 NtCreateThread ... 624, {456, 1320}, ) == 0x0 02930 584 NtQuerySystemTime (... 02931 1316 NtDelayExecution (1, {0, 0}, ... 02932 460 NtQueryInformationThread (624, Basic, 28, ... 02930 584 NtQuerySystemTime ... {-2081454758, 29889222}, ) == 0x0 02933 1288 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02932 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=456,Tid=1320,}, 0x0, ) == 0x0 02934 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1596, 0} (24, {28, 56, new_msg, 0, 456, 460, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\310\1\0\0(\5\0\0" ... {28, 56, reply, 0, 456, 460, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\310\1\0\0(\5\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1597, 0} (24, {28, 56, new_msg, 0, 456, 460, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\310\1\0\0(\5\0\0" ... {28, 56, reply, 0, 456, 460, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\310\1\0\0(\5\0\0" ) ) == 0x0 02935 460 NtResumeThread (624, ... 1, ) == 0x0 02936 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 184680448, 2097152, ) == 0x0 02937 460 NtAllocateVirtualMemory (-1, 186769408, 0, 8192, 4096, 4, ... 186769408, 8192, ) == 0x0 02938 460 NtProtectVirtualMemory (-1, (0xb21e000), 4096, 260, ... (0xb21e000), 4096, 4, ) == 0x0 02939 584 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02933 1288 NtSetInformationThread ... ) == 0x0 02940 1320 NtTestAlert (... 02939 584 NtCreateEvent ... 628, ) == 0x0 02941 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02940 1320 NtTestAlert ... ) == 0x0 02942 584 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 02941 460 NtCreateThread ... 632, {456, 1328}, ) == 0x0 02943 1320 NtContinue (184679728, 1, ... 02942 584 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02944 460 NtQueryInformationThread (632, Basic, 28, ... 02945 1320 NtRegisterThreadTerminatePort (24, ... 02946 584 NtQuerySystemInformation (Performance, 312, ... 02944 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=456,Tid=1328,}, 0x0, ) == 0x0 02945 1320 NtRegisterThreadTerminatePort ... ) == 0x0 02946 584 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 02947 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1597, 0} (24, {28, 56, new_msg, 0, 456, 460, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\2\0\0\310\1\0\00\5\0\0" ... ... 02948 1288 NtDelayExecution (1, {0, 0}, ... 02949 1320 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02947 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1598, 0} ... 
{28, 56, reply, 0, 456, 460, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\2\0\0\310\1\0\00\5\0\0" ) ) == 0x0 02950 584 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 02951 460 NtResumeThread (632, ... 02950 584 NtQueryInformationProcess ... {process info, class 1, size 32}, 0x0, ) == 0x0 02951 460 NtResumeThread ... 1, ) == 0x0 02952 584 NtQueryInformationProcess (-1, VmCounters, 44, ... 02953 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02952 584 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 02953 460 NtAllocateVirtualMemory ... 186777600, 2097152, ) == 0x0 02954 584 NtAllocateVirtualMemory (-1, 8626176, 0, 4096, 4096, 260, ... 02955 460 NtAllocateVirtualMemory (-1, 188866560, 0, 8192, 4096, 4, ... 02954 584 NtAllocateVirtualMemory ... 8626176, 4096, ) == 0x0 02949 1320 NtSetInformationThread ... ) == 0x0 02956 1328 NtWaitForSingleObject (36, 0, 0x0, ... 02955 460 NtAllocateVirtualMemory ... 188866560, 8192, ) == 0x0 02957 584 NtSetEventBoostPriority (36, ... 02958 460 NtProtectVirtualMemory (-1, (0xb41e000), 4096, 260, ... 02956 1328 NtWaitForSingleObject ... ) == 0x0 02957 584 NtSetEventBoostPriority ... ) == 0x0 02959 1328 NtTestAlert (... 02958 460 NtProtectVirtualMemory ... (0xb41e000), 4096, 4, ) == 0x0 02959 1328 NtTestAlert ... ) == 0x0 02960 584 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02961 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02962 1320 NtDelayExecution (1, {0, 0}, ... 02960 584 NtCreateEvent ... 636, ) == 0x0 02961 460 NtCreateThread ... 640, {456, 1340}, ) == 0x0 02963 1328 NtContinue (186776880, 1, ... 02964 584 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02965 460 NtQueryInformationThread (640, Basic, 28, ... 02966 1328 NtRegisterThreadTerminatePort (24, ... 02964 584 NtDuplicateObject ... 644, ) == 0x0 02966 1328 NtRegisterThreadTerminatePort ... ) == 0x0 02965 460 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=456,Tid=1340,}, 0x0, ) == 0x0 02967 1328 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02968 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1598, 0} (24, {28, 56, new_msg, 0, 456, 460, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\310\1\0\0<\5\0\0" ... {28, 56, reply, 0, 456, 460, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\310\1\0\0<\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1599, 0} (24, {28, 56, new_msg, 0, 456, 460, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\310\1\0\0<\5\0\0" ... {28, 56, reply, 0, 456, 460, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\310\1\0\0<\5\0\0" ) ) == 0x0 02969 460 NtResumeThread (640, ... 1, ) == 0x0 02970 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 188874752, 2097152, ) == 0x0 02971 460 NtAllocateVirtualMemory (-1, 190963712, 0, 8192, 4096, 4, ... 190963712, 8192, ) == 0x0 02972 460 NtProtectVirtualMemory (-1, (0xb61e000), 4096, 260, ... (0xb61e000), 4096, 4, ) == 0x0 02973 584 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 02967 1328 NtSetInformationThread ... ) == 0x0 02974 1340 NtTestAlert (... 02973 584 NtOpenKey ... 648, ) == 0x0 02975 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02974 1340 NtTestAlert ... ) == 0x0 02976 584 NtOpenKey (0x20019, {24, 648, 0x40, 0, 0, (0x20019, {24, 648, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 02975 460 NtCreateThread ... 652, {456, 1348}, ) == 0x0 02977 1340 NtContinue (188874032, 1, ... 02976 584 NtOpenKey ... 656, ) == 0x0 02978 460 NtQueryInformationThread (652, Basic, 28, ... 02979 1340 NtRegisterThreadTerminatePort (24, ... 02980 584 NtQueryValueKey (656, (656, "ComputerName", Full, 108, ... , Full, 108, ... 02978 460 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=456,Tid=1348,}, 0x0, ) == 0x0 02979 1340 NtRegisterThreadTerminatePort ... ) == 0x0 02980 584 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02981 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1599, 0} (24, {28, 56, new_msg, 0, 456, 460, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\2\0\0\310\1\0\0D\5\0\0" ... ... 02982 1328 NtDelayExecution (1, {0, 0}, ... 02983 1340 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02981 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1600, 0} ... {28, 56, reply, 0, 456, 460, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\2\0\0\310\1\0\0D\5\0\0" ) ) == 0x0 02984 584 NtClose (656, ... 02985 460 NtResumeThread (652, ... 02984 584 NtClose ... ) == 0x0 02985 460 NtResumeThread ... 1, ) == 0x0 02986 584 NtClose (648, ... 02987 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02986 584 NtClose ... ) == 0x0 02987 460 NtAllocateVirtualMemory ... 190971904, 2097152, ) == 0x0 02988 584 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 02989 460 NtAllocateVirtualMemory (-1, 193060864, 0, 8192, 4096, 4, ... 02988 584 NtCreateIoCompletion ... 648, ) == 0x0 02983 1340 NtSetInformationThread ... ) == 0x0 02990 1348 NtTestAlert (... 02989 460 NtAllocateVirtualMemory ... 193060864, 8192, ) == 0x0 02991 584 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 02990 1348 NtTestAlert ... ) == 0x0 02992 460 NtProtectVirtualMemory (-1, (0xb81e000), 4096, 260, ... 02991 584 NtCreateIoCompletion ... 656, ) == 0x0 02993 1348 NtContinue (190971184, 1, ... 02992 460 NtProtectVirtualMemory ... (0xb81e000), 4096, 4, ) == 0x0 02994 584 NtDuplicateObject (-1, 648, -1, 0x0, 0, 2, ... 02995 1348 NtRegisterThreadTerminatePort (24, ... 
02996 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02994 584 NtDuplicateObject ... 660, ) == 0x0 02995 1348 NtRegisterThreadTerminatePort ... ) == 0x0 02996 460 NtCreateThread ... 664, {456, 1344}, ) == 0x0 02997 584 NtAllocateVirtualMemory (-1, 4616192, 0, 4096, 4096, 4, ... 02998 1340 NtDelayExecution (1, {0, 0}, ... 02999 460 NtQueryInformationThread (664, Basic, 28, ... 02997 584 NtAllocateVirtualMemory ... 4616192, 4096, ) == 0x0 03000 1348 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02999 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=456,Tid=1344,}, 0x0, ) == 0x0 03001 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1600, 0} (24, {28, 56, new_msg, 0, 456, 460, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\2\0\0\310\1\0\0@\5\0\0" ... {28, 56, reply, 0, 456, 460, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\2\0\0\310\1\0\0@\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1601, 0} (24, {28, 56, new_msg, 0, 456, 460, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\2\0\0\310\1\0\0@\5\0\0" ... {28, 56, reply, 0, 456, 460, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\2\0\0\310\1\0\0@\5\0\0" ) ) == 0x0 03002 460 NtResumeThread (664, ... 1, ) == 0x0 03003 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 193069056, 2097152, ) == 0x0 03004 460 NtAllocateVirtualMemory (-1, 195158016, 0, 8192, 4096, 4, ... 195158016, 8192, ) == 0x0 03005 460 NtProtectVirtualMemory (-1, (0xba1e000), 4096, 260, ... (0xba1e000), 4096, 4, ) == 0x0 03006 584 NtOpenThreadToken (-2, 0xc, 1, ... 03000 1348 NtSetInformationThread ... ) == 0x0 03007 1344 NtTestAlert (... 03006 584 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 03008 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03007 1344 NtTestAlert ... ) == 0x0 03009 584 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03008 460 NtCreateThread ... 668, {456, 1352}, ) == 0x0 03010 1344 NtContinue (193068336, 1, ... 03009 584 NtCreateEvent ... 
672, ) == 0x0 03011 460 NtQueryInformationThread (668, Basic, 28, ... 03012 1344 NtRegisterThreadTerminatePort (24, ... 03013 584 NtOpenThreadToken (-2, 0xc, 1, ... 03011 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=456,Tid=1352,}, 0x0, ) == 0x0 03012 1344 NtRegisterThreadTerminatePort ... ) == 0x0 03013 584 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 03014 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1601, 0} (24, {28, 56, new_msg, 0, 456, 460, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\2\0\0\310\1\0\0H\5\0\0" ... ... 03015 1348 NtDelayExecution (1, {0, 0}, ... 03016 1344 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03014 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1602, 0} ... {28, 56, reply, 0, 456, 460, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\2\0\0\310\1\0\0H\5\0\0" ) ) == 0x0 03017 584 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 03018 460 NtResumeThread (668, ... 03017 584 NtSetInformationThread ... ) == 0x0 03018 460 NtResumeThread ... 1, ) == 0x0 03019 584 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 8635936, (0xc0100080, {24, 0, 0x40, 0, 8635936, "\??\PIPE\SfcApi"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ... 03020 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03019 584 NtCreateFile ... 676, {status=0x0, info=1}, ) == 0x0 03020 460 NtAllocateVirtualMemory ... 195166208, 2097152, ) == 0x0 03021 584 NtSetInformationFile (676, 8635992, 8, Pipe, ... 03022 460 NtAllocateVirtualMemory (-1, 197255168, 0, 8192, 4096, 4, ... 03021 584 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03016 1344 NtSetInformationThread ... ) == 0x0 03023 1352 NtTestAlert (... 03022 460 NtAllocateVirtualMemory ... 197255168, 8192, ) == 0x0 03024 584 NtSetInformationFile (676, 8635984, 8, Completion, ... 03023 1352 NtTestAlert ... ) == 0x0 03025 460 NtProtectVirtualMemory (-1, (0xbc1e000), 4096, 260, ... 
03024 584 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03026 1352 NtContinue (195165488, 1, ... 03025 460 NtProtectVirtualMemory ... (0xbc1e000), 4096, 4, ) == 0x0 03027 584 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 03028 1352 NtRegisterThreadTerminatePort (24, ... 03029 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03027 584 NtSetInformationThread ... ) == 0x0 03028 1352 NtRegisterThreadTerminatePort ... ) == 0x0 03029 460 NtCreateThread ... 680, {456, 1360}, ) == 0x0 03030 584 NtWriteFile (676, 637, 0, 0, (676, 637, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\0|\332\203O\350\322\21\230\7\0\300O\216\310P\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ... 03031 1344 NtDelayExecution (1, {0, 0}, ... 03032 460 NtQueryInformationThread (680, Basic, 28, ... 03030 584 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 03033 1352 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03032 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=456,Tid=1360,}, 0x0, ) == 0x0 03034 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1602, 0} (24, {28, 56, new_msg, 0, 456, 460, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\310\1\0\0P\5\0\0" ... {28, 56, reply, 0, 456, 460, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\310\1\0\0P\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1603, 0} (24, {28, 56, new_msg, 0, 456, 460, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\310\1\0\0P\5\0\0" ... {28, 56, reply, 0, 456, 460, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\310\1\0\0P\5\0\0" ) ) == 0x0 03035 460 NtResumeThread (680, ... 1, ) == 0x0 03036 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 197263360, 2097152, ) == 0x0 03037 460 NtAllocateVirtualMemory (-1, 199352320, 0, 8192, 4096, 4, ... 
199352320, 8192, ) == 0x0 03038 460 NtProtectVirtualMemory (-1, (0xbe1e000), 4096, 260, ... (0xbe1e000), 4096, 4, ) == 0x0 03039 584 NtReadFile (676, 637, 0, 0, 1024, {0, 0}, 0, ... 03033 1352 NtSetInformationThread ... ) == 0x0 03040 1360 NtTestAlert (... 03039 584 NtReadFile ... {status=0x0, info=68}, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\313\35\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03041 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03040 1360 NtTestAlert ... ) == 0x0 03042 584 NtFsControlFile (676, 637, 0x0, 0x0, 0x11c017, (676, 637, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0h\0\0\0\1\0\0\0P\0\0\0\0\0\1\0\306\317\203\0 \0\0\0\0\0\0\0 \0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0u\0t\0i\0l\0m\0a\0n\0.\0e\0x\0e\0\0\0", 104, 1024, ... , 104, 1024, ... 03041 460 NtCreateThread ... 684, {456, 1324}, ) == 0x0 03043 1360 NtContinue (197262640, 1, ... 03042 584 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\313\35\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03044 460 NtQueryInformationThread (684, Basic, 28, ... 03045 1360 NtRegisterThreadTerminatePort (24, ... 03046 584 NtFsControlFile (676, 637, 0x0, 0x0, 0x11c017, (676, 637, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0l\0\0\0\2\0\0\0T\0\0\0\0\0\2\0`{F\0 \0\0\0\0\0\0\0 \0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0u\0t\0i\0l\0m\0a\0n\0.\0e\0x\0e\0\0\0\377\377\377\377", 108, 1024, ... , 108, 1024, ... 03044 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=456,Tid=1324,}, 0x0, ) == 0x0 03045 1360 NtRegisterThreadTerminatePort ... ) == 0x0 03046 584 NtFsControlFile ... {status=0x103, info=28}, ... 
