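Summary (system call name and number of times it was called; sorted by ascending count, read down each of the four columns in turn):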

NtAccessCheck(>) 1 NtGdiCreateBitmap(>) 2 NtConnectPort(>) 5 NtUserCallOneParam(>) 23
NtAddAtom(>) 1 NtGdiCreatePatternBrushInternal(>) 2 NtCreateMutant(>) 5 NtCreateSection(>) 28
NtCreateSemaphore(>) 1 NtGdiCreateSolidBrush(>) 2 NtDelayExecution(>) 5 NtQuerySystemInformation(>) 29
NtEnumerateValueKey(>) 1 NtGdiDoPalette(>) 2 NtGdiDeleteObjectApp(>) 5 NtOpenSection(>) 30
NtGdiBitBlt(>) 1 NtGdiGetDIBitsInternal(>) 2 NtGdiGetStockObject(>) 5 NtOpenFile(>) 35
NtGdiCreateCompatibleBitmap(>) 1 NtGdiHfontCreate(>) 2 NtQueryDefaultUILanguage(>) 6 NtQueryInformationFile(>) 35
NtGdiCreateDIBitmapInternal(>) 1 NtGdiStretchDIBitsInternal(>) 2 NtCreateKey(>) 7 NtUserGetClassInfo(>) 37
NtGdiInit(>) 1 NtNotifyChangeKey(>) 2 NtFsControlFile(>) 7 NtMapViewOfSection(>) 51
NtGdiQueryFontAssocInfo(>) 1 NtOpenDirectoryObject(>) 2 NtQueryVolumeInformationFile(>) 7 NtUserFindExistingCursorIcon(>) 51
NtOpenKeyedEvent(>) 1 NtOpenEvent(>) 2 NtUserCallNoParam(>) 7 NtQueryAttributesFile(>) 54
NtOpenProcess(>) 1 NtQueryInstallUILanguage(>) 2 NtFlushInstructionCache(>) 8 NtUserRegisterClassExWOW(>) 64
NtOpenSymbolicLinkObject(>) 1 NtQuerySystemTime(>) 2 NtOpenProcessTokenEx(>) 8 NtCreateEvent(>) 70
NtQueryObject(>) 1 NtQueryVirtualMemory(>) 2 NtOpenThreadTokenEx(>) 8 NtContinue(>) 93
NtQuerySymbolicLinkObject(>) 1 NtUserCreateWindowEx(>) 2 NtQueryDebugFilterState(>) 8 NtOpenKey(>) 116
NtReleaseSemaphore(>) 1 NtUserGetThreadDesktop(>) 2 NtReadFile(>) 8 NtQueryInformationThread(>) 153
NtSecureConnectPort(>) 1 NtUserMessageCall(>) 2 NtGdiSelectBitmap(>) 9 NtResumeThread(>) 154
NtSetEvent(>) 1 NtGdiExtGetObjectW(>) 3 NtOpenThreadToken(>) 9 NtCreateThread(>) 157
NtUserGetAncestor(>) 1 NtOpenProcessToken(>) 3 NtSetInformationThread(>) 9 NtProtectVirtualMemory(>) 167
NtUserGetClassName(>) 1 NtQueryDefaultLocale(>) 3 NtWriteFile(>) 10 NtDuplicateObject(>) 175
NtUserGetGUIThreadInfo(>) 1 NtSetInformationObject(>) 3 NtQueryDirectoryFile(>) 11 NtRequestWaitReplyPort(>) 176
NtUserGetIconInfo(>) 1 NtSetValueKey(>) 3 NtQueryInformationToken(>) 11 NtRegisterThreadTerminatePort(>) 181
NtUserGetIconSize(>) 1 NtUserGetDC(>) 3 NtUserSystemParametersInfo(>) 11 NtTestAlert(>) 181
NtUserGetProcessWindowStation(>) 1 NtUserGetObjectInformation(>) 3 NtQuerySection(>) 14 NtOpenMutant(>) 200
NtUserRemoveProp(>) 1 NtUserRegisterWindowMessage(>) 3 NtUnmapViewOfSection(>) 14 NtQueryValueKey(>) 211
NtUserSetCursorIconData(>) 1 NtCreateIoCompletion(>) 4 NtSetInformationFile(>) 15 NtClose(>) 225
NtUserSetProp(>) 1 NtFreeVirtualMemory(>) 4 NtDeviceIoControlFile(>) 16 NtSetEventBoostPriority(>) 544
NtUserSetWindowPos(>) 1 NtGdiCreateCompatibleDC(>) 4 NtCreateFile(>) 19 NtAllocateVirtualMemory(>) 550
NtCallbackReturn(>) 2 NtQueryInformationProcess(>) 4 NtUserGetWindowDC(>) 19 NtWaitForSingleObject(>) 843

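Trace (each record: sequence number, thread ID, system call with its arguments, then "==" and the returned status):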

00001 484 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 484 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 484 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 4521984, 2097152, ) == 0x0 00005 484 NtAllocateVirtualMemory (-1, 4521984, 0, 4096, 4096, 4, ... 4521984, 4096, ) == 0x0 00006 484 NtAllocateVirtualMemory (-1, 4526080, 0, 8192, 4096, 4, ... 4526080, 8192, ) == 0x0 00007 484 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 484 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 484 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 484 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 484 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 484 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 484 NtClose (12, ... 
) == 0x0 00014 484 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 484 NtQueryVolumeInformationFile (12, 2292424, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 484 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292408, ... ) }, 2292408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 484 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 484 NtClose (16, ... ) == 0x0 00021 484 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 484 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 484 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 484 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) == 0x0 00025 484 NtClose (16, ... ) == 0x0 00026 484 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 484 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 484 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 484 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 484 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 480, 484, 1533, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ) ... {28, 56, reply, 0, 480, 484, 1533, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 480, 484, 1533, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ) ) == 0x0 00032 484 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 484 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 484 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 484 NtClose (16, ... ) == 0x0 00036 484 NtAllocateVirtualMemory (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0 00037 484 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 484 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 484 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 484 NtClose (28, ... ) == 0x0 00041 484 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 484 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 484 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 484 NtClose (28, ... ) == 0x0 00045 484 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 484 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 484 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 484 NtClose (28, ... ) == 0x0 00049 484 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 484 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 484 NtClose (28, ... ) == 0x0 00052 484 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 484 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 484 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... 
{28, 56, reply, 0, 480, 484, 1539, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1539, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... {28, 56, reply, 0, 480, 484, 1539, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ) ) == 0x0 00056 484 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00057 484 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0 00058 484 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00059 484 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 484 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 484 NtClose (28, ... ) == 0x0 00062 484 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 484 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 484 NtClose (28, ... ) == 0x0 00065 484 NtTestAlert (... ) == 0x0 00066 484 NtContinue (2293040, 1, ... 00067 484 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0 00068 484 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 484 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 484 NtClose (28, ... ) == 0x0 00071 484 NtAllocateVirtualMemory (-1, 4534272, 0, 4096, 4096, 4, ... 
4534272, 4096, ) == 0x0 00072 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00073 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00074 484 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == 0x0 00076 484 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00077 484 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00078 484 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00079 484 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00080 484 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00081 484 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00082 484 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00083 484 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 484 NtClose (40, ... ) == 0x0 00085 484 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00086 484 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
40, ) == 0x0 00087 484 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00088 484 NtClose (40, ... ) == 0x0 00089 484 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00090 484 NtClose (36, ... ) == 0x0 00091 484 NtClose (28, ... ) == 0x0 00092 484 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73d90000), 0x0, 159744, ) == 0x0 00093 484 NtClose (32, ... ) == 0x0 00094 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2288964, ... ) }, 2288964, ... ) == 0x0 00095 484 NtAllocateVirtualMemory (-1, 4538368, 0, 4096, 4096, 4, ... 4538368, 4096, ) == 0x0 00096 484 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00097 484 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 480, 484, 1573, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ... {40, 68, reply, 0, 480, 484, 1573, 0} (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 480, 484, 1573, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00098 484 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 480, 484, 1573, 0} (24, {40, 68, new_msg, 0, 480, 484, 1573, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 480, 484, 1574, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ... 
{40, 68, reply, 0, 480, 484, 1574, 0} (24, {40, 68, new_msg, 0, 480, 484, 1573, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 480, 484, 1574, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00099 484 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 32, ) }, ... 32, ) == 0x0 00100 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00103 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00110 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00112 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00114 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00115 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00118 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00120 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00121 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00122 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00123 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00125 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00131 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00133 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00134 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00135 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00136 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00137 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00138 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00139 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00141 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00143 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00144 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00146 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00147 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00148 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00149 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00150 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00151 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00152 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00153 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00155 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00156 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00157 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00158 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00159 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00161 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00162 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00163 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00165 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00166 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00167 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00169 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00170 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00171 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00172 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00173 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00175 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00180 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00182 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00183 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00185 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00186 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00187 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00188 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00190 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00191 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00194 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00195 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00196 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00198 484 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00199 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 6619136, 2097152, ) == 0x0 00200 484 NtAllocateVirtualMemory (-1, 8708096, 0, 8192, 4096, 4, ... 8708096, 8192, ) == 0x0 00201 484 NtProtectVirtualMemory (-1, (0x84e000), 4096, 260, ... 
(0x84e000), 4096, 4, ) == 0x0 00202 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292500, 2293216, 1, ... 28, {480, 712}, ) == 0x0 00203 484 NtQueryInformationThread (28, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=480,Tid=712,}, 0x0, ) == 0x0 00204 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} "\0\0\0\0\1\0\1\0p#E\0\0\0\0\0\34\0\0\0\340\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 480, 484, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\340\1\0\0\310\2\0\0" ) ... {28, 56, reply, 0, 480, 484, 1575, 0} (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} "\0\0\0\0\1\0\1\0p#E\0\0\0\0\0\34\0\0\0\340\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 480, 484, 1575, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0\340\1\0\0\310\2\0\0" ) ) == 0x0 00205 484 NtResumeThread (28, ... 1, ) == 0x0 00206 712 NtTestAlert (... ) == 0x0 00207 712 NtContinue (8715568, 1, ... 00208 712 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00209 484 NtContinue (2292976, 0, ... 00210 484 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00211 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00212 484 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00213 484 NtClose (36, ... ) == 0x0 00214 712 NtCreateEvent (0x100003, 0x0, 1, 0, ... 36, ) == 0x0 00215 712 NtWaitForSingleObject (36, 0, 0x0, ... 00216 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 40, ) }, ... 40, ) == 0x0 00217 484 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00218 484 NtClose (40, ... ) == 0x0 00219 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 40, ) }, ... 
40, ) == 0x0 00220 484 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00221 484 NtClose (40, ... ) == 0x0 00222 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 40, ) }, ... 40, ) == 0x0 00223 484 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00224 484 NtClose (40, ... ) == 0x0 00225 484 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 40, ) }, ... 40, ) == 0x0 00226 484 NtQueryValueKey (40, (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00227 484 NtQueryValueKey (40, (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (40, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00228 484 NtClose (40, ... ) == 0x0 00229 484 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 40, ) }, ... 40, ) == 0x0 00230 484 NtQueryValueKey (40, (40, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00231 484 NtClose (40, ... ) == 0x0 00232 484 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 40, ) }, ... 40, ) == 0x0 00233 484 NtSetInformationObject (40, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00234 484 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 484 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00236 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0} "\210\6\36\1\0\0\0\0\314\4#\0\374\207\16\366\3\0\0\0\234\6\36\1$\1\0\0" ... {28, 56, reply, 0, 480, 484, 1576, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\36\1$\1\0\0" ) ... {28, 56, reply, 0, 480, 484, 1576, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0} "\210\6\36\1\0\0\0\0\314\4#\0\374\207\16\366\3\0\0\0\234\6\36\1$\1\0\0" ... {28, 56, reply, 0, 480, 484, 1576, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\36\1$\1\0\0" ) ) == 0x0 00237 484 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 484 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x850000), 0x0, 1060864, ) == 0x0 00239 484 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0 00240 484 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00241 484 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00242 484 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00243 484 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00244 484 NtClose (-2147482020, ... ) == 0x0 00245 484 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 9830400, 4096, ) == 0x0 00246 484 NtFreeVirtualMemory (-1, (0x960000), 4096, 32768, ... (0x960000), 4096, ) == 0x0 00247 484 NtDuplicateObject (-1, 52, -1, 0x0, 0, 2, ... 
60, ) == 0x0 00248 484 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00249 484 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 484 NtClose (-2147482020, ... ) == 0x0 00251 484 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00252 484 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 484 NtClose (-2147482020, ... ) == 0x0 00254 484 NtQueryDefaultLocale (0, -136181236, ... ) == 0x0 00255 484 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00256 484 NtUserCallNoParam (24, ... ) == 0x0 00257 484 NtGdiCreateCompatibleDC (0, ... 00258 484 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9830400, 4096, ) == 0x0 00257 484 NtGdiCreateCompatibleDC ... ) == 0xe010451 00259 484 NtGdiGetStockObject (0, ... ) == 0x1900010 00260 484 NtGdiGetStockObject (4, ... ) == 0x1900011 00261 484 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb050458 00262 484 NtGdiCreateSolidBrush (0, 0, ... 00263 484 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 13041664, 4096, ) == 0x0 00262 484 NtGdiCreateSolidBrush ... ) == 0x810045b 00264 484 NtGdiGetStockObject (13, ... ) == 0x18a0021 00265 484 NtGdiCreateCompatibleDC (0, ... ) == 0x601045c 00266 484 NtGdiSelectBitmap (100729948, 184878168, ... ) == 0x185000f 00267 484 NtUserGetThreadDesktop (484, 0, ... ) == 0x38 00268 484 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 64, ) }, ... 
64, ) == 0x0 00269 484 NtQueryValueKey (64, (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00270 484 NtClose (64, ... ) == 0x0 00271 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00272 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 673, 128, 0, ... ) == 0x810cc017 00273 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00274 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 674, 128, 0, ... ) == 0x810cc01c 00275 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00276 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 675, 128, 0, ... ) == 0x810cc01e 00277 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00278 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 676, 128, 0, ... ) == 0x810c8002 00279 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10013 00280 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 677, 128, 0, ... ) == 0x810cc018 00281 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00282 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 678, 128, 0, ... ) == 0x810cc01a 00283 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00284 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 679, 128, 0, ... ) == 0x810cc01d 00285 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00286 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 681, 128, 0, ... ) == 0x810cc026 00287 484 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00288 484 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 680, 128, 0, ... 
) == 0x810cc019 00289 484 NtUserRegisterClassExWOW (2289860, 2289940, 2289924, 2289956, 0, 128, 0, ... ) == 0x810cc020 00290 484 NtUserRegisterClassExWOW (2289860, 2289936, 2289952, 2289924, 0, 130, 0, ... ) == 0x810cc022 00291 484 NtUserRegisterClassExWOW (2289860, 2289940, 2289924, 2289956, 0, 128, 0, ... ) == 0x810cc023 00292 484 NtUserRegisterClassExWOW (2289860, 2289936, 2289952, 2289924, 0, 130, 0, ... ) == 0x810cc024 00293 484 NtUserRegisterClassExWOW (2289860, 2289940, 2289924, 2289956, 0, 128, 0, ... 00294 484 NtAllocateVirtualMemory (-1, 10006528, 0, 4096, 4096, 32, ... 10006528, 4096, ) == 0x0 00293 484 NtUserRegisterClassExWOW ... ) == 0x810cc025 00295 484 NtCallbackReturn (0, 0, 0, ... 00296 484 NtGdiInit (... ) == 0x1 00297 484 NtGdiGetStockObject (18, ... ) == 0x290001c 00298 484 NtGdiGetStockObject (19, ... ) == 0x1b00019 00299 484 NtSetEventBoostPriority (36, ... 00215 712 NtWaitForSingleObject ... ) == 0x0 00299 484 NtSetEventBoostPriority ... ) == 0x0 00300 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00301 712 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00302 712 NtClose (64, ... ) == 0x0 00303 484 NtWaitForSingleObject (36, 0, 0x0, ... 00304 712 NtAllocateVirtualMemory (-1, 8704000, 0, 4096, 4096, 260, ... 8704000, 4096, ) == 0x0 00305 712 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00306 712 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00307 712 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 
64, ) == 0x0 00308 712 NtQueryValueKey (64, (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00309 712 NtClose (64, ... ) == 0x0 00310 712 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00311 712 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00312 712 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00313 712 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00314 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0 00315 712 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 712 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00317 712 NtQueryValueKey (64, (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 712 NtClose (64, ... ) == 0x0 00319 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 
64, ) == 0x0 00320 712 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00321 712 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00322 712 NtClose (64, ... ) == 0x0 00323 712 NtOpenEvent (0x1f0003, {24, 32, 0x0, 0, 0, (0x1f0003, {24, 32, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00324 712 NtSetEventBoostPriority (36, ... 00303 484 NtWaitForSingleObject ... ) == 0x0 00325 484 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 13107200, 28672, ) == 0x0 00326 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00327 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2291552, ... }, 2291552, ... 00324 712 NtSetEventBoostPriority ... ) == 0x0 00328 712 NtWaitForSingleObject (36, 0, 0x0, ... 00327 484 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00329 484 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 2291552, ... ) }, 2291552, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00330 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 2291552, ... ) }, 2291552, ... ) == 0x0 00331 484 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00332 484 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0 00333 484 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00334 484 NtClose (64, ... ) == 0x0 00335 484 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00336 484 NtClose (68, ... 
) == 0x0 00337 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 68, ) }, ... 68, ) == 0x0 00338 484 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00339 484 NtClose (68, ... ) == 0x0 00340 484 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00341 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00342 484 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00343 484 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == 0x0 00344 484 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00345 484 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0 00346 484 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00347 484 NtClose (68, ... ) == 0x0 00348 484 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00349 484 NtClose (64, ... ) == 0x0 00350 484 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00351 484 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 13172736, 65536, ) == 0x0 00352 484 NtAllocateVirtualMemory (-1, 13172736, 0, 4096, 4096, 4, ... 
13172736, 4096, ) == 0x0 00353 484 NtAllocateVirtualMemory (-1, 13176832, 0, 8192, 4096, 4, ... 13176832, 8192, ) == 0x0 00354 484 NtAllocateVirtualMemory (-1, 4542464, 0, 4096, 4096, 4, ... 4542464, 4096, ) == 0x0 00355 484 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 64, ) }, ... 64, ) == 0x0 00356 484 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xca0000), 0x0, 12288, ) == 0x0 00357 484 NtClose (64, ... ) == 0x0 00358 484 NtAllocateVirtualMemory (-1, 13185024, 0, 4096, 4096, 4, ... 13185024, 4096, ) == 0x0 00359 484 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00360 484 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00361 484 NtSetEventBoostPriority (36, ... 00328 712 NtWaitForSingleObject ... ) == 0x0 00362 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00363 712 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00364 712 NtClose (64, ... ) == 0x0 00365 712 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 64, ) == 0x0 00366 712 NtCallbackReturn (0, 0, 0, ... 00361 484 NtSetEventBoostPriority ... ) == 0x0 00367 484 NtWaitForSingleObject (36, 0, 0x0, ... 00368 712 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00369 712 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00370 712 NtOpenKey (0x9, {24, 40, 0x40, 0, 0, (0x9, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00371 712 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00372 712 NtSetEventBoostPriority (36, ... 00367 484 NtWaitForSingleObject ... ) == 0x0 00373 484 NtFreeVirtualMemory (-1, (0xc80000), 0, 32768, ... (0xc80000), 28672, ) == 0x0 00374 484 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00375 484 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00376 484 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00372 712 NtSetEventBoostPriority ... ) == 0x0 00377 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00378 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 8713820, ... }, 8713820, ... 00379 484 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00380 484 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00381 484 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13303808, 1048576, ) == 0x0 00382 484 NtAllocateVirtualMemory (-1, 13303808, 0, 32768, 4096, 4, ... 13303808, 32768, ) == 0x0 00383 484 NtWaitForSingleObject (36, 0, 0x0, ... 00378 712 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00384 712 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc.dll"}, 8713820, ... ) }, 8713820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00385 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 8713820, ... ) }, 8713820, ... 
) == 0x0 00386 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00387 712 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0 00388 712 NtQuerySection (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00389 712 NtClose (68, ... ) == 0x0 00390 712 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0 00391 712 NtClose (72, ... ) == 0x0 00392 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00393 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 8713016, ... ) }, 8713016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00394 712 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 8713016, ... ) }, 8713016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00395 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 8713016, ... ) }, 8713016, ... ) == 0x0 00396 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00397 712 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 72, ... 68, ) == 0x0 00398 712 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00399 712 NtClose (72, ... ) == 0x0 00400 712 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0 00401 712 NtClose (68, ... ) == 0x0 00402 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00403 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 8712212, ... 
) }, 8712212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00404 712 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 8712212, ... ) }, 8712212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00405 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 8712212, ... ) }, 8712212, ... ) == 0x0 00406 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00407 712 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0 00408 712 NtQuerySection (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00409 712 NtClose (68, ... ) == 0x0 00410 712 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0 00411 712 NtClose (72, ... ) == 0x0 00412 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00413 712 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00414 712 NtClose (72, ... ) == 0x0 00415 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 72, ) }, ... 72, ) == 0x0 00416 712 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00417 712 NtClose (72, ... ) == 0x0 00418 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 72, ) }, ... 72, ) == 0x0 00419 712 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0 00420 712 NtClose (72, ... ) == 0x0 00421 712 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00422 712 NtAllocateVirtualMemory (-1, 4546560, 0, 4096, 4096, 4, ... 
4546560, 4096, ) == 0x0 00423 712 NtAllocateVirtualMemory (-1, 4550656, 0, 4096, 4096, 4, ... 4550656, 4096, ) == 0x0 00424 712 NtAllocateVirtualMemory (-1, 4554752, 0, 4096, 4096, 4, ... 4554752, 4096, ) == 0x0 00425 712 NtAllocateVirtualMemory (-1, 4558848, 0, 4096, 4096, 4, ... 4558848, 4096, ) == 0x0 00426 712 NtCreateEvent (0x1f0003, {24, 32, 0x80, 8713952, 0, (0x1f0003, {24, 32, 0x80, 8713952, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00427 712 NtOpenEvent (0x100000, {24, 32, 0x0, 0, 0, (0x100000, {24, 32, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 72, ) }, ... 72, ) == 0x0 00428 712 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00429 712 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14352384, 262144, ) == 0x0 00430 712 NtAllocateVirtualMemory (-1, 14352384, 0, 4096, 4096, 4, ... 14352384, 4096, ) == 0x0 00431 712 NtAllocateVirtualMemory (-1, 14356480, 0, 8192, 4096, 4, ... 14356480, 8192, ) == 0x0 00432 712 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00433 712 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14614528, 1048576, ) == 0x0 00434 712 NtAllocateVirtualMemory (-1, 14614528, 0, 1048576, 4096, 4, ... 14614528, 1048576, ) == 0x0 00435 712 NtCreateMutant (0x1f0001, 0x0, 0, ... 68, ) == 0x0 00436 712 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 76, ) == 0x0 00437 712 NtCreateMutant (0x1f0001, 0x0, 0, ... 
80, ) == 0x0 00438 712 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 84, ) == 0x0 00439 712 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 88, ) == 0x0 00440 712 NtSetEvent (88, ... 0x0, ) == 0x0 00441 712 NtSetEventBoostPriority (36, ... 00383 484 NtWaitForSingleObject ... ) == 0x0 00442 484 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "Jobaka3"}, 0, ... 92, ) }, 0, ... 92, ) == 0x0 00443 484 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 96, ) }, ... 96, ) == 0x0 00444 484 NtQueryValueKey (96, (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00445 484 NtQueryValueKey (96, (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00441 712 NtSetEventBoostPriority ... ) == 0x0 00446 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 100, ) }, ... 100, ) == 0x0 00447 712 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00448 712 NtClose (100, ... ) == 0x0 00449 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 100, ) }, ... 100, ) == 0x0 00450 712 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00451 484 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0 00452 484 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Protocol_Catalog9"}, ... 108, ) }, ... 108, ) == 0x0 00453 484 NtQueryValueKey (108, (108, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00454 484 NtNotifyChangeKey (108, 104, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00455 484 NtQueryValueKey (108, (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00456 484 NtOpenKey (0x2000000, {24, 108, 0x40, 0, 0, (0x2000000, {24, 108, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00450 712 NtMapViewOfSection ... (0x772d0000), 0x0, 405504, ) == 0x0 00457 712 NtClose (100, ... ) == 0x0 00458 712 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00459 712 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SYSTEM\Setup"}, ... 100, ) }, ... 100, ) == 0x0 00460 712 NtQueryValueKey (100, (100, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00461 712 NtClose (100, ... ) == 0x0 00462 712 NtQueryDefaultUILanguage (8712176, ... 00463 484 NtQueryValueKey (108, (108, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00464 484 NtQueryValueKey (108, (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00465 484 NtOpenKey (0x2000000, {24, 108, 0x40, 0, 0, (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0 00466 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 112, ) }, ... 112, ) == 0x0 00467 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ... 00468 712 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00469 712 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00470 712 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00471 712 NtClose (-2147482020, ... ) == 0x0 00472 712 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00473 712 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00474 712 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00475 712 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00476 712 NtClose (-2147482032, ... ) == 0x0 00467 484 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 00477 712 NtClose (-2147482020, ... ) == 0x0 00462 712 NtQueryDefaultUILanguage ... ) == 0x0 00478 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00479 712 NtQueryInstallUILanguage (2012047340, ... 
) == 0x0 00480 712 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 116, {status=0x0, info=1}, ) }, 1, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00481 712 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 116, ... 120, ) == 0x0 00482 712 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 00483 484 NtAllocateVirtualMemory (-1, 4562944, 0, 4096, 4096, 4, ... 4562944, 4096, ) == 0x0 00484 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00485 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\346\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\346\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\347\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\350\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\350\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\1\0\0\340\1\0\0\310\2\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\357\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\177\0\351\1\0\0\340\1\0\0\310\2\0\0O\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\346\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\346\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\347\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\350\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\350\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\1\0\0\340\1\0\0\310\2\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\357\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\177\0\351\1\0\0\340\1\0\0\310\2\0\0O\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\347\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\350\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\346\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\346\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\347\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\347\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\350\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\350\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\342\1\0\0\340\1\0\0\310\2\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\357\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\177\0\351\1\0\0\340\1\0\0\310\2\0\0O\0\0\0\0\0\1\0\0\0\0\0"}, 900, ) }, 900, ) == 0x0 00486 484 NtClose (112, ... ) == 0x0 00487 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 112, ) }, ... 112, ) == 0x0 00488 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00482 712 NtMapViewOfSection ... (0xef0000), 0x0, 8323072, ) == 0x0 00489 712 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00490 712 NtQueryDefaultUILanguage (2013024600, ... 00491 712 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00492 712 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00493 712 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00494 712 NtClose (-2147482020, ... 
) == 0x0 00495 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00496 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\361\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\361\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\362\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\362\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\363\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\363\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\364\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\361\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\361\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\362\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\362\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\363\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\363\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\364\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\362\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\363\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\361\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\361\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\362\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\362\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\363\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\363\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\364\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00497 484 NtClose (112, ... ) == 0x0 00498 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 112, ) }, ... 112, ) == 0x0 00499 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00500 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00501 712 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00502 712 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00503 712 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00504 712 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00505 712 NtClose (-2147482032, ... ) == 0x0 00506 712 NtClose (-2147482020, ... ) == 0x0 00507 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\374\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\375\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\376\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\376\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\374\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\375\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\376\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\376\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\375\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\376\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\374\1\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\375\1\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\376\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\376\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\1\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00508 484 NtClose (112, ... ) == 0x0 00509 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000004"}, ... 112, ) }, ... 112, ) == 0x0 00510 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00511 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00512 484 NtAllocateVirtualMemory (-1, 4567040, 0, 4096, 4096, 4, ... 4567040, 4096, ) == 0x0 00490 712 NtQueryDefaultUILanguage ... ) == 0x0 00513 712 NtAllocateVirtualMemory (-1, 8699904, 0, 4096, 4096, 260, ... 8699904, 4096, ) == 0x0 00514 712 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00515 712 NtQueryDefaultLocale (1, 8710212, ... 
) == 0x0 00516 712 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00517 712 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 8711068, 1, 96, 0} (24, {128, 156, new_msg, 0, 8711068, 1, 96, 0} "\210\6\36\1\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\1t\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0\234\362\204\0\0\0\0\0" ... {128, 156, reply, 0, 480, 712, 1577, 0} " S\26\0\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\1t\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0\234\362\204\0\0\0\0\0" ) ... {128, 156, reply, 0, 480, 712, 1577, 0} (24, {128, 156, new_msg, 0, 8711068, 1, 96, 0} "\210\6\36\1\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\1t\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0\234\362\204\0\0\0\0\0" ... {128, 156, reply, 0, 480, 712, 1577, 0} " S\26\0\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\1t\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0\234\362\204\0\0\0\0\0" ) ) == 0x0 00518 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\7\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\7\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\10\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\11\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\11\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\7\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\7\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\10\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\11\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\11\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\10\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\11\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\7\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\7\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\10\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\10\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\11\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\11\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\12\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00519 484 NtClose (112, ... ) == 0x0 00520 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000005"}, ... 112, ) }, ... 112, ) == 0x0 00521 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00522 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00523 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\14\2\0\0\340\1\0\0\310\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\14\2\0\0\340\1\0\0\310\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\2\0\0\340\1\0\0\310\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0x\0\0\0\15\2\0\0\340\1\0\0\310\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0\340\1\0\0\310\2\0\0\302\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0\377\377\377\377\0\0\357\0\16\2\0\0\340\1\0\0\310\2\0\0\302\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\17\2\0\0\340\1\0\0\310\2\0\0\302\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0\377\377\377\377\234\362\204\0\17\2\0\0\340\1\0\0\310\2\0\0\302\0\0\0\1\0\1\0\31\0\0\300\0\0\0\0\20\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\0\0\1\0\0\0\0\0\10\0\0\05\0\0\0\2\0\0\0\20\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\340\1\0\0\310\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0\350\0\0\0\10\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\20}\367w@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\266\0\270\0\30}\367w\0\0\0\0\\0R\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\14\2\0\0\340\1\0\0\310\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\14\2\0\0\340\1\0\0\310\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\2\0\0\340\1\0\0\310\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0x\0\0\0\15\2\0\0\340\1\0\0\310\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0\340\1\0\0\310\2\0\0\302\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0\377\377\377\377\0\0\357\0\16\2\0\0\340\1\0\0\310\2\0\0\302\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\17\2\0\0\340\1\0\0\310\2\0\0\302\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0\377\377\377\377\234\362\204\0\17\2\0\0\340\1\0\0\310\2\0\0\302\0\0\0\1\0\1\0\31\0\0\300\0\0\0\0\20\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\0\0\1\0\0\0\0\0\10\0\0\05\0\0\0\2\0\0\0\20\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\21\2\0\0\340\1\0\0\310\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0\350\0\0\0\10\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\20}\367w@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\266\0\270\0\30}\367w\0\0\0\0\\0R\0"}, 900, ) }, 900, ) == 0x0 00524 712 NtClose (116, ... ) == 0x0 00525 712 NtClose (120, ... ) == 0x0 00526 712 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00527 712 NtUnmapViewOfSection (-1, 0x84f29c, ... ) == STATUS_NOT_MAPPED_VIEW 00528 712 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00529 712 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00530 484 NtClose (112, ... ) == 0x0 00531 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000006"}, ... 112, ) }, ... 112, ) == 0x0 00532 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00533 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00534 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\27\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\27\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\0\0\1\0\0\0\0\0\10\0\0\05\0\0\0\2\0\0\0\30\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\0\0\1\0\0\0\0\0\10\0\0\05\0\0\0\2\0\0\0\31\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\2\0\0\340\1\0\0\310\2\0\0c\0\0\0\0\0\1\0\0\0\0\0l\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\374\344\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0\32\2\240 E\0\0\0\0\0\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0.\0L\0o\0c\0a\0l\0\\0c\0\260\344\204\0\33\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\27\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\27\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\30\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\0\0\1\0\0\0\0\0\10\0\0\05\0\0\0\2\0\0\0\30\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\31\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\0\0\1\0\0\0\0\0\10\0\0\05\0\0\0\2\0\0\0\31\2\0\0\340\1\0\0\310\2\0\0\34\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\2\0\0\340\1\0\0\310\2\0\0c\0\0\0\0\0\1\0\0\0\0\0l\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\374\344\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0\32\2\240 E\0\0\0\0\0\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0.\0L\0o\0c\0a\0l\0\\0c\0\260\344\204\0\33\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0"}, 900, ) == 0x0 00535 484 NtClose (112, ... ) == 0x0 00536 712 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00537 712 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00538 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 8709296, ... }, 8709296, ... 00539 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000007"}, ... 112, ) }, ... 112, ) == 0x0 00540 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00541 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00542 484 NtAllocateVirtualMemory (-1, 4571136, 0, 4096, 4096, 4, ... 4571136, 4096, ) == 0x0 00543 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0 \2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0 
\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0"\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0"\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0 \2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0 
\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0"\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0"\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0 
\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0 \2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0"\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0"\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0 
\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0 \2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0!\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0"\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0"\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0#\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00544 484 NtClose (112, ... ) == 0x0 00545 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000008"}, ... 112, ) }, ... 112, ) == 0x0 00546 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00547 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00548 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0%\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0%\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0&\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0'\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0'\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0%\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0%\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0&\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0'\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0'\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0&\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0'\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0%\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0%\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0&\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0&\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0'\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0'\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0(\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00549 484 NtClose (112, ... ) == 0x0 00550 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000009"}, ... 112, ) }, ... 112, ) == 0x0 00551 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00552 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00553 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0*\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0+\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0,\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0,\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0*\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0+\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0,\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0,\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0+\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0,\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0*\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0*\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0+\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0+\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0,\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0,\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0-\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00554 484 NtClose (112, ... ) == 0x0 00555 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000010"}, ... 112, ) }, ... 112, ) == 0x0 00556 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00557 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00558 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0/\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0/\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\00\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\01\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\01\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0/\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0/\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\00\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\01\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\01\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\00\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\01\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0/\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0/\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0d\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\00\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\01\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\01\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\02\2\0\0\340\1\0\0\344\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00559 484 NtClose (112, ... ) == 0x0 00560 484 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000011"}, ... 112, ) }, ... 112, ) == 0x0 00561 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00562 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00563 484 NtAllocateVirtualMemory (-1, 4575232, 0, 4096, 4096, 4, ... 4575232, 4096, ) == 0x0 00564 484 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\05\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\05\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\06\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\07\2\0\0\340\1\0\0\344\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\07\2\0\0\340\1\0\0\344\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\08\2\0\0\340\1\0\0\344\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\08\2\0\0\340\1\0\0\344\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\09\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0`\0\0\0\214\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\360\232E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\05\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\05\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\06\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0d\0\0\06\2\0\0\340\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\07\2\0\0\340\1\0\0\344\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\07\2\0\0\340\1\0\0\344\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\08\2\0\0\340\1\0\0\344\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\08\2\0\0\340\1\0\0\344\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0d\0\0\09\2\0\0\340\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0`\0\0\0\214\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\360\232E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\360\232E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00565 484 NtClose (112, ... 
) == 0x0 00566 484 NtClose (100, ... ) == 0x0 00567 484 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 00568 484 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0 00569 484 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 112, ) }, ... 112, ) == 0x0 00570 484 NtQueryValueKey (112, (112, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00571 484 NtNotifyChangeKey (112, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00572 484 NtQueryValueKey (112, (112, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00573 484 NtOpenKey (0x2000000, {24, 112, 0x40, 0, 0, (0x2000000, {24, 112, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00574 484 NtQueryValueKey (112, (112, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00575 484 NtOpenKey (0x2000000, {24, 112, 0x40, 0, 0, (0x2000000, {24, 112, 0x40, 0, 0, "Catalog_Entries"}, ... 120, ) }, ... 120, ) == 0x0 00576 484 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0 00577 484 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... , Partial, 144, ... 00538 712 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00578 712 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00579 712 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00580 712 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00581 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 8709888, ... ) }, 8709888, ... ) == 0x0 00577 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00582 484 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00583 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00584 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00585 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00586 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00587 484 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... , Partial, 144, ... 00588 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 124, {status=0x0, info=1}, ) }, 3, 33, ... 124, {status=0x0, info=1}, ) == 0x0 00589 712 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00590 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00591 712 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0 00592 712 NtClose (128, ... ) == 0x0 00593 712 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xef0000), 0x0, 921600, ) == 0x0 00587 484 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00594 484 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 484 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00596 484 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00597 484 NtQueryValueKey (116, (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00598 484 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00599 484 NtClose (116, ... 00600 712 NtClose (132, ... ) == 0x0 00601 712 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00602 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0 00603 712 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0 00604 712 NtQuerySection (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00605 712 NtClose (132, ... ) == 0x0 00599 484 NtClose ... ) == 0x0 00606 484 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0 00607 484 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00608 484 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00609 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00610 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00611 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... , Partial, 144, ... 00612 712 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00613 712 NtClose (128, ... ) == 0x0 00614 712 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00615 712 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00616 712 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00617 712 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00611 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00618 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00619 484 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00620 484 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00621 484 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00622 484 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00623 484 NtQueryValueKey (116, (116, "Version", Partial, 144, ... , Partial, 144, ... 00624 712 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00625 712 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00626 712 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00627 712 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00628 712 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00629 712 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00623 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00630 484 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00631 484 NtClose (116, ... ) == 0x0 00632 484 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 
116, ) == 0x0 00633 484 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00634 484 NtQueryValueKey (116, (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00635 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... , Partial, 144, ... 00636 712 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00637 712 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00638 712 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00639 712 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00640 712 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00641 712 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00635 484 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00642 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00643 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00644 484 NtQueryValueKey (116, (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (116, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00645 484 NtQueryValueKey (116, (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (116, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00646 484 NtQueryValueKey (116, (116, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00647 484 NtQueryValueKey (116, (116, "SupportedNameSpace", Partial, 144, ... 
, Partial, 144, ... 00648 712 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00649 712 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00650 712 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00651 712 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00652 712 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00653 712 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 8711072, ... ) , 42, 8711072, ... ) == 0x0 00647 484 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00654 484 NtQueryValueKey (116, (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00655 484 NtQueryValueKey (116, (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00656 484 NtQueryValueKey (116, (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00657 484 NtClose (116, ... ) == 0x0 00658 484 NtClose (120, ... ) == 0x0 00659 484 NtWaitForSingleObject (100, 0, {0, 0}, ... 00660 712 NtQueryDefaultUILanguage (8709788, ... 00661 712 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00662 712 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00663 712 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00664 712 NtClose (-2147482020, ... 
) == 0x0 00665 712 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00666 712 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... }, ... 00659 484 NtWaitForSingleObject ... ) == 0x102 00667 484 NtClose (96, ... ) == 0x0 00668 484 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00669 484 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00670 484 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 96, ) }, ... 96, ) == 0x0 00671 484 NtQueryValueKey (96, (96, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00666 712 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00672 712 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00673 712 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00674 712 NtClose (-2147482032, ... ) == 0x0 00675 712 NtClose (-2147482020, ... ) == 0x0 00660 712 NtQueryDefaultUILanguage ... ) == 0x0 00676 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00677 484 NtClose (96, ... 
) == 0x0 00678 484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 96, ) == 0x0 00679 484 NtAllocateVirtualMemory (-1, 4579328, 0, 4096, 4096, 4, ... 4579328, 4096, ) == 0x0 00680 484 NtWaitForSingleObject (36, 0, 0x0, ... 00681 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 8708640, ... ) }, 8708640, ... ) == 0x0 00682 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00683 712 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 120, ... 116, ) == 0x0 00684 712 NtClose (120, ... ) == 0x0 00685 712 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xef0000), 0x0, 4096, ) == 0x0 00686 712 NtClose (116, ... ) == 0x0 00687 712 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00688 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 8708280, ... ) }, 8708280, ... ) == 0x0 00689 712 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 8708980, (0x80100080, {24, 0, 0x40, 0, 8708980, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0 00690 712 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 116, ... 120, ) == 0x0 00691 712 NtClose (116, ... ) == 0x0 00692 712 NtMapViewOfSection (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xef0000), {0, 0}, 4096, ) == 0x0 00693 712 NtClose (120, ... ) == 0x0 00694 712 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00695 712 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 120, {status=0x0, info=1}, ) }, 1, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00696 712 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 120, ... 
116, ) == 0x0 00697 712 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xef0000), 0x0, 4096, ) == 0x0 00698 712 NtQueryInformationFile (120, 8708600, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00699 712 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00700 712 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 8708680, 1, 96, 0} (24, {128, 156, new_msg, 0, 8708680, 1, 96, 0} "\210\6\36\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\1x\0\0\0t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0H\351\204\0\0\0\0\0" ... {128, 156, reply, 0, 480, 712, 1578, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\1x\0\0\0t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0H\351\204\0\0\0\0\0" ) ... {128, 156, reply, 0, 480, 712, 1578, 0} (24, {128, 156, new_msg, 0, 8708680, 1, 96, 0} "\210\6\36\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\1x\0\0\0t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0H\351\204\0\0\0\0\0" ... {128, 156, reply, 0, 480, 712, 1578, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\1x\0\0\0t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0H\351\204\0\0\0\0\0" ) ) == 0x0 00701 712 NtClose (120, ... ) == 0x0 00702 712 NtClose (116, ... ) == 0x0 00703 712 NtUnmapViewOfSection (-1, 0xef0000, ... 
) == 0x0 00704 712 NtUnmapViewOfSection (-1, 0x84e948, ... ) == STATUS_NOT_MAPPED_VIEW 00705 712 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00706 712 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00707 712 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00708 712 NtUserGetDC (0, ... ) == 0x1010054 00709 712 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00710 712 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00711 712 NtUserSystemParametersInfo (66, 12, 8711092, 0, ... ) == 0x1 00712 712 NtOpenProcessToken (-1, 0x8, ... 116, ) == 0x0 00713 712 NtAccessCheck (4581152, 116, 0x1, 8710496, 8710440, 56, 8710524, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00714 712 NtClose (116, ... ) == 0x0 00715 712 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00716 712 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 00717 712 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00718 712 NtClose (116, ... ) == 0x0 00719 712 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 116, ) }, ... 116, ) == 0x0 00720 712 NtSetInformationObject (116, Handle, {Inherit=0,ProtectFromClose=1,}, 8651008, ... ) == 0x0 00721 712 NtOpenKey (0x20019, {24, 116, 0x40, 0, 0, (0x20019, {24, 116, 0x40, 0, 0, "Control Panel\Desktop"}, ... 120, ) }, ... 120, ) == 0x0 00722 712 NtQueryValueKey (120, (120, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 712 NtClose (120, ... ) == 0x0 00724 712 NtUserSystemParametersInfo (41, 500, 8710592, 0, ... ) == 0x1 00725 712 NtOpenKey (0x1, {24, 116, 0x40, 0, 0, (0x1, {24, 116, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 120, ) }, ... 120, ) == 0x0 00726 712 NtQueryValueKey (120, (120, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00727 712 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 128, ) }, ... 128, ) == 0x0 00728 712 NtQueryValueKey (128, (128, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00729 712 NtClose (128, ... ) == 0x0 00730 712 NtClose (120, ... ) == 0x0 00731 712 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00732 712 NtUserSystemParametersInfo (4130, 0, 8711116, 0, ... ) == 0x1 00733 712 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 120, ) }, ... 120, ) == 0x0 00734 712 NtEnumerateValueKey (120, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00735 712 NtClose (120, ... ) == 0x0 00736 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00737 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc03b 00738 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc03d 00739 712 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00740 712 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc03f 00741 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00742 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc041 00743 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00744 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc043 00745 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc045 00746 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00747 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... 
) == 0x810cc047 00748 712 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00749 712 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc049 00750 712 NtUserGetClassInfo (1905590272, 8711012, 8710964, 8711040, 0, ... ) == 0xc049 00751 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00752 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc04b 00753 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00754 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc04d 00755 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00756 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc04f 00757 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc051 00758 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00759 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc053 00760 712 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00761 712 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc055 00762 712 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc057 00763 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00764 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc059 00765 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10013 00766 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc05b 00767 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00768 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... 
) == 0x810cc05d 00769 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00770 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc05f 00771 712 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00772 712 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc017 00773 712 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00774 712 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc019 00775 712 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10013 00776 712 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc018 00777 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00778 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc01a 00779 712 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00780 712 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810cc01c 00781 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00782 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc01e 00783 712 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00784 712 NtUserRegisterClassExWOW (8710908, 8710988, 8710972, 8711004, 0, 384, 0, ... ) == 0x810cc01b 00785 712 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00786 712 NtUserRegisterClassExWOW (8710904, 8710984, 8710968, 8711000, 0, 384, 0, ... ) == 0x810cc068 00787 712 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00788 712 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810cc06a 00789 712 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 120, ) }, ... 
120, ) == 0x0 00790 712 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00791 712 NtClose (120, ... ) == 0x0 00792 712 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {480, 0}, ... 120, ) == 0x0 00793 712 NtQueryInformationProcess (120, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00794 712 NtClose (120, ... ) == 0x0 00795 712 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00796 712 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00797 712 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00798 712 NtOpenKey (0x20019, {24, 116, 0x40, 0, 0, (0x20019, {24, 116, 0x40, 0, 0, "Control Panel\Desktop"}, ... 120, ) }, ... 120, ) == 0x0 00799 712 NtQueryValueKey (120, (120, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00800 712 NtClose (120, ... ) == 0x0 00801 712 NtUserSystemParametersInfo (41, 500, 8711752, 0, ... ) == 0x1 00802 712 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00803 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00804 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00805 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... 00806 712 NtAllocateVirtualMemory (-1, 10010624, 0, 4096, 4096, 32, ... 10010624, 4096, ) == 0x0 00805 712 NtUserRegisterClassExWOW ... ) == 0x810cc03b 00807 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00808 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc03d 00809 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00810 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00811 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc03f 00812 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... 
) == 0x0 00813 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00814 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc041 00815 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00816 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00817 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc043 00818 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00819 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc045 00820 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00821 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00822 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc047 00823 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00824 712 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00825 712 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810cc049 00826 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00827 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00828 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc04b 00829 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00830 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00831 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc04d 00832 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00833 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00834 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... 
) == 0x810cc04f 00835 712 NtUserGetClassInfo (1999896576, 8712164, 8712116, 8712192, 0, ... ) == 0x0 00836 712 NtUserRegisterClassExWOW (8712000, 8712080, 8712064, 8712096, 0, 384, 0, ... ) == 0x810cc051 00837 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00838 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00839 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc053 00840 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00841 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00842 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc055 00843 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc057 00844 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00845 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00846 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc059 00847 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00848 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10013 00849 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc05b 00850 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00851 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00852 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810cc05d 00853 712 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00854 712 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00855 712 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... 
) == 0x810cc05f 00856 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc03b 00857 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc03d 00858 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc03f 00859 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc041 00860 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc043 00861 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc045 00862 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc047 00863 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc049 00864 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc04b 00865 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc04d 00866 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc04f 00867 712 NtUserGetClassInfo (1999896576, 8713916, 8713868, 8713944, 0, ... ) == 0xc051 00868 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc053 00869 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc055 00870 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc059 00871 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc05b 00872 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc05d 00873 712 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc05f 00874 712 NtSetEventBoostPriority (36, ... 00680 484 NtWaitForSingleObject ... ) == 0x0 00875 484 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2290256, (0x80100080, {24, 0, 0x40, 0, 2290256, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 00874 712 NtSetEventBoostPriority ... 
) == 0x0 00876 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00877 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00878 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00879 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00880 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00881 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00882 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00883 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00884 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00885 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00886 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00887 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00888 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00889 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00890 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00891 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00892 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00894 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00896 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00898 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00899 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00901 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00902 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00903 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00904 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00906 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00907 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00909 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00913 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00914 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00915 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00921 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00923 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00924 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00926 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00928 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00929 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00932 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00934 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00941 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... }, ... 00875 484 NtCreateFile ... 120, {status=0x0, info=1}, ) == 0x0 00943 484 NtQueryInformationFile (120, 2291192, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00944 484 NtQueryInformationFile (120, 2291164, 24, Standard, ... 00942 712 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00948 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00949 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00954 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00956 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00957 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00959 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00960 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00966 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00967 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00968 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00969 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00970 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00972 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00973 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 712 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 712 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "kkq-vx_mtx1"}, 0, ... 128, ) }, 0, ... 128, ) == 0x0 00978 712 NtUserFindExistingCursorIcon (8715176, 8715192, 8715760, ... ) == 0x10011 00979 712 NtUserFindExistingCursorIcon (8715176, 8715192, 8715760, ... ) == 0x10005 00980 712 NtUserRegisterClassExWOW (8715628, 8715704, 8715720, 8715692, 0, 386, 0, ... 
) == 0x810cc0d5 00981 712 NtUserCreateWindowEx (-2147483648, 8715664, 8715476, "13238272, 0, 0, 0, 0, 0, 0, 4194304, 0, 1073742848, 0, ... 00982 712 NtUserGetIconSize (65541, 0, 8714192, 8714200, ... ) == 0x1 00983 712 NtUserGetIconInfo (65541, 8714168, 8714160, 8714152, 8714188, 1, ... ) == 0x1 00944 484 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 00984 484 NtQueryInformationFile (120, 2291116, 40, Basic, ... 00985 712 NtUserFindExistingCursorIcon (8712900, 8712916, 8714132, ... ) == 0x10005 00986 712 NtGdiExtGetObjectW (100992093, 24, 8712908, ... ) == 0x18 00987 712 NtGdiGetDIBitsInternal (234947665, 100992093, 0, 64, 4582744, 4582696, 0, 256, 0, ... ) == 0x40 00984 484 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 00988 484 NtAllocateVirtualMemory (-1, 4583424, 0, 8192, 4096, 4, ... 4583424, 8192, ) == 0x0 00989 484 NtQueryInformationFile (120, 4583008, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00990 484 NtQueryInformationFile (120, 2289660, 40, Basic, ... 00991 712 NtUserGetDC (0, ... ) == 0x1010054 00992 712 NtGdiCreateDIBitmapInternal (16842836, 16, 32, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1050461 00993 712 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00994 712 NtGdiSelectBitmap (234947665, 17106017, ... ) == 0x185000f 00995 712 NtGdiDoPalette (234947665, 0, 1, 8712760, 4, 0, ... ) == 0x1 00996 712 NtGdiStretchDIBitsInternal (234947665, 0, 0, 16, 32, 0, 0, 32, 64, 4582744, 4568512, 0, 13369376, 48, 256, 0, ... ) == 0x40 00997 712 NtGdiSelectBitmap (234947665, 25493519, ... ) == 0x1050461 00998 712 NtGdiCreateCompatibleDC (234947665, ... ) == 0x2010462 00999 712 NtGdiExtGetObjectW (17106017, 24, 8712784, ... ) == 0x18 01000 712 NtGdiCreateBitmap (16, 32, 1, 1, 0, ... ) == 0x2050463 01001 712 NtGdiSelectBitmap (234947665, 17106017, ... ) == 0x185000f 01002 712 NtGdiSelectBitmap (33621090, 33883235, ... ) == 0x185000f 01003 712 NtGdiBitBlt (33621090, 0, 0, 16, 32, 234947665, 0, 0, 13369376, -1, 0, ... 
) == 0x1 01004 712 NtGdiSelectBitmap (234947665, 25493519, ... ) == 0x1050461 01005 712 NtGdiSelectBitmap (33621090, 25493519, ... ) == 0x2050463 01006 712 NtGdiDeleteObjectApp (17106017, ... ) == 0x1 01007 712 NtGdiDeleteObjectApp (33621090, ... ) == 0x1 01008 712 NtGdiExtGetObjectW (17106015, 24, 8712908, ... ) == 0x18 01009 712 NtGdiGetDIBitsInternal (234947665, 17106015, 0, 32, 4587164, 4587112, 0, 4096, 0, ... ) == 0x20 01010 712 NtUserGetDC (0, ... ) == 0x1010054 01011 712 NtGdiCreateCompatibleBitmap (16842836, 16, 16, ... ) == 0x4050462 01012 712 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01013 712 NtGdiSelectBitmap (234947665, 67437666, ... ) == 0x185000f 01014 712 NtGdiDoPalette (234947665, 0, 1, 8712760, 4, 0, ... ) == 0x0 01015 712 NtGdiStretchDIBitsInternal (234947665, 0, 0, 16, 16, 0, 0, 32, 32, 4587164, 4568512, 0, 13369376, 40, 4096, 0, ... ) == 0x20 01016 712 NtGdiSelectBitmap (234947665, 25493519, ... ) == 0x4050462 01017 712 NtGdiDeleteObjectApp (100992093, ... ) == 0x1 00990 484 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 01018 484 NtQueryInformationFile (120, 2289504, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01019 484 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 2289512, (0x40110080, {24, 0, 0x40, 0, 2289512, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01020 484 NtClose (-2147482020, ... 01021 712 NtGdiDeleteObjectApp (17106015, ... ) == 0x1 01022 712 NtUserCallOneParam (0, 33, ... ) == 0x100b3 01023 712 NtUserSetCursorIconData (65715, 8712944, 8712960, 8714044, ... ) == 0x1 01024 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711860, ... ) }, 8711860, ... ) == 0x0 01025 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 
132, {status=0x0, info=1}, ) == 0x0 01026 712 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 132, ... 136, ) == 0x0 01020 484 NtClose ... ) == 0x0 01019 484 NtCreateFile ... 140, {status=0x0, info=2}, ) == 0x0 01027 484 NtQueryVolumeInformationFile (140, 2288884, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01028 484 NtQueryInformationFile (140, 2288844, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01029 484 NtQueryVolumeInformationFile (120, 2288884, 536, Attribute, ... 01030 712 NtClose (132, ... ) == 0x0 01031 712 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf10000), 0x0, 204800, ) == 0x0 01032 712 NtClose (136, ... ) == 0x0 01029 484 NtQueryVolumeInformationFile ... {status=0x0, info=20}, ) == 0x0 01033 484 NtQueryVolumeInformationFile (120, 2288568, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01034 712 NtUnmapViewOfSection (-1, 0xf10000, ... ) == 0x0 01035 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8712176, ... ) }, 8712176, ... ) == 0x0 01036 712 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 01037 712 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 132, ) == 0x0 01038 712 NtQuerySection (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01039 712 NtClose (136, ... ) == 0x0 01040 712 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 01041 712 NtClose (132, ... ) == 0x0 01042 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01043 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01044 712 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01045 712 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 132, ) == 0x0 01046 712 NtQueryInformationToken (132, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01047 712 NtClose (132, ... ) == 0x0 01048 712 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 132, ) }, ... 132, ) == 0x0 01049 712 NtOpenKey (0x1, {24, 132, 0x40, 0, 0, (0x1, {24, 132, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 136, ) }, ... 136, ) == 0x0 01050 712 NtQueryValueKey (136, (136, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01051 712 NtClose (136, ... ) == 0x0 01052 712 NtClose (132, ... ) == 0x0 01053 712 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01054 712 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 132, ) == 0x0 01055 712 NtQueryInformationToken (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01056 712 NtClose (132, ... ) == 0x0 01057 712 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 132, ) }, ... 132, ) == 0x0 01058 712 NtOpenKey (0x1, {24, 132, 0x40, 0, 0, (0x1, {24, 132, 0x40, 0, 0, "Control Panel\Desktop"}, ... 136, ) }, ... 136, ) == 0x0 01059 712 NtQueryValueKey (136, (136, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01060 712 NtClose (136, ... ) == 0x0 01061 712 NtClose (132, ... ) == 0x0 01062 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 8711676, ... ) }, 8711676, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01063 712 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 8711676, ... ) }, 8711676, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01064 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 8711676, ... ) }, 8711676, ... ) == 0x0 01065 712 NtUserGetProcessWindowStation (... 
) == 0x34 01066 712 NtUserGetObjectInformation (52, 2, 0, 0, 8713972, ... ) == 0x0 01067 712 NtUserGetObjectInformation (52, 2, 4577104, 16, 8713972, ... ) == 0x1 01068 712 NtUserGetGUIThreadInfo (712, 8713928, ... ) == 0x1 01069 712 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 8713748, 64, ... 132, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 8713748, 64, ... 132, 0x0, 0x0, 0x0, 64, ) == 0x0 01070 712 NtRequestWaitReplyPort (132, {32, 56, new_msg, 0, 0, 0, 0, 0} (132, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 480, 712, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 480, 712, 1580, 0} (132, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 480, 712, 1580, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01071 712 NtRequestWaitReplyPort (132, {32, 56, new_msg, 0, 0, 0, 0, 0} (132, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 480, 712, 1581, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 480, 712, 1581, 0} (132, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 480, 712, 1581, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01072 712 NtUserCallNoParam (29, ... 01073 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711220, ... ) }, 8711220, ... ) == 0x0 01072 712 NtUserCallNoParam ... ) == 0x0 01074 712 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 01075 712 NtGdiHfontCreate (8713300, 356, 0, 0, 4581224, ... ) == 0x90a045d 01076 712 NtGdiHfontCreate (8713300, 356, 0, 0, 4581216, ... 
) == 0x40a0460 01077 712 NtRequestWaitReplyPort (132, {32, 56, new_msg, 0, 0, 0, 0, 0} (132, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 480, 712, 1582, 0} "\0\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 480, 712, 1582, 0} (132, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 480, 712, 1582, 0} "\0\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01078 712 NtMapViewOfSection (136, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xf10000), {0, 0}, 331776, ) == 0x0 01079 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01080 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01081 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01082 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01083 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01084 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01085 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01086 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01087 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01088 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01089 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01090 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01091 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01092 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01093 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01094 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01095 712 NtAllocateVirtualMemory (-1, 13189120, 0, 4096, 4096, 4, ... 13189120, 4096, ) == 0x0 01096 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01097 712 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x1100464 01098 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01099 712 NtUserCallNoParam (29, ... 01100 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710664, ... 
) }, 8710664, ... ) == 0x0 01099 712 NtUserCallNoParam ... ) == 0x0 01101 712 NtUserCallNoParam (29, ... 01102 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710660, ... ) }, 8710660, ... ) == 0x0 01101 712 NtUserCallNoParam ... ) == 0x0 01103 712 NtUserMessageCall (0x100e0, WM_NCCREATE, 0x0, 0x84f800, 0, 670, 1, ... ) == 0x1 01104 712 NtUserMessageCall (0x100e0, WM_NCCALCSIZE, 0x0, 0x84f834, 0, 670, 1, ... ) == 0x0 01105 712 NtUserGetClassName (65760, 0, 8713452, ... ) == 0x6 01106 712 NtUserRemoveProp (65760, 43282, ... ) == 0x0 01107 712 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 4194366, 8713044, 35020, 28} (24, {24, 52, new_msg, 0, 4194366, 8713044, 35020, 28} "\0\0\0\0\5\4\3\0I\0N\0D\0O\0\310\2\0\0\0\0\0\0" ... {24, 52, reply, 0, 480, 712, 1583, 0} "\0\0\0\0\5\4\3\0\0\0\0\0D\0O\0\310\2\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 480, 712, 1583, 0} (24, {24, 52, new_msg, 0, 4194366, 8713044, 35020, 28} "\0\0\0\0\5\4\3\0I\0N\0D\0O\0\310\2\0\0\0\0\0\0" ... {24, 52, reply, 0, 480, 712, 1583, 0} "\0\0\0\0\5\4\3\0\0\0\0\0D\0O\0\310\2\0\0\0\0\0\0" ) ) == 0x0 01108 712 NtUserGetThreadDesktop (712, 0, ... ) == 0x38 01109 712 NtUserGetObjectInformation (56, 2, 8713128, 520, 0, ... ) == 0x1 01110 712 NtGdiDeleteObjectApp (17826916, ... ) == 0x1 01111 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01112 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01113 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01114 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01115 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01116 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01117 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01118 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01119 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01120 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01121 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01122 712 NtUserCallOneParam (16842834, 56, ... 
) == 0x1 01123 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01124 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01125 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01126 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01127 712 NtUserGetWindowDC (0, ... ) == 0x1010052 01128 712 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x2100464 01129 712 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01130 712 NtUserSetProp (65760, 43288, 13189392, ... ) == 0x1 01131 712 NtUserGetAncestor (65760, 1, ... ) == 0x10014 01132 712 NtUserSetWindowPos (65760, 0, 0, 0, 123, 34, 1047, ... ) == 0x1 00981 712 NtUserCreateWindowEx ... ) == 0x100e0 01133 484 NtSetInformationFile (140, 2288672, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01134 484 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 120, ... 144, ) == 0x0 01135 484 NtMapViewOfSection (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xf70000), {0, 0}, 131072, ) == 0x0 01136 484 NtClose (144, ... ) == 0x0 01137 484 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\6\0\204\214\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\10\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\34\312\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 
\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\34\312\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01138 484 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "~~~~~~~~~~~~~z\305~n~~~~~~~~~~~~~~~~~~~~[\15~~\11~\14~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\177~~~x~~~y~~~v~~~z~~~|~~~}~~~}~~~v~~~v~~~z~~~w~~~\177~~~z~~~y~~~\177~~~~~~~\177~~~{~~~x~~~~~~~|~~~{~~~{~~~z~~~w~~~|~~~y~~~w~~~}~~~~~~~y~~~z~~~|~~~\177~~~}~~~|~~~\177~~~~~~~{~~~~~~~}~~~v~~~|~~~v~~~{~~~}~~~x~~~{~~~v~~~~~~~z~~~v~~~~~~~v~~~z~~~v~~~w~~~}~~~x~~~x~~~x~~~~~~~\177~~~}~~~~~~~v~~~x~~~x~~~~~~~~~~~z~~~~~~~\177~~~}~~~x~~~}~~~{~~~|~~~z~~~~~~~~~~~~~~~~~~~~~~~~~~", 61440, 0x0, 0, ... , 61440, 0x0, 0, ... 01139 712 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01140 712 NtCreateSemaphore (0x1f0003, {24, 32, 0x80, 4569920, 0, (0x1f0003, {24, 32, 0x80, 4569920, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 144, ) }, 0, 2147483647, ... 144, ) == STATUS_OBJECT_NAME_EXISTS 01141 712 NtReleaseSemaphore (144, 1, ... 
0, ) == 0x0 01142 712 NtWaitForSingleObject (144, 0, {0, 0}, ... ) == 0x0 01143 712 NtCreateKey (0x2000000, {24, 116, 0x40, 0, 0, (0x2000000, {24, 116, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 148, 2, ) }, 0, 0x0, 0, ... 148, 2, ) == 0x0 01144 712 NtQueryValueKey (148, (148, "Programs", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (148, "Programs", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0"}, 80, ) }, 80, ) == 0x0 01145 712 NtClose (148, ... ) == 0x0 01146 712 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs"}, 8714164, ... ) }, 8714164, ... ) == 0x0 01147 712 NtCreateKey (0x2000000, {24, 116, 0x40, 0, 0, (0x2000000, {24, 116, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 148, 2, ) }, 0, 0x0, 0, ... 148, 2, ) == 0x0 01148 712 NtSetValueKey (148, (148, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... ) , 0, 1, (148, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... ) , 110, ... ) == 0x0 01149 712 NtClose (148, ... ) == 0x0 01150 712 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\"}, 3, 16417, ... 148, {status=0x0, info=1}, ) }, 3, 16417, ... 
148, {status=0x0, info=1}, ) == 0x0 01151 712 NtQueryDirectoryFile (148, 0, 0, 0, 8713580, 616, BothDirectory, 1, (148, 0, 0, 0, 8713580, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01152 712 NtQueryDirectoryFile (148, 0, 0, 0, 4587112, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1118}, ) == 0x0 01153 712 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\"}, 3, 16417, ... 152, {status=0x0, info=1}, ) }, 3, 16417, ... 152, {status=0x0, info=1}, ) == 0x0 01154 712 NtQueryDirectoryFile (152, 0, 0, 0, 8712936, 616, BothDirectory, 1, (152, 0, 0, 0, 8712936, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01155 712 NtAllocateVirtualMemory (-1, 4591616, 0, 8192, 4096, 4, ... 4591616, 8192, ) == 0x0 01156 712 NtQueryDirectoryFile (152, 0, 0, 0, 4591312, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1380}, ) == 0x0 01157 712 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\"}, 3, 16417, ... 156, {status=0x0, info=1}, ) }, 3, 16417, ... 156, {status=0x0, info=1}, ) == 0x0 01158 712 NtQueryDirectoryFile (156, 0, 0, 0, 8712292, 616, BothDirectory, 1, (156, 0, 0, 0, 8712292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 01159 712 NtQueryDirectoryFile (156, 0, 0, 0, 4595416, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=220}, ) == 0x0 01160 712 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\desktop.ini\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_NOT_A_DIRECTORY 01161 712 NtQueryDirectoryFile (156, 0, 0, 0, 4595416, 4096, BothDirectory, 0, 0x0, 0, ... 
) == STATUS_NO_MORE_FILES 01162 712 NtDelayExecution (0, {-10000, -1}, ... 01138 484 NtWriteFile ... {status=0x0, info=61440}, ) == 0x0 01163 484 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "\13\15\34\17\6\0\10\0\256\330\335\336\334\307\300\332\310\0\7\0\371\212\211\213\220\227\215\237\0\6\0\321\242\245\243\262\260\245\0\5\0z\11\10\33\24\36\0\4\0\352\230\213\204\216\0\6\0\336\263\273\263\255\273\252\0\6\0\336\263\273\263\275\256\247\0\6\0\227\372\362\372\364\372\347\0\6\0\332\267\273\266\266\265\271\0\4\0\342\204\220\207\207\0\4\0\20qd\177y\0\7\0L8#9<<)>\0\6\0n1\35\2\13\13\36\0\12\0\243\300\321\327\307\317\317\215\307\317\317\0\12\0"APVFNN\14FNN\0\22\0\201\322\347\342\310\362\307\350\355\344\321\363\356\365\344\342\365\344\345\0\7\0\255\336\313\316\203\311\301\301\0\7\0^-8=p:22\0\13\0\320\231\243\225\241\245\261\274\227\205\231\224\0\16\0@\3/\25.).)4)!,):%\0\14\0>}QwPWJW_RWD[\0\20\0]\362\36/8<)8\243.)<3>8\0\17\0d'(7- "\26\13\117\20\26\15\12\3\0\11\0\26yzs%$8rzz\0\11\0\305\252\251\240\366\367\353\241\251\251\0\21\0\202\313\354\366\347\360\354\347\366\242\307\372\362\356\355\360\347\360\0\1\0-\16\0\1\0\13(\0\1\0\3 \0\7\0H <<8rgg\0\1\0\343\300\0\7\07_CCG\15\30\30\0+\4\363\220\233\226\220\233\226\235\203\201\226\200\200\335\232\235\225\234\320\224\234\237\227\203\234\237\237\335\220\234\236\320\232\235\207\224\234\237\227\335\220\234\236\320\204\204\204\335\220\221\201\335\201\206\320\204\204\204\335\200\234\220\230\200\335\222\220\320\200\207\234\201\236\203\222\212\335\220\234\236\320\220\201\206\207\234\203\335\235\206\320\235\226\204\335\226\224\224\335\220\234\236\320\204\204\204\335\203\234\235\211\232\200\220\222\236", 5120, 0x0, 0, ... 
{status=0x0, info=5120}, ) APVFNN\14FNN\0\22\0\201\322\347\342\310\362\307\350\355\344\321\363\356\365\344\342\365\344\345\0\7\0\255\336\313\316\203\311\301\301\0\7\0^-8=p:22\0\13\0\320\231\243\225\241\245\261\274\227\205\231\224\0\16\0@\3/\25.).)4)!,):%\0\14\0>}QwPWJW_RWD[\0\20\0]\362\36/8<)8\243.)<3>8\0\17\0d'(7- (140, 0, 0, 0, "\13\15\34\17\6\0\10\0\256\330\335\336\334\307\300\332\310\0\7\0\371\212\211\213\220\227\215\237\0\6\0\321\242\245\243\262\260\245\0\5\0z\11\10\33\24\36\0\4\0\352\230\213\204\216\0\6\0\336\263\273\263\255\273\252\0\6\0\336\263\273\263\275\256\247\0\6\0\227\372\362\372\364\372\347\0\6\0\332\267\273\266\266\265\271\0\4\0\342\204\220\207\207\0\4\0\20qd\177y\0\7\0L8#9<<)>\0\6\0n1\35\2\13\13\36\0\12\0\243\300\321\327\307\317\317\215\307\317\317\0\12\0"APVFNN\14FNN\0\22\0\201\322\347\342\310\362\307\350\355\344\321\363\356\365\344\342\365\344\345\0\7\0\255\336\313\316\203\311\301\301\0\7\0^-8=p:22\0\13\0\320\231\243\225\241\245\261\274\227\205\231\224\0\16\0@\3/\25.).)4)!,):%\0\14\0>}QwPWJW_RWD[\0\20\0]\362\36/8<)8\243.)<3>8\0\17\0d'(7- "\26\13\117\20\26\15\12\3\0\11\0\26yzs%$8rzz\0\11\0\305\252\251\240\366\367\353\241\251\251\0\21\0\202\313\354\366\347\360\354\347\366\242\307\372\362\356\355\360\347\360\0\1\0-\16\0\1\0\13(\0\1\0\3 \0\7\0H <<8rgg\0\1\0\343\300\0\7\07_CCG\15\30\30\0+\4\363\220\233\226\220\233\226\235\203\201\226\200\200\335\232\235\225\234\320\224\234\237\227\203\234\237\237\335\220\234\236\320\232\235\207\224\234\237\227\335\220\234\236\320\204\204\204\335\220\221\201\335\201\206\320\204\204\204\335\200\234\220\230\200\335\222\220\320\200\207\234\201\236\203\222\212\335\220\234\236\320\220\201\206\207\234\203\335\235\206\320\235\226\204\335\226\224\224\335\220\234\236\320\204\204\204\335\203\234\235\211\232\200\220\222\236", 5120, 0x0, 0, ... {status=0x0, info=5120}, ) , 5120, 0x0, 0, ... {status=0x0, info=5120}, ) == 0x0 01164 484 NtUnmapViewOfSection (-1, 0xf70000, ... 
) == 0x0 01165 484 NtSetInformationFile (140, 2291116, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01166 484 NtClose (120, ... ) == 0x0 01167 484 NtClose (140, ... ) == 0x0 01168 484 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 140, ) == 0x0 01169 484 NtSetValueKey (140, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... 01170 484 NtSetInformationFile (-2147482808, -136181964, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01171 484 NtSetInformationFile (-2147482808, -136182056, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01172 484 NtSetInformationFile (-2147482808, -136182364, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01169 484 NtSetValueKey ... ) == 0x0 01173 484 NtClose (140, ... ) == 0x0 01174 484 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 140, ) == 0x0 01175 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 16187392, 2097152, ) == 0x0 01176 484 NtAllocateVirtualMemory (-1, 18276352, 0, 8192, 4096, 4, ... 18276352, 8192, ) == 0x0 01177 484 NtProtectVirtualMemory (-1, (0x116e000), 4096, 260, ... (0x116e000), 4096, 4, ) == 0x0 01178 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 120, {480, 836}, ) == 0x0 01179 484 NtQueryInformationThread (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=480,Tid=836,}, 0x0, ) == 0x0 01180 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} "\0\0\0\0\1\0\1\0C:\WINDOx\0\0\0\340\1\0\0D\3\0\0" ... {28, 56, reply, 0, 480, 484, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\0\0\0\340\1\0\0D\3\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1584, 0} (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} "\0\0\0\0\1\0\1\0C:\WINDOx\0\0\0\340\1\0\0D\3\0\0" ... {28, 56, reply, 0, 480, 484, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\0\0\0\340\1\0\0D\3\0\0" ) ) == 0x0 01181 484 NtResumeThread (120, ... 1, ) == 0x0 01182 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 18284544, 2097152, ) == 0x0 01183 484 NtAllocateVirtualMemory (-1, 20373504, 0, 8192, 4096, 4, ... 01184 836 NtTestAlert (... ) == 0x0 01185 836 NtContinue (18283824, 1, ... 01186 836 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01187 836 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 160, ) == 0x0 01188 836 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 01189 836 NtAllocateVirtualMemory (-1, 18272256, 0, 4096, 4096, 260, ... 01183 484 NtAllocateVirtualMemory ... 20373504, 8192, ) == 0x0 01190 484 NtProtectVirtualMemory (-1, (0x136e000), 4096, 260, ... (0x136e000), 4096, 4, ) == 0x0 01191 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 164, {480, 856}, ) == 0x0 01192 484 NtQueryInformationThread (164, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=480,Tid=856,}, 0x0, ) == 0x0 01193 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1584, 0} (24, {28, 56, new_msg, 0, 480, 484, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\340\1\0\0X\3\0\0" ... {28, 56, reply, 0, 480, 484, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\340\1\0\0X\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1585, 0} (24, {28, 56, new_msg, 0, 480, 484, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\340\1\0\0X\3\0\0" ... {28, 56, reply, 0, 480, 484, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\0\0\0\340\1\0\0X\3\0\0" ) ) == 0x0 01194 484 NtResumeThread (164, ... 1, ) == 0x0 01189 836 NtAllocateVirtualMemory ... 18272256, 4096, ) == 0x0 01195 856 NtWaitForSingleObject (36, 0, 0x0, ... 
01196 836 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18281020, ... ) }, 18281020, ... ) == 0x0 01197 836 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01198 836 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 168, ... 172, ) == 0x0 01199 836 NtClose (168, ... ) == 0x0 01200 836 NtMapViewOfSection (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1370000), 0x0, 229376, ) == 0x0 01201 836 NtClose (172, ... 01202 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 20643840, 2097152, ) == 0x0 01203 484 NtAllocateVirtualMemory (-1, 22732800, 0, 8192, 4096, 4, ... 22732800, 8192, ) == 0x0 01204 484 NtProtectVirtualMemory (-1, (0x15ae000), 4096, 260, ... (0x15ae000), 4096, 4, ) == 0x0 01205 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 168, {480, 860}, ) == 0x0 01206 484 NtQueryInformationThread (168, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=480,Tid=860,}, 0x0, ) == 0x0 01207 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1585, 0} (24, {28, 56, new_msg, 0, 480, 484, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\340\1\0\0\\3\0\0" ... ... 01201 836 NtClose ... ) == 0x0 01208 836 NtUnmapViewOfSection (-1, 0x1370000, ... ) == 0x0 01209 836 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18281336, ... ) }, 18281336, ... ) == 0x0 01210 836 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... }, 5, 96, ... 01207 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1586, 0} ... {28, 56, reply, 0, 480, 484, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\0\0\0\340\1\0\0\\3\0\0" ) ) == 0x0 01211 484 NtResumeThread (168, ... 
1, ) == 0x0 01212 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 22740992, 2097152, ) == 0x0 01213 484 NtAllocateVirtualMemory (-1, 24829952, 0, 8192, 4096, 4, ... 24829952, 8192, ) == 0x0 01214 484 NtProtectVirtualMemory (-1, (0x17ae000), 4096, 260, ... (0x17ae000), 4096, 4, ) == 0x0 01215 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01210 836 NtOpenFile ... 172, {status=0x0, info=1}, ) == 0x0 01216 836 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 172, ... 176, ) == 0x0 01217 836 NtQuerySection (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01218 836 NtClose (172, ... 01219 860 NtWaitForSingleObject (36, 0, 0x0, ... 01162 712 NtDelayExecution ... ) == 0x0 01215 484 NtCreateThread ... 180, {480, 864}, ) == 0x0 01220 712 NtClose (156, ... 01221 484 NtQueryInformationThread (180, Basic, 28, ... 01220 712 NtClose ... ) == 0x0 01221 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=480,Tid=864,}, 0x0, ) == 0x0 01222 712 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Accessibility\"}, 3, 16417, ... }, 3, 16417, ... 01223 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1586, 0} (24, {28, 56, new_msg, 0, 480, 484, 1586, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\340\1\0\0`\3\0\0" ... ... 01222 712 NtOpenFile ... 156, {status=0x0, info=1}, ) == 0x0 01223 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1587, 0} ... {28, 56, reply, 0, 480, 484, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\0\0\0\340\1\0\0`\3\0\0" ) ) == 0x0 01224 712 NtQueryDirectoryFile (156, 0, 0, 0, 8712292, 616, BothDirectory, 1, (156, 0, 0, 0, 8712292, 616, BothDirectory, 1, "*", 0, ... , 0, ... 01218 836 NtClose ... ) == 0x0 01225 484 NtResumeThread (180, ... 01226 836 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01225 484 NtResumeThread ... 
1, ) == 0x0 01226 836 NtMapViewOfSection ... (0x71a50000), 0x0, 241664, ) == 0x0 01227 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01228 836 NtClose (176, ... 01227 484 NtAllocateVirtualMemory ... 24838144, 2097152, ) == 0x0 01228 836 NtClose ... ) == 0x0 01229 484 NtAllocateVirtualMemory (-1, 26927104, 0, 8192, 4096, 4, ... 01230 836 NtQuerySystemInformation (Basic, 44, ... 01229 484 NtAllocateVirtualMemory ... 26927104, 8192, ) == 0x0 01224 712 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 01231 864 NtWaitForSingleObject (36, 0, 0x0, ... 01230 836 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01232 712 NtQueryDirectoryFile (156, 0, 0, 0, 4595416, 4096, BothDirectory, 0, 0x0, 0, ... 01233 836 NtQuerySystemInformation (Processor, 12, ... 01232 712 NtQueryDirectoryFile ... {status=0x0, info=724}, ) == 0x0 01233 836 NtQuerySystemInformation ... {system info, class 1, size 12}, 0x0, ) == 0x0 01234 712 NtAllocateVirtualMemory (-1, 8695808, 0, 4096, 4096, 260, ... 01235 836 NtSetEventBoostPriority (36, ... 01234 712 NtAllocateVirtualMemory ... 8695808, 4096, ) == 0x0 01195 856 NtWaitForSingleObject ... ) == 0x0 01235 836 NtSetEventBoostPriority ... ) == 0x0 01236 856 NtSetEventBoostPriority (36, ... 01237 712 NtAllocateVirtualMemory (-1, 8691712, 0, 4096, 4096, 260, ... 01219 860 NtWaitForSingleObject ... ) == 0x0 01236 856 NtSetEventBoostPriority ... ) == 0x0 01238 836 NtWaitForSingleObject (36, 0, 0x0, ... 01239 484 NtProtectVirtualMemory (-1, (0x19ae000), 4096, 260, ... 01240 860 NtSetEventBoostPriority (36, ... 01237 712 NtAllocateVirtualMemory ... 8691712, 4096, ) == 0x0 01241 856 NtTestAlert (... 01231 864 NtWaitForSingleObject ... ) == 0x0 01240 860 NtSetEventBoostPriority ... 
) == 0x0 01239 484 NtProtectVirtualMemory ... (0x19ae000), 4096, 4, ) == 0x0 01242 712 NtAllocateVirtualMemory (-1, 8687616, 0, 4096, 4096, 260, ... 01243 864 NtSetEventBoostPriority (36, ... 01241 856 NtTestAlert ... ) == 0x0 01244 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01238 836 NtWaitForSingleObject ... ) == 0x0 01243 864 NtSetEventBoostPriority ... ) == 0x0 01242 712 NtAllocateVirtualMemory ... 8687616, 4096, ) == 0x0 01245 856 NtContinue (20380976, 1, ... 01246 836 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01244 484 NtCreateThread ... 176, {480, 868}, ) == 0x0 01247 860 NtTestAlert (... 01248 712 NtAllocateVirtualMemory (-1, 8683520, 0, 4096, 4096, 260, ... 01246 836 NtCreateEvent ... 172, ) == 0x0 01249 856 NtRegisterThreadTerminatePort (24, ... 01250 484 NtQueryInformationThread (176, Basic, 28, ... 01247 860 NtTestAlert ... ) == 0x0 01251 836 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 18280664, ... }, 18280664, ... 01248 712 NtAllocateVirtualMemory ... 8683520, 4096, ) == 0x0 01249 856 NtRegisterThreadTerminatePort ... ) == 0x0 01250 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=480,Tid=868,}, 0x0, ) == 0x0 01251 836 NtQueryAttributesFile ... ) == 0x0 01252 860 NtContinue (22740272, 1, ... 01253 712 NtAllocateVirtualMemory (-1, 8679424, 0, 4096, 4096, 260, ... 01254 856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01255 864 NtTestAlert (... 01256 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1587, 0} (24, {28, 56, new_msg, 0, 480, 484, 1587, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\340\1\0\0d\3\0\0" ... ... 01257 860 NtRegisterThreadTerminatePort (24, ... 01258 836 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01253 712 NtAllocateVirtualMemory ... 8679424, 4096, ) == 0x0 01255 864 NtTestAlert ... 
) == 0x0 01256 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1588, 0} ... {28, 56, reply, 0, 480, 484, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0\340\1\0\0d\3\0\0" ) ) == 0x0 01257 860 NtRegisterThreadTerminatePort ... ) == 0x0 01258 836 NtOpenKey ... 184, ) == 0x0 01259 712 NtAllocateVirtualMemory (-1, 8675328, 0, 4096, 4096, 260, ... 01260 864 NtContinue (24837424, 1, ... 01261 484 NtResumeThread (176, ... 01262 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01263 836 NtQueryValueKey (184, (184, "Transports", Partial, 144, ... , Partial, 144, ... 01259 712 NtAllocateVirtualMemory ... 8675328, 4096, ) == 0x0 01264 864 NtRegisterThreadTerminatePort (24, ... 01261 484 NtResumeThread ... 1, ) == 0x0 01254 856 NtDuplicateObject ... 188, ) == 0x0 01263 836 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01265 712 NtAllocateVirtualMemory (-1, 8671232, 0, 4096, 4096, 260, ... 01264 864 NtRegisterThreadTerminatePort ... ) == 0x0 01266 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01267 856 NtWaitForSingleObject (100, 0, {0, 0}, ... 01268 836 NtQueryValueKey (184, (184, "Transports", Partial, 144, ... , Partial, 144, ... 01265 712 NtAllocateVirtualMemory ... 8671232, 4096, ) == 0x0 01269 864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01262 860 NtDuplicateObject ... 192, ) == 0x0 01270 868 NtTestAlert (... 01267 856 NtWaitForSingleObject ... ) == 0x102 01268 836 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01271 712 NtAllocateVirtualMemory (-1, 8667136, 0, 4096, 4096, 260, ... 01266 484 NtAllocateVirtualMemory ... 26935296, 2097152, ) == 0x0 01272 860 NtWaitForSingleObject (100, 0, {0, 0}, ... 01270 868 NtTestAlert ... ) == 0x0 01273 856 NtAllocateVirtualMemory (-1, 20369408, 0, 4096, 4096, 260, ... 01269 864 NtDuplicateObject ... 
196, ) == 0x0 01274 836 NtClose (184, ... 01275 484 NtAllocateVirtualMemory (-1, 29024256, 0, 8192, 4096, 4, ... 01272 860 NtWaitForSingleObject ... ) == 0x102 01276 868 NtContinue (26934576, 1, ... 01273 856 NtAllocateVirtualMemory ... 20369408, 4096, ) == 0x0 01277 864 NtWaitForSingleObject (100, 0, {0, 0}, ... 01274 836 NtClose ... ) == 0x0 01275 484 NtAllocateVirtualMemory ... 29024256, 8192, ) == 0x0 01278 860 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01279 868 NtRegisterThreadTerminatePort (24, ... 01271 712 NtAllocateVirtualMemory ... 8667136, 4096, ) == 0x0 01277 864 NtWaitForSingleObject ... ) == 0x102 01280 836 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01281 484 NtProtectVirtualMemory (-1, (0x1bae000), 4096, 260, ... 01278 860 NtCreateEvent ... 184, ) == 0x0 01279 868 NtRegisterThreadTerminatePort ... ) == 0x0 01282 712 NtAllocateVirtualMemory (-1, 8663040, 0, 4096, 4096, 260, ... 01283 864 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01280 836 NtOpenKey ... 200, ) == 0x0 01281 484 NtProtectVirtualMemory ... (0x1bae000), 4096, 4, ) == 0x0 01284 856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 20376620, ... }, 20376620, ... 01285 860 NtWaitForSingleObject (184, 0, 0x0, ... 01282 712 NtAllocateVirtualMemory ... 8663040, 4096, ) == 0x0 01283 864 NtCreateEvent ... 204, ) == 0x0 01286 836 NtQueryValueKey (200, (200, "Mapping", Partial, 144, ... , Partial, 144, ... 01287 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01284 856 NtQueryAttributesFile ... ) == 0x0 01288 712 NtAllocateVirtualMemory (-1, 8658944, 0, 4096, 4096, 260, ... 01289 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01286 836 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01290 864 NtClose (204, ... 01291 856 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01288 712 NtAllocateVirtualMemory ... 
8658944, 4096, ) == 0x0 01289 868 NtDuplicateObject ... 208, ) == 0x0 01287 484 NtCreateThread ... 212, {480, 872}, ) == 0x0 01290 864 NtClose ... ) == 0x0 01291 856 NtCreateEvent ... 204, ) == 0x0 01292 712 NtAllocateVirtualMemory (-1, 8654848, 0, 4096, 4096, 260, ... 01293 868 NtWaitForSingleObject (100, 0, {0, 0}, ... 01294 484 NtQueryInformationThread (212, Basic, 28, ... 01295 864 NtWaitForSingleObject (184, 0, 0x0, ... 01296 856 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 01297 836 NtQueryValueKey (200, (200, "Mapping", Partial, 144, ... , Partial, 144, ... 01293 868 NtWaitForSingleObject ... ) == 0x102 01294 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=480,Tid=872,}, 0x0, ) == 0x0 01296 856 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01297 836 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01298 868 NtWaitForSingleObject (184, 0, 0x0, ... 01299 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1588, 0} (24, {28, 56, new_msg, 0, 480, 484, 1588, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\340\1\0\0h\3\0\0" ... ... 01292 712 NtAllocateVirtualMemory ... 8654848, 4096, ) == 0x0 01300 836 NtQueryValueKey (200, (200, "Mapping", Partial, 152, ... , Partial, 152, ... 01301 856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 20376736, ... }, 20376736, ... 01299 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1589, 0} ... {28, 56, reply, 0, 480, 484, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0\340\1\0\0h\3\0\0" ) ) == 0x0 01302 712 NtAllocateVirtualMemory (-1, 8650752, 0, 4096, 4096, 260, ... 01300 836 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... 
TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01302 712 NtAllocateVirtualMemory ... 8650752, 4096, ) == 0x0 01303 836 NtClose (200, ... 01304 712 NtAllocateVirtualMemory (-1, 8646656, 0, 4096, 4096, 260, ... 01303 836 NtClose ... ) == 0x0 01304 712 NtAllocateVirtualMemory ... 8646656, 4096, ) == 0x0 01305 484 NtResumeThread (212, ... 01306 712 NtAllocateVirtualMemory (-1, 8642560, 0, 4096, 4096, 260, ... 01305 484 NtResumeThread ... 1, ) == 0x0 01307 836 NtAllocateVirtualMemory (-1, 4599808, 0, 4096, 4096, 4, ... 01308 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01307 836 NtAllocateVirtualMemory ... 4599808, 4096, ) == 0x0 01308 484 NtAllocateVirtualMemory ... 29032448, 2097152, ) == 0x0 01309 836 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01310 484 NtAllocateVirtualMemory (-1, 31121408, 0, 8192, 4096, 4, ... 01309 836 NtOpenKey ... 200, ) == 0x0 01310 484 NtAllocateVirtualMemory ... 31121408, 8192, ) == 0x0 01311 836 NtQueryValueKey (200, (200, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01306 712 NtAllocateVirtualMemory ... 8642560, 4096, ) == 0x0 01312 872 NtWaitForSingleObject (36, 0, 0x0, ... 01311 836 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01313 712 NtAllocateVirtualMemory (-1, 8638464, 0, 4096, 4096, 260, ... 01314 484 NtProtectVirtualMemory (-1, (0x1dae000), 4096, 260, ... 01313 712 NtAllocateVirtualMemory ... 8638464, 4096, ) == 0x0 01314 484 NtProtectVirtualMemory ... 
(0x1dae000), 4096, 4, ) == 0x0 01315 712 NtAllocateVirtualMemory (-1, 8634368, 0, 4096, 4096, 260, ... 01316 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01315 712 NtAllocateVirtualMemory ... 8634368, 4096, ) == 0x0 01316 484 NtCreateThread ... 216, {480, 876}, ) == 0x0 01317 712 NtAllocateVirtualMemory (-1, 8630272, 0, 4096, 4096, 260, ... 01318 484 NtQueryInformationThread (216, Basic, 28, ... 01319 836 NtQueryValueKey (200, (200, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01301 856 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01318 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=480,Tid=876,}, 0x0, ) == 0x0 01319 836 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01317 712 NtAllocateVirtualMemory ... 8630272, 4096, ) == 0x0 01320 856 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 20376736, ... }, 20376736, ... 01321 836 NtQueryValueKey (200, (200, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01322 712 NtCreateFile (0x80100081, {24, 0, 0x40, 0, 8638856, (0x80100081, {24, 0, 0x40, 0, 8638856, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk"}, 0x0, 0, 0, 1, 96, 0, 0, ... }, 0x0, 0, 0, 1, 96, 0, 0, ... 01321 836 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01322 712 NtCreateFile ... 220, {status=0x0, info=1}, ) == 0x0 01323 836 NtQueryValueKey (200, (200, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01324 712 NtReadFile (220, 0, 0, 0, 8191, 0x0, 0, ... 01323 836 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01325 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1589, 0} (24, {28, 56, new_msg, 0, 480, 484, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\340\1\0\0l\3\0\0" ... {28, 56, reply, 0, 480, 484, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\340\1\0\0l\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1590, 0} (24, {28, 56, new_msg, 0, 480, 484, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\340\1\0\0l\3\0\0" ... {28, 56, reply, 0, 480, 484, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\0\0\0\340\1\0\0l\3\0\0" ) ) == 0x0 01326 484 NtResumeThread (216, ... 1, ) == 0x0 01327 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 31129600, 2097152, ) == 0x0 01328 484 NtAllocateVirtualMemory (-1, 33218560, 0, 8192, 4096, 4, ... 33218560, 8192, ) == 0x0 01329 484 NtProtectVirtualMemory (-1, (0x1fae000), 4096, 260, ... (0x1fae000), 4096, 4, ) == 0x0 01330 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01331 836 NtWaitForSingleObject (36, 0, 0x0, ... 01332 876 NtWaitForSingleObject (36, 0, 0x0, ... 01330 484 NtCreateThread ... 224, {480, 880}, ) == 0x0 01333 484 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=480,Tid=880,}, 0x0, ) == 0x0 01334 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1590, 0} (24, {28, 56, new_msg, 0, 480, 484, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\340\1\0\0p\3\0\0" ... {28, 56, reply, 0, 480, 484, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\340\1\0\0p\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1591, 0} (24, {28, 56, new_msg, 0, 480, 484, 1590, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\340\1\0\0p\3\0\0" ... {28, 56, reply, 0, 480, 484, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\0\0\0\340\1\0\0p\3\0\0" ) ) == 0x0 01335 484 NtResumeThread (224, ... 
1, ) == 0x0 01336 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 33226752, 2097152, ) == 0x0 01337 484 NtAllocateVirtualMemory (-1, 35315712, 0, 8192, 4096, 4, ... 35315712, 8192, ) == 0x0 01338 880 NtWaitForSingleObject (36, 0, 0x0, ... 01339 484 NtProtectVirtualMemory (-1, (0x21ae000), 4096, 260, ... (0x21ae000), 4096, 4, ) == 0x0 01340 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 228, {480, 884}, ) == 0x0 01341 484 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=480,Tid=884,}, 0x0, ) == 0x0 01342 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1591, 0} (24, {28, 56, new_msg, 0, 480, 484, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\340\1\0\0t\3\0\0" ... {28, 56, reply, 0, 480, 484, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\340\1\0\0t\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1592, 0} (24, {28, 56, new_msg, 0, 480, 484, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\340\1\0\0t\3\0\0" ... {28, 56, reply, 0, 480, 484, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0\340\1\0\0t\3\0\0" ) ) == 0x0 01343 484 NtResumeThread (228, ... 1, ) == 0x0 01344 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01345 884 NtWaitForSingleObject (36, 0, 0x0, ... 01344 484 NtAllocateVirtualMemory ... 35323904, 2097152, ) == 0x0 01346 484 NtAllocateVirtualMemory (-1, 37412864, 0, 8192, 4096, 4, ... 37412864, 8192, ) == 0x0 01347 484 NtProtectVirtualMemory (-1, (0x23ae000), 4096, 260, ... (0x23ae000), 4096, 4, ) == 0x0 01348 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 232, {480, 888}, ) == 0x0 01349 484 NtQueryInformationThread (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=480,Tid=888,}, 0x0, ) == 0x0 01350 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1592, 0} (24, {28, 56, new_msg, 0, 480, 484, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\340\1\0\0x\3\0\0" ... 
{28, 56, reply, 0, 480, 484, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\340\1\0\0x\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1593, 0} (24, {28, 56, new_msg, 0, 480, 484, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\340\1\0\0x\3\0\0" ... {28, 56, reply, 0, 480, 484, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\0\0\0\340\1\0\0x\3\0\0" ) ) == 0x0 01351 484 NtResumeThread (232, ... 1, ) == 0x0 01352 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 37421056, 2097152, ) == 0x0 01353 484 NtAllocateVirtualMemory (-1, 39510016, 0, 8192, 4096, 4, ... 39510016, 8192, ) == 0x0 01354 888 NtWaitForSingleObject (36, 0, 0x0, ... 01355 484 NtProtectVirtualMemory (-1, (0x25ae000), 4096, 260, ... (0x25ae000), 4096, 4, ) == 0x0 01356 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 236, {480, 892}, ) == 0x0 01357 484 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=480,Tid=892,}, 0x0, ) == 0x0 01358 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1593, 0} (24, {28, 56, new_msg, 0, 480, 484, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\340\1\0\0|\3\0\0" ... {28, 56, reply, 0, 480, 484, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\340\1\0\0|\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1594, 0} (24, {28, 56, new_msg, 0, 480, 484, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\340\1\0\0|\3\0\0" ... {28, 56, reply, 0, 480, 484, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\0\0\0\340\1\0\0|\3\0\0" ) ) == 0x0 01359 484 NtResumeThread (236, ... 1, ) == 0x0 01360 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01361 892 NtWaitForSingleObject (36, 0, 0x0, ... 01360 484 NtAllocateVirtualMemory ... 39518208, 2097152, ) == 0x0 01362 484 NtAllocateVirtualMemory (-1, 41607168, 0, 8192, 4096, 4, ... 41607168, 8192, ) == 0x0 01363 484 NtProtectVirtualMemory (-1, (0x27ae000), 4096, 260, ... (0x27ae000), 4096, 4, ) == 0x0 01364 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
240, {480, 908}, ) == 0x0 01365 484 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=480,Tid=908,}, 0x0, ) == 0x0 01366 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1594, 0} (24, {28, 56, new_msg, 0, 480, 484, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\340\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 480, 484, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\340\1\0\0\214\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1595, 0} (24, {28, 56, new_msg, 0, 480, 484, 1594, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\340\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 480, 484, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\0\0\0\340\1\0\0\214\3\0\0" ) ) == 0x0 01367 484 NtResumeThread (240, ... 1, ) == 0x0 01368 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 41615360, 2097152, ) == 0x0 01369 484 NtAllocateVirtualMemory (-1, 43704320, 0, 8192, 4096, 4, ... 43704320, 8192, ) == 0x0 01370 908 NtWaitForSingleObject (36, 0, 0x0, ... 01371 484 NtProtectVirtualMemory (-1, (0x29ae000), 4096, 260, ... (0x29ae000), 4096, 4, ) == 0x0 01372 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 244, {480, 912}, ) == 0x0 01373 484 NtQueryInformationThread (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=480,Tid=912,}, 0x0, ) == 0x0 01374 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1595, 0} (24, {28, 56, new_msg, 0, 480, 484, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\340\1\0\0\220\3\0\0" ... {28, 56, reply, 0, 480, 484, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\340\1\0\0\220\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1596, 0} (24, {28, 56, new_msg, 0, 480, 484, 1595, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\340\1\0\0\220\3\0\0" ... {28, 56, reply, 0, 480, 484, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\0\0\0\340\1\0\0\220\3\0\0" ) ) == 0x0 01375 484 NtResumeThread (244, ... 1, ) == 0x0 01376 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
01377 912 NtWaitForSingleObject (36, 0, 0x0, ... 01376 484 NtAllocateVirtualMemory ... 43712512, 2097152, ) == 0x0 01378 484 NtAllocateVirtualMemory (-1, 45801472, 0, 8192, 4096, 4, ... 45801472, 8192, ) == 0x0 01379 484 NtProtectVirtualMemory (-1, (0x2bae000), 4096, 260, ... (0x2bae000), 4096, 4, ) == 0x0 01380 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 248, {480, 916}, ) == 0x0 01381 484 NtQueryInformationThread (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=480,Tid=916,}, 0x0, ) == 0x0 01382 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1596, 0} (24, {28, 56, new_msg, 0, 480, 484, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\340\1\0\0\224\3\0\0" ... {28, 56, reply, 0, 480, 484, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\340\1\0\0\224\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1597, 0} (24, {28, 56, new_msg, 0, 480, 484, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\340\1\0\0\224\3\0\0" ... {28, 56, reply, 0, 480, 484, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0\340\1\0\0\224\3\0\0" ) ) == 0x0 01383 484 NtResumeThread (248, ... 1, ) == 0x0 01384 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 45809664, 2097152, ) == 0x0 01385 484 NtAllocateVirtualMemory (-1, 47898624, 0, 8192, 4096, 4, ... 47898624, 8192, ) == 0x0 01386 916 NtWaitForSingleObject (36, 0, 0x0, ... 01387 484 NtProtectVirtualMemory (-1, (0x2dae000), 4096, 260, ... (0x2dae000), 4096, 4, ) == 0x0 01388 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 252, {480, 920}, ) == 0x0 01389 484 NtQueryInformationThread (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=480,Tid=920,}, 0x0, ) == 0x0 01320 856 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01390 856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 20376736, ... ) }, 20376736, ... 
) == 0x0 01391 856 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 256, {status=0x0, info=1}, ) }, 5, 96, ... 256, {status=0x0, info=1}, ) == 0x0 01392 856 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 256, ... 260, ) == 0x0 01393 856 NtQuerySection (260, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01394 856 NtClose (256, ... 01395 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1597, 0} (24, {28, 56, new_msg, 0, 480, 484, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\340\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 480, 484, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\340\1\0\0\230\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1598, 0} (24, {28, 56, new_msg, 0, 480, 484, 1597, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\340\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 480, 484, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0\340\1\0\0\230\3\0\0" ) ) == 0x0 01396 484 NtResumeThread (252, ... 1, ) == 0x0 01397 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 47906816, 2097152, ) == 0x0 01398 484 NtAllocateVirtualMemory (-1, 49995776, 0, 8192, 4096, 4, ... 49995776, 8192, ) == 0x0 01399 484 NtProtectVirtualMemory (-1, (0x2fae000), 4096, 260, ... (0x2fae000), 4096, 4, ) == 0x0 01400 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01394 856 NtClose ... ) == 0x0 01401 920 NtWaitForSingleObject (36, 0, 0x0, ... 01402 856 NtMapViewOfSection (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01403 856 NtClose (260, ... ) == 0x0 01404 856 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 260, 2, ) }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 260, 2, ) , 0, ... 
260, 2, ) == 0x0 01405 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 256, ) }, ... 256, ) == 0x0 01406 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01407 856 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... }, ... 01400 484 NtCreateThread ... 264, {480, 924}, ) == 0x0 01408 484 NtQueryInformationThread (264, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=480,Tid=924,}, 0x0, ) == 0x0 01409 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1598, 0} (24, {28, 56, new_msg, 0, 480, 484, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\1\0\0\340\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 480, 484, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\1\0\0\340\1\0\0\234\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1599, 0} (24, {28, 56, new_msg, 0, 480, 484, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\1\0\0\340\1\0\0\234\3\0\0" ... {28, 56, reply, 0, 480, 484, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\1\0\0\340\1\0\0\234\3\0\0" ) ) == 0x0 01410 484 NtResumeThread (264, ... 1, ) == 0x0 01411 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 50003968, 2097152, ) == 0x0 01412 484 NtAllocateVirtualMemory (-1, 52092928, 0, 8192, 4096, 4, ... 52092928, 8192, ) == 0x0 01407 856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01413 924 NtWaitForSingleObject (36, 0, 0x0, ... 01414 856 NtQueryValueKey (256, (256, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01415 856 NtQueryValueKey (260, (260, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01416 856 NtQueryValueKey (256, (256, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01417 856 NtQueryValueKey (260, (260, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01418 856 NtQueryValueKey (256, (256, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01419 856 NtQueryValueKey (260, (260, "PrioritizeRecordData", Partial, 144, ... , Partial, 144, ... 01420 484 NtProtectVirtualMemory (-1, (0x31ae000), 4096, 260, ... (0x31ae000), 4096, 4, ) == 0x0 01421 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 268, {480, 928}, ) == 0x0 01422 484 NtQueryInformationThread (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=480,Tid=928,}, 0x0, ) == 0x0 01423 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1599, 0} (24, {28, 56, new_msg, 0, 480, 484, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0\340\1\0\0\240\3\0\0" ... {28, 56, reply, 0, 480, 484, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0\340\1\0\0\240\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1600, 0} (24, {28, 56, new_msg, 0, 480, 484, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0\340\1\0\0\240\3\0\0" ... {28, 56, reply, 0, 480, 484, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0\340\1\0\0\240\3\0\0" ) ) == 0x0 01424 484 NtResumeThread (268, ... 1, ) == 0x0 01425 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01419 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 928 NtWaitForSingleObject (36, 0, 0x0, ... 01427 856 NtQueryValueKey (256, (256, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01428 856 NtQueryValueKey (260, (260, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01429 856 NtQueryValueKey (256, (256, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 856 NtQueryValueKey (256, (256, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 856 NtQueryValueKey (256, (256, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 856 NtQueryValueKey (256, (256, "FilterClusterIp", Partial, 144, ... , Partial, 144, ... 01425 484 NtAllocateVirtualMemory ... 52101120, 2097152, ) == 0x0 01433 484 NtAllocateVirtualMemory (-1, 54190080, 0, 8192, 4096, 4, ... 54190080, 8192, ) == 0x0 01434 484 NtProtectVirtualMemory (-1, (0x33ae000), 4096, 260, ... (0x33ae000), 4096, 4, ) == 0x0 01435 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 272, {480, 932}, ) == 0x0 01436 484 NtQueryInformationThread (272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=480,Tid=932,}, 0x0, ) == 0x0 01437 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1600, 0} (24, {28, 56, new_msg, 0, 480, 484, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\340\1\0\0\244\3\0\0" ... {28, 56, reply, 0, 480, 484, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\340\1\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1601, 0} (24, {28, 56, new_msg, 0, 480, 484, 1600, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\340\1\0\0\244\3\0\0" ... {28, 56, reply, 0, 480, 484, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0\340\1\0\0\244\3\0\0" ) ) == 0x0 01432 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01438 856 NtQueryValueKey (256, (256, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01439 856 NtQueryValueKey (256, (256, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01440 856 NtQueryValueKey (256, (256, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01441 856 NtQueryValueKey (260, (260, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 856 NtQueryValueKey (256, (256, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 856 NtQueryValueKey (256, (256, "RegisterAdapterName", Partial, 144, ... , Partial, 144, ... 01444 484 NtResumeThread (272, ... 1, ) == 0x0 01445 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 54198272, 2097152, ) == 0x0 01446 484 NtAllocateVirtualMemory (-1, 56287232, 0, 8192, 4096, 4, ... 56287232, 8192, ) == 0x0 01447 484 NtProtectVirtualMemory (-1, (0x35ae000), 4096, 260, ... (0x35ae000), 4096, 4, ) == 0x0 01448 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 276, {480, 936}, ) == 0x0 01449 484 NtQueryInformationThread (276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=480,Tid=936,}, 0x0, ) == 0x0 01443 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01450 932 NtWaitForSingleObject (36, 0, 0x0, ... 01451 856 NtQueryValueKey (260, (260, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01452 856 NtQueryValueKey (256, (256, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01453 856 NtQueryValueKey (260, (260, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01454 856 NtQueryValueKey (256, (256, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 856 NtQueryValueKey (260, (260, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01456 856 NtQueryValueKey (256, (256, "RegistrationOverwritesInConflict", Partial, 144, ... , Partial, 144, ... 
01457 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1601, 0} (24, {28, 56, new_msg, 0, 480, 484, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\340\1\0\0\250\3\0\0" ... {28, 56, reply, 0, 480, 484, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\340\1\0\0\250\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1602, 0} (24, {28, 56, new_msg, 0, 480, 484, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\340\1\0\0\250\3\0\0" ... {28, 56, reply, 0, 480, 484, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0\340\1\0\0\250\3\0\0" ) ) == 0x0 01458 484 NtResumeThread (276, ... 1, ) == 0x0 01459 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 56295424, 2097152, ) == 0x0 01460 484 NtAllocateVirtualMemory (-1, 58384384, 0, 8192, 4096, 4, ... 58384384, 8192, ) == 0x0 01461 484 NtProtectVirtualMemory (-1, (0x37ae000), 4096, 260, ... (0x37ae000), 4096, 4, ) == 0x0 01462 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01456 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01463 936 NtWaitForSingleObject (36, 0, 0x0, ... 01464 856 NtQueryValueKey (260, (260, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01465 856 NtQueryValueKey (256, (256, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01466 856 NtQueryValueKey (260, (260, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01467 856 NtQueryValueKey (256, (256, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01468 856 NtQueryValueKey (260, (260, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01469 856 NtQueryValueKey (256, (256, "RegistrationMaxAddressCount", Partial, 144, ... , Partial, 144, ... 01462 484 NtCreateThread ... 280, {480, 940}, ) == 0x0 01470 484 NtQueryInformationThread (280, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=480,Tid=940,}, 0x0, ) == 0x0 01471 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1602, 0} (24, {28, 56, new_msg, 0, 480, 484, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\340\1\0\0\254\3\0\0" ... {28, 56, reply, 0, 480, 484, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\340\1\0\0\254\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1603, 0} (24, {28, 56, new_msg, 0, 480, 484, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\340\1\0\0\254\3\0\0" ... {28, 56, reply, 0, 480, 484, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0\340\1\0\0\254\3\0\0" ) ) == 0x0 01472 484 NtResumeThread (280, ... 1, ) == 0x0 01473 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 58392576, 2097152, ) == 0x0 01474 484 NtAllocateVirtualMemory (-1, 60481536, 0, 8192, 4096, 4, ... 60481536, 8192, ) == 0x0 01469 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01475 940 NtWaitForSingleObject (36, 0, 0x0, ... 01476 856 NtQueryValueKey (260, (260, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01477 856 NtQueryValueKey (256, (256, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01478 856 NtQueryValueKey (260, (260, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01479 856 NtQueryValueKey (256, (256, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01480 856 NtQueryValueKey (256, (256, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01481 856 NtQueryValueKey (256, (256, "DnsTest", Partial, 144, ... , Partial, 144, ... 01482 484 NtProtectVirtualMemory (-1, (0x39ae000), 4096, 260, ... (0x39ae000), 4096, 4, ) == 0x0 01483 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
284, {480, 944}, ) == 0x0 01484 484 NtQueryInformationThread (284, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=480,Tid=944,}, 0x0, ) == 0x0 01485 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1603, 0} (24, {28, 56, new_msg, 0, 480, 484, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0\340\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 480, 484, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0\340\1\0\0\260\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1604, 0} (24, {28, 56, new_msg, 0, 480, 484, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0\340\1\0\0\260\3\0\0" ... {28, 56, reply, 0, 480, 484, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0\340\1\0\0\260\3\0\0" ) ) == 0x0 01486 484 NtResumeThread (284, ... 1, ) == 0x0 01487 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01481 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01488 944 NtWaitForSingleObject (36, 0, 0x0, ... 01489 856 NtQueryValueKey (256, (256, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01490 856 NtQueryValueKey (256, (256, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01491 856 NtQueryValueKey (256, (256, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01492 856 NtQueryValueKey (256, (256, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01493 856 NtQueryValueKey (256, (256, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 856 NtQueryValueKey (256, (256, "MaxCachedSockets", Partial, 144, ... , Partial, 144, ... 01487 484 NtAllocateVirtualMemory ... 60489728, 2097152, ) == 0x0 01495 484 NtAllocateVirtualMemory (-1, 62578688, 0, 8192, 4096, 4, ... 62578688, 8192, ) == 0x0 01496 484 NtProtectVirtualMemory (-1, (0x3bae000), 4096, 260, ... 
(0x3bae000), 4096, 4, ) == 0x0 01497 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 288, {480, 948}, ) == 0x0 01498 484 NtQueryInformationThread (288, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=480,Tid=948,}, 0x0, ) == 0x0 01499 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1604, 0} (24, {28, 56, new_msg, 0, 480, 484, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0\340\1\0\0\264\3\0\0" ... {28, 56, reply, 0, 480, 484, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0\340\1\0\0\264\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1605, 0} (24, {28, 56, new_msg, 0, 480, 484, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0\340\1\0\0\264\3\0\0" ... {28, 56, reply, 0, 480, 484, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0\340\1\0\0\264\3\0\0" ) ) == 0x0 01494 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01500 856 NtQueryValueKey (256, (256, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01501 856 NtQueryValueKey (256, (256, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01502 856 NtQueryValueKey (256, (256, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01503 856 NtQueryValueKey (256, (256, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 856 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\Setup"}, ... 292, ) }, ... 292, ) == 0x0 01505 856 NtQueryValueKey (292, (292, "SystemSetupInProgress", Partial, 144, ... , Partial, 144, ... 01506 484 NtResumeThread (288, ... 1, ) == 0x0 01507 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 62586880, 2097152, ) == 0x0 01508 484 NtAllocateVirtualMemory (-1, 64675840, 0, 8192, 4096, 4, ... 64675840, 8192, ) == 0x0 01509 484 NtProtectVirtualMemory (-1, (0x3dae000), 4096, 260, ... 
(0x3dae000), 4096, 4, ) == 0x0 01510 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 296, {480, 952}, ) == 0x0 01511 484 NtQueryInformationThread (296, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=480,Tid=952,}, 0x0, ) == 0x0 01505 856 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01512 948 NtWaitForSingleObject (36, 0, 0x0, ... 01513 856 NtClose (292, ... ) == 0x0 01514 856 NtClose (260, ... ) == 0x0 01515 856 NtClose (256, ... ) == 0x0 01516 856 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 256, ) }, ... 256, ) == 0x0 01517 856 NtQueryValueKey (256, (256, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01518 856 NtQueryValueKey (256, (256, "DnsQuickQueryTimeouts", Partial, 144, ... , Partial, 144, ... 01519 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1605, 0} (24, {28, 56, new_msg, 0, 480, 484, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\1\0\0\340\1\0\0\270\3\0\0" ... {28, 56, reply, 0, 480, 484, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\1\0\0\340\1\0\0\270\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1606, 0} (24, {28, 56, new_msg, 0, 480, 484, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\1\0\0\340\1\0\0\270\3\0\0" ... {28, 56, reply, 0, 480, 484, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\1\0\0\340\1\0\0\270\3\0\0" ) ) == 0x0 01520 484 NtResumeThread (296, ... 1, ) == 0x0 01521 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 64684032, 2097152, ) == 0x0 01522 484 NtAllocateVirtualMemory (-1, 66772992, 0, 8192, 4096, 4, ... 66772992, 8192, ) == 0x0 01523 484 NtProtectVirtualMemory (-1, (0x3fae000), 4096, 260, ... (0x3fae000), 4096, 4, ) == 0x0 01524 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01518 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01525 952 NtWaitForSingleObject (36, 0, 0x0, ... 
01526 856 NtQueryValueKey (256, (256, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01527 856 NtClose (256, ... ) == 0x0 01528 856 NtSetEventBoostPriority (36, ... 01312 872 NtWaitForSingleObject ... ) == 0x0 01529 872 NtSetEventBoostPriority (36, ... 01331 836 NtWaitForSingleObject ... ) == 0x0 01530 836 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 18281584, ... ) }, 18281584, ... ) == 0x0 01531 836 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01529 872 NtSetEventBoostPriority ... ) == 0x0 01528 856 NtSetEventBoostPriority ... ) == 0x0 01524 484 NtCreateThread ... 256, {480, 956}, ) == 0x0 01531 836 NtOpenFile ... 260, {status=0x0, info=1}, ) == 0x0 01532 856 NtWaitForSingleObject (36, 0, 0x0, ... 01533 484 NtQueryInformationThread (256, Basic, 28, ... 01534 836 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 260, ... 01533 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=480,Tid=956,}, 0x0, ) == 0x0 01534 836 NtCreateSection ... 292, ) == 0x0 01535 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1606, 0} (24, {28, 56, new_msg, 0, 480, 484, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0\340\1\0\0\274\3\0\0" ... ... 01536 836 NtClose (260, ... 01535 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1607, 0} ... {28, 56, reply, 0, 480, 484, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0\340\1\0\0\274\3\0\0" ) ) == 0x0 01536 836 NtClose ... ) == 0x0 01537 872 NtTestAlert (... 01538 836 NtMapViewOfSection (292, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01537 872 NtTestAlert ... ) == 0x0 01539 484 NtResumeThread (256, ... 01540 872 NtContinue (29031728, 1, ... 01539 484 NtResumeThread ... 1, ) == 0x0 01541 872 NtRegisterThreadTerminatePort (24, ... 
01542 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01541 872 NtRegisterThreadTerminatePort ... ) == 0x0 01542 484 NtAllocateVirtualMemory ... 66781184, 2097152, ) == 0x0 01543 872 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01544 484 NtAllocateVirtualMemory (-1, 68870144, 0, 8192, 4096, 4, ... 01538 836 NtMapViewOfSection ... (0xef0000), 0x0, 20480, ) == 0x0 01545 956 NtWaitForSingleObject (36, 0, 0x0, ... 01544 484 NtAllocateVirtualMemory ... 68870144, 8192, ) == 0x0 01546 836 NtClose (292, ... 01543 872 NtDuplicateObject ... 260, ) == 0x0 01546 836 NtClose ... ) == 0x0 01547 872 NtWaitForSingleObject (100, 0, {0, 0}, ... 01548 836 NtUnmapViewOfSection (-1, 0xef0000, ... 01547 872 NtWaitForSingleObject ... ) == 0x102 01548 836 NtUnmapViewOfSection ... ) == 0x0 01549 872 NtWaitForSingleObject (184, 0, 0x0, ... 01550 836 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 18281900, ... }, 18281900, ... 01551 484 NtProtectVirtualMemory (-1, (0x41ae000), 4096, 260, ... (0x41ae000), 4096, 4, ) == 0x0 01552 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 292, {480, 960}, ) == 0x0 01553 484 NtQueryInformationThread (292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=480,Tid=960,}, 0x0, ) == 0x0 01554 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1607, 0} (24, {28, 56, new_msg, 0, 480, 484, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0\340\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 480, 484, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0\340\1\0\0\300\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1608, 0} (24, {28, 56, new_msg, 0, 480, 484, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0\340\1\0\0\300\3\0\0" ... {28, 56, reply, 0, 480, 484, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0\340\1\0\0\300\3\0\0" ) ) == 0x0 01555 484 NtResumeThread (292, ... 1, ) == 0x0 01556 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
01550 836 NtQueryAttributesFile ... ) == 0x0 01557 960 NtWaitForSingleObject (36, 0, 0x0, ... 01558 836 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01559 836 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 300, ... 304, ) == 0x0 01560 836 NtQuerySection (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01561 836 NtClose (300, ... ) == 0x0 01562 836 NtMapViewOfSection (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01563 836 NtClose (304, ... 01556 484 NtAllocateVirtualMemory ... 68878336, 2097152, ) == 0x0 01564 484 NtAllocateVirtualMemory (-1, 70967296, 0, 8192, 4096, 4, ... 70967296, 8192, ) == 0x0 01565 484 NtProtectVirtualMemory (-1, (0x43ae000), 4096, 260, ... (0x43ae000), 4096, 4, ) == 0x0 01566 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 300, {480, 984}, ) == 0x0 01567 484 NtQueryInformationThread (300, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=480,Tid=984,}, 0x0, ) == 0x0 01568 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1608, 0} (24, {28, 56, new_msg, 0, 480, 484, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0\340\1\0\0\330\3\0\0" ... {28, 56, reply, 0, 480, 484, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0\340\1\0\0\330\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1609, 0} (24, {28, 56, new_msg, 0, 480, 484, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0\340\1\0\0\330\3\0\0" ... {28, 56, reply, 0, 480, 484, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0\340\1\0\0\330\3\0\0" ) ) == 0x0 01563 836 NtClose ... ) == 0x0 01569 836 NtSetEventBoostPriority (36, ... 01332 876 NtWaitForSingleObject ... ) == 0x0 01570 876 NtSetEventBoostPriority (36, ... 01338 880 NtWaitForSingleObject ... ) == 0x0 01571 880 NtSetEventBoostPriority (36, ... 01345 884 NtWaitForSingleObject ... 
) == 0x0 01572 884 NtSetEventBoostPriority (36, ... 01354 888 NtWaitForSingleObject ... ) == 0x0 01573 888 NtSetEventBoostPriority (36, ... 01361 892 NtWaitForSingleObject ... ) == 0x0 01574 892 NtSetEventBoostPriority (36, ... 01370 908 NtWaitForSingleObject ... ) == 0x0 01575 908 NtSetEventBoostPriority (36, ... 01377 912 NtWaitForSingleObject ... ) == 0x0 01576 912 NtSetEventBoostPriority (36, ... 01386 916 NtWaitForSingleObject ... ) == 0x0 01577 916 NtSetEventBoostPriority (36, ... 01401 920 NtWaitForSingleObject ... ) == 0x0 01578 920 NtSetEventBoostPriority (36, ... 01413 924 NtWaitForSingleObject ... ) == 0x0 01579 924 NtSetEventBoostPriority (36, ... 01426 928 NtWaitForSingleObject ... ) == 0x0 01580 928 NtSetEventBoostPriority (36, ... 01450 932 NtWaitForSingleObject ... ) == 0x0 01581 932 NtSetEventBoostPriority (36, ... 01463 936 NtWaitForSingleObject ... ) == 0x0 01582 936 NtAllocateVirtualMemory (-1, 13193216, 0, 4096, 4096, 4, ... 13193216, 4096, ) == 0x0 01581 932 NtSetEventBoostPriority ... ) == 0x0 01580 928 NtSetEventBoostPriority ... ) == 0x0 01579 924 NtSetEventBoostPriority ... ) == 0x0 01578 920 NtSetEventBoostPriority ... ) == 0x0 01577 916 NtSetEventBoostPriority ... ) == 0x0 01576 912 NtSetEventBoostPriority ... ) == 0x0 01575 908 NtSetEventBoostPriority ... ) == 0x0 01574 892 NtSetEventBoostPriority ... ) == 0x0 01573 888 NtSetEventBoostPriority ... ) == 0x0 01572 884 NtSetEventBoostPriority ... ) == 0x0 01571 880 NtSetEventBoostPriority ... ) == 0x0 01570 876 NtSetEventBoostPriority ... ) == 0x0 01569 836 NtSetEventBoostPriority ... ) == 0x0 01583 484 NtResumeThread (300, ... 01584 936 NtSetEventBoostPriority (36, ... 01585 932 NtTestAlert (... 01586 928 NtTestAlert (... 01587 924 NtTestAlert (... 01588 920 NtTestAlert (... 01589 916 NtTestAlert (... 01590 912 NtTestAlert (... 01591 908 NtTestAlert (... 01592 892 NtTestAlert (... 01593 888 NtTestAlert (... 01594 884 NtTestAlert (... 01595 880 NtTestAlert (... 01596 836 NtClose (200, ... 
01583 484 NtResumeThread ... 1, ) == 0x0 01475 940 NtWaitForSingleObject ... ) == 0x0 01584 936 NtSetEventBoostPriority ... ) == 0x0 01585 932 NtTestAlert ... ) == 0x0 01586 928 NtTestAlert ... ) == 0x0 01587 924 NtTestAlert ... ) == 0x0 01588 920 NtTestAlert ... ) == 0x0 01589 916 NtTestAlert ... ) == 0x0 01590 912 NtTestAlert ... ) == 0x0 01591 908 NtTestAlert ... ) == 0x0 01592 892 NtTestAlert ... ) == 0x0 01593 888 NtTestAlert ... ) == 0x0 01594 884 NtTestAlert ... ) == 0x0 01595 880 NtTestAlert ... ) == 0x0 01596 836 NtClose ... ) == 0x0 01597 940 NtSetEventBoostPriority (36, ... 01598 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01599 936 NtTestAlert (... 01600 932 NtContinue (54197552, 1, ... 01601 928 NtContinue (52100400, 1, ... 01602 924 NtContinue (50003248, 1, ... 01603 920 NtContinue (47906096, 1, ... 01604 916 NtContinue (45808944, 1, ... 01605 912 NtContinue (43711792, 1, ... 01606 908 NtContinue (41614640, 1, ... 01607 892 NtContinue (39517488, 1, ... 01608 888 NtContinue (37420336, 1, ... 01609 884 NtContinue (35323184, 1, ... 01610 880 NtContinue (33226032, 1, ... 01488 944 NtWaitForSingleObject ... ) == 0x0 01597 940 NtSetEventBoostPriority ... ) == 0x0 01611 836 NtWaitForSingleObject (36, 0, 0x0, ... 01598 484 NtAllocateVirtualMemory ... 70975488, 2097152, ) == 0x0 01599 936 NtTestAlert ... ) == 0x0 01612 932 NtRegisterThreadTerminatePort (24, ... 01613 928 NtRegisterThreadTerminatePort (24, ... 01614 924 NtRegisterThreadTerminatePort (24, ... 01615 920 NtRegisterThreadTerminatePort (24, ... 01616 916 NtRegisterThreadTerminatePort (24, ... 01617 912 NtRegisterThreadTerminatePort (24, ... 01618 908 NtRegisterThreadTerminatePort (24, ... 01619 892 NtRegisterThreadTerminatePort (24, ... 01620 888 NtRegisterThreadTerminatePort (24, ... 01621 884 NtRegisterThreadTerminatePort (24, ... 01622 944 NtSetEventBoostPriority (36, ... 01623 880 NtRegisterThreadTerminatePort (24, ... 01624 876 NtTestAlert (... 
01625 984 NtWaitForSingleObject (36, 0, 0x0, ... 01626 940 NtTestAlert (... 01627 484 NtAllocateVirtualMemory (-1, 73064448, 0, 8192, 4096, 4, ... 01628 936 NtContinue (56294704, 1, ... 01612 932 NtRegisterThreadTerminatePort ... ) == 0x0 01613 928 NtRegisterThreadTerminatePort ... ) == 0x0 01614 924 NtRegisterThreadTerminatePort ... ) == 0x0 01615 920 NtRegisterThreadTerminatePort ... ) == 0x0 01616 916 NtRegisterThreadTerminatePort ... ) == 0x0 01617 912 NtRegisterThreadTerminatePort ... ) == 0x0 01618 908 NtRegisterThreadTerminatePort ... ) == 0x0 01619 892 NtRegisterThreadTerminatePort ... ) == 0x0 01620 888 NtRegisterThreadTerminatePort ... ) == 0x0 01512 948 NtWaitForSingleObject ... ) == 0x0 01622 944 NtSetEventBoostPriority ... ) == 0x0 01621 884 NtRegisterThreadTerminatePort ... ) == 0x0 01623 880 NtRegisterThreadTerminatePort ... ) == 0x0 01624 876 NtTestAlert ... ) == 0x0 01626 940 NtTestAlert ... ) == 0x0 01627 484 NtAllocateVirtualMemory ... 73064448, 8192, ) == 0x0 01629 936 NtRegisterThreadTerminatePort (24, ... 01630 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01631 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01632 924 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01633 920 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01634 916 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01635 912 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01636 908 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01637 892 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01638 948 NtSetEventBoostPriority (36, ... 01639 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01640 884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01641 880 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01642 876 NtContinue (31128880, 1, ... 01643 940 NtContinue (58391856, 1, ... 01644 944 NtTestAlert (... 01645 484 NtProtectVirtualMemory (-1, (0x45ae000), 4096, 260, ... 01629 936 NtRegisterThreadTerminatePort ... ) == 0x0 01630 932 NtDuplicateObject ... 
200, ) == 0x0 01631 928 NtDuplicateObject ... 304, ) == 0x0 01632 924 NtDuplicateObject ... 308, ) == 0x0 01633 920 NtDuplicateObject ... 312, ) == 0x0 01634 916 NtDuplicateObject ... 316, ) == 0x0 01635 912 NtDuplicateObject ... 320, ) == 0x0 01636 908 NtDuplicateObject ... 324, ) == 0x0 01525 952 NtWaitForSingleObject ... ) == 0x0 01638 948 NtSetEventBoostPriority ... ) == 0x0 01637 892 NtDuplicateObject ... 328, ) == 0x0 01639 888 NtDuplicateObject ... 332, ) == 0x0 01640 884 NtDuplicateObject ... 336, ) == 0x0 01646 876 NtRegisterThreadTerminatePort (24, ... 01647 940 NtRegisterThreadTerminatePort (24, ... 01644 944 NtTestAlert ... ) == 0x0 01645 484 NtProtectVirtualMemory ... (0x45ae000), 4096, 4, ) == 0x0 01648 936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01649 932 NtWaitForSingleObject (100, 0, {0, 0}, ... 01650 928 NtWaitForSingleObject (100, 0, {0, 0}, ... 01651 924 NtWaitForSingleObject (100, 0, {0, 0}, ... 01652 920 NtWaitForSingleObject (100, 0, {0, 0}, ... 01653 916 NtWaitForSingleObject (100, 0, {0, 0}, ... 01654 912 NtWaitForSingleObject (100, 0, {0, 0}, ... 01655 952 NtSetEventBoostPriority (36, ... 01656 908 NtWaitForSingleObject (100, 0, {0, 0}, ... 01641 880 NtDuplicateObject ... 340, ) == 0x0 01657 892 NtWaitForSingleObject (100, 0, {0, 0}, ... 01658 888 NtAllocateVirtualMemory (-1, 4603904, 0, 4096, 4096, 4, ... 01659 884 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01646 876 NtRegisterThreadTerminatePort ... ) == 0x0 01647 940 NtRegisterThreadTerminatePort ... ) == 0x0 01660 944 NtContinue (60489008, 1, ... 01661 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01648 936 NtDuplicateObject ... 344, ) == 0x0 01649 932 NtWaitForSingleObject ... ) == 0x102 01650 928 NtWaitForSingleObject ... ) == 0x102 01651 924 NtWaitForSingleObject ... ) == 0x102 01652 920 NtWaitForSingleObject ... ) == 0x102 01653 916 NtWaitForSingleObject ... ) == 0x102 01532 856 NtWaitForSingleObject ... ) == 0x0 01655 952 NtSetEventBoostPriority ... 
) == 0x0 01654 912 NtWaitForSingleObject ... ) == 0x102 01656 908 NtWaitForSingleObject ... ) == 0x102 01662 880 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01657 892 NtWaitForSingleObject ... ) == 0x102 01658 888 NtAllocateVirtualMemory ... 4603904, 4096, ) == 0x0 01659 884 NtCreateEvent ... 348, ) == 0x0 01663 876 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01664 940 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01665 944 NtRegisterThreadTerminatePort (24, ... 01661 484 NtCreateThread ... 352, {480, 992}, ) == 0x0 01666 936 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01667 932 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01668 928 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01669 924 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01670 920 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01671 856 NtSetEventBoostPriority (36, ... 01672 916 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01673 948 NtTestAlert (... 01674 912 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01675 908 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01662 880 NtCreateEvent ... 356, ) == 0x0 01676 892 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01677 888 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01678 884 NtWaitForSingleObject (348, 0, 0x0, ... 01679 952 NtTestAlert (... 01663 876 NtCreateEvent ... 360, ) == 0x0 01665 944 NtRegisterThreadTerminatePort ... ) == 0x0 01680 484 NtQueryInformationThread (352, Basic, 28, ... 01666 936 NtCreateEvent ... 364, ) == 0x0 01667 932 NtCreateEvent ... 368, ) == 0x0 01668 928 NtCreateEvent ... 372, ) == 0x0 01669 924 NtCreateEvent ... 376, ) == 0x0 01545 956 NtWaitForSingleObject ... ) == 0x0 01671 856 NtSetEventBoostPriority ... ) == 0x0 01670 920 NtCreateEvent ... 380, ) == 0x0 01672 916 NtCreateEvent ... 384, ) == 0x0 01673 948 NtTestAlert ... ) == 0x0 01674 912 NtCreateEvent ... 388, ) == 0x0 01675 908 NtCreateEvent ... 392, ) == 0x0 01681 880 NtClose (356, ... 01676 892 NtCreateEvent ... 396, ) == 0x0 01677 888 NtCreateEvent ... 400, ) == 0x0 01679 952 NtTestAlert ... ) == 0x0 01682 876 NtClose (360, ... 
01683 944 NtWaitForSingleObject (348, 0, 0x0, ... 01680 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=480,Tid=992,}, 0x0, ) == 0x0 01684 936 NtClose (364, ... 01664 940 NtCreateEvent ... 404, ) == 0x0 01685 932 NtClose (368, ... 01686 928 NtClose (372, ... 01687 956 NtSetEventBoostPriority (36, ... 01688 924 NtClose (376, ... 01689 856 NtWaitForSingleObject (348, 0, 0x0, ... 01690 920 NtClose (380, ... 01691 948 NtContinue (62586160, 1, ... 01692 916 NtClose (384, ... 01693 912 NtClose (388, ... 01681 880 NtClose ... ) == 0x0 01694 908 NtClose (392, ... 01695 888 NtClose (400, ... 01696 952 NtContinue (64683312, 1, ... 01682 876 NtClose ... ) == 0x0 01697 892 NtClose (396, ... 01698 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1609, 0} (24, {28, 56, new_msg, 0, 480, 484, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\340\1\0\0\340\3\0\0" ... ... 01699 940 NtClose (404, ... 01685 932 NtClose ... ) == 0x0 01557 960 NtWaitForSingleObject ... ) == 0x0 01687 956 NtSetEventBoostPriority ... ) == 0x0 01686 928 NtClose ... ) == 0x0 01688 924 NtClose ... ) == 0x0 01690 920 NtClose ... ) == 0x0 01700 948 NtRegisterThreadTerminatePort (24, ... 01692 916 NtClose ... ) == 0x0 01693 912 NtClose ... ) == 0x0 01701 880 NtWaitForSingleObject (348, 0, 0x0, ... 01694 908 NtClose ... ) == 0x0 01684 936 NtClose ... ) == 0x0 01324 712 NtReadFile ... {status=0x0, info=1443}, ... 
{status=0x0, info=1443}, "L\0\0\0\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\277\2\0\0 \0\0\0\0`\2370\16,\301\1\0\300\233'{8\307\1\0`\2370\16,\301\1\0\266\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\363\0\24\0\37P\340O\320 \352:i\20\242\330\10\0+00\235\31\0/C:\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\01\0\0\0\0\006T\10\20\0WINDOWS\0&\0\3\0\4\0\357\27606T\1006\0@\24\0\0\0W\0I\0N\0D\0O\0W\0S\0\0\0\26\0@\01\0\0\0\0\006T\10\20\0system32\0\0(\0\3\0\4\0\357\27606T\1006\0@\24\0\0\0s\0y\0s\0t\0e\0m\03\02\0\0\0\30\0H\02\0\0\266\0\0\27+\0\240 \0utilman.exe\0.\0\3\0\4\0\357\276\27+\0\240/6\0@\24\0\0\0u\0t\0i\0l\0m\0a\0n\0.\0e\0x\0e\0\0\0\32\0\0\0N\0\0\0\34\0\0\0\1\0\0\0\34\0\0\0-\0\0\0\0\0\0\0M\0\0\0\21\0\0\0\3\0\0\0\350\35\361<\20\0\0\0\0C:\WINDOWS\system32\utilman.exe\0\0)\0@\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0,\0-\02\02\05\07\07\0.\0.\0.\0\\0.\0.\0\\0.\0.", ) , ) == 0x0 01702 952 NtRegisterThreadTerminatePort (24, ... 01703 876 NtWaitForSingleObject (348, 0, 0x0, ... 01697 892 NtClose ... ) == 0x0 01698 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1610, 0} ... {28, 56, reply, 0, 480, 484, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\1\0\0\340\1\0\0\340\3\0\0" ) ) == 0x0 01699 940 NtClose ... ) == 0x0 01704 960 NtSetEventBoostPriority (36, ... 01705 932 NtWaitForSingleObject (348, 0, 0x0, ... 01695 888 NtClose ... ) == 0x0 01706 928 NtWaitForSingleObject (348, 0, 0x0, ... 01707 924 NtWaitForSingleObject (348, 0, 0x0, ... 01708 920 NtWaitForSingleObject (348, 0, 0x0, ... 01700 948 NtRegisterThreadTerminatePort ... ) == 0x0 01709 916 NtWaitForSingleObject (348, 0, 0x0, ... 01710 912 NtWaitForSingleObject (348, 0, 0x0, ... 01711 956 NtTestAlert (... 01712 908 NtWaitForSingleObject (348, 0, 0x0, ... 01713 936 NtWaitForSingleObject (348, 0, 0x0, ... 01714 712 NtClose (220, ... 01702 952 NtRegisterThreadTerminatePort ... ) == 0x0 01715 892 NtWaitForSingleObject (348, 0, 0x0, ... 01716 484 NtResumeThread (352, ... 
01625 984 NtWaitForSingleObject ... ) == 0x0 01704 960 NtSetEventBoostPriority ... ) == 0x0 01717 940 NtWaitForSingleObject (348, 0, 0x0, ... 01718 888 NtSetEventBoostPriority (348, ... 01719 948 NtWaitForSingleObject (348, 0, 0x0, ... 01711 956 NtTestAlert ... ) == 0x0 01714 712 NtClose ... ) == 0x0 01720 952 NtWaitForSingleObject (348, 0, 0x0, ... 01721 984 NtSetEventBoostPriority (36, ... 01716 484 NtResumeThread ... 1, ) == 0x0 01678 884 NtWaitForSingleObject ... ) == 0x0 01718 888 NtSetEventBoostPriority ... ) == 0x0 01722 960 NtTestAlert (... 01723 992 NtWaitForSingleObject (36, 0, 0x0, ... 01724 956 NtContinue (66780464, 1, ... 01725 712 NtDelayExecution (0, {-10000, -1}, ... 01611 836 NtWaitForSingleObject ... ) == 0x0 01721 984 NtSetEventBoostPriority ... ) == 0x0 01726 884 NtSetEventBoostPriority (348, ... 01727 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01728 888 NtWaitForSingleObject (348, 0, 0x0, ... 01722 960 NtTestAlert ... ) == 0x0 01729 956 NtRegisterThreadTerminatePort (24, ... 01730 836 NtSetEventBoostPriority (36, ... 01683 944 NtWaitForSingleObject ... ) == 0x0 01726 884 NtSetEventBoostPriority ... ) == 0x0 01731 984 NtTestAlert (... 01732 960 NtContinue (68877616, 1, ... 01723 992 NtWaitForSingleObject ... ) == 0x0 01733 944 NtSetEventBoostPriority (348, ... 01729 956 NtRegisterThreadTerminatePort ... ) == 0x0 01730 836 NtSetEventBoostPriority ... ) == 0x0 01727 484 NtAllocateVirtualMemory ... 73072640, 2097152, ) == 0x0 01731 984 NtTestAlert ... ) == 0x0 01734 960 NtRegisterThreadTerminatePort (24, ... 01689 856 NtWaitForSingleObject ... ) == 0x0 01735 992 NtTestAlert (... 01736 956 NtWaitForSingleObject (348, 0, 0x0, ... 01737 836 NtWaitForSingleObject (348, 0, 0x0, ... 01738 484 NtAllocateVirtualMemory (-1, 75161600, 0, 8192, 4096, 4, ... 01739 984 NtContinue (70974768, 1, ... 01734 960 NtRegisterThreadTerminatePort ... ) == 0x0 01740 856 NtSetEventBoostPriority (348, ... 01735 992 NtTestAlert ... 
) == 0x0 01733 944 NtSetEventBoostPriority ... ) == 0x0 01741 884 NtWaitForSingleObject (348, 0, 0x0, ... 01738 484 NtAllocateVirtualMemory ... 75161600, 8192, ) == 0x0 01742 984 NtRegisterThreadTerminatePort (24, ... 01743 960 NtWaitForSingleObject (348, 0, 0x0, ... 01703 876 NtWaitForSingleObject ... ) == 0x0 01740 856 NtSetEventBoostPriority ... ) == 0x0 01744 944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01745 484 NtProtectVirtualMemory (-1, (0x47ae000), 4096, 260, ... 01742 984 NtRegisterThreadTerminatePort ... ) == 0x0 01746 992 NtContinue (73071920, 1, ... 01747 876 NtSetEventBoostPriority (348, ... 01748 856 NtWaitForSingleObject (348, 0, 0x0, ... 01744 944 NtDuplicateObject ... 220, ) == 0x0 01745 484 NtProtectVirtualMemory ... (0x47ae000), 4096, 4, ) == 0x0 01749 984 NtWaitForSingleObject (348, 0, 0x0, ... 01705 932 NtWaitForSingleObject ... ) == 0x0 01747 876 NtSetEventBoostPriority ... ) == 0x0 01750 992 NtRegisterThreadTerminatePort (24, ... 01751 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01752 944 NtWaitForSingleObject (348, 0, 0x0, ... 01753 932 NtSetEventBoostPriority (348, ... 01750 992 NtRegisterThreadTerminatePort ... ) == 0x0 01754 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01706 928 NtWaitForSingleObject ... ) == 0x0 01753 932 NtSetEventBoostPriority ... ) == 0x0 01755 992 NtWaitForSingleObject (348, 0, 0x0, ... 01756 928 NtSetEventBoostPriority (348, ... 01754 876 NtDuplicateObject ... 400, ) == 0x0 01751 484 NtCreateThread ... 404, {480, 1008}, ) == 0x0 01707 924 NtWaitForSingleObject ... ) == 0x0 01756 928 NtSetEventBoostPriority ... ) == 0x0 01757 876 NtWaitForSingleObject (348, 0, 0x0, ... 01758 924 NtSetEventBoostPriority (348, ... 01759 484 NtQueryInformationThread (404, Basic, 28, ... 01760 932 NtWaitForSingleObject (184, 0, 0x0, ... 01708 920 NtWaitForSingleObject ... ) == 0x0 01758 924 NtSetEventBoostPriority ... ) == 0x0 01759 484 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=480,Tid=1008,}, 0x0, ) == 0x0 01761 920 NtSetEventBoostPriority (348, ... 01762 928 NtWaitForSingleObject (184, 0, 0x0, ... 01709 916 NtWaitForSingleObject ... ) == 0x0 01761 920 NtSetEventBoostPriority ... ) == 0x0 01763 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1610, 0} (24, {28, 56, new_msg, 0, 480, 484, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\340\1\0\0\360\3\0\0" ... ... 01764 916 NtSetEventBoostPriority (348, ... 01765 924 NtWaitForSingleObject (184, 0, 0x0, ... 01710 912 NtWaitForSingleObject ... ) == 0x0 01764 916 NtSetEventBoostPriority ... ) == 0x0 01763 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1611, 0} ... {28, 56, reply, 0, 480, 484, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\1\0\0\340\1\0\0\360\3\0\0" ) ) == 0x0 01766 912 NtSetEventBoostPriority (348, ... 01767 920 NtWaitForSingleObject (184, 0, 0x0, ... 01768 916 NtWaitForSingleObject (184, 0, 0x0, ... 01712 908 NtWaitForSingleObject ... ) == 0x0 01766 912 NtSetEventBoostPriority ... ) == 0x0 01769 908 NtSetEventBoostPriority (348, ... 01770 484 NtResumeThread (404, ... 01713 936 NtWaitForSingleObject ... ) == 0x0 01769 908 NtSetEventBoostPriority ... ) == 0x0 01771 936 NtSetEventBoostPriority (348, ... 01770 484 NtResumeThread ... 1, ) == 0x0 01772 912 NtWaitForSingleObject (184, 0, 0x0, ... 01715 892 NtWaitForSingleObject ... ) == 0x0 01771 936 NtSetEventBoostPriority ... ) == 0x0 01773 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01774 892 NtSetEventBoostPriority (348, ... 01775 908 NtWaitForSingleObject (184, 0, 0x0, ... 01776 1008 NtTestAlert (... 01701 880 NtWaitForSingleObject ... ) == 0x0 01774 892 NtSetEventBoostPriority ... ) == 0x0 01773 484 NtAllocateVirtualMemory ... 75169792, 2097152, ) == 0x0 01777 880 NtSetEventBoostPriority (348, ... 01776 1008 NtTestAlert ... ) == 0x0 01778 936 NtWaitForSingleObject (348, 0, 0x0, ... 01717 940 NtWaitForSingleObject ... 
) == 0x0 01779 484 NtAllocateVirtualMemory (-1, 77258752, 0, 8192, 4096, 4, ... 01780 1008 NtContinue (75169072, 1, ... 01781 940 NtSetEventBoostPriority (348, ... 01779 484 NtAllocateVirtualMemory ... 77258752, 8192, ) == 0x0 01782 1008 NtRegisterThreadTerminatePort (24, ... 01719 948 NtWaitForSingleObject ... ) == 0x0 01781 940 NtSetEventBoostPriority ... ) == 0x0 01777 880 NtSetEventBoostPriority ... ) == 0x0 01783 892 NtWaitForSingleObject (184, 0, 0x0, ... 01784 948 NtSetEventBoostPriority (348, ... 01782 1008 NtRegisterThreadTerminatePort ... ) == 0x0 01785 484 NtProtectVirtualMemory (-1, (0x49ae000), 4096, 260, ... 01786 880 NtWaitForSingleObject (348, 0, 0x0, ... 01720 952 NtWaitForSingleObject ... ) == 0x0 01784 948 NtSetEventBoostPriority ... ) == 0x0 01787 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01785 484 NtProtectVirtualMemory ... (0x49ae000), 4096, 4, ) == 0x0 01788 952 NtSetEventBoostPriority (348, ... 01789 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01787 940 NtDuplicateObject ... 396, ) == 0x0 01790 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01728 888 NtWaitForSingleObject ... ) == 0x0 01789 948 NtDuplicateObject ... 364, ) == 0x0 01791 940 NtWaitForSingleObject (348, 0, 0x0, ... 01790 484 NtCreateThread ... 392, {480, 1012}, ) == 0x0 01792 888 NtSetEventBoostPriority (348, ... 01788 952 NtSetEventBoostPriority ... ) == 0x0 01793 1008 NtWaitForSingleObject (348, 0, 0x0, ... 01794 484 NtQueryInformationThread (392, Basic, 28, ... 01737 836 NtWaitForSingleObject ... ) == 0x0 01792 888 NtSetEventBoostPriority ... ) == 0x0 01795 952 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01796 836 NtSetEventBoostPriority (348, ... 01794 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=480,Tid=1012,}, 0x0, ) == 0x0 01797 948 NtWaitForSingleObject (348, 0, 0x0, ... 01736 956 NtWaitForSingleObject ... ) == 0x0 01796 836 NtSetEventBoostPriority ... ) == 0x0 01795 952 NtDuplicateObject ... 
388, ) == 0x0 01798 888 NtWaitForSingleObject (100, 0, {0, 0}, ... 01799 956 NtSetEventBoostPriority (348, ... 01800 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1611, 0} (24, {28, 56, new_msg, 0, 480, 484, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\1\0\0\340\1\0\0\364\3\0\0" ... ... 01801 836 NtWaitForSingleObject (348, 0, 0x0, ... 01741 884 NtWaitForSingleObject ... ) == 0x0 01798 888 NtWaitForSingleObject ... ) == 0x102 01800 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1612, 0} ... {28, 56, reply, 0, 480, 484, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\1\0\0\340\1\0\0\364\3\0\0" ) ) == 0x0 01802 884 NtSetEventBoostPriority (348, ... 01803 888 NtWaitForSingleObject (348, 0, 0x0, ... 01804 484 NtResumeThread (392, ... 01743 960 NtWaitForSingleObject ... ) == 0x0 01802 884 NtSetEventBoostPriority ... ) == 0x0 01805 960 NtSetEventBoostPriority (348, ... 01804 484 NtResumeThread ... 1, ) == 0x0 01748 856 NtWaitForSingleObject ... ) == 0x0 01806 884 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01807 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01808 856 NtSetEventBoostPriority (348, ... 01805 960 NtSetEventBoostPriority ... ) == 0x0 01799 956 NtSetEventBoostPriority ... ) == 0x0 01809 952 NtWaitForSingleObject (348, 0, 0x0, ... 01810 1012 NtTestAlert (... 01806 884 NtCreateEvent ... 384, ) == 0x0 01749 984 NtWaitForSingleObject ... ) == 0x0 01811 960 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01812 956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01810 1012 NtTestAlert ... ) == 0x0 01813 884 NtWaitForSingleObject (384, 0, 0x0, ... 01814 984 NtSetEventBoostPriority (348, ... 01811 960 NtDuplicateObject ... 380, ) == 0x0 01812 956 NtDuplicateObject ... 376, ) == 0x0 01815 1012 NtContinue (77266224, 1, ... 01752 944 NtWaitForSingleObject ... ) == 0x0 01814 984 NtSetEventBoostPriority ... ) == 0x0 01808 856 NtSetEventBoostPriority ... ) == 0x0 01807 484 NtAllocateVirtualMemory ... 
77266944, 2097152, ) == 0x0 01816 960 NtWaitForSingleObject (348, 0, 0x0, ... 01817 1012 NtRegisterThreadTerminatePort (24, ... 01818 944 NtSetEventBoostPriority (348, ... 01819 984 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01820 856 NtQuerySystemInformation (Basic, 44, ... 01821 484 NtAllocateVirtualMemory (-1, 79355904, 0, 8192, 4096, 4, ... 01817 1012 NtRegisterThreadTerminatePort ... ) == 0x0 01755 992 NtWaitForSingleObject ... ) == 0x0 01818 944 NtSetEventBoostPriority ... ) == 0x0 01819 984 NtDuplicateObject ... 372, ) == 0x0 01820 856 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01821 484 NtAllocateVirtualMemory ... 79355904, 8192, ) == 0x0 01822 956 NtWaitForSingleObject (348, 0, 0x0, ... 01823 992 NtSetEventBoostPriority (348, ... 01824 944 NtWaitForSingleObject (348, 0, 0x0, ... 01825 1012 NtWaitForSingleObject (348, 0, 0x0, ... 01826 984 NtWaitForSingleObject (348, 0, 0x0, ... 01827 484 NtProtectVirtualMemory (-1, (0x4bae000), 4096, 260, ... 01757 876 NtWaitForSingleObject ... ) == 0x0 01823 992 NtSetEventBoostPriority ... ) == 0x0 01828 856 NtWaitForSingleObject (348, 0, 0x0, ... 01829 876 NtSetEventBoostPriority (348, ... 01827 484 NtProtectVirtualMemory ... (0x4bae000), 4096, 4, ) == 0x0 01778 936 NtWaitForSingleObject ... ) == 0x0 01829 876 NtSetEventBoostPriority ... ) == 0x0 01830 936 NtSetEventBoostPriority (348, ... 01831 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01832 992 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01786 880 NtWaitForSingleObject ... ) == 0x0 01830 936 NtSetEventBoostPriority ... ) == 0x0 01833 876 NtWaitForSingleObject (348, 0, 0x0, ... 01834 880 NtSetEventBoostPriority (348, ... 01832 992 NtDuplicateObject ... 
368, ) == 0x0 01835 936 NtWaitForSingleObject (348, 0, 0x0, ... 01791 940 NtWaitForSingleObject ... ) == 0x0 01834 880 NtSetEventBoostPriority ... ) == 0x0 01836 992 NtWaitForSingleObject (348, 0, 0x0, ... 01831 484 NtCreateThread ... 360, {480, 1016}, ) == 0x0 01837 940 NtSetEventBoostPriority (348, ... 01793 1008 NtWaitForSingleObject ... ) == 0x0 01838 1008 NtSetEventBoostPriority (348, ... 01797 948 NtWaitForSingleObject ... ) == 0x0 01839 948 NtSetEventBoostPriority (348, ... 01801 836 NtWaitForSingleObject ... ) == 0x0 01840 836 NtSetEventBoostPriority (348, ... 01803 888 NtWaitForSingleObject ... ) == 0x0 01841 888 NtSetEventBoostPriority (348, ... 01809 952 NtWaitForSingleObject ... ) == 0x0 01842 952 NtSetEventBoostPriority (348, ... 01816 960 NtWaitForSingleObject ... ) == 0x0 01843 960 NtSetEventBoostPriority (348, ... 01822 956 NtWaitForSingleObject ... ) == 0x0 01844 956 NtSetEventBoostPriority (348, ... 01825 1012 NtWaitForSingleObject ... ) == 0x0 01845 1012 NtSetEventBoostPriority (348, ... 01826 984 NtWaitForSingleObject ... ) == 0x0 01846 984 NtSetEventBoostPriority (348, ... 01824 944 NtWaitForSingleObject ... ) == 0x0 01847 944 NtSetEventBoostPriority (348, ... 01828 856 NtWaitForSingleObject ... ) == 0x0 01848 856 NtSetEventBoostPriority (348, ... 01833 876 NtWaitForSingleObject ... ) == 0x0 01849 876 NtAllocateVirtualMemory (-1, 4608000, 0, 4096, 4096, 4, ... 4608000, 4096, ) == 0x0 01850 876 NtSetEventBoostPriority (348, ... 01848 856 NtSetEventBoostPriority ... ) == 0x0 01846 984 NtSetEventBoostPriority ... ) == 0x0 01845 1012 NtSetEventBoostPriority ... ) == 0x0 01844 956 NtSetEventBoostPriority ... ) == 0x0 01843 960 NtSetEventBoostPriority ... ) == 0x0 01842 952 NtSetEventBoostPriority ... ) == 0x0 01841 888 NtSetEventBoostPriority ... ) == 0x0 01840 836 NtSetEventBoostPriority ... ) == 0x0 01839 948 NtSetEventBoostPriority ... ) == 0x0 01838 1008 NtSetEventBoostPriority ... ) == 0x0 01837 940 NtSetEventBoostPriority ... 
) == 0x0 01851 484 NtQueryInformationThread (360, Basic, 28, ... 01847 944 NtSetEventBoostPriority ... ) == 0x0 01852 880 NtWaitForSingleObject (348, 0, 0x0, ... 01853 856 NtWaitForSingleObject (384, 0, 0x0, ... 01854 984 NtWaitForSingleObject (348, 0, 0x0, ... 01855 1012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01856 956 NtWaitForSingleObject (348, 0, 0x0, ... 01857 960 NtWaitForSingleObject (348, 0, 0x0, ... 01858 952 NtWaitForSingleObject (348, 0, 0x0, ... 01835 936 NtWaitForSingleObject ... ) == 0x0 01850 876 NtSetEventBoostPriority ... ) == 0x0 01859 836 NtSetEventBoostPriority (384, ... 01860 948 NtWaitForSingleObject (348, 0, 0x0, ... 01861 1008 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01862 888 NtWaitForSingleObject (184, 0, 0x0, ... 01851 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=480,Tid=1016,}, 0x0, ) == 0x0 01863 944 NtWaitForSingleObject (384, 0, 0x0, ... 01864 940 NtWaitForSingleObject (348, 0, 0x0, ... 01855 1012 NtDuplicateObject ... 356, ) == 0x0 01865 936 NtSetEventBoostPriority (348, ... 01866 876 NtWaitForSingleObject (348, 0, 0x0, ... 01813 884 NtWaitForSingleObject ... ) == 0x0 01859 836 NtSetEventBoostPriority ... ) == 0x0 01867 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1612, 0} (24, {28, 56, new_msg, 0, 480, 484, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\1\0\0\340\1\0\0\370\3\0\0" ... ... 01868 1012 NtWaitForSingleObject (348, 0, 0x0, ... 01836 992 NtWaitForSingleObject ... ) == 0x0 01869 884 NtWaitForSingleObject (348, 0, 0x0, ... 01870 836 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18284100, 67, ... }, 0x0, 0, 3, 3, 0, 18284100, 67, ... 01867 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1613, 0} ... {28, 56, reply, 0, 480, 484, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\1\0\0\340\1\0\0\370\3\0\0" ) ) == 0x0 01871 992 NtSetEventBoostPriority (348, ... 01870 836 NtCreateFile ... 
408, {status=0x0, info=0}, ) == 0x0 01865 936 NtSetEventBoostPriority ... ) == 0x0 01861 1008 NtDuplicateObject ... 412, ) == 0x0 01852 880 NtWaitForSingleObject ... ) == 0x0 01871 992 NtSetEventBoostPriority ... ) == 0x0 01872 836 NtDeviceIoControlFile (408, 172, 0x0, 0x0, 0x1207b, (408, 172, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0H\342E\0\17\346\367w", 16, 16, ... , 16, 16, ... 01873 936 NtWaitForSingleObject (384, 0, 0x0, ... 01874 880 NtSetEventBoostPriority (348, ... 01875 1008 NtWaitForSingleObject (348, 0, 0x0, ... 01876 484 NtResumeThread (360, ... 01872 836 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\270q\16\201", ) , ) == 0x0 01854 984 NtWaitForSingleObject ... ) == 0x0 01874 880 NtSetEventBoostPriority ... ) == 0x0 01876 484 NtResumeThread ... 1, ) == 0x0 01877 984 NtSetEventBoostPriority (348, ... 01878 836 NtDeviceIoControlFile (408, 172, 0x0, 0x0, 0x1207b, (408, 172, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\270q\16\201", 16, 16, ... , 16, 16, ... 01879 880 NtWaitForSingleObject (384, 0, 0x0, ... 01856 956 NtWaitForSingleObject ... ) == 0x0 01880 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01877 984 NtSetEventBoostPriority ... ) == 0x0 01881 992 NtWaitForSingleObject (348, 0, 0x0, ... 01882 1016 NtTestAlert (... 01878 836 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\270q\16\201", ) , ) == 0x0 01883 956 NtSetEventBoostPriority (348, ... 01880 484 NtAllocateVirtualMemory ... 79364096, 2097152, ) == 0x0 01884 984 NtWaitForSingleObject (384, 0, 0x0, ... 01882 1016 NtTestAlert ... 
) == 0x0 01885 836 NtDeviceIoControlFile (408, 172, 0x0, 0x0, 0x12047, (408, 172, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310OF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01857 960 NtWaitForSingleObject ... ) == 0x0 01886 484 NtAllocateVirtualMemory (-1, 81453056, 0, 8192, 4096, 4, ... 01887 1016 NtContinue (79363376, 1, ... 01885 836 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01888 960 NtSetEventBoostPriority (348, ... 01886 484 NtAllocateVirtualMemory ... 81453056, 8192, ) == 0x0 01889 1016 NtRegisterThreadTerminatePort (24, ... 01890 836 NtWaitForSingleObject (348, 0, 0x0, ... 01858 952 NtWaitForSingleObject ... ) == 0x0 01888 960 NtSetEventBoostPriority ... ) == 0x0 01883 956 NtSetEventBoostPriority ... ) == 0x0 01889 1016 NtRegisterThreadTerminatePort ... ) == 0x0 01891 952 NtSetEventBoostPriority (348, ... 01892 960 NtWaitForSingleObject (384, 0, 0x0, ... 01893 956 NtWaitForSingleObject (384, 0, 0x0, ... 01894 484 NtProtectVirtualMemory (-1, (0x4dae000), 4096, 260, ... 01860 948 NtWaitForSingleObject ... ) == 0x0 01894 484 NtProtectVirtualMemory ... (0x4dae000), 4096, 4, ) == 0x0 01895 948 NtSetEventBoostPriority (348, ... 01896 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01864 940 NtWaitForSingleObject ... ) == 0x0 01896 484 NtCreateThread ... 416, {480, 996}, ) == 0x0 01897 940 NtSetEventBoostPriority (348, ... 01898 484 NtQueryInformationThread (416, Basic, 28, ... 01866 876 NtWaitForSingleObject ... ) == 0x0 01897 940 NtSetEventBoostPriority ... 
) == 0x0 01899 876 NtSetEventBoostPriority (348, ... 01898 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=480,Tid=996,}, 0x0, ) == 0x0 01868 1012 NtWaitForSingleObject ... ) == 0x0 01899 876 NtSetEventBoostPriority ... ) == 0x0 01900 940 NtWaitForSingleObject (384, 0, 0x0, ... 01895 948 NtSetEventBoostPriority ... ) == 0x0 01891 952 NtSetEventBoostPriority ... ) == 0x0 01901 1016 NtWaitForSingleObject (348, 0, 0x0, ... 01902 1012 NtSetEventBoostPriority (348, ... 01903 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1613, 0} (24, {28, 56, new_msg, 0, 480, 484, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\1\0\0\340\1\0\0\344\3\0\0" ... ... 01904 876 NtWaitForSingleObject (384, 0, 0x0, ... 01905 948 NtWaitForSingleObject (384, 0, 0x0, ... 01906 952 NtWaitForSingleObject (384, 0, 0x0, ... 01869 884 NtWaitForSingleObject ... ) == 0x0 01902 1012 NtSetEventBoostPriority ... ) == 0x0 01903 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1614, 0} ... {28, 56, reply, 0, 480, 484, 1614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\1\0\0\340\1\0\0\344\3\0\0" ) ) == 0x0 01907 884 NtSetEventBoostPriority (348, ... 01875 1008 NtWaitForSingleObject ... ) == 0x0 01908 1008 NtSetEventBoostPriority (348, ... 01881 992 NtWaitForSingleObject ... ) == 0x0 01909 992 NtSetEventBoostPriority (348, ... 01890 836 NtWaitForSingleObject ... ) == 0x0 01910 836 NtSetEventBoostPriority (348, ... 01901 1016 NtWaitForSingleObject ... ) == 0x0 01911 1016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 420, ) == 0x0 01912 1016 NtWaitForSingleObject (384, 0, 0x0, ... 01910 836 NtSetEventBoostPriority ... ) == 0x0 01909 992 NtSetEventBoostPriority ... ) == 0x0 01908 1008 NtSetEventBoostPriority ... ) == 0x0 01907 884 NtSetEventBoostPriority ... ) == 0x0 01913 484 NtResumeThread (416, ... 01914 1012 NtWaitForSingleObject (384, 0, 0x0, ... 01915 992 NtWaitForSingleObject (384, 0, 0x0, ... 01916 836 NtWaitForSingleObject (104, 0, {0, 0}, ... 
01917 1008 NtWaitForSingleObject (384, 0, 0x0, ... 01913 484 NtResumeThread ... 1, ) == 0x0 01918 884 NtSetEventBoostPriority (384, ... 01725 712 NtDelayExecution ... ) == 0x0 01919 996 NtTestAlert (... 01916 836 NtWaitForSingleObject ... ) == 0x102 01920 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01853 856 NtWaitForSingleObject ... ) == 0x0 01918 884 NtSetEventBoostPriority ... ) == 0x0 01919 996 NtTestAlert ... ) == 0x0 01921 836 NtDeviceIoControlFile (408, 172, 0x0, 0x0, 0x12003, (408, 172, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 01922 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 01923 856 NtSetEventBoostPriority (384, ... 01924 884 NtWaitForSingleObject (100, 0, {0, 0}, ... 01920 484 NtAllocateVirtualMemory ... 81461248, 2097152, ) == 0x0 01921 836 NtDeviceIoControlFile ... {status=0x0, info=424}, ... {status=0x0, info=424}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01863 944 NtWaitForSingleObject ... ) == 0x0 01922 712 NtOpenKey ... 428, ) == 0x0 01924 884 NtWaitForSingleObject ... ) == 0x102 01925 484 NtAllocateVirtualMemory (-1, 83550208, 0, 8192, 4096, 4, ... 01926 836 NtDeviceIoControlFile (408, 172, 0x0, 0x0, 0x12047, (408, 172, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01927 944 NtSetEventBoostPriority (384, ... 
01928 712 NtOpenKey (0x20019, {24, 428, 0x40, 0, 0, (0x20019, {24, 428, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 01929 884 NtWaitForSingleObject (184, 0, 0x0, ... 01925 484 NtAllocateVirtualMemory ... 83550208, 8192, ) == 0x0 01923 856 NtSetEventBoostPriority ... ) == 0x0 01930 996 NtContinue (81460528, 1, ... 01873 936 NtWaitForSingleObject ... ) == 0x0 01927 944 NtSetEventBoostPriority ... ) == 0x0 01928 712 NtOpenKey ... 432, ) == 0x0 01926 836 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01931 484 NtProtectVirtualMemory (-1, (0x4fae000), 4096, 260, ... 01932 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01933 936 NtSetEventBoostPriority (384, ... 01934 996 NtRegisterThreadTerminatePort (24, ... 01935 712 NtQueryValueKey (432, (432, "ComputerName", Full, 108, ... , Full, 108, ... 01936 836 NtDeviceIoControlFile (408, 172, 0x0, 0x0, 0x1200b, (408, 172, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ... 01931 484 NtProtectVirtualMemory ... (0x4fae000), 4096, 4, ) == 0x0 01884 984 NtWaitForSingleObject ... ) == 0x0 01933 936 NtSetEventBoostPriority ... ) == 0x0 01932 856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01934 996 NtRegisterThreadTerminatePort ... ) == 0x0 01935 712 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01936 836 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01937 984 NtSetEventBoostPriority (384, ... 01938 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01939 944 NtWaitForSingleObject (100, 0, {0, 0}, ... 01940 936 NtWaitForSingleObject (100, 0, {0, 0}, ... 01941 996 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01942 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01879 880 NtWaitForSingleObject ... ) == 0x0 01937 984 NtSetEventBoostPriority ... ) == 0x0 01943 836 NtDeviceIoControlFile (408, 172, 0x0, 0x0, 0x12047, (408, 172, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0e\0t\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01944 712 NtClose (432, ... 01939 944 NtWaitForSingleObject ... ) == 0x102 01940 936 NtWaitForSingleObject ... ) == 0x102 01941 996 NtDuplicateObject ... 436, ) == 0x0 01945 880 NtSetEventBoostPriority (384, ... 01942 856 NtOpenKey ... 440, ) == 0x0 01938 484 NtCreateThread ... 444, {480, 1028}, ) == 0x0 01943 836 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01944 712 NtClose ... ) == 0x0 01946 944 NtWaitForSingleObject (184, 0, 0x0, ... 01947 936 NtWaitForSingleObject (184, 0, 0x0, ... 01892 960 NtWaitForSingleObject ... ) == 0x0 01948 996 NtWaitForSingleObject (384, 0, 0x0, ... 01949 856 NtQueryValueKey (440, (440, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01950 484 NtQueryInformationThread (444, Basic, 28, ... 01951 836 NtDeviceIoControlFile (408, 172, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 01952 712 NtClose (428, ... 01953 960 NtSetEventBoostPriority (384, ... 01945 880 NtSetEventBoostPriority ... ) == 0x0 01954 984 NtWaitForSingleObject (100, 0, {0, 0}, ... 01949 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01950 484 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=480,Tid=1028,}, 0x0, ) == 0x0 01952 712 NtClose ... ) == 0x0 01893 956 NtWaitForSingleObject ... ) == 0x0 01953 960 NtSetEventBoostPriority ... ) == 0x0 01955 880 NtWaitForSingleObject (100, 0, {0, 0}, ... 01954 984 NtWaitForSingleObject ... ) == 0x102 01956 856 NtClose (440, ... 01957 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1614, 0} (24, {28, 56, new_msg, 0, 480, 484, 1614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0\340\1\0\0\4\4\0\0" ... ... 01958 956 NtSetEventBoostPriority (384, ... 01959 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 01951 836 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 01960 984 NtWaitForSingleObject (184, 0, 0x0, ... 01956 856 NtClose ... ) == 0x0 01904 876 NtWaitForSingleObject ... ) == 0x0 01958 956 NtSetEventBoostPriority ... ) == 0x0 01957 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1615, 0} ... {28, 56, reply, 0, 480, 484, 1615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0\340\1\0\0\4\4\0\0" ) ) == 0x0 01959 712 NtOpenKey ... 440, ) == 0x0 01961 960 NtWaitForSingleObject (100, 0, {0, 0}, ... 01955 880 NtWaitForSingleObject ... ) == 0x102 01962 876 NtSetEventBoostPriority (384, ... 01963 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 01964 956 NtWaitForSingleObject (100, 0, {0, 0}, ... 01965 484 NtResumeThread (444, ... 01961 960 NtWaitForSingleObject ... ) == 0x102 01905 948 NtWaitForSingleObject ... ) == 0x0 01962 876 NtSetEventBoostPriority ... ) == 0x0 01966 880 NtWaitForSingleObject (184, 0, 0x0, ... 01963 856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01964 956 NtWaitForSingleObject ... ) == 0x102 01965 484 NtResumeThread ... 
1, ) == 0x0 01967 948 NtSetEventBoostPriority (384, ... 01968 960 NtWaitForSingleObject (184, 0, 0x0, ... 01969 876 NtWaitForSingleObject (100, 0, {0, 0}, ... 01970 856 NtWaitForSingleObject (384, 0, 0x0, ... 01971 956 NtWaitForSingleObject (184, 0, 0x0, ... 01906 952 NtWaitForSingleObject ... ) == 0x0 01967 948 NtSetEventBoostPriority ... ) == 0x0 01972 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01973 836 NtWaitForSingleObject (172, 1, {-5000000, -1}, ... 01974 712 NtQueryValueKey (440, (440, "Hostname", Full, 128, ... , Full, 128, ... 01975 1028 NtTestAlert (... 01976 952 NtSetEventBoostPriority (384, ... 01969 876 NtWaitForSingleObject ... ) == 0x102 01972 484 NtAllocateVirtualMemory ... 83558400, 2097152, ) == 0x0 01974 712 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01900 940 NtWaitForSingleObject ... ) == 0x0 01976 952 NtSetEventBoostPriority ... ) == 0x0 01975 1028 NtTestAlert ... ) == 0x0 01977 876 NtWaitForSingleObject (184, 0, 0x0, ... 01978 484 NtAllocateVirtualMemory (-1, 85647360, 0, 8192, 4096, 4, ... 01979 940 NtSetEventBoostPriority (384, ... 01980 712 NtClose (440, ... 01981 948 NtWaitForSingleObject (100, 0, {0, 0}, ... 01982 1028 NtContinue (83557680, 1, ... 01912 1016 NtWaitForSingleObject ... ) == 0x0 01978 484 NtAllocateVirtualMemory ... 85647360, 8192, ) == 0x0 01980 712 NtClose ... ) == 0x0 01981 948 NtWaitForSingleObject ... ) == 0x102 01983 1028 NtRegisterThreadTerminatePort (24, ... 01984 1016 NtSetEventBoostPriority (384, ... 01979 940 NtSetEventBoostPriority ... ) == 0x0 01985 952 NtWaitForSingleObject (100, 0, {0, 0}, ... 01986 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... }, ... 01987 948 NtWaitForSingleObject (184, 0, 0x0, ... 
01983 1028 NtRegisterThreadTerminatePort ... ) == 0x0 01914 1012 NtWaitForSingleObject ... ) == 0x0 01988 940 NtWaitForSingleObject (100, 0, {0, 0}, ... 01985 952 NtWaitForSingleObject ... ) == 0x102 01986 712 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01984 1016 NtSetEventBoostPriority ... ) == 0x0 01989 484 NtProtectVirtualMemory (-1, (0x51ae000), 4096, 260, ... 01990 1012 NtSetEventBoostPriority (384, ... 01991 952 NtWaitForSingleObject (184, 0, 0x0, ... 01992 1028 NtAllocateVirtualMemory (-1, 4612096, 0, 4096, 4096, 4, ... 01988 940 NtWaitForSingleObject ... ) == 0x102 01993 1016 NtWaitForSingleObject (100, 0, {0, 0}, ... 01989 484 NtProtectVirtualMemory ... (0x51ae000), 4096, 4, ) == 0x0 01917 1008 NtWaitForSingleObject ... ) == 0x0 01990 1012 NtSetEventBoostPriority ... ) == 0x0 01992 1028 NtAllocateVirtualMemory ... 4612096, 4096, ) == 0x0 01994 940 NtWaitForSingleObject (348, 0, 0x0, ... 01995 1008 NtWaitForSingleObject (348, 0, 0x0, ... 01996 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01997 1012 NtWaitForSingleObject (100, 0, {0, 0}, ... 01998 1028 NtSetEventBoostPriority (348, ... 01996 484 NtCreateThread ... 440, {480, 1040}, ) == 0x0 01999 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 01993 1016 NtWaitForSingleObject ... ) == 0x102 01995 1008 NtWaitForSingleObject ... ) == 0x0 01998 1028 NtSetEventBoostPriority ... ) == 0x0 02000 484 NtQueryInformationThread (440, Basic, 28, ... 01999 712 NtOpenKey ... 428, ) == 0x0 02001 1008 NtSetEventBoostPriority (348, ... 02002 1016 NtWaitForSingleObject (348, 0, 0x0, ... 02003 1028 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02000 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=480,Tid=1040,}, 0x0, ) == 0x0 01994 940 NtWaitForSingleObject ... ) == 0x0 02001 1008 NtSetEventBoostPriority ... 
) == 0x0 02004 712 NtQueryValueKey (428, (428, "Domain", Full, 128, ... , Full, 128, ... 02003 1028 NtDuplicateObject ... 432, ) == 0x0 01997 1012 NtWaitForSingleObject ... ) == 0x102 02005 940 NtSetEventBoostPriority (348, ... 02006 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1615, 0} (24, {28, 56, new_msg, 0, 480, 484, 1615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\340\1\0\0\20\4\0\0" ... ... 02004 712 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02007 1008 NtSetEventBoostPriority (384, ... 02002 1016 NtWaitForSingleObject ... ) == 0x0 02005 940 NtSetEventBoostPriority ... ) == 0x0 02008 1012 NtWaitForSingleObject (348, 0, 0x0, ... 02006 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1616, 0} ... {28, 56, reply, 0, 480, 484, 1616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\1\0\0\340\1\0\0\20\4\0\0" ) ) == 0x0 02009 712 NtClose (428, ... 02010 1016 NtSetEventBoostPriority (348, ... 01915 992 NtWaitForSingleObject ... ) == 0x0 02007 1008 NtSetEventBoostPriority ... ) == 0x0 02011 1028 NtWaitForSingleObject (348, 0, 0x0, ... 02012 484 NtResumeThread (440, ... 02008 1012 NtWaitForSingleObject ... ) == 0x0 02013 992 NtWaitForSingleObject (348, 0, 0x0, ... 02010 1016 NtSetEventBoostPriority ... ) == 0x0 02009 712 NtClose ... ) == 0x0 02014 1008 NtWaitForSingleObject (100, 0, {0, 0}, ... 02015 1012 NtSetEventBoostPriority (348, ... 02012 484 NtResumeThread ... 1, ) == 0x0 02016 940 NtWaitForSingleObject (184, 0, 0x0, ... 02017 1016 NtWaitForSingleObject (184, 0, 0x0, ... 02018 1040 NtTestAlert (... 02011 1028 NtWaitForSingleObject ... ) == 0x0 02015 1012 NtSetEventBoostPriority ... ) == 0x0 02014 1008 NtWaitForSingleObject ... ) == 0x102 02019 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02020 1028 NtSetEventBoostPriority (348, ... 02018 1040 NtTestAlert ... 
) == 0x0 02021 712 NtWaitForSingleObject (348, 0, 0x0, ... 02022 1008 NtWaitForSingleObject (348, 0, 0x0, ... 02023 1012 NtWaitForSingleObject (184, 0, 0x0, ... 02013 992 NtWaitForSingleObject ... ) == 0x0 02020 1028 NtSetEventBoostPriority ... ) == 0x0 02024 1040 NtContinue (85654832, 1, ... 02019 484 NtAllocateVirtualMemory ... 85655552, 2097152, ) == 0x0 02025 992 NtSetEventBoostPriority (348, ... 02026 1028 NtWaitForSingleObject (348, 0, 0x0, ... 02027 1040 NtRegisterThreadTerminatePort (24, ... 02021 712 NtWaitForSingleObject ... ) == 0x0 02028 484 NtAllocateVirtualMemory (-1, 87744512, 0, 8192, 4096, 4, ... 02025 992 NtSetEventBoostPriority ... ) == 0x0 02027 1040 NtRegisterThreadTerminatePort ... ) == 0x0 02029 712 NtSetEventBoostPriority (348, ... 02028 484 NtAllocateVirtualMemory ... 87744512, 8192, ) == 0x0 02030 992 NtSetEventBoostPriority (384, ... 02022 1008 NtWaitForSingleObject ... ) == 0x0 02029 712 NtSetEventBoostPriority ... ) == 0x0 02031 484 NtProtectVirtualMemory (-1, (0x53ae000), 4096, 260, ... 02032 1008 NtSetEventBoostPriority (348, ... 01948 996 NtWaitForSingleObject ... ) == 0x0 02030 992 NtSetEventBoostPriority ... ) == 0x0 02033 712 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02026 1028 NtWaitForSingleObject ... ) == 0x0 02034 996 NtWaitForSingleObject (348, 0, 0x0, ... 02031 484 NtProtectVirtualMemory ... (0x53ae000), 4096, 4, ) == 0x0 02035 992 NtWaitForSingleObject (100, 0, {0, 0}, ... 02032 1008 NtSetEventBoostPriority ... ) == 0x0 02036 1040 NtWaitForSingleObject (348, 0, 0x0, ... 02037 1028 NtSetEventBoostPriority (348, ... 02038 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02035 992 NtWaitForSingleObject ... ) == 0x102 02039 1008 NtWaitForSingleObject (184, 0, 0x0, ... 02034 996 NtWaitForSingleObject ... ) == 0x0 02037 1028 NtSetEventBoostPriority ... ) == 0x0 02033 712 NtCreateEvent ... 428, ) == 0x0 02040 992 NtWaitForSingleObject (348, 0, 0x0, ... 02041 996 NtSetEventBoostPriority (348, ... 
02042 1028 NtWaitForSingleObject (348, 0, 0x0, ... 02043 712 NtWaitForSingleObject (428, 0, 0x0, ... 02038 484 NtCreateThread ... 448, {480, 1044}, ) == 0x0 02036 1040 NtWaitForSingleObject ... ) == 0x0 02044 484 NtQueryInformationThread (448, Basic, 28, ... 02045 1040 NtSetEventBoostPriority (348, ... 02044 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=480,Tid=1044,}, 0x0, ) == 0x0 02042 1028 NtWaitForSingleObject ... ) == 0x0 02045 1040 NtSetEventBoostPriority ... ) == 0x0 02046 1028 NtSetEventBoostPriority (348, ... 02047 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1616, 0} (24, {28, 56, new_msg, 0, 480, 484, 1616, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\1\0\0\340\1\0\0\24\4\0\0" ... ... 02046 1028 NtSetEventBoostPriority ... ) == 0x0 02048 1040 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02047 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1617, 0} ... {28, 56, reply, 0, 480, 484, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\1\0\0\340\1\0\0\24\4\0\0" ) ) == 0x0 02041 996 NtSetEventBoostPriority ... ) == 0x0 02040 992 NtWaitForSingleObject ... ) == 0x0 02049 1028 NtWaitForSingleObject (384, 0, 0x0, ... 02048 1040 NtDuplicateObject ... 452, ) == 0x0 02050 484 NtResumeThread (448, ... 02051 992 NtWaitForSingleObject (184, 0, 0x0, ... 02052 1040 NtWaitForSingleObject (384, 0, 0x0, ... 02050 484 NtResumeThread ... 1, ) == 0x0 02053 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 87752704, 2097152, ) == 0x0 02054 484 NtAllocateVirtualMemory (-1, 89841664, 0, 8192, 4096, 4, ... 89841664, 8192, ) == 0x0 02055 484 NtProtectVirtualMemory (-1, (0x55ae000), 4096, 260, ... (0x55ae000), 4096, 4, ) == 0x0 02056 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 456, {480, 308}, ) == 0x0 02057 484 NtQueryInformationThread (456, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=480,Tid=308,}, 0x0, ) == 0x0 02058 996 NtSetEventBoostPriority (384, ... 02059 1044 NtTestAlert (... 
01970 856 NtWaitForSingleObject ... ) == 0x0 02058 996 NtSetEventBoostPriority ... ) == 0x0 02060 856 NtSetEventBoostPriority (384, ... 02059 1044 NtTestAlert ... ) == 0x0 02049 1028 NtWaitForSingleObject ... ) == 0x0 02060 856 NtSetEventBoostPriority ... ) == 0x0 02061 996 NtWaitForSingleObject (100, 0, {0, 0}, ... 02062 1028 NtSetEventBoostPriority (384, ... 02063 1044 NtContinue (87751984, 1, ... 02064 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1617, 0} (24, {28, 56, new_msg, 0, 480, 484, 1617, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\1\0\0\340\1\0\04\1\0\0" ... ... 02052 1040 NtWaitForSingleObject ... ) == 0x0 02062 1028 NtSetEventBoostPriority ... ) == 0x0 02061 996 NtWaitForSingleObject ... ) == 0x102 02065 1044 NtRegisterThreadTerminatePort (24, ... 02066 1040 NtWaitForSingleObject (100, 0, {0, 0}, ... 02064 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1618, 0} ... {28, 56, reply, 0, 480, 484, 1618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\1\0\0\340\1\0\04\1\0\0" ) ) == 0x0 02067 1028 NtWaitForSingleObject (100, 0, {0, 0}, ... 02068 996 NtWaitForSingleObject (184, 0, 0x0, ... 02065 1044 NtRegisterThreadTerminatePort ... ) == 0x0 02069 484 NtResumeThread (456, ... 02070 856 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02066 1040 NtWaitForSingleObject ... ) == 0x102 02067 1028 NtWaitForSingleObject ... ) == 0x102 02069 484 NtResumeThread ... 1, ) == 0x0 02070 856 NtCreateEvent ... 460, ) == 0x0 02071 1040 NtWaitForSingleObject (184, 0, 0x0, ... 02072 1028 NtWaitForSingleObject (184, 0, 0x0, ... 02073 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02074 856 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02075 1044 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02076 308 NtTestAlert (... 02074 856 NtCreateEvent ... 464, ) == 0x0 02075 1044 NtDuplicateObject ... 468, ) == 0x0 02076 308 NtTestAlert ... ) == 0x0 02077 856 NtQuerySystemTime (... 02078 1044 NtWaitForSingleObject (100, 0, {0, 0}, ... 02079 308 NtContinue (89849136, 1, ... 
02077 856 NtQuerySystemTime ... {1650568098, 29889237}, ) == 0x0 02078 1044 NtWaitForSingleObject ... ) == 0x102 02080 308 NtRegisterThreadTerminatePort (24, ... 02073 484 NtAllocateVirtualMemory ... 89849856, 2097152, ) == 0x0 02081 1044 NtWaitForSingleObject (184, 0, 0x0, ... 02080 308 NtRegisterThreadTerminatePort ... ) == 0x0 02082 484 NtAllocateVirtualMemory (-1, 91938816, 0, 8192, 4096, 4, ... 02083 856 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02082 484 NtAllocateVirtualMemory ... 91938816, 8192, ) == 0x0 02083 856 NtCreateEvent ... 472, ) == 0x0 02084 484 NtProtectVirtualMemory (-1, (0x57ae000), 4096, 260, ... 02085 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 02084 484 NtProtectVirtualMemory ... (0x57ae000), 4096, 4, ) == 0x0 02085 856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02086 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02087 856 NtQuerySystemInformation (Performance, 312, ... 02088 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02087 856 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 02088 308 NtDuplicateObject ... 476, ) == 0x0 02086 484 NtCreateThread ... 480, {480, 1092}, ) == 0x0 02089 308 NtWaitForSingleObject (100, 0, {0, 0}, ... 02090 484 NtQueryInformationThread (480, Basic, 28, ... 02089 308 NtWaitForSingleObject ... ) == 0x102 02090 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=480,Tid=1092,}, 0x0, ) == 0x0 02091 308 NtWaitForSingleObject (184, 0, 0x0, ... 02092 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1618, 0} (24, {28, 56, new_msg, 0, 480, 484, 1618, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\340\1\0\0D\4\0\0" ... ... 02093 856 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 02092 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1619, 0} ... 
{28, 56, reply, 0, 480, 484, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\1\0\0\340\1\0\0D\4\0\0" ) ) == 0x0 02093 856 NtQueryInformationProcess ... {process info, class 1, size 32}, 0x0, ) == 0x0 02094 856 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 02095 856 NtSetEventBoostPriority (428, ... 02043 712 NtWaitForSingleObject ... ) == 0x0 02096 712 NtAllocateVirtualMemory (-1, 4616192, 0, 4096, 4096, 4, ... 4616192, 4096, ) == 0x0 02095 856 NtSetEventBoostPriority ... ) == 0x0 02097 484 NtResumeThread (480, ... 02098 712 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02097 484 NtResumeThread ... 1, ) == 0x0 02098 712 NtCreateEvent ... 484, ) == 0x0 02099 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02100 712 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02099 484 NtAllocateVirtualMemory ... 91947008, 2097152, ) == 0x0 02100 712 NtDuplicateObject ... 488, ) == 0x0 02101 484 NtAllocateVirtualMemory (-1, 94035968, 0, 8192, 4096, 4, ... 02102 712 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 02101 484 NtAllocateVirtualMemory ... 94035968, 8192, ) == 0x0 02102 712 NtOpenKey ... 492, ) == 0x0 02103 856 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02104 1092 NtTestAlert (... 02105 484 NtProtectVirtualMemory (-1, (0x59ae000), 4096, 260, ... 02103 856 NtCreateEvent ... 496, ) == 0x0 02104 1092 NtTestAlert ... ) == 0x0 02105 484 NtProtectVirtualMemory ... (0x59ae000), 4096, 4, ) == 0x0 02106 856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02107 1092 NtContinue (91946288, 1, ... 02108 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02106 856 NtDuplicateObject ... 500, ) == 0x0 02109 1092 NtRegisterThreadTerminatePort (24, ... 02108 484 NtCreateThread ... 504, {480, 1132}, ) == 0x0 02110 856 NtWaitForSingleObject (428, 0, 0x0, ... 02109 1092 NtRegisterThreadTerminatePort ... 
) == 0x0 02111 484 NtQueryInformationThread (504, Basic, 28, ... 02112 712 NtOpenKey (0x20019, {24, 492, 0x40, 0, 0, (0x20019, {24, 492, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 02111 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=480,Tid=1132,}, 0x0, ) == 0x0 02112 712 NtOpenKey ... 508, ) == 0x0 02113 1092 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02114 712 NtQueryValueKey (508, (508, "ComputerName", Full, 108, ... , Full, 108, ... 02113 1092 NtDuplicateObject ... 512, ) == 0x0 02114 712 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02115 1092 NtWaitForSingleObject (100, 0, {0, 0}, ... 02116 712 NtClose (508, ... 02115 1092 NtWaitForSingleObject ... ) == 0x102 02116 712 NtClose ... ) == 0x0 02117 1092 NtWaitForSingleObject (184, 0, 0x0, ... 02118 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1619, 0} (24, {28, 56, new_msg, 0, 480, 484, 1619, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\340\1\0\0l\4\0\0" ... ... 02119 712 NtClose (492, ... 02118 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1620, 0} ... {28, 56, reply, 0, 480, 484, 1620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\1\0\0\340\1\0\0l\4\0\0" ) ) == 0x0 02119 712 NtClose ... ) == 0x0 02120 484 NtResumeThread (504, ... 02121 712 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 02120 484 NtResumeThread ... 1, ) == 0x0 02121 712 NtCreateIoCompletion ... 492, ) == 0x0 02122 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02123 712 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 02124 1132 NtTestAlert (... 02123 712 NtCreateIoCompletion ... 508, ) == 0x0 02124 1132 NtTestAlert ... ) == 0x0 02122 484 NtAllocateVirtualMemory ... 94044160, 2097152, ) == 0x0 02125 1132 NtContinue (94043440, 1, ... 
02126 484 NtAllocateVirtualMemory (-1, 96133120, 0, 8192, 4096, 4, ... 02127 1132 NtRegisterThreadTerminatePort (24, ... 02126 484 NtAllocateVirtualMemory ... 96133120, 8192, ) == 0x0 02127 1132 NtRegisterThreadTerminatePort ... ) == 0x0 02128 484 NtProtectVirtualMemory (-1, (0x5bae000), 4096, 260, ... 02129 712 NtDuplicateObject (-1, 492, -1, 0x0, 0, 2, ... 02128 484 NtProtectVirtualMemory ... (0x5bae000), 4096, 4, ) == 0x0 02129 712 NtDuplicateObject ... 516, ) == 0x0 02130 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02131 712 NtSetEventBoostPriority (428, ... 02132 1132 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02110 856 NtWaitForSingleObject ... ) == 0x0 02131 712 NtSetEventBoostPriority ... ) == 0x0 02133 856 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02132 1132 NtDuplicateObject ... 520, ) == 0x0 02133 856 NtCreateEvent ... 524, ) == 0x0 02134 712 NtOpenThreadToken (-2, 0xc, 1, ... 02135 1132 NtWaitForSingleObject (100, 0, {0, 0}, ... 02130 484 NtCreateThread ... 528, {480, 1128}, ) == 0x0 02134 712 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02135 1132 NtWaitForSingleObject ... ) == 0x102 02136 484 NtQueryInformationThread (528, Basic, 28, ... 02137 856 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 20377212, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 20377212, 112, ... 02138 1132 NtWaitForSingleObject (184, 0, 0x0, ... 02136 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=480,Tid=1128,}, 0x0, ) == 0x0 02137 856 NtConnectPort ... 532, 0x0, 0x0, 0x0, 112, ) == 0x0 02139 712 NtAllocateVirtualMemory (-1, 4620288, 0, 4096, 4096, 4, ... 02140 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1620, 0} (24, {28, 56, new_msg, 0, 480, 484, 1620, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\2\0\0\340\1\0\0h\4\0\0" ... ... 
02141 856 NtRequestWaitReplyPort (532, {128, 152, new_msg, 0, 4521984, 126032, 4521984, 20376976} (532, {128, 152, new_msg, 0, 4521984, 126032, 4521984, 20376976} "\0$\370w@\3646\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\310~F\0\4\0\0\0\310~F\0\20\344\314w\310~F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1E\0\0\0\0\0p~F\0\220zF\0H~F\0\0\0\0\0\0\0\0\0\0\0\0\0p~F\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02139 712 NtAllocateVirtualMemory ... 4620288, 4096, ) == 0x0 02140 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1622, 0} ... {28, 56, reply, 0, 480, 484, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\2\0\0\340\1\0\0h\4\0\0" ) ) == 0x0 02142 712 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02141 856 NtRequestWaitReplyPort ... {128, 152, reply, 0, 480, 856, 1623, 0} ... {128, 152, reply, 0, 480, 856, 1623, 0} "\7$\370w@\3646\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\310~F\0\377\377\377\377\310~F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1E\0\0\0\0\0p~F\0\220zF\0H~F\0\0\0\0\0\0\0\0\0\0\0\0\0p~F\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02142 712 NtCreateEvent ... 536, ) == 0x0 02143 484 NtResumeThread (528, ... 02144 712 NtOpenThreadToken (-2, 0xc, 1, ... 02143 484 NtResumeThread ... 1, ) == 0x0 02144 712 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02145 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02146 856 NtRequestWaitReplyPort (532, {64, 88, new_msg, 0, 0, 0, 0, 0} (532, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02147 1128 NtTestAlert (... 02145 484 NtAllocateVirtualMemory ... 96141312, 2097152, ) == 0x0 02147 1128 NtTestAlert ... ) == 0x0 02148 484 NtAllocateVirtualMemory (-1, 98230272, 0, 8192, 4096, 4, ... 02149 1128 NtContinue (96140592, 1, ... 02148 484 NtAllocateVirtualMemory ... 
98230272, 8192, ) == 0x0 02150 1128 NtRegisterThreadTerminatePort (24, ... 02151 712 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02150 1128 NtRegisterThreadTerminatePort ... ) == 0x0 02151 712 NtSetInformationThread ... ) == 0x0 02152 484 NtProtectVirtualMemory (-1, (0x5dae000), 4096, 260, ... 02153 712 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 8635956, (0xc0100080, {24, 0, 0x40, 0, 8635956, "\??\PIPE\SfcApi"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ... 02152 484 NtProtectVirtualMemory ... (0x5dae000), 4096, 4, ) == 0x0 02153 712 NtCreateFile ... 540, {status=0x0, info=1}, ) == 0x0 02154 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02155 712 NtSetInformationFile (540, 8636012, 8, Pipe, ... 02154 484 NtCreateThread ... 544, {480, 1136}, ) == 0x0 02155 712 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02156 484 NtQueryInformationThread (544, Basic, 28, ... 02157 1128 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02156 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=480,Tid=1136,}, 0x0, ) == 0x0 02157 1128 NtDuplicateObject ... 548, ) == 0x0 02158 712 NtSetInformationFile (540, 8636004, 8, Completion, ... 02159 1128 NtWaitForSingleObject (100, 0, {0, 0}, ... 02158 712 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02159 1128 NtWaitForSingleObject ... ) == 0x102 02160 712 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 02161 1128 NtWaitForSingleObject (184, 0, 0x0, ... 02160 712 NtSetInformationThread ... ) == 0x0 02162 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1622, 0} (24, {28, 56, new_msg, 0, 480, 484, 1622, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\340\1\0\0p\4\0\0" ... ... 
02163 712 NtWriteFile (540, 485, 0, 0, (540, 485, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\0|\332\203O\350\322\21\230\7\0\300O\216\310P\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ... 02162 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1625, 0} ... {28, 56, reply, 0, 480, 484, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0\340\1\0\0p\4\0\0" ) ) == 0x0 02163 712 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 02164 484 NtResumeThread (544, ... 02146 856 NtRequestWaitReplyPort ... {52, 76, reply, 0, 480, 856, 1624, 0} ... {52, 76, reply, 0, 480, 856, 1624, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200W\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02164 484 NtResumeThread ... 1, ) == 0x0 02165 856 NtClose (524, ... 02166 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02165 856 NtClose ... ) == 0x0 02167 712 NtReadFile (540, 485, 0, 0, 1024, {0, 0}, 0, ... 02168 1136 NtTestAlert (... 02169 856 NtClose (532, ... 02167 712 NtReadFile ... {status=0x0, info=68}, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\208\36\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02168 1136 NtTestAlert ... ) == 0x0 02166 484 NtAllocateVirtualMemory ... 98238464, 2097152, ) == 0x0 02170 712 NtFsControlFile (540, 485, 0x0, 0x0, 0x11c017, (540, 485, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0h\0\0\0\1\0\0\0P\0\0\0\0\0\1\0\326\317\203\0 \0\0\0\0\0\0\0 \0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0u\0t\0i\0l\0m\0a\0n\0.\0e\0x\0e\0\0\0", 104, 1024, ... , 104, 1024, ... 02171 1136 NtContinue (98237744, 1, ... 02172 484 NtAllocateVirtualMemory (-1, 100327424, 0, 8192, 4096, 4, ... 02170 712 NtFsControlFile ... {status=0x103, info=68}, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\208\36\0\0\15\0\PIPE\SfcApi\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02173 1136 NtRegisterThreadTerminatePort (24, ... 02172 484 NtAllocateVirtualMemory ... 100327424, 8192, ) == 0x0 02174 712 NtFsControlFile (540, 485, 0x0, 0x0, 0x11c017, (540, 485, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0l\0\0\0\2\0\0\0T\0\0\0\0\0\2\0\260\212F\0 \0\0\0\0\0\0\0 \0\0\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0u\0t\0i\0l\0m\0a\0n\0.\0e\0x\0e\0\0\0\377\377\377\377", 108, 1024, ... , 108, 1024, ... 02173 1136 NtRegisterThreadTerminatePort ... ) == 0x0 02175 484 NtProtectVirtualMemory (-1, (0x5fae000), 4096, 260, ... 02174 712 NtFsControlFile ... {status=0x103, info=28}, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02169 856 NtClose ... ) == 0x0 02175 484 NtProtectVirtualMemory ... (0x5fae000), 4096, 4, ) == 0x0 02176 1136 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02177 856 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02178 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02176 1136 NtDuplicateObject ... 532, ) == 0x0 02177 856 NtCreateKey ... 524, 2, ) == 0x0 02179 712 NtAllocateVirtualMemory (-1, 8626176, 0, 4096, 4096, 260, ... 02180 1136 NtWaitForSingleObject (100, 0, {0, 0}, ... 02181 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02179 712 NtAllocateVirtualMemory ... 8626176, 4096, ) == 0x0 02180 1136 NtWaitForSingleObject ... ) == 0x102 02181 856 NtOpenKey ... 552, ) == 0x0 02182 712 NtAllocateVirtualMemory (-1, 8622080, 0, 4096, 4096, 260, ... 
02183 1136 NtWaitForSingleObject (184, 0, 0x0, ... 02184 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02182 712 NtAllocateVirtualMemory ... 8622080, 4096, ) == 0x0 02178 484 NtCreateThread ... 556, {480, 1080}, ) == 0x0 02185 712 NtAllocateVirtualMemory (-1, 8617984, 0, 4096, 4096, 260, ... 02186 484 NtQueryInformationThread (556, Basic, 28, ... 02185 712 NtAllocateVirtualMemory ... 8617984, 4096, ) == 0x0 02186 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=480,Tid=1080,}, 0x0, ) == 0x0 02184 856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02187 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1625, 0} (24, {28, 56, new_msg, 0, 480, 484, 1625, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\340\1\0\08\4\0\0" ... ... 02188 856 NtQueryValueKey (524, (524, "Hostname", Partial, 144, ... , Partial, 144, ... 02187 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1627, 0} ... {28, 56, reply, 0, 480, 484, 1627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\2\0\0\340\1\0\08\4\0\0" ) ) == 0x0 02188 856 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02189 712 NtAllocateVirtualMemory (-1, 8613888, 0, 4096, 4096, 260, ... 02190 856 NtQueryValueKey (524, (524, "Hostname", Partial, 144, ... , Partial, 144, ... 02189 712 NtAllocateVirtualMemory ... 8613888, 4096, ) == 0x0 02190 856 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02191 712 NtAllocateVirtualMemory (-1, 8609792, 0, 4096, 4096, 260, ... 02192 856 NtClose (524, ... 02191 712 NtAllocateVirtualMemory ... 8609792, 4096, ) == 0x0 02193 484 NtResumeThread (556, ... 02194 712 NtAllocateVirtualMemory (-1, 8605696, 0, 4096, 4096, 260, ... 02193 484 NtResumeThread ... 1, ) == 0x0 02194 712 NtAllocateVirtualMemory ... 
8605696, 4096, ) == 0x0 02195 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02192 856 NtClose ... ) == 0x0 02196 1080 NtTestAlert (... 02195 484 NtAllocateVirtualMemory ... 100335616, 2097152, ) == 0x0 02197 856 NtClose (552, ... 02196 1080 NtTestAlert ... ) == 0x0 02198 484 NtAllocateVirtualMemory (-1, 102424576, 0, 8192, 4096, 4, ... 02197 856 NtClose ... ) == 0x0 02199 1080 NtContinue (100334896, 1, ... 02198 484 NtAllocateVirtualMemory ... 102424576, 8192, ) == 0x0 02200 856 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02201 1080 NtRegisterThreadTerminatePort (24, ... 02202 712 NtAllocateVirtualMemory (-1, 8601600, 0, 4096, 4096, 260, ... 02200 856 NtCreateEvent ... 552, ) == 0x0 02201 1080 NtRegisterThreadTerminatePort ... ) == 0x0 02202 712 NtAllocateVirtualMemory ... 8601600, 4096, ) == 0x0 02203 856 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 20377076, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 20377076, 112, ... 02204 484 NtProtectVirtualMemory (-1, (0x61ae000), 4096, 260, ... 02205 712 NtAllocateVirtualMemory (-1, 8597504, 0, 4096, 4096, 260, ... 02206 1080 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02204 484 NtProtectVirtualMemory ... (0x61ae000), 4096, 4, ) == 0x0 02205 712 NtAllocateVirtualMemory ... 8597504, 4096, ) == 0x0 02206 1080 NtDuplicateObject ... 524, ) == 0x0 02207 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02208 712 NtAllocateVirtualMemory (-1, 8593408, 0, 4096, 4096, 260, ... 02209 1080 NtWaitForSingleObject (100, 0, {0, 0}, ... 02207 484 NtCreateThread ... 560, {480, 1140}, ) == 0x0 02208 712 NtAllocateVirtualMemory ... 8593408, 4096, ) == 0x0 02209 1080 NtWaitForSingleObject ... ) == 0x102 02210 484 NtQueryInformationThread (560, Basic, 28, ... 02203 856 NtConnectPort ... 564, 0x0, 0x0, 0x0, 112, ) == 0x0 02211 1080 NtWaitForSingleObject (184, 0, 0x0, ... 02210 484 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=480,Tid=1140,}, 0x0, ) == 0x0 02212 856 NtRequestWaitReplyPort (564, {128, 152, new_msg, 0, 4521984, 125896, 4521984, 20376840} (564, {128, 152, new_msg, 0, 4521984, 125896, 4521984, 20376840} "\0$\370w\270\3636\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\310~F\0\4\0\0\0\310~F\0\20\344\314w\310~F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\0\0\240\1E\0 \214F\0?\360\367\0p\206F\0\0\0\0\0\0\0\0\0\0\0\0\0 \214F\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02213 712 NtAllocateVirtualMemory (-1, 8589312, 0, 4096, 4096, 260, ... 8589312, 4096, ) == 0x0 02214 712 NtAllocateVirtualMemory (-1, 8585216, 0, 4096, 4096, 260, ... 8585216, 4096, ) == 0x0 02215 712 NtAllocateVirtualMemory (-1, 8581120, 0, 4096, 4096, 260, ... 8581120, 4096, ) == 0x0 02216 712 NtAllocateVirtualMemory (-1, 8577024, 0, 4096, 4096, 260, ... 8577024, 4096, ) == 0x0 02217 712 NtAllocateVirtualMemory (-1, 8572928, 0, 4096, 4096, 260, ... 8572928, 4096, ) == 0x0 02218 712 NtAllocateVirtualMemory (-1, 8568832, 0, 4096, 4096, 260, ... 8568832, 4096, ) == 0x0 02219 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1627, 0} (24, {28, 56, new_msg, 0, 480, 484, 1627, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\2\0\0\340\1\0\0t\4\0\0" ... ... 02212 856 NtRequestWaitReplyPort ... {128, 152, reply, 0, 480, 856, 1629, 0} ... {128, 152, reply, 0, 480, 856, 1629, 0} "\7$\370w\270\3636\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\310~F\0\377\377\377\377\310~F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\0\0\240\1E\0 \214F\0?\360\367\0p\206F\0\0\0\0\0\0\0\0\0\0\0\0\0 \214F\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02219 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1630, 0} ... 
{28, 56, reply, 0, 480, 484, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\2\0\0\340\1\0\0t\4\0\0" ) ) == 0x0 02220 856 NtRequestWaitReplyPort (564, {44, 68, new_msg, 0, 480, 856, 1624, 0} (564, {44, 68, new_msg, 0, 480, 856, 1624, 0} "\1\0\0\0A\2\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 02221 484 NtResumeThread (560, ... 02222 712 NtAllocateVirtualMemory (-1, 8564736, 0, 4096, 4096, 260, ... 02221 484 NtResumeThread ... 1, ) == 0x0 02222 712 NtAllocateVirtualMemory ... 8564736, 4096, ) == 0x0 02223 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02224 712 NtAllocateVirtualMemory (-1, 8560640, 0, 4096, 4096, 260, ... 02225 1140 NtTestAlert (... 02224 712 NtAllocateVirtualMemory ... 8560640, 4096, ) == 0x0 02225 1140 NtTestAlert ... ) == 0x0 02226 712 NtAllocateVirtualMemory (-1, 8556544, 0, 4096, 4096, 260, ... 02227 1140 NtContinue (102432048, 1, ... 02226 712 NtAllocateVirtualMemory ... 8556544, 4096, ) == 0x0 02228 1140 NtRegisterThreadTerminatePort (24, ... 02223 484 NtAllocateVirtualMemory ... 102432768, 2097152, ) == 0x0 02228 1140 NtRegisterThreadTerminatePort ... ) == 0x0 02229 484 NtAllocateVirtualMemory (-1, 104521728, 0, 8192, 4096, 4, ... 02230 712 NtAllocateVirtualMemory (-1, 8552448, 0, 4096, 4096, 260, ... 02229 484 NtAllocateVirtualMemory ... 104521728, 8192, ) == 0x0 02230 712 NtAllocateVirtualMemory ... 8552448, 4096, ) == 0x0 02231 484 NtProtectVirtualMemory (-1, (0x63ae000), 4096, 260, ... 02232 712 NtAllocateVirtualMemory (-1, 8548352, 0, 4096, 4096, 260, ... 02231 484 NtProtectVirtualMemory ... (0x63ae000), 4096, 4, ) == 0x0 02232 712 NtAllocateVirtualMemory ... 8548352, 4096, ) == 0x0 02233 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02234 712 NtAllocateVirtualMemory (-1, 8544256, 0, 4096, 4096, 260, ... 02235 1140 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02234 712 NtAllocateVirtualMemory ... 8544256, 4096, ) == 0x0 02235 1140 NtDuplicateObject ... 
568, ) == 0x0 02233 484 NtCreateThread ... 572, {480, 1144}, ) == 0x0 02236 1140 NtWaitForSingleObject (100, 0, {0, 0}, ... 02237 484 NtQueryInformationThread (572, Basic, 28, ... 02236 1140 NtWaitForSingleObject ... ) == 0x102 02237 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=480,Tid=1144,}, 0x0, ) == 0x0 02238 1140 NtWaitForSingleObject (184, 0, 0x0, ... 02239 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1630, 0} (24, {28, 56, new_msg, 0, 480, 484, 1630, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\340\1\0\0x\4\0\0" ... ... 02240 712 NtAllocateVirtualMemory (-1, 8540160, 0, 4096, 4096, 260, ... 02239 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1632, 0} ... {28, 56, reply, 0, 480, 484, 1632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0\340\1\0\0x\4\0\0" ) ) == 0x0 02240 712 NtAllocateVirtualMemory ... 8540160, 4096, ) == 0x0 02241 712 NtAllocateVirtualMemory (-1, 8536064, 0, 4096, 4096, 260, ... 8536064, 4096, ) == 0x0 02242 712 NtAllocateVirtualMemory (-1, 8531968, 0, 4096, 4096, 260, ... 8531968, 4096, ) == 0x0 02243 712 NtAllocateVirtualMemory (-1, 8527872, 0, 4096, 4096, 260, ... 8527872, 4096, ) == 0x0 02244 712 NtAllocateVirtualMemory (-1, 8523776, 0, 4096, 4096, 260, ... 8523776, 4096, ) == 0x0 02245 712 NtAllocateVirtualMemory (-1, 8519680, 0, 4096, 4096, 260, ... 8519680, 4096, ) == 0x0 02246 484 NtResumeThread (572, ... 1, ) == 0x0 02247 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 104529920, 2097152, ) == 0x0 02248 484 NtAllocateVirtualMemory (-1, 106618880, 0, 8192, 4096, 4, ... 106618880, 8192, ) == 0x0 02249 484 NtProtectVirtualMemory (-1, (0x65ae000), 4096, 260, ... (0x65ae000), 4096, 4, ) == 0x0 02250 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 576, {480, 1164}, ) == 0x0 02251 484 NtQueryInformationThread (576, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=480,Tid=1164,}, 0x0, ) == 0x0 02252 712 NtAllocateVirtualMemory (-1, 8515584, 0, 4096, 4096, 260, ... 02220 856 NtRequestWaitReplyPort ... {40, 64, reply, 0, 480, 856, 1631, 0} ... {40, 64, reply, 0, 480, 856, 1631, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 02253 1144 NtTestAlert (... 02252 712 NtAllocateVirtualMemory ... 8515584, 4096, ) == 0x0 02254 856 NtAllocateVirtualMemory (-1, 4624384, 0, 4096, 4096, 4, ... 02253 1144 NtTestAlert ... ) == 0x0 02255 712 NtAllocateVirtualMemory (-1, 8511488, 0, 4096, 4096, 260, ... 02254 856 NtAllocateVirtualMemory ... 4624384, 4096, ) == 0x0 02256 1144 NtContinue (104529200, 1, ... 02255 712 NtAllocateVirtualMemory ... 8511488, 4096, ) == 0x0 02257 856 NtRequestWaitReplyPort (564, {64, 88, new_msg, 56, 0, 1, 0, 0} (564, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\3576\1@\0\314w\220yF\0\274\3576\1$\3606\1\0\267\362v$\3606\1\220yF\0\1\0\0\0\310\217F\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02258 1144 NtRegisterThreadTerminatePort (24, ... 02259 712 NtAllocateVirtualMemory (-1, 8507392, 0, 4096, 4096, 260, ... 02258 1144 NtRegisterThreadTerminatePort ... ) == 0x0 02259 712 NtAllocateVirtualMemory ... 8507392, 4096, ) == 0x0 02260 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1632, 0} (24, {28, 56, new_msg, 0, 480, 484, 1632, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\340\1\0\0\214\4\0\0" ... ... 02257 856 NtRequestWaitReplyPort ... {64, 88, reply, 56, 480, 856, 1633, 0} ... {64, 88, reply, 56, 480, 856, 1633, 0} "\10\3576\1@\0\314w\220yF\0\274\3576\1$\3606\1\0\267\362v$\3606\1\220yF\0\1\0\0\0\310\217F\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02261 1144 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02260 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1634, 0} ... 
{28, 56, reply, 0, 480, 484, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\2\0\0\340\1\0\0\214\4\0\0" ) ) == 0x0 02262 856 NtClose (552, ... 02261 1144 NtDuplicateObject ... 580, ) == 0x0 02263 484 NtResumeThread (576, ... 02262 856 NtClose ... ) == 0x0 02264 1144 NtWaitForSingleObject (100, 0, {0, 0}, ... 02263 484 NtResumeThread ... 1, ) == 0x0 02265 856 NtClose (564, ... 02264 1144 NtWaitForSingleObject ... ) == 0x102 02266 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02265 856 NtClose ... ) == 0x0 02267 1144 NtWaitForSingleObject (184, 0, 0x0, ... 02268 712 NtAllocateVirtualMemory (-1, 8503296, 0, 4096, 4096, 260, ... 02269 1164 NtTestAlert (... 02270 856 NtCreateKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02266 484 NtAllocateVirtualMemory ... 106627072, 2097152, ) == 0x0 02268 712 NtAllocateVirtualMemory ... 8503296, 4096, ) == 0x0 02269 1164 NtTestAlert ... ) == 0x0 02271 484 NtAllocateVirtualMemory (-1, 108716032, 0, 8192, 4096, 4, ... 02272 712 NtAllocateVirtualMemory (-1, 8499200, 0, 4096, 4096, 260, ... 02273 1164 NtContinue (106626352, 1, ... 02271 484 NtAllocateVirtualMemory ... 108716032, 8192, ) == 0x0 02272 712 NtAllocateVirtualMemory ... 8499200, 4096, ) == 0x0 02274 1164 NtRegisterThreadTerminatePort (24, ... 02275 484 NtProtectVirtualMemory (-1, (0x67ae000), 4096, 260, ... 02276 712 NtAllocateVirtualMemory (-1, 8495104, 0, 4096, 4096, 260, ... 02274 1164 NtRegisterThreadTerminatePort ... ) == 0x0 02275 484 NtProtectVirtualMemory ... (0x67ae000), 4096, 4, ) == 0x0 02276 712 NtAllocateVirtualMemory ... 8495104, 4096, ) == 0x0 02270 856 NtCreateKey ... 564, 2, ) == 0x0 02277 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02278 1164 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02279 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02280 712 NtAllocateVirtualMemory (-1, 8491008, 0, 4096, 4096, 260, ... 02278 1164 NtDuplicateObject ... 552, ) == 0x0 02279 856 NtOpenKey ... 584, ) == 0x0 02280 712 NtAllocateVirtualMemory ... 8491008, 4096, ) == 0x0 02281 1164 NtWaitForSingleObject (100, 0, {0, 0}, ... 02282 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02283 712 NtAllocateVirtualMemory (-1, 8486912, 0, 4096, 4096, 260, ... 02281 1164 NtWaitForSingleObject ... ) == 0x102 02282 856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02283 712 NtAllocateVirtualMemory ... 8486912, 4096, ) == 0x0 02284 1164 NtWaitForSingleObject (184, 0, 0x0, ... 02285 856 NtQueryValueKey (564, (564, "Domain", Partial, 144, ... , Partial, 144, ... 02286 712 NtAllocateVirtualMemory (-1, 8482816, 0, 4096, 4096, 260, ... 02277 484 NtCreateThread ... 588, {480, 320}, ) == 0x0 02286 712 NtAllocateVirtualMemory ... 8482816, 4096, ) == 0x0 02287 484 NtQueryInformationThread (588, Basic, 28, ... 02285 856 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02287 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=480,Tid=320,}, 0x0, ) == 0x0 02288 856 NtQueryValueKey (564, (564, "Domain", Partial, 144, ... , Partial, 144, ... 02289 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1634, 0} (24, {28, 56, new_msg, 0, 480, 484, 1634, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\2\0\0\340\1\0\0@\1\0\0" ... ... 02288 856 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02289 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1636, 0} ... 
{28, 56, reply, 0, 480, 484, 1636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\2\0\0\340\1\0\0@\1\0\0" ) ) == 0x0 02290 856 NtClose (564, ... 02291 712 NtAllocateVirtualMemory (-1, 8478720, 0, 4096, 4096, 260, ... 02290 856 NtClose ... ) == 0x0 02291 712 NtAllocateVirtualMemory ... 8478720, 4096, ) == 0x0 02292 856 NtClose (584, ... 02293 712 NtAllocateVirtualMemory (-1, 8474624, 0, 4096, 4096, 260, ... 02294 484 NtResumeThread (588, ... 02293 712 NtAllocateVirtualMemory ... 8474624, 4096, ) == 0x0 02294 484 NtResumeThread ... 1, ) == 0x0 02295 712 NtAllocateVirtualMemory (-1, 8470528, 0, 4096, 4096, 260, ... 02296 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02295 712 NtAllocateVirtualMemory ... 8470528, 4096, ) == 0x0 02296 484 NtAllocateVirtualMemory ... 108724224, 2097152, ) == 0x0 02292 856 NtClose ... ) == 0x0 02297 320 NtTestAlert (... 02298 484 NtAllocateVirtualMemory (-1, 110813184, 0, 8192, 4096, 4, ... 02299 856 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 02297 320 NtTestAlert ... ) == 0x0 02298 484 NtAllocateVirtualMemory ... 110813184, 8192, ) == 0x0 02299 856 NtOpenKey ... 584, ) == 0x0 02300 320 NtContinue (108723504, 1, ... 02301 712 NtAllocateVirtualMemory (-1, 8466432, 0, 4096, 4096, 260, ... 02302 856 NtQueryValueKey (584, (584, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 02303 320 NtRegisterThreadTerminatePort (24, ... 02301 712 NtAllocateVirtualMemory ... 8466432, 4096, ) == 0x0 02302 856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02303 320 NtRegisterThreadTerminatePort ... ) == 0x0 02304 712 NtAllocateVirtualMemory (-1, 8462336, 0, 4096, 4096, 260, ... 02305 856 NtClose (584, ... 02306 484 NtProtectVirtualMemory (-1, (0x69ae000), 4096, 260, ... 02304 712 NtAllocateVirtualMemory ... 8462336, 4096, ) == 0x0 02307 320 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02306 484 NtProtectVirtualMemory ... 
(0x69ae000), 4096, 4, ) == 0x0 02308 712 NtAllocateVirtualMemory (-1, 8458240, 0, 4096, 4096, 260, ... 02307 320 NtDuplicateObject ... 564, ) == 0x0 02309 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02308 712 NtAllocateVirtualMemory ... 8458240, 4096, ) == 0x0 02310 320 NtWaitForSingleObject (100, 0, {0, 0}, ... 02309 484 NtCreateThread ... 592, {480, 1168}, ) == 0x0 02305 856 NtClose ... ) == 0x0 02310 320 NtWaitForSingleObject ... ) == 0x102 02311 484 NtQueryInformationThread (592, Basic, 28, ... 02312 856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 20376620, ... }, 20376620, ... 02313 320 NtWaitForSingleObject (184, 0, 0x0, ... 02311 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=480,Tid=1168,}, 0x0, ) == 0x0 02312 856 NtQueryAttributesFile ... ) == 0x0 02314 712 NtAllocateVirtualMemory (-1, 8454144, 0, 4096, 4096, 260, ... 02315 856 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 02314 712 NtAllocateVirtualMemory ... 8454144, 4096, ) == 0x0 02315 856 NtOpenFile ... 584, {status=0x0, info=1}, ) == 0x0 02316 712 NtAllocateVirtualMemory (-1, 8450048, 0, 4096, 4096, 260, ... 02317 856 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 584, ... 02316 712 NtAllocateVirtualMemory ... 8450048, 4096, ) == 0x0 02318 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1636, 0} (24, {28, 56, new_msg, 0, 480, 484, 1636, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\340\1\0\0\220\4\0\0" ... ... 02319 712 NtAllocateVirtualMemory (-1, 8445952, 0, 4096, 4096, 260, ... 02318 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1637, 0} ... {28, 56, reply, 0, 480, 484, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\2\0\0\340\1\0\0\220\4\0\0" ) ) == 0x0 02319 712 NtAllocateVirtualMemory ... 8445952, 4096, ) == 0x0 02320 484 NtResumeThread (592, ... 02317 856 NtCreateSection ... 
596, ) == 0x0 02320 484 NtResumeThread ... 1, ) == 0x0 02321 856 NtClose (584, ... 02322 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02321 856 NtClose ... ) == 0x0 02323 712 NtAllocateVirtualMemory (-1, 8441856, 0, 4096, 4096, 260, ... 02324 1168 NtWaitForSingleObject (36, 0, 0x0, ... 02322 484 NtAllocateVirtualMemory ... 110821376, 2097152, ) == 0x0 02323 712 NtAllocateVirtualMemory ... 8441856, 4096, ) == 0x0 02325 484 NtAllocateVirtualMemory (-1, 112910336, 0, 8192, 4096, 4, ... 02326 712 NtAllocateVirtualMemory (-1, 8437760, 0, 4096, 4096, 260, ... 02325 484 NtAllocateVirtualMemory ... 112910336, 8192, ) == 0x0 02326 712 NtAllocateVirtualMemory ... 8437760, 4096, ) == 0x0 02327 484 NtProtectVirtualMemory (-1, (0x6bae000), 4096, 260, ... 02328 712 NtAllocateVirtualMemory (-1, 8433664, 0, 4096, 4096, 260, ... 02327 484 NtProtectVirtualMemory ... (0x6bae000), 4096, 4, ) == 0x0 02328 712 NtAllocateVirtualMemory ... 8433664, 4096, ) == 0x0 02329 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02330 856 NtMapViewOfSection (596, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 02331 712 NtAllocateVirtualMemory (-1, 8429568, 0, 4096, 4096, 260, ... 02330 856 NtMapViewOfSection ... (0xef0000), 0x0, 16384, ) == 0x0 02331 712 NtAllocateVirtualMemory ... 8429568, 4096, ) == 0x0 02332 856 NtClose (596, ... 02333 712 NtAllocateVirtualMemory (-1, 8425472, 0, 4096, 4096, 260, ... 02332 856 NtClose ... ) == 0x0 02333 712 NtAllocateVirtualMemory ... 8425472, 4096, ) == 0x0 02334 856 NtUnmapViewOfSection (-1, 0xef0000, ... 02335 712 NtCreateFile (0xc0100081, {24, 0, 0x40, 0, 8433160, (0xc0100081, {24, 0, 0x40, 0, 8433160, "\??\C:\WINDOWS\system32\utilman.exe"}, 0x0, 0, 0, 1, 96, 0, 0, ... }, 0x0, 0, 0, 1, 96, 0, 0, ... 02334 856 NtUnmapViewOfSection ... ) == 0x0 02335 712 NtCreateFile ... 596, {status=0x0, info=1}, ) == 0x0 02329 484 NtCreateThread ... 
584, {480, 1172}, ) == 0x0 02336 856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 20376936, ... }, 20376936, ... 02337 484 NtQueryInformationThread (584, Basic, 28, ... 02336 856 NtQueryAttributesFile ... ) == 0x0 02337 484 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=480,Tid=1172,}, 0x0, ) == 0x0 02338 856 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 02339 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1637, 0} (24, {28, 56, new_msg, 0, 480, 484, 1637, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\340\1\0\0\224\4\0\0" ... ... 02338 856 NtOpenFile ... 600, {status=0x0, info=1}, ) == 0x0 02339 484 NtRequestWaitReplyPort ... {28, 56, reply, 0, 480, 484, 1638, 0} ... {28, 56, reply, 0, 480, 484, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0\340\1\0\0\224\4\0\0" ) ) == 0x0 02340 856 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 600, ... 02341 712 NtQueryInformationFile (596, 8433212, 24, Standard, ... 02340 856 NtCreateSection ... 604, ) == 0x0 02341 712 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 02342 484 NtResumeThread (584, ... 02343 712 NtAllocateVirtualMemory (-1, 4628480, 0, 241664, 4096, 4, ... 02342 484 NtResumeThread ... 1, ) == 0x0 02343 712 NtAllocateVirtualMemory ... 4628480, 241664, ) == 0x0 02344 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02345 712 NtReadFile (596, 0, 0, 0, 46592, 0x0, 0, ... 02344 484 NtAllocateVirtualMemory ... 112918528, 2097152, ) == 0x0 02346 484 NtAllocateVirtualMemory (-1, 115007488, 0, 8192, 4096, 4, ... 115007488, 8192, ) == 0x0 02347 484 NtProtectVirtualMemory (-1, (0x6dae000), 4096, 260, ... (0x6dae000), 4096, 4, ) == 0x0 02348 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 608, {480, 1176}, ) == 0x0 02349 484 NtQueryInformationThread (608, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=480,Tid=1176,}, 0x0, ) == 0x0 02350 856 NtQuerySection (604, Image, 48, ... 02351 1172 NtWaitForSingleObject (36, 0, 0x0, ... 02350 856 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 02352 856 NtClose (600, ... ) == 0x0 02353 856 NtMapViewOfSection (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 02354 856 NtClose (604, ... ) == 0x0 02355 856 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 604, ) }, ... 604, ) == 0x0 02356 856 NtMapViewOfSection (604, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 02357 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1638, 0} (24, {28, 56, new_msg, 0, 480, 484, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\340\1\0\0\230\4\0\0" ... {28, 56, reply, 0, 480, 484, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\340\1\0\0\230\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1639, 0} (24, {28, 56, new_msg, 0, 480, 484, 1638, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\340\1\0\0\230\4\0\0" ... {28, 56, reply, 0, 480, 484, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0\340\1\0\0\230\4\0\0" ) ) == 0x0 02358 484 NtResumeThread (608, ... 1, ) == 0x0 02359 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 115015680, 2097152, ) == 0x0 02360 484 NtAllocateVirtualMemory (-1, 117104640, 0, 8192, 4096, 4, ... 117104640, 8192, ) == 0x0 02361 484 NtProtectVirtualMemory (-1, (0x6fae000), 4096, 260, ... (0x6fae000), 4096, 4, ) == 0x0 02362 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02363 856 NtClose (604, ... 02364 1176 NtWaitForSingleObject (36, 0, 0x0, ... 02363 856 NtClose ... ) == 0x0 02365 856 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 604, ) == 0x0 02366 856 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... }, ... 02362 484 NtCreateThread ... 
600, {480, 1072}, ) == 0x0 02367 484 NtQueryInformationThread (600, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=480,Tid=1072,}, 0x0, ) == 0x0 02368 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1639, 0} (24, {28, 56, new_msg, 0, 480, 484, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\340\1\0\00\4\0\0" ... {28, 56, reply, 0, 480, 484, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\340\1\0\00\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1640, 0} (24, {28, 56, new_msg, 0, 480, 484, 1639, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\340\1\0\00\4\0\0" ... {28, 56, reply, 0, 480, 484, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\2\0\0\340\1\0\00\4\0\0" ) ) == 0x0 02369 484 NtResumeThread (600, ... 1, ) == 0x0 02370 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 117112832, 2097152, ) == 0x0 02371 484 NtAllocateVirtualMemory (-1, 119201792, 0, 8192, 4096, 4, ... 119201792, 8192, ) == 0x0 02372 1072 NtWaitForSingleObject (36, 0, 0x0, ... 02373 484 NtProtectVirtualMemory (-1, (0x71ae000), 4096, 260, ... (0x71ae000), 4096, 4, ) == 0x0 02374 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 612, {480, 1184}, ) == 0x0 02375 484 NtQueryInformationThread (612, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=480,Tid=1184,}, 0x0, ) == 0x0 02376 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1640, 0} (24, {28, 56, new_msg, 0, 480, 484, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\2\0\0\340\1\0\0\240\4\0\0" ... {28, 56, reply, 0, 480, 484, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\2\0\0\340\1\0\0\240\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1641, 0} (24, {28, 56, new_msg, 0, 480, 484, 1640, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\2\0\0\340\1\0\0\240\4\0\0" ... {28, 56, reply, 0, 480, 484, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\2\0\0\340\1\0\0\240\4\0\0" ) ) == 0x0 02377 484 NtResumeThread (612, ... 1, ) == 0x0 02378 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02379 1184 NtWaitForSingleObject (36, 0, 0x0, ... 02378 484 NtAllocateVirtualMemory ... 119209984, 2097152, ) == 0x0 02380 484 NtAllocateVirtualMemory (-1, 121298944, 0, 8192, 4096, 4, ... 121298944, 8192, ) == 0x0 02381 484 NtProtectVirtualMemory (-1, (0x73ae000), 4096, 260, ... (0x73ae000), 4096, 4, ) == 0x0 02382 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 616, {480, 1192}, ) == 0x0 02383 484 NtQueryInformationThread (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=480,Tid=1192,}, 0x0, ) == 0x0 02384 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1641, 0} (24, {28, 56, new_msg, 0, 480, 484, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\340\1\0\0\250\4\0\0" ... {28, 56, reply, 0, 480, 484, 1642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\340\1\0\0\250\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1642, 0} (24, {28, 56, new_msg, 0, 480, 484, 1641, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\340\1\0\0\250\4\0\0" ... {28, 56, reply, 0, 480, 484, 1642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0\340\1\0\0\250\4\0\0" ) ) == 0x0 02385 484 NtResumeThread (616, ... 1, ) == 0x0 02386 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 121307136, 2097152, ) == 0x0 02387 484 NtAllocateVirtualMemory (-1, 123396096, 0, 8192, 4096, 4, ... 123396096, 8192, ) == 0x0 02388 1192 NtWaitForSingleObject (36, 0, 0x0, ... 02389 484 NtProtectVirtualMemory (-1, (0x75ae000), 4096, 260, ... (0x75ae000), 4096, 4, ) == 0x0 02390 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 620, {480, 1196}, ) == 0x0 02391 484 NtQueryInformationThread (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=480,Tid=1196,}, 0x0, ) == 0x0 02392 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1642, 0} (24, {28, 56, new_msg, 0, 480, 484, 1642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\2\0\0\340\1\0\0\254\4\0\0" ... {28, 56, reply, 0, 480, 484, 1643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\2\0\0\340\1\0\0\254\4\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1643, 0} (24, {28, 56, new_msg, 0, 480, 484, 1642, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\2\0\0\340\1\0\0\254\4\0\0" ... {28, 56, reply, 0, 480, 484, 1643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\2\0\0\340\1\0\0\254\4\0\0" ) ) == 0x0 02393 484 NtResumeThread (620, ... 1, ) == 0x0 02394 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02395 1196 NtWaitForSingleObject (36, 0, 0x0, ... 02394 484 NtAllocateVirtualMemory ... 123404288, 2097152, ) == 0x0 02396 484 NtAllocateVirtualMemory (-1, 125493248, 0, 8192, 4096, 4, ... 125493248, 8192, ) == 0x0 02397 484 NtProtectVirtualMemory (-1, (0x77ae000), 4096, 260, ... (0x77ae000), 4096, 4, ) == 0x0 02398 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 624, {480, 1212}, ) == 0x0 02399 484 NtQueryInformationThread (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=480,Tid=1212,}, 0x0, ) == 0x0 02400 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1643, 0} (24, {28, 56, new_msg, 0, 480, 484, 1643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\340\1\0\0\274\4\0\0" ... {28, 56, reply, 0, 480, 484, 1644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\340\1\0\0\274\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1644, 0} (24, {28, 56, new_msg, 0, 480, 484, 1643, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\340\1\0\0\274\4\0\0" ... {28, 56, reply, 0, 480, 484, 1644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\2\0\0\340\1\0\0\274\4\0\0" ) ) == 0x0 02401 484 NtResumeThread (624, ... 1, ) == 0x0 02402 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 125501440, 2097152, ) == 0x0 02403 484 NtAllocateVirtualMemory (-1, 127590400, 0, 8192, 4096, 4, ... 127590400, 8192, ) == 0x0 02404 1212 NtWaitForSingleObject (36, 0, 0x0, ... 02405 484 NtProtectVirtualMemory (-1, (0x79ae000), 4096, 260, ... (0x79ae000), 4096, 4, ) == 0x0 02406 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 628, {480, 1224}, ) == 0x0 02407 484 NtQueryInformationThread (628, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=480,Tid=1224,}, 0x0, ) == 0x0 02408 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1644, 0} (24, {28, 56, new_msg, 0, 480, 484, 1644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0\340\1\0\0\310\4\0\0" ... {28, 56, reply, 0, 480, 484, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0\340\1\0\0\310\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1645, 0} (24, {28, 56, new_msg, 0, 480, 484, 1644, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0\340\1\0\0\310\4\0\0" ... {28, 56, reply, 0, 480, 484, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0\340\1\0\0\310\4\0\0" ) ) == 0x0 02409 484 NtResumeThread (628, ... 1, ) == 0x0 02410 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02411 1224 NtWaitForSingleObject (36, 0, 0x0, ... 02410 484 NtAllocateVirtualMemory ... 127598592, 2097152, ) == 0x0 02412 484 NtAllocateVirtualMemory (-1, 129687552, 0, 8192, 4096, 4, ... 129687552, 8192, ) == 0x0 02413 484 NtProtectVirtualMemory (-1, (0x7bae000), 4096, 260, ... (0x7bae000), 4096, 4, ) == 0x0 02414 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 632, {480, 324}, ) == 0x0 02415 484 NtQueryInformationThread (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=480,Tid=324,}, 0x0, ) == 0x0 02416 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1645, 0} (24, {28, 56, new_msg, 0, 480, 484, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\2\0\0\340\1\0\0D\1\0\0" ... {28, 56, reply, 0, 480, 484, 1646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\2\0\0\340\1\0\0D\1\0\0" ) ... {28, 56, reply, 0, 480, 484, 1646, 0} (24, {28, 56, new_msg, 0, 480, 484, 1645, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\2\0\0\340\1\0\0D\1\0\0" ... {28, 56, reply, 0, 480, 484, 1646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\2\0\0\340\1\0\0D\1\0\0" ) ) == 0x0 02417 484 NtResumeThread (632, ... 1, ) == 0x0 02418 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
129695744, 2097152, ) == 0x0 02419 484 NtAllocateVirtualMemory (-1, 131784704, 0, 8192, 4096, 4, ... 131784704, 8192, ) == 0x0 02420 324 NtWaitForSingleObject (36, 0, 0x0, ... 02421 484 NtProtectVirtualMemory (-1, (0x7dae000), 4096, 260, ... (0x7dae000), 4096, 4, ) == 0x0 02422 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 636, {480, 1228}, ) == 0x0 02423 484 NtQueryInformationThread (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=480,Tid=1228,}, 0x0, ) == 0x0 02424 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1646, 0} (24, {28, 56, new_msg, 0, 480, 484, 1646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\340\1\0\0\314\4\0\0" ... {28, 56, reply, 0, 480, 484, 1647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\340\1\0\0\314\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1647, 0} (24, {28, 56, new_msg, 0, 480, 484, 1646, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\340\1\0\0\314\4\0\0" ... {28, 56, reply, 0, 480, 484, 1647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\2\0\0\340\1\0\0\314\4\0\0" ) ) == 0x0 02425 484 NtResumeThread (636, ... 1, ) == 0x0 02426 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02427 1228 NtWaitForSingleObject (36, 0, 0x0, ... 02426 484 NtAllocateVirtualMemory ... 131792896, 2097152, ) == 0x0 02428 484 NtAllocateVirtualMemory (-1, 133881856, 0, 8192, 4096, 4, ... 133881856, 8192, ) == 0x0 02429 484 NtProtectVirtualMemory (-1, (0x7fae000), 4096, 260, ... (0x7fae000), 4096, 4, ) == 0x0 02430 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 640, {480, 1232}, ) == 0x0 02431 484 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=480,Tid=1232,}, 0x0, ) == 0x0 02432 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1647, 0} (24, {28, 56, new_msg, 0, 480, 484, 1647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\340\1\0\0\320\4\0\0" ... {28, 56, reply, 0, 480, 484, 1648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\340\1\0\0\320\4\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1648, 0} (24, {28, 56, new_msg, 0, 480, 484, 1647, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\340\1\0\0\320\4\0\0" ... {28, 56, reply, 0, 480, 484, 1648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0\340\1\0\0\320\4\0\0" ) ) == 0x0 02433 484 NtResumeThread (640, ... 1, ) == 0x0 02434 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 133890048, 2097152, ) == 0x0 02435 484 NtAllocateVirtualMemory (-1, 135979008, 0, 8192, 4096, 4, ... 135979008, 8192, ) == 0x0 02436 1232 NtWaitForSingleObject (36, 0, 0x0, ... 02437 484 NtProtectVirtualMemory (-1, (0x81ae000), 4096, 260, ... (0x81ae000), 4096, 4, ) == 0x0 02438 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 644, {480, 1244}, ) == 0x0 02439 484 NtQueryInformationThread (644, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=480,Tid=1244,}, 0x0, ) == 0x0 02440 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1648, 0} (24, {28, 56, new_msg, 0, 480, 484, 1648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\2\0\0\340\1\0\0\334\4\0\0" ... {28, 56, reply, 0, 480, 484, 1649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\2\0\0\340\1\0\0\334\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1649, 0} (24, {28, 56, new_msg, 0, 480, 484, 1648, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\2\0\0\340\1\0\0\334\4\0\0" ... {28, 56, reply, 0, 480, 484, 1649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\2\0\0\340\1\0\0\334\4\0\0" ) ) == 0x0 02441 484 NtResumeThread (644, ... 1, ) == 0x0 02442 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02443 1244 NtWaitForSingleObject (36, 0, 0x0, ... 02442 484 NtAllocateVirtualMemory ... 135987200, 2097152, ) == 0x0 02444 484 NtAllocateVirtualMemory (-1, 138076160, 0, 8192, 4096, 4, ... 138076160, 8192, ) == 0x0 02445 484 NtProtectVirtualMemory (-1, (0x83ae000), 4096, 260, ... (0x83ae000), 4096, 4, ) == 0x0 02446 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
648, {480, 1248}, ) == 0x0 02447 484 NtQueryInformationThread (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=480,Tid=1248,}, 0x0, ) == 0x0 02448 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1649, 0} (24, {28, 56, new_msg, 0, 480, 484, 1649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\340\1\0\0\340\4\0\0" ... {28, 56, reply, 0, 480, 484, 1650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\340\1\0\0\340\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1650, 0} (24, {28, 56, new_msg, 0, 480, 484, 1649, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\340\1\0\0\340\4\0\0" ... {28, 56, reply, 0, 480, 484, 1650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\2\0\0\340\1\0\0\340\4\0\0" ) ) == 0x0 02449 484 NtResumeThread (648, ... 1, ) == 0x0 02450 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 138084352, 2097152, ) == 0x0 02451 484 NtAllocateVirtualMemory (-1, 140173312, 0, 8192, 4096, 4, ... 140173312, 8192, ) == 0x0 02452 1248 NtWaitForSingleObject (36, 0, 0x0, ... 02453 484 NtProtectVirtualMemory (-1, (0x85ae000), 4096, 260, ... (0x85ae000), 4096, 4, ) == 0x0 02454 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 652, {480, 1252}, ) == 0x0 02455 484 NtQueryInformationThread (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=480,Tid=1252,}, 0x0, ) == 0x0 02456 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1650, 0} (24, {28, 56, new_msg, 0, 480, 484, 1650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\2\0\0\340\1\0\0\344\4\0\0" ... {28, 56, reply, 0, 480, 484, 1651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\2\0\0\340\1\0\0\344\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1651, 0} (24, {28, 56, new_msg, 0, 480, 484, 1650, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\2\0\0\340\1\0\0\344\4\0\0" ... {28, 56, reply, 0, 480, 484, 1651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\2\0\0\340\1\0\0\344\4\0\0" ) ) == 0x0 02457 484 NtResumeThread (652, ... 1, ) == 0x0 02458 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02459 1252 NtWaitForSingleObject (36, 0, 0x0, ... 02458 484 NtAllocateVirtualMemory ... 140181504, 2097152, ) == 0x0 02460 484 NtAllocateVirtualMemory (-1, 142270464, 0, 8192, 4096, 4, ... 142270464, 8192, ) == 0x0 02461 484 NtProtectVirtualMemory (-1, (0x87ae000), 4096, 260, ... (0x87ae000), 4096, 4, ) == 0x0 02462 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 656, {480, 1256}, ) == 0x0 02463 484 NtQueryInformationThread (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=480,Tid=1256,}, 0x0, ) == 0x0 02464 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1651, 0} (24, {28, 56, new_msg, 0, 480, 484, 1651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\2\0\0\340\1\0\0\350\4\0\0" ... {28, 56, reply, 0, 480, 484, 1652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\2\0\0\340\1\0\0\350\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1652, 0} (24, {28, 56, new_msg, 0, 480, 484, 1651, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\2\0\0\340\1\0\0\350\4\0\0" ... {28, 56, reply, 0, 480, 484, 1652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\2\0\0\340\1\0\0\350\4\0\0" ) ) == 0x0 02465 484 NtResumeThread (656, ... 1, ) == 0x0 02466 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 142278656, 2097152, ) == 0x0 02467 484 NtAllocateVirtualMemory (-1, 144367616, 0, 8192, 4096, 4, ... 144367616, 8192, ) == 0x0 02468 1256 NtWaitForSingleObject (36, 0, 0x0, ... 02469 484 NtProtectVirtualMemory (-1, (0x89ae000), 4096, 260, ... (0x89ae000), 4096, 4, ) == 0x0 02470 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 660, {480, 1260}, ) == 0x0 02471 484 NtQueryInformationThread (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=480,Tid=1260,}, 0x0, ) == 0x0 02472 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1652, 0} (24, {28, 56, new_msg, 0, 480, 484, 1652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\2\0\0\340\1\0\0\354\4\0\0" ... 
{28, 56, reply, 0, 480, 484, 1653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\2\0\0\340\1\0\0\354\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1653, 0} (24, {28, 56, new_msg, 0, 480, 484, 1652, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\2\0\0\340\1\0\0\354\4\0\0" ... {28, 56, reply, 0, 480, 484, 1653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\2\0\0\340\1\0\0\354\4\0\0" ) ) == 0x0 02473 484 NtResumeThread (660, ... 1, ) == 0x0 02474 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02475 1260 NtWaitForSingleObject (36, 0, 0x0, ... 02474 484 NtAllocateVirtualMemory ... 144375808, 2097152, ) == 0x0 02476 484 NtAllocateVirtualMemory (-1, 146464768, 0, 8192, 4096, 4, ... 146464768, 8192, ) == 0x0 02477 484 NtProtectVirtualMemory (-1, (0x8bae000), 4096, 260, ... (0x8bae000), 4096, 4, ) == 0x0 02478 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 664, {480, 1268}, ) == 0x0 02479 484 NtQueryInformationThread (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=480,Tid=1268,}, 0x0, ) == 0x0 02480 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1653, 0} (24, {28, 56, new_msg, 0, 480, 484, 1653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\2\0\0\340\1\0\0\364\4\0\0" ... {28, 56, reply, 0, 480, 484, 1654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\2\0\0\340\1\0\0\364\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1654, 0} (24, {28, 56, new_msg, 0, 480, 484, 1653, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\2\0\0\340\1\0\0\364\4\0\0" ... {28, 56, reply, 0, 480, 484, 1654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\2\0\0\340\1\0\0\364\4\0\0" ) ) == 0x0 02481 484 NtResumeThread (664, ... 1, ) == 0x0 02482 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 146472960, 2097152, ) == 0x0 02483 484 NtAllocateVirtualMemory (-1, 148561920, 0, 8192, 4096, 4, ... 148561920, 8192, ) == 0x0 02484 1268 NtWaitForSingleObject (36, 0, 0x0, ... 02485 484 NtProtectVirtualMemory (-1, (0x8dae000), 4096, 260, ... 
(0x8dae000), 4096, 4, ) == 0x0 02486 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 668, {480, 708}, ) == 0x0 02487 484 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=480,Tid=708,}, 0x0, ) == 0x0 02488 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1654, 0} (24, {28, 56, new_msg, 0, 480, 484, 1654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\2\0\0\340\1\0\0\304\2\0\0" ... {28, 56, reply, 0, 480, 484, 1655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\2\0\0\340\1\0\0\304\2\0\0" ) ... {28, 56, reply, 0, 480, 484, 1655, 0} (24, {28, 56, new_msg, 0, 480, 484, 1654, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\2\0\0\340\1\0\0\304\2\0\0" ... {28, 56, reply, 0, 480, 484, 1655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\2\0\0\340\1\0\0\304\2\0\0" ) ) == 0x0 02489 484 NtResumeThread (668, ... 1, ) == 0x0 02490 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02491 708 NtWaitForSingleObject (36, 0, 0x0, ... 02490 484 NtAllocateVirtualMemory ... 148570112, 2097152, ) == 0x0 02492 484 NtAllocateVirtualMemory (-1, 150659072, 0, 8192, 4096, 4, ... 150659072, 8192, ) == 0x0 02493 484 NtProtectVirtualMemory (-1, (0x8fae000), 4096, 260, ... (0x8fae000), 4096, 4, ) == 0x0 02494 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 672, {480, 1280}, ) == 0x0 02495 484 NtQueryInformationThread (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=480,Tid=1280,}, 0x0, ) == 0x0 02496 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1655, 0} (24, {28, 56, new_msg, 0, 480, 484, 1655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\2\0\0\340\1\0\0\0\5\0\0" ... {28, 56, reply, 0, 480, 484, 1656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\2\0\0\340\1\0\0\0\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1656, 0} (24, {28, 56, new_msg, 0, 480, 484, 1655, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\2\0\0\340\1\0\0\0\5\0\0" ... 
{28, 56, reply, 0, 480, 484, 1656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\2\0\0\340\1\0\0\0\5\0\0" ) ) == 0x0 02497 484 NtResumeThread (672, ... 1, ) == 0x0 02498 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 150667264, 2097152, ) == 0x0 02499 484 NtAllocateVirtualMemory (-1, 152756224, 0, 8192, 4096, 4, ... 152756224, 8192, ) == 0x0 02500 1280 NtWaitForSingleObject (36, 0, 0x0, ... 02501 484 NtProtectVirtualMemory (-1, (0x91ae000), 4096, 260, ... (0x91ae000), 4096, 4, ) == 0x0 02502 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 676, {480, 1300}, ) == 0x0 02503 484 NtQueryInformationThread (676, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=480,Tid=1300,}, 0x0, ) == 0x0 02504 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1656, 0} (24, {28, 56, new_msg, 0, 480, 484, 1656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\340\1\0\0\24\5\0\0" ... {28, 56, reply, 0, 480, 484, 1657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\340\1\0\0\24\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1657, 0} (24, {28, 56, new_msg, 0, 480, 484, 1656, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\340\1\0\0\24\5\0\0" ... {28, 56, reply, 0, 480, 484, 1657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\2\0\0\340\1\0\0\24\5\0\0" ) ) == 0x0 02505 484 NtResumeThread (676, ... 1, ) == 0x0 02506 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02507 1300 NtWaitForSingleObject (36, 0, 0x0, ... 02506 484 NtAllocateVirtualMemory ... 152764416, 2097152, ) == 0x0 02508 484 NtAllocateVirtualMemory (-1, 154853376, 0, 8192, 4096, 4, ... 154853376, 8192, ) == 0x0 02509 484 NtProtectVirtualMemory (-1, (0x93ae000), 4096, 260, ... (0x93ae000), 4096, 4, ) == 0x0 02510 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 680, {480, 1272}, ) == 0x0 02511 484 NtQueryInformationThread (680, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=480,Tid=1272,}, 0x0, ) == 0x0 02512 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1657, 0} (24, {28, 56, new_msg, 0, 480, 484, 1657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\340\1\0\0\370\4\0\0" ... {28, 56, reply, 0, 480, 484, 1658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\340\1\0\0\370\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1658, 0} (24, {28, 56, new_msg, 0, 480, 484, 1657, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\340\1\0\0\370\4\0\0" ... {28, 56, reply, 0, 480, 484, 1658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\250\2\0\0\340\1\0\0\370\4\0\0" ) ) == 0x0 02513 484 NtResumeThread (680, ... 1, ) == 0x0 02514 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 154861568, 2097152, ) == 0x0 02515 484 NtAllocateVirtualMemory (-1, 156950528, 0, 8192, 4096, 4, ... 156950528, 8192, ) == 0x0 02516 1272 NtWaitForSingleObject (36, 0, 0x0, ... 02517 484 NtProtectVirtualMemory (-1, (0x95ae000), 4096, 260, ... (0x95ae000), 4096, 4, ) == 0x0 02518 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 684, {480, 1296}, ) == 0x0 02519 484 NtQueryInformationThread (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=480,Tid=1296,}, 0x0, ) == 0x0 02520 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1658, 0} (24, {28, 56, new_msg, 0, 480, 484, 1658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\2\0\0\340\1\0\0\20\5\0\0" ... {28, 56, reply, 0, 480, 484, 1659, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\2\0\0\340\1\0\0\20\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1659, 0} (24, {28, 56, new_msg, 0, 480, 484, 1658, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\2\0\0\340\1\0\0\20\5\0\0" ... {28, 56, reply, 0, 480, 484, 1659, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\254\2\0\0\340\1\0\0\20\5\0\0" ) ) == 0x0 02521 484 NtResumeThread (684, ... 1, ) == 0x0 02522 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02523 1296 NtWaitForSingleObject (36, 0, 0x0, ... 02522 484 NtAllocateVirtualMemory ... 
156958720, 2097152, ) == 0x0 02524 484 NtAllocateVirtualMemory (-1, 159047680, 0, 8192, 4096, 4, ... 159047680, 8192, ) == 0x0 02525 484 NtProtectVirtualMemory (-1, (0x97ae000), 4096, 260, ... (0x97ae000), 4096, 4, ) == 0x0 02526 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 688, {480, 1308}, ) == 0x0 02527 484 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=480,Tid=1308,}, 0x0, ) == 0x0 02528 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1659, 0} (24, {28, 56, new_msg, 0, 480, 484, 1659, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\340\1\0\0\34\5\0\0" ... {28, 56, reply, 0, 480, 484, 1660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\340\1\0\0\34\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1660, 0} (24, {28, 56, new_msg, 0, 480, 484, 1659, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\340\1\0\0\34\5\0\0" ... {28, 56, reply, 0, 480, 484, 1660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\2\0\0\340\1\0\0\34\5\0\0" ) ) == 0x0 02529 484 NtResumeThread (688, ... 1, ) == 0x0 02530 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 159055872, 2097152, ) == 0x0 02531 484 NtAllocateVirtualMemory (-1, 161144832, 0, 8192, 4096, 4, ... 161144832, 8192, ) == 0x0 02532 1308 NtWaitForSingleObject (36, 0, 0x0, ... 02533 484 NtProtectVirtualMemory (-1, (0x99ae000), 4096, 260, ... (0x99ae000), 4096, 4, ) == 0x0 02534 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 692, {480, 1316}, ) == 0x0 02535 484 NtQueryInformationThread (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=480,Tid=1316,}, 0x0, ) == 0x0 02536 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1660, 0} (24, {28, 56, new_msg, 0, 480, 484, 1660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\340\1\0\0$\5\0\0" ... {28, 56, reply, 0, 480, 484, 1661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\340\1\0\0$\5\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1661, 0} (24, {28, 56, new_msg, 0, 480, 484, 1660, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\340\1\0\0$\5\0\0" ... {28, 56, reply, 0, 480, 484, 1661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\2\0\0\340\1\0\0$\5\0\0" ) ) == 0x0 02537 484 NtResumeThread (692, ... 1, ) == 0x0 02538 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02539 1316 NtWaitForSingleObject (36, 0, 0x0, ... 02538 484 NtAllocateVirtualMemory ... 161153024, 2097152, ) == 0x0 02540 484 NtAllocateVirtualMemory (-1, 163241984, 0, 8192, 4096, 4, ... 163241984, 8192, ) == 0x0 02541 484 NtProtectVirtualMemory (-1, (0x9bae000), 4096, 260, ... (0x9bae000), 4096, 4, ) == 0x0 02542 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 696, {480, 1332}, ) == 0x0 02543 484 NtQueryInformationThread (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=480,Tid=1332,}, 0x0, ) == 0x0 02544 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1661, 0} (24, {28, 56, new_msg, 0, 480, 484, 1661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\340\1\0\04\5\0\0" ... {28, 56, reply, 0, 480, 484, 1662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\340\1\0\04\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1662, 0} (24, {28, 56, new_msg, 0, 480, 484, 1661, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\340\1\0\04\5\0\0" ... {28, 56, reply, 0, 480, 484, 1662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\270\2\0\0\340\1\0\04\5\0\0" ) ) == 0x0 02545 484 NtResumeThread (696, ... 1, ) == 0x0 02546 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 163250176, 2097152, ) == 0x0 02547 484 NtAllocateVirtualMemory (-1, 165339136, 0, 8192, 4096, 4, ... 165339136, 8192, ) == 0x0 02548 1332 NtWaitForSingleObject (36, 0, 0x0, ... 02549 484 NtProtectVirtualMemory (-1, (0x9dae000), 4096, 260, ... (0x9dae000), 4096, 4, ) == 0x0 02550 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 700, {480, 1336}, ) == 0x0 02551 484 NtQueryInformationThread (700, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=480,Tid=1336,}, 0x0, ) == 0x0 02552 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1662, 0} (24, {28, 56, new_msg, 0, 480, 484, 1662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\340\1\0\08\5\0\0" ... {28, 56, reply, 0, 480, 484, 1663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\340\1\0\08\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1663, 0} (24, {28, 56, new_msg, 0, 480, 484, 1662, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\340\1\0\08\5\0\0" ... {28, 56, reply, 0, 480, 484, 1663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\2\0\0\340\1\0\08\5\0\0" ) ) == 0x0 02553 484 NtResumeThread (700, ... 1, ) == 0x0 02554 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02555 1336 NtWaitForSingleObject (36, 0, 0x0, ... 02554 484 NtAllocateVirtualMemory ... 165347328, 2097152, ) == 0x0 02556 484 NtAllocateVirtualMemory (-1, 167436288, 0, 8192, 4096, 4, ... 167436288, 8192, ) == 0x0 02557 484 NtProtectVirtualMemory (-1, (0x9fae000), 4096, 260, ... (0x9fae000), 4096, 4, ) == 0x0 02558 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 704, {480, 1340}, ) == 0x0 02559 484 NtQueryInformationThread (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=480,Tid=1340,}, 0x0, ) == 0x0 02560 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1663, 0} (24, {28, 56, new_msg, 0, 480, 484, 1663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\340\1\0\0<\5\0\0" ... {28, 56, reply, 0, 480, 484, 1664, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\340\1\0\0<\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1664, 0} (24, {28, 56, new_msg, 0, 480, 484, 1663, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\340\1\0\0<\5\0\0" ... {28, 56, reply, 0, 480, 484, 1664, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0\340\1\0\0<\5\0\0" ) ) == 0x0 02561 484 NtResumeThread (704, ... 1, ) == 0x0 02562 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
167444480, 2097152, ) == 0x0 02563 484 NtAllocateVirtualMemory (-1, 169533440, 0, 8192, 4096, 4, ... 169533440, 8192, ) == 0x0 02564 1340 NtWaitForSingleObject (36, 0, 0x0, ... 02565 484 NtProtectVirtualMemory (-1, (0xa1ae000), 4096, 260, ... (0xa1ae000), 4096, 4, ) == 0x0 02566 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 708, {480, 1328}, ) == 0x0 02567 484 NtQueryInformationThread (708, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=480,Tid=1328,}, 0x0, ) == 0x0 02568 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1664, 0} (24, {28, 56, new_msg, 0, 480, 484, 1664, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\2\0\0\340\1\0\00\5\0\0" ... {28, 56, reply, 0, 480, 484, 1665, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\2\0\0\340\1\0\00\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1665, 0} (24, {28, 56, new_msg, 0, 480, 484, 1664, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\2\0\0\340\1\0\00\5\0\0" ... {28, 56, reply, 0, 480, 484, 1665, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\2\0\0\340\1\0\00\5\0\0" ) ) == 0x0 02569 484 NtResumeThread (708, ... 1, ) == 0x0 02570 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02571 1328 NtWaitForSingleObject (36, 0, 0x0, ... 02570 484 NtAllocateVirtualMemory ... 169541632, 2097152, ) == 0x0 02572 484 NtAllocateVirtualMemory (-1, 171630592, 0, 8192, 4096, 4, ... 171630592, 8192, ) == 0x0 02573 484 NtProtectVirtualMemory (-1, (0xa3ae000), 4096, 260, ... (0xa3ae000), 4096, 4, ) == 0x0 02574 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 712, {480, 1312}, ) == 0x0 02575 484 NtQueryInformationThread (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=480,Tid=1312,}, 0x0, ) == 0x0 02576 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1665, 0} (24, {28, 56, new_msg, 0, 480, 484, 1665, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\340\1\0\0 \5\0\0" ... {28, 56, reply, 0, 480, 484, 1666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\340\1\0\0 \5\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1666, 0} (24, {28, 56, new_msg, 0, 480, 484, 1665, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\340\1\0\0 \5\0\0" ... {28, 56, reply, 0, 480, 484, 1666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\2\0\0\340\1\0\0 \5\0\0" ) ) == 0x0 02577 484 NtResumeThread (712, ... 1, ) == 0x0 02578 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 171638784, 2097152, ) == 0x0 02579 484 NtAllocateVirtualMemory (-1, 173727744, 0, 8192, 4096, 4, ... 173727744, 8192, ) == 0x0 02580 1312 NtWaitForSingleObject (36, 0, 0x0, ... 02581 484 NtProtectVirtualMemory (-1, (0xa5ae000), 4096, 260, ... (0xa5ae000), 4096, 4, ) == 0x0 02582 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 716, {480, 1348}, ) == 0x0 02583 484 NtQueryInformationThread (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=480,Tid=1348,}, 0x0, ) == 0x0 02584 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1666, 0} (24, {28, 56, new_msg, 0, 480, 484, 1666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\340\1\0\0D\5\0\0" ... {28, 56, reply, 0, 480, 484, 1667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\340\1\0\0D\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1667, 0} (24, {28, 56, new_msg, 0, 480, 484, 1666, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\340\1\0\0D\5\0\0" ... {28, 56, reply, 0, 480, 484, 1667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\314\2\0\0\340\1\0\0D\5\0\0" ) ) == 0x0 02585 484 NtResumeThread (716, ... 1, ) == 0x0 02586 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02587 1348 NtWaitForSingleObject (36, 0, 0x0, ... 02586 484 NtAllocateVirtualMemory ... 173735936, 2097152, ) == 0x0 02588 484 NtAllocateVirtualMemory (-1, 175824896, 0, 8192, 4096, 4, ... 175824896, 8192, ) == 0x0 02589 484 NtProtectVirtualMemory (-1, (0xa7ae000), 4096, 260, ... (0xa7ae000), 4096, 4, ) == 0x0 02590 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 720, {480, 1324}, ) == 0x0 02591 484 NtQueryInformationThread (720, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=480,Tid=1324,}, 0x0, ) == 0x0 02592 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1667, 0} (24, {28, 56, new_msg, 0, 480, 484, 1667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\340\1\0\0,\5\0\0" ... {28, 56, reply, 0, 480, 484, 1668, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\340\1\0\0,\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1668, 0} (24, {28, 56, new_msg, 0, 480, 484, 1667, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\340\1\0\0,\5\0\0" ... {28, 56, reply, 0, 480, 484, 1668, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\2\0\0\340\1\0\0,\5\0\0" ) ) == 0x0 02593 484 NtResumeThread (720, ... 1, ) == 0x0 02594 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 175833088, 2097152, ) == 0x0 02595 484 NtAllocateVirtualMemory (-1, 177922048, 0, 8192, 4096, 4, ... 177922048, 8192, ) == 0x0 02596 1324 NtWaitForSingleObject (36, 0, 0x0, ... 02597 484 NtProtectVirtualMemory (-1, (0xa9ae000), 4096, 260, ... (0xa9ae000), 4096, 4, ) == 0x0 02598 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 724, {480, 1352}, ) == 0x0 02599 484 NtQueryInformationThread (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=480,Tid=1352,}, 0x0, ) == 0x0 02600 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1668, 0} (24, {28, 56, new_msg, 0, 480, 484, 1668, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\340\1\0\0H\5\0\0" ... {28, 56, reply, 0, 480, 484, 1669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\340\1\0\0H\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1669, 0} (24, {28, 56, new_msg, 0, 480, 484, 1668, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\340\1\0\0H\5\0\0" ... {28, 56, reply, 0, 480, 484, 1669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\2\0\0\340\1\0\0H\5\0\0" ) ) == 0x0 02601 484 NtResumeThread (724, ... 1, ) == 0x0 02602 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02603 1352 NtWaitForSingleObject (36, 0, 0x0, ... 02602 484 NtAllocateVirtualMemory ... 
177930240, 2097152, ) == 0x0 02604 484 NtAllocateVirtualMemory (-1, 180019200, 0, 8192, 4096, 4, ... 180019200, 8192, ) == 0x0 02605 484 NtProtectVirtualMemory (-1, (0xabae000), 4096, 260, ... (0xabae000), 4096, 4, ) == 0x0 02606 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 728, {480, 1156}, ) == 0x0 02607 484 NtQueryInformationThread (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=480,Tid=1156,}, 0x0, ) == 0x0 02608 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1669, 0} (24, {28, 56, new_msg, 0, 480, 484, 1669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\340\1\0\0\204\4\0\0" ... {28, 56, reply, 0, 480, 484, 1670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\340\1\0\0\204\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1670, 0} (24, {28, 56, new_msg, 0, 480, 484, 1669, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\340\1\0\0\204\4\0\0" ... {28, 56, reply, 0, 480, 484, 1670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\2\0\0\340\1\0\0\204\4\0\0" ) ) == 0x0 02609 484 NtResumeThread (728, ... 1, ) == 0x0 02610 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 180027392, 2097152, ) == 0x0 02611 484 NtAllocateVirtualMemory (-1, 182116352, 0, 8192, 4096, 4, ... 182116352, 8192, ) == 0x0 02612 1156 NtWaitForSingleObject (36, 0, 0x0, ... 02613 484 NtProtectVirtualMemory (-1, (0xadae000), 4096, 260, ... (0xadae000), 4096, 4, ) == 0x0 02614 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 732, {480, 1440}, ) == 0x0 02615 484 NtQueryInformationThread (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=480,Tid=1440,}, 0x0, ) == 0x0 02616 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1670, 0} (24, {28, 56, new_msg, 0, 480, 484, 1670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\340\1\0\0\240\5\0\0" ... {28, 56, reply, 0, 480, 484, 1671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\340\1\0\0\240\5\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1671, 0} (24, {28, 56, new_msg, 0, 480, 484, 1670, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\340\1\0\0\240\5\0\0" ... {28, 56, reply, 0, 480, 484, 1671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\2\0\0\340\1\0\0\240\5\0\0" ) ) == 0x0 02617 484 NtResumeThread (732, ... 1, ) == 0x0 02618 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02619 1440 NtWaitForSingleObject (36, 0, 0x0, ... 02618 484 NtAllocateVirtualMemory ... 182124544, 2097152, ) == 0x0 02620 484 NtAllocateVirtualMemory (-1, 184213504, 0, 8192, 4096, 4, ... 184213504, 8192, ) == 0x0 02621 484 NtProtectVirtualMemory (-1, (0xafae000), 4096, 260, ... (0xafae000), 4096, 4, ) == 0x0 02622 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 736, {480, 1464}, ) == 0x0 02623 484 NtQueryInformationThread (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=480,Tid=1464,}, 0x0, ) == 0x0 02624 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1671, 0} (24, {28, 56, new_msg, 0, 480, 484, 1671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\2\0\0\340\1\0\0\270\5\0\0" ... {28, 56, reply, 0, 480, 484, 1672, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\2\0\0\340\1\0\0\270\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1672, 0} (24, {28, 56, new_msg, 0, 480, 484, 1671, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\2\0\0\340\1\0\0\270\5\0\0" ... {28, 56, reply, 0, 480, 484, 1672, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\340\2\0\0\340\1\0\0\270\5\0\0" ) ) == 0x0 02625 484 NtResumeThread (736, ... 1, ) == 0x0 02626 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 184221696, 2097152, ) == 0x0 02627 484 NtAllocateVirtualMemory (-1, 186310656, 0, 8192, 4096, 4, ... 186310656, 8192, ) == 0x0 02628 1464 NtWaitForSingleObject (36, 0, 0x0, ... 02629 484 NtProtectVirtualMemory (-1, (0xb1ae000), 4096, 260, ... (0xb1ae000), 4096, 4, ) == 0x0 02630 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
740, {480, 1220}, ) == 0x0 02631 484 NtQueryInformationThread (740, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=480,Tid=1220,}, 0x0, ) == 0x0 02632 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1672, 0} (24, {28, 56, new_msg, 0, 480, 484, 1672, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\2\0\0\340\1\0\0\304\4\0\0" ... {28, 56, reply, 0, 480, 484, 1673, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\2\0\0\340\1\0\0\304\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1673, 0} (24, {28, 56, new_msg, 0, 480, 484, 1672, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\2\0\0\340\1\0\0\304\4\0\0" ... {28, 56, reply, 0, 480, 484, 1673, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\2\0\0\340\1\0\0\304\4\0\0" ) ) == 0x0 02633 484 NtResumeThread (740, ... 1, ) == 0x0 02634 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02635 1220 NtWaitForSingleObject (36, 0, 0x0, ... 02634 484 NtAllocateVirtualMemory ... 186318848, 2097152, ) == 0x0 02636 484 NtAllocateVirtualMemory (-1, 188407808, 0, 8192, 4096, 4, ... 188407808, 8192, ) == 0x0 02637 484 NtProtectVirtualMemory (-1, (0xb3ae000), 4096, 260, ... (0xb3ae000), 4096, 4, ) == 0x0 02638 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 744, {480, 1468}, ) == 0x0 02639 484 NtQueryInformationThread (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=480,Tid=1468,}, 0x0, ) == 0x0 02640 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1673, 0} (24, {28, 56, new_msg, 0, 480, 484, 1673, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\2\0\0\340\1\0\0\274\5\0\0" ... {28, 56, reply, 0, 480, 484, 1674, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\2\0\0\340\1\0\0\274\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1674, 0} (24, {28, 56, new_msg, 0, 480, 484, 1673, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\2\0\0\340\1\0\0\274\5\0\0" ... {28, 56, reply, 0, 480, 484, 1674, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\350\2\0\0\340\1\0\0\274\5\0\0" ) ) == 0x0 02641 484 NtResumeThread (744, ... 
1, ) == 0x0 02642 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 188416000, 2097152, ) == 0x0 02643 484 NtAllocateVirtualMemory (-1, 190504960, 0, 8192, 4096, 4, ... 190504960, 8192, ) == 0x0 02644 1468 NtWaitForSingleObject (36, 0, 0x0, ... 02645 484 NtProtectVirtualMemory (-1, (0xb5ae000), 4096, 260, ... (0xb5ae000), 4096, 4, ) == 0x0 02646 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 748, {480, 1472}, ) == 0x0 02647 484 NtQueryInformationThread (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=480,Tid=1472,}, 0x0, ) == 0x0 02648 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1674, 0} (24, {28, 56, new_msg, 0, 480, 484, 1674, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\2\0\0\340\1\0\0\300\5\0\0" ... {28, 56, reply, 0, 480, 484, 1675, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\2\0\0\340\1\0\0\300\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1675, 0} (24, {28, 56, new_msg, 0, 480, 484, 1674, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\2\0\0\340\1\0\0\300\5\0\0" ... {28, 56, reply, 0, 480, 484, 1675, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\2\0\0\340\1\0\0\300\5\0\0" ) ) == 0x0 02649 484 NtResumeThread (748, ... 1, ) == 0x0 02650 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02651 1472 NtWaitForSingleObject (36, 0, 0x0, ... 02650 484 NtAllocateVirtualMemory ... 190513152, 2097152, ) == 0x0 02652 484 NtAllocateVirtualMemory (-1, 192602112, 0, 8192, 4096, 4, ... 192602112, 8192, ) == 0x0 02653 484 NtProtectVirtualMemory (-1, (0xb7ae000), 4096, 260, ... (0xb7ae000), 4096, 4, ) == 0x0 02654 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 752, {480, 1476}, ) == 0x0 02655 484 NtQueryInformationThread (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=480,Tid=1476,}, 0x0, ) == 0x0 02656 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1675, 0} (24, {28, 56, new_msg, 0, 480, 484, 1675, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\340\1\0\0\304\5\0\0" ... 
{28, 56, reply, 0, 480, 484, 1676, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\340\1\0\0\304\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1676, 0} (24, {28, 56, new_msg, 0, 480, 484, 1675, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\340\1\0\0\304\5\0\0" ... {28, 56, reply, 0, 480, 484, 1676, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0\340\1\0\0\304\5\0\0" ) ) == 0x0 02657 484 NtResumeThread (752, ... 1, ) == 0x0 02658 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 192610304, 2097152, ) == 0x0 02659 484 NtAllocateVirtualMemory (-1, 194699264, 0, 8192, 4096, 4, ... 194699264, 8192, ) == 0x0 02660 1476 NtWaitForSingleObject (36, 0, 0x0, ... 02661 484 NtProtectVirtualMemory (-1, (0xb9ae000), 4096, 260, ... (0xb9ae000), 4096, 4, ) == 0x0 02662 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 756, {480, 1480}, ) == 0x0 02663 484 NtQueryInformationThread (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=480,Tid=1480,}, 0x0, ) == 0x0 02664 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1676, 0} (24, {28, 56, new_msg, 0, 480, 484, 1676, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\340\1\0\0\310\5\0\0" ... {28, 56, reply, 0, 480, 484, 1677, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\340\1\0\0\310\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1677, 0} (24, {28, 56, new_msg, 0, 480, 484, 1676, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\340\1\0\0\310\5\0\0" ... {28, 56, reply, 0, 480, 484, 1677, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\364\2\0\0\340\1\0\0\310\5\0\0" ) ) == 0x0 02665 484 NtResumeThread (756, ... 1, ) == 0x0 02666 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02667 1480 NtWaitForSingleObject (36, 0, 0x0, ... 02666 484 NtAllocateVirtualMemory ... 194707456, 2097152, ) == 0x0 02668 484 NtAllocateVirtualMemory (-1, 196796416, 0, 8192, 4096, 4, ... 196796416, 8192, ) == 0x0 02669 484 NtProtectVirtualMemory (-1, (0xbbae000), 4096, 260, ... 
(0xbbae000), 4096, 4, ) == 0x0 02670 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 760, {480, 1484}, ) == 0x0 02671 484 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=480,Tid=1484,}, 0x0, ) == 0x0 02672 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1677, 0} (24, {28, 56, new_msg, 0, 480, 484, 1677, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\340\1\0\0\314\5\0\0" ... {28, 56, reply, 0, 480, 484, 1678, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\340\1\0\0\314\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1678, 0} (24, {28, 56, new_msg, 0, 480, 484, 1677, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\340\1\0\0\314\5\0\0" ... {28, 56, reply, 0, 480, 484, 1678, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0\340\1\0\0\314\5\0\0" ) ) == 0x0 02673 484 NtResumeThread (760, ... 1, ) == 0x0 02674 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 196804608, 2097152, ) == 0x0 02675 484 NtAllocateVirtualMemory (-1, 198893568, 0, 8192, 4096, 4, ... 198893568, 8192, ) == 0x0 02676 1484 NtWaitForSingleObject (36, 0, 0x0, ... 02677 484 NtProtectVirtualMemory (-1, (0xbdae000), 4096, 260, ... (0xbdae000), 4096, 4, ) == 0x0 02678 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 764, {480, 1356}, ) == 0x0 02679 484 NtQueryInformationThread (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=480,Tid=1356,}, 0x0, ) == 0x0 02680 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1678, 0} (24, {28, 56, new_msg, 0, 480, 484, 1678, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\340\1\0\0L\5\0\0" ... {28, 56, reply, 0, 480, 484, 1679, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\340\1\0\0L\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1679, 0} (24, {28, 56, new_msg, 0, 480, 484, 1678, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\340\1\0\0L\5\0\0" ... 
{28, 56, reply, 0, 480, 484, 1679, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\2\0\0\340\1\0\0L\5\0\0" ) ) == 0x0 02681 484 NtResumeThread (764, ... 1, ) == 0x0 02682 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02683 1356 NtWaitForSingleObject (36, 0, 0x0, ... 02682 484 NtAllocateVirtualMemory ... 198901760, 2097152, ) == 0x0 02684 484 NtAllocateVirtualMemory (-1, 200990720, 0, 8192, 4096, 4, ... 200990720, 8192, ) == 0x0 02685 484 NtProtectVirtualMemory (-1, (0xbfae000), 4096, 260, ... (0xbfae000), 4096, 4, ) == 0x0 02686 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 768, {480, 1492}, ) == 0x0 02687 484 NtQueryInformationThread (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=480,Tid=1492,}, 0x0, ) == 0x0 02688 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1679, 0} (24, {28, 56, new_msg, 0, 480, 484, 1679, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\340\1\0\0\324\5\0\0" ... {28, 56, reply, 0, 480, 484, 1680, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\340\1\0\0\324\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1680, 0} (24, {28, 56, new_msg, 0, 480, 484, 1679, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\340\1\0\0\324\5\0\0" ... {28, 56, reply, 0, 480, 484, 1680, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\3\0\0\340\1\0\0\324\5\0\0" ) ) == 0x0 02689 484 NtResumeThread (768, ... 1, ) == 0x0 02690 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 200998912, 2097152, ) == 0x0 02691 484 NtAllocateVirtualMemory (-1, 203087872, 0, 8192, 4096, 4, ... 203087872, 8192, ) == 0x0 02692 1492 NtWaitForSingleObject (36, 0, 0x0, ... 02693 484 NtProtectVirtualMemory (-1, (0xc1ae000), 4096, 260, ... (0xc1ae000), 4096, 4, ) == 0x0 02694 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 772, {480, 780}, ) == 0x0 02695 484 NtQueryInformationThread (772, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=480,Tid=780,}, 0x0, ) == 0x0 02696 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1680, 0} (24, {28, 56, new_msg, 0, 480, 484, 1680, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\3\0\0\340\1\0\0\14\3\0\0" ... {28, 56, reply, 0, 480, 484, 1681, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\3\0\0\340\1\0\0\14\3\0\0" ) ... {28, 56, reply, 0, 480, 484, 1681, 0} (24, {28, 56, new_msg, 0, 480, 484, 1680, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\3\0\0\340\1\0\0\14\3\0\0" ... {28, 56, reply, 0, 480, 484, 1681, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\3\0\0\340\1\0\0\14\3\0\0" ) ) == 0x0 02697 484 NtResumeThread (772, ... 1, ) == 0x0 02698 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02699 780 NtWaitForSingleObject (36, 0, 0x0, ... 02698 484 NtAllocateVirtualMemory ... 203096064, 2097152, ) == 0x0 02700 484 NtAllocateVirtualMemory (-1, 205185024, 0, 8192, 4096, 4, ... 205185024, 8192, ) == 0x0 02701 484 NtProtectVirtualMemory (-1, (0xc3ae000), 4096, 260, ... (0xc3ae000), 4096, 4, ) == 0x0 02702 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 776, {480, 1500}, ) == 0x0 02703 484 NtQueryInformationThread (776, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=480,Tid=1500,}, 0x0, ) == 0x0 02704 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1681, 0} (24, {28, 56, new_msg, 0, 480, 484, 1681, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\340\1\0\0\334\5\0\0" ... {28, 56, reply, 0, 480, 484, 1682, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\340\1\0\0\334\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1682, 0} (24, {28, 56, new_msg, 0, 480, 484, 1681, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\340\1\0\0\334\5\0\0" ... {28, 56, reply, 0, 480, 484, 1682, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\3\0\0\340\1\0\0\334\5\0\0" ) ) == 0x0 02705 484 NtResumeThread (776, ... 1, ) == 0x0 02706 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
205193216, 2097152, ) == 0x0 02707 484 NtAllocateVirtualMemory (-1, 207282176, 0, 8192, 4096, 4, ... 207282176, 8192, ) == 0x0 02708 1500 NtWaitForSingleObject (36, 0, 0x0, ... 02709 484 NtProtectVirtualMemory (-1, (0xc5ae000), 4096, 260, ... (0xc5ae000), 4096, 4, ) == 0x0 02710 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 780, {480, 1504}, ) == 0x0 02711 484 NtQueryInformationThread (780, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=480,Tid=1504,}, 0x0, ) == 0x0 02712 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1682, 0} (24, {28, 56, new_msg, 0, 480, 484, 1682, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\340\1\0\0\340\5\0\0" ... {28, 56, reply, 0, 480, 484, 1683, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\340\1\0\0\340\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1683, 0} (24, {28, 56, new_msg, 0, 480, 484, 1682, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\340\1\0\0\340\5\0\0" ... {28, 56, reply, 0, 480, 484, 1683, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\3\0\0\340\1\0\0\340\5\0\0" ) ) == 0x0 02713 484 NtResumeThread (780, ... 1, ) == 0x0 02714 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02715 1504 NtWaitForSingleObject (36, 0, 0x0, ... 02714 484 NtAllocateVirtualMemory ... 207290368, 2097152, ) == 0x0 02716 484 NtAllocateVirtualMemory (-1, 209379328, 0, 8192, 4096, 4, ... 209379328, 8192, ) == 0x0 02717 484 NtProtectVirtualMemory (-1, (0xc7ae000), 4096, 260, ... (0xc7ae000), 4096, 4, ) == 0x0 02718 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 784, {480, 1508}, ) == 0x0 02719 484 NtQueryInformationThread (784, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=480,Tid=1508,}, 0x0, ) == 0x0 02720 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1683, 0} (24, {28, 56, new_msg, 0, 480, 484, 1683, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0\340\1\0\0\344\5\0\0" ... {28, 56, reply, 0, 480, 484, 1684, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0\340\1\0\0\344\5\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1684, 0} (24, {28, 56, new_msg, 0, 480, 484, 1683, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0\340\1\0\0\344\5\0\0" ... {28, 56, reply, 0, 480, 484, 1684, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0\340\1\0\0\344\5\0\0" ) ) == 0x0 02721 484 NtResumeThread (784, ... 1, ) == 0x0 02722 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 209387520, 2097152, ) == 0x0 02723 484 NtAllocateVirtualMemory (-1, 211476480, 0, 8192, 4096, 4, ... 211476480, 8192, ) == 0x0 02724 1508 NtWaitForSingleObject (36, 0, 0x0, ... 02725 484 NtProtectVirtualMemory (-1, (0xc9ae000), 4096, 260, ... (0xc9ae000), 4096, 4, ) == 0x0 02726 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 788, {480, 1512}, ) == 0x0 02727 484 NtQueryInformationThread (788, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=480,Tid=1512,}, 0x0, ) == 0x0 02728 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1684, 0} (24, {28, 56, new_msg, 0, 480, 484, 1684, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\340\1\0\0\350\5\0\0" ... {28, 56, reply, 0, 480, 484, 1685, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\340\1\0\0\350\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1685, 0} (24, {28, 56, new_msg, 0, 480, 484, 1684, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\340\1\0\0\350\5\0\0" ... {28, 56, reply, 0, 480, 484, 1685, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\3\0\0\340\1\0\0\350\5\0\0" ) ) == 0x0 02729 484 NtResumeThread (788, ... 1, ) == 0x0 02730 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02731 1512 NtWaitForSingleObject (36, 0, 0x0, ... 02730 484 NtAllocateVirtualMemory ... 211484672, 2097152, ) == 0x0 02732 484 NtAllocateVirtualMemory (-1, 213573632, 0, 8192, 4096, 4, ... 213573632, 8192, ) == 0x0 02733 484 NtProtectVirtualMemory (-1, (0xcbae000), 4096, 260, ... (0xcbae000), 4096, 4, ) == 0x0 02734 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
792, {480, 1516}, ) == 0x0 02735 484 NtQueryInformationThread (792, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=480,Tid=1516,}, 0x0, ) == 0x0 02736 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1685, 0} (24, {28, 56, new_msg, 0, 480, 484, 1685, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\3\0\0\340\1\0\0\354\5\0\0" ... {28, 56, reply, 0, 480, 484, 1686, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\3\0\0\340\1\0\0\354\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1686, 0} (24, {28, 56, new_msg, 0, 480, 484, 1685, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\3\0\0\340\1\0\0\354\5\0\0" ... {28, 56, reply, 0, 480, 484, 1686, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\3\0\0\340\1\0\0\354\5\0\0" ) ) == 0x0 02737 484 NtResumeThread (792, ... 1, ) == 0x0 02738 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 213581824, 2097152, ) == 0x0 02739 484 NtAllocateVirtualMemory (-1, 215670784, 0, 8192, 4096, 4, ... 215670784, 8192, ) == 0x0 02740 1516 NtWaitForSingleObject (36, 0, 0x0, ... 02741 484 NtProtectVirtualMemory (-1, (0xcdae000), 4096, 260, ... (0xcdae000), 4096, 4, ) == 0x0 02742 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 796, {480, 1520}, ) == 0x0 02743 484 NtQueryInformationThread (796, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=480,Tid=1520,}, 0x0, ) == 0x0 02744 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1686, 0} (24, {28, 56, new_msg, 0, 480, 484, 1686, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0\340\1\0\0\360\5\0\0" ... {28, 56, reply, 0, 480, 484, 1687, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0\340\1\0\0\360\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1687, 0} (24, {28, 56, new_msg, 0, 480, 484, 1686, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0\340\1\0\0\360\5\0\0" ... {28, 56, reply, 0, 480, 484, 1687, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0\340\1\0\0\360\5\0\0" ) ) == 0x0 02745 484 NtResumeThread (796, ... 1, ) == 0x0 02746 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02747 1520 NtWaitForSingleObject (36, 0, 0x0, ... 02746 484 NtAllocateVirtualMemory ... 215678976, 2097152, ) == 0x0 02748 484 NtAllocateVirtualMemory (-1, 217767936, 0, 8192, 4096, 4, ... 217767936, 8192, ) == 0x0 02749 484 NtProtectVirtualMemory (-1, (0xcfae000), 4096, 260, ... (0xcfae000), 4096, 4, ) == 0x0 02750 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 800, {480, 340}, ) == 0x0 02751 484 NtQueryInformationThread (800, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=480,Tid=340,}, 0x0, ) == 0x0 02752 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1687, 0} (24, {28, 56, new_msg, 0, 480, 484, 1687, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\340\1\0\0T\1\0\0" ... {28, 56, reply, 0, 480, 484, 1688, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\340\1\0\0T\1\0\0" ) ... {28, 56, reply, 0, 480, 484, 1688, 0} (24, {28, 56, new_msg, 0, 480, 484, 1687, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\340\1\0\0T\1\0\0" ... {28, 56, reply, 0, 480, 484, 1688, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0\340\1\0\0T\1\0\0" ) ) == 0x0 02753 484 NtResumeThread (800, ... 1, ) == 0x0 02754 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 217776128, 2097152, ) == 0x0 02755 484 NtAllocateVirtualMemory (-1, 219865088, 0, 8192, 4096, 4, ... 219865088, 8192, ) == 0x0 02756 340 NtWaitForSingleObject (36, 0, 0x0, ... 02757 484 NtProtectVirtualMemory (-1, (0xd1ae000), 4096, 260, ... (0xd1ae000), 4096, 4, ) == 0x0 02758 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 804, {480, 1528}, ) == 0x0 02759 484 NtQueryInformationThread (804, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=480,Tid=1528,}, 0x0, ) == 0x0 02760 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1688, 0} (24, {28, 56, new_msg, 0, 480, 484, 1688, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\340\1\0\0\370\5\0\0" ... {28, 56, reply, 0, 480, 484, 1689, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\340\1\0\0\370\5\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1689, 0} (24, {28, 56, new_msg, 0, 480, 484, 1688, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\340\1\0\0\370\5\0\0" ... {28, 56, reply, 0, 480, 484, 1689, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\3\0\0\340\1\0\0\370\5\0\0" ) ) == 0x0 02761 484 NtResumeThread (804, ... 1, ) == 0x0 02762 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02763 1528 NtWaitForSingleObject (36, 0, 0x0, ... 02762 484 NtAllocateVirtualMemory ... 219873280, 2097152, ) == 0x0 02764 484 NtAllocateVirtualMemory (-1, 221962240, 0, 8192, 4096, 4, ... 221962240, 8192, ) == 0x0 02765 484 NtProtectVirtualMemory (-1, (0xd3ae000), 4096, 260, ... (0xd3ae000), 4096, 4, ) == 0x0 02766 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 808, {480, 1532}, ) == 0x0 02767 484 NtQueryInformationThread (808, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=480,Tid=1532,}, 0x0, ) == 0x0 02768 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1689, 0} (24, {28, 56, new_msg, 0, 480, 484, 1689, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\340\1\0\0\374\5\0\0" ... {28, 56, reply, 0, 480, 484, 1690, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\340\1\0\0\374\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1690, 0} (24, {28, 56, new_msg, 0, 480, 484, 1689, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\340\1\0\0\374\5\0\0" ... {28, 56, reply, 0, 480, 484, 1690, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\3\0\0\340\1\0\0\374\5\0\0" ) ) == 0x0 02769 484 NtResumeThread (808, ... 1, ) == 0x0 02770 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 221970432, 2097152, ) == 0x0 02771 484 NtAllocateVirtualMemory (-1, 224059392, 0, 8192, 4096, 4, ... 224059392, 8192, ) == 0x0 02772 1532 NtWaitForSingleObject (36, 0, 0x0, ... 02773 484 NtProtectVirtualMemory (-1, (0xd5ae000), 4096, 260, ... (0xd5ae000), 4096, 4, ) == 0x0 02774 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 812, {480, 1448}, ) == 0x0 02775 484 NtQueryInformationThread (812, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=480,Tid=1448,}, 0x0, ) == 0x0 02776 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1690, 0} (24, {28, 56, new_msg, 0, 480, 484, 1690, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\340\1\0\0\250\5\0\0" ... {28, 56, reply, 0, 480, 484, 1691, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\340\1\0\0\250\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1691, 0} (24, {28, 56, new_msg, 0, 480, 484, 1690, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\340\1\0\0\250\5\0\0" ... {28, 56, reply, 0, 480, 484, 1691, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\3\0\0\340\1\0\0\250\5\0\0" ) ) == 0x0 02777 484 NtResumeThread (812, ... 1, ) == 0x0 02778 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02779 1448 NtWaitForSingleObject (36, 0, 0x0, ... 02778 484 NtAllocateVirtualMemory ... 224067584, 2097152, ) == 0x0 02780 484 NtAllocateVirtualMemory (-1, 226156544, 0, 8192, 4096, 4, ... 226156544, 8192, ) == 0x0 02781 484 NtProtectVirtualMemory (-1, (0xd7ae000), 4096, 260, ... (0xd7ae000), 4096, 4, ) == 0x0 02782 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 816, {480, 1552}, ) == 0x0 02783 484 NtQueryInformationThread (816, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=480,Tid=1552,}, 0x0, ) == 0x0 02784 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1691, 0} (24, {28, 56, new_msg, 0, 480, 484, 1691, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\340\1\0\0\20\6\0\0" ... {28, 56, reply, 0, 480, 484, 1692, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\340\1\0\0\20\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1692, 0} (24, {28, 56, new_msg, 0, 480, 484, 1691, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\340\1\0\0\20\6\0\0" ... {28, 56, reply, 0, 480, 484, 1692, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0\340\1\0\0\20\6\0\0" ) ) == 0x0 02785 484 NtResumeThread (816, ... 1, ) == 0x0 02786 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
226164736, 2097152, ) == 0x0 02787 484 NtAllocateVirtualMemory (-1, 228253696, 0, 8192, 4096, 4, ... 228253696, 8192, ) == 0x0 02788 1552 NtWaitForSingleObject (36, 0, 0x0, ... 02789 484 NtProtectVirtualMemory (-1, (0xd9ae000), 4096, 260, ... (0xd9ae000), 4096, 4, ) == 0x0 02790 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 820, {480, 1612}, ) == 0x0 02791 484 NtQueryInformationThread (820, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=480,Tid=1612,}, 0x0, ) == 0x0 02792 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1692, 0} (24, {28, 56, new_msg, 0, 480, 484, 1692, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\3\0\0\340\1\0\0L\6\0\0" ... {28, 56, reply, 0, 480, 484, 1693, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\3\0\0\340\1\0\0L\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1693, 0} (24, {28, 56, new_msg, 0, 480, 484, 1692, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\3\0\0\340\1\0\0L\6\0\0" ... {28, 56, reply, 0, 480, 484, 1693, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\3\0\0\340\1\0\0L\6\0\0" ) ) == 0x0 02793 484 NtResumeThread (820, ... 1, ) == 0x0 02794 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02795 1612 NtWaitForSingleObject (36, 0, 0x0, ... 02794 484 NtAllocateVirtualMemory ... 228261888, 2097152, ) == 0x0 02796 484 NtAllocateVirtualMemory (-1, 230350848, 0, 8192, 4096, 4, ... 230350848, 8192, ) == 0x0 02797 484 NtProtectVirtualMemory (-1, (0xdbae000), 4096, 260, ... (0xdbae000), 4096, 4, ) == 0x0 02798 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 824, {480, 1608}, ) == 0x0 02799 484 NtQueryInformationThread (824, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=480,Tid=1608,}, 0x0, ) == 0x0 02800 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1693, 0} (24, {28, 56, new_msg, 0, 480, 484, 1693, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\340\1\0\0H\6\0\0" ... {28, 56, reply, 0, 480, 484, 1694, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\340\1\0\0H\6\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1694, 0} (24, {28, 56, new_msg, 0, 480, 484, 1693, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\340\1\0\0H\6\0\0" ... {28, 56, reply, 0, 480, 484, 1694, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\3\0\0\340\1\0\0H\6\0\0" ) ) == 0x0 02801 484 NtResumeThread (824, ... 1, ) == 0x0 02802 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 230359040, 2097152, ) == 0x0 02803 484 NtAllocateVirtualMemory (-1, 232448000, 0, 8192, 4096, 4, ... 232448000, 8192, ) == 0x0 02804 1608 NtWaitForSingleObject (36, 0, 0x0, ... 02805 484 NtProtectVirtualMemory (-1, (0xddae000), 4096, 260, ... (0xddae000), 4096, 4, ) == 0x0 02806 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 828, {480, 1616}, ) == 0x0 02807 484 NtQueryInformationThread (828, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=480,Tid=1616,}, 0x0, ) == 0x0 02808 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1694, 0} (24, {28, 56, new_msg, 0, 480, 484, 1694, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\340\1\0\0P\6\0\0" ... {28, 56, reply, 0, 480, 484, 1695, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\340\1\0\0P\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1695, 0} (24, {28, 56, new_msg, 0, 480, 484, 1694, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\340\1\0\0P\6\0\0" ... {28, 56, reply, 0, 480, 484, 1695, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\3\0\0\340\1\0\0P\6\0\0" ) ) == 0x0 02809 484 NtResumeThread (828, ... 1, ) == 0x0 02810 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02811 1616 NtWaitForSingleObject (36, 0, 0x0, ... 02810 484 NtAllocateVirtualMemory ... 232456192, 2097152, ) == 0x0 02812 484 NtAllocateVirtualMemory (-1, 234545152, 0, 8192, 4096, 4, ... 234545152, 8192, ) == 0x0 02813 484 NtProtectVirtualMemory (-1, (0xdfae000), 4096, 260, ... (0xdfae000), 4096, 4, ) == 0x0 02814 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 832, {480, 1620}, ) == 0x0 02815 484 NtQueryInformationThread (832, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=480,Tid=1620,}, 0x0, ) == 0x0 02816 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1695, 0} (24, {28, 56, new_msg, 0, 480, 484, 1695, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0\340\1\0\0T\6\0\0" ... {28, 56, reply, 0, 480, 484, 1696, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0\340\1\0\0T\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1696, 0} (24, {28, 56, new_msg, 0, 480, 484, 1695, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0\340\1\0\0T\6\0\0" ... {28, 56, reply, 0, 480, 484, 1696, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0\340\1\0\0T\6\0\0" ) ) == 0x0 02817 484 NtResumeThread (832, ... 1, ) == 0x0 02818 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 234553344, 2097152, ) == 0x0 02819 484 NtAllocateVirtualMemory (-1, 236642304, 0, 8192, 4096, 4, ... 236642304, 8192, ) == 0x0 02820 1620 NtWaitForSingleObject (36, 0, 0x0, ... 02821 484 NtProtectVirtualMemory (-1, (0xe1ae000), 4096, 260, ... (0xe1ae000), 4096, 4, ) == 0x0 02822 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 836, {480, 1648}, ) == 0x0 02823 484 NtQueryInformationThread (836, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=480,Tid=1648,}, 0x0, ) == 0x0 02824 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1696, 0} (24, {28, 56, new_msg, 0, 480, 484, 1696, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\340\1\0\0p\6\0\0" ... {28, 56, reply, 0, 480, 484, 1697, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\340\1\0\0p\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1697, 0} (24, {28, 56, new_msg, 0, 480, 484, 1696, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\340\1\0\0p\6\0\0" ... {28, 56, reply, 0, 480, 484, 1697, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0\340\1\0\0p\6\0\0" ) ) == 0x0 02825 484 NtResumeThread (836, ... 1, ) == 0x0 02826 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02827 1648 NtWaitForSingleObject (36, 0, 0x0, ... 02826 484 NtAllocateVirtualMemory ... 
236650496, 2097152, ) == 0x0 02828 484 NtAllocateVirtualMemory (-1, 238739456, 0, 8192, 4096, 4, ... 238739456, 8192, ) == 0x0 02829 484 NtProtectVirtualMemory (-1, (0xe3ae000), 4096, 260, ... (0xe3ae000), 4096, 4, ) == 0x0 02830 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 840, {480, 1652}, ) == 0x0 02831 484 NtQueryInformationThread (840, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=480,Tid=1652,}, 0x0, ) == 0x0 02832 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1697, 0} (24, {28, 56, new_msg, 0, 480, 484, 1697, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\340\1\0\0t\6\0\0" ... {28, 56, reply, 0, 480, 484, 1698, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\340\1\0\0t\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1698, 0} (24, {28, 56, new_msg, 0, 480, 484, 1697, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\340\1\0\0t\6\0\0" ... {28, 56, reply, 0, 480, 484, 1698, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\3\0\0\340\1\0\0t\6\0\0" ) ) == 0x0 02833 484 NtResumeThread (840, ... 1, ) == 0x0 02834 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 238747648, 2097152, ) == 0x0 02835 484 NtAllocateVirtualMemory (-1, 240836608, 0, 8192, 4096, 4, ... 240836608, 8192, ) == 0x0 02836 1652 NtWaitForSingleObject (36, 0, 0x0, ... 02837 484 NtProtectVirtualMemory (-1, (0xe5ae000), 4096, 260, ... (0xe5ae000), 4096, 4, ) == 0x0 02838 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 844, {480, 1656}, ) == 0x0 02839 484 NtQueryInformationThread (844, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=480,Tid=1656,}, 0x0, ) == 0x0 02840 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1698, 0} (24, {28, 56, new_msg, 0, 480, 484, 1698, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\340\1\0\0x\6\0\0" ... {28, 56, reply, 0, 480, 484, 1699, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\340\1\0\0x\6\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1699, 0} (24, {28, 56, new_msg, 0, 480, 484, 1698, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\340\1\0\0x\6\0\0" ... {28, 56, reply, 0, 480, 484, 1699, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOL\3\0\0\340\1\0\0x\6\0\0" ) ) == 0x0 02841 484 NtResumeThread (844, ... 1, ) == 0x0 02842 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02843 1656 NtWaitForSingleObject (36, 0, 0x0, ... 02842 484 NtAllocateVirtualMemory ... 240844800, 2097152, ) == 0x0 02844 484 NtAllocateVirtualMemory (-1, 242933760, 0, 8192, 4096, 4, ... 242933760, 8192, ) == 0x0 02845 484 NtProtectVirtualMemory (-1, (0xe7ae000), 4096, 260, ... (0xe7ae000), 4096, 4, ) == 0x0 02846 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 848, {480, 1660}, ) == 0x0 02847 484 NtQueryInformationThread (848, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=480,Tid=1660,}, 0x0, ) == 0x0 02848 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1699, 0} (24, {28, 56, new_msg, 0, 480, 484, 1699, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\3\0\0\340\1\0\0|\6\0\0" ... {28, 56, reply, 0, 480, 484, 1700, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\3\0\0\340\1\0\0|\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1700, 0} (24, {28, 56, new_msg, 0, 480, 484, 1699, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\3\0\0\340\1\0\0|\6\0\0" ... {28, 56, reply, 0, 480, 484, 1700, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOP\3\0\0\340\1\0\0|\6\0\0" ) ) == 0x0 02849 484 NtResumeThread (848, ... 1, ) == 0x0 02850 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 242941952, 2097152, ) == 0x0 02851 484 NtAllocateVirtualMemory (-1, 245030912, 0, 8192, 4096, 4, ... 245030912, 8192, ) == 0x0 02852 1660 NtWaitForSingleObject (36, 0, 0x0, ... 02853 484 NtProtectVirtualMemory (-1, (0xe9ae000), 4096, 260, ... (0xe9ae000), 4096, 4, ) == 0x0 02854 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 852, {480, 1680}, ) == 0x0 02855 484 NtQueryInformationThread (852, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=480,Tid=1680,}, 0x0, ) == 0x0 02856 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1700, 0} (24, {28, 56, new_msg, 0, 480, 484, 1700, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\340\1\0\0\220\6\0\0" ... {28, 56, reply, 0, 480, 484, 1701, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\340\1\0\0\220\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1701, 0} (24, {28, 56, new_msg, 0, 480, 484, 1700, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\340\1\0\0\220\6\0\0" ... {28, 56, reply, 0, 480, 484, 1701, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOT\3\0\0\340\1\0\0\220\6\0\0" ) ) == 0x0 02857 484 NtResumeThread (852, ... 1, ) == 0x0 02858 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02859 1680 NtWaitForSingleObject (36, 0, 0x0, ... 02858 484 NtAllocateVirtualMemory ... 245039104, 2097152, ) == 0x0 02860 484 NtAllocateVirtualMemory (-1, 247128064, 0, 8192, 4096, 4, ... 247128064, 8192, ) == 0x0 02861 484 NtProtectVirtualMemory (-1, (0xebae000), 4096, 260, ... (0xebae000), 4096, 4, ) == 0x0 02862 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 856, {480, 1588}, ) == 0x0 02863 484 NtQueryInformationThread (856, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=480,Tid=1588,}, 0x0, ) == 0x0 02864 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1701, 0} (24, {28, 56, new_msg, 0, 480, 484, 1701, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\3\0\0\340\1\0\04\6\0\0" ... {28, 56, reply, 0, 480, 484, 1702, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\3\0\0\340\1\0\04\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1702, 0} (24, {28, 56, new_msg, 0, 480, 484, 1701, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\3\0\0\340\1\0\04\6\0\0" ... {28, 56, reply, 0, 480, 484, 1702, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOX\3\0\0\340\1\0\04\6\0\0" ) ) == 0x0 02865 484 NtResumeThread (856, ... 1, ) == 0x0 02866 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
247136256, 2097152, ) == 0x0 02867 484 NtAllocateVirtualMemory (-1, 249225216, 0, 8192, 4096, 4, ... 249225216, 8192, ) == 0x0 02868 1588 NtWaitForSingleObject (36, 0, 0x0, ... 02869 484 NtProtectVirtualMemory (-1, (0xedae000), 4096, 260, ... (0xedae000), 4096, 4, ) == 0x0 02870 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 860, {480, 1624}, ) == 0x0 02871 484 NtQueryInformationThread (860, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=480,Tid=1624,}, 0x0, ) == 0x0 02872 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1702, 0} (24, {28, 56, new_msg, 0, 480, 484, 1702, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\340\1\0\0X\6\0\0" ... {28, 56, reply, 0, 480, 484, 1703, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\340\1\0\0X\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1703, 0} (24, {28, 56, new_msg, 0, 480, 484, 1702, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\340\1\0\0X\6\0\0" ... {28, 56, reply, 0, 480, 484, 1703, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\3\0\0\340\1\0\0X\6\0\0" ) ) == 0x0 02873 484 NtResumeThread (860, ... 1, ) == 0x0 02874 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02875 1624 NtWaitForSingleObject (36, 0, 0x0, ... 02874 484 NtAllocateVirtualMemory ... 249233408, 2097152, ) == 0x0 02876 484 NtAllocateVirtualMemory (-1, 251322368, 0, 8192, 4096, 4, ... 251322368, 8192, ) == 0x0 02877 484 NtProtectVirtualMemory (-1, (0xefae000), 4096, 260, ... (0xefae000), 4096, 4, ) == 0x0 02878 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 864, {480, 1576}, ) == 0x0 02879 484 NtQueryInformationThread (864, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=480,Tid=1576,}, 0x0, ) == 0x0 02880 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1703, 0} (24, {28, 56, new_msg, 0, 480, 484, 1703, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\3\0\0\340\1\0\0(\6\0\0" ... {28, 56, reply, 0, 480, 484, 1704, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\3\0\0\340\1\0\0(\6\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1704, 0} (24, {28, 56, new_msg, 0, 480, 484, 1703, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\3\0\0\340\1\0\0(\6\0\0" ... {28, 56, reply, 0, 480, 484, 1704, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\3\0\0\340\1\0\0(\6\0\0" ) ) == 0x0 02881 484 NtResumeThread (864, ... 1, ) == 0x0 02882 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 251330560, 2097152, ) == 0x0 02883 484 NtAllocateVirtualMemory (-1, 253419520, 0, 8192, 4096, 4, ... 253419520, 8192, ) == 0x0 02884 1576 NtWaitForSingleObject (36, 0, 0x0, ... 02885 484 NtProtectVirtualMemory (-1, (0xf1ae000), 4096, 260, ... (0xf1ae000), 4096, 4, ) == 0x0 02886 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 868, {480, 1724}, ) == 0x0 02887 484 NtQueryInformationThread (868, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=480,Tid=1724,}, 0x0, ) == 0x0 02888 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1704, 0} (24, {28, 56, new_msg, 0, 480, 484, 1704, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\3\0\0\340\1\0\0\274\6\0\0" ... {28, 56, reply, 0, 480, 484, 1705, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\3\0\0\340\1\0\0\274\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1705, 0} (24, {28, 56, new_msg, 0, 480, 484, 1704, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\3\0\0\340\1\0\0\274\6\0\0" ... {28, 56, reply, 0, 480, 484, 1705, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOd\3\0\0\340\1\0\0\274\6\0\0" ) ) == 0x0 02889 484 NtResumeThread (868, ... 1, ) == 0x0 02890 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02891 1724 NtWaitForSingleObject (36, 0, 0x0, ... 02890 484 NtAllocateVirtualMemory ... 253427712, 2097152, ) == 0x0 02892 484 NtAllocateVirtualMemory (-1, 255516672, 0, 8192, 4096, 4, ... 255516672, 8192, ) == 0x0 02893 484 NtProtectVirtualMemory (-1, (0xf3ae000), 4096, 260, ... (0xf3ae000), 4096, 4, ) == 0x0 02894 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 872, {480, 1632}, ) == 0x0 02895 484 NtQueryInformationThread (872, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=480,Tid=1632,}, 0x0, ) == 0x0 02896 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1705, 0} (24, {28, 56, new_msg, 0, 480, 484, 1705, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\3\0\0\340\1\0\0`\6\0\0" ... {28, 56, reply, 0, 480, 484, 1706, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\3\0\0\340\1\0\0`\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1706, 0} (24, {28, 56, new_msg, 0, 480, 484, 1705, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\3\0\0\340\1\0\0`\6\0\0" ... {28, 56, reply, 0, 480, 484, 1706, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\3\0\0\340\1\0\0`\6\0\0" ) ) == 0x0 02897 484 NtResumeThread (872, ... 1, ) == 0x0 02898 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 255524864, 2097152, ) == 0x0 02899 484 NtAllocateVirtualMemory (-1, 257613824, 0, 8192, 4096, 4, ... 257613824, 8192, ) == 0x0 02900 1632 NtWaitForSingleObject (36, 0, 0x0, ... 02901 484 NtProtectVirtualMemory (-1, (0xf5ae000), 4096, 260, ... (0xf5ae000), 4096, 4, ) == 0x0 02902 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 876, {480, 1580}, ) == 0x0 02903 484 NtQueryInformationThread (876, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=480,Tid=1580,}, 0x0, ) == 0x0 02904 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1706, 0} (24, {28, 56, new_msg, 0, 480, 484, 1706, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\3\0\0\340\1\0\0,\6\0\0" ... {28, 56, reply, 0, 480, 484, 1707, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\3\0\0\340\1\0\0,\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1707, 0} (24, {28, 56, new_msg, 0, 480, 484, 1706, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\3\0\0\340\1\0\0,\6\0\0" ... {28, 56, reply, 0, 480, 484, 1707, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOl\3\0\0\340\1\0\0,\6\0\0" ) ) == 0x0 02905 484 NtResumeThread (876, ... 1, ) == 0x0 02906 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02907 1580 NtWaitForSingleObject (36, 0, 0x0, ... 02906 484 NtAllocateVirtualMemory ... 
257622016, 2097152, ) == 0x0 02908 484 NtAllocateVirtualMemory (-1, 259710976, 0, 8192, 4096, 4, ... 259710976, 8192, ) == 0x0 02909 484 NtProtectVirtualMemory (-1, (0xf7ae000), 4096, 260, ... (0xf7ae000), 4096, 4, ) == 0x0 02910 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 880, {480, 1732}, ) == 0x0 02911 484 NtQueryInformationThread (880, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=480,Tid=1732,}, 0x0, ) == 0x0 02912 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1707, 0} (24, {28, 56, new_msg, 0, 480, 484, 1707, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\3\0\0\340\1\0\0\304\6\0\0" ... {28, 56, reply, 0, 480, 484, 1708, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\3\0\0\340\1\0\0\304\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1708, 0} (24, {28, 56, new_msg, 0, 480, 484, 1707, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\3\0\0\340\1\0\0\304\6\0\0" ... {28, 56, reply, 0, 480, 484, 1708, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOp\3\0\0\340\1\0\0\304\6\0\0" ) ) == 0x0 02913 484 NtResumeThread (880, ... 1, ) == 0x0 02914 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 259719168, 2097152, ) == 0x0 02915 484 NtAllocateVirtualMemory (-1, 261808128, 0, 8192, 4096, 4, ... 261808128, 8192, ) == 0x0 02916 1732 NtWaitForSingleObject (36, 0, 0x0, ... 02917 484 NtProtectVirtualMemory (-1, (0xf9ae000), 4096, 260, ... (0xf9ae000), 4096, 4, ) == 0x0 02918 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 884, {480, 1780}, ) == 0x0 02919 484 NtQueryInformationThread (884, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=480,Tid=1780,}, 0x0, ) == 0x0 02920 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1708, 0} (24, {28, 56, new_msg, 0, 480, 484, 1708, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\3\0\0\340\1\0\0\364\6\0\0" ... {28, 56, reply, 0, 480, 484, 1709, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\3\0\0\340\1\0\0\364\6\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1709, 0} (24, {28, 56, new_msg, 0, 480, 484, 1708, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\3\0\0\340\1\0\0\364\6\0\0" ... {28, 56, reply, 0, 480, 484, 1709, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\3\0\0\340\1\0\0\364\6\0\0" ) ) == 0x0 02921 484 NtResumeThread (884, ... 1, ) == 0x0 02922 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02923 1780 NtWaitForSingleObject (36, 0, 0x0, ... 02922 484 NtAllocateVirtualMemory ... 261816320, 2097152, ) == 0x0 02924 484 NtAllocateVirtualMemory (-1, 263905280, 0, 8192, 4096, 4, ... 263905280, 8192, ) == 0x0 02925 484 NtProtectVirtualMemory (-1, (0xfbae000), 4096, 260, ... (0xfbae000), 4096, 4, ) == 0x0 02926 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 888, {480, 1784}, ) == 0x0 02927 484 NtQueryInformationThread (888, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff43000,Pid=480,Tid=1784,}, 0x0, ) == 0x0 02928 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1709, 0} (24, {28, 56, new_msg, 0, 480, 484, 1709, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\3\0\0\340\1\0\0\370\6\0\0" ... {28, 56, reply, 0, 480, 484, 1710, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\3\0\0\340\1\0\0\370\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1710, 0} (24, {28, 56, new_msg, 0, 480, 484, 1709, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\3\0\0\340\1\0\0\370\6\0\0" ... {28, 56, reply, 0, 480, 484, 1710, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOx\3\0\0\340\1\0\0\370\6\0\0" ) ) == 0x0 02929 484 NtResumeThread (888, ... 1, ) == 0x0 02930 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 263913472, 2097152, ) == 0x0 02931 484 NtAllocateVirtualMemory (-1, 266002432, 0, 8192, 4096, 4, ... 266002432, 8192, ) == 0x0 02932 1784 NtWaitForSingleObject (36, 0, 0x0, ... 02933 484 NtProtectVirtualMemory (-1, (0xfdae000), 4096, 260, ... (0xfdae000), 4096, 4, ) == 0x0 02934 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 892, {480, 1692}, ) == 0x0 02935 484 NtQueryInformationThread (892, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff42000,Pid=480,Tid=1692,}, 0x0, ) == 0x0 02936 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1710, 0} (24, {28, 56, new_msg, 0, 480, 484, 1710, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\3\0\0\340\1\0\0\234\6\0\0" ... {28, 56, reply, 0, 480, 484, 1711, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\3\0\0\340\1\0\0\234\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1711, 0} (24, {28, 56, new_msg, 0, 480, 484, 1710, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\3\0\0\340\1\0\0\234\6\0\0" ... {28, 56, reply, 0, 480, 484, 1711, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\3\0\0\340\1\0\0\234\6\0\0" ) ) == 0x0 02937 484 NtResumeThread (892, ... 1, ) == 0x0 02938 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02939 1692 NtWaitForSingleObject (36, 0, 0x0, ... 02938 484 NtAllocateVirtualMemory ... 266010624, 2097152, ) == 0x0 02940 484 NtAllocateVirtualMemory (-1, 268099584, 0, 8192, 4096, 4, ... 268099584, 8192, ) == 0x0 02941 484 NtProtectVirtualMemory (-1, (0xffae000), 4096, 260, ... (0xffae000), 4096, 4, ) == 0x0 02942 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 896, {480, 1628}, ) == 0x0 02943 484 NtQueryInformationThread (896, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff41000,Pid=480,Tid=1628,}, 0x0, ) == 0x0 02944 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1711, 0} (24, {28, 56, new_msg, 0, 480, 484, 1711, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\3\0\0\340\1\0\0\\6\0\0" ... {28, 56, reply, 0, 480, 484, 1712, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\3\0\0\340\1\0\0\\6\0\0" ) ... {28, 56, reply, 0, 480, 484, 1712, 0} (24, {28, 56, new_msg, 0, 480, 484, 1711, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\3\0\0\340\1\0\0\\6\0\0" ... {28, 56, reply, 0, 480, 484, 1712, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\3\0\0\340\1\0\0\\6\0\0" ) ) == 0x0 02945 484 NtResumeThread (896, ... 1, ) == 0x0 02946 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
268107776, 2097152, ) == 0x0 02947 484 NtAllocateVirtualMemory (-1, 270196736, 0, 8192, 4096, 4, ... 270196736, 8192, ) == 0x0 02948 1628 NtWaitForSingleObject (36, 0, 0x0, ... 02949 484 NtProtectVirtualMemory (-1, (0x101ae000), 4096, 260, ... (0x101ae000), 4096, 4, ) == 0x0 02950 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 900, {480, 1112}, ) == 0x0 02951 484 NtQueryInformationThread (900, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff40000,Pid=480,Tid=1112,}, 0x0, ) == 0x0 02952 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1712, 0} (24, {28, 56, new_msg, 0, 480, 484, 1712, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\3\0\0\340\1\0\0X\4\0\0" ... {28, 56, reply, 0, 480, 484, 1713, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\3\0\0\340\1\0\0X\4\0\0" ) ... {28, 56, reply, 0, 480, 484, 1713, 0} (24, {28, 56, new_msg, 0, 480, 484, 1712, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\3\0\0\340\1\0\0X\4\0\0" ... {28, 56, reply, 0, 480, 484, 1713, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\3\0\0\340\1\0\0X\4\0\0" ) ) == 0x0 02953 484 NtResumeThread (900, ... 1, ) == 0x0 02954 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02955 1112 NtWaitForSingleObject (36, 0, 0x0, ... 02954 484 NtAllocateVirtualMemory ... 270204928, 2097152, ) == 0x0 02956 484 NtAllocateVirtualMemory (-1, 272293888, 0, 8192, 4096, 4, ... 272293888, 8192, ) == 0x0 02957 484 NtProtectVirtualMemory (-1, (0x103ae000), 4096, 260, ... (0x103ae000), 4096, 4, ) == 0x0 02958 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 904, {480, 1320}, ) == 0x0 02959 484 NtQueryInformationThread (904, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3f000,Pid=480,Tid=1320,}, 0x0, ) == 0x0 02960 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1713, 0} (24, {28, 56, new_msg, 0, 480, 484, 1713, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\3\0\0\340\1\0\0(\5\0\0" ... {28, 56, reply, 0, 480, 484, 1714, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\3\0\0\340\1\0\0(\5\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1714, 0} (24, {28, 56, new_msg, 0, 480, 484, 1713, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\3\0\0\340\1\0\0(\5\0\0" ... {28, 56, reply, 0, 480, 484, 1714, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\210\3\0\0\340\1\0\0(\5\0\0" ) ) == 0x0 02961 484 NtResumeThread (904, ... 1, ) == 0x0 02962 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 272302080, 2097152, ) == 0x0 02963 484 NtAllocateVirtualMemory (-1, 274391040, 0, 8192, 4096, 4, ... 274391040, 8192, ) == 0x0 02964 1320 NtWaitForSingleObject (36, 0, 0x0, ... 02965 484 NtProtectVirtualMemory (-1, (0x105ae000), 4096, 260, ... (0x105ae000), 4096, 4, ) == 0x0 02966 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 908, {480, 1524}, ) == 0x0 02967 484 NtQueryInformationThread (908, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3e000,Pid=480,Tid=1524,}, 0x0, ) == 0x0 02968 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1714, 0} (24, {28, 56, new_msg, 0, 480, 484, 1714, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\3\0\0\340\1\0\0\364\5\0\0" ... {28, 56, reply, 0, 480, 484, 1715, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\3\0\0\340\1\0\0\364\5\0\0" ) ... {28, 56, reply, 0, 480, 484, 1715, 0} (24, {28, 56, new_msg, 0, 480, 484, 1714, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\3\0\0\340\1\0\0\364\5\0\0" ... {28, 56, reply, 0, 480, 484, 1715, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\3\0\0\340\1\0\0\364\5\0\0" ) ) == 0x0 02969 484 NtResumeThread (908, ... 1, ) == 0x0 02970 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02971 1524 NtWaitForSingleObject (36, 0, 0x0, ... 02970 484 NtAllocateVirtualMemory ... 274399232, 2097152, ) == 0x0 02972 484 NtAllocateVirtualMemory (-1, 276488192, 0, 8192, 4096, 4, ... 276488192, 8192, ) == 0x0 02973 484 NtProtectVirtualMemory (-1, (0x107ae000), 4096, 260, ... (0x107ae000), 4096, 4, ) == 0x0 02974 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
912, {480, 1808}, ) == 0x0 02975 484 NtQueryInformationThread (912, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3d000,Pid=480,Tid=1808,}, 0x0, ) == 0x0 02976 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1715, 0} (24, {28, 56, new_msg, 0, 480, 484, 1715, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\3\0\0\340\1\0\0\20\7\0\0" ... {28, 56, reply, 0, 480, 484, 1716, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\3\0\0\340\1\0\0\20\7\0\0" ) ... {28, 56, reply, 0, 480, 484, 1716, 0} (24, {28, 56, new_msg, 0, 480, 484, 1715, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\3\0\0\340\1\0\0\20\7\0\0" ... {28, 56, reply, 0, 480, 484, 1716, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\3\0\0\340\1\0\0\20\7\0\0" ) ) == 0x0 02977 484 NtResumeThread (912, ... 1, ) == 0x0 02978 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 276496384, 2097152, ) == 0x0 02979 484 NtAllocateVirtualMemory (-1, 278585344, 0, 8192, 4096, 4, ... 278585344, 8192, ) == 0x0 02980 1808 NtWaitForSingleObject (36, 0, 0x0, ... 02981 484 NtProtectVirtualMemory (-1, (0x109ae000), 4096, 260, ... (0x109ae000), 4096, 4, ) == 0x0 02982 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 916, {480, 1816}, ) == 0x0 02983 484 NtQueryInformationThread (916, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3c000,Pid=480,Tid=1816,}, 0x0, ) == 0x0 02984 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1716, 0} (24, {28, 56, new_msg, 0, 480, 484, 1716, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\3\0\0\340\1\0\0\30\7\0\0" ... {28, 56, reply, 0, 480, 484, 1717, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\3\0\0\340\1\0\0\30\7\0\0" ) ... {28, 56, reply, 0, 480, 484, 1717, 0} (24, {28, 56, new_msg, 0, 480, 484, 1716, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\3\0\0\340\1\0\0\30\7\0\0" ... {28, 56, reply, 0, 480, 484, 1717, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\3\0\0\340\1\0\0\30\7\0\0" ) ) == 0x0 02985 484 NtResumeThread (916, ... 1, ) == 0x0 02986 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 
02987 1816 NtWaitForSingleObject (36, 0, 0x0, ... 02986 484 NtAllocateVirtualMemory ... 278593536, 2097152, ) == 0x0 02988 484 NtAllocateVirtualMemory (-1, 280682496, 0, 8192, 4096, 4, ... 280682496, 8192, ) == 0x0 02989 484 NtProtectVirtualMemory (-1, (0x10bae000), 4096, 260, ... (0x10bae000), 4096, 4, ) == 0x0 02990 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 920, {480, 1820}, ) == 0x0 02991 484 NtQueryInformationThread (920, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3b000,Pid=480,Tid=1820,}, 0x0, ) == 0x0 02992 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1717, 0} (24, {28, 56, new_msg, 0, 480, 484, 1717, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\3\0\0\340\1\0\0\34\7\0\0" ... {28, 56, reply, 0, 480, 484, 1718, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\3\0\0\340\1\0\0\34\7\0\0" ) ... {28, 56, reply, 0, 480, 484, 1718, 0} (24, {28, 56, new_msg, 0, 480, 484, 1717, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\3\0\0\340\1\0\0\34\7\0\0" ... {28, 56, reply, 0, 480, 484, 1718, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\3\0\0\340\1\0\0\34\7\0\0" ) ) == 0x0 02993 484 NtResumeThread (920, ... 1, ) == 0x0 02994 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 280690688, 2097152, ) == 0x0 02995 484 NtAllocateVirtualMemory (-1, 282779648, 0, 8192, 4096, 4, ... 282779648, 8192, ) == 0x0 02996 1820 NtWaitForSingleObject (36, 0, 0x0, ... 02997 484 NtProtectVirtualMemory (-1, (0x10dae000), 4096, 260, ... (0x10dae000), 4096, 4, ) == 0x0 02998 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 924, {480, 1360}, ) == 0x0 02999 484 NtQueryInformationThread (924, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff3a000,Pid=480,Tid=1360,}, 0x0, ) == 0x0 03000 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1718, 0} (24, {28, 56, new_msg, 0, 480, 484, 1718, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\3\0\0\340\1\0\0P\5\0\0" ... {28, 56, reply, 0, 480, 484, 1719, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\3\0\0\340\1\0\0P\5\0\0" ) ... 
{28, 56, reply, 0, 480, 484, 1719, 0} (24, {28, 56, new_msg, 0, 480, 484, 1718, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\3\0\0\340\1\0\0P\5\0\0" ... {28, 56, reply, 0, 480, 484, 1719, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\3\0\0\340\1\0\0P\5\0\0" ) ) == 0x0 03001 484 NtResumeThread (924, ... 1, ) == 0x0 03002 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03003 1360 NtWaitForSingleObject (36, 0, 0x0, ... 03002 484 NtAllocateVirtualMemory ... 282787840, 2097152, ) == 0x0 03004 484 NtAllocateVirtualMemory (-1, 284876800, 0, 8192, 4096, 4, ... 284876800, 8192, ) == 0x0 03005 484 NtProtectVirtualMemory (-1, (0x10fae000), 4096, 260, ... (0x10fae000), 4096, 4, ) == 0x0 03006 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 928, {480, 1824}, ) == 0x0 03007 484 NtQueryInformationThread (928, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff39000,Pid=480,Tid=1824,}, 0x0, ) == 0x0 03008 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1719, 0} (24, {28, 56, new_msg, 0, 480, 484, 1719, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\3\0\0\340\1\0\0 \7\0\0" ... {28, 56, reply, 0, 480, 484, 1720, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\3\0\0\340\1\0\0 \7\0\0" ) ... {28, 56, reply, 0, 480, 484, 1720, 0} (24, {28, 56, new_msg, 0, 480, 484, 1719, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\3\0\0\340\1\0\0 \7\0\0" ... {28, 56, reply, 0, 480, 484, 1720, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\240\3\0\0\340\1\0\0 \7\0\0" ) ) == 0x0 03009 484 NtResumeThread (928, ... 1, ) == 0x0 03010 484 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 284884992, 2097152, ) == 0x0 03011 484 NtAllocateVirtualMemory (-1, 286973952, 0, 8192, 4096, 4, ... 286973952, 8192, ) == 0x0 03012 1824 NtWaitForSingleObject (36, 0, 0x0, ... 03013 484 NtProtectVirtualMemory (-1, (0x111ae000), 4096, 260, ... (0x111ae000), 4096, 4, ) == 0x0 03014 484 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 932, {480, 1828}, ) == 0x0 03015 484 NtQueryInformationThread (932, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff38000,Pid=480,Tid=1828,}, 0x0, ) == 0x0 03016 484 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 480, 484, 1720, 0} (24, {28, 56, new_msg, 0, 480, 484, 1720, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\3\0\0\340\1\0\0$\7\0\0" ... {28, 56, reply, 0, 480, 484, 1721, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\3\0\0\340\1\0\0$\7\0\0" ) ... {28, 56, reply, 0, 480, 484, 1721, 0} (24, {28, 56, new_msg, 0, 480, 484, 1720, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\3\0\0\340\1\0\0$\7\0\0" ... {28, 56, reply, 0, 480, 484, 1721, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\3\0\0\340\1\0\0$\7\0\0" ) ) == 0x0 03017 484 NtResumeThread (932, ... 1, ) == 0x0 03018 484 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03019 1828 NtWaitForSingleObject (36, 0, 0x0, ... 03018 484 NtCreateEvent ... 936, ) == 0x0 03020 484 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 940, ) == 0x0 03021 484 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03022 484 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 944, ) == 0x0 03023 484 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03024 484 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03025 484 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2291792, (0xc0100080, {24, 0, 0x40, 0, 2291792, "\??\PIPE\InitShutdown"}, 0x0, 0, 3, 1, 64, 0, 0, ... 948, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 948, {status=0x0, info=1}, ) == 0x0 03026 484 NtSetInformationFile (948, 2291848, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03027 484 NtSetInformationFile (948, 2291840, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03028 484 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03029 484 NtWriteFile (948, 937, 0, 0, (948, 937, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\300\340M\211U\15\323\21\243"\0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... 
{status=0x0, info=72}, ) \0\300O\243!\241\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03030 484 NtReadFile (948, 937, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (948, 937, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\209\36\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03031 484 NtFsControlFile (948, 937, 0x0, 0x0, 0x11c017, (948, 937, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\340\376"\0H=", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\209\36\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0H= (948, 937, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\1\0\340\376"\0H=", 30, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\209\36\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\209\36\0\0\23\0\PIPE\InitShutdown\0\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 03032 484 NtClose (944, ... ) == 0x0 03033 484 NtClose (948, ... ) == 0x0 03034 484 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03035 484 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 948, ) == 0x0 03036 484 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03037 484 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03038 484 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2291788, (0xc0100080, {24, 0, 0x40, 0, 2291788, "\??\PIPE\winreg"}, 0x0, 0, 3, 1, 64, 0, 0, ... 944, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 944, {status=0x0, info=1}, ) == 0x0 03039 484 NtSetInformationFile (944, 2291844, 8, Pipe, ... 
{status=0x0, info=0}, ) == 0x0 03040 484 NtSetInformationFile (944, 2291836, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03041 484 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03042 484 NtWriteFile (944, 937, 0, 0, (944, 937, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\1\320\2143D"\3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) \3611\252\252\220\08\0\20\3\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03043 484 NtReadFile (944, 937, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (944, 937, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\243&\0\0\15\0\PIPE\winreg\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03044 484 NtFsControlFile (944, 937, 0x0, 0x0, 0x11c017, (944, 937, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\324\376"\0H=", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\243&\0\0\15\0\PIPE\winreg\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0H= (944, 937, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\36\0\0\0\1\0\0\0\6\0\0\0\0\0\31\0\324\376"\0H=", 30, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\243&\0\0\15\0\PIPE\winreg\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\243&\0\0\15\0\PIPE\winreg\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 03045 484 NtWaitForSingleObject (937, 0, 0x0, ... ) == 0x0 03046 484 NtClose (948, ... ) == 0x0 03047 484 NtClose (944, ... ) == 0x0 03048 484 NtDelayExecution (0, {-30000000, -1}, ... 02345 712 NtReadFile ... {status=0x0, info=46592}, ... 
{status=0x0, info=46592}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\373\225\346S\277\364\210\0\277\364\210\0\277\364\210\0E\327\310\0\275\364\210\0\277\364\211\0$\364\210\0E\327\221\0\252\364\210\0e\327\225\0\275\364\210\0(\327\315\0\276\364\210\0e\327\224\0\251\364\210\0E\327\265\0\276\364\210\0Rich\277\364\210\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\08\204};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0H\0\0\0n\0\0\0\0\0\0\34F\0\0\0\20\0\0\0`\0\0\0\0\0\1\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\0\0\0\4\0\0\246\20\1\0\2\0\0\200\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0XJ\0\0\334\0\0\0\0p\0\0@f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0H\2\0\0\324\0\0\0\0\20\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0jG\0\0\0\20\0\0\0H\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03049 712 NtClose (596, ... ) == 0x0 03050 712 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 8433160, (0x40100080, {24, 0, 0x40, 0, 8433160, "\??\C:\WINDOWS\system32\utilman.ivr"}, 0x0, 0, 0, 5, 96, 0, 0, ... }, 0x0, 0, 0, 5, 96, 0, 0, ... 02366 856 NtOpenKey ... 596, ) == 0x0 03051 856 NtQueryValueKey (596, (596, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (596, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03052 856 NtClose (596, ... ) == 0x0 03053 712 NtClose (-2147482052, ... ) == 0x0 03050 712 NtCreateFile ... 
596, {status=0x0, info=2}, ) == 0x0 03054 712 NtWriteFile (596, 0, 0, 0, (596, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\373\225\346S\277\364\210\0\277\364\210\0\277\364\210\0E\327\310\0\275\364\210\0\277\364\211\0$\364\210\0E\327\221\0\252\364\210\0e\327\225\0\275\364\210\0(\327\315\0\276\364\210\0e\327\224\0\251\364\210\0E\327\265\0\276\364\210\0Rich\277\364\210\0\0\0\0\0\0\0\0\0PE\0\0L\1\7\08\204};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\10\0\0H\0\0\0n\0\0\0\0\0\0\0\340\0\0\0\20\0\0\0`\0\0\0\0\0\1\0\20\0\0\0\2\0\0\5\0\1\0\15\0\1\0\4\0\0\0\0\0\0\0\34\12\4\0\0\4\0\0\246\20\1\0\2\0\0\200\0\0\24\0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0XJ\0\0\334\0\0\0\0p\0\0@f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\2\0\0\324\0\0\0\0\20\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0jG\0\0\0\20\0\0\0H\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 158720, 0x0, 0, ... {status=0x0, info=158720}, ) , 158720, 0x0, 0, ... {status=0x0, info=158720}, ) == 0x0 03055 712 NtClose (596, ... ) == 0x0 03056 712 NtFreeVirtualMemory (-1, (0x46a000), 233472, 16384, ... (0x46a000), 233472, ) == 0x0 03057 712 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 8432096, (0x80100080, {24, 0, 0x40, 0, 8432096, "\??\C:\WINDOWS\system32\utilman.ivr"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 596, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 596, {status=0x0, info=1}, ) == 0x0 03058 856 NtSetEventBoostPriority (36, ... 02324 1168 NtWaitForSingleObject ... ) == 0x0 03059 1168 NtSetEventBoostPriority (36, ... 02351 1172 NtWaitForSingleObject ... ) == 0x0 03060 1172 NtSetEventBoostPriority (36, ... 02364 1176 NtWaitForSingleObject ... ) == 0x0 03061 1176 NtSetEventBoostPriority (36, ... 
02372 1072 NtWaitForSingleObject ... ) == 0x0 03062 1072 NtAllocateVirtualMemory (-1, 13197312, 0, 4096, 4096, 4, ... 13197312, 4096, ) == 0x0 03061 1176 NtSetEventBoostPriority ... ) == 0x0 03060 1172 NtSetEventBoostPriority ... ) == 0x0 03059 1168 NtSetEventBoostPriority ... ) == 0x0 03058 856 NtSetEventBoostPriority ... ) == 0x0 03063 712 NtQueryInformationFile (596, 8433032, 8, AttributeFlag, ... 03064 1072 NtSetEventBoostPriority (36, ... 03065 1176 NtTestAlert (... 03066 1172 NtTestAlert (... 03067 856 NtWaitForSingleObject (36, 0, 0x0, ... 03063 712 NtQueryInformationFile ... ) == STATUS_INVALID_PARAMETER 02379 1184 NtWaitForSingleObject ... ) == 0x0 03064 1072 NtSetEventBoostPriority ... ) == 0x0 03065 1176 NtTestAlert ... ) == 0x0 03066 1172 NtTestAlert ... ) == 0x0 03068 1184 NtSetEventBoostPriority (36, ... 03069 712 NtQueryInformationFile (596, 8433004, 24, Standard, ... 03070 1072 NtTestAlert (... 03071 1176 NtContinue (115014960, 1, ... 02388 1192 NtWaitForSingleObject ... ) == 0x0 03068 1184 NtSetEventBoostPriority ... ) == 0x0 03072 1172 NtContinue (112917808, 1, ... 03069 712 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03070 1072 NtTestAlert ... ) == 0x0 03073 1192 NtSetEventBoostPriority (36, ... 03074 1176 NtRegisterThreadTerminatePort (24, ... 03075 1168 NtTestAlert (... 03076 1172 NtRegisterThreadTerminatePort (24, ... 03077 712 NtQueryInformationFile (596, 8432956, 40, Basic, ... 02395 1196 NtWaitForSingleObject ... ) == 0x0 03073 1192 NtSetEventBoostPriority ... ) == 0x0 03078 1072 NtContinue (117112112, 1, ... 03074 1176 NtRegisterThreadTerminatePort ... ) == 0x0 03075 1168 NtTestAlert ... ) == 0x0 03076 1172 NtRegisterThreadTerminatePort ... ) == 0x0 03079 1196 NtSetEventBoostPriority (36, ... 03077 712 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 03080 1184 NtTestAlert (... 03081 1072 NtRegisterThreadTerminatePort (24, ... 03082 1176 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
03083 1168 NtContinue (110820656, 1, ... 02404 1212 NtWaitForSingleObject ... ) == 0x0 03079 1196 NtSetEventBoostPriority ... ) == 0x0 03084 1172 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03085 1192 NtTestAlert (... 03080 1184 NtTestAlert ... ) == 0x0 03086 712 NtAllocateVirtualMemory (-1, 4628480, 0, 8192, 4096, 4, ... 03081 1072 NtRegisterThreadTerminatePort ... ) == 0x0 03087 1212 NtWaitForSingleObject (348, 0, 0x0, ... 03088 1168 NtRegisterThreadTerminatePort (24, ... 03082 1176 NtDuplicateObject ... 944, ) == 0x0 03089 1196 NtTestAlert (... 03085 1192 NtTestAlert ... ) == 0x0 03090 1184 NtContinue (119209264, 1, ... 03086 712 NtAllocateVirtualMemory ... 4628480, 8192, ) == 0x0 03091 1072 NtWaitForSingleObject (348, 0, 0x0, ... 03088 1168 NtRegisterThreadTerminatePort ... ) == 0x0 03092 1176 NtWaitForSingleObject (348, 0, 0x0, ... 03089 1196 NtTestAlert ... ) == 0x0 03093 1192 NtContinue (121306416, 1, ... 03094 1184 NtRegisterThreadTerminatePort (24, ... 03095 712 NtSetEventBoostPriority (348, ... 03096 1168 NtWaitForSingleObject (348, 0, 0x0, ... 03097 1196 NtContinue (123403568, 1, ... 03098 1192 NtRegisterThreadTerminatePort (24, ... 03094 1184 NtRegisterThreadTerminatePort ... ) == 0x0 03087 1212 NtWaitForSingleObject ... ) == 0x0 03095 712 NtSetEventBoostPriority ... ) == 0x0 03084 1172 NtDuplicateObject ... 948, ) == 0x0 03099 1196 NtRegisterThreadTerminatePort (24, ... 03098 1192 NtRegisterThreadTerminatePort ... ) == 0x0 03100 1212 NtSetEventBoostPriority (348, ... 03101 1184 NtWaitForSingleObject (348, 0, 0x0, ... 03102 712 NtQueryInformationFile (596, 4627544, 4094, Stream, ... 03103 1172 NtWaitForSingleObject (348, 0, 0x0, ... 03099 1196 NtRegisterThreadTerminatePort ... ) == 0x0 03091 1072 NtWaitForSingleObject ... ) == 0x0 03100 1212 NtSetEventBoostPriority ... ) == 0x0 03104 1192 NtWaitForSingleObject (348, 0, 0x0, ... 03102 712 NtQueryInformationFile ... ) == STATUS_INVALID_PARAMETER 03105 1072 NtSetEventBoostPriority (348, ... 
03106 1196 NtWaitForSingleObject (348, 0, 0x0, ... 03107 1212 NtSetEventBoostPriority (36, ... 03092 1176 NtWaitForSingleObject ... ) == 0x0 03105 1072 NtSetEventBoostPriority ... ) == 0x0 03108 712 NtWaitForSingleObject (348, 0, 0x0, ... 03109 1176 NtSetEventBoostPriority (348, ... 02411 1224 NtWaitForSingleObject ... ) == 0x0 03107 1212 NtSetEventBoostPriority ... ) == 0x0 03096 1168 NtWaitForSingleObject ... ) == 0x0 03110 1224 NtWaitForSingleObject (348, 0, 0x0, ... 03109 1176 NtSetEventBoostPriority ... ) == 0x0 03111 1168 NtSetEventBoostPriority (348, ... 03112 1212 NtTestAlert (... 03113 1072 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03103 1172 NtWaitForSingleObject ... ) == 0x0 03112 1212 NtTestAlert ... ) == 0x0 03113 1072 NtDuplicateObject ... 952, ) == 0x0 03114 1172 NtSetEventBoostPriority (348, ... 03115 1212 NtContinue (125500720, 1, ... 03116 1072 NtWaitForSingleObject (348, 0, 0x0, ... 03101 1184 NtWaitForSingleObject ... ) == 0x0 03114 1172 NtSetEventBoostPriority ... ) == 0x0 03117 1212 NtRegisterThreadTerminatePort (24, ... 03118 1184 NtSetEventBoostPriority (348, ... 03111 1168 NtSetEventBoostPriority ... ) == 0x0 03119 1176 NtWaitForSingleObject (348, 0, 0x0, ... 03120 1172 NtWaitForSingleObject (348, 0, 0x0, ... 03104 1192 NtWaitForSingleObject ... ) == 0x0 03121 1168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03122 1192 NtSetEventBoostPriority (348, ... 03121 1168 NtDuplicateObject ... 956, ) == 0x0 03106 1196 NtWaitForSingleObject ... ) == 0x0 03122 1192 NtSetEventBoostPriority ... ) == 0x0 03118 1184 NtSetEventBoostPriority ... ) == 0x0 03117 1212 NtRegisterThreadTerminatePort ... ) == 0x0 03123 1196 NtSetEventBoostPriority (348, ... 03124 1192 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03125 1184 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03126 1212 NtWaitForSingleObject (348, 0, 0x0, ... 03108 712 NtWaitForSingleObject ... ) == 0x0 03124 1192 NtDuplicateObject ... 960, ) == 0x0 03125 1184 NtDuplicateObject ... 
964, ) == 0x0 03127 712 NtSetEventBoostPriority (348, ... 03123 1196 NtSetEventBoostPriority ... ) == 0x0 03128 1168 NtWaitForSingleObject (348, 0, 0x0, ... 03129 1192 NtWaitForSingleObject (348, 0, 0x0, ... 03110 1224 NtWaitForSingleObject ... ) == 0x0 03127 712 NtSetEventBoostPriority ... ) == 0x0 03130 1196 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03131 1224 NtSetEventBoostPriority (348, ... 03132 712 NtQueryInformationFile (596, 8431500, 40, Basic, ... 03116 1072 NtWaitForSingleObject ... ) == 0x0 03131 1224 NtSetEventBoostPriority ... ) == 0x0 03130 1196 NtDuplicateObject ... 968, ) == 0x0 03133 1184 NtWaitForSingleObject (348, 0, 0x0, ... 03134 1072 NtSetEventBoostPriority (348, ... 03132 712 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 03135 1224 NtSetEventBoostPriority (36, ... 03119 1176 NtWaitForSingleObject ... ) == 0x0 03134 1072 NtSetEventBoostPriority ... ) == 0x0 03136 712 NtAllocateVirtualMemory (-1, 8421376, 0, 4096, 4096, 260, ... 03137 1176 NtSetEventBoostPriority (348, ... 02420 324 NtWaitForSingleObject ... ) == 0x0 03135 1224 NtSetEventBoostPriority ... ) == 0x0 03138 1196 NtWaitForSingleObject (348, 0, 0x0, ... 03120 1172 NtWaitForSingleObject ... ) == 0x0 03139 324 NtWaitForSingleObject (348, 0, 0x0, ... 03137 1176 NtSetEventBoostPriority ... ) == 0x0 03136 712 NtAllocateVirtualMemory ... 8421376, 4096, ) == 0x0 03140 1224 NtTestAlert (... 03141 1172 NtSetEventBoostPriority (348, ... 03142 1176 NtWaitForSingleObject (348, 0, 0x0, ... 03143 712 NtQueryInformationFile (596, 8431344, 4, Ea, ... 03126 1212 NtWaitForSingleObject ... ) == 0x0 03141 1172 NtSetEventBoostPriority ... ) == 0x0 03140 1224 NtTestAlert ... ) == 0x0 03144 1072 NtWaitForSingleObject (348, 0, 0x0, ... 03145 1212 NtSetEventBoostPriority (348, ... 03143 712 NtQueryInformationFile ... {status=0x0, info=4}, ) == 0x0 03146 1172 NtWaitForSingleObject (348, 0, 0x0, ... 03147 1224 NtContinue (127597872, 1, ... 03128 1168 NtWaitForSingleObject ... 
) == 0x0 03145 1212 NtSetEventBoostPriority ... ) == 0x0 03148 712 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 8431352, "\??\C:\WINDOWS\system32\utilman.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... 03149 1168 NtSetEventBoostPriority (348, ... 03150 1224 NtRegisterThreadTerminatePort (24, ... 03151 1212 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03129 1192 NtWaitForSingleObject ... ) == 0x0 03149 1168 NtSetEventBoostPriority ... ) == 0x0 03152 712 NtClose (-2147482052, ... 03153 1192 NtSetEventBoostPriority (348, ... 03151 1212 NtDuplicateObject ... 972, ) == 0x0 03154 1168 NtWaitForSingleObject (348, 0, 0x0, ... 03133 1184 NtWaitForSingleObject ... ) == 0x0 03153 1192 NtSetEventBoostPriority ... ) == 0x0 03152 712 NtClose ... ) == 0x0 03155 1212 NtWaitForSingleObject (348, 0, 0x0, ... 03150 1224 NtRegisterThreadTerminatePort ... ) == 0x0 03156 1184 NtSetEventBoostPriority (348, ... 03157 1192 NtWaitForSingleObject (348, 0, 0x0, ... 03158 712 NtQueryVolumeInformationFile (-2147482056, -136248696, 32, FullSize, ... 03139 324 NtWaitForSingleObject ... ) == 0x0 03156 1184 NtSetEventBoostPriority ... ) == 0x0 03159 1224 NtWaitForSingleObject (348, 0, 0x0, ... 03160 324 NtSetEventBoostPriority (348, ... 03158 712 NtQueryVolumeInformationFile ... {status=0x0, info=32}, ) == 0x0 03161 1184 NtWaitForSingleObject (348, 0, 0x0, ... 03138 1196 NtWaitForSingleObject ... ) == 0x0 03160 324 NtSetEventBoostPriority ... ) == 0x0 03162 712 NtQueryInformationFile (-2147482056, -136248416, 24, Standard, ... 03163 1196 NtSetEventBoostPriority (348, ... 03164 324 NtSetEventBoostPriority (36, ... 03144 1072 NtWaitForSingleObject ... ) == 0x0 03163 1196 NtSetEventBoostPriority ... ) == 0x0 03165 1072 NtSetEventBoostPriority (348, ... 02427 1228 NtWaitForSingleObject ... ) == 0x0 03164 324 NtSetEventBoostPriority ... ) == 0x0 03142 1176 NtWaitForSingleObject ... ) == 0x0 03166 1228 NtWaitForSingleObject (348, 0, 0x0, ... 
03165 1072 NtSetEventBoostPriority ... ) == 0x0 03167 1196 NtWaitForSingleObject (348, 0, 0x0, ... 03168 1176 NtSetEventBoostPriority (348, ... 03169 324 NtTestAlert (... 03170 1072 NtWaitForSingleObject (384, 0, 0x0, ... 03162 712 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03146 1172 NtWaitForSingleObject ... ) == 0x0 03169 324 NtTestAlert ... ) == 0x0 03168 1176 NtSetEventBoostPriority ... ) == 0x0 03171 712 NtQueryInformationFile (-2147482056, -136248464, 40, Basic, ... 03172 1172 NtSetEventBoostPriority (348, ... 03173 324 NtContinue (129695024, 1, ... 03174 1176 NtSetEventBoostPriority (384, ... 03171 712 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 03155 1212 NtWaitForSingleObject ... ) == 0x0 03175 324 NtRegisterThreadTerminatePort (24, ... 03174 1176 NtSetEventBoostPriority ... ) == 0x0 03176 712 NtQueryInformationFile (-2147482056, -518615040, 4096, Stream, ... 03177 1212 NtSetEventBoostPriority (348, ... 03172 1172 NtSetEventBoostPriority ... ) == 0x0 03170 1072 NtWaitForSingleObject ... ) == 0x0 03175 324 NtRegisterThreadTerminatePort ... ) == 0x0 03176 712 NtQueryInformationFile ... ) == STATUS_INVALID_PARAMETER 03154 1168 NtWaitForSingleObject ... ) == 0x0 03177 1212 NtSetEventBoostPriority ... ) == 0x0 03178 1172 NtWaitForSingleObject (384, 0, 0x0, ... 03179 1072 NtWaitForSingleObject (348, 0, 0x0, ... 03180 324 NtWaitForSingleObject (348, 0, 0x0, ... 03181 1168 NtSetEventBoostPriority (348, ... 03182 712 NtQueryInformationFile (-2147482056, -136248772, 40, Basic, ... 03183 1176 NtWaitForSingleObject (100, 0, {0, 0}, ... 03159 1224 NtWaitForSingleObject ... ) == 0x0 03181 1168 NtSetEventBoostPriority ... ) == 0x0 03184 1212 NtWaitForSingleObject (384, 0, 0x0, ... 03183 1176 NtWaitForSingleObject ... ) == 0x102 03185 1224 NtSetEventBoostPriority (348, ... 03186 1168 NtWaitForSingleObject (384, 0, 0x0, ... 03187 1176 NtWaitForSingleObject (184, 0, 0x0, ... 03157 1192 NtWaitForSingleObject ... 
) == 0x0 03185 1224 NtSetEventBoostPriority ... ) == 0x0 03188 1192 NtSetEventBoostPriority (348, ... 03182 712 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 03161 1184 NtWaitForSingleObject ... ) == 0x0 03189 1184 NtSetEventBoostPriority (348, ... 03166 1228 NtWaitForSingleObject ... ) == 0x0 03190 1228 NtSetEventBoostPriority (348, ... 03167 1196 NtWaitForSingleObject ... ) == 0x0 03191 1196 NtSetEventBoostPriority (348, ... 03179 1072 NtWaitForSingleObject ... ) == 0x0 03192 1072 NtSetEventBoostPriority (348, ... 03180 324 NtWaitForSingleObject ... ) == 0x0 03193 324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 976, ) == 0x0 03192 1072 NtSetEventBoostPriority ... ) == 0x0 03190 1228 NtSetEventBoostPriority ... ) == 0x0 03191 1196 NtSetEventBoostPriority ... ) == 0x0 03189 1184 NtSetEventBoostPriority ... ) == 0x0 03188 1192 NtSetEventBoostPriority ... ) == 0x0 03194 1224 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03195 324 NtWaitForSingleObject (384, 0, 0x0, ... 03196 1072 NtSetEventBoostPriority (384, ... 03197 1196 NtWaitForSingleObject (384, 0, 0x0, ... 03198 1184 NtWaitForSingleObject (384, 0, 0x0, ... 03199 1192 NtWaitForSingleObject (384, 0, 0x0, ... 03194 1224 NtDuplicateObject ... 980, ) == 0x0 03178 1172 NtWaitForSingleObject ... ) == 0x0 03196 1072 NtSetEventBoostPriority ... ) == 0x0 03200 1172 NtSetEventBoostPriority (384, ... 03201 1224 NtWaitForSingleObject (384, 0, 0x0, ... 03184 1212 NtWaitForSingleObject ... ) == 0x0 03200 1172 NtSetEventBoostPriority ... ) == 0x0 03202 1072 NtWaitForSingleObject (100, 0, {0, 0}, ... 03203 1212 NtSetEventBoostPriority (384, ... 03204 1228 NtSetEventBoostPriority (36, ... 03186 1168 NtWaitForSingleObject ... ) == 0x0 03203 1212 NtSetEventBoostPriority ... ) == 0x0 03202 1072 NtWaitForSingleObject ... ) == 0x102 03205 1168 NtSetEventBoostPriority (384, ... 02436 1232 NtWaitForSingleObject ... ) == 0x0 03204 1228 NtSetEventBoostPriority ... 
) == 0x0 03206 1212 NtWaitForSingleObject (100, 0, {0, 0}, ... 03195 324 NtWaitForSingleObject ... ) == 0x0 03207 1232 NtSetEventBoostPriority (36, ... 03205 1168 NtSetEventBoostPriority ... ) == 0x0 03208 1072 NtWaitForSingleObject (184, 0, 0x0, ... 03209 1228 NtTestAlert (... 03210 1172 NtWaitForSingleObject (100, 0, {0, 0}, ... 03211 324 NtSetEventBoostPriority (384, ... 02443 1244 NtWaitForSingleObject ... ) == 0x0 03207 1232 NtSetEventBoostPriority ... ) == 0x0 03206 1212 NtWaitForSingleObject ... ) == 0x102 03212 1168 NtWaitForSingleObject (100, 0, {0, 0}, ... 03209 1228 NtTestAlert ... ) == 0x0 03197 1196 NtWaitForSingleObject ... ) == 0x0 03213 1244 NtSetEventBoostPriority (36, ... 03211 324 NtSetEventBoostPriority ... ) == 0x0 03210 1172 NtWaitForSingleObject ... ) == 0x102 03214 1212 NtWaitForSingleObject (184, 0, 0x0, ... 03212 1168 NtWaitForSingleObject ... ) == 0x102 03215 1228 NtContinue (131792176, 1, ... 03216 712 NtQueryInformationFile (-2147482060, -136248812, 40, Basic, ... 03217 1232 NtTestAlert (... 02452 1248 NtWaitForSingleObject ... ) == 0x0 03213 1244 NtSetEventBoostPriority ... ) == 0x0 03218 324 NtWaitForSingleObject (100, 0, {0, 0}, ... 03219 1172 NtWaitForSingleObject (184, 0, 0x0, ... 03220 1168 NtWaitForSingleObject (184, 0, 0x0, ... 03221 1228 NtRegisterThreadTerminatePort (24, ... 03216 712 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 03222 1248 NtSetEventBoostPriority (36, ... 03217 1232 NtTestAlert ... ) == 0x0 03223 1196 NtSetEventBoostPriority (384, ... 03224 1244 NtTestAlert (... 03218 324 NtWaitForSingleObject ... ) == 0x102 02459 1252 NtWaitForSingleObject ... ) == 0x0 03222 1248 NtSetEventBoostPriority ... ) == 0x0 03225 712 NtSetInformationFile (-2147482060, -136248732, 8, EndOfFile, ... 03226 1232 NtContinue (133889328, 1, ... 03198 1184 NtWaitForSingleObject ... ) == 0x0 03223 1196 NtSetEventBoostPriority ... ) == 0x0 03224 1244 NtTestAlert ... ) == 0x0 03227 1252 NtSetEventBoostPriority (36, ... 
03228 324 NtWaitForSingleObject (184, 0, 0x0, ... 03221 1228 NtRegisterThreadTerminatePort ... ) == 0x0 03229 1248 NtTestAlert (... 03230 1184 NtSetEventBoostPriority (384, ... 03231 1232 NtRegisterThreadTerminatePort (24, ... 03232 1196 NtWaitForSingleObject (100, 0, {0, 0}, ... 02468 1256 NtWaitForSingleObject ... ) == 0x0 03227 1252 NtSetEventBoostPriority ... ) == 0x0 03233 1244 NtContinue (135986480, 1, ... 03234 1228 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03199 1192 NtWaitForSingleObject ... ) == 0x0 03230 1184 NtSetEventBoostPriority ... ) == 0x0 03229 1248 NtTestAlert ... ) == 0x0 03231 1232 NtRegisterThreadTerminatePort ... ) == 0x0 03235 1256 NtSetEventBoostPriority (36, ... 03232 1196 NtWaitForSingleObject ... ) == 0x102 03236 1244 NtRegisterThreadTerminatePort (24, ... 03237 1192 NtSetEventBoostPriority (384, ... 03234 1228 NtDuplicateObject ... 984, ) == 0x0 03238 1252 NtTestAlert (... 03239 1248 NtContinue (138083632, 1, ... 02475 1260 NtWaitForSingleObject ... ) == 0x0 03235 1256 NtSetEventBoostPriority ... ) == 0x0 03240 1232 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03241 1196 NtWaitForSingleObject (184, 0, 0x0, ... 03201 1224 NtWaitForSingleObject ... ) == 0x0 03237 1192 NtSetEventBoostPriority ... ) == 0x0 03236 1244 NtRegisterThreadTerminatePort ... ) == 0x0 03242 1228 NtWaitForSingleObject (384, 0, 0x0, ... 03238 1252 NtTestAlert ... ) == 0x0 03243 1260 NtSetEventBoostPriority (36, ... 03244 1248 NtRegisterThreadTerminatePort (24, ... 03245 1184 NtWaitForSingleObject (100, 0, {0, 0}, ... 03246 1256 NtTestAlert (... 03240 1232 NtDuplicateObject ... 988, ) == 0x0 03247 1224 NtSetEventBoostPriority (384, ... 03248 1244 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02484 1268 NtWaitForSingleObject ... ) == 0x0 03243 1260 NtSetEventBoostPriority ... ) == 0x0 03249 1252 NtContinue (140180784, 1, ... 03244 1248 NtRegisterThreadTerminatePort ... ) == 0x0 03245 1184 NtWaitForSingleObject ... ) == 0x102 03246 1256 NtTestAlert ... 
) == 0x0 03242 1228 NtWaitForSingleObject ... ) == 0x0 03247 1224 NtSetEventBoostPriority ... ) == 0x0 03250 1232 NtWaitForSingleObject (384, 0, 0x0, ... 03251 1192 NtWaitForSingleObject (100, 0, {0, 0}, ... 03252 1268 NtSetEventBoostPriority (36, ... 03248 1244 NtDuplicateObject ... 992, ) == 0x0 03253 1252 NtRegisterThreadTerminatePort (24, ... 03254 1248 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03255 1184 NtWaitForSingleObject (184, 0, 0x0, ... 03256 1228 NtSetEventBoostPriority (384, ... 03257 1256 NtContinue (142277936, 1, ... 03258 1260 NtTestAlert (... 02491 708 NtWaitForSingleObject ... ) == 0x0 03252 1268 NtSetEventBoostPriority ... ) == 0x0 03251 1192 NtWaitForSingleObject ... ) == 0x102 03259 1244 NtWaitForSingleObject (384, 0, 0x0, ... 03253 1252 NtRegisterThreadTerminatePort ... ) == 0x0 03260 1224 NtWaitForSingleObject (100, 0, {0, 0}, ... 03250 1232 NtWaitForSingleObject ... ) == 0x0 03256 1228 NtSetEventBoostPriority ... ) == 0x0 03261 1256 NtRegisterThreadTerminatePort (24, ... 03262 708 NtSetEventBoostPriority (36, ... 03258 1260 NtTestAlert ... ) == 0x0 03254 1248 NtDuplicateObject ... 996, ) == 0x0 03263 1192 NtWaitForSingleObject (184, 0, 0x0, ... 03264 1252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03265 1232 NtSetEventBoostPriority (384, ... 03260 1224 NtWaitForSingleObject ... ) == 0x102 03266 1268 NtTestAlert (... 02500 1280 NtWaitForSingleObject ... ) == 0x0 03262 708 NtSetEventBoostPriority ... ) == 0x0 03261 1256 NtRegisterThreadTerminatePort ... ) == 0x0 03267 1260 NtContinue (144375088, 1, ... 03268 1248 NtWaitForSingleObject (384, 0, 0x0, ... 03269 1228 NtWaitForSingleObject (100, 0, {0, 0}, ... 03259 1244 NtWaitForSingleObject ... ) == 0x0 03265 1232 NtSetEventBoostPriority ... ) == 0x0 03270 1224 NtWaitForSingleObject (184, 0, 0x0, ... 03271 1280 NtSetEventBoostPriority (36, ... 03266 1268 NtTestAlert ... ) == 0x0 03264 1252 NtDuplicateObject ... 1000, ) == 0x0 03272 1256 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
03273 1260 NtRegisterThreadTerminatePort (24, ... 03274 1244 NtSetEventBoostPriority (384, ... 03269 1228 NtWaitForSingleObject ... ) == 0x102 03275 708 NtTestAlert (... 02507 1300 NtWaitForSingleObject ... ) == 0x0 03271 1280 NtSetEventBoostPriority ... ) == 0x0 03276 1268 NtContinue (146472240, 1, ... 03277 1252 NtWaitForSingleObject (384, 0, 0x0, ... 03278 1232 NtWaitForSingleObject (100, 0, {0, 0}, ... 03268 1248 NtWaitForSingleObject ... ) == 0x0 03274 1244 NtSetEventBoostPriority ... ) == 0x0 03273 1260 NtRegisterThreadTerminatePort ... ) == 0x0 03279 1228 NtWaitForSingleObject (184, 0, 0x0, ... 03280 1300 NtSetEventBoostPriority (36, ... 03275 708 NtTestAlert ... ) == 0x0 03272 1256 NtDuplicateObject ... 1004, ) == 0x0 03225 712 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 03281 1268 NtRegisterThreadTerminatePort (24, ... 03282 1248 NtSetEventBoostPriority (384, ... 03278 1232 NtWaitForSingleObject ... ) == 0x102 03283 1280 NtTestAlert (... 03284 1260 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02516 1272 NtWaitForSingleObject ... ) == 0x0 03280 1300 NtSetEventBoostPriority ... ) == 0x0 03285 708 NtContinue (148569392, 1, ... 03286 1256 NtWaitForSingleObject (384, 0, 0x0, ... 03287 712 NtCreateSection (0x5, 0x0, {46592, 0}, 2, 134217728, -2147482056, ... 03277 1252 NtWaitForSingleObject ... ) == 0x0 03282 1248 NtSetEventBoostPriority ... ) == 0x0 03281 1268 NtRegisterThreadTerminatePort ... ) == 0x0 03288 1232 NtWaitForSingleObject (184, 0, 0x0, ... 03283 1280 NtTestAlert ... ) == 0x0 03289 1244 NtWaitForSingleObject (100, 0, {0, 0}, ... 03290 1272 NtSetEventBoostPriority (36, ... 03284 1260 NtDuplicateObject ... 1008, ) == 0x0 03291 708 NtRegisterThreadTerminatePort (24, ... 03292 1300 NtTestAlert (... 03293 1252 NtSetEventBoostPriority (384, ... 03287 712 NtCreateSection ... 1012, ) == 0x0 03294 1268 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03295 1280 NtContinue (150666544, 1, ... 02523 1296 NtWaitForSingleObject ... 
) == 0x0 03290 1272 NtSetEventBoostPriority ... ) == 0x0 03289 1244 NtWaitForSingleObject ... ) == 0x102 03296 1260 NtWaitForSingleObject (384, 0, 0x0, ... 03291 708 NtRegisterThreadTerminatePort ... ) == 0x0 03286 1256 NtWaitForSingleObject ... ) == 0x0 03293 1252 NtSetEventBoostPriority ... ) == 0x0 03292 1300 NtTestAlert ... ) == 0x0 03297 712 NtMapViewOfSection (1012, -1, (0x0), 0, 0, {0, 0}, 46592, 2, 0, 2, ... 03298 1248 NtWaitForSingleObject (100, 0, {0, 0}, ... 03299 1296 NtSetEventBoostPriority (36, ... 03300 1280 NtRegisterThreadTerminatePort (24, ... 03294 1268 NtDuplicateObject ... 1016, ) == 0x0 03301 1244 NtWaitForSingleObject (184, 0, 0x0, ... 03302 1256 NtSetEventBoostPriority (384, ... 03303 708 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03304 1272 NtTestAlert (... 03305 1300 NtContinue (152763696, 1, ... 03297 712 NtMapViewOfSection ... (0xef0000), {0, 0}, 49152, ) == 0x0 02532 1308 NtWaitForSingleObject ... ) == 0x0 03299 1296 NtSetEventBoostPriority ... ) == 0x0 03298 1248 NtWaitForSingleObject ... ) == 0x102 03300 1280 NtRegisterThreadTerminatePort ... ) == 0x0 03306 1268 NtWaitForSingleObject (384, 0, 0x0, ... 03296 1260 NtWaitForSingleObject ... ) == 0x0 03302 1256 NtSetEventBoostPriority ... ) == 0x0 03307 1252 NtWaitForSingleObject (100, 0, {0, 0}, ... 03304 1272 NtTestAlert ... ) == 0x0 03308 1300 NtRegisterThreadTerminatePort (24, ... 03309 1308 NtSetEventBoostPriority (36, ... 
03310 712 NtWriteFile (-2147482060, 0, 0, 0, (-2147482060, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\373\225\346S\277\364\210\0\277\364\210\0\277\364\210\0E\327\310\0\275\364\210\0\277\364\211\0$\364\210\0E\327\221\0\252\364\210\0e\327\225\0\275\364\210\0(\327\315\0\276\364\210\0e\327\224\0\251\364\210\0E\327\265\0\276\364\210\0Rich\277\364\210\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\08\204};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0H\0\0\0n\0\0\0\0\0\0\34F\0\0\0\20\0\0\0`\0\0\0\0\0\1\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\0\0\0\4\0\0\246\20\1\0\2\0\0\200\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0XJ\0\0\334\0\0\0\0p\0\0@f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\22\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0H\2\0\0\324\0\0\0\0\20\0\0H\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0jG\0\0\0\20\0\0\0H\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 46592, {0, 0}, 0, ... , 46592, {0, 0}, 0, ... 03303 708 NtDuplicateObject ... 1020, ) == 0x0 03311 1248 NtWaitForSingleObject (184, 0, 0x0, ... 03312 1280 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03313 1260 NtSetEventBoostPriority (384, ... 03314 1296 NtTestAlert (... 03307 1252 NtWaitForSingleObject ... ) == 0x102 03315 1272 NtContinue (154860848, 1, ... 02539 1316 NtWaitForSingleObject ... ) == 0x0 03309 1308 NtSetEventBoostPriority ... ) == 0x0 03308 1300 NtRegisterThreadTerminatePort ... ) == 0x0 03316 708 NtWaitForSingleObject (384, 0, 0x0, ... 03317 1256 NtWaitForSingleObject (100, 0, {0, 0}, ... 03306 1268 NtWaitForSingleObject ... ) == 0x0 03313 1260 NtSetEventBoostPriority ... ) == 0x0 03314 1296 NtTestAlert ... ) == 0x0 03318 1252 NtWaitForSingleObject (184, 0, 0x0, ... 03319 1316 NtSetEventBoostPriority (36, ... 
03320 1272 NtRegisterThreadTerminatePort (24, ... 03312 1280 NtDuplicateObject ... 1024, ) == 0x0 03321 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03322 1268 NtSetEventBoostPriority (384, ... 03317 1256 NtWaitForSingleObject ... ) == 0x102 03323 1308 NtTestAlert (... 03324 1296 NtContinue (156958000, 1, ... 02548 1332 NtWaitForSingleObject ... ) == 0x0 03319 1316 NtSetEventBoostPriority ... ) == 0x0 03320 1272 NtRegisterThreadTerminatePort ... ) == 0x0 03325 1280 NtWaitForSingleObject (384, 0, 0x0, ... 03326 1260 NtWaitForSingleObject (100, 0, {0, 0}, ... 03316 708 NtWaitForSingleObject ... ) == 0x0 03322 1268 NtSetEventBoostPriority ... ) == 0x0 03327 1256 NtWaitForSingleObject (184, 0, 0x0, ... 03323 1308 NtTestAlert ... ) == 0x0 03328 1332 NtSetEventBoostPriority (36, ... 03329 1296 NtRegisterThreadTerminatePort (24, ... 03321 1300 NtDuplicateObject ... 1028, ) == 0x0 03330 1272 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03331 708 NtSetEventBoostPriority (384, ... 03326 1260 NtWaitForSingleObject ... ) == 0x102 03332 1316 NtTestAlert (... 02555 1336 NtWaitForSingleObject ... ) == 0x0 03328 1332 NtSetEventBoostPriority ... ) == 0x0 03333 1308 NtContinue (159055152, 1, ... 03329 1296 NtRegisterThreadTerminatePort ... ) == 0x0 03334 1300 NtWaitForSingleObject (384, 0, 0x0, ... 03335 1268 NtWaitForSingleObject (100, 0, {0, 0}, ... 03325 1280 NtWaitForSingleObject ... ) == 0x0 03331 708 NtSetEventBoostPriority ... ) == 0x0 03336 1260 NtWaitForSingleObject (184, 0, 0x0, ... 03337 1336 NtSetEventBoostPriority (36, ... 03332 1316 NtTestAlert ... ) == 0x0 03330 1272 NtDuplicateObject ... 1032, ) == 0x0 03338 1308 NtRegisterThreadTerminatePort (24, ... 03339 1296 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03340 1280 NtSetEventBoostPriority (384, ... 03335 1268 NtWaitForSingleObject ... ) == 0x102 03341 1332 NtTestAlert (... 02564 1340 NtWaitForSingleObject ... ) == 0x0 03337 1336 NtSetEventBoostPriority ... ) == 0x0 03342 1316 NtContinue (161152304, 1, ... 
03343 1272 NtWaitForSingleObject (384, 0, 0x0, ... 03338 1308 NtRegisterThreadTerminatePort ... ) == 0x0 03344 708 NtWaitForSingleObject (100, 0, {0, 0}, ... 03334 1300 NtWaitForSingleObject ... ) == 0x0 03340 1280 NtSetEventBoostPriority ... ) == 0x0 03345 1268 NtWaitForSingleObject (184, 0, 0x0, ... 03346 1340 NtSetEventBoostPriority (36, ... 03341 1332 NtTestAlert ... ) == 0x0 03339 1296 NtDuplicateObject ... 1036, ) == 0x0 03347 1316 NtRegisterThreadTerminatePort (24, ... 03348 1308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03349 1300 NtSetEventBoostPriority (384, ... 03344 708 NtWaitForSingleObject ... ) == 0x102 03350 1336 NtTestAlert (... 02571 1328 NtWaitForSingleObject ... ) == 0x0 03346 1340 NtSetEventBoostPriority ... ) == 0x0 03351 1332 NtContinue (163249456, 1, ... 03352 1296 NtWaitForSingleObject (384, 0, 0x0, ... 03347 1316 NtRegisterThreadTerminatePort ... ) == 0x0 03353 1280 NtWaitForSingleObject (100, 0, {0, 0}, ... 03343 1272 NtWaitForSingleObject ... ) == 0x0 03349 1300 NtSetEventBoostPriority ... ) == 0x0 03354 708 NtWaitForSingleObject (184, 0, 0x0, ... 03355 1328 NtSetEventBoostPriority (36, ... 03350 1336 NtTestAlert ... ) == 0x0 03348 1308 NtDuplicateObject ... 1040, ) == 0x0 03356 1332 NtRegisterThreadTerminatePort (24, ... 03357 1316 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03358 1272 NtSetEventBoostPriority (384, ... 03353 1280 NtWaitForSingleObject ... ) == 0x102 03359 1340 NtTestAlert (... 02580 1312 NtWaitForSingleObject ... ) == 0x0 03355 1328 NtSetEventBoostPriority ... ) == 0x0 03360 1336 NtContinue (165346608, 1, ... 03361 1308 NtWaitForSingleObject (384, 0, 0x0, ... 03356 1332 NtRegisterThreadTerminatePort ... ) == 0x0 03362 1300 NtWaitForSingleObject (100, 0, {0, 0}, ... 03352 1296 NtWaitForSingleObject ... ) == 0x0 03358 1272 NtSetEventBoostPriority ... ) == 0x0 03363 1280 NtWaitForSingleObject (184, 0, 0x0, ... 03364 1312 NtSetEventBoostPriority (36, ... 03359 1340 NtTestAlert ... 
) == 0x0 03357 1316 NtDuplicateObject ... 1044, ) == 0x0 03365 1336 NtRegisterThreadTerminatePort (24, ... 03366 1332 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03367 1296 NtSetEventBoostPriority (384, ... 03362 1300 NtWaitForSingleObject ... ) == 0x102 03368 1328 NtTestAlert (... 02587 1348 NtWaitForSingleObject ... ) == 0x0 03364 1312 NtSetEventBoostPriority ... ) == 0x0 03369 1340 NtContinue (167443760, 1, ... 03370 1316 NtWaitForSingleObject (384, 0, 0x0, ... 03365 1336 NtRegisterThreadTerminatePort ... ) == 0x0 03371 1272 NtWaitForSingleObject (100, 0, {0, 0}, ... 03361 1308 NtWaitForSingleObject ... ) == 0x0 03367 1296 NtSetEventBoostPriority ... ) == 0x0 03372 1300 NtWaitForSingleObject (184, 0, 0x0, ... 03373 1348 NtSetEventBoostPriority (36, ... 03368 1328 NtTestAlert ... ) == 0x0 03366 1332 NtDuplicateObject ... 1048, ) == 0x0 03374 1340 NtRegisterThreadTerminatePort (24, ... 03375 1336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03376 1308 NtSetEventBoostPriority (384, ... 03371 1272 NtWaitForSingleObject ... ) == 0x102 03377 1312 NtTestAlert (... 02596 1324 NtWaitForSingleObject ... ) == 0x0 03373 1348 NtSetEventBoostPriority ... ) == 0x0 03378 1328 NtContinue (169540912, 1, ... 03379 1332 NtWaitForSingleObject (384, 0, 0x0, ... 03374 1340 NtRegisterThreadTerminatePort ... ) == 0x0 03380 1296 NtWaitForSingleObject (100, 0, {0, 0}, ... 03370 1316 NtWaitForSingleObject ... ) == 0x0 03376 1308 NtSetEventBoostPriority ... ) == 0x0 03381 1272 NtWaitForSingleObject (184, 0, 0x0, ... 03382 1324 NtAllocateVirtualMemory (-1, 13201408, 0, 4096, 4096, 4, ... 03377 1312 NtTestAlert ... ) == 0x0 03375 1336 NtDuplicateObject ... 1052, ) == 0x0 03383 1328 NtRegisterThreadTerminatePort (24, ... 03384 1340 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03385 1316 NtSetEventBoostPriority (384, ... 03380 1296 NtWaitForSingleObject ... ) == 0x102 03386 1348 NtTestAlert (... 03382 1324 NtAllocateVirtualMemory ... 
13201408, 4096, ) == 0x0 03387 1312 NtContinue (171638064, 1, ... 03388 1336 NtWaitForSingleObject (384, 0, 0x0, ... 03383 1328 NtRegisterThreadTerminatePort ... ) == 0x0 03389 1308 NtWaitForSingleObject (100, 0, {0, 0}, ... 03379 1332 NtWaitForSingleObject ... ) == 0x0 03385 1316 NtSetEventBoostPriority ... ) == 0x0 03390 1296 NtWaitForSingleObject (184, 0, 0x0, ... 03386 1348 NtTestAlert ... ) == 0x0 03384 1340 NtDuplicateObject ... 1056, ) == 0x0 03391 1312 NtRegisterThreadTerminatePort (24, ... 03392 1328 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03393 1332 NtSetEventBoostPriority (384, ... 03389 1308 NtWaitForSingleObject ... ) == 0x102 03394 1324 NtSetEventBoostPriority (36, ... 03395 1348 NtContinue (173735216, 1, ... 03396 1340 NtWaitForSingleObject (384, 0, 0x0, ... 03391 1312 NtRegisterThreadTerminatePort ... ) == 0x0 03397 1316 NtWaitForSingleObject (100, 0, {0, 0}, ... 03388 1336 NtWaitForSingleObject ... ) == 0x0 03393 1332 NtSetEventBoostPriority ... ) == 0x0 03398 1308 NtWaitForSingleObject (184, 0, 0x0, ... 02603 1352 NtWaitForSingleObject ... ) == 0x0 03394 1324 NtSetEventBoostPriority ... ) == 0x0 03399 1348 NtRegisterThreadTerminatePort (24, ... 03400 1312 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03401 1336 NtSetEventBoostPriority (384, ... 03397 1316 NtWaitForSingleObject ... ) == 0x102 03392 1328 NtDuplicateObject ... 1060, ) == 0x0 03402 1352 NtSetEventBoostPriority (36, ... 03403 1324 NtTestAlert (... 03399 1348 NtRegisterThreadTerminatePort ... ) == 0x0 03404 1332 NtWaitForSingleObject (100, 0, {0, 0}, ... 03396 1340 NtWaitForSingleObject ... ) == 0x0 03401 1336 NtSetEventBoostPriority ... ) == 0x0 03405 1316 NtWaitForSingleObject (184, 0, 0x0, ... 02612 1156 NtWaitForSingleObject ... ) == 0x0 03402 1352 NtSetEventBoostPriority ... ) == 0x0 03406 1328 NtWaitForSingleObject (384, 0, 0x0, ... 03403 1324 NtTestAlert ... ) == 0x0 03407 1348 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03408 1340 NtSetEventBoostPriority (384, ... 
03404 1332 NtWaitForSingleObject ... ) == 0x102 03400 1312 NtDuplicateObject ... 1064, ) == 0x0 03409 1156 NtSetEventBoostPriority (36, ... 03410 1336 NtWaitForSingleObject (100, 0, {0, 0}, ... 03411 1324 NtContinue (175832368, 1, ... 03412 1352 NtTestAlert (... 03406 1328 NtWaitForSingleObject ... ) == 0x0 03408 1340 NtSetEventBoostPriority ... ) == 0x0 03413 1332 NtWaitForSingleObject (184, 0, 0x0, ... 02619 1440 NtWaitForSingleObject ... ) == 0x0 03409 1156 NtSetEventBoostPriority ... ) == 0x0 03414 1312 NtWaitForSingleObject (384, 0, 0x0, ... 03410 1336 NtWaitForSingleObject ... ) == 0x102 03415 1324 NtRegisterThreadTerminatePort (24, ... 03416 1328 NtSetEventBoostPriority (384, ... 03412 1352 NtTestAlert ... ) == 0x0 03407 1348 NtDuplicateObject ... 1068, ) == 0x0 03417 1440 NtSetEventBoostPriority (36, ... 03418 1340 NtWaitForSingleObject (100, 0, {0, 0}, ... 03419 1336 NtWaitForSingleObject (184, 0, 0x0, ... 03420 1156 NtTestAlert (... 03414 1312 NtWaitForSingleObject ... ) == 0x0 03416 1328 NtSetEventBoostPriority ... ) == 0x0 03421 1352 NtContinue (177929520, 1, ... 02628 1464 NtWaitForSingleObject ... ) == 0x0 03417 1440 NtSetEventBoostPriority ... ) == 0x0 03422 1348 NtWaitForSingleObject (384, 0, 0x0, ... 03418 1340 NtWaitForSingleObject ... ) == 0x102 03423 1312 NtSetEventBoostPriority (384, ... 03420 1156 NtTestAlert ... ) == 0x0 03415 1324 NtRegisterThreadTerminatePort ... ) == 0x0 03424 1464 NtSetEventBoostPriority (36, ... 03425 1352 NtRegisterThreadTerminatePort (24, ... 03426 1328 NtWaitForSingleObject (100, 0, {0, 0}, ... 03422 1348 NtWaitForSingleObject ... ) == 0x0 03423 1312 NtSetEventBoostPriority ... ) == 0x0 03427 1340 NtWaitForSingleObject (184, 0, 0x0, ... 03428 1156 NtContinue (180026672, 1, ... 02635 1220 NtWaitForSingleObject ... ) == 0x0 03424 1464 NtSetEventBoostPriority ... ) == 0x0 03429 1324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03425 1352 NtRegisterThreadTerminatePort ... 
) == 0x0 03430 1348 NtWaitForSingleObject (100, 0, {0, 0}, ... 03426 1328 NtWaitForSingleObject ... ) == 0x102 03431 1440 NtTestAlert (... 03432 1220 NtSetEventBoostPriority (36, ... 03433 1156 NtRegisterThreadTerminatePort (24, ... 03434 1312 NtWaitForSingleObject (100, 0, {0, 0}, ... 03429 1324 NtDuplicateObject ... 1072, ) == 0x0 03435 1352 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03436 1328 NtAllocateVirtualMemory (-1, 4636672, 0, 4096, 4096, 4, ... 02644 1468 NtWaitForSingleObject ... ) == 0x0 03432 1220 NtSetEventBoostPriority ... ) == 0x0 03431 1440 NtTestAlert ... ) == 0x0 03433 1156 NtRegisterThreadTerminatePort ... ) == 0x0 03434 1312 NtWaitForSingleObject ... ) == 0x102 03437 1324 NtWaitForSingleObject (348, 0, 0x0, ... 03438 1464 NtTestAlert (... 03430 1348 NtWaitForSingleObject ... ) == 0x102 03439 1468 NtWaitForSingleObject (348, 0, 0x0, ... 03436 1328 NtAllocateVirtualMemory ... 4636672, 4096, ) == 0x0 03435 1352 NtDuplicateObject ... 1076, ) == 0x0 03440 1440 NtContinue (182123824, 1, ... 03441 1156 NtWaitForSingleObject (348, 0, 0x0, ... 03442 1312 NtWaitForSingleObject (348, 0, 0x0, ... 03438 1464 NtTestAlert ... ) == 0x0 03443 1348 NtWaitForSingleObject (348, 0, 0x0, ... 03444 1328 NtSetEventBoostPriority (348, ... 03445 1352 NtWaitForSingleObject (348, 0, 0x0, ... 03446 1440 NtRegisterThreadTerminatePort (24, ... 03447 1220 NtTestAlert (... 03448 1464 NtContinue (184220976, 1, ... 03446 1440 NtRegisterThreadTerminatePort ... ) == 0x0 03447 1220 NtTestAlert ... ) == 0x0 03449 1464 NtRegisterThreadTerminatePort (24, ... 03450 1440 NtWaitForSingleObject (348, 0, 0x0, ... 03451 1220 NtContinue (186318128, 1, ... 03449 1464 NtRegisterThreadTerminatePort ... ) == 0x0 03437 1324 NtWaitForSingleObject ... ) == 0x0 03444 1328 NtSetEventBoostPriority ... ) == 0x0 03452 1220 NtRegisterThreadTerminatePort (24, ... 03453 1464 NtWaitForSingleObject (348, 0, 0x0, ... 03454 1324 NtSetEventBoostPriority (348, ... 
03455 1328 NtWaitForSingleObject (184, 0, 0x0, ... 03452 1220 NtRegisterThreadTerminatePort ... ) == 0x0 03439 1468 NtWaitForSingleObject ... ) == 0x0 03454 1324 NtSetEventBoostPriority ... ) == 0x0 03456 1468 NtSetEventBoostPriority (348, ... 03457 1220 NtWaitForSingleObject (348, 0, 0x0, ... 03442 1312 NtWaitForSingleObject ... ) == 0x0 03456 1468 NtSetEventBoostPriority ... ) == 0x0 03458 1324 NtWaitForSingleObject (348, 0, 0x0, ... 03459 1312 NtSetEventBoostPriority (348, ... 03443 1348 NtWaitForSingleObject ... ) == 0x0 03460 1348 NtSetEventBoostPriority (348, ... 03441 1156 NtWaitForSingleObject ... ) == 0x0 03461 1156 NtSetEventBoostPriority (348, ... 03445 1352 NtWaitForSingleObject ... ) == 0x0 03462 1352 NtSetEventBoostPriority (348, ... 03450 1440 NtWaitForSingleObject ... ) == 0x0 03463 1440 NtSetEventBoostPriority (348, ... 03453 1464 NtWaitForSingleObject ... ) == 0x0 03464 1464 NtSetEventBoostPriority (348, ... 03457 1220 NtWaitForSingleObject ... ) == 0x0 03465 1220 NtSetEventBoostPriority (348, ... ) == 0x0 03466 1220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 1080, ) == 0x0 03462 1352 NtSetEventBoostPriority ... ) == 0x0 03460 1348 NtSetEventBoostPriority ... ) == 0x0 03459 1312 NtSetEventBoostPriority ... ) == 0x0 03458 1324 NtWaitForSingleObject ... ) == 0x0 03464 1464 NtSetEventBoostPriority ... ) == 0x0 03463 1440 NtSetEventBoostPriority ... ) == 0x0 03461 1156 NtSetEventBoostPriority ... ) == 0x0 03467 1468 NtSetEventBoostPriority (36, ... 03468 1220 NtWaitForSingleObject (348, 0, 0x0, ... 03469 1352 NtWaitForSingleObject (348, 0, 0x0, ... 03470 1348 NtWaitForSingleObject (184, 0, 0x0, ... 03471 1324 NtSetEventBoostPriority (348, ... 03472 1464 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03473 1440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03474 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02651 1472 NtWaitForSingleObject ... ) == 0x0 03467 1468 NtSetEventBoostPriority ... ) == 0x0 03468 1220 NtWaitForSingleObject ... 
) == 0x0 03471 1324 NtSetEventBoostPriority ... ) == 0x0 03472 1464 NtDuplicateObject ... 1084, ) == 0x0 03473 1440 NtDuplicateObject ... 1088, ) == 0x0 03475 1472 NtWaitForSingleObject (348, 0, 0x0, ... 03474 1156 NtDuplicateObject ... 1092, ) == 0x0 03476 1220 NtSetEventBoostPriority (348, ... 03477 1468 NtTestAlert (... 03478 1324 NtWaitForSingleObject (348, 0, 0x0, ... 03479 1312 NtWaitForSingleObject (184, 0, 0x0, ... 03480 1464 NtWaitForSingleObject (348, 0, 0x0, ... 03481 1440 NtWaitForSingleObject (348, 0, 0x0, ... 03469 1352 NtWaitForSingleObject ... ) == 0x0 03476 1220 NtSetEventBoostPriority ... ) == 0x0 03477 1468 NtTestAlert ... ) == 0x0 03482 1156 NtWaitForSingleObject (348, 0, 0x0, ... 03483 1352 NtSetEventBoostPriority (348, ... 03484 1220 NtWaitForSingleObject (348, 0, 0x0, ... 03485 1468 NtContinue (188415280, 1, ... 03475 1472 NtWaitForSingleObject ... ) == 0x0 03483 1352 NtSetEventBoostPriority ... ) == 0x0 03486 1472 NtSetEventBoostPriority (348, ... 03487 1468 NtRegisterThreadTerminatePort (24, ... 03480 1464 NtWaitForSingleObject ... ) == 0x0 03486 1472 NtSetEventBoostPriority ... ) == 0x0 03488 1352 NtWaitForSingleObject (348, 0, 0x0, ... 03489 1464 NtSetEventBoostPriority (348, ... 03487 1468 NtRegisterThreadTerminatePort ... ) == 0x0 03490 1472 NtSetEventBoostPriority (36, ... 03481 1440 NtWaitForSingleObject ... ) == 0x0 03489 1464 NtSetEventBoostPriority ... ) == 0x0 03491 1468 NtWaitForSingleObject (348, 0, 0x0, ... 03492 1440 NtSetEventBoostPriority (348, ... 02660 1476 NtWaitForSingleObject ... ) == 0x0 03490 1472 NtSetEventBoostPriority ... ) == 0x0 03493 1464 NtWaitForSingleObject (348, 0, 0x0, ... 03482 1156 NtWaitForSingleObject ... ) == 0x0 03494 1476 NtWaitForSingleObject (348, 0, 0x0, ... 03492 1440 NtSetEventBoostPriority ... ) == 0x0 03495 1472 NtTestAlert (... 03496 1156 NtSetEventBoostPriority (348, ... 03497 1440 NtWaitForSingleObject (348, 0, 0x0, ... 03478 1324 NtWaitForSingleObject ... 
) == 0x0 03496 1156 NtSetEventBoostPriority ... ) == 0x0 03495 1472 NtTestAlert ... ) == 0x0 03498 1324 NtSetEventBoostPriority (348, ... 03499 1156 NtWaitForSingleObject (348, 0, 0x0, ... 03484 1220 NtWaitForSingleObject ... ) == 0x0 03500 1472 NtContinue (190512432, 1, ... 03498 1324 NtSetEventBoostPriority ... ) == 0x0 03501 1220 NtSetEventBoostPriority (348, ... 03502 1472 NtRegisterThreadTerminatePort (24, ... 03503 1324 NtWaitForSingleObject (348, 0, 0x0, ... 03491 1468 NtWaitForSingleObject ... ) == 0x0 03501 1220 NtSetEventBoostPriority ... ) == 0x0 03504 1468 NtSetEventBoostPriority (348, ... 03505 1220 NtWaitForSingleObject (348, 0, 0x0, ... 03488 1352 NtWaitForSingleObject ... ) == 0x0 03504 1468 NtSetEventBoostPriority ... ) == 0x0 03506 1352 NtSetEventBoostPriority (348, ... 03502 1472 NtRegisterThreadTerminatePort ... ) == 0x0 03494 1476 NtWaitForSingleObject ... ) == 0x0 03507 1476 NtSetEventBoostPriority (348, ... 03493 1464 NtWaitForSingleObject ... ) == 0x0 03508 1464 NtSetEventBoostPriority (348, ... 03497 1440 NtWaitForSingleObject ... ) == 0x0 03509 1440 NtSetEventBoostPriority (348, ... 03499 1156 NtWaitForSingleObject ... ) == 0x0 03510 1156 NtSetEventBoostPriority (348, ... 03503 1324 NtWaitForSingleObject ... ) == 0x0 03511 1324 NtSetEventBoostPriority (348, ... 03505 1220 NtWaitForSingleObject ... ) == 0x0 03512 1220 NtWaitForSingleObject (384, 0, 0x0, ... 03511 1324 NtSetEventBoostPriority ... ) == 0x0 03507 1476 NtSetEventBoostPriority ... ) == 0x0 03513 1472 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03510 1156 NtSetEventBoostPriority ... ) == 0x0 03509 1440 NtSetEventBoostPriority ... ) == 0x0 03508 1464 NtSetEventBoostPriority ... ) == 0x0 03506 1352 NtSetEventBoostPriority ... ) == 0x0 03514 1468 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03515 1324 NtSetEventBoostPriority (384, ... 03513 1472 NtDuplicateObject ... 1096, ) == 0x0 03516 1156 NtWaitForSingleObject (384, 0, 0x0, ... 
03517 1440 NtWaitForSingleObject (384, 0, 0x0, ... 03518 1464 NtWaitForSingleObject (384, 0, 0x0, ... 03519 1352 NtWaitForSingleObject (384, 0, 0x0, ... 03514 1468 NtDuplicateObject ... 1100, ) == 0x0 03512 1220 NtWaitForSingleObject ... ) == 0x0 03515 1324 NtSetEventBoostPriority ... ) == 0x0 03520 1472 NtWaitForSingleObject (384, 0, 0x0, ... 03521 1220 NtSetEventBoostPriority (384, ... 03522 1468 NtWaitForSingleObject (384, 0, 0x0, ... 03523 1324 NtWaitForSingleObject (100, 0, {0, 0}, ... 03516 1156 NtWaitForSingleObject ... ) == 0x0 03521 1220 NtSetEventBoostPriority ... ) == 0x0 03524 1156 NtSetEventBoostPriority (384, ... 03523 1324 NtWaitForSingleObject ... ) == 0x102 03525 1476 NtSetEventBoostPriority (36, ... 03517 1440 NtWaitForSingleObject ... ) == 0x0 03524 1156 NtSetEventBoostPriority ... ) == 0x0 03526 1324 NtWaitForSingleObject (184, 0, 0x0, ... 03527 1440 NtSetEventBoostPriority (384, ... 02667 1480 NtWaitForSingleObject ... ) == 0x0 03525 1476 NtSetEventBoostPriority ... ) == 0x0 03528 1220 NtWaitForSingleObject (100, 0, {0, 0}, ... 03529 1156 NtWaitForSingleObject (100, 0, {0, 0}, ... 03518 1464 NtWaitForSingleObject ... ) == 0x0 03530 1480 NtSetEventBoostPriority (36, ... 03527 1440 NtSetEventBoostPriority ... ) == 0x0 03531 1476 NtTestAlert (... 03528 1220 NtWaitForSingleObject ... ) == 0x102 03532 1464 NtSetEventBoostPriority (384, ... 02676 1484 NtWaitForSingleObject ... ) == 0x0 03530 1480 NtSetEventBoostPriority ... ) == 0x0 03529 1156 NtWaitForSingleObject ... ) == 0x102 03531 1476 NtTestAlert ... ) == 0x0 03519 1352 NtWaitForSingleObject ... ) == 0x0 03533 1484 NtSetEventBoostPriority (36, ... 03532 1464 NtSetEventBoostPriority ... ) == 0x0 03534 1220 NtWaitForSingleObject (184, 0, 0x0, ... 03535 1440 NtWaitForSingleObject (100, 0, {0, 0}, ... 03536 1156 NtWaitForSingleObject (184, 0, 0x0, ... 03537 1352 NtSetEventBoostPriority (384, ... 02683 1356 NtWaitForSingleObject ... ) == 0x0 03533 1484 NtSetEventBoostPriority ... 
) == 0x0 03538 1476 NtContinue (192609584, 1, ... 03539 1480 NtTestAlert (... 03535 1440 NtWaitForSingleObject ... ) == 0x102 03520 1472 NtWaitForSingleObject ... ) == 0x0 03540 1356 NtSetEventBoostPriority (36, ... 03537 1352 NtSetEventBoostPriority ... ) == 0x0 03541 1464 NtWaitForSingleObject (100, 0, {0, 0}, ... 03542 1476 NtRegisterThreadTerminatePort (24, ... 03539 1480 NtTestAlert ... ) == 0x0 03543 1472 NtSetEventBoostPriority (384, ... 02692 1492 NtWaitForSingleObject ... ) == 0x0 03540 1356 NtSetEventBoostPriority ... ) == 0x0 03544 1440 NtWaitForSingleObject (184, 0, 0x0, ... 03545 1484 NtTestAlert (... 03541 1464 NtWaitForSingleObject ... ) == 0x102 03546 1352 NtWaitForSingleObject (100, 0, {0, 0}, ... 03522 1468 NtWaitForSingleObject ... ) == 0x0 03547 1492 NtSetEventBoostPriority (36, ... 03543 1472 NtSetEventBoostPriority ... ) == 0x0 03548 1480 NtContinue (194706736, 1, ... 03542 1476 NtRegisterThreadTerminatePort ... ) == 0x0 03545 1484 NtTestAlert ... ) == 0x0 03549 1464 NtWaitForSingleObject (184, 0, 0x0, ... 03550 1468 NtWaitForSingleObject (100, 0, {0, 0}, ... 02699 780 NtWaitForSingleObject ... ) == 0x0 03547 1492 NtSetEventBoostPriority ... ) == 0x0 03546 1352 NtWaitForSingleObject ... ) == 0x102 03551 1356 NtTestAlert (... 03552 1480 NtRegisterThreadTerminatePort (24, ... 03553 1476 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03554 1484 NtContinue (196803888, 1, ... 03555 780 NtSetEventBoostPriority (36, ... 03556 1472 NtWaitForSingleObject (100, 0, {0, 0}, ... 03550 1468 NtWaitForSingleObject ... ) == 0x102 03557 1352 NtWaitForSingleObject (184, 0, 0x0, ... 03551 1356 NtTestAlert ... ) == 0x0 03552 1480 NtRegisterThreadTerminatePort ... ) == 0x0 03553 1476 NtDuplicateObject ... 1104, ) == 0x0 02708 1500 NtWaitForSingleObject ... ) == 0x0 03555 780 NtSetEventBoostPriority ... ) == 0x0 03558 1484 NtRegisterThreadTerminatePort (24, ... 03556 1472 NtWaitForSingleObject ... ) == 0x102 03559 1468 NtWaitForSingleObject (184, 0, 0x0, ... 
03560 1356 NtContinue (198901040, 1, ... 03561 1480 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03562 1500 NtSetEventBoostPriority (36, ... 03563 1476 NtAllocateVirtualMemory (-1, 4640768, 0, 4096, 4096, 4, ... 03564 1492 NtTestAlert (... 03558 1484 NtRegisterThreadTerminatePort ... ) == 0x0 03565 1472 NtWaitForSingleObject (348, 0, 0x0, ... 03566 1356 NtRegisterThreadTerminatePort (24, ... 03567 780 NtTestAlert (... 02715 1504 NtWaitForSingleObject ... ) == 0x0 03562 1500 NtSetEventBoostPriority ... ) == 0x0 03563 1476 NtAllocateVirtualMemory ... 4640768, 4096, ) == 0x0 03564 1492 NtTestAlert ... ) == 0x0 03568 1484 NtWaitForSingleObject (348, 0, 0x0, ... 03566 1356 NtRegisterThreadTerminatePort ... ) == 0x0 03569 1504 NtWaitForSingleObject (348, 0, 0x0, ... 03567 780 NtTestAlert ... ) == 0x0 03561 1480 NtDuplicateObject ... 1108, ) == 0x0 03570 1476 NtSetEventBoostPriority (348, ... 03571 1492 NtContinue (200998192, 1, ... 03572 1500 NtTestAlert (... 03573 1356 NtWaitForSingleObject (348, 0, 0x0, ... 03574 780 NtContinue (203095344, 1, ... 03575 1480 NtWaitForSingleObject (348, 0, 0x0, ... 03576 1492 NtRegisterThreadTerminatePort (24, ... 03572 1500 NtTestAlert ... ) == 0x0 03565 1472 NtWaitForSingleObject ... ) == 0x0 03570 1476 NtSetEventBoostPriority ... ) == 0x0 03577 780 NtRegisterThreadTerminatePort (24, ... 03576 1492 NtRegisterThreadTerminatePort ... ) == 0x0 03578 1500 NtContinue (205192496, 1, ... 03579 1472 NtSetEventBoostPriority (348, ... 03580 1476 NtWaitForSingleObject (348, 0, 0x0, ... 03577 780 NtRegisterThreadTerminatePort ... ) == 0x0 03581 1492 NtWaitForSingleObject (348, 0, 0x0, ... 03582 1500 NtRegisterThreadTerminatePort (24, ... 03569 1504 NtWaitForSingleObject ... ) == 0x0 03579 1472 NtSetEventBoostPriority ... ) == 0x0 03583 780 NtWaitForSingleObject (348, 0, 0x0, ... 03584 1504 NtSetEventBoostPriority (348, ... 03582 1500 NtRegisterThreadTerminatePort ... ) == 0x0 03585 1472 NtWaitForSingleObject (184, 0, 0x0, ... 
03568 1484 NtWaitForSingleObject ... ) == 0x0 03584 1504 NtSetEventBoostPriority ... ) == 0x0 03586 1500 NtWaitForSingleObject (348, 0, 0x0, ... 03587 1484 NtSetEventBoostPriority (348, ...