{status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 03047 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1603, 0} (24, {28, 56, new_msg, 0, 456, 460, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\2\0\0\310\1\0\0,\5\0\0" ... ... 03048 1352 NtDelayExecution (1, {0, 0}, ... 03049 1360 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03047 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1604, 0} ... {28, 56, reply, 0, 456, 460, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\2\0\0\310\1\0\0,\5\0\0" ) ) == 0x0 03050 584 NtAllocateVirtualMemory (-1, 8622080, 0, 4096, 4096, 260, ... 03051 460 NtResumeThread (684, ... 03050 584 NtAllocateVirtualMemory ... 8622080, 4096, ) == 0x0 03051 460 NtResumeThread ... 1, ) == 0x0 03052 584 NtAllocateVirtualMemory (-1, 8617984, 0, 4096, 4096, 260, ... 03053 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03052 584 NtAllocateVirtualMemory ... 8617984, 4096, ) == 0x0 03053 460 NtAllocateVirtualMemory ... 199360512, 2097152, ) == 0x0 03054 584 NtAllocateVirtualMemory (-1, 8613888, 0, 4096, 4096, 260, ... 03055 460 NtAllocateVirtualMemory (-1, 201449472, 0, 8192, 4096, 4, ... 03054 584 NtAllocateVirtualMemory ... 8613888, 4096, ) == 0x0 03049 1360 NtSetInformationThread ... ) == 0x0 03056 1324 NtTestAlert (... 03055 460 NtAllocateVirtualMemory ... 201449472, 8192, ) == 0x0 03057 584 NtAllocateVirtualMemory (-1, 8609792, 0, 4096, 4096, 260, ... 03056 1324 NtTestAlert ... ) == 0x0 03058 460 NtProtectVirtualMemory (-1, (0xc01e000), 4096, 260, ... 03057 584 NtAllocateVirtualMemory ... 8609792, 4096, ) == 0x0 03059 1324 NtContinue (199359792, 1, ... 03058 460 NtProtectVirtualMemory ... (0xc01e000), 4096, 4, ) == 0x0 03060 584 NtAllocateVirtualMemory (-1, 8605696, 0, 4096, 4096, 260, ... 03061 1324 NtRegisterThreadTerminatePort (24, ... 03062 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
03060 584 NtAllocateVirtualMemory ... 8605696, 4096, ) == 0x0 03061 1324 NtRegisterThreadTerminatePort ... ) == 0x0 03062 460 NtCreateThread ... 688, {456, 1364}, ) == 0x0 03063 584 NtAllocateVirtualMemory (-1, 8601600, 0, 4096, 4096, 260, ... 03064 1360 NtDelayExecution (1, {0, 0}, ... 03065 460 NtQueryInformationThread (688, Basic, 28, ... 03063 584 NtAllocateVirtualMemory ... 8601600, 4096, ) == 0x0 03066 1324 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03065 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=456,Tid=1364,}, 0x0, ) == 0x0 03067 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1604, 0} (24, {28, 56, new_msg, 0, 456, 460, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\310\1\0\0T\5\0\0" ... {28, 56, reply, 0, 456, 460, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\310\1\0\0T\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1605, 0} (24, {28, 56, new_msg, 0, 456, 460, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\310\1\0\0T\5\0\0" ... {28, 56, reply, 0, 456, 460, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\310\1\0\0T\5\0\0" ) ) == 0x0 03068 460 NtResumeThread (688, ... 1, ) == 0x0 03069 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 201457664, 2097152, ) == 0x0 03070 460 NtAllocateVirtualMemory (-1, 203546624, 0, 8192, 4096, 4, ... 203546624, 8192, ) == 0x0 03071 460 NtProtectVirtualMemory (-1, (0xc21e000), 4096, 260, ... (0xc21e000), 4096, 4, ) == 0x0 03072 584 NtAllocateVirtualMemory (-1, 8597504, 0, 4096, 4096, 260, ... 03066 1324 NtSetInformationThread ... ) == 0x0 03073 1364 NtTestAlert (... 03072 584 NtAllocateVirtualMemory ... 8597504, 4096, ) == 0x0 03074 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03073 1364 NtTestAlert ... ) == 0x0 03075 584 NtAllocateVirtualMemory (-1, 8593408, 0, 4096, 4096, 260, ... 03074 460 NtCreateThread ... 692, {456, 1132}, ) == 0x0 03076 1364 NtContinue (201456944, 1, ... 
03075 584 NtAllocateVirtualMemory ... 8593408, 4096, ) == 0x0 03077 460 NtQueryInformationThread (692, Basic, 28, ... 03078 1364 NtRegisterThreadTerminatePort (24, ... 03079 584 NtAllocateVirtualMemory (-1, 8589312, 0, 4096, 4096, 260, ... 03077 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=456,Tid=1132,}, 0x0, ) == 0x0 03078 1364 NtRegisterThreadTerminatePort ... ) == 0x0 03079 584 NtAllocateVirtualMemory ... 8589312, 4096, ) == 0x0 03080 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1605, 0} (24, {28, 56, new_msg, 0, 456, 460, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\310\1\0\0l\4\0\0" ... ... 03081 1324 NtDelayExecution (1, {0, 0}, ... 03082 1364 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03080 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1606, 0} ... {28, 56, reply, 0, 456, 460, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\310\1\0\0l\4\0\0" ) ) == 0x0 03083 584 NtAllocateVirtualMemory (-1, 8585216, 0, 4096, 4096, 260, ... 03084 460 NtResumeThread (692, ... 03083 584 NtAllocateVirtualMemory ... 8585216, 4096, ) == 0x0 03084 460 NtResumeThread ... 1, ) == 0x0 03085 584 NtAllocateVirtualMemory (-1, 8581120, 0, 4096, 4096, 260, ... 03086 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03085 584 NtAllocateVirtualMemory ... 8581120, 4096, ) == 0x0 03086 460 NtAllocateVirtualMemory ... 203554816, 2097152, ) == 0x0 03087 584 NtAllocateVirtualMemory (-1, 8577024, 0, 4096, 4096, 260, ... 03088 460 NtAllocateVirtualMemory (-1, 205643776, 0, 8192, 4096, 4, ... 03087 584 NtAllocateVirtualMemory ... 8577024, 4096, ) == 0x0 03082 1364 NtSetInformationThread ... ) == 0x0 03089 1132 NtTestAlert (... 03088 460 NtAllocateVirtualMemory ... 205643776, 8192, ) == 0x0 03090 584 NtAllocateVirtualMemory (-1, 8572928, 0, 4096, 4096, 260, ... 03089 1132 NtTestAlert ... ) == 0x0 03091 460 NtProtectVirtualMemory (-1, (0xc41e000), 4096, 260, ... 
03090 584 NtAllocateVirtualMemory ... 8572928, 4096, ) == 0x0 03092 1132 NtContinue (203554096, 1, ... 03091 460 NtProtectVirtualMemory ... (0xc41e000), 4096, 4, ) == 0x0 03093 584 NtAllocateVirtualMemory (-1, 8568832, 0, 4096, 4096, 260, ... 03094 1132 NtRegisterThreadTerminatePort (24, ... 03095 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03093 584 NtAllocateVirtualMemory ... 8568832, 4096, ) == 0x0 03094 1132 NtRegisterThreadTerminatePort ... ) == 0x0 03095 460 NtCreateThread ... 696, {456, 1336}, ) == 0x0 03096 584 NtAllocateVirtualMemory (-1, 8564736, 0, 4096, 4096, 260, ... 03097 1364 NtDelayExecution (1, {0, 0}, ... 03098 460 NtQueryInformationThread (696, Basic, 28, ... 03096 584 NtAllocateVirtualMemory ... 8564736, 4096, ) == 0x0 03099 1132 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03098 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=456,Tid=1336,}, 0x0, ) == 0x0 03100 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1606, 0} (24, {28, 56, new_msg, 0, 456, 460, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\310\1\0\08\5\0\0" ... {28, 56, reply, 0, 456, 460, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\310\1\0\08\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1607, 0} (24, {28, 56, new_msg, 0, 456, 460, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\310\1\0\08\5\0\0" ... {28, 56, reply, 0, 456, 460, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\310\1\0\08\5\0\0" ) ) == 0x0 03101 460 NtResumeThread (696, ... 1, ) == 0x0 03102 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 205651968, 2097152, ) == 0x0 03103 460 NtAllocateVirtualMemory (-1, 207740928, 0, 8192, 4096, 4, ... 207740928, 8192, ) == 0x0 03104 460 NtProtectVirtualMemory (-1, (0xc61e000), 4096, 260, ... (0xc61e000), 4096, 4, ) == 0x0 03105 584 NtAllocateVirtualMemory (-1, 8560640, 0, 4096, 4096, 260, ... 03099 1132 NtSetInformationThread ... 
) == 0x0 03106 1336 NtTestAlert (... 03105 584 NtAllocateVirtualMemory ... 8560640, 4096, ) == 0x0 03107 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03106 1336 NtTestAlert ... ) == 0x0 03108 584 NtAllocateVirtualMemory (-1, 8556544, 0, 4096, 4096, 260, ... 03107 460 NtCreateThread ... 700, {456, 1452}, ) == 0x0 03109 1336 NtContinue (205651248, 1, ... 03108 584 NtAllocateVirtualMemory ... 8556544, 4096, ) == 0x0 03110 460 NtQueryInformationThread (700, Basic, 28, ... 03111 1336 NtRegisterThreadTerminatePort (24, ... 03112 584 NtAllocateVirtualMemory (-1, 8552448, 0, 4096, 4096, 260, ... 03110 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=456,Tid=1452,}, 0x0, ) == 0x0 03111 1336 NtRegisterThreadTerminatePort ... ) == 0x0 03112 584 NtAllocateVirtualMemory ... 8552448, 4096, ) == 0x0 03113 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1607, 0} (24, {28, 56, new_msg, 0, 456, 460, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\310\1\0\0\254\5\0\0" ... ... 03114 1132 NtDelayExecution (1, {0, 0}, ... 03115 1336 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03113 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1608, 0} ... {28, 56, reply, 0, 456, 460, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\310\1\0\0\254\5\0\0" ) ) == 0x0 03116 584 NtAllocateVirtualMemory (-1, 8548352, 0, 4096, 4096, 260, ... 03117 460 NtResumeThread (700, ... 03116 584 NtAllocateVirtualMemory ... 8548352, 4096, ) == 0x0 03117 460 NtResumeThread ... 1, ) == 0x0 03118 584 NtAllocateVirtualMemory (-1, 8544256, 0, 4096, 4096, 260, ... 03119 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03118 584 NtAllocateVirtualMemory ... 8544256, 4096, ) == 0x0 03119 460 NtAllocateVirtualMemory ... 207749120, 2097152, ) == 0x0 03120 584 NtAllocateVirtualMemory (-1, 8540160, 0, 4096, 4096, 260, ... 03121 460 NtAllocateVirtualMemory (-1, 209838080, 0, 8192, 4096, 4, ... 
03120 584 NtAllocateVirtualMemory ... 8540160, 4096, ) == 0x0 03115 1336 NtSetInformationThread ... ) == 0x0 03122 1452 NtTestAlert (... 03121 460 NtAllocateVirtualMemory ... 209838080, 8192, ) == 0x0 03123 584 NtAllocateVirtualMemory (-1, 8536064, 0, 4096, 4096, 260, ... 03122 1452 NtTestAlert ... ) == 0x0 03124 460 NtProtectVirtualMemory (-1, (0xc81e000), 4096, 260, ... 03123 584 NtAllocateVirtualMemory ... 8536064, 4096, ) == 0x0 03125 1452 NtContinue (207748400, 1, ... 03124 460 NtProtectVirtualMemory ... (0xc81e000), 4096, 4, ) == 0x0 03126 584 NtAllocateVirtualMemory (-1, 8531968, 0, 4096, 4096, 260, ... 03127 1452 NtRegisterThreadTerminatePort (24, ... 03128 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03126 584 NtAllocateVirtualMemory ... 8531968, 4096, ) == 0x0 03127 1452 NtRegisterThreadTerminatePort ... ) == 0x0 03128 460 NtCreateThread ... 704, {456, 1236}, ) == 0x0 03129 584 NtAllocateVirtualMemory (-1, 8527872, 0, 4096, 4096, 260, ... 03130 1336 NtDelayExecution (1, {0, 0}, ... 03131 460 NtQueryInformationThread (704, Basic, 28, ... 03129 584 NtAllocateVirtualMemory ... 8527872, 4096, ) == 0x0 03132 1452 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03131 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=456,Tid=1236,}, 0x0, ) == 0x0 03133 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1608, 0} (24, {28, 56, new_msg, 0, 456, 460, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\310\1\0\0\324\4\0\0" ... {28, 56, reply, 0, 456, 460, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\310\1\0\0\324\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1609, 0} (24, {28, 56, new_msg, 0, 456, 460, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\310\1\0\0\324\4\0\0" ... {28, 56, reply, 0, 456, 460, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\310\1\0\0\324\4\0\0" ) ) == 0x0 03134 460 NtResumeThread (704, ... 
1, ) == 0x0 03135 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 209846272, 2097152, ) == 0x0 03136 460 NtAllocateVirtualMemory (-1, 211935232, 0, 8192, 4096, 4, ... 211935232, 8192, ) == 0x0 03137 460 NtProtectVirtualMemory (-1, (0xca1e000), 4096, 260, ... (0xca1e000), 4096, 4, ) == 0x0 03138 584 NtAllocateVirtualMemory (-1, 8523776, 0, 4096, 4096, 260, ... 03132 1452 NtSetInformationThread ... ) == 0x0 03139 1236 NtTestAlert (... 03138 584 NtAllocateVirtualMemory ... 8523776, 4096, ) == 0x0 03140 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03139 1236 NtTestAlert ... ) == 0x0 03141 584 NtAllocateVirtualMemory (-1, 8519680, 0, 4096, 4096, 260, ... 03140 460 NtCreateThread ... 708, {456, 1476}, ) == 0x0 03142 1236 NtContinue (209845552, 1, ... 03141 584 NtAllocateVirtualMemory ... 8519680, 4096, ) == 0x0 03143 460 NtQueryInformationThread (708, Basic, 28, ... 03144 1236 NtRegisterThreadTerminatePort (24, ... 03145 584 NtAllocateVirtualMemory (-1, 8515584, 0, 4096, 4096, 260, ... 03143 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=456,Tid=1476,}, 0x0, ) == 0x0 03144 1236 NtRegisterThreadTerminatePort ... ) == 0x0 03145 584 NtAllocateVirtualMemory ... 8515584, 4096, ) == 0x0 03146 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1609, 0} (24, {28, 56, new_msg, 0, 456, 460, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\2\0\0\310\1\0\0\304\5\0\0" ... ... 03147 1452 NtDelayExecution (1, {0, 0}, ... 03148 1236 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03146 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1610, 0} ... {28, 56, reply, 0, 456, 460, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\2\0\0\310\1\0\0\304\5\0\0" ) ) == 0x0 03149 584 NtAllocateVirtualMemory (-1, 8511488, 0, 4096, 4096, 260, ... 03150 460 NtResumeThread (708, ... 03149 584 NtAllocateVirtualMemory ... 8511488, 4096, ) == 0x0 03150 460 NtResumeThread ... 
1, ) == 0x0 03151 584 NtAllocateVirtualMemory (-1, 8507392, 0, 4096, 4096, 260, ... 03152 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03151 584 NtAllocateVirtualMemory ... 8507392, 4096, ) == 0x0 03152 460 NtAllocateVirtualMemory ... 211943424, 2097152, ) == 0x0 03153 584 NtAllocateVirtualMemory (-1, 8503296, 0, 4096, 4096, 260, ... 03154 460 NtAllocateVirtualMemory (-1, 214032384, 0, 8192, 4096, 4, ... 03153 584 NtAllocateVirtualMemory ... 8503296, 4096, ) == 0x0 03148 1236 NtSetInformationThread ... ) == 0x0 03155 1476 NtTestAlert (... 03154 460 NtAllocateVirtualMemory ... 214032384, 8192, ) == 0x0 03156 584 NtAllocateVirtualMemory (-1, 8499200, 0, 4096, 4096, 260, ... 03155 1476 NtTestAlert ... ) == 0x0 03157 460 NtProtectVirtualMemory (-1, (0xcc1e000), 4096, 260, ... 03156 584 NtAllocateVirtualMemory ... 8499200, 4096, ) == 0x0 03158 1476 NtContinue (211942704, 1, ... 03157 460 NtProtectVirtualMemory ... (0xcc1e000), 4096, 4, ) == 0x0 03159 584 NtAllocateVirtualMemory (-1, 8495104, 0, 4096, 4096, 260, ... 03160 1476 NtRegisterThreadTerminatePort (24, ... 03161 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03159 584 NtAllocateVirtualMemory ... 8495104, 4096, ) == 0x0 03160 1476 NtRegisterThreadTerminatePort ... ) == 0x0 03161 460 NtCreateThread ... 712, {456, 1480}, ) == 0x0 03162 584 NtAllocateVirtualMemory (-1, 8491008, 0, 4096, 4096, 260, ... 03163 1236 NtDelayExecution (1, {0, 0}, ... 03164 460 NtQueryInformationThread (712, Basic, 28, ... 03162 584 NtAllocateVirtualMemory ... 8491008, 4096, ) == 0x0 03165 1476 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03164 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=456,Tid=1480,}, 0x0, ) == 0x0 03166 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1610, 0} (24, {28, 56, new_msg, 0, 456, 460, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\310\1\0\0\310\5\0\0" ... 
{28, 56, reply, 0, 456, 460, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\310\1\0\0\310\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1611, 0} (24, {28, 56, new_msg, 0, 456, 460, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\310\1\0\0\310\5\0\0" ... {28, 56, reply, 0, 456, 460, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\310\1\0\0\310\5\0\0" ) ) == 0x0 03167 460 NtResumeThread (712, ... 1, ) == 0x0 03168 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 214040576, 2097152, ) == 0x0 03169 460 NtAllocateVirtualMemory (-1, 216129536, 0, 8192, 4096, 4, ... 216129536, 8192, ) == 0x0 03170 460 NtProtectVirtualMemory (-1, (0xce1e000), 4096, 260, ... (0xce1e000), 4096, 4, ) == 0x0 03171 584 NtAllocateVirtualMemory (-1, 8486912, 0, 4096, 4096, 260, ... 03165 1476 NtSetInformationThread ... ) == 0x0 03172 1480 NtTestAlert (... 03171 584 NtAllocateVirtualMemory ... 8486912, 4096, ) == 0x0 03173 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03172 1480 NtTestAlert ... ) == 0x0 03174 584 NtAllocateVirtualMemory (-1, 8482816, 0, 4096, 4096, 260, ... 03173 460 NtCreateThread ... 716, {456, 1484}, ) == 0x0 03175 1480 NtContinue (214039856, 1, ... 03174 584 NtAllocateVirtualMemory ... 8482816, 4096, ) == 0x0 03176 460 NtQueryInformationThread (716, Basic, 28, ... 03177 1480 NtRegisterThreadTerminatePort (24, ... 03178 584 NtAllocateVirtualMemory (-1, 8478720, 0, 4096, 4096, 260, ... 03176 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=456,Tid=1484,}, 0x0, ) == 0x0 03177 1480 NtRegisterThreadTerminatePort ... ) == 0x0 03178 584 NtAllocateVirtualMemory ... 8478720, 4096, ) == 0x0 03179 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1611, 0} (24, {28, 56, new_msg, 0, 456, 460, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\310\1\0\0\314\5\0\0" ... ... 03180 1476 NtDelayExecution (1, {0, 0}, ... 03181 1480 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
03179 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1612, 0} ... {28, 56, reply, 0, 456, 460, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\310\1\0\0\314\5\0\0" ) ) == 0x0 03182 584 NtAllocateVirtualMemory (-1, 8474624, 0, 4096, 4096, 260, ... 03183 460 NtResumeThread (716, ... 03182 584 NtAllocateVirtualMemory ... 8474624, 4096, ) == 0x0 03183 460 NtResumeThread ... 1, ) == 0x0 03184 584 NtAllocateVirtualMemory (-1, 8470528, 0, 4096, 4096, 260, ... 03185 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03184 584 NtAllocateVirtualMemory ... 8470528, 4096, ) == 0x0 03185 460 NtAllocateVirtualMemory ... 216137728, 2097152, ) == 0x0 03186 584 NtAllocateVirtualMemory (-1, 8466432, 0, 4096, 4096, 260, ... 03187 460 NtAllocateVirtualMemory (-1, 218226688, 0, 8192, 4096, 4, ... 03186 584 NtAllocateVirtualMemory ... 8466432, 4096, ) == 0x0 03181 1480 NtSetInformationThread ... ) == 0x0 03188 1484 NtTestAlert (... 03187 460 NtAllocateVirtualMemory ... 218226688, 8192, ) == 0x0 03189 584 NtAllocateVirtualMemory (-1, 8462336, 0, 4096, 4096, 260, ... 03188 1484 NtTestAlert ... ) == 0x0 03190 460 NtProtectVirtualMemory (-1, (0xd01e000), 4096, 260, ... 03189 584 NtAllocateVirtualMemory ... 8462336, 4096, ) == 0x0 03191 1484 NtContinue (216137008, 1, ... 03190 460 NtProtectVirtualMemory ... (0xd01e000), 4096, 4, ) == 0x0 03192 584 NtAllocateVirtualMemory (-1, 8458240, 0, 4096, 4096, 260, ... 03193 1484 NtRegisterThreadTerminatePort (24, ... 03194 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03192 584 NtAllocateVirtualMemory ... 8458240, 4096, ) == 0x0 03193 1484 NtRegisterThreadTerminatePort ... ) == 0x0 03194 460 NtCreateThread ... 720, {456, 1488}, ) == 0x0 03195 584 NtAllocateVirtualMemory (-1, 8454144, 0, 4096, 4096, 260, ... 03196 1480 NtDelayExecution (1, {0, 0}, ... 03197 460 NtQueryInformationThread (720, Basic, 28, ... 03195 584 NtAllocateVirtualMemory ... 
8454144, 4096, ) == 0x0 03198 1484 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03197 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=456,Tid=1488,}, 0x0, ) == 0x0 03199 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1612, 0} (24, {28, 56, new_msg, 0, 456, 460, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\310\1\0\0\320\5\0\0" ... {28, 56, reply, 0, 456, 460, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\310\1\0\0\320\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1613, 0} (24, {28, 56, new_msg, 0, 456, 460, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\310\1\0\0\320\5\0\0" ... {28, 56, reply, 0, 456, 460, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\310\1\0\0\320\5\0\0" ) ) == 0x0 03200 460 NtResumeThread (720, ... 1, ) == 0x0 03201 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 218234880, 2097152, ) == 0x0 03202 460 NtAllocateVirtualMemory (-1, 220323840, 0, 8192, 4096, 4, ... 220323840, 8192, ) == 0x0 03203 460 NtProtectVirtualMemory (-1, (0xd21e000), 4096, 260, ... (0xd21e000), 4096, 4, ) == 0x0 03204 584 NtAllocateVirtualMemory (-1, 8450048, 0, 4096, 4096, 260, ... 03198 1484 NtSetInformationThread ... ) == 0x0 03205 1488 NtTestAlert (... 03204 584 NtAllocateVirtualMemory ... 8450048, 4096, ) == 0x0 03206 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03205 1488 NtTestAlert ... ) == 0x0 03207 584 NtAllocateVirtualMemory (-1, 8445952, 0, 4096, 4096, 260, ... 03206 460 NtCreateThread ... 724, {456, 1492}, ) == 0x0 03208 1488 NtContinue (218234160, 1, ... 03207 584 NtAllocateVirtualMemory ... 8445952, 4096, ) == 0x0 03209 460 NtQueryInformationThread (724, Basic, 28, ... 03210 1488 NtRegisterThreadTerminatePort (24, ... 03211 584 NtAllocateVirtualMemory (-1, 8441856, 0, 4096, 4096, 260, ... 03209 460 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=456,Tid=1492,}, 0x0, ) == 0x0 03210 1488 NtRegisterThreadTerminatePort ... ) == 0x0 03211 584 NtAllocateVirtualMemory ... 8441856, 4096, ) == 0x0 03212 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1613, 0} (24, {28, 56, new_msg, 0, 456, 460, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\310\1\0\0\324\5\0\0" ... ... 03213 1484 NtDelayExecution (1, {0, 0}, ... 03214 1488 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03212 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1614, 0} ... {28, 56, reply, 0, 456, 460, 1614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\310\1\0\0\324\5\0\0" ) ) == 0x0 03215 584 NtAllocateVirtualMemory (-1, 8437760, 0, 4096, 4096, 260, ... 03216 460 NtResumeThread (724, ... 03215 584 NtAllocateVirtualMemory ... 8437760, 4096, ) == 0x0 03216 460 NtResumeThread ... 1, ) == 0x0 03217 584 NtAllocateVirtualMemory (-1, 8433664, 0, 4096, 4096, 260, ... 03218 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03217 584 NtAllocateVirtualMemory ... 8433664, 4096, ) == 0x0 03218 460 NtAllocateVirtualMemory ... 220332032, 2097152, ) == 0x0 03219 584 NtAllocateVirtualMemory (-1, 8429568, 0, 4096, 4096, 260, ... 03220 460 NtAllocateVirtualMemory (-1, 222420992, 0, 8192, 4096, 4, ... 03219 584 NtAllocateVirtualMemory ... 8429568, 4096, ) == 0x0 03214 1488 NtSetInformationThread ... ) == 0x0 03221 1492 NtAllocateVirtualMemory (-1, 13205504, 0, 4096, 4096, 4, ... 03220 460 NtAllocateVirtualMemory ... 222420992, 8192, ) == 0x0 03222 584 NtAllocateVirtualMemory (-1, 8425472, 0, 4096, 4096, 260, ... 03221 1492 NtAllocateVirtualMemory ... 13205504, 4096, ) == 0x0 03223 460 NtProtectVirtualMemory (-1, (0xd41e000), 4096, 260, ... 03222 584 NtAllocateVirtualMemory ... 8425472, 4096, ) == 0x0 03224 1492 NtTestAlert (... 03223 460 NtProtectVirtualMemory ... 
(0xd41e000), 4096, 4, ) == 0x0 03225 584 NtCreateFile (0xc0100081, {24, 0, 0x40, 0, 8433136, (0xc0100081, {24, 0, 0x40, 0, 8433136, "\??\C:\WINDOWS\system32\utilman.exe"}, 0x0, 0, 0, 1, 96, 0, 0, ... }, 0x0, 0, 0, 1, 96, 0, 0, ... 03224 1492 NtTestAlert ... ) == 0x0 03226 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03225 584 NtCreateFile ... 728, {status=0x0, info=1}, ) == 0x0 03227 1492 NtContinue (220331312, 1, ... 03226 460 NtCreateThread ... 732, {456, 1496}, ) == 0x0 03228 584 NtQueryInformationFile (728, 8433188, 24, Standard, ... 03229 1488 NtDelayExecution (1, {0, 0}, ... 03230 460 NtQueryInformationThread (732, Basic, 28, ... 03228 584 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03231 1492 NtRegisterThreadTerminatePort (24, ... 03230 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=456,Tid=1496,}, 0x0, ) == 0x0 03231 1492 NtRegisterThreadTerminatePort ... ) == 0x0 03232 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1614, 0} (24, {28, 56, new_msg, 0, 456, 460, 1614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\310\1\0\0\330\5\0\0" ... ... 03233 1492 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03232 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1615, 0} ... {28, 56, reply, 0, 456, 460, 1615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\310\1\0\0\330\5\0\0" ) ) == 0x0 03234 460 NtResumeThread (732, ... 1, ) == 0x0 03235 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 222429184, 2097152, ) == 0x0 03236 460 NtAllocateVirtualMemory (-1, 224518144, 0, 8192, 4096, 4, ... 224518144, 8192, ) == 0x0 03237 460 NtProtectVirtualMemory (-1, (0xd61e000), 4096, 260, ... (0xd61e000), 4096, 4, ) == 0x0 03238 584 NtAllocateVirtualMemory (-1, 4620288, 0, 241664, 4096, 4, ... 03233 1492 NtSetInformationThread ... ) == 0x0 03239 1496 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03238 584 NtAllocateVirtualMemory ... 
4620288, 241664, ) == 0x0 03240 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03239 1496 NtCreateEvent ... 736, ) == 0x0 03241 584 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03240 460 NtCreateThread ... 740, {456, 796}, ) == 0x0 03242 1496 NtWaitForSingleObject (736, 0, 0x0, ... 03241 584 NtCreateEvent ... 744, ) == 0x0 03243 460 NtQueryInformationThread (740, Basic, 28, ... 03244 584 NtClose (744, ... 03243 460 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=456,Tid=796,}, 0x0, ) == 0x0 03244 584 NtClose ... ) == 0x0 03245 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1615, 0} (24, {28, 56, new_msg, 0, 456, 460, 1615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\2\0\0\310\1\0\0\34\3\0\0" ... ... 03246 1492 NtDelayExecution (1, {0, 0}, ... 03245 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1616, 0} ... {28, 56, reply, 0, 456, 460, 1616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\2\0\0\310\1\0\0\34\3\0\0" ) ) == 0x0 03247 584 NtSetEventBoostPriority (736, ... 03248 460 NtResumeThread (740, ... 03242 1496 NtWaitForSingleObject ... ) == 0x0 03247 584 NtSetEventBoostPriority ... ) == 0x0 03249 1496 NtTestAlert (... 03248 460 NtResumeThread ... 1, ) == 0x0 03249 1496 NtTestAlert ... ) == 0x0 03250 584 NtReadFile (728, 0, 0, 0, 46592, 0x0, 0, ... 03251 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03252 796 NtTestAlert (... 03251 460 NtAllocateVirtualMemory ... 224526336, 2097152, ) == 0x0 03252 796 NtTestAlert ... ) == 0x0 03253 460 NtAllocateVirtualMemory (-1, 226615296, 0, 8192, 4096, 4, ... 03254 796 NtContinue (224525616, 1, ... 03255 1496 NtContinue (222428464, 1, ... 03256 796 NtRegisterThreadTerminatePort (24, ... 03257 1496 NtRegisterThreadTerminatePort (24, ... 03256 796 NtRegisterThreadTerminatePort ... ) == 0x0 03257 1496 NtRegisterThreadTerminatePort ... ) == 0x0 03253 460 NtAllocateVirtualMemory ... 
226615296, 8192, ) == 0x0 03258 1496 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03259 460 NtProtectVirtualMemory (-1, (0xd81e000), 4096, 260, ... (0xd81e000), 4096, 4, ) == 0x0 03260 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 744, {456, 1368}, ) == 0x0 03261 460 NtQueryInformationThread (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=456,Tid=1368,}, 0x0, ) == 0x0 03262 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1616, 0} (24, {28, 56, new_msg, 0, 456, 460, 1616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\2\0\0\310\1\0\0X\5\0\0" ... {28, 56, reply, 0, 456, 460, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\2\0\0\310\1\0\0X\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1617, 0} (24, {28, 56, new_msg, 0, 456, 460, 1616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\2\0\0\310\1\0\0X\5\0\0" ... {28, 56, reply, 0, 456, 460, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\2\0\0\310\1\0\0X\5\0\0" ) ) == 0x0 03263 460 NtResumeThread (744, ... 1, ) == 0x0 03264 796 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03258 1496 NtSetInformationThread ... ) == 0x0 03265 1368 NtTestAlert (... 03264 796 NtSetInformationThread ... ) == 0x0 03266 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03265 1368 NtTestAlert ... ) == 0x0 03267 1496 NtDelayExecution (1, {0, 0}, ... 03266 460 NtAllocateVirtualMemory ... 226623488, 2097152, ) == 0x0 03268 1368 NtContinue (226622768, 1, ... 03269 796 NtDelayExecution (1, {0, 0}, ... 03270 460 NtAllocateVirtualMemory (-1, 228712448, 0, 8192, 4096, 4, ... 03271 1368 NtRegisterThreadTerminatePort (24, ... 03270 460 NtAllocateVirtualMemory ... 228712448, 8192, ) == 0x0 03271 1368 NtRegisterThreadTerminatePort ... ) == 0x0 03272 460 NtProtectVirtualMemory (-1, (0xda1e000), 4096, 260, ... (0xda1e000), 4096, 4, ) == 0x0 03273 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
748, {456, 1504}, ) == 0x0 03274 460 NtQueryInformationThread (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=456,Tid=1504,}, 0x0, ) == 0x0 03275 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1617, 0} (24, {28, 56, new_msg, 0, 456, 460, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\2\0\0\310\1\0\0\340\5\0\0" ... ... 03276 1368 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03275 460 NtRequestWaitReplyPort ... {28, 56, reply, 0, 456, 460, 1618, 0} ... {28, 56, reply, 0, 456, 460, 1618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\2\0\0\310\1\0\0\340\5\0\0" ) ) == 0x0 03277 460 NtResumeThread (748, ... 1, ) == 0x0 03278 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 228720640, 2097152, ) == 0x0 03279 460 NtAllocateVirtualMemory (-1, 230809600, 0, 8192, 4096, 4, ... 03280 1504 NtTestAlert (... ) == 0x0 03281 1504 NtContinue (228719920, 1, ... 03282 1504 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03283 1504 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03279 460 NtAllocateVirtualMemory ... 230809600, 8192, ) == 0x0 03284 460 NtProtectVirtualMemory (-1, (0xdc1e000), 4096, 260, ... (0xdc1e000), 4096, 4, ) == 0x0 03285 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 752, {456, 1512}, ) == 0x0 03286 460 NtQueryInformationThread (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=456,Tid=1512,}, 0x0, ) == 0x0 03287 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1618, 0} (24, {28, 56, new_msg, 0, 456, 460, 1618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\310\1\0\0\350\5\0\0" ... {28, 56, reply, 0, 456, 460, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\310\1\0\0\350\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1619, 0} (24, {28, 56, new_msg, 0, 456, 460, 1618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\310\1\0\0\350\5\0\0" ... 
{28, 56, reply, 0, 456, 460, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\310\1\0\0\350\5\0\0" ) ) == 0x0 03288 460 NtResumeThread (752, ... 1, ) == 0x0 03289 1512 NtTestAlert (... ) == 0x0 03290 1512 NtContinue (230817072, 1, ... 03291 1512 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03292 1512 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03293 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 230817792, 2097152, ) == 0x0 03294 460 NtAllocateVirtualMemory (-1, 232906752, 0, 8192, 4096, 4, ... 232906752, 8192, ) == 0x0 03295 460 NtProtectVirtualMemory (-1, (0xde1e000), 4096, 260, ... (0xde1e000), 4096, 4, ) == 0x0 03296 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 756, {456, 1516}, ) == 0x0 03297 460 NtQueryInformationThread (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=456,Tid=1516,}, 0x0, ) == 0x0 03298 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1619, 0} (24, {28, 56, new_msg, 0, 456, 460, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\310\1\0\0\354\5\0\0" ... {28, 56, reply, 0, 456, 460, 1620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\310\1\0\0\354\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1620, 0} (24, {28, 56, new_msg, 0, 456, 460, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\310\1\0\0\354\5\0\0" ... {28, 56, reply, 0, 456, 460, 1620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\310\1\0\0\354\5\0\0" ) ) == 0x0 03299 460 NtResumeThread (756, ... 1, ) == 0x0 03300 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 232914944, 2097152, ) == 0x0 03301 460 NtAllocateVirtualMemory (-1, 235003904, 0, 8192, 4096, 4, ... 03302 1516 NtTestAlert (... ) == 0x0 03303 1516 NtContinue (232914224, 1, ... 03304 1516 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03305 1516 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03301 460 NtAllocateVirtualMemory ... 
235003904, 8192, ) == 0x0 03306 460 NtProtectVirtualMemory (-1, (0xe01e000), 4096, 260, ... (0xe01e000), 4096, 4, ) == 0x0 03307 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 760, {456, 1520}, ) == 0x0 03308 460 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=456,Tid=1520,}, 0x0, ) == 0x0 03309 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1620, 0} (24, {28, 56, new_msg, 0, 456, 460, 1620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\310\1\0\0\360\5\0\0" ... {28, 56, reply, 0, 456, 460, 1621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\310\1\0\0\360\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1621, 0} (24, {28, 56, new_msg, 0, 456, 460, 1620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\310\1\0\0\360\5\0\0" ... {28, 56, reply, 0, 456, 460, 1621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\310\1\0\0\360\5\0\0" ) ) == 0x0 03310 460 NtResumeThread (760, ... 1, ) == 0x0 03311 1520 NtTestAlert (... ) == 0x0 03312 1520 NtContinue (235011376, 1, ... 03313 1520 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03314 1520 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03315 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 235012096, 2097152, ) == 0x0 03316 460 NtAllocateVirtualMemory (-1, 237101056, 0, 8192, 4096, 4, ... 237101056, 8192, ) == 0x0 03317 460 NtProtectVirtualMemory (-1, (0xe21e000), 4096, 260, ... (0xe21e000), 4096, 4, ) == 0x0 03318 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 764, {456, 1524}, ) == 0x0 03319 460 NtQueryInformationThread (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=456,Tid=1524,}, 0x0, ) == 0x0 03320 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1621, 0} (24, {28, 56, new_msg, 0, 456, 460, 1621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\310\1\0\0\364\5\0\0" ... {28, 56, reply, 0, 456, 460, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\310\1\0\0\364\5\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1622, 0} (24, {28, 56, new_msg, 0, 456, 460, 1621, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\310\1\0\0\364\5\0\0" ... {28, 56, reply, 0, 456, 460, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\310\1\0\0\364\5\0\0" ) ) == 0x0 03321 460 NtResumeThread (764, ... 1, ) == 0x0 03322 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 237109248, 2097152, ) == 0x0 03323 460 NtAllocateVirtualMemory (-1, 239198208, 0, 8192, 4096, 4, ... 03324 1524 NtTestAlert (... ) == 0x0 03325 1524 NtContinue (237108528, 1, ... 03326 1524 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03327 1524 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03323 460 NtAllocateVirtualMemory ... 239198208, 8192, ) == 0x0 03328 460 NtProtectVirtualMemory (-1, (0xe41e000), 4096, 260, ... (0xe41e000), 4096, 4, ) == 0x0 03329 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 768, {456, 1528}, ) == 0x0 03330 460 NtQueryInformationThread (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=456,Tid=1528,}, 0x0, ) == 0x0 03331 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1622, 0} (24, {28, 56, new_msg, 0, 456, 460, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\310\1\0\0\370\5\0\0" ... {28, 56, reply, 0, 456, 460, 1623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\310\1\0\0\370\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1623, 0} (24, {28, 56, new_msg, 0, 456, 460, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\310\1\0\0\370\5\0\0" ... {28, 56, reply, 0, 456, 460, 1623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\310\1\0\0\370\5\0\0" ) ) == 0x0 03332 460 NtResumeThread (768, ... 1, ) == 0x0 03333 1528 NtTestAlert (... ) == 0x0 03334 1528 NtContinue (239205680, 1, ... 03335 1528 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03336 1528 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03337 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
239206400, 2097152, ) == 0x0 03338 460 NtAllocateVirtualMemory (-1, 241295360, 0, 8192, 4096, 4, ... 241295360, 8192, ) == 0x0 03339 460 NtProtectVirtualMemory (-1, (0xe61e000), 4096, 260, ... (0xe61e000), 4096, 4, ) == 0x0 03340 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 772, {456, 1532}, ) == 0x0 03341 460 NtQueryInformationThread (772, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=456,Tid=1532,}, 0x0, ) == 0x0 03342 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1623, 0} (24, {28, 56, new_msg, 0, 456, 460, 1623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\3\0\0\310\1\0\0\374\5\0\0" ... {28, 56, reply, 0, 456, 460, 1624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\3\0\0\310\1\0\0\374\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1624, 0} (24, {28, 56, new_msg, 0, 456, 460, 1623, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\3\0\0\310\1\0\0\374\5\0\0" ... {28, 56, reply, 0, 456, 460, 1624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\3\0\0\310\1\0\0\374\5\0\0" ) ) == 0x0 03343 460 NtResumeThread (772, ... 1, ) == 0x0 03344 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 241303552, 2097152, ) == 0x0 03345 460 NtAllocateVirtualMemory (-1, 243392512, 0, 8192, 4096, 4, ... 03346 1532 NtTestAlert (... ) == 0x0 03347 1532 NtContinue (241302832, 1, ... 03348 1532 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03349 1532 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03345 460 NtAllocateVirtualMemory ... 243392512, 8192, ) == 0x0 03350 460 NtProtectVirtualMemory (-1, (0xe81e000), 4096, 260, ... (0xe81e000), 4096, 4, ) == 0x0 03351 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 776, {456, 340}, ) == 0x0 03352 460 NtQueryInformationThread (776, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=456,Tid=340,}, 0x0, ) == 0x0 03353 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1624, 0} (24, {28, 56, new_msg, 0, 456, 460, 1624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\310\1\0\0T\1\0\0" ... {28, 56, reply, 0, 456, 460, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\310\1\0\0T\1\0\0" ) ... {28, 56, reply, 0, 456, 460, 1625, 0} (24, {28, 56, new_msg, 0, 456, 460, 1624, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\310\1\0\0T\1\0\0" ... {28, 56, reply, 0, 456, 460, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\310\1\0\0T\1\0\0" ) ) == 0x0 03354 460 NtResumeThread (776, ... 1, ) == 0x0 03355 340 NtTestAlert (... ) == 0x0 03356 340 NtContinue (243399984, 1, ... 03357 340 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03358 340 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03359 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 243400704, 2097152, ) == 0x0 03360 460 NtAllocateVirtualMemory (-1, 245489664, 0, 8192, 4096, 4, ... 245489664, 8192, ) == 0x0 03361 460 NtProtectVirtualMemory (-1, (0xea1e000), 4096, 260, ... (0xea1e000), 4096, 4, ) == 0x0 03362 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 780, {456, 1540}, ) == 0x0 03363 460 NtQueryInformationThread (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=456,Tid=1540,}, 0x0, ) == 0x0 03364 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1625, 0} (24, {28, 56, new_msg, 0, 456, 460, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\310\1\0\0\4\6\0\0" ... {28, 56, reply, 0, 456, 460, 1626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\310\1\0\0\4\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1626, 0} (24, {28, 56, new_msg, 0, 456, 460, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\310\1\0\0\4\6\0\0" ... {28, 56, reply, 0, 456, 460, 1626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\310\1\0\0\4\6\0\0" ) ) == 0x0 03365 460 NtResumeThread (780, ... 
1, ) == 0x0 03366 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 245497856, 2097152, ) == 0x0 03367 460 NtAllocateVirtualMemory (-1, 247586816, 0, 8192, 4096, 4, ... 03368 1540 NtTestAlert (... ) == 0x0 03369 1540 NtContinue (245497136, 1, ... 03370 1540 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03371 1540 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03367 460 NtAllocateVirtualMemory ... 247586816, 8192, ) == 0x0 03372 460 NtProtectVirtualMemory (-1, (0xec1e000), 4096, 260, ... (0xec1e000), 4096, 4, ) == 0x0 03373 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 784, {456, 1544}, ) == 0x0 03374 460 NtQueryInformationThread (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=456,Tid=1544,}, 0x0, ) == 0x0 03375 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1626, 0} (24, {28, 56, new_msg, 0, 456, 460, 1626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0\310\1\0\0\10\6\0\0" ... {28, 56, reply, 0, 456, 460, 1627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0\310\1\0\0\10\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1627, 0} (24, {28, 56, new_msg, 0, 456, 460, 1626, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0\310\1\0\0\10\6\0\0" ... {28, 56, reply, 0, 456, 460, 1627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0\310\1\0\0\10\6\0\0" ) ) == 0x0 03376 460 NtResumeThread (784, ... 1, ) == 0x0 03377 1544 NtTestAlert (... ) == 0x0 03378 1544 NtContinue (247594288, 1, ... 03379 1544 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03380 1544 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03381 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 247595008, 2097152, ) == 0x0 03382 460 NtAllocateVirtualMemory (-1, 249683968, 0, 8192, 4096, 4, ... 249683968, 8192, ) == 0x0 03383 460 NtProtectVirtualMemory (-1, (0xee1e000), 4096, 260, ... (0xee1e000), 4096, 4, ) == 0x0 03384 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
788, {456, 1460}, ) == 0x0 03385 460 NtQueryInformationThread (788, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=456,Tid=1460,}, 0x0, ) == 0x0 03386 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1627, 0} (24, {28, 56, new_msg, 0, 456, 460, 1627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\310\1\0\0\264\5\0\0" ... {28, 56, reply, 0, 456, 460, 1628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\310\1\0\0\264\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1628, 0} (24, {28, 56, new_msg, 0, 456, 460, 1627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\310\1\0\0\264\5\0\0" ... {28, 56, reply, 0, 456, 460, 1628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\310\1\0\0\264\5\0\0" ) ) == 0x0 03387 460 NtResumeThread (788, ... 1, ) == 0x0 03388 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 249692160, 2097152, ) == 0x0 03389 460 NtAllocateVirtualMemory (-1, 251781120, 0, 8192, 4096, 4, ... 03390 1460 NtTestAlert (... ) == 0x0 03391 1460 NtContinue (249691440, 1, ... 03392 1460 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03393 1460 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03389 460 NtAllocateVirtualMemory ... 251781120, 8192, ) == 0x0 03394 460 NtProtectVirtualMemory (-1, (0xf01e000), 4096, 260, ... (0xf01e000), 4096, 4, ) == 0x0 03395 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 792, {456, 1564}, ) == 0x0 03396 460 NtQueryInformationThread (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=456,Tid=1564,}, 0x0, ) == 0x0 03397 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1628, 0} (24, {28, 56, new_msg, 0, 456, 460, 1628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\3\0\0\310\1\0\0\34\6\0\0" ... {28, 56, reply, 0, 456, 460, 1629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\3\0\0\310\1\0\0\34\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1629, 0} (24, {28, 56, new_msg, 0, 456, 460, 1628, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\3\0\0\310\1\0\0\34\6\0\0" ... 
{28, 56, reply, 0, 456, 460, 1629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\3\0\0\310\1\0\0\34\6\0\0" ) ) == 0x0 03398 460 NtResumeThread (792, ... 1, ) == 0x0 03399 1564 NtTestAlert (... ) == 0x0 03400 1564 NtContinue (251788592, 1, ... 03401 1564 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03402 1564 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03403 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 251789312, 2097152, ) == 0x0 03404 460 NtAllocateVirtualMemory (-1, 253878272, 0, 8192, 4096, 4, ... 253878272, 8192, ) == 0x0 03405 460 NtProtectVirtualMemory (-1, (0xf21e000), 4096, 260, ... (0xf21e000), 4096, 4, ) == 0x0 03406 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 796, {456, 1620}, ) == 0x0 03407 460 NtQueryInformationThread (796, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=456,Tid=1620,}, 0x0, ) == 0x0 03408 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1629, 0} (24, {28, 56, new_msg, 0, 456, 460, 1629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0\310\1\0\0T\6\0\0" ... {28, 56, reply, 0, 456, 460, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0\310\1\0\0T\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1630, 0} (24, {28, 56, new_msg, 0, 456, 460, 1629, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0\310\1\0\0T\6\0\0" ... {28, 56, reply, 0, 456, 460, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0\310\1\0\0T\6\0\0" ) ) == 0x0 03409 460 NtResumeThread (796, ... 1, ) == 0x0 03410 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 253886464, 2097152, ) == 0x0 03411 460 NtAllocateVirtualMemory (-1, 255975424, 0, 8192, 4096, 4, ... 03412 1620 NtTestAlert (... ) == 0x0 03413 1620 NtContinue (253885744, 1, ... 03414 1620 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03415 1620 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03411 460 NtAllocateVirtualMemory ... 
255975424, 8192, ) == 0x0 03416 460 NtProtectVirtualMemory (-1, (0xf41e000), 4096, 260, ... (0xf41e000), 4096, 4, ) == 0x0 03417 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 800, {456, 1624}, ) == 0x0 03418 460 NtQueryInformationThread (800, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=456,Tid=1624,}, 0x0, ) == 0x0 03419 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1630, 0} (24, {28, 56, new_msg, 0, 456, 460, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\310\1\0\0X\6\0\0" ... {28, 56, reply, 0, 456, 460, 1631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\310\1\0\0X\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1631, 0} (24, {28, 56, new_msg, 0, 456, 460, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\310\1\0\0X\6\0\0" ... {28, 56, reply, 0, 456, 460, 1631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\310\1\0\0X\6\0\0" ) ) == 0x0 03420 460 NtResumeThread (800, ... 1, ) == 0x0 03421 1624 NtTestAlert (... ) == 0x0 03422 1624 NtContinue (255982896, 1, ... 03423 1624 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03424 1624 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03425 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 255983616, 2097152, ) == 0x0 03426 460 NtAllocateVirtualMemory (-1, 258072576, 0, 8192, 4096, 4, ... 258072576, 8192, ) == 0x0 03427 460 NtProtectVirtualMemory (-1, (0xf61e000), 4096, 260, ... (0xf61e000), 4096, 4, ) == 0x0 03428 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 804, {456, 1628}, ) == 0x0 03429 460 NtQueryInformationThread (804, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=456,Tid=1628,}, 0x0, ) == 0x0 03430 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1631, 0} (24, {28, 56, new_msg, 0, 456, 460, 1631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\310\1\0\0\\6\0\0" ... {28, 56, reply, 0, 456, 460, 1632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\310\1\0\0\\6\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1632, 0} (24, {28, 56, new_msg, 0, 456, 460, 1631, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\310\1\0\0\\6\0\0" ... {28, 56, reply, 0, 456, 460, 1632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\310\1\0\0\\6\0\0" ) ) == 0x0 03431 460 NtResumeThread (804, ... 1, ) == 0x0 03432 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 258080768, 2097152, ) == 0x0 03433 460 NtAllocateVirtualMemory (-1, 260169728, 0, 8192, 4096, 4, ... 03434 1628 NtTestAlert (... ) == 0x0 03435 1628 NtContinue (258080048, 1, ... 03436 1628 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03437 1628 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03433 460 NtAllocateVirtualMemory ... 260169728, 8192, ) == 0x0 03438 460 NtProtectVirtualMemory (-1, (0xf81e000), 4096, 260, ... (0xf81e000), 4096, 4, ) == 0x0 03439 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 808, {456, 1656}, ) == 0x0 03440 460 NtQueryInformationThread (808, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=456,Tid=1656,}, 0x0, ) == 0x0 03441 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1632, 0} (24, {28, 56, new_msg, 0, 456, 460, 1632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\310\1\0\0x\6\0\0" ... {28, 56, reply, 0, 456, 460, 1633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\310\1\0\0x\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1633, 0} (24, {28, 56, new_msg, 0, 456, 460, 1632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\310\1\0\0x\6\0\0" ... {28, 56, reply, 0, 456, 460, 1633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\310\1\0\0x\6\0\0" ) ) == 0x0 03442 460 NtResumeThread (808, ... 1, ) == 0x0 03443 1656 NtTestAlert (... ) == 0x0 03444 1656 NtContinue (260177200, 1, ... 03445 1656 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03446 1656 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03447 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
260177920, 2097152, ) == 0x0 03448 460 NtAllocateVirtualMemory (-1, 262266880, 0, 8192, 4096, 4, ... 262266880, 8192, ) == 0x0 03449 460 NtProtectVirtualMemory (-1, (0xfa1e000), 4096, 260, ... (0xfa1e000), 4096, 4, ) == 0x0 03450 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 812, {456, 1660}, ) == 0x0 03451 460 NtQueryInformationThread (812, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=456,Tid=1660,}, 0x0, ) == 0x0 03452 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1633, 0} (24, {28, 56, new_msg, 0, 456, 460, 1633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\310\1\0\0|\6\0\0" ... {28, 56, reply, 0, 456, 460, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\310\1\0\0|\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1634, 0} (24, {28, 56, new_msg, 0, 456, 460, 1633, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\310\1\0\0|\6\0\0" ... {28, 56, reply, 0, 456, 460, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\310\1\0\0|\6\0\0" ) ) == 0x0 03453 460 NtResumeThread (812, ... 1, ) == 0x0 03454 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 262275072, 2097152, ) == 0x0 03455 460 NtAllocateVirtualMemory (-1, 264364032, 0, 8192, 4096, 4, ... 03456 1660 NtTestAlert (... ) == 0x0 03457 1660 NtContinue (262274352, 1, ... 03458 1660 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03459 1660 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03455 460 NtAllocateVirtualMemory ... 264364032, 8192, ) == 0x0 03460 460 NtProtectVirtualMemory (-1, (0xfc1e000), 4096, 260, ... (0xfc1e000), 4096, 4, ) == 0x0 03461 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 816, {456, 1664}, ) == 0x0 03462 460 NtQueryInformationThread (816, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=456,Tid=1664,}, 0x0, ) == 0x0 03463 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1634, 0} (24, {28, 56, new_msg, 0, 456, 460, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\310\1\0\0\200\6\0\0" ... {28, 56, reply, 0, 456, 460, 1635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\310\1\0\0\200\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1635, 0} (24, {28, 56, new_msg, 0, 456, 460, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\310\1\0\0\200\6\0\0" ... {28, 56, reply, 0, 456, 460, 1635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\310\1\0\0\200\6\0\0" ) ) == 0x0 03464 460 NtResumeThread (816, ... 1, ) == 0x0 03465 1664 NtTestAlert (... ) == 0x0 03466 1664 NtContinue (264371504, 1, ... 03467 1664 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03468 1664 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03469 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 264372224, 2097152, ) == 0x0 03470 460 NtAllocateVirtualMemory (-1, 266461184, 0, 8192, 4096, 4, ... 266461184, 8192, ) == 0x0 03471 460 NtProtectVirtualMemory (-1, (0xfe1e000), 4096, 260, ... (0xfe1e000), 4096, 4, ) == 0x0 03472 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 820, {456, 1684}, ) == 0x0 03473 460 NtQueryInformationThread (820, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=456,Tid=1684,}, 0x0, ) == 0x0 03474 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1635, 0} (24, {28, 56, new_msg, 0, 456, 460, 1635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\3\0\0\310\1\0\0\224\6\0\0" ... {28, 56, reply, 0, 456, 460, 1636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\3\0\0\310\1\0\0\224\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1636, 0} (24, {28, 56, new_msg, 0, 456, 460, 1635, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\3\0\0\310\1\0\0\224\6\0\0" ... {28, 56, reply, 0, 456, 460, 1636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\3\0\0\310\1\0\0\224\6\0\0" ) ) == 0x0 03475 460 NtResumeThread (820, ... 
1, ) == 0x0 03476 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 266469376, 2097152, ) == 0x0 03477 460 NtAllocateVirtualMemory (-1, 268558336, 0, 8192, 4096, 4, ... 03478 1684 NtTestAlert (... ) == 0x0 03479 1684 NtContinue (266468656, 1, ... 03480 1684 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03481 1684 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03477 460 NtAllocateVirtualMemory ... 268558336, 8192, ) == 0x0 03482 460 NtProtectVirtualMemory (-1, (0x1001e000), 4096, 260, ... (0x1001e000), 4096, 4, ) == 0x0 03483 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 824, {456, 1688}, ) == 0x0 03484 460 NtQueryInformationThread (824, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=456,Tid=1688,}, 0x0, ) == 0x0 03485 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1636, 0} (24, {28, 56, new_msg, 0, 456, 460, 1636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\310\1\0\0\230\6\0\0" ... {28, 56, reply, 0, 456, 460, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\310\1\0\0\230\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1637, 0} (24, {28, 56, new_msg, 0, 456, 460, 1636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\310\1\0\0\230\6\0\0" ... {28, 56, reply, 0, 456, 460, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\310\1\0\0\230\6\0\0" ) ) == 0x0 03486 460 NtResumeThread (824, ... 1, ) == 0x0 03487 1688 NtTestAlert (... ) == 0x0 03488 1688 NtContinue (268565808, 1, ... 03489 1688 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03490 1688 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03491 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 268566528, 2097152, ) == 0x0 03492 460 NtAllocateVirtualMemory (-1, 270655488, 0, 8192, 4096, 4, ... 270655488, 8192, ) == 0x0 03493 460 NtProtectVirtualMemory (-1, (0x1021e000), 4096, 260, ... (0x1021e000), 4096, 4, ) == 0x0 03494 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
828, {456, 1692}, ) == 0x0 03495 460 NtQueryInformationThread (828, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=456,Tid=1692,}, 0x0, ) == 0x0 03496 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1637, 0} (24, {28, 56, new_msg, 0, 456, 460, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\310\1\0\0\234\6\0\0" ... {28, 56, reply, 0, 456, 460, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\310\1\0\0\234\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1638, 0} (24, {28, 56, new_msg, 0, 456, 460, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\310\1\0\0\234\6\0\0" ... {28, 56, reply, 0, 456, 460, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\310\1\0\0\234\6\0\0" ) ) == 0x0 03497 460 NtResumeThread (828, ... 1, ) == 0x0 03498 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 270663680, 2097152, ) == 0x0 03499 460 NtAllocateVirtualMemory (-1, 272752640, 0, 8192, 4096, 4, ... 03500 1692 NtTestAlert (... ) == 0x0 03501 1692 NtContinue (270662960, 1, ... 03502 1692 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03503 1692 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03499 460 NtAllocateVirtualMemory ... 272752640, 8192, ) == 0x0 03504 460 NtProtectVirtualMemory (-1, (0x1041e000), 4096, 260, ... (0x1041e000), 4096, 4, ) == 0x0 03505 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 832, {456, 1152}, ) == 0x0 03506 460 NtQueryInformationThread (832, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=456,Tid=1152,}, 0x0, ) == 0x0 03507 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1638, 0} (24, {28, 56, new_msg, 0, 456, 460, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0\310\1\0\0\200\4\0\0" ... {28, 56, reply, 0, 456, 460, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0\310\1\0\0\200\4\0\0" ) ... {28, 56, reply, 0, 456, 460, 1639, 0} (24, {28, 56, new_msg, 0, 456, 460, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0\310\1\0\0\200\4\0\0" ... 
{28, 56, reply, 0, 456, 460, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0\310\1\0\0\200\4\0\0" ) ) == 0x0 03508 460 NtResumeThread (832, ... 1, ) == 0x0 03509 1152 NtTestAlert (... ) == 0x0 03510 1152 NtContinue (272760112, 1, ... 03511 1152 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03512 1152 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03513 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 272760832, 2097152, ) == 0x0 03514 460 NtAllocateVirtualMemory (-1, 274849792, 0, 8192, 4096, 4, ... 274849792, 8192, ) == 0x0 03515 460 NtProtectVirtualMemory (-1, (0x1061e000), 4096, 260, ... (0x1061e000), 4096, 4, ) == 0x0 03516 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 836, {456, 1332}, ) == 0x0 03517 460 NtQueryInformationThread (836, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=456,Tid=1332,}, 0x0, ) == 0x0 03518 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1639, 0} (24, {28, 56, new_msg, 0, 456, 460, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\310\1\0\04\5\0\0" ... {28, 56, reply, 0, 456, 460, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\310\1\0\04\5\0\0" ) ... {28, 56, reply, 0, 456, 460, 1640, 0} (24, {28, 56, new_msg, 0, 456, 460, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\310\1\0\04\5\0\0" ... {28, 56, reply, 0, 456, 460, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\310\1\0\04\5\0\0" ) ) == 0x0 03519 460 NtResumeThread (836, ... 1, ) == 0x0 03520 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 274857984, 2097152, ) == 0x0 03521 460 NtAllocateVirtualMemory (-1, 276946944, 0, 8192, 4096, 4, ... 03522 1332 NtTestAlert (... ) == 0x0 03523 1332 NtContinue (274857264, 1, ... 03524 1332 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03525 1332 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03521 460 NtAllocateVirtualMemory ... 
276946944, 8192, ) == 0x0 03526 460 NtProtectVirtualMemory (-1, (0x1081e000), 4096, 260, ... (0x1081e000), 4096, 4, ) == 0x0 03527 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 840, {456, 1592}, ) == 0x0 03528 460 NtQueryInformationThread (840, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=456,Tid=1592,}, 0x0, ) == 0x0 03529 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1640, 0} (24, {28, 56, new_msg, 0, 456, 460, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\310\1\0\08\6\0\0" ... {28, 56, reply, 0, 456, 460, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\310\1\0\08\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1641, 0} (24, {28, 56, new_msg, 0, 456, 460, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\310\1\0\08\6\0\0" ... {28, 56, reply, 0, 456, 460, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\310\1\0\08\6\0\0" ) ) == 0x0 03530 460 NtResumeThread (840, ... 1, ) == 0x0 03531 1592 NtTestAlert (... ) == 0x0 03532 1592 NtContinue (276954416, 1, ... 03533 1592 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03534 1592 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03535 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 276955136, 2097152, ) == 0x0 03536 460 NtAllocateVirtualMemory (-1, 279044096, 0, 8192, 4096, 4, ... 279044096, 8192, ) == 0x0 03537 460 NtProtectVirtualMemory (-1, (0x10a1e000), 4096, 260, ... (0x10a1e000), 4096, 4, ) == 0x0 03538 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 844, {456, 1600}, ) == 0x0 03539 460 NtQueryInformationThread (844, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=456,Tid=1600,}, 0x0, ) == 0x0 03540 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1641, 0} (24, {28, 56, new_msg, 0, 456, 460, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\310\1\0\0@\6\0\0" ... {28, 56, reply, 0, 456, 460, 1642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\310\1\0\0@\6\0\0" ) ... 
{28, 56, reply, 0, 456, 460, 1642, 0} (24, {28, 56, new_msg, 0, 456, 460, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\310\1\0\0@\6\0\0" ... {28, 56, reply, 0, 456, 460, 1642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\310\1\0\0@\6\0\0" ) ) == 0x0 03541 460 NtResumeThread (844, ... 1, ) == 0x0 03542 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 279052288, 2097152, ) == 0x0 03543 460 NtAllocateVirtualMemory (-1, 281141248, 0, 8192, 4096, 4, ... 03544 1600 NtAllocateVirtualMemory (-1, 13209600, 0, 4096, 4096, 4, ... 13209600, 4096, ) == 0x0 03545 1600 NtTestAlert (... ) == 0x0 03546 1600 NtContinue (279051568, 1, ... 03547 1600 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03548 1600 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03543 460 NtAllocateVirtualMemory ... 281141248, 8192, ) == 0x0 03549 460 NtProtectVirtualMemory (-1, (0x10c1e000), 4096, 260, ... (0x10c1e000), 4096, 4, ) == 0x0 03550 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 848, {456, 1632}, ) == 0x0 03551 460 NtQueryInformationThread (848, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=456,Tid=1632,}, 0x0, ) == 0x0 03552 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1642, 0} (24, {28, 56, new_msg, 0, 456, 460, 1642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\3\0\0\310\1\0\0`\6\0\0" ... {28, 56, reply, 0, 456, 460, 1643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\3\0\0\310\1\0\0`\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1643, 0} (24, {28, 56, new_msg, 0, 456, 460, 1642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\3\0\0\310\1\0\0`\6\0\0" ... {28, 56, reply, 0, 456, 460, 1643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\3\0\0\310\1\0\0`\6\0\0" ) ) == 0x0 03553 460 NtResumeThread (848, ... 1, ) == 0x0 03554 1632 NtTestAlert (... ) == 0x0 03555 1632 NtContinue (281148720, 1, ... 03556 1632 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03557 1632 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 
03558 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 281149440, 2097152, ) == 0x0 03559 460 NtAllocateVirtualMemory (-1, 283238400, 0, 8192, 4096, 4, ... 283238400, 8192, ) == 0x0 03560 460 NtProtectVirtualMemory (-1, (0x10e1e000), 4096, 260, ... (0x10e1e000), 4096, 4, ) == 0x0 03561 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 852, {456, 1748}, ) == 0x0 03562 460 NtQueryInformationThread (852, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=456,Tid=1748,}, 0x0, ) == 0x0 03563 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1643, 0} (24, {28, 56, new_msg, 0, 456, 460, 1643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\310\1\0\0\324\6\0\0" ... {28, 56, reply, 0, 456, 460, 1644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\310\1\0\0\324\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1644, 0} (24, {28, 56, new_msg, 0, 456, 460, 1643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\310\1\0\0\324\6\0\0" ... {28, 56, reply, 0, 456, 460, 1644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\310\1\0\0\324\6\0\0" ) ) == 0x0 03564 460 NtResumeThread (852, ... 1, ) == 0x0 03565 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 283246592, 2097152, ) == 0x0 03566 460 NtAllocateVirtualMemory (-1, 285335552, 0, 8192, 4096, 4, ... 03567 1748 NtTestAlert (... ) == 0x0 03568 1748 NtContinue (283245872, 1, ... 03569 1748 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03570 1748 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03566 460 NtAllocateVirtualMemory ... 285335552, 8192, ) == 0x0 03571 460 NtProtectVirtualMemory (-1, (0x1101e000), 4096, 260, ... (0x1101e000), 4096, 4, ) == 0x0 03572 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 856, {456, 1588}, ) == 0x0 03573 460 NtQueryInformationThread (856, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=456,Tid=1588,}, 0x0, ) == 0x0 03574 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1644, 0} (24, {28, 56, new_msg, 0, 456, 460, 1644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\3\0\0\310\1\0\04\6\0\0" ... {28, 56, reply, 0, 456, 460, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\3\0\0\310\1\0\04\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1645, 0} (24, {28, 56, new_msg, 0, 456, 460, 1644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\3\0\0\310\1\0\04\6\0\0" ... {28, 56, reply, 0, 456, 460, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\3\0\0\310\1\0\04\6\0\0" ) ) == 0x0 03575 460 NtResumeThread (856, ... 1, ) == 0x0 03576 1588 NtTestAlert (... ) == 0x0 03577 1588 NtContinue (285343024, 1, ... 03578 1588 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03579 1588 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03580 460 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 285343744, 2097152, ) == 0x0 03581 460 NtAllocateVirtualMemory (-1, 287432704, 0, 8192, 4096, 4, ... 287432704, 8192, ) == 0x0 03582 460 NtProtectVirtualMemory (-1, (0x1121e000), 4096, 260, ... (0x1121e000), 4096, 4, ) == 0x0 03583 460 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 860, {456, 1640}, ) == 0x0 03584 460 NtQueryInformationThread (860, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=456,Tid=1640,}, 0x0, ) == 0x0 03585 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 456, 460, 1645, 0} (24, {28, 56, new_msg, 0, 456, 460, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\310\1\0\0h\6\0\0" ... {28, 56, reply, 0, 456, 460, 1646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\310\1\0\0h\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1646, 0} (24, {28, 56, new_msg, 0, 456, 460, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\310\1\0\0h\6\0\0" ... {28, 56, reply, 0, 456, 460, 1646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\310\1\0\0h\6\0\0" ) ) == 0x0 03586 460 NtResumeThread (860, ... 
1, ) == 0x0 03587 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 864, ) == 0x0 03588 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03589 1640 NtTestAlert (... ) == 0x0 03590 1640 NtContinue (287440176, 1, ... 03591 1640 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03592 1640 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 03588 460 NtDuplicateObject ... 868, ) == 0x0 03593 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03594 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 872, ) == 0x0 03595 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03596 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03597 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2291792, (0xc0100080, {24, 0, 0x40, 0, 2291792, "\??\PIPE\InitShutdown"}, 0x0, 0, 3, 1, 64, 0, 0, ... 876, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 876, {status=0x0, info=1}, ) == 0x0 03598 460 NtSetInformationFile (876, 2291848, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03599 460 NtSetInformationFile (876, 2291840, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03600 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03601 460 NtWriteFile (876, 865, 0, 0, (876, 865, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\300\340M\211U\15\323\21\243"\0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03602 460 NtAllocateVirtualMemory (-1, 4861952, 0, 4096, 4096, 4, ... 4861952, 4096, ) == 0x0 03603 460 NtReadFile (876, 865, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (876, 865, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\314\35\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03604 460 NtFsControlFile (876, 865, 0x0, 0x0, 0x11c017, (876, 865, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\340\376"\0X'", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\314\35\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0X' (876, 865, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\340\376"\0X'", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\314\35\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\314\35\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 03605 460 NtClose (872, ... ) == 0x0 03606 460 NtClose (876, ... ) == 0x0 03607 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03608 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 876, ) == 0x0 03609 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03610 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03611 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2291788, (0xc0100080, {24, 0, 0x40, 0, 2291788, "\??\PIPE\winreg"}, 0x0, 0, 3, 1, 64, 0, 0, ... 872, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 872, {status=0x0, info=1}, ) == 0x0 03612 460 NtSetInformationFile (872, 2291844, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03613 460 NtSetInformationFile (872, 2291836, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03614 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 03615 460 NtWriteFile (872, 865, 0, 0, (872, 865, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\1\320\2143D"\3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03616 460 NtReadFile (872, 865, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (872, 865, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\356$\0\0\15\0\PIPE\winreg\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03617 460 NtFsControlFile (872, 865, 0x0, 0x0, 0x11c017, (872, 865, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\324\376"\0X'", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\356$\0\0\15\0\PIPE\winreg\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0X' (872, 865, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\324\376"\0X'", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\356$\0\0\15\0\PIPE\winreg\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\356$\0\0\15\0\PIPE\winreg\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 03250 584 NtReadFile ... {status=0x0, info=46592}, ... 
{status=0x0, info=46592}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\373\225\346S\277\364\210\0\277\364\210\0\277\364\210\0E\327\310\0\275\364\210\0\277\364\211\0$\364\210\0E\327\221\0\252\364\210\0e\327\225\0\275\364\210\0(\327\315\0\276\364\210\0e\327\224\0\251\364\210\0E\327\265\0\276\364\210\0Rich\277\364\210\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\08\204};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0H\0\0\0n\0\0\0\0\0\0\34F\0\0\0\20\0\0\0`\0\0\0\0\0\1\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\0\0\0\4\0\0\246\20\1\0\2\0\0\200\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0XJ\0\0\334\0\0\0\0p\0\0@f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0H\2\0\0\324\0\0\0\0\20\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0jG\0\0\0\20\0\0\0H\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03618 460 NtWaitForSingleObject (865, 0, 0x0, ... ) == 0x0 03619 460 NtClose (876, ... ) == 0x0 03620 460 NtClose (872, ... ) == 0x0 03621 460 NtDelayExecution (0, {-10000000, -1}, ... 03622 584 NtClose (728, ... ) == 0x0 03623 584 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 8433136, (0x40100080, {24, 0, 0x40, 0, 8433136, "\??\C:\WINDOWS\system32\utilman.ivr"}, 0x0, 0, 0, 5, 96, 0, 0, ... }, 0x0, 0, 0, 5, 96, 0, 0, ... 03624 584 NtClose (-2147482064, ... ) == 0x0 03623 584 NtCreateFile ... 
728, {status=0x0, info=2}, ) == 0x0 03625 584 NtWriteFile (728, 0, 0, 0, (728, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\373\225\346S\277\364\210\0\277\364\210\0\277\364\210\0E\327\310\0\275\364\210\0\277\364\211\0$\364\210\0E\327\221\0\252\364\210\0e\327\225\0\275\364\210\0(\327\315\0\276\364\210\0e\327\224\0\251\364\210\0E\327\265\0\276\364\210\0Rich\277\364\210\0\0\0\0\0\0\0\0\0PE\0\0L\1\7\08\204};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\10\0\0H\0\0\0n\0\0\0\0\0\0\0\340\0\0\0\20\0\0\0`\0\0\0\0\0\1\0\20\0\0\0\2\0\0\5\0\1\0\15\0\2\0\4\0\0\0\0\0\0\0x\33\4\0\0\4\0\0\246\20\1\0\2\0\0\200\0\0\24\0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0XJ\0\0\334\0\0\0\0p\0\0@f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\2\0\0\324\0\0\0\0\20\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0jG\0\0\0\20\0\0\0H\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 160768, 0x0, 0, ... {status=0x0, info=160768}, ) , 160768, 0x0, 0, ... {status=0x0, info=160768}, ) == 0x0 03626 584 NtClose (728, ... ) == 0x0 03627 584 NtFreeVirtualMemory (-1, (0x468000), 237568, 16384, ... (0x468000), 237568, ) == 0x0 03628 584 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 8432072, (0x80100080, {24, 0, 0x40, 0, 8432072, "\??\C:\WINDOWS\system32\utilman.ivr"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 728, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 728, {status=0x0, info=1}, ) == 0x0 03629 584 NtQueryInformationFile (728, 8433008, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER 03630 584 NtQueryInformationFile (728, 8432980, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03631 584 NtQueryInformationFile (728, 8432932, 40, Basic, ... 
{status=0x0, info=40}, ) == 0x0 03632 584 NtAllocateVirtualMemory (-1, 4620288, 0, 8192, 4096, 4, ... 4620288, 8192, ) == 0x0 03633 584 NtQueryInformationFile (728, 4619616, 4094, Stream, ... ) == STATUS_INVALID_PARAMETER 03634 584 NtQueryInformationFile (728, 8431476, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03635 584 NtAllocateVirtualMemory (-1, 8421376, 0, 4096, 4096, 260, ... 8421376, 4096, ) == 0x0 03636 584 NtQueryInformationFile (728, 8431320, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 03637 584 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 8431328, (0x40110080, {24, 0, 0x40, 0, 8431328, "\??\C:\WINDOWS\system32\utilman.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 03638 584 NtClose (-2147482064, ... ) == 0x0 03639 584 NtQueryVolumeInformationFile (-2147482068, -128867704, 32, FullSize, ... {status=0x0, info=32}, ) == 0x0 03640 584 NtQueryInformationFile (-2147482068, -128867424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03641 584 NtQueryInformationFile (-2147482068, -128867472, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03642 584 NtQueryInformationFile (-2147482068, -519708672, 4096, Stream, ... ) == STATUS_INVALID_PARAMETER 03643 584 NtQueryInformationFile (-2147482068, -128867780, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01991 804 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03644 804 NtQueryValueKey (84, (84, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03645 804 NtQueryValueKey (84, (84, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03646 804 NtQueryValueKey (84, (84, "DisableKeepAlive", Partial, 144, ... , Partial, 144, ... 01996 676 NtDelayExecution ... ) == 0x0 01997 736 NtDelayExecution ... ) == 0x0 02000 800 NtDelayExecution ... ) == 0x0 02026 712 NtDelayExecution ... ) == 0x0 02086 852 NtSetInformationThread ... ) == 0x0 02087 872 NtDelayExecution ... ) == 0x0 02106 876 NtDelayExecution ... 
) == 0x0 02121 884 NtSetInformationThread ... ) == 0x0 02130 880 NtDelayExecution ... ) == 0x0 02145 892 NtSetInformationThread ... ) == 0x0 02154 888 NtDelayExecution ... ) == 0x0 02168 900 NtSetInformationThread ... ) == 0x0 02177 896 NtDelayExecution ... ) == 0x0 02191 908 NtSetInformationThread ... ) == 0x0 02197 904 NtDelayExecution ... ) == 0x0 02221 924 NtDelayExecution ... ) == 0x0 02245 928 NtDelayExecution ... ) == 0x0 02255 932 NtSetInformationThread ... ) == 0x0 02262 936 NtSetInformationThread ... ) == 0x0 02271 940 NtSetInformationThread ... ) == 0x0 02284 944 NtSetInformationThread ... ) == 0x0 02293 948 NtSetInformationThread ... ) == 0x0 02306 952 NtSetInformationThread ... ) == 0x0 02315 956 NtSetInformationThread ... ) == 0x0 02328 960 NtSetInformationThread ... ) == 0x0 02337 964 NtSetInformationThread ... ) == 0x0 02350 968 NtSetInformationThread ... ) == 0x0 02359 972 NtSetInformationThread ... ) == 0x0 02372 976 NtSetInformationThread ... ) == 0x0 02381 1000 NtSetInformationThread ... ) == 0x0 02394 1004 NtSetInformationThread ... ) == 0x0 02403 1024 NtSetInformationThread ... ) == 0x0 02416 1028 NtSetInformationThread ... ) == 0x0 02425 1032 NtSetInformationThread ... ) == 0x0 02438 1012 NtSetInformationThread ... ) == 0x0 02447 1036 NtSetInformationThread ... ) == 0x0 02460 308 NtSetInformationThread ... ) == 0x0 02470 1052 NtSetInformationThread ... ) == 0x0 02483 1068 NtSetInformationThread ... ) == 0x0 02492 1076 NtSetInformationThread ... ) == 0x0 02505 1088 NtSetInformationThread ... ) == 0x0 02514 1056 NtSetInformationThread ... ) == 0x0 02527 1112 NtSetInformationThread ... ) == 0x0 02536 1092 NtSetInformationThread ... ) == 0x0 02549 1100 NtSetInformationThread ... ) == 0x0 02558 1116 NtSetInformationThread ... ) == 0x0 02571 1172 NtSetInformationThread ... ) == 0x0 02580 1168 NtSetInformationThread ... ) == 0x0 02595 1120 NtSetInformationThread ... ) == 0x0 02604 1124 NtSetInformationThread ... 
) == 0x0 02617 1176 NtSetInformationThread ... ) == 0x0 02626 1180 NtSetInformationThread ... ) == 0x0 02639 1016 NtSetInformationThread ... ) == 0x0 02648 1148 NtSetInformationThread ... ) == 0x0 02661 320 NtSetInformationThread ... ) == 0x0 02670 324 NtSetInformationThread ... ) == 0x0 02683 1184 NtSetInformationThread ... ) == 0x0 02693 1188 NtSetInformationThread ... ) == 0x0 02706 1096 NtSetInformationThread ... ) == 0x0 02715 1200 NtSetInformationThread ... ) == 0x0 02728 1212 NtSetInformationThread ... ) == 0x0 02737 1220 NtSetInformationThread ... ) == 0x0 02750 1232 NtSetInformationThread ... ) == 0x0 02759 1244 NtSetInformationThread ... ) == 0x0 02772 1248 NtSetInformationThread ... ) == 0x0 02781 1252 NtSetInformationThread ... ) == 0x0 02795 1256 NtSetInformationThread ... ) == 0x0 02804 1260 NtSetInformationThread ... ) == 0x0 02817 1264 NtSetInformationThread ... ) == 0x0 02826 1272 NtSetInformationThread ... ) == 0x0 02839 1276 NtSetInformationThread ... ) == 0x0 02848 1296 NtSetInformationThread ... ) == 0x0 02882 1300 NtDelayExecution ... ) == 0x0 02898 708 NtDelayExecution ... ) == 0x0 02915 1284 NtDelayExecution ... ) == 0x0 02931 1316 NtDelayExecution ... ) == 0x0 02948 1288 NtDelayExecution ... ) == 0x0 02962 1320 NtDelayExecution ... ) == 0x0 02982 1328 NtDelayExecution ... ) == 0x0 02998 1340 NtDelayExecution ... ) == 0x0 03015 1348 NtDelayExecution ... ) == 0x0 03031 1344 NtDelayExecution ... ) == 0x0 03048 1352 NtDelayExecution ... ) == 0x0 03064 1360 NtDelayExecution ... ) == 0x0 03081 1324 NtDelayExecution ... ) == 0x0 03097 1364 NtDelayExecution ... ) == 0x0 03114 1132 NtDelayExecution ... ) == 0x0 03130 1336 NtDelayExecution ... ) == 0x0 03147 1452 NtDelayExecution ... ) == 0x0 03163 1236 NtDelayExecution ... ) == 0x0 03180 1476 NtDelayExecution ... ) == 0x0 03196 1480 NtDelayExecution ... ) == 0x0 03213 1484 NtDelayExecution ... ) == 0x0 03229 1488 NtDelayExecution ... ) == 0x0 03246 1492 NtDelayExecution ... 
) == 0x0 03267 1496 NtDelayExecution ... ) == 0x0 03269 796 NtDelayExecution ... ) == 0x0 03276 1368 NtSetInformationThread ... ) == 0x0 03283 1504 NtSetInformationThread ... ) == 0x0 03292 1512 NtSetInformationThread ... ) == 0x0 03305 1516 NtSetInformationThread ... ) == 0x0 03314 1520 NtSetInformationThread ... ) == 0x0 03327 1524 NtSetInformationThread ... ) == 0x0 03336 1528 NtSetInformationThread ... ) == 0x0 03349 1532 NtSetInformationThread ... ) == 0x0 03358 340 NtSetInformationThread ... ) == 0x0 03371 1540 NtSetInformationThread ... ) == 0x0 03380 1544 NtSetInformationThread ... ) == 0x0 03393 1460 NtSetInformationThread ... ) == 0x0 03402 1564 NtSetInformationThread ... ) == 0x0 03415 1620 NtSetInformationThread ... ) == 0x0 03424 1624 NtSetInformationThread ... ) == 0x0 03437 1628 NtSetInformationThread ... ) == 0x0 03446 1656 NtSetInformationThread ... ) == 0x0 03459 1660 NtSetInformationThread ... ) == 0x0 03468 1664 NtSetInformationThread ... ) == 0x0 03481 1684 NtSetInformationThread ... ) == 0x0 03490 1688 NtSetInformationThread ... ) == 0x0 03647 584 NtQueryInformationFile (-2147482072, -128867820, 40, Basic, ... 03503 1692 NtSetInformationThread ... ) == 0x0 03512 1152 NtSetInformationThread ... ) == 0x0 03525 1332 NtSetInformationThread ... ) == 0x0 03534 1592 NtSetInformationThread ... ) == 0x0 03548 1600 NtSetInformationThread ... ) == 0x0 03557 1632 NtSetInformationThread ... ) == 0x0 03570 1748 NtSetInformationThread ... ) == 0x0 03579 1588 NtSetInformationThread ... ) == 0x0 03592 1640 NtSetInformationThread ... ) == 0x0 03648 676 NtDelayExecution (1, {0, 0}, ... 03649 736 NtDelayExecution (1, {0, 0}, ... 03650 800 NtDelayExecution (1, {0, 0}, ... 03651 712 NtDelayExecution (1, {0, 0}, ... 03652 852 NtDelayExecution (1, {0, 0}, ... 03653 872 NtDelayExecution (1, {0, 0}, ... 03654 876 NtDelayExecution (1, {0, 0}, ... 03655 884 NtDelayExecution (1, {0, 0}, ... 03656 880 NtDelayExecution (1, {0, 0}, ... 
03657 892 NtDelayExecution (1, {0, 0}, ... 03658 888 NtDelayExecution (1, {0, 0}, ... 03659 900 NtDelayExecution (1, {0, 0}, ... 03660 896 NtDelayExecution (1, {0, 0}, ... 03661 908 NtDelayExecution (1, {0, 0}, ... 03662 904 NtDelayExecution (1, {0, 0}, ... 03663 924 NtDelayExecution (1, {0, 0}, ... 03664 928 NtDelayExecution (1, {0, 0}, ... 03665 932 NtDelayExecution (1, {0, 0}, ... 03666 936 NtDelayExecution (1, {0, 0}, ... 03667 940 NtDelayExecution (1, {0, 0}, ... 03668 944 NtDelayExecution (1, {0, 0}, ... 03669 948 NtDelayExecution (1, {0, 0}, ... 03670 952 NtDelayExecution (1, {0, 0}, ... 03671 956 NtDelayExecution (1, {0, 0}, ... 03672 960 NtDelayExecution (1, {0, 0}, ... 03673 964 NtDelayExecution (1, {0, 0}, ... 03674 968 NtDelayExecution (1, {0, 0}, ... 03675 972 NtDelayExecution (1, {0, 0}, ... 03676 976 NtDelayExecution (1, {0, 0}, ... 03677 1000 NtDelayExecution (1, {0, 0}, ... 03678 1004 NtDelayExecution (1, {0, 0}, ... 03679 1024 NtDelayExecution (1, {0, 0}, ... 03680 1028 NtDelayExecution (1, {0, 0}, ... 03681 1032 NtDelayExecution (1, {0, 0}, ... 03682 1012 NtDelayExecution (1, {0, 0}, ... 03683 1036 NtDelayExecution (1, {0, 0}, ... 03684 308 NtDelayExecution (1, {0, 0}, ... 03685 1052 NtDelayExecution (1, {0, 0}, ... 03686 1068 NtDelayExecution (1, {0, 0}, ... 03687 1076 NtDelayExecution (1, {0, 0}, ... 03688 1088 NtDelayExecution (1, {0, 0}, ... 03689 1056 NtDelayExecution (1, {0, 0}, ... 03690 1112 NtDelayExecution (1, {0, 0}, ... 03691 1092 NtDelayExecution (1, {0, 0}, ... 03692 1100 NtDelayExecution (1, {0, 0}, ... 03693 1116 NtDelayExecution (1, {0, 0}, ... 03694 1172 NtDelayExecution (1, {0, 0}, ... 03695 1168 NtDelayExecution (1, {0, 0}, ... 03696 1120 NtDelayExecution (1, {0, 0}, ... 03697 1124 NtDelayExecution (1, {0, 0}, ... 03698 1176 NtDelayExecution (1, {0, 0}, ... 03699 1180 NtDelayExecution (1, {0, 0}, ... 03700 1016 NtDelayExecution (1, {0, 0}, ... 03701 1148 NtDelayExecution (1, {0, 0}, ... 
03702 320 NtDelayExecution (1, {0, 0}, ... 03703 324 NtDelayExecution (1, {0, 0}, ... 03704 1184 NtDelayExecution (1, {0, 0}, ... 03705 1188 NtDelayExecution (1, {0, 0}, ... 03706 1096 NtDelayExecution (1, {0, 0}, ... 03707 1200 NtDelayExecution (1, {0, 0}, ... 03708 1212 NtDelayExecution (1, {0, 0}, ... 03709 1220 NtDelayExecution (1, {0, 0}, ... 03710 1232 NtDelayExecution (1, {0, 0}, ... 03711 1244 NtDelayExecution (1, {0, 0}, ... 03712 1248 NtDelayExecution (1, {0, 0}, ... 03713 1252 NtDelayExecution (1, {0, 0}, ... 03714 1256 NtDelayExecution (1, {0, 0}, ... 03715 1260 NtDelayExecution (1, {0, 0}, ... 03716 1264 NtDelayExecution (1, {0, 0}, ... 03717 1272 NtDelayExecution (1, {0, 0}, ... 03718 1276 NtDelayExecution (1, {0, 0}, ... 03719 1296 NtDelayExecution (1, {0, 0}, ... 03720 1300 NtDelayExecution (1, {0, 0}, ... 03721 708 NtDelayExecution (1, {0, 0}, ... 03722 1284 NtDelayExecution (1, {0, 0}, ... 03723 1316 NtDelayExecution (1, {0, 0}, ... 03724 1288 NtDelayExecution (1, {0, 0}, ... 03725 1320 NtDelayExecution (1, {0, 0}, ... 03726 1328 NtDelayExecution (1, {0, 0}, ... 03727 1340 NtDelayExecution (1, {0, 0}, ... 03728 1348 NtDelayExecution (1, {0, 0}, ... 03729 1344 NtDelayExecution (1, {0, 0}, ... 03730 1352 NtDelayExecution (1, {0, 0}, ... 03731 1360 NtDelayExecution (1, {0, 0}, ... 03732 1324 NtDelayExecution (1, {0, 0}, ... 03733 1364 NtDelayExecution (1, {0, 0}, ... 03734 1132 NtDelayExecution (1, {0, 0}, ... 03735 1336 NtDelayExecution (1, {0, 0}, ... 03736 1452 NtDelayExecution (1, {0, 0}, ... 03737 1236 NtDelayExecution (1, {0, 0}, ... 03738 1476 NtDelayExecution (1, {0, 0}, ... 03739 1480 NtDelayExecution (1, {0, 0}, ... 03740 1484 NtDelayExecution (1, {0, 0}, ... 03741 1488 NtDelayExecution (1, {0, 0}, ... 03742 1492 NtDelayExecution (1, {0, 0}, ... 03743 1496 NtDelayExecution (1, {0, 0}, ... 03744 796 NtDelayExecution (1, {0, 0}, ... 03745 1368 NtDelayExecution (1, {0, 0}, ... 03746 1504 NtDelayExecution (1, {0, 0}, ... 
03747 1512 NtDelayExecution (1, {0, 0}, ... 03748 1516 NtDelayExecution (1, {0, 0}, ... 03749 1520 NtDelayExecution (1, {0, 0}, ... 03750 1524 NtDelayExecution (1, {0, 0}, ... 03751 1528 NtDelayExecution (1, {0, 0}, ... 03752 1532 NtDelayExecution (1, {0, 0}, ... 03753 340 NtDelayExecution (1, {0, 0}, ... 03754 1540 NtDelayExecution (1, {0, 0}, ... 03755 1544 NtDelayExecution (1, {0, 0}, ... 03756 1460 NtDelayExecution (1, {0, 0}, ... 03757 1564 NtDelayExecution (1, {0, 0}, ... 03758 1620 NtDelayExecution (1, {0, 0}, ... 03759 1624 NtDelayExecution (1, {0, 0}, ... 03760 1628 NtDelayExecution (1, {0, 0}, ... 03761 1656 NtDelayExecution (1, {0, 0}, ... 03762 1660 NtDelayExecution (1, {0, 0}, ... 03763 1664 NtDelayExecution (1, {0, 0}, ... 03764 1684 NtDelayExecution (1, {0, 0}, ... 03647 584 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 03765 1688 NtDelayExecution (1, {0, 0}, ... 03766 1692 NtDelayExecution (1, {0, 0}, ... 03767 1152 NtDelayExecution (1, {0, 0}, ... 03768 1332 NtDelayExecution (1, {0, 0}, ... 03769 1592 NtDelayExecution (1, {0, 0}, ... 03770 1600 NtDelayExecution (1, {0, 0}, ... 03771 1632 NtDelayExecution (1, {0, 0}, ... 03772 1748 NtDelayExecution (1, {0, 0}, ... 03773 1588 NtDelayExecution (1, {0, 0}, ... 03774 1640 NtDelayExecution (1, {0, 0}, ... 03775 584 NtSetInformationFile (-2147482072, -128867740, 8, EndOfFile, ... 03646 804 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03776 804 NtQueryValueKey (84, (84, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03777 804 NtQueryValueKey (84, (84, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03778 804 NtQueryValueKey (84, (84, "EnableHttp1_1", Partial, 144, ... , Partial, 144, ... 03648 676 NtDelayExecution ... ) == 0x0 03649 736 NtDelayExecution ... ) == 0x0 03650 800 NtDelayExecution ... ) == 0x0 03651 712 NtDelayExecution ... ) == 0x0 03652 852 NtDelayExecution ... 
) == 0x0 03653 872 NtDelayExecution ... ) == 0x0 03654 876 NtDelayExecution ... ) == 0x0 03655 884 NtDelayExecution ... ) == 0x0 03656 880 NtDelayExecution ... ) == 0x0 03657 892 NtDelayExecution ... ) == 0x0 03658 888 NtDelayExecution ... ) == 0x0 03659 900 NtDelayExecution ... ) == 0x0 03660 896 NtDelayExecution ... ) == 0x0 03661 908 NtDelayExecution ... ) == 0x0 03662 904 NtDelayExecution ... ) == 0x0 03663 924 NtDelayExecution ... ) == 0x0 03664 928 NtDelayExecution ... ) == 0x0 03665 932 NtDelayExecution ... ) == 0x0 03666 936 NtDelayExecution ... ) == 0x0 03667 940 NtDelayExecution ... ) == 0x0 03668 944 NtDelayExecution ... ) == 0x0 03669 948 NtDelayExecution ... ) == 0x0 03670 952 NtDelayExecution ... ) == 0x0 03671 956 NtDelayExecution ... ) == 0x0 03672 960 NtDelayExecution ... ) == 0x0 03673 964 NtDelayExecution ... ) == 0x0 03674 968 NtDelayExecution ... ) == 0x0 03675 972 NtDelayExecution ... ) == 0x0 03676 976 NtDelayExecution ... ) == 0x0 03677 1000 NtDelayExecution ... ) == 0x0 03678 1004 NtDelayExecution ... ) == 0x0 03679 1024 NtDelayExecution ... ) == 0x0 03680 1028 NtDelayExecution ... ) == 0x0 03681 1032 NtDelayExecution ... ) == 0x0 03682 1012 NtDelayExecution ... ) == 0x0 03683 1036 NtDelayExecution ... ) == 0x0 03684 308 NtDelayExecution ... ) == 0x0 03685 1052 NtDelayExecution ... ) == 0x0 03686 1068 NtDelayExecution ... ) == 0x0 03687 1076 NtDelayExecution ... ) == 0x0 03688 1088 NtDelayExecution ... ) == 0x0 03689 1056 NtDelayExecution ... ) == 0x0 03690 1112 NtDelayExecution ... ) == 0x0 03691 1092 NtDelayExecution ... ) == 0x0 03692 1100 NtDelayExecution ... ) == 0x0 03693 1116 NtDelayExecution ... ) == 0x0 03694 1172 NtDelayExecution ... ) == 0x0 03695 1168 NtDelayExecution ... ) == 0x0 03696 1120 NtDelayExecution ... ) == 0x0 03697 1124 NtDelayExecution ... ) == 0x0 03698 1176 NtDelayExecution ... ) == 0x0 03699 1180 NtDelayExecution ... ) == 0x0 03700 1016 NtDelayExecution ... ) == 0x0 03701 1148 NtDelayExecution ... 
) == 0x0 03702 320 NtDelayExecution ... ) == 0x0 03703 324 NtDelayExecution ... ) == 0x0 03704 1184 NtDelayExecution ... ) == 0x0 03705 1188 NtDelayExecution ... ) == 0x0 03706 1096 NtDelayExecution ... ) == 0x0 03707 1200 NtDelayExecution ... ) == 0x0 03708 1212 NtDelayExecution ... ) == 0x0 03709 1220 NtDelayExecution ... ) == 0x0 03710 1232 NtDelayExecution ... ) == 0x0 03711 1244 NtDelayExecution ... ) == 0x0 03712 1248 NtDelayExecution ... ) == 0x0 03713 1252 NtDelayExecution ... ) == 0x0 03714 1256 NtDelayExecution ... ) == 0x0 03715 1260 NtDelayExecution ... ) == 0x0 03716 1264 NtDelayExecution ... ) == 0x0 03717 1272 NtDelayExecution ... ) == 0x0 03718 1276 NtDelayExecution ... ) == 0x0 03719 1296 NtDelayExecution ... ) == 0x0 03720 1300 NtDelayExecution ... ) == 0x0 03721 708 NtDelayExecution ... ) == 0x0 03722 1284 NtDelayExecution ... ) == 0x0 03723 1316 NtDelayExecution ... ) == 0x0 03724 1288 NtDelayExecution ... ) == 0x0 03725 1320 NtDelayExecution ... ) == 0x0 03726 1328 NtDelayExecution ... ) == 0x0 03727 1340 NtDelayExecution ... ) == 0x0 03728 1348 NtDelayExecution ... ) == 0x0 03729 1344 NtDelayExecution ... ) == 0x0 03730 1352 NtDelayExecution ... ) == 0x0 03731 1360 NtDelayExecution ... ) == 0x0 03732 1324 NtDelayExecution ... ) == 0x0 03733 1364 NtDelayExecution ... ) == 0x0 03734 1132 NtDelayExecution ... ) == 0x0 03735 1336 NtDelayExecution ... ) == 0x0 03736 1452 NtDelayExecution ... ) == 0x0 03737 1236 NtDelayExecution ... ) == 0x0 03738 1476 NtDelayExecution ... ) == 0x0 03739 1480 NtDelayExecution ... ) == 0x0 03740 1484 NtDelayExecution ... ) == 0x0 03741 1488 NtDelayExecution ... ) == 0x0 03742 1492 NtDelayExecution ... ) == 0x0 03743 1496 NtDelayExecution ... ) == 0x0 03744 796 NtDelayExecution ... ) == 0x0 03745 1368 NtDelayExecution ... ) == 0x0 03746 1504 NtDelayExecution ... ) == 0x0 03747 1512 NtDelayExecution ... ) == 0x0 03748 1516 NtDelayExecution ... ) == 0x0 03749 1520 NtDelayExecution ... 
) == 0x0 03750 1524 NtDelayExecution ... ) == 0x0 03751 1528 NtDelayExecution ... ) == 0x0 03752 1532 NtDelayExecution ... ) == 0x0 03753 340 NtDelayExecution ... ) == 0x0 03754 1540 NtDelayExecution ... ) == 0x0 03755 1544 NtDelayExecution ... ) == 0x0 03756 1460 NtDelayExecution ... ) == 0x0 03757 1564 NtDelayExecution ... ) == 0x0 03758 1620 NtDelayExecution ... ) == 0x0 03759 1624 NtDelayExecution ... ) == 0x0 03760 1628 NtDelayExecution ... ) == 0x0 03761 1656 NtDelayExecution ... ) == 0x0 03762 1660 NtDelayExecution ... ) == 0x0 03763 1664 NtDelayExecution ... ) == 0x0 03764 1684 NtDelayExecution ... ) == 0x0 03765 1688 NtDelayExecution ... ) == 0x0 03766 1692 NtDelayExecution ... ) == 0x0 03767 1152 NtDelayExecution ... ) == 0x0 03768 1332 NtDelayExecution ... ) == 0x0 03769 1592 NtDelayExecution ... ) == 0x0 03770 1600 NtDelayExecution ... ) == 0x0 03771 1632 NtDelayExecution ... ) == 0x0 03772 1748 NtDelayExecution ... ) == 0x0 03773 1588 NtDelayExecution ... ) == 0x0 03774 1640 NtDelayExecution ... ) == 0x0 03779 676 NtDelayExecution (1, {0, 0}, ... 03780 736 NtDelayExecution (1, {0, 0}, ... 03781 800 NtDelayExecution (1, {0, 0}, ... 03782 712 NtDelayExecution (1, {0, 0}, ... 03783 852 NtDelayExecution (1, {0, 0}, ... 03784 872 NtDelayExecution (1, {0, 0}, ... 03785 876 NtDelayExecution (1, {0, 0}, ... 03786 884 NtDelayExecution (1, {0, 0}, ... 03787 880 NtDelayExecution (1, {0, 0}, ... 03788 892 NtDelayExecution (1, {0, 0}, ... 03789 888 NtDelayExecution (1, {0, 0}, ... 03790 900 NtDelayExecution (1, {0, 0}, ... 03791 896 NtDelayExecution (1, {0, 0}, ... 03792 908 NtDelayExecution (1, {0, 0}, ... 03793 904 NtDelayExecution (1, {0, 0}, ... 03794 924 NtDelayExecution (1, {0, 0}, ... 03795 928 NtDelayExecution (1, {0, 0}, ... 03796 932 NtDelayExecution (1, {0, 0}, ... 03797 936 NtDelayExecution (1, {0, 0}, ... 03798 940 NtDelayExecution (1, {0, 0}, ... 03799 944 NtDelayExecution (1, {0, 0}, ... 03800 948 NtDelayExecution (1, {0, 0}, ... 
03801 952 NtDelayExecution (1, {0, 0}, ... 03802 956 NtDelayExecution (1, {0, 0}, ... 03803 960 NtDelayExecution (1, {0, 0}, ... 03804 964 NtDelayExecution (1, {0, 0}, ... 03805 968 NtDelayExecution (1, {0, 0}, ... 03806 972 NtDelayExecution (1, {0, 0}, ... 03807 976 NtDelayExecution (1, {0, 0}, ... 03808 1000 NtDelayExecution (1, {0, 0}, ... 03809 1004 NtDelayExecution (1, {0, 0}, ... 03810 1024 NtDelayExecution (1, {0, 0}, ... 03811 1028 NtDelayExecution (1, {0, 0}, ... 03812 1032 NtDelayExecution (1, {0, 0}, ... 03813 1012 NtDelayExecution (1, {0, 0}, ... 03814 1036 NtDelayExecution (1, {0, 0}, ... 03815 308 NtDelayExecution (1, {0, 0}, ... 03816 1052 NtDelayExecution (1, {0, 0}, ... 03817 1068 NtDelayExecution (1, {0, 0}, ... 03818 1076 NtDelayExecution (1, {0, 0}, ... 03819 1088 NtDelayExecution (1, {0, 0}, ... 03820 1056 NtDelayExecution (1, {0, 0}, ... 03821 1112 NtDelayExecution (1, {0, 0}, ... 03822 1092 NtDelayExecution (1, {0, 0}, ... 03823 1100 NtDelayExecution (1, {0, 0}, ... 03824 1116 NtDelayExecution (1, {0, 0}, ... 03825 1172 NtDelayExecution (1, {0, 0}, ... 03826 1168 NtDelayExecution (1, {0, 0}, ... 03827 1120 NtDelayExecution (1, {0, 0}, ... 03828 1124 NtDelayExecution (1, {0, 0}, ... 03829 1176 NtDelayExecution (1, {0, 0}, ... 03830 1180 NtDelayExecution (1, {0, 0}, ... 03831 1016 NtDelayExecution (1, {0, 0}, ... 03832 1148 NtDelayExecution (1, {0, 0}, ... 03833 320 NtDelayExecution (1, {0, 0}, ... 03834 324 NtDelayExecution (1, {0, 0}, ... 03835 1184 NtDelayExecution (1, {0, 0}, ... 03836 1188 NtDelayExecution (1, {0, 0}, ... 03837 1096 NtDelayExecution (1, {0, 0}, ... 03838 1200 NtDelayExecution (1, {0, 0}, ... 03839 1212 NtDelayExecution (1, {0, 0}, ... 03840 1220 NtDelayExecution (1, {0, 0}, ... 03841 1232 NtDelayExecution (1, {0, 0}, ... 03842 1244 NtDelayExecution (1, {0, 0}, ... 03843 1248 NtDelayExecution (1, {0, 0}, ... 03844 1252 NtDelayExecution (1, {0, 0}, ... 03845 1256 NtDelayExecution (1, {0, 0}, ... 
03846 1260 NtDelayExecution (1, {0, 0}, ... 03775 584 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03847 1264 NtDelayExecution (1, {0, 0}, ... 03848 1272 NtDelayExecution (1, {0, 0}, ... 03849 1276 NtDelayExecution (1, {0, 0}, ... 03850 1296 NtDelayExecution (1, {0, 0}, ... 03851 1300 NtDelayExecution (1, {0, 0}, ... 03852 708 NtDelayExecution (1, {0, 0}, ... 03853 1284 NtDelayExecution (1, {0, 0}, ... 03854 1316 NtDelayExecution (1, {0, 0}, ... 03855 1288 NtDelayExecution (1, {0, 0}, ... 03856 1320 NtDelayExecution (1, {0, 0}, ... 03857 1328 NtDelayExecution (1, {0, 0}, ... 03858 1340 NtDelayExecution (1, {0, 0}, ... 03859 1348 NtDelayExecution (1, {0, 0}, ... 03860 1344 NtDelayExecution (1, {0, 0}, ... 03861 1352 NtDelayExecution (1, {0, 0}, ... 03862 1360 NtDelayExecution (1, {0, 0}, ... 03863 1324 NtDelayExecution (1, {0, 0}, ... 03864 1364 NtDelayExecution (1, {0, 0}, ... 03865 1132 NtDelayExecution (1, {0, 0}, ... 03866 1336 NtDelayExecution (1, {0, 0}, ... 03867 1452 NtDelayExecution (1, {0, 0}, ... 03868 1236 NtDelayExecution (1, {0, 0}, ... 03869 1476 NtDelayExecution (1, {0, 0}, ... 03870 1480 NtDelayExecution (1, {0, 0}, ... 03871 1484 NtDelayExecution (1, {0, 0}, ... 03872 1488 NtDelayExecution (1, {0, 0}, ... 03873 1492 NtDelayExecution (1, {0, 0}, ... 03874 1496 NtDelayExecution (1, {0, 0}, ... 03875 796 NtDelayExecution (1, {0, 0}, ... 03876 1368 NtDelayExecution (1, {0, 0}, ... 03877 1504 NtDelayExecution (1, {0, 0}, ... 03878 1512 NtDelayExecution (1, {0, 0}, ... 03879 1516 NtDelayExecution (1, {0, 0}, ... 03880 1520 NtDelayExecution (1, {0, 0}, ... 03881 1524 NtDelayExecution (1, {0, 0}, ... 03882 1528 NtDelayExecution (1, {0, 0}, ... 03883 1532 NtDelayExecution (1, {0, 0}, ... 03884 340 NtDelayExecution (1, {0, 0}, ... 03885 1540 NtDelayExecution (1, {0, 0}, ... 03886 1544 NtDelayExecution (1, {0, 0}, ... 03887 1460 NtDelayExecution (1, {0, 0}, ... 03888 1564 NtDelayExecution (1, {0, 0}, ... 03889 1620 NtDelayExecution (1, {0, 0}, ... 
03890 1624 NtDelayExecution (1, {0, 0}, ... 03891 1628 NtDelayExecution (1, {0, 0}, ... 03892 1656 NtDelayExecution (1, {0, 0}, ... 03893 1660 NtDelayExecution (1, {0, 0}, ... 03894 1664 NtDelayExecution (1, {0, 0}, ... 03895 1684 NtDelayExecution (1, {0, 0}, ... 03896 1688 NtDelayExecution (1, {0, 0}, ... 03897 1692 NtDelayExecution (1, {0, 0}, ... 03898 1152 NtDelayExecution (1, {0, 0}, ... 03899 1332 NtDelayExecution (1, {0, 0}, ... 03900 1592 NtDelayExecution (1, {0, 0}, ... 03901 1600 NtDelayExecution (1, {0, 0}, ... 03902 1632 NtDelayExecution (1, {0, 0}, ... 03903 1748 NtDelayExecution (1, {0, 0}, ... 03904 1588 NtDelayExecution (1, {0, 0}, ... 03905 1640 NtDelayExecution (1, {0, 0}, ... 03906 584 NtCreateSection (0x5, 0x0, {46592, 0}, 2, 134217728, -2147482068, ... 872, ) == 0x0 03907 584 NtMapViewOfSection (872, -1, (0x0), 0, 0, {0, 0}, 46592, 2, 0, 2, ... (0xc80000), {0, 0}, 49152, ) == 0x0 03908 584 NtWriteFile (-2147482072, 0, 0, 0, (-2147482072, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS 
mode.\15\15\12$\0\0\0\0\0\0\0\373\225\346S\277\364\210\0\277\364\210\0\277\364\210\0E\327\310\0\275\364\210\0\277\364\211\0$\364\210\0E\327\221\0\252\364\210\0e\327\225\0\275\364\210\0(\327\315\0\276\364\210\0e\327\224\0\251\364\210\0E\327\265\0\276\364\210\0Rich\277\364\210\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\08\204};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0H\0\0\0n\0\0\0\0\0\0\34F\0\0\0\20\0\0\0`\0\0\0\0\0\1\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\0\0\0\4\0\0\246\20\1\0\2\0\0\200\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0XJ\0\0\334\0\0\0\0p\0\0@f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0H\2\0\0\324\0\0\0\0\20\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0jG\0\0\0\20\0\0\0H\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 46592, {0, 0}, 0, ... , 46592, {0, 0}, 0, ... 03778 804 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03909 804 NtQueryValueKey (84, (84, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03910 804 NtQueryValueKey (84, (84, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03911 804 NtRequestWaitReplyPort (224, {28, 52, new_msg, 0, 0, 0, 0, 0} (224, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2X ... ... 03779 676 NtDelayExecution ... ) == 0x0 03780 736 NtDelayExecution ... ) == 0x0 03781 800 NtDelayExecution ... ) == 0x0 03782 712 NtDelayExecution ... ) == 0x0 03783 852 NtDelayExecution ... ) == 0x0 03784 872 NtDelayExecution ... ) == 0x0 03785 876 NtDelayExecution ... ) == 0x0 03786 884 NtDelayExecution ... ) == 0x0 03787 880 NtDelayExecution ... ) == 0x0 03788 892 NtDelayExecution ... 
) == 0x0 03789 888 NtDelayExecution ... ) == 0x0 03790 900 NtDelayExecution ... ) == 0x0 03791 896 NtDelayExecution ... ) == 0x0 03792 908 NtDelayExecution ... ) == 0x0 03793 904 NtDelayExecution ... ) == 0x0 03794 924 NtDelayExecution ... ) == 0x0 03795 928 NtDelayExecution ... ) == 0x0 03796 932 NtDelayExecution ... ) == 0x0 03797 936 NtDelayExecution ... ) == 0x0 03798 940 NtDelayExecution ... ) == 0x0 03799 944 NtDelayExecution ... ) == 0x0 03800 948 NtDelayExecution ... ) == 0x0 03801 952 NtDelayExecution ... ) == 0x0 03802 956 NtDelayExecution ... ) == 0x0 03803 960 NtDelayExecution ... ) == 0x0 03804 964 NtDelayExecution ... ) == 0x0 03805 968 NtDelayExecution ... ) == 0x0 03806 972 NtDelayExecution ... ) == 0x0 03807 976 NtDelayExecution ... ) == 0x0 03808 1000 NtDelayExecution ... ) == 0x0 03809 1004 NtDelayExecution ... ) == 0x0 03810 1024 NtDelayExecution ... ) == 0x0 03811 1028 NtDelayExecution ... ) == 0x0 03812 1032 NtDelayExecution ... ) == 0x0 03813 1012 NtDelayExecution ... ) == 0x0 03814 1036 NtDelayExecution ... ) == 0x0 03815 308 NtDelayExecution ... ) == 0x0 03816 1052 NtDelayExecution ... ) == 0x0 03817 1068 NtDelayExecution ... ) == 0x0 03818 1076 NtDelayExecution ... ) == 0x0 03819 1088 NtDelayExecution ... ) == 0x0 03820 1056 NtDelayExecution ... ) == 0x0 03821 1112 NtDelayExecution ... ) == 0x0 03822 1092 NtDelayExecution ... ) == 0x0 03823 1100 NtDelayExecution ... ) == 0x0 03824 1116 NtDelayExecution ... ) == 0x0 03825 1172 NtDelayExecution ... ) == 0x0 03826 1168 NtDelayExecution ... ) == 0x0 03827 1120 NtDelayExecution ... ) == 0x0 03828 1124 NtDelayExecution ... ) == 0x0 03829 1176 NtDelayExecution ... ) == 0x0 03830 1180 NtDelayExecution ... ) == 0x0 03831 1016 NtDelayExecution ... ) == 0x0 03832 1148 NtDelayExecution ... ) == 0x0 03833 320 NtDelayExecution ... ) == 0x0 03834 324 NtDelayExecution ... ) == 0x0 03835 1184 NtDelayExecution ... ) == 0x0 03836 1188 NtDelayExecution ... ) == 0x0 03837 1096 NtDelayExecution ... 
) == 0x0 03838 1200 NtDelayExecution ... ) == 0x0 03839 1212 NtDelayExecution ... ) == 0x0 03840 1220 NtDelayExecution ... ) == 0x0 03841 1232 NtDelayExecution ... ) == 0x0 03842 1244 NtDelayExecution ... ) == 0x0 03843 1248 NtDelayExecution ... ) == 0x0 03844 1252 NtDelayExecution ... ) == 0x0 03845 1256 NtDelayExecution ... ) == 0x0 03846 1260 NtDelayExecution ... ) == 0x0 03847 1264 NtDelayExecution ... ) == 0x0 03848 1272 NtDelayExecution ... ) == 0x0 03849 1276 NtDelayExecution ... ) == 0x0 03850 1296 NtDelayExecution ... ) == 0x0 03851 1300 NtDelayExecution ... ) == 0x0 03852 708 NtDelayExecution ... ) == 0x0 03853 1284 NtDelayExecution ... ) == 0x0 03854 1316 NtDelayExecution ... ) == 0x0 03855 1288 NtDelayExecution ... ) == 0x0 03856 1320 NtDelayExecution ... ) == 0x0 03857 1328 NtDelayExecution ... ) == 0x0 03858 1340 NtDelayExecution ... ) == 0x0 03859 1348 NtDelayExecution ... ) == 0x0 03860 1344 NtDelayExecution ... ) == 0x0 03861 1352 NtDelayExecution ... ) == 0x0 03862 1360 NtDelayExecution ... ) == 0x0 03863 1324 NtDelayExecution ... ) == 0x0 03864 1364 NtDelayExecution ... ) == 0x0 03865 1132 NtDelayExecution ... ) == 0x0 03866 1336 NtDelayExecution ... ) == 0x0 03867 1452 NtDelayExecution ... ) == 0x0 03868 1236 NtDelayExecution ... ) == 0x0 03869 1476 NtDelayExecution ... ) == 0x0 03870 1480 NtDelayExecution ... ) == 0x0 03871 1484 NtDelayExecution ... ) == 0x0 03872 1488 NtDelayExecution ... ) == 0x0 03873 1492 NtDelayExecution ... ) == 0x0 03874 1496 NtDelayExecution ... ) == 0x0 03875 796 NtDelayExecution ... ) == 0x0 03876 1368 NtDelayExecution ... ) == 0x0 03877 1504 NtDelayExecution ... ) == 0x0 03878 1512 NtDelayExecution ... ) == 0x0 03879 1516 NtDelayExecution ... ) == 0x0 03880 1520 NtDelayExecution ... ) == 0x0 03881 1524 NtDelayExecution ... ) == 0x0 03882 1528 NtDelayExecution ... ) == 0x0 03883 1532 NtDelayExecution ... ) == 0x0 03884 340 NtDelayExecution ... ) == 0x0 03885 1540 NtDelayExecution ... 
) == 0x0 03886 1544 NtDelayExecution ... ) == 0x0 03887 1460 NtDelayExecution ... ) == 0x0 03888 1564 NtDelayExecution ... ) == 0x0 03889 1620 NtDelayExecution ... ) == 0x0 03890 1624 NtDelayExecution ... ) == 0x0 03891 1628 NtDelayExecution ... ) == 0x0 03892 1656 NtDelayExecution ... ) == 0x0 03893 1660 NtDelayExecution ... ) == 0x0 03894 1664 NtDelayExecution ... ) == 0x0 03895 1684 NtDelayExecution ... ) == 0x0 03896 1688 NtDelayExecution ... ) == 0x0 03897 1692 NtDelayExecution ... ) == 0x0 03898 1152 NtDelayExecution ... ) == 0x0 03899 1332 NtDelayExecution ... ) == 0x0 03900 1592 NtDelayExecution ... ) == 0x0 03901 1600 NtDelayExecution ... ) == 0x0 03902 1632 NtDelayExecution ... ) == 0x0 03903 1748 NtDelayExecution ... ) == 0x0 03904 1588 NtDelayExecution ... ) == 0x0 03905 1640 NtDelayExecution ... ) == 0x0 03912 676 NtDelayExecution (1, {0, 0}, ... 03913 736 NtDelayExecution (1, {0, 0}, ... 03914 800 NtDelayExecution (1, {0, 0}, ... 03915 712 NtDelayExecution (1, {0, 0}, ... 03916 852 NtDelayExecution (1, {0, 0}, ... 03917 872 NtDelayExecution (1, {0, 0}, ... 03918 876 NtDelayExecution (1, {0, 0}, ... 03919 884 NtDelayExecution (1, {0, 0}, ... 03920 880 NtDelayExecution (1, {0, 0}, ... 03921 892 NtDelayExecution (1, {0, 0}, ... 03922 888 NtDelayExecution (1, {0, 0}, ... 03923 900 NtDelayExecution (1, {0, 0}, ... 03924 896 NtDelayExecution (1, {0, 0}, ... 03925 908 NtDelayExecution (1, {0, 0}, ... 03926 904 NtDelayExecution (1, {0, 0}, ... 03927 924 NtDelayExecution (1, {0, 0}, ... 03928 928 NtDelayExecution (1, {0, 0}, ... 03929 932 NtDelayExecution (1, {0, 0}, ... 03930 936 NtDelayExecution (1, {0, 0}, ... 03931 940 NtDelayExecution (1, {0, 0}, ... 03932 944 NtDelayExecution (1, {0, 0}, ... 03933 948 NtDelayExecution (1, {0, 0}, ... 03934 952 NtDelayExecution (1, {0, 0}, ... 03935 956 NtDelayExecution (1, {0, 0}, ... 03936 960 NtDelayExecution (1, {0, 0}, ... 03937 964 NtDelayExecution (1, {0, 0}, ... 03938 968 NtDelayExecution (1, {0, 0}, ... 
03939 972 NtDelayExecution (1, {0, 0}, ... 03940 976 NtDelayExecution (1, {0, 0}, ... 03941 1000 NtDelayExecution (1, {0, 0}, ... 03942 1004 NtDelayExecution (1, {0, 0}, ... 03943 1024 NtDelayExecution (1, {0, 0}, ... 03944 1028 NtDelayExecution (1, {0, 0}, ... 03945 1032 NtDelayExecution (1, {0, 0}, ... 03946 1012 NtDelayExecution (1, {0, 0}, ... 03947 1036 NtDelayExecution (1, {0, 0}, ... 03948 308 NtDelayExecution (1, {0, 0}, ... 03949 1052 NtDelayExecution (1, {0, 0}, ... 03950 1068 NtDelayExecution (1, {0, 0}, ... 03951 1076 NtDelayExecution (1, {0, 0}, ... 03952 1088 NtDelayExecution (1, {0, 0}, ... 03953 1056 NtDelayExecution (1, {0, 0}, ... 03954 1112 NtDelayExecution (1, {0, 0}, ... 03955 1092 NtDelayExecution (1, {0, 0}, ... 03956 1100 NtDelayExecution (1, {0, 0}, ... 03957 1116 NtDelayExecution (1, {0, 0}, ... 03958 1172 NtDelayExecution (1, {0, 0}, ... 03959 1168 NtDelayExecution (1, {0, 0}, ... 03960 1120 NtDelayExecution (1, {0, 0}, ... 03961 1124 NtDelayExecution (1, {0, 0}, ... 03962 1176 NtDelayExecution (1, {0, 0}, ... 03963 1180 NtDelayExecution (1, {0, 0}, ... 03964 1016 NtDelayExecution (1, {0, 0}, ... 03965 1148 NtDelayExecution (1, {0, 0}, ... 03966 320 NtDelayExecution (1, {0, 0}, ... 03967 324 NtDelayExecution (1, {0, 0}, ... 03968 1184 NtDelayExecution (1, {0, 0}, ... 03969 1188 NtDelayExecution (1, {0, 0}, ... 03970 1096 NtDelayExecution (1, {0, 0}, ... 03971 1200 NtDelayExecution (1, {0, 0}, ... 03972 1212 NtDelayExecution (1, {0, 0}, ... 03973 1220 NtDelayExecution (1, {0, 0}, ... 03974 1232 NtDelayExecution (1, {0, 0}, ... 03975 1244 NtDelayExecution (1, {0, 0}, ... 03976 1248 NtDelayExecution (1, {0, 0}, ... 03977 1252 NtDelayExecution (1, {0, 0}, ... 03978 1256 NtDelayExecution (1, {0, 0}, ... 03979 1260 NtDelayExecution (1, {0, 0}, ... 03980 1264 NtDelayExecution (1, {0, 0}, ... 03981 1272 NtDelayExecution (1, {0, 0}, ... 03982 1276 NtDelayExecution (1, {0, 0}, ... 03983 1296 NtDelayExecution (1, {0, 0}, ... 
03984 1300 NtDelayExecution (1, {0, 0}, ... 03985 708 NtDelayExecution (1, {0, 0}, ... 03986 1284 NtDelayExecution (1, {0, 0}, ... 03987 1316 NtDelayExecution (1, {0, 0}, ... 03988 1288 NtDelayExecution (1, {0, 0}, ... 03989 1320 NtDelayExecution (1, {0, 0}, ... 03990 1328 NtDelayExecution (1, {0, 0}, ... 03991 1340 NtDelayExecution (1, {0, 0}, ... 03992 1348 NtDelayExecution (1, {0, 0}, ... 03993 1344 NtDelayExecution (1, {0, 0}, ... 03994 1352 NtDelayExecution (1, {0, 0}, ... 03995 1360 NtDelayExecution (1, {0, 0}, ... 03996 1324 NtDelayExecution (1, {0, 0}, ... 03997 1364 NtDelayExecution (1, {0, 0}, ... 03998 1132 NtDelayExecution (1, {0, 0}, ... 03999 1336 NtDelayExecution (1, {0, 0}, ... 04000 1452 NtDelayExecution (1, {0, 0}, ... 04001 1236 NtDelayExecution (1, {0, 0}, ... 04002 1476 NtDelayExecution (1, {0, 0}, ... 04003 1480 NtDelayExecution (1, {0, 0}, ... 04004 1484 NtDelayExecution (1, {0, 0}, ... 04005 1488 NtDelayExecution (1, {0, 0}, ... 04006 1492 NtDelayExecution (1, {0, 0}, ... 04007 1496 NtDelayExecution (1, {0, 0}, ... 04008 796 NtDelayExecution (1, {0, 0}, ... 04009 1368 NtDelayExecution (1, {0, 0}, ... 04010 1504 NtDelayExecution (1, {0, 0}, ... 04011 1512 NtDelayExecution (1, {0, 0}, ... 04012 1516 NtDelayExecution (1, {0, 0}, ... 04013 1520 NtDelayExecution (1, {0, 0}, ... 04014 1524 NtDelayExecution (1, {0, 0}, ... 04015 1528 NtDelayExecution (1, {0, 0}, ... 04016 1532 NtDelayExecution (1, {0, 0}, ...