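Summary (number of calls per system call, in ascending order of count reading down each of the four columns):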

NtAccessCheck(>) 1 NtQuerySystemTime(>) 2 NtSetValueKey(>) 4 NtCreateKey(>) 29
NtAddAtom(>) 1 NtQueryVirtualMemory(>) 2 NtUserMessageCall(>) 4 NtOpenSection(>) 30
NtEnumerateValueKey(>) 1 NtReadFile(>) 2 NtGdiExtGetObjectW(>) 5 NtUserGetWindowDC(>) 33
NtFsControlFile(>) 1 NtReleaseSemaphore(>) 2 NtGdiGetStockObject(>) 5 NtUserCallOneParam(>) 37
NtGdiBitBlt(>) 1 NtUserCreateWindowEx(>) 2 NtQueryVolumeInformationFile(>) 5 NtUserGetClassInfo(>) 37
NtGdiCreateCompatibleBitmap(>) 1 NtUserGetAncestor(>) 2 NtSetInformationFile(>) 5 NtOpenFile(>) 38
NtGdiCreateDIBitmapInternal(>) 1 NtUserGetClassName(>) 2 NtWriteFile(>) 5 NtMapViewOfSection(>) 49
NtGdiInit(>) 1 NtUserGetGUIThreadInfo(>) 2 NtCreateMutant(>) 6 NtUserFindExistingCursorIcon(>) 51
NtGdiQueryFontAssocInfo(>) 1 NtUserGetIconInfo(>) 2 NtQueryDefaultUILanguage(>) 6 NtQueryAttributesFile(>) 61
NtOpenKeyedEvent(>) 1 NtUserGetProcessWindowStation(>) 2 NtUserGetObjectInformation(>) 6 NtUserRegisterClassExWOW(>) 65
NtOpenProcess(>) 1 NtUserRemoveProp(>) 2 NtGdiDeleteObjectApp(>) 7 NtContinue(>) 68
NtOpenSymbolicLinkObject(>) 1 NtUserSetProp(>) 2 NtUserCallNoParam(>) 7 NtResumeThread(>) 104
NtQueryObject(>) 1 NtUserSetWindowPos(>) 2 NtFlushInstructionCache(>) 8 NtCreateThread(>) 106
NtQuerySymbolicLinkObject(>) 1 NtFreeVirtualMemory(>) 3 NtOpenProcessTokenEx(>) 8 NtCreateEvent(>) 110
NtSecureConnectPort(>) 1 NtGdiCreatePatternBrushInternal(>) 3 NtQueryDebugFilterState(>) 8 NtQueryInformationThread(>) 112
NtSetEvent(>) 1 NtGdiDoPalette(>) 3 NtCreateFile(>) 9 NtProtectVirtualMemory(>) 121
NtSetInformationThread(>) 1 NtGdiGetDIBitsInternal(>) 3 NtOpenThreadTokenEx(>) 9 NtRegisterThreadTerminatePort(>) 130
NtUserGetIconSize(>) 1 NtGdiStretchDIBitsInternal(>) 3 NtConnectPort(>) 10 NtTestAlert(>) 130
NtUserSetCursorIconData(>) 1 NtOpenProcessToken(>) 3 NtGdiSelectBitmap(>) 10 NtOpenKey(>) 138
NtCallbackReturn(>) 2 NtQueryDefaultLocale(>) 3 NtQueryInformationToken(>) 11 NtDuplicateObject(>) 149
NtCreateSemaphore(>) 2 NtQueryInformationProcess(>) 3 NtUserSystemParametersInfo(>) 12 NtRequestWaitReplyPort(>) 156
NtGdiCreateBitmap(>) 2 NtSetInformationObject(>) 3 NtQueryInformationFile(>) 13 NtOpenMutant(>) 200
NtGdiCreateSolidBrush(>) 2 NtUserGetDC(>) 3 NtUnmapViewOfSection(>) 13 NtClose(>) 206
NtNotifyChangeKey(>) 2 NtUserGetThreadDesktop(>) 3 NtQuerySection(>) 15 NtQueryValueKey(>) 232
NtOpenDirectoryObject(>) 2 NtUserRegisterWindowMessage(>) 3 NtDeviceIoControlFile(>) 16 NtAllocateVirtualMemory(>) 377
NtOpenEvent(>) 2 NtDelayExecution(>) 4 NtQueryDirectoryFile(>) 18 NtSetEventBoostPriority(>) 827
NtOpenThreadToken(>) 2 NtGdiCreateCompatibleDC(>) 4 NtCreateSection(>) 26 NtWaitForSingleObject(>) 1014
NtQueryInstallUILanguage(>) 2 NtGdiHfontCreate(>) 4 NtQuerySystemInformation(>) 28

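Trace (each entry: sequence number, thread ID, system call with its input arguments, then the output arguments after "...", and the returned status after "=="):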

00001 564 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 564 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 564 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 4521984, 2097152, ) == 0x0 00005 564 NtAllocateVirtualMemory (-1, 4521984, 0, 4096, 4096, 4, ... 4521984, 4096, ) == 0x0 00006 564 NtAllocateVirtualMemory (-1, 4526080, 0, 8192, 4096, 4, ... 4526080, 8192, ) == 0x0 00007 564 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 564 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 564 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 564 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 564 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 564 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 564 NtClose (12, ... 
) == 0x0 00014 564 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 564 NtQueryVolumeInformationFile (12, 2292424, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 564 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 564 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292408, ... ) }, 2292408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 564 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 564 NtClose (16, ... ) == 0x0 00021 564 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 564 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 564 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 564 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4531000, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 564 NtClose (16, ... ) == 0x0 00026 564 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 564 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 564 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 564 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 564 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 556, 564, 1506, 0} "\330\357\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 556, 564, 1506, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 556, 564, 1506, 0} "\330\357\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 564 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 564 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 564 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 564 NtClose (16, ... ) == 0x0 00036 564 NtAllocateVirtualMemory (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0 00037 564 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 564 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 564 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 564 NtClose (28, ... ) == 0x0 00041 564 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 564 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 564 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 564 NtClose (28, ... ) == 0x0 00045 564 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 564 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 564 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 564 NtClose (28, ... ) == 0x0 00049 564 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 564 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 564 NtClose (28, ... ) == 0x0 00052 564 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 564 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 564 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 556, 564, 1507, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 556, 564, 1507, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 556, 564, 1507, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 564 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00057 564 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... (0x409000), 69632, 4, ) == 0x0 00058 564 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00059 564 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 564 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 564 NtClose (28, ... ) == 0x0 00062 564 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 564 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 564 NtClose (28, ... ) == 0x0 00065 564 NtTestAlert (... ) == 0x0 00066 564 NtContinue (2293040, 1, ... 00067 564 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x41a000,}, 4, ... ) == 0x0 00068 564 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 564 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 564 NtClose (28, ... ) == 0x0 00071 564 NtAllocateVirtualMemory (-1, 4534272, 0, 4096, 4096, 4, ... 
4534272, 4096, ) == 0x0 00072 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "crtdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00073 564 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00074 564 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 564 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2291300, ... ) }, 2291300, ... ) == 0x0 00076 564 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00077 564 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00078 564 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00079 564 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00080 564 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00081 564 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00082 564 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00083 564 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 564 NtClose (40, ... ) == 0x0 00085 564 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00086 564 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
40, ) == 0x0 00087 564 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00088 564 NtClose (40, ... ) == 0x0 00089 564 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00090 564 NtClose (36, ... ) == 0x0 00091 564 NtClose (28, ... ) == 0x0 00092 564 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73d90000), 0x0, 159744, ) == 0x0 00093 564 NtClose (32, ... ) == 0x0 00094 564 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\crtdll.dll"}, 2288964, ... ) }, 2288964, ... ) == 0x0 00095 564 NtAllocateVirtualMemory (-1, 4538368, 0, 4096, 4096, 4, ... 4538368, 4096, ) == 0x0 00096 564 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00097 564 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 556, 564, 1517, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ... {40, 68, reply, 0, 556, 564, 1517, 0} (24, {40, 68, new_msg, 0, 6357092, 4539168, 5505056, 7143529} "\0\0\0\0\0\2\2\0D[\351w\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 556, 564, 1517, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00098 564 NtRequestWaitReplyPort (24, {40, 68, new_msg, 0, 556, 564, 1517, 0} (24, {40, 68, new_msg, 0, 556, 564, 1517, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 556, 564, 1518, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ... 
{40, 68, reply, 0, 556, 564, 1518, 0} (24, {40, 68, new_msg, 0, 556, 564, 1517, 0} "\0\0\0\0\0\2\2\0d[\351w\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ... {40, 68, reply, 0, 556, 564, 1518, 0} "\0\0\0\0\0\2\2\0\10\0\0\300\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0@\0\0\0\0\3\0\0\0\0\0\0\0" ) ) == 0x0 00099 564 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 32, ) }, ... 32, ) == 0x0 00100 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00103 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00106 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00109 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00110 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00112 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00114 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00115 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00118 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00120 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00121 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00122 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00123 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00124 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00125 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00131 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00133 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00134 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00135 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00136 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00137 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00138 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00139 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00141 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00143 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00144 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00146 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00147 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00148 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00149 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00150 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00151 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00152 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00153 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00155 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00156 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00157 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00158 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00159 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00161 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00162 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00163 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00164 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00165 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00166 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00167 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00169 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00170 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00171 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00172 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00173 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00175 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00180 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00182 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00183 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00185 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00186 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00187 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00188 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00190 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00191 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00194 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00195 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00196 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00198 564 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00199 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 6619136, 2097152, ) == 0x0 00200 564 NtAllocateVirtualMemory (-1, 8708096, 0, 8192, 4096, 4, ... 8708096, 8192, ) == 0x0 00201 564 NtProtectVirtualMemory (-1, (0x84e000), 4096, 260, ... 
(0x84e000), 4096, 4, ) == 0x0 00202 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292500, 2293216, 1, ... 28, {556, 572}, ) == 0x0 00203 564 NtQueryInformationThread (28, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=556,Tid=572,}, 0x0, ) == 0x0 00204 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} "\0\0\0\0\1\0\1\0p#E\0\0\0\0\0\34\0\0\0,\2\0\0<\2\0\0" ... {28, 56, reply, 0, 556, 564, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0,\2\0\0<\2\0\0" ) ... {28, 56, reply, 0, 556, 564, 1519, 0} (24, {28, 56, new_msg, 0, 4522094, 2012550769, 4527016, 2012550797} "\0\0\0\0\1\0\1\0p#E\0\0\0\0\0\34\0\0\0,\2\0\0<\2\0\0" ... {28, 56, reply, 0, 556, 564, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\0\0\0,\2\0\0<\2\0\0" ) ) == 0x0 00205 564 NtResumeThread (28, ... 1, ) == 0x0 00206 572 NtTestAlert (... ) == 0x0 00207 572 NtContinue (8715568, 1, ... 00208 572 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00209 564 NtContinue (2292976, 0, ... 00210 564 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00211 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00212 564 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00213 564 NtClose (36, ... ) == 0x0 00214 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00215 572 NtCreateEvent (0x100003, 0x0, 1, 0, ... 40, ) == 0x0 00216 572 NtWaitForSingleObject (40, 0, 0x0, ... 00217 564 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00218 564 NtClose (36, ... ) == 0x0 00219 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 36, ) }, ... 36, ) == 0x0 00220 564 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x77dd0000), 0x0, 569344, ) == 0x0 00221 564 NtClose (36, ... ) == 0x0 00222 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0 00223 564 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00224 564 NtClose (36, ... ) == 0x0 00225 564 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0 00226 564 NtQueryValueKey (36, (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00227 564 NtQueryValueKey (36, (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00228 564 NtClose (36, ... ) == 0x0 00229 564 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0 00230 564 NtQueryValueKey (36, (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00231 564 NtClose (36, ... ) == 0x0 00232 564 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0 00233 564 NtSetInformationObject (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00234 564 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 564 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00236 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0} "\210\6\31\1\0\0\0\0\314\4#\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 556, 564, 1520, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 556, 564, 1520, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 2294988, 0} "\210\6\31\1\0\0\0\0\314\4#\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 556, 564, 1520, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00237 564 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 564 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x850000), 0x0, 1060864, ) == 0x0 00239 564 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0 00240 564 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00241 564 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147481956, ) == 0x0 00242 564 NtQueryInformationToken (-2147481956, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00243 564 NtQueryInformationToken (-2147481956, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00244 564 NtClose (-2147481956, ... ) == 0x0 00245 564 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 9830400, 4096, ) == 0x0 00246 564 NtFreeVirtualMemory (-1, (0x960000), 4096, 32768, ... (0x960000), 4096, ) == 0x0 00247 564 NtDuplicateObject (-1, 52, -1, 0x0, 0, 2, ... 
60, ) == 0x0 00248 564 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00249 564 NtQueryValueKey (-2147481956, (-2147481956, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 564 NtClose (-2147481956, ... ) == 0x0 00251 564 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00252 564 NtQueryValueKey (-2147481956, (-2147481956, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 564 NtClose (-2147481956, ... ) == 0x0 00254 564 NtQueryDefaultLocale (0, -136443380, ... ) == 0x0 00255 564 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00256 564 NtUserCallNoParam (24, ... ) == 0x0 00257 564 NtGdiCreateCompatibleDC (0, ... 00258 564 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9830400, 4096, ) == 0x0 00257 564 NtGdiCreateCompatibleDC ... ) == 0x100103fd 00259 564 NtGdiGetStockObject (0, ... ) == 0x1900010 00260 564 NtGdiGetStockObject (4, ... ) == 0x1900011 00261 564 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x32050403 00262 564 NtGdiCreateSolidBrush (0, 0, ... 00263 564 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 13041664, 4096, ) == 0x0 00262 564 NtGdiCreateSolidBrush ... ) == 0x28100405 00264 564 NtGdiGetStockObject (13, ... ) == 0x18a0021 00265 564 NtGdiCreateCompatibleDC (0, ... ) == 0x47010406 00266 564 NtGdiSelectBitmap (1191248902, 839189507, ... ) == 0x185000f 00267 564 NtUserGetThreadDesktop (564, 0, ... ) == 0x38 00268 564 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 64, ) }, ... 
64, ) == 0x0 00269 564 NtQueryValueKey (64, (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00270 564 NtClose (64, ... ) == 0x0 00271 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00272 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 673, 128, 0, ... ) == 0x810dc017 00273 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00274 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 674, 128, 0, ... ) == 0x810dc01c 00275 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00276 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 675, 128, 0, ... ) == 0x810dc01e 00277 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00278 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 676, 128, 0, ... ) == 0x810d8002 00279 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10013 00280 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 677, 128, 0, ... ) == 0x810dc018 00281 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00282 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 678, 128, 0, ... ) == 0x810dc01a 00283 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00284 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 679, 128, 0, ... ) == 0x810dc01d 00285 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00286 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 681, 128, 0, ... ) == 0x810dc026 00287 564 NtUserFindExistingCursorIcon (2289388, 2289404, 2289972, ... ) == 0x10011 00288 564 NtUserRegisterClassExWOW (2289908, 2289988, 2289972, 2290004, 680, 128, 0, ... 
) == 0x810dc019 00289 564 NtUserRegisterClassExWOW (2289860, 2289940, 2289924, 2289956, 0, 128, 0, ... 00290 564 NtAllocateVirtualMemory (-1, 9990144, 0, 4096, 4096, 32, ... 9990144, 4096, ) == 0x0 00289 564 NtUserRegisterClassExWOW ... ) == 0x810dc020 00291 564 NtUserRegisterClassExWOW (2289860, 2289936, 2289952, 2289924, 0, 130, 0, ... ) == 0x810dc022 00292 564 NtUserRegisterClassExWOW (2289860, 2289940, 2289924, 2289956, 0, 128, 0, ... ) == 0x810dc023 00293 564 NtUserRegisterClassExWOW (2289860, 2289936, 2289952, 2289924, 0, 130, 0, ... ) == 0x810dc024 00294 564 NtUserRegisterClassExWOW (2289860, 2289940, 2289924, 2289956, 0, 128, 0, ... ) == 0x810dc025 00295 564 NtCallbackReturn (0, 0, 0, ... 00296 564 NtGdiInit (... ) == 0x1 00297 564 NtGdiGetStockObject (18, ... ) == 0x290001c 00298 564 NtGdiGetStockObject (19, ... ) == 0x1b00019 00299 564 NtSetEventBoostPriority (40, ... 00216 572 NtWaitForSingleObject ... ) == 0x0 00300 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00301 572 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00302 572 NtClose (64, ... ) == 0x0 00303 572 NtAllocateVirtualMemory (-1, 8704000, 0, 4096, 4096, 260, ... 8704000, 4096, ) == 0x0 00299 564 NtSetEventBoostPriority ... ) == 0x0 00304 564 NtWaitForSingleObject (40, 0, 0x0, ... 00305 572 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00306 572 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00307 572 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 
64, ) == 0x0 00308 572 NtQueryValueKey (64, (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00309 572 NtClose (64, ... ) == 0x0 00310 572 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00311 572 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00312 572 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00313 572 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00314 572 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0 00315 572 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00316 572 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00317 572 NtQueryValueKey (64, (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 572 NtClose (64, ... ) == 0x0 00319 572 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 
64, ) == 0x0 00320 572 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00321 572 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00322 572 NtClose (64, ... ) == 0x0 00323 572 NtOpenEvent (0x1f0003, {24, 32, 0x0, 0, 0, (0x1f0003, {24, 32, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00324 572 NtSetEventBoostPriority (40, ... 00304 564 NtWaitForSingleObject ... ) == 0x0 00325 564 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 13107200, 28672, ) == 0x0 00326 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00327 564 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2291552, ... }, 2291552, ... 00324 572 NtSetEventBoostPriority ... ) == 0x0 00328 572 NtWaitForSingleObject (40, 0, 0x0, ... 00327 564 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00329 564 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 2291552, ... ) }, 2291552, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00330 564 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 2291552, ... ) }, 2291552, ... ) == 0x0 00331 564 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00332 564 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0 00333 564 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00334 564 NtClose (64, ... ) == 0x0 00335 564 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00336 564 NtClose (68, ... 
) == 0x0 00337 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 68, ) }, ... 68, ) == 0x0 00338 564 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00339 564 NtClose (68, ... ) == 0x0 00340 564 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00341 564 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00342 564 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00343 564 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 2290748, ... ) }, 2290748, ... ) == 0x0 00344 564 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00345 564 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 64, ) == 0x0 00346 564 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00347 564 NtClose (68, ... ) == 0x0 00348 564 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00349 564 NtClose (64, ... ) == 0x0 00350 564 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00351 564 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 13172736, 65536, ) == 0x0 00352 564 NtAllocateVirtualMemory (-1, 13172736, 0, 4096, 4096, 4, ... 
13172736, 4096, ) == 0x0 00353 564 NtAllocateVirtualMemory (-1, 13176832, 0, 8192, 4096, 4, ... 13176832, 8192, ) == 0x0 00354 564 NtAllocateVirtualMemory (-1, 4542464, 0, 4096, 4096, 4, ... 4542464, 4096, ) == 0x0 00355 564 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 64, ) }, ... 64, ) == 0x0 00356 564 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xca0000), 0x0, 12288, ) == 0x0 00357 564 NtClose (64, ... ) == 0x0 00358 564 NtAllocateVirtualMemory (-1, 13185024, 0, 4096, 4096, 4, ... 13185024, 4096, ) == 0x0 00359 564 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00360 564 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00361 564 NtSetEventBoostPriority (40, ... 00328 572 NtWaitForSingleObject ... ) == 0x0 00362 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 64, ) }, ... 64, ) == 0x0 00363 572 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00364 572 NtClose (64, ... ) == 0x0 00361 564 NtSetEventBoostPriority ... ) == 0x0 00365 564 NtWaitForSingleObject (40, 0, 0x0, ... 00366 572 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 64, ) == 0x0 00367 572 NtCallbackReturn (0, 0, 0, ... 00368 572 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00369 572 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00370 572 NtOpenKey (0x9, {24, 36, 0x40, 0, 0, (0x9, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00371 572 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00372 572 NtSetEventBoostPriority (40, ... 00365 564 NtWaitForSingleObject ... ) == 0x0 00373 564 NtFreeVirtualMemory (-1, (0xc80000), 0, 32768, ... (0xc80000), 28672, ) == 0x0 00374 564 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00375 564 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00376 564 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00372 572 NtSetEventBoostPriority ... ) == 0x0 00377 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00378 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc.dll"}, 8713820, ... }, 8713820, ... 00379 564 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00380 564 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00381 564 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13303808, 1048576, ) == 0x0 00382 564 NtAllocateVirtualMemory (-1, 13303808, 0, 32768, 4096, 4, ... 13303808, 32768, ) == 0x0 00383 564 NtWaitForSingleObject (40, 0, 0x0, ... 00378 572 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00384 572 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc.dll"}, 8713820, ... ) }, 8713820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00385 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 8713820, ... ) }, 8713820, ... 
) == 0x0 00386 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00387 572 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0 00388 572 NtQuerySection (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00389 572 NtClose (68, ... ) == 0x0 00390 572 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bb0000), 0x0, 16384, ) == 0x0 00391 572 NtClose (72, ... ) == 0x0 00392 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sfc_os.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00393 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sfc_os.dll"}, 8713016, ... ) }, 8713016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00394 572 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sfc_os.dll"}, 8713016, ... ) }, 8713016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00395 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 8713016, ... ) }, 8713016, ... ) == 0x0 00396 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sfc_os.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00397 572 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 72, ... 68, ) == 0x0 00398 572 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00399 572 NtClose (72, ... ) == 0x0 00400 572 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c60000), 0x0, 167936, ) == 0x0 00401 572 NtClose (68, ... ) == 0x0 00402 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00403 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINTRUST.dll"}, 8712212, ... 
) }, 8712212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00404 572 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINTRUST.dll"}, 8712212, ... ) }, 8712212, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00405 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 8712212, ... ) }, 8712212, ... ) == 0x0 00406 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINTRUST.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00407 572 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 72, ) == 0x0 00408 572 NtQuerySection (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00409 572 NtClose (68, ... ) == 0x0 00410 572 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 176128, ) == 0x0 00411 572 NtClose (72, ... ) == 0x0 00412 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 72, ) }, ... 72, ) == 0x0 00413 572 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00414 572 NtClose (72, ... ) == 0x0 00415 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 72, ) }, ... 72, ) == 0x0 00416 572 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00417 572 NtClose (72, ... ) == 0x0 00418 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 72, ) }, ... 72, ) == 0x0 00419 572 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 139264, ) == 0x0 00420 572 NtClose (72, ... ) == 0x0 00421 572 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00422 572 NtAllocateVirtualMemory (-1, 4546560, 0, 4096, 4096, 4, ... 
4546560, 4096, ) == 0x0 00423 572 NtAllocateVirtualMemory (-1, 4550656, 0, 4096, 4096, 4, ... 4550656, 4096, ) == 0x0 00424 572 NtAllocateVirtualMemory (-1, 4554752, 0, 4096, 4096, 4, ... 4554752, 4096, ) == 0x0 00425 572 NtAllocateVirtualMemory (-1, 4558848, 0, 4096, 4096, 4, ... 4558848, 4096, ) == 0x0 00426 572 NtCreateEvent (0x1f0003, {24, 32, 0x80, 8713952, 0, (0x1f0003, {24, 32, 0x80, 8713952, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00427 572 NtOpenEvent (0x100000, {24, 32, 0x0, 0, 0, (0x100000, {24, 32, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 72, ) }, ... 72, ) == 0x0 00428 572 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00429 572 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 14352384, 262144, ) == 0x0 00430 572 NtAllocateVirtualMemory (-1, 14352384, 0, 4096, 4096, 4, ... 14352384, 4096, ) == 0x0 00431 572 NtAllocateVirtualMemory (-1, 14356480, 0, 8192, 4096, 4, ... 14356480, 8192, ) == 0x0 00432 572 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00433 572 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14614528, 1048576, ) == 0x0 00434 572 NtAllocateVirtualMemory (-1, 14614528, 0, 1048576, 4096, 4, ... 14614528, 1048576, ) == 0x0 00435 572 NtCreateMutant (0x1f0001, 0x0, 0, ... 68, ) == 0x0 00436 572 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 76, ) == 0x0 00437 572 NtCreateMutant (0x1f0001, 0x0, 0, ... 
80, ) == 0x0 00438 572 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 84, ) == 0x0 00439 572 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 88, ) == 0x0 00440 572 NtSetEvent (88, ... 0x0, ) == 0x0 00441 572 NtSetEventBoostPriority (40, ... 00383 564 NtWaitForSingleObject ... ) == 0x0 00442 564 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "Jobaka3"}, 0, ... 92, ) }, 0, ... 92, ) == 0x0 00443 564 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 96, ) }, ... 96, ) == 0x0 00444 564 NtQueryValueKey (96, (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00445 564 NtQueryValueKey (96, (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00441 572 NtSetEventBoostPriority ... ) == 0x0 00446 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 100, ) }, ... 100, ) == 0x0 00447 572 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00448 572 NtClose (100, ... ) == 0x0 00449 564 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0 00450 564 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Protocol_Catalog9"}, ... 104, ) }, ... 104, ) == 0x0 00451 564 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00452 564 NtNotifyChangeKey (104, 100, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00453 564 NtQueryValueKey (104, (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00454 564 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00455 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 108, ) }, ... 108, ) == 0x0 00456 572 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00457 572 NtClose (108, ... ) == 0x0 00458 572 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00459 572 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "SYSTEM\Setup"}, ... }, ... 00460 564 NtQueryValueKey (104, (104, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00461 564 NtQueryValueKey (104, (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00462 564 NtOpenKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Catalog_Entries"}, ... 108, ) }, ... 108, ) == 0x0 00463 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000001"}, ... 112, ) }, ... 
112, ) == 0x0 00464 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00465 564 NtAllocateVirtualMemory (-1, 4562944, 0, 4096, 4096, 4, ... 4562944, 4096, ) == 0x0 00459 572 NtOpenKey ... 116, ) == 0x0 00466 572 NtQueryValueKey (116, (116, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00467 572 NtClose (116, ... ) == 0x0 00468 572 NtQueryDefaultUILanguage (8712176, ... 00469 572 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00470 572 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481956, ) == 0x0 00471 572 NtQueryInformationToken (-2147481956, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00472 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00473 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\332\1\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\332\1\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\1\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\333\1\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\334\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\334\1\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\332\1\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\332\1\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\1\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\333\1\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\334\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\334\1\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\333\1\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\334\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\332\1\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\332\1\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\1\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\333\1\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\334\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\334\1\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\335\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00474 564 NtClose (112, ... ) == 0x0 00475 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000002"}, ... 112, ) }, ... 112, ) == 0x0 00476 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00477 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00478 572 NtClose (-2147481956, ... ) == 0x0 00479 572 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00480 572 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00481 572 NtOpenKey (0x80000000, {24, -2147481956, 0x640, 0, 0, (0x80000000, {24, -2147481956, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481960, ) }, ... -2147481960, ) == 0x0 00482 572 NtQueryValueKey (-2147481960, (-2147481960, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00483 572 NtClose (-2147481960, ... ) == 0x0 00484 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\1\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\345\1\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\1\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\346\1\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\347\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\347\1\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\1\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\345\1\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\1\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\346\1\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\347\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\347\1\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\346\1\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\347\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\1\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\345\1\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\1\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\346\1\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\347\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\347\1\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\1\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00485 564 NtClose (112, ... ) == 0x0 00486 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000003"}, ... 112, ) }, ... 112, ) == 0x0 00487 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00488 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00489 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\352\1\0\0,\2\0\0<\2\0\0\17\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\234\6\0\200\352\1\0\0,\2\0\0<\2\0\0\17\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0,\2\0\0<\2\0\0\356\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\1\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0\270\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\0\0\0\0\274\357\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\206\0\210\0`\214\350w\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0c\0h\0i\0n\0e\0\\0S\0y\0s\0t\0e\0m\0\\0C\0u\0r\0r\0e\0n\0t\0C\0o\0n\0t\0r\0o\0l\0S\0e\0t\0\\0C\0o\0n\0t\0r\0o\0l\0\\0N\0l\0s\0\\0M\0U\0I\0L\0a\0n\0g\0u\0a\0g\0e\0s\0E\370\353\1\0\0,\2\0\0<\2\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\354\1\0\0,\2\0\0<\2\0\0\360\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354g\355w\354\1\0\0,\2\0\0<\2\0\0\360\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\355\1\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\352\1\0\0,\2\0\0<\2\0\0\17\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\234\6\0\200\352\1\0\0,\2\0\0<\2\0\0\17\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0,\2\0\0<\2\0\0\356\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\1\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0\270\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\0\0\0\0\274\357\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\206\0\210\0`\214\350w\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0c\0h\0i\0n\0e\0\\0S\0y\0s\0t\0e\0m\0\\0C\0u\0r\0r\0e\0n\0t\0C\0o\0n\0t\0r\0o\0l\0S\0e\0t\0\\0C\0o\0n\0t\0r\0o\0l\0\\0N\0l\0s\0\\0M\0U\0I\0L\0a\0n\0g\0u\0a\0g\0e\0s\0E\370\353\1\0\0,\2\0\0<\2\0\0Q\0\0\0\1\0\1\04\0\0\300\0\0\0\0\354\1\0\0,\2\0\0<\2\0\0\360\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\354g\355w\354\1\0\0,\2\0\0<\2\0\0\360\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\355\1\0\0"}, 900, ) }, 900, ) == 0x0 00490 572 NtClose (-2147481956, ... ) == 0x0 00468 572 NtQueryDefaultUILanguage ... 
) == 0x0 00491 572 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00492 572 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00493 572 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 116, {status=0x0, info=1}, ) }, 1, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00494 572 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 116, ... 120, ) == 0x0 00495 572 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 00496 564 NtClose (112, ... ) == 0x0 00497 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000004"}, ... 112, ) }, ... 112, ) == 0x0 00498 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00499 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00500 564 NtAllocateVirtualMemory (-1, 4567040, 0, 4096, 4096, 4, ... 4567040, 4096, ) == 0x0 00501 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\357\1\0\0,\2\0\0<\2\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\357\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\177\0\366\1\0\0,\2\0\0<\2\0\0O\0\0\0\0\0\1\0\0\0\0\0\230\0\0\0\251\0\22\0\0\0\0\0\30\0\0\0\0\0\0\0$\357\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0b\0\230\355\204\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0.\01\02\04\0.\0M\0a\0n\0i\0f\0e\0s\0t\0\1\0\0\0`\0\0\0\366\1\0\0,\2\0\0<\2\0\0O\0\0\0\1\0\1\04\0\0\300\0\0\0\0\367\1\0\0,\2\0\0<\2\0\0\356\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0XQ\374w\370\1\0\0,\2\0\0<\2\0\0\31\4\0\0\0\0\0\0\0\0\0\0\20\0\0\0\376\377\377\377\10\0\2\0\1\0\0\0\0\2\0\0\370\1\0\0,\2\0\0<\2\0\0\31\4\0\0\1\0\0\0|\0\0\300\0\0\0\0\371\1\0\0,\2\0\0<\2\0\0\30\4\0\0\0\0\0\0\0\0\0\0\14\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\357\1\0\0,\2\0\0<\2\0\0I\0\0\0\1\0\1\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\357\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\177\0\366\1\0\0,\2\0\0<\2\0\0O\0\0\0\0\0\1\0\0\0\0\0\230\0\0\0\251\0\22\0\0\0\0\0\30\0\0\0\0\0\0\0$\357\204\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0b\0\230\355\204\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0.\01\02\04\0.\0M\0a\0n\0i\0f\0e\0s\0t\0\1\0\0\0`\0\0\0\366\1\0\0,\2\0\0<\2\0\0O\0\0\0\1\0\1\04\0\0\300\0\0\0\0\367\1\0\0,\2\0\0<\2\0\0\356\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0XQ\374w\370\1\0\0,\2\0\0<\2\0\0\31\4\0\0\0\0\0\0\0\0\0\0\20\0\0\0\376\377\377\377\10\0\2\0\1\0\0\0\0\2\0\0\370\1\0\0,\2\0\0<\2\0\0\31\4\0\0\1\0\0\0|\0\0\300\0\0\0\0\371\1\0\0,\2\0\0<\2\0\0\30\4\0\0\0\0\0\0\0\0\0\0\14\0\0\0"}, 900, ) }, 900, ) == 0x0 00495 572 NtMapViewOfSection ... 
(0xef0000), 0x0, 8323072, ) == 0x0 00502 572 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00503 572 NtQueryDefaultUILanguage (2013024600, ... 00504 572 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00505 572 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481956, ) == 0x0 00506 572 NtQueryInformationToken (-2147481956, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00507 572 NtClose (-2147481956, ... ) == 0x0 00508 564 NtClose (112, ... ) == 0x0 00509 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000005"}, ... 112, ) }, ... 112, ) == 0x0 00510 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00511 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00512 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\1\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\1\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\2\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\0\0\0\0\0\0\250\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\0\0\0\04\7\335\367@\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0v\0\254\0xt\2\341\0\0\0\0\\0R\0E\0G\0I\0S\0T\0R\0Y\0\\0U\0S\0E\0R\0\\0S\0-\01\0-\05\0-\02\01\0-\01\00\07\08\00\08\01\05\03\03\0-\04\08\04\07\06\03\08\06\09\0-\08\03\09\05\02\02\01\01\05\0-\01\00\00\03\0\17\201\2\2\0\0,\2\0\0<\2\0\0Q\0\0\0\1\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\234\6\0\200\3\2\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\0\0\0\200\0\0\0\0\30\0\0\0\0\0\0\0\360\6\335\367@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\206\0\210\0\230}X\200\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\1\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\1\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\2\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\0\0\0\0\0\0\250\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\0\0\0\04\7\335\367@\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0v\0\254\0xt\2\341\0\0\0\0\\0R\0E\0G\0I\0S\0T\0R\0Y\0\\0U\0S\0E\0R\0\\0S\0-\01\0-\05\0-\02\01\0-\01\00\07\08\00\08\01\05\03\03\0-\04\08\04\07\06\03\08\06\09\0-\08\03\09\05\02\02\01\01\05\0-\01\00\00\03\0\17\201\2\2\0\0,\2\0\0<\2\0\0Q\0\0\0\1\0\0\0\0\0\0\0\10\0\0\0\0\0\0\0\234\6\0\200\3\2\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\0\0\0\200\0\0\0\0\30\0\0\0\0\0\0\0\360\6\335\367@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\206\0\210\0\230}X\200\0\0\0\0\\0R\0e\0g\0i\0s\0t\0r\0y\0\\0M\0a\0"}, 900, ) }, 900, ) == 0x0 00513 564 NtClose (112, ... ) == 0x0 00514 572 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 
-2147481956, ) }, ... -2147481956, ) == 0x0 00515 572 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00516 572 NtOpenKey (0x80000000, {24, -2147481956, 0x640, 0, 0, (0x80000000, {24, -2147481956, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481960, ) }, ... -2147481960, ) == 0x0 00517 572 NtQueryValueKey (-2147481960, (-2147481960, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00518 572 NtClose (-2147481960, ... ) == 0x0 00519 572 NtClose (-2147481956, ... ) == 0x0 00520 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000006"}, ... 112, ) }, ... 112, ) == 0x0 00521 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00522 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00523 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\14\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\14\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\15\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\367\1\0\0,\2\0\0<\2\0\0\356\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0,\2\0\0<\2\0\0\12\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\300\204\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\1\0\0\16\2\0\0,\2\0\0<\2\0\0\12\0\0\0\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\300\204\0\0\0\0\0\0\20\0\0\17\2\0\0,\2\0\0<\2\0\0\360\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0ZQ\374w\17\2\0\0,\2\0\0<\2\0\0\360\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\2\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\14\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\14\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\15\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\367\1\0\0,\2\0\0<\2\0\0\356\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0,\2\0\0<\2\0\0\12\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\300\204\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\1\0\0\16\2\0\0,\2\0\0<\2\0\0\12\0\0\0\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\300\204\0\0\0\0\0\0\20\0\0\17\2\0\0,\2\0\0<\2\0\0\360\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0ZQ\374w\17\2\0\0,\2\0\0<\2\0\0\360\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\2\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\15\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\367\1\0\0,\2\0\0<\2\0\0\356\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\16\2\0\0,\2\0\0<\2\0\0\12\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\377\377\377\377\0\0\0\0\0\300\204\0\0\0\0\0\0\0\0\0\0\20\0\0\0\20\0\0\4\1\0\0\16\2\0\0,\2\0\0<\2\0\0\12\0\0\0\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\300\204\0\0\0\0\0\0\20\0\0\17\2\0\0,\2\0\0<\2\0\0\360\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0ZQ\374w\17\2\0\0,\2\0\0<\2\0\0\360\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\2\0\0"}, 900, ) == 0x0 00524 564 NtClose (112, ... ) == 0x0 00525 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000007"}, ... 112, ) }, ... 112, ) == 0x0 00503 572 NtQueryDefaultUILanguage ... ) == 0x0 00526 572 NtAllocateVirtualMemory (-1, 8699904, 0, 4096, 4096, 260, ... 8699904, 4096, ) == 0x0 00527 572 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00528 572 NtQueryDefaultLocale (1, 8710212, ... ) == 0x0 00529 572 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00530 572 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 8711068, 1, 96, 0} (24, {128, 156, new_msg, 0, 8711068, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1t\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\234\362\204\0\0\0\0\0" ... {128, 156, reply, 0, 556, 572, 1521, 0} " S\26\0\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1t\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\234\362\204\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 556, 572, 1521, 0} (24, {128, 156, new_msg, 0, 8711068, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1t\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\234\362\204\0\0\0\0\0" ... {128, 156, reply, 0, 556, 572, 1521, 0} " S\26\0\33\0\1\0\0\0\0\0\1\356\204\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1t\0\0\0\377\377\377\377\0\0\0\0\20\311&\1\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\234\362\204\0\0\0\0\0" ) ) == 0x0 00531 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00532 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00533 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\26\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\26\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\27\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\30\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\30\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\2\0\0,\2\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\31\2\0\0,\2\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\2\0\0,\2\0\0<\2\0\0\17\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\26\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\26\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\27\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\30\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\30\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\2\0\0,\2\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\31\2\0\0,\2\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\2\0\0,\2\0\0<\2\0\0\17\0\0\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\27\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\30\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\26\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\26\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\27\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\30\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0\30\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\2\0\0,\2\0\0<\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\31\2\0\0,\2\0\0<\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\2\0\0,\2\0\0<\2\0\0\17\0\0\0"}, 900, ) }, 900, ) == 0x0 00534 564 NtClose (112, ... ) == 0x0 00535 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000008"}, ... 112, ) }, ... 112, ) == 0x0 00536 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00537 572 NtClose (116, ... ) == 0x0 00538 572 NtClose (120, ... ) == 0x0 00539 572 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00540 572 NtUnmapViewOfSection (-1, 0x84f29c, ... ) == STATUS_NOT_MAPPED_VIEW 00541 572 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00542 572 NtAllocateVirtualMemory (-1, 4571136, 0, 4096, 4096, 4, ... 4571136, 4096, ) == 0x0 00543 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00544 564 NtCreateEvent (0x100003, 0x0, 1, 0, ... 120, ) == 0x0 00545 564 NtWaitForSingleObject (120, 0, 0x0, ... 00546 572 NtSetEventBoostPriority (120, ... 00545 564 NtWaitForSingleObject ... ) == 0x0 00547 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0$\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0$\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0%\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0&\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0&\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\2\0\0,\2\0\0<\2\0\0'\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\2\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0\350\0\0\0\10\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\20}\367w"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0$\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0$\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0%\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0&\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0&\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\2\0\0,\2\0\0<\2\0\0'\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\2\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0\350\0\0\0\10\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\20}\367w"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0%\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0&\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0$\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0$\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0%\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0&\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0&\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0"\2\0\0,\2\0\0<\2\0\0'\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\2\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0\350\0\0\0\10\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\20}\367w"}, 900, ) \2\0\0,\2\0\0<\2\0\0'\4\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\2\0\0,\2\0\0<\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0\350\0\0\0\10\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\20}\367w"}, 900, ) == 0x0 00548 564 NtClose (112, ... ) == 0x0 00549 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000009"}, ... 112, ) }, ... 112, ) == 0x0 00550 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00546 572 NtSetEventBoostPriority ... ) == 0x0 00551 572 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00552 572 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00553 572 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00554 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 8709296, ... }, 8709296, ... 00555 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00556 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0-\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0-\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0.\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0/\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0/\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0-\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0-\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0.\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0/\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0/\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0.\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0/\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0-\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0-\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0.\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0/\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\0/\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00557 564 NtClose (112, ... ) == 0x0 00558 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000010"}, ... 112, ) }, ... 112, ) == 0x0 00559 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00560 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00561 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\02\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\02\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\03\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\04\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\04\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\02\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\02\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\03\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\04\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\04\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\03\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\04\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0 (112, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\02\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\02\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0l\0\0\0p\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\320\233E\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\03\2\0\0,\2\0\04\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\04\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0E\0\2\0\0\0\220\0\0\04\2\0\0,\2\0\04\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\2\0\0,\2\0\04\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0p\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00562 564 NtClose (112, ... ) == 0x0 00563 564 NtOpenKey (0x20019, {24, 108, 0x40, 0, 0, (0x20019, {24, 108, 0x40, 0, 0, "000000000011"}, ... 112, ) }, ... 112, ) == 0x0 00564 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00565 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00566 564 NtAllocateVirtualMemory (-1, 4575232, 0, 4096, 4096, 4, ... 4575232, 4096, ) == 0x0 00567 564 NtQueryValueKey (112, (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\08\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\08\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\09\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\09\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\2\0\0,\2\0\04\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\2\0\0,\2\0\04\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0;\2\0\0,\2\0\04\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0;\2\0\0,\2\0\04\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0<\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0`\0\0\0\214\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\360\232E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (112, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\08\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\08\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\09\2\0\0,\2\0\04\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0l\0\0\09\2\0\0,\2\0\04\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0:\2\0\0,\2\0\04\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\2\0\0,\2\0\04\2\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0;\2\0\0,\2\0\04\2\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0;\2\0\0,\2\0\04\2\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0l\0\0\0<\2\0\0,\2\0\04\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0`\0\0\0\214\374"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\360\232E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\360\232E\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00568 564 NtClose (112, ... ) == 0x0 00569 564 NtClose (108, ... 
) == 0x0 00570 564 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x102 00571 564 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0 00572 564 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 112, ) }, ... 112, ) == 0x0 00573 564 NtQueryValueKey (112, (112, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00574 564 NtNotifyChangeKey (112, 108, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00575 564 NtQueryValueKey (112, (112, "Serial_Access_Num", Partial, 144, ... , Partial, 144, ... 00554 572 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00576 572 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00577 572 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00578 572 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00579 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 8709888, ... ) }, 8709888, ... ) == 0x0 00580 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 116, {status=0x0, info=1}, ) }, 3, 33, ... 116, {status=0x0, info=1}, ) == 0x0 00575 564 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00581 564 NtOpenKey (0x2000000, {24, 112, 0x40, 0, 0, (0x2000000, {24, 112, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00582 564 NtQueryValueKey (112, (112, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (112, "Num_Catalog_Entries", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00583 564 NtOpenKey (0x2000000, {24, 112, 0x40, 0, 0, (0x2000000, {24, 112, 0x40, 0, 0, "Catalog_Entries"}, ... 124, ) }, ... 124, ) == 0x0 00584 564 NtOpenKey (0x20019, {24, 124, 0x40, 0, 0, (0x20019, {24, 124, 0x40, 0, 0, "000000000001"}, ... 128, ) }, ... 128, ) == 0x0 00585 564 NtQueryValueKey (128, (128, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00586 564 NtQueryValueKey (128, (128, "LibraryPath", Partial, 144, ... , Partial, 144, ... 00587 572 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00588 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0 00589 572 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 132, ... 136, ) == 0x0 00590 572 NtClose (132, ... ) == 0x0 00591 572 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xef0000), 0x0, 921600, ) == 0x0 00592 572 NtClose (136, ... ) == 0x0 00586 564 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00593 564 NtQueryValueKey (128, (128, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00594 564 NtQueryValueKey (128, (128, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00595 564 NtQueryValueKey (128, (128, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00596 564 NtQueryValueKey (128, (128, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00597 564 NtQueryValueKey (128, (128, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (128, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00598 564 NtQueryValueKey (128, (128, "AddressFamily", Partial, 144, ... , Partial, 144, ... 00599 572 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00600 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 00601 572 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 132, ) == 0x0 00602 572 NtQuerySection (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00603 572 NtClose (136, ... 
) == 0x0 00604 572 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00598 564 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00605 564 NtQueryValueKey (128, (128, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00606 564 NtQueryValueKey (128, (128, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00607 564 NtQueryValueKey (128, (128, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00608 564 NtQueryValueKey (128, (128, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00609 564 NtClose (128, ... ) == 0x0 00610 564 NtOpenKey (0x20019, {24, 124, 0x40, 0, 0, (0x20019, {24, 124, 0x40, 0, 0, "000000000002"}, ... }, ... 00611 572 NtClose (132, ... ) == 0x0 00612 572 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00613 572 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00614 572 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00615 572 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00616 572 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00610 564 NtOpenKey ... 
132, ) == 0x0 00617 564 NtQueryValueKey (132, (132, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00618 564 NtQueryValueKey (132, (132, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00619 564 NtQueryValueKey (132, (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00620 564 NtQueryValueKey (132, (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00621 564 NtQueryValueKey (132, (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00622 564 NtQueryValueKey (132, (132, "DisplayString", Partial, 144, ... , Partial, 144, ... 00623 572 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00624 572 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 00625 572 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00626 572 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00627 572 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00628 572 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00622 564 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00629 564 NtQueryValueKey (132, (132, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (132, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00630 564 NtQueryValueKey (132, (132, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00631 564 NtQueryValueKey (132, (132, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00632 564 NtQueryValueKey (132, (132, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00633 564 NtQueryValueKey (132, (132, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00634 564 NtQueryValueKey (132, (132, "StoresServiceClassInfo", Partial, 144, ... , Partial, 144, ... 00635 572 NtFlushInstructionCache (-1, 1905594368, 1952, ... 
) == 0x0 00636 572 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00637 572 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00638 572 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00639 572 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00640 572 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00634 564 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00641 564 NtClose (132, ... ) == 0x0 00642 564 NtOpenKey (0x20019, {24, 124, 0x40, 0, 0, (0x20019, {24, 124, 0x40, 0, 0, "000000000003"}, ... 132, ) }, ... 132, ) == 0x0 00643 564 NtQueryValueKey (132, (132, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00644 564 NtQueryValueKey (132, (132, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00645 564 NtQueryValueKey (132, (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00646 564 NtQueryValueKey (132, (132, "DisplayString", Partial, 144, ... , Partial, 144, ... 00647 572 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00648 572 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00649 572 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00650 572 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00651 572 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 8711072, ... ) , 42, 8711072, ... ) == 0x0 00652 572 NtQueryDefaultUILanguage (8709788, ... 00653 572 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 00646 564 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00654 564 NtQueryValueKey (132, (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00655 564 NtQueryValueKey (132, (132, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00656 564 NtQueryValueKey (132, (132, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (132, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00657 564 NtQueryValueKey (132, (132, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00658 564 NtQueryValueKey (132, (132, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00659 564 NtQueryValueKey (132, (132, "Enabled", Partial, 144, ... , Partial, 144, ... 00653 572 NtOpenThreadTokenEx ... ) == STATUS_NO_TOKEN 00660 572 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481956, ) == 0x0 00661 572 NtQueryInformationToken (-2147481956, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00662 572 NtClose (-2147481956, ... ) == 0x0 00663 572 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481956, ) }, ... -2147481956, ) == 0x0 00664 572 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00665 572 NtOpenKey (0x80000000, {24, -2147481956, 0x640, 0, 0, (0x80000000, {24, -2147481956, 0x640, 0, 0, "Control Panel\Desktop"}, ... }, ... 00659 564 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00666 564 NtQueryValueKey (132, (132, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00667 564 NtQueryValueKey (132, (132, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00668 564 NtClose (132, ... ) == 0x0 00669 564 NtClose (124, ... ) == 0x0 00670 564 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x102 00665 572 NtOpenKey ... -2147481960, ) == 0x0 00671 572 NtQueryValueKey (-2147481960, (-2147481960, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00672 572 NtClose (-2147481960, ... ) == 0x0 00673 572 NtClose (-2147481956, ... ) == 0x0 00652 572 NtQueryDefaultUILanguage ... ) == 0x0 00674 572 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00675 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 8708640, ... ) }, 8708640, ... ) == 0x0 00676 564 NtClose (96, ... ) == 0x0 00677 564 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00678 564 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00679 564 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 96, ) }, ... 96, ) == 0x0 00680 564 NtQueryValueKey (96, (96, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00681 564 NtClose (96, ... ) == 0x0 00682 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00683 572 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 96, ... 124, ) == 0x0 00684 572 NtClose (96, ... ) == 0x0 00685 572 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xef0000), 0x0, 4096, ) == 0x0 00686 572 NtClose (124, ... ) == 0x0 00687 572 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00688 564 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 124, ) == 0x0 00689 564 NtAllocateVirtualMemory (-1, 4579328, 0, 4096, 4096, 4, ... 4579328, 4096, ) == 0x0 00690 564 NtWaitForSingleObject (40, 0, 0x0, ... 00691 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 8708280, ... ) }, 8708280, ... ) == 0x0 00692 572 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 8708980, (0x80100080, {24, 0, 0x40, 0, 8708980, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) == 0x0 00693 572 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 96, ... 132, ) == 0x0 00694 572 NtClose (96, ... ) == 0x0 00695 572 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xef0000), {0, 0}, 4096, ) == 0x0 00696 572 NtClose (132, ... ) == 0x0 00697 572 NtUnmapViewOfSection (-1, 0xef0000, ... 
) == 0x0 00698 572 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 132, {status=0x0, info=1}, ) }, 1, 96, ... 132, {status=0x0, info=1}, ) == 0x0 00699 572 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 132, ... 96, ) == 0x0 00700 572 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xef0000), 0x0, 4096, ) == 0x0 00701 572 NtQueryInformationFile (132, 8708600, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00702 572 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00703 572 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 8708680, 1, 96, 0} (24, {128, 156, new_msg, 0, 8708680, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\204\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0H\351\204\0\0\0\0\0" ... {128, 156, reply, 0, 556, 572, 1522, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\204\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0H\351\204\0\0\0\0\0" ) ... {128, 156, reply, 0, 556, 572, 1522, 0} (24, {128, 156, new_msg, 0, 8708680, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\204\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0H\351\204\0\0\0\0\0" ... 
{128, 156, reply, 0, 556, 572, 1522, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\204\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0H\351\204\0\0\0\0\0" ) ) == 0x0 00704 572 NtClose (132, ... ) == 0x0 00705 572 NtClose (96, ... ) == 0x0 00706 572 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 00707 572 NtUnmapViewOfSection (-1, 0x84e948, ... ) == STATUS_NOT_MAPPED_VIEW 00708 572 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00709 572 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00710 572 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00711 572 NtUserGetDC (0, ... ) == 0x1010050 00712 572 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00713 572 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00714 572 NtUserSystemParametersInfo (66, 12, 8711092, 0, ... ) == 0x1 00715 572 NtOpenProcessToken (-1, 0x8, ... 96, ) == 0x0 00716 572 NtAccessCheck (4581152, 96, 0x1, 8710496, 8710440, 56, 8710524, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00717 572 NtClose (96, ... ) == 0x0 00718 572 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00719 572 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 96, ) == 0x0 00720 572 NtQueryInformationToken (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00721 572 NtClose (96, ... ) == 0x0 00722 572 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 96, ) }, ... 96, ) == 0x0 00723 572 NtSetInformationObject (96, Handle, {Inherit=0,ProtectFromClose=1,}, 8651008, ... ) == 0x0 00724 572 NtOpenKey (0x20019, {24, 96, 0x40, 0, 0, (0x20019, {24, 96, 0x40, 0, 0, "Control Panel\Desktop"}, ... 132, ) }, ... 132, ) == 0x0 00725 572 NtQueryValueKey (132, (132, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00726 572 NtClose (132, ... ) == 0x0 00727 572 NtUserSystemParametersInfo (41, 500, 8710592, 0, ... ) == 0x1 00728 572 NtOpenKey (0x1, {24, 96, 0x40, 0, 0, (0x1, {24, 96, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 132, ) }, ... 132, ) == 0x0 00729 572 NtQueryValueKey (132, (132, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 572 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 128, ) }, ... 128, ) == 0x0 00731 572 NtQueryValueKey (128, (128, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00732 572 NtClose (128, ... ) == 0x0 00733 572 NtClose (132, ... ) == 0x0 00734 572 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00735 572 NtUserSystemParametersInfo (4130, 0, 8711116, 0, ... ) == 0x1 00736 572 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 132, ) }, ... 132, ) == 0x0 00737 572 NtEnumerateValueKey (132, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00738 572 NtClose (132, ... ) == 0x0 00739 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00740 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc03b 00741 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc03d 00742 572 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00743 572 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810dc03f 00744 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00745 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc041 00746 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... 
) == 0x10011 00747 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc043 00748 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc045 00749 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00750 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc047 00751 572 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00752 572 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810dc049 00753 572 NtUserGetClassInfo (1905590272, 8711012, 8710964, 8711040, 0, ... ) == 0xc049 00754 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00755 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc04b 00756 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00757 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc04d 00758 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00759 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc04f 00760 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc051 00761 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00762 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc053 00763 572 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00764 572 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810dc055 00765 572 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810dc057 00766 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00767 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... 
) == 0x810dc059 00768 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10013 00769 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc05b 00770 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00771 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc05d 00772 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00773 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc05f 00774 572 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00775 572 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810dc017 00776 572 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00777 572 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810dc019 00778 572 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10013 00779 572 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... ) == 0x810dc018 00780 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00781 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc01a 00782 572 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... ) == 0x10011 00783 572 NtUserRegisterClassExWOW (8710848, 8710928, 8710912, 8710944, 0, 384, 0, ... 00784 572 NtAllocateVirtualMemory (-1, 9994240, 0, 4096, 4096, 32, ... 9994240, 4096, ) == 0x0 00783 572 NtUserRegisterClassExWOW ... ) == 0x810dc01c 00785 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00786 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc01e 00787 572 NtUserFindExistingCursorIcon (8710396, 8710412, 8710980, ... 
) == 0x10011 00788 572 NtUserRegisterClassExWOW (8710908, 8710988, 8710972, 8711004, 0, 384, 0, ... ) == 0x810dc01b 00789 572 NtUserFindExistingCursorIcon (8710392, 8710408, 8710976, ... ) == 0x10011 00790 572 NtUserRegisterClassExWOW (8710904, 8710984, 8710968, 8711000, 0, 384, 0, ... ) == 0x810dc068 00791 572 NtUserFindExistingCursorIcon (8710400, 8710416, 8710984, ... ) == 0x10011 00792 572 NtUserRegisterClassExWOW (8710852, 8710932, 8710916, 8710948, 0, 384, 0, ... ) == 0x810dc06a 00793 572 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 132, ) }, ... 132, ) == 0x0 00794 572 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00795 572 NtClose (132, ... ) == 0x0 00796 572 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 132, ) == 0x0 00797 572 NtQueryInformationProcess (132, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00798 572 NtClose (132, ... ) == 0x0 00799 572 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00800 572 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00801 572 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00802 572 NtOpenKey (0x20019, {24, 96, 0x40, 0, 0, (0x20019, {24, 96, 0x40, 0, 0, "Control Panel\Desktop"}, ... 132, ) }, ... 132, ) == 0x0 00803 572 NtQueryValueKey (132, (132, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 572 NtClose (132, ... ) == 0x0 00805 572 NtUserSystemParametersInfo (41, 500, 8711752, 0, ... ) == 0x1 00806 572 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00807 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00808 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00809 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... 
) == 0x810dc03b 00810 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00811 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc03d 00812 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00813 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00814 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc03f 00815 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00816 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00817 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc041 00818 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00819 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00820 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc043 00821 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00822 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc045 00823 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00824 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00825 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc047 00826 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00827 572 NtUserFindExistingCursorIcon (8711540, 8711556, 8712124, ... ) == 0x10011 00828 572 NtUserRegisterClassExWOW (8711992, 8712072, 8712056, 8712088, 0, 384, 0, ... ) == 0x810dc049 00829 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00830 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... 
) == 0x10011 00831 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc04b 00832 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00833 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00834 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc04d 00835 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00836 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00837 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc04f 00838 572 NtUserGetClassInfo (1999896576, 8712164, 8712116, 8712192, 0, ... ) == 0x0 00839 572 NtUserRegisterClassExWOW (8712000, 8712080, 8712064, 8712096, 0, 384, 0, ... ) == 0x810dc051 00840 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00841 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00842 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc053 00843 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00844 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00845 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc055 00846 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc057 00847 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00848 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00849 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc059 00850 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00851 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... 
) == 0x10013 00852 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc05b 00853 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00854 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00855 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc05d 00856 572 NtUserGetClassInfo (1999896576, 8712160, 8712112, 8712188, 0, ... ) == 0x0 00857 572 NtUserFindExistingCursorIcon (8711544, 8711560, 8712128, ... ) == 0x10011 00858 572 NtUserRegisterClassExWOW (8711996, 8712076, 8712060, 8712092, 0, 384, 0, ... ) == 0x810dc05f 00859 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc03b 00860 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc03d 00861 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc03f 00862 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc041 00863 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc043 00864 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc045 00865 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc047 00866 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc049 00867 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc04b 00868 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc04d 00869 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc04f 00870 572 NtUserGetClassInfo (1999896576, 8713916, 8713868, 8713944, 0, ... ) == 0xc051 00871 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc053 00872 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc055 00873 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... 
) == 0xc059 00874 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc05b 00875 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc05d 00876 572 NtUserGetClassInfo (1999896576, 8713912, 8713864, 8713940, 0, ... ) == 0xc05f 00877 572 NtSetEventBoostPriority (40, ... 00690 564 NtWaitForSingleObject ... ) == 0x0 00878 564 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2290256, (0x80100080, {24, 0, 0x40, 0, 2290256, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 00877 572 NtSetEventBoostPriority ... ) == 0x0 00879 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00880 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00881 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00882 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00883 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00884 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00885 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00886 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00887 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00888 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00889 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00890 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00891 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00892 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00894 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00896 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00898 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00899 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00901 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00902 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00903 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00904 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00906 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00907 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00909 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00913 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00914 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00921 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00923 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00924 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00926 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00927 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00929 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00932 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00934 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00940 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00948 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00949 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00953 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00956 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00957 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00959 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00960 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00966 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00967 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00968 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00969 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00970 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00972 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00973 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... }, ... 00878 564 NtCreateFile ... 132, {status=0x0, info=1}, ) == 0x0 00976 564 NtQueryInformationFile (132, 2291192, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00977 564 NtQueryInformationFile (132, 2291164, 24, Standard, ... 00975 572 NtOpenMutant ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00979 572 NtOpenMutant (0x1f0001, {24, 32, 0x0, 0, 0, (0x1f0001, {24, 32, 0x0, 0, 0, "kkq-vx_mtx1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00980 572 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "kkq-vx_mtx1"}, 0, ... }, 0, ... 00977 564 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 00981 564 NtQueryInformationFile (132, 2291116, 40, Basic, ... 00980 572 NtCreateMutant ... 128, ) == 0x0 00982 572 NtUserFindExistingCursorIcon (8715176, 8715192, 8715760, ... ) == 0x10011 00983 572 NtUserFindExistingCursorIcon (8715176, 8715192, 8715760, ... ) == 0x10005 00984 572 NtUserRegisterClassExWOW (8715628, 8715704, 8715720, 8715692, 0, 386, 0, ... 00981 564 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 00985 564 NtAllocateVirtualMemory (-1, 4583424, 0, 8192, 4096, 4, ... 4583424, 8192, ) == 0x0 00986 564 NtQueryInformationFile (132, 4582696, 4094, Stream, ... 00984 572 NtUserRegisterClassExWOW ... ) == 0x810dc0cb 00987 572 NtUserCreateWindowEx (-2147483648, 8715664, 8715476, "13238272, 0, 0, 0, 0, 0, 0, 4194304, 0, 1073742848, 0, ... 00988 572 NtUserGetIconSize (65541, 0, 8714192, 8714200, ... ) == 0x1 00989 572 NtUserGetIconInfo (65541, 8714168, 8714160, 8714152, 8714188, 1, ... 00986 564 NtQueryInformationFile ... {status=0x0, info=38}, ) == 0x0 00990 564 NtQueryInformationFile (132, 2289660, 40, Basic, ... 00989 572 NtUserGetIconInfo ... ) == 0x1 00991 572 NtUserFindExistingCursorIcon (8712900, 8712916, 8714132, ... ) == 0x10005 00992 572 NtGdiExtGetObjectW (335873028, 24, 8712908, ... ) == 0x18 00993 572 NtGdiGetDIBitsInternal (268502013, 335873028, 0, 64, 4570384, 4570336, 0, 256, 0, ... ) == 0x40 00994 572 NtUserGetDC (0, ... ) == 0x1010050 00995 572 NtGdiCreateDIBitmapInternal (16842832, 16, 32, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x150503dc 00996 572 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00997 572 NtGdiSelectBitmap (268502013, 352650204, ... 
) == 0x185000f 00998 572 NtGdiDoPalette (268502013, 0, 1, 8712760, 4, 0, ... ) == 0x1 00999 572 NtGdiStretchDIBitsInternal (268502013, 0, 0, 16, 32, 0, 0, 32, 64, 4570384, 4570648, 0, 13369376, 48, 256, 0, ... 00990 564 NtQueryInformationFile ... {status=0x0, info=40}, ) == 0x0 01000 564 NtQueryInformationFile (132, 2289504, 4, Ea, ... 00999 572 NtGdiStretchDIBitsInternal ... ) == 0x40 01001 572 NtGdiSelectBitmap (268502013, 25493519, ... ) == 0x150503dc 01002 572 NtGdiCreateCompatibleDC (268502013, ... ) == 0x70103fe 01003 572 NtGdiExtGetObjectW (352650204, 24, 8712784, ... 01000 564 NtQueryInformationFile ... {status=0x0, info=4}, ) == 0x0 01004 564 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 2289512, (0x40110080, {24, 0, 0x40, 0, 2289512, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01005 564 NtClose (-2147481956, ... ) == 0x0 01004 564 NtCreateFile ... 136, {status=0x0, info=2}, ) == 0x0 01003 572 NtGdiExtGetObjectW ... ) == 0x18 01006 572 NtGdiCreateBitmap (16, 32, 1, 1, 0, ... ) == 0x70503ff 01007 572 NtGdiSelectBitmap (268502013, 352650204, ... ) == 0x185000f 01008 572 NtGdiSelectBitmap (117507070, 117769215, ... ) == 0x185000f 01009 572 NtGdiBitBlt (117507070, 0, 0, 16, 32, 268502013, 0, 0, 13369376, -1, 0, ... ) == 0x1 01010 572 NtGdiSelectBitmap (268502013, 25493519, ... ) == 0x150503dc 01011 572 NtGdiSelectBitmap (117507070, 25493519, ... 01012 564 NtQueryVolumeInformationFile (136, 2288884, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01013 564 NtQueryInformationFile (136, 2288844, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01014 564 NtQueryVolumeInformationFile (132, 2288884, 536, Attribute, ... 01011 572 NtGdiSelectBitmap ... ) == 0x70503ff 01015 572 NtGdiDeleteObjectApp (352650204, ... ) == 0x1 01016 572 NtGdiDeleteObjectApp (117507070, ... ) == 0x1 01017 572 NtGdiExtGetObjectW (201655275, 24, 8712908, ... 01014 564 NtQueryVolumeInformationFile ... 
{status=0x0, info=20}, ) == 0x0 01018 564 NtQueryVolumeInformationFile (132, 2288568, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01017 572 NtGdiExtGetObjectW ... ) == 0x18 01019 572 NtGdiGetDIBitsInternal (268502013, 201655275, 0, 32, 4586852, 4586800, 0, 4096, 0, ... 01020 564 NtSetInformationFile (136, 2288672, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01021 564 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 132, ... 01019 572 NtGdiGetDIBitsInternal ... ) == 0x20 01022 572 NtUserGetDC (0, ... ) == 0x1010050 01023 572 NtGdiCreateCompatibleBitmap (16842832, 16, 16, ... ) == 0x90503fe 01024 572 NtUserCallOneParam (16842832, 56, ... ) == 0x1 01025 572 NtGdiSelectBitmap (268502013, 151323646, ... ) == 0x185000f 01026 572 NtGdiDoPalette (268502013, 0, 1, 8712760, 4, 0, ... 01021 564 NtCreateSection ... 140, ) == 0x0 01027 564 NtMapViewOfSection (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xf10000), {0, 0}, 126976, ) == 0x0 01028 564 NtClose (140, ... ) == 0x0 01026 572 NtGdiDoPalette ... ) == 0x0 01030 572 NtGdiStretchDIBitsInternal (268502013, 0, 0, 16, 16, 0, 0, 32, 32, 4586852, 4570648, 0, 13369376, 40, 4096, 0, ... 
) == 0x20 01029 564 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\6\0\204\214\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\10\0\0>\0\0\0"\0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\240\311\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... \0\0\0\0\0\0\0\240\1\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\15\0\1\0\4\0\0\0\0\0\0\0\240\311\4\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0 \0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 61440, 0x0, 0, ... 01031 572 NtGdiSelectBitmap (268502013, 25493519, ... ) == 0x90503fe 01032 572 NtGdiDeleteObjectApp (335873028, ... 01029 564 NtWriteFile ... 
{status=0x0, info=61440}, ) == 0x0 01033 564 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "\225\225\225\225\225\225\225\225\225\225\225\225\225\241)\225\205\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\260\346\225\225\342\225\347\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\227\225\225\225\225\225\225\225\220\225\225\225\226\225\225\225\220\225\225\225\220\225\225\225\221\225\225\225\227\225\225\225\220\225\225\225\220\225\225\225\227\225\225\225\224\225\225\225\226\225\225\225\221\225\225\225\221\225\225\225\222\225\225\225\225\225\225\225\225\225\225\225\226\225\225\225\235\225\225\225\235\225\225\225\223\225\225\225\223\225\225\225\225\225\225\225\220\225\225\225\225\225\225\225\222\225\225\225\226\225\225\225\226\225\225\225\227\225\225\225\220\225\225\225\226\225\225\225\235\225\225\225\226\225\225\225\234\225\225\225\227\225\225\225\235\225\225\225\227\225\225\225\225\225\225\225\221\225\225\225\221\225\225\225\221\225\225\225\227\225\225\225\222\225\225\225\222\225\225\225\225\225\225\225\227\225\225\225\221\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225O\242\224\205\365}\225\225\225\225\364|\225\225\225\225\225\225\225\225\204\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\225\2250{bt\271\353h*\3
52}\17\23\27\325\261YwH\377Btt\342", 61440, 0x0, 0, ... , 61440, 0x0, 0, ... 01032 572 NtGdiDeleteObjectApp ... ) == 0x1 01034 572 NtGdiDeleteObjectApp (201655275, ... ) == 0x1 01035 572 NtUserCallOneParam (0, 33, ... ) == 0x3004d 01036 572 NtUserSetCursorIconData (196685, 8712944, 8712960, 8714044, ... ) == 0x1 01037 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711860, ... ) }, 8711860, ... ) == 0x0 01038 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0 01039 572 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 140, ... 144, ) == 0x0 01040 572 NtClose (140, ... ) == 0x0 01033 564 NtWriteFile ... {status=0x0, info=61440}, ) == 0x0 01041 564 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "\21W\32W[Y\0\26\0\226\263\365\263\365\263\365\263\365\263\365\273\263\365\263\365\263\365\263\365\270\344\343\0\1\0\230\273\0\1\0\307\344\0\1\0\255\216\0\7\0\210\340\374\374\370\262\247\247\0\1\0\257\214\0\7\0\233\363\357\357\353\241\264\264\0+\4\341\202\211\204\202\211\204\217\221\223\204\222\222\317\210\217\207\216\302\206\216\215\205\221\216\215\215\317\202\216\214\302\210\217\225\206\216\215\205\317\202\216\214\302\226\226\226\317\202\203\223\317\223\224\302\226\226\226\317\222\216\202\212\222\317\200\202\302\222\225\216\223\214\221\200\230\317\202\216\214\302\202\223\224\225\216\221\317\217\224\302\217\204\226\317\204\206\206\317\202\216\214\302\226\226\226\317\221\216\217\233\210\222\202\200\214\222\317\202\216\214\302\226\204\215\202\216\214\204\322\317\222\214\210\215\204\317\202\216\317\224\212\302\216\215\203\323\317\217\200\225\210\216\217\204\225\317\202\216\214\302\226\226\226\317\203\203\210\217\317\223\224\302\214\200\222\225\204\223\314\231\317\202\216\214\302\226\226\226\317\221\216\217\233\210\222\202\200\214\222\317\202\216\214\302\226\226\226\317\203\2
00\217\212\314\203\200\217\220\224\204\314\202\200\217\200\205\200\317\202\200\302\226\226\226\317\221\216\217\233\210\222\202\200\214\222\317\202\216\214\302\226\226\226\317\203\214\216\317\202\216\214\302\221\200\230\221\200\215\317\202\216\214\302\204\203\200\230\317\202\216\214\302\226\226\226\317\203\200\217\212\216\207\214\200\205\224\223\200\317\202\216\214\302\226\226\226\317\202\210\203\202\317\202\216\214\302\226\226\226\317\227\225\203\317\223\224\302\226\226\226\317\202\226\203\200\217\212\317\202\216\214\302\206\216\215\205\221\216\215\215\317\202\216\214\302\226\226\226\317\221\216\217\233\210\222\202\200\214\222\317\202\216\214\302\226\226\226\317\214\214\203\200\217\212\317\223\224\302\226\226\226\317\224\217\210\200\222\225\223\224\214\317\223\224\302\206\216\215\205\221\216\215\215\317\202\216\214\302\226\226\226\317\221", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0 01042 564 NtUnmapViewOfSection (-1, 0xf10000, ... ) == 0x0 01043 564 NtSetInformationFile (136, 2291116, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01044 564 NtClose (132, ... 01045 572 NtMapViewOfSection (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf10000), 0x0, 204800, ) == 0x0 01046 572 NtClose (144, ... ) == 0x0 01047 572 NtUnmapViewOfSection (-1, 0xf10000, ... ) == 0x0 01048 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8712176, ... ) }, 8712176, ... ) == 0x0 01049 572 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0 01050 572 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 144, ... 132, ) == 0x0 01051 572 NtQuerySection (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01052 572 NtClose (144, ... ) == 0x0 01053 572 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x5ad70000), 0x0, 212992, ) == 0x0 01054 572 NtClose (132, ... ) == 0x0 01055 572 NtUserGetWindowDC (0, ... ) == 0x1010052 01056 572 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01057 572 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01058 572 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 132, ) == 0x0 01059 572 NtQueryInformationToken (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01060 572 NtClose (132, ... ) == 0x0 01061 572 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 132, ) }, ... 132, ) == 0x0 01062 572 NtOpenKey (0x1, {24, 132, 0x40, 0, 0, (0x1, {24, 132, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 144, ) }, ... 144, ) == 0x0 01063 572 NtQueryValueKey (144, (144, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01064 572 NtClose (144, ... ) == 0x0 01065 572 NtClose (132, ... ) == 0x0 01044 564 NtClose ... ) == 0x0 01066 564 NtClose (136, ... ) == 0x0 01067 564 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 136, ) }, ... 136, ) == 0x0 01068 564 NtSetValueKey (136, (136, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (136, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 01069 564 NtSetInformationFile (-2147482808, -136444108, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01070 564 NtSetInformationFile (-2147482808, -136444200, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01071 564 NtSetInformationFile (-2147482808, -136444508, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01072 572 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01073 572 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
132, ) == 0x0 01074 572 NtQueryInformationToken (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01075 572 NtClose (132, ... ) == 0x0 01076 572 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... }, ... 01068 564 NtSetValueKey ... ) == 0x0 01077 564 NtClose (136, ... ) == 0x0 01078 564 NtCreateMutant (0x1f0001, {24, 32, 0x80, 0, 0, (0x1f0001, {24, 32, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 136, ) }, 0, ... 136, ) == 0x0 01079 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01076 572 NtOpenKey ... 132, ) == 0x0 01080 572 NtOpenKey (0x1, {24, 132, 0x40, 0, 0, (0x1, {24, 132, 0x40, 0, 0, "Control Panel\Desktop"}, ... 144, ) }, ... 144, ) == 0x0 01081 572 NtQueryValueKey (144, (144, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01082 572 NtClose (144, ... ) == 0x0 01083 572 NtClose (132, ... 01079 564 NtAllocateVirtualMemory ... 15794176, 2097152, ) == 0x0 01084 564 NtAllocateVirtualMemory (-1, 17883136, 0, 8192, 4096, 4, ... 17883136, 8192, ) == 0x0 01085 564 NtProtectVirtualMemory (-1, (0x110e000), 4096, 260, ... (0x110e000), 4096, 4, ) == 0x0 01086 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 144, {556, 584}, ) == 0x0 01087 564 NtQueryInformationThread (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=556,Tid=584,}, 0x0, ) == 0x0 01088 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} "\0\0\0\0\1\0\1\0C:\WINDO\220\0\0\0,\2\0\0H\2\0\0" ... {28, 56, reply, 0, 556, 564, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\0\0\0,\2\0\0H\2\0\0" ) ... {28, 56, reply, 0, 556, 564, 1523, 0} (24, {28, 56, new_msg, 0, 2292524, 2292580, 2010981548, 2292508} "\0\0\0\0\1\0\1\0C:\WINDO\220\0\0\0,\2\0\0H\2\0\0" ... 
{28, 56, reply, 0, 556, 564, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\220\0\0\0,\2\0\0H\2\0\0" ) ) == 0x0 01083 572 NtClose ... ) == 0x0 01089 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 8711676, ... }, 8711676, ... 01090 564 NtResumeThread (144, ... 1, ) == 0x0 01091 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 17891328, 2097152, ) == 0x0 01092 564 NtAllocateVirtualMemory (-1, 19980288, 0, 8192, 4096, 4, ... 19980288, 8192, ) == 0x0 01093 584 NtWaitForSingleObject (40, 0, 0x0, ... 01094 564 NtProtectVirtualMemory (-1, (0x130e000), 4096, 260, ... (0x130e000), 4096, 4, ) == 0x0 01095 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 132, {556, 588}, ) == 0x0 01096 564 NtQueryInformationThread (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=556,Tid=588,}, 0x0, ) == 0x0 01097 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1523, 0} (24, {28, 56, new_msg, 0, 556, 564, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\0\0\0,\2\0\0L\2\0\0" ... {28, 56, reply, 0, 556, 564, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\0\0\0,\2\0\0L\2\0\0" ) ... {28, 56, reply, 0, 556, 564, 1524, 0} (24, {28, 56, new_msg, 0, 556, 564, 1523, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\0\0\0,\2\0\0L\2\0\0" ... {28, 56, reply, 0, 556, 564, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\0\0\0,\2\0\0L\2\0\0" ) ) == 0x0 01098 564 NtResumeThread (132, ... 1, ) == 0x0 01099 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01100 588 NtWaitForSingleObject (40, 0, 0x0, ... 01099 564 NtAllocateVirtualMemory ... 19988480, 2097152, ) == 0x0 01101 564 NtAllocateVirtualMemory (-1, 22077440, 0, 8192, 4096, 4, ... 22077440, 8192, ) == 0x0 01102 564 NtProtectVirtualMemory (-1, (0x150e000), 4096, 260, ... (0x150e000), 4096, 4, ) == 0x0 01103 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 140, {556, 576}, ) == 0x0 01104 564 NtQueryInformationThread (140, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=556,Tid=576,}, 0x0, ) == 0x0 01105 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1524, 0} (24, {28, 56, new_msg, 0, 556, 564, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0,\2\0\0@\2\0\0" ... {28, 56, reply, 0, 556, 564, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0,\2\0\0@\2\0\0" ) ... {28, 56, reply, 0, 556, 564, 1525, 0} (24, {28, 56, new_msg, 0, 556, 564, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0,\2\0\0@\2\0\0" ... {28, 56, reply, 0, 556, 564, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\214\0\0\0,\2\0\0@\2\0\0" ) ) == 0x0 01089 572 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01106 572 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 8711676, ... }, 8711676, ... 01107 564 NtResumeThread (140, ... 1, ) == 0x0 01108 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 22085632, 2097152, ) == 0x0 01109 564 NtAllocateVirtualMemory (-1, 24174592, 0, 8192, 4096, 4, ... 24174592, 8192, ) == 0x0 01110 576 NtWaitForSingleObject (40, 0, 0x0, ... 01111 564 NtProtectVirtualMemory (-1, (0x170e000), 4096, 260, ... (0x170e000), 4096, 4, ) == 0x0 01112 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 148, {556, 596}, ) == 0x0 01113 564 NtQueryInformationThread (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=556,Tid=596,}, 0x0, ) == 0x0 01114 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1525, 0} (24, {28, 56, new_msg, 0, 556, 564, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0,\2\0\0T\2\0\0" ... {28, 56, reply, 0, 556, 564, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0,\2\0\0T\2\0\0" ) ... {28, 56, reply, 0, 556, 564, 1526, 0} (24, {28, 56, new_msg, 0, 556, 564, 1525, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0,\2\0\0T\2\0\0" ... {28, 56, reply, 0, 556, 564, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\224\0\0\0,\2\0\0T\2\0\0" ) ) == 0x0 01115 564 NtResumeThread (148, ... 
1, ) == 0x0 01116 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01117 596 NtWaitForSingleObject (40, 0, 0x0, ... 01116 564 NtAllocateVirtualMemory ... 24182784, 2097152, ) == 0x0 01118 564 NtAllocateVirtualMemory (-1, 26271744, 0, 8192, 4096, 4, ... 26271744, 8192, ) == 0x0 01119 564 NtProtectVirtualMemory (-1, (0x190e000), 4096, 260, ... (0x190e000), 4096, 4, ) == 0x0 01120 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 152, {556, 636}, ) == 0x0 01121 564 NtQueryInformationThread (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=556,Tid=636,}, 0x0, ) == 0x0 01122 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1526, 0} (24, {28, 56, new_msg, 0, 556, 564, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0,\2\0\0|\2\0\0" ... {28, 56, reply, 0, 556, 564, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0,\2\0\0|\2\0\0" ) ... {28, 56, reply, 0, 556, 564, 1527, 0} (24, {28, 56, new_msg, 0, 556, 564, 1526, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0,\2\0\0|\2\0\0" ... {28, 56, reply, 0, 556, 564, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\0\0\0,\2\0\0|\2\0\0" ) ) == 0x0 01123 564 NtResumeThread (152, ... 1, ) == 0x0 01124 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 26279936, 2097152, ) == 0x0 01125 564 NtAllocateVirtualMemory (-1, 28368896, 0, 8192, 4096, 4, ... 28368896, 8192, ) == 0x0 01106 572 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 636 NtWaitForSingleObject (40, 0, 0x0, ... 01127 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 8711676, ... ) }, 8711676, ... ) == 0x0 01128 572 NtSetEventBoostPriority (40, ... 01093 584 NtWaitForSingleObject ... ) == 0x0 01129 584 NtSetEventBoostPriority (40, ... 01100 588 NtWaitForSingleObject ... ) == 0x0 01130 588 NtSetEventBoostPriority (40, ... 01110 576 NtWaitForSingleObject ... ) == 0x0 01131 576 NtSetEventBoostPriority (40, ... 01117 596 NtWaitForSingleObject ... 
) == 0x0 01132 596 NtSetEventBoostPriority (40, ... 01126 636 NtWaitForSingleObject ... ) == 0x0 01133 636 NtTestAlert (... ) == 0x0 01132 596 NtSetEventBoostPriority ... ) == 0x0 01131 576 NtSetEventBoostPriority ... ) == 0x0 01130 588 NtSetEventBoostPriority ... ) == 0x0 01129 584 NtSetEventBoostPriority ... ) == 0x0 01128 572 NtSetEventBoostPriority ... ) == 0x0 01134 564 NtProtectVirtualMemory (-1, (0x1b0e000), 4096, 260, ... 01135 636 NtContinue (26279216, 1, ... 01136 596 NtTestAlert (... 01137 576 NtTestAlert (... 01138 588 NtTestAlert (... 01139 572 NtUserGetProcessWindowStation (... 01134 564 NtProtectVirtualMemory ... (0x1b0e000), 4096, 4, ) == 0x0 01140 636 NtRegisterThreadTerminatePort (24, ... 01136 596 NtTestAlert ... ) == 0x0 01137 576 NtTestAlert ... ) == 0x0 01138 588 NtTestAlert ... ) == 0x0 01139 572 NtUserGetProcessWindowStation ... ) == 0x34 01141 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01140 636 NtRegisterThreadTerminatePort ... ) == 0x0 01142 596 NtContinue (24182064, 1, ... 01143 576 NtContinue (22084912, 1, ... 01144 588 NtContinue (19987760, 1, ... 01145 572 NtUserGetObjectInformation (52, 2, 0, 0, 8713972, ... 01141 564 NtCreateThread ... 156, {556, 728}, ) == 0x0 01146 636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01147 596 NtRegisterThreadTerminatePort (24, ... 01148 576 NtRegisterThreadTerminatePort (24, ... 01149 588 NtRegisterThreadTerminatePort (24, ... 01145 572 NtUserGetObjectInformation ... ) == 0x0 01150 564 NtQueryInformationThread (156, Basic, 28, ... 01146 636 NtDuplicateObject ... 160, ) == 0x0 01147 596 NtRegisterThreadTerminatePort ... ) == 0x0 01148 576 NtRegisterThreadTerminatePort ... ) == 0x0 01149 588 NtRegisterThreadTerminatePort ... ) == 0x0 01151 584 NtTestAlert (... 01150 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=556,Tid=728,}, 0x0, ) == 0x0 01152 636 NtWaitForSingleObject (108, 0, {0, 0}, ... 01153 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01154 576 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01155 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01151 584 NtTestAlert ... ) == 0x0 01156 572 NtUserGetObjectInformation (52, 2, 4577104, 16, 8713972, ... 01157 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1527, 0} (24, {28, 56, new_msg, 0, 556, 564, 1527, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0,\2\0\0\330\2\0\0" ... ... 01152 636 NtWaitForSingleObject ... ) == 0x102 01153 596 NtDuplicateObject ... 164, ) == 0x0 01154 576 NtDuplicateObject ... 168, ) == 0x0 01158 584 NtContinue (17890608, 1, ... 01156 572 NtUserGetObjectInformation ... ) == 0x1 01157 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1528, 0} ... {28, 56, reply, 0, 556, 564, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\0\0\0,\2\0\0\330\2\0\0" ) ) == 0x0 01159 636 NtAllocateVirtualMemory (-1, 26267648, 0, 4096, 4096, 260, ... 01160 596 NtWaitForSingleObject (108, 0, {0, 0}, ... 01161 576 NtWaitForSingleObject (108, 0, {0, 0}, ... 01162 584 NtRegisterThreadTerminatePort (24, ... 01163 572 NtUserGetGUIThreadInfo (572, 8713928, ... 01164 564 NtResumeThread (156, ... 01159 636 NtAllocateVirtualMemory ... 26267648, 4096, ) == 0x0 01160 596 NtWaitForSingleObject ... ) == 0x102 01161 576 NtWaitForSingleObject ... ) == 0x102 01162 584 NtRegisterThreadTerminatePort ... ) == 0x0 01163 572 NtUserGetGUIThreadInfo ... ) == 0x1 01164 564 NtResumeThread ... 1, ) == 0x0 01165 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 26274860, ... }, 26274860, ... 01166 596 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01167 576 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01168 584 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01169 572 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 8713748, 64, ... , {12, 2, 1, 1}, 0x0, 0x0, 8713748, 64, ... 01170 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01165 636 NtQueryAttributesFile ... 
) == 0x0 01166 596 NtCreateEvent ... 172, ) == 0x0 01167 576 NtCreateEvent ... 176, ) == 0x0 01155 588 NtDuplicateObject ... 180, ) == 0x0 01171 728 NtWaitForSingleObject (40, 0, 0x0, ... 01168 584 NtDuplicateObject ... 184, ) == 0x0 01170 564 NtAllocateVirtualMemory ... 28377088, 2097152, ) == 0x0 01172 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... }, 5, 96, ... 01169 572 NtConnectPort ... 188, 0x0, 0x0, 0x0, 64, ) == 0x0 01173 596 NtWaitForSingleObject (172, 0, 0x0, ... 01174 588 NtWaitForSingleObject (108, 0, {0, 0}, ... 01175 584 NtWaitForSingleObject (100, 0, {0, 0}, ... 01176 564 NtAllocateVirtualMemory (-1, 30466048, 0, 8192, 4096, 4, ... 01172 636 NtOpenFile ... 192, {status=0x0, info=1}, ) == 0x0 01177 572 NtRequestWaitReplyPort (188, {32, 56, new_msg, 0, 0, 0, 0, 0} (188, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01174 588 NtWaitForSingleObject ... ) == 0x102 01175 584 NtWaitForSingleObject ... ) == 0x102 01176 564 NtAllocateVirtualMemory ... 30466048, 8192, ) == 0x0 01178 636 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 192, ... 01179 588 NtWaitForSingleObject (172, 0, 0x0, ... 01180 584 NtWaitForSingleObject (40, 0, 0x0, ... 01181 564 NtProtectVirtualMemory (-1, (0x1d0e000), 4096, 260, ... 01178 636 NtCreateSection ... 196, ) == 0x0 01181 564 NtProtectVirtualMemory ... (0x1d0e000), 4096, 4, ) == 0x0 01182 636 NtClose (192, ... 01183 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01182 636 NtClose ... ) == 0x0 01184 576 NtClose (176, ... 01177 572 NtRequestWaitReplyPort ... {32, 56, reply, 0, 556, 572, 1530, 0} ... {32, 56, reply, 0, 556, 572, 1530, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01183 564 NtCreateThread ... 192, {556, 736}, ) == 0x0 01184 576 NtClose ... 
) == 0x0 01185 572 NtRequestWaitReplyPort (188, {32, 56, new_msg, 0, 0, 0, 0, 0} (188, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01186 564 NtQueryInformationThread (192, Basic, 28, ... 01187 576 NtWaitForSingleObject (172, 0, 0x0, ... 01186 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=556,Tid=736,}, 0x0, ) == 0x0 01188 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1528, 0} (24, {28, 56, new_msg, 0, 556, 564, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0,\2\0\0\340\2\0\0" ... {28, 56, reply, 0, 556, 564, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0,\2\0\0\340\2\0\0" ) ... {28, 56, reply, 0, 556, 564, 1532, 0} (24, {28, 56, new_msg, 0, 556, 564, 1528, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0,\2\0\0\340\2\0\0" ... {28, 56, reply, 0, 556, 564, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\0\0\0,\2\0\0\340\2\0\0" ) ) == 0x0 01189 564 NtResumeThread (192, ... 1, ) == 0x0 01190 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 30474240, 2097152, ) == 0x0 01191 564 NtAllocateVirtualMemory (-1, 32563200, 0, 8192, 4096, 4, ... 32563200, 8192, ) == 0x0 01192 636 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01193 736 NtWaitForSingleObject (40, 0, 0x0, ... 01192 636 NtMapViewOfSection ... (0x1f10000), 0x0, 229376, ) == 0x0 01194 636 NtClose (196, ... ) == 0x0 01195 636 NtUnmapViewOfSection (-1, 0x1f10000, ... ) == 0x0 01196 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 26275176, ... ) }, 26275176, ... ) == 0x0 01197 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 196, {status=0x0, info=1}, ) }, 5, 96, ... 196, {status=0x0, info=1}, ) == 0x0 01198 636 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 196, ... 176, ) == 0x0 01199 564 NtProtectVirtualMemory (-1, (0x1f0e000), 4096, 260, ... 
01185 572 NtRequestWaitReplyPort ... {32, 56, reply, 0, 556, 572, 1531, 0} ... {32, 56, reply, 0, 556, 572, 1531, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01199 564 NtProtectVirtualMemory ... (0x1f0e000), 4096, 4, ) == 0x0 01200 572 NtUserCallNoParam (29, ... 01201 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01202 572 NtWaitForSingleObject (40, 0, 0x0, ... 01201 564 NtCreateThread ... 200, {556, 676}, ) == 0x0 01203 564 NtQueryInformationThread (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=556,Tid=676,}, 0x0, ) == 0x0 01204 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1532, 0} (24, {28, 56, new_msg, 0, 556, 564, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0,\2\0\0\244\2\0\0" ... {28, 56, reply, 0, 556, 564, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0,\2\0\0\244\2\0\0" ) ... {28, 56, reply, 0, 556, 564, 1533, 0} (24, {28, 56, new_msg, 0, 556, 564, 1532, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0,\2\0\0\244\2\0\0" ... {28, 56, reply, 0, 556, 564, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\310\0\0\0,\2\0\0\244\2\0\0" ) ) == 0x0 01205 564 NtResumeThread (200, ... 1, ) == 0x0 01206 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01207 636 NtQuerySection (176, Image, 48, ... 01208 676 NtWaitForSingleObject (40, 0, 0x0, ... 01207 636 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01209 636 NtClose (196, ... ) == 0x0 01210 636 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 01211 636 NtClose (176, ... ) == 0x0 01212 636 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01213 636 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 01206 564 NtAllocateVirtualMemory ... 32571392, 2097152, ) == 0x0 01214 564 NtAllocateVirtualMemory (-1, 34660352, 0, 8192, 4096, 4, ... 34660352, 8192, ) == 0x0 01215 564 NtProtectVirtualMemory (-1, (0x210e000), 4096, 260, ... (0x210e000), 4096, 4, ) == 0x0 01216 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 176, {556, 788}, ) == 0x0 01217 564 NtQueryInformationThread (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=556,Tid=788,}, 0x0, ) == 0x0 01218 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1533, 0} (24, {28, 56, new_msg, 0, 556, 564, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0,\2\0\0\24\3\0\0" ... {28, 56, reply, 0, 556, 564, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0,\2\0\0\24\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1534, 0} (24, {28, 56, new_msg, 0, 556, 564, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0,\2\0\0\24\3\0\0" ... {28, 56, reply, 0, 556, 564, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\260\0\0\0,\2\0\0\24\3\0\0" ) ) == 0x0 01219 636 NtSetEventBoostPriority (40, ... 01171 728 NtWaitForSingleObject ... ) == 0x0 01220 728 NtSetEventBoostPriority (40, ... 01180 584 NtWaitForSingleObject ... ) == 0x0 01221 584 NtAllocateVirtualMemory (-1, 17879040, 0, 4096, 4096, 260, ... 17879040, 4096, ) == 0x0 01220 728 NtSetEventBoostPriority ... ) == 0x0 01219 636 NtSetEventBoostPriority ... ) == 0x0 01222 564 NtResumeThread (176, ... 01223 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 17887804, ... }, 17887804, ... 01224 636 NtWaitForSingleObject (40, 0, 0x0, ... 01222 564 NtResumeThread ... 1, ) == 0x0 01223 584 NtQueryAttributesFile ... ) == 0x0 01225 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01226 584 NtSetEventBoostPriority (40, ... 01225 564 NtAllocateVirtualMemory ... 34668544, 2097152, ) == 0x0 01193 736 NtWaitForSingleObject ... 
) == 0x0 01226 584 NtSetEventBoostPriority ... ) == 0x0 01227 736 NtSetEventBoostPriority (40, ... 01228 564 NtAllocateVirtualMemory (-1, 36757504, 0, 8192, 4096, 4, ... 01202 572 NtWaitForSingleObject ... ) == 0x0 01227 736 NtSetEventBoostPriority ... ) == 0x0 01229 584 NtWaitForSingleObject (40, 0, 0x0, ... 01230 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8711220, ... }, 8711220, ... 01228 564 NtAllocateVirtualMemory ... 36757504, 8192, ) == 0x0 01231 728 NtTestAlert (... 01232 788 NtWaitForSingleObject (40, 0, 0x0, ... 01230 572 NtQueryAttributesFile ... ) == 0x0 01233 736 NtTestAlert (... 01231 728 NtTestAlert ... ) == 0x0 01234 564 NtProtectVirtualMemory (-1, (0x230e000), 4096, 260, ... 01233 736 NtTestAlert ... ) == 0x0 01235 728 NtContinue (28376368, 1, ... 01234 564 NtProtectVirtualMemory ... (0x230e000), 4096, 4, ) == 0x0 01236 736 NtContinue (30473520, 1, ... 01237 728 NtRegisterThreadTerminatePort (24, ... 01238 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01239 736 NtRegisterThreadTerminatePort (24, ... 01237 728 NtRegisterThreadTerminatePort ... ) == 0x0 01238 564 NtCreateThread ... 196, {556, 784}, ) == 0x0 01239 736 NtRegisterThreadTerminatePort ... ) == 0x0 01240 728 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01241 564 NtQueryInformationThread (196, Basic, 28, ... 01242 736 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01243 572 NtSetEventBoostPriority (40, ... 01241 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=556,Tid=784,}, 0x0, ) == 0x0 01240 728 NtDuplicateObject ... 204, ) == 0x0 01208 676 NtWaitForSingleObject ... ) == 0x0 01243 572 NtSetEventBoostPriority ... ) == 0x0 01242 736 NtDuplicateObject ... 208, ) == 0x0 01244 676 NtAllocateVirtualMemory (-1, 13189120, 0, 4096, 4096, 4, ... 01245 728 NtWaitForSingleObject (108, 0, {0, 0}, ... 01246 572 NtWaitForSingleObject (40, 0, 0x0, ... 01244 676 NtAllocateVirtualMemory ... 
13189120, 4096, ) == 0x0 01247 736 NtWaitForSingleObject (108, 0, {0, 0}, ... 01245 728 NtWaitForSingleObject ... ) == 0x102 01248 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1534, 0} (24, {28, 56, new_msg, 0, 556, 564, 1534, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0,\2\0\0\20\3\0\0" ... ... 01247 736 NtWaitForSingleObject ... ) == 0x102 01249 728 NtWaitForSingleObject (172, 0, 0x0, ... 01248 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1535, 0} ... {28, 56, reply, 0, 556, 564, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\304\0\0\0,\2\0\0\20\3\0\0" ) ) == 0x0 01250 736 NtWaitForSingleObject (172, 0, 0x0, ... 01251 564 NtResumeThread (196, ... 1, ) == 0x0 01252 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 36765696, 2097152, ) == 0x0 01253 564 NtAllocateVirtualMemory (-1, 38854656, 0, 8192, 4096, 4, ... 38854656, 8192, ) == 0x0 01254 564 NtProtectVirtualMemory (-1, (0x250e000), 4096, 260, ... (0x250e000), 4096, 4, ) == 0x0 01255 676 NtSetEventBoostPriority (40, ... 01256 784 NtWaitForSingleObject (40, 0, 0x0, ... 01224 636 NtWaitForSingleObject ... ) == 0x0 01255 676 NtSetEventBoostPriority ... ) == 0x0 01257 636 NtSetEventBoostPriority (40, ... 01229 584 NtWaitForSingleObject ... ) == 0x0 01258 584 NtSetEventBoostPriority (40, ... 01232 788 NtWaitForSingleObject ... ) == 0x0 01259 788 NtSetEventBoostPriority (40, ... 01246 572 NtWaitForSingleObject ... ) == 0x0 01260 572 NtSetEventBoostPriority (40, ... 01256 784 NtWaitForSingleObject ... ) == 0x0 01261 784 NtTestAlert (... ) == 0x0 01260 572 NtSetEventBoostPriority ... ) == 0x0 01259 788 NtSetEventBoostPriority ... ) == 0x0 01258 584 NtSetEventBoostPriority ... ) == 0x0 01257 636 NtSetEventBoostPriority ... ) == 0x0 01262 676 NtTestAlert (... 01263 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01264 784 NtContinue (36764976, 1, ... 01200 572 NtUserCallNoParam ... ) == 0x0 01265 788 NtTestAlert (... 01266 584 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
01262 676 NtTestAlert ... ) == 0x0 01263 564 NtCreateThread ... 212, {556, 308}, ) == 0x0 01267 784 NtRegisterThreadTerminatePort (24, ... 01268 572 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... 01265 788 NtTestAlert ... ) == 0x0 01266 584 NtCreateEvent ... 216, ) == 0x0 01269 676 NtContinue (32570672, 1, ... 01270 564 NtQueryInformationThread (212, Basic, 28, ... 01267 784 NtRegisterThreadTerminatePort ... ) == 0x0 01268 572 NtUserSystemParametersInfo ... ) == 0x1 01271 788 NtContinue (34667824, 1, ... 01272 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 17887448, ... }, 17887448, ... 01273 676 NtRegisterThreadTerminatePort (24, ... 01270 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=556,Tid=308,}, 0x0, ) == 0x0 01274 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01275 572 NtGdiHfontCreate (8713300, 356, 0, 0, 4584392, ... 01276 788 NtRegisterThreadTerminatePort (24, ... 01272 584 NtQueryAttributesFile ... ) == 0x0 01277 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01278 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1535, 0} (24, {28, 56, new_msg, 0, 556, 564, 1535, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0,\2\0\04\1\0\0" ... ... 01274 784 NtDuplicateObject ... 220, ) == 0x0 01275 572 NtGdiHfontCreate ... ) == 0x170a0404 01276 788 NtRegisterThreadTerminatePort ... ) == 0x0 01279 584 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01277 636 NtCreateEvent ... 224, ) == 0x0 01280 784 NtWaitForSingleObject (108, 0, {0, 0}, ... 01281 572 NtGdiHfontCreate (8713300, 356, 0, 0, 4584384, ... 01282 788 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01279 584 NtOpenKey ... 228, ) == 0x0 01283 636 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 01273 676 NtRegisterThreadTerminatePort ... 
) == 0x0 01278 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1536, 0} ... {28, 56, reply, 0, 556, 564, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\324\0\0\0,\2\0\04\1\0\0" ) ) == 0x0 01280 784 NtWaitForSingleObject ... ) == 0x102 01281 572 NtGdiHfontCreate ... ) == 0x160a03e3 01282 788 NtDuplicateObject ... 232, ) == 0x0 01283 636 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01284 676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01285 564 NtResumeThread (212, ... 01286 784 NtWaitForSingleObject (172, 0, 0x0, ... 01287 572 NtRequestWaitReplyPort (188, {32, 56, new_msg, 0, 0, 0, 0, 0} (188, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01288 788 NtWaitForSingleObject (108, 0, {0, 0}, ... 01289 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 26274976, ... }, 26274976, ... 01284 676 NtDuplicateObject ... 236, ) == 0x0 01285 564 NtResumeThread ... 1, ) == 0x0 01288 788 NtWaitForSingleObject ... ) == 0x102 01290 676 NtWaitForSingleObject (108, 0, {0, 0}, ... 01291 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01292 788 NtWaitForSingleObject (172, 0, 0x0, ... 01290 676 NtWaitForSingleObject ... ) == 0x102 01291 564 NtAllocateVirtualMemory ... 38862848, 2097152, ) == 0x0 01293 584 NtQueryValueKey (228, (228, "Transports", Partial, 144, ... , Partial, 144, ... 01294 308 NtWaitForSingleObject (40, 0, 0x0, ... 01287 572 NtRequestWaitReplyPort ... {32, 56, reply, 0, 556, 572, 1537, 0} ... {32, 56, reply, 0, 556, 572, 1537, 0} "\0\0\0\0\0\0\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01295 564 NtAllocateVirtualMemory (-1, 40951808, 0, 8192, 4096, 4, ... 01293 584 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01296 572 NtMapViewOfSection (240, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 
01297 676 NtWaitForSingleObject (172, 0, 0x0, ... 01298 584 NtQueryValueKey (228, (228, "Transports", Partial, 144, ... , Partial, 144, ... 01296 572 NtMapViewOfSection ... (0x2710000), {0, 0}, 331776, ) == 0x0 01298 584 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01295 564 NtAllocateVirtualMemory ... 40951808, 8192, ) == 0x0 01299 584 NtClose (228, ... 01300 564 NtProtectVirtualMemory (-1, (0x270e000), 4096, 260, ... 01299 584 NtClose ... ) == 0x0 01300 564 NtProtectVirtualMemory ... (0x270e000), 4096, 4, ) == 0x0 01301 572 NtUserGetWindowDC (0, ... 01302 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01301 572 NtUserGetWindowDC ... ) == 0x1010052 01302 564 NtCreateThread ... 228, {556, 812}, ) == 0x0 01303 572 NtUserCallOneParam (16842834, 56, ... 01304 564 NtQueryInformationThread (228, Basic, 28, ... 01303 572 NtUserCallOneParam ... ) == 0x1 01305 584 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01306 572 NtUserGetWindowDC (0, ... 01305 584 NtOpenKey ... 244, ) == 0x0 01306 572 NtUserGetWindowDC ... ) == 0x1010052 01307 584 NtQueryValueKey (244, (244, "Mapping", Partial, 144, ... , Partial, 144, ... 01304 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=556,Tid=812,}, 0x0, ) == 0x0 01307 584 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01308 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1536, 0} (24, {28, 56, new_msg, 0, 556, 564, 1536, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0,\2\0\0,\3\0\0" ... ... 01309 584 NtQueryValueKey (244, (244, "Mapping", Partial, 144, ... , Partial, 144, ... 01308 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1538, 0} ... 
{28, 56, reply, 0, 556, 564, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\344\0\0\0,\2\0\0,\3\0\0" ) ) == 0x0 01309 584 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01310 564 NtResumeThread (228, ... 01311 572 NtUserCallOneParam (16842834, 56, ... 01310 564 NtResumeThread ... 1, ) == 0x0 01311 572 NtUserCallOneParam ... ) == 0x1 01312 584 NtQueryValueKey (244, (244, "Mapping", Partial, 152, ... , Partial, 152, ... 01313 812 NtWaitForSingleObject (40, 0, 0x0, ... 01314 572 NtUserGetWindowDC (0, ... 01312 584 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01314 572 NtUserGetWindowDC ... ) == 0x1010052 01315 584 NtClose (244, ... 01316 572 NtUserCallOneParam (16842834, 56, ... 01315 584 NtClose ... ) == 0x0 01316 572 NtUserCallOneParam ... ) == 0x1 01317 584 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01318 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01317 584 NtOpenKey ... 244, ) == 0x0 01318 564 NtAllocateVirtualMemory ... 41353216, 2097152, ) == 0x0 01319 572 NtUserGetWindowDC (0, ... 01320 564 NtAllocateVirtualMemory (-1, 43442176, 0, 8192, 4096, 4, ... 01319 572 NtUserGetWindowDC ... ) == 0x1010052 01320 564 NtAllocateVirtualMemory ... 43442176, 8192, ) == 0x0 01321 572 NtUserCallOneParam (16842834, 56, ... 01322 564 NtProtectVirtualMemory (-1, (0x296e000), 4096, 260, ... 01321 572 NtUserCallOneParam ... ) == 0x1 01322 564 NtProtectVirtualMemory ... (0x296e000), 4096, 4, ) == 0x0 01323 572 NtUserGetWindowDC (0, ... 01324 584 NtQueryValueKey (244, (244, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 
01323 572 NtUserGetWindowDC ... ) == 0x1010052 01324 584 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01325 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01326 584 NtQueryValueKey (244, (244, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01325 564 NtCreateThread ... 248, {556, 808}, ) == 0x0 01326 584 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01327 564 NtQueryInformationThread (248, Basic, 28, ... 01328 584 NtQueryValueKey (244, (244, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01327 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=556,Tid=808,}, 0x0, ) == 0x0 01328 584 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01329 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1538, 0} (24, {28, 56, new_msg, 0, 556, 564, 1538, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0,\2\0\0(\3\0\0" ... ... 01330 572 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01331 572 NtUserGetWindowDC (0, ... ) == 0x1010052 01332 572 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01333 572 NtUserGetWindowDC (0, ... ) == 0x1010052 01334 572 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01335 572 NtUserGetWindowDC (0, ... ) == 0x1010052 01336 584 NtQueryValueKey (244, (244, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01329 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1539, 0} ... {28, 56, reply, 0, 556, 564, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\0\0\0,\2\0\0(\3\0\0" ) ) == 0x0 01336 584 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01337 564 NtResumeThread (248, ... 01338 584 NtWaitForSingleObject (40, 0, 0x0, ... 
01337 564 NtResumeThread ... 1, ) == 0x0 01339 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 43450368, 2097152, ) == 0x0 01340 564 NtAllocateVirtualMemory (-1, 45539328, 0, 8192, 4096, 4, ... 45539328, 8192, ) == 0x0 01341 564 NtProtectVirtualMemory (-1, (0x2b6e000), 4096, 260, ... (0x2b6e000), 4096, 4, ) == 0x0 01342 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 252, {556, 832}, ) == 0x0 01343 564 NtQueryInformationThread (252, Basic, 28, ... 01344 572 NtUserCallOneParam (16842834, 56, ... 01345 808 NtWaitForSingleObject (40, 0, 0x0, ... 01344 572 NtUserCallOneParam ... ) == 0x1 01346 572 NtUserGetWindowDC (0, ... ) == 0x1010052 01347 572 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0xf1003fb 01348 572 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01349 572 NtUserCallNoParam (29, ... 01350 572 NtWaitForSingleObject (40, 0, 0x0, ... 01343 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=556,Tid=832,}, 0x0, ) == 0x0 01351 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1539, 0} (24, {28, 56, new_msg, 0, 556, 564, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0,\2\0\0@\3\0\0" ... {28, 56, reply, 0, 556, 564, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0,\2\0\0@\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1540, 0} (24, {28, 56, new_msg, 0, 556, 564, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0,\2\0\0@\3\0\0" ... {28, 56, reply, 0, 556, 564, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\374\0\0\0,\2\0\0@\3\0\0" ) ) == 0x0 01352 564 NtResumeThread (252, ... 1, ) == 0x0 01289 636 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01353 832 NtWaitForSingleObject (40, 0, 0x0, ... 01354 636 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 26274976, ... }, 26274976, ... 01355 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 45547520, 2097152, ) == 0x0 01356 564 NtAllocateVirtualMemory (-1, 47636480, 0, 8192, 4096, 4, ... 
47636480, 8192, ) == 0x0 01357 564 NtProtectVirtualMemory (-1, (0x2d6e000), 4096, 260, ... (0x2d6e000), 4096, 4, ) == 0x0 01358 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 256, {556, 852}, ) == 0x0 01359 564 NtQueryInformationThread (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=556,Tid=852,}, 0x0, ) == 0x0 01360 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1540, 0} (24, {28, 56, new_msg, 0, 556, 564, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0,\2\0\0T\3\0\0" ... {28, 56, reply, 0, 556, 564, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0,\2\0\0T\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1541, 0} (24, {28, 56, new_msg, 0, 556, 564, 1540, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0,\2\0\0T\3\0\0" ... {28, 56, reply, 0, 556, 564, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\0\1\0\0,\2\0\0T\3\0\0" ) ) == 0x0 01361 564 NtResumeThread (256, ... 1, ) == 0x0 01362 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 47644672, 2097152, ) == 0x0 01363 564 NtAllocateVirtualMemory (-1, 49733632, 0, 8192, 4096, 4, ... 01364 852 NtWaitForSingleObject (40, 0, 0x0, ... 01363 564 NtAllocateVirtualMemory ... 49733632, 8192, ) == 0x0 01365 564 NtProtectVirtualMemory (-1, (0x2f6e000), 4096, 260, ... (0x2f6e000), 4096, 4, ) == 0x0 01366 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 260, {556, 856}, ) == 0x0 01367 564 NtQueryInformationThread (260, Basic, 28, ... 01354 636 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01368 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 26274976, ... ) }, 26274976, ... ) == 0x0 01369 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0 01370 636 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 264, ... 
268, ) == 0x0 01371 636 NtQuerySection (268, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01372 636 NtClose (264, ... ) == 0x0 01373 636 NtMapViewOfSection (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01367 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=556,Tid=856,}, 0x0, ) == 0x0 01374 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1541, 0} (24, {28, 56, new_msg, 0, 556, 564, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\1\0\0,\2\0\0X\3\0\0" ... {28, 56, reply, 0, 556, 564, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\1\0\0,\2\0\0X\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1542, 0} (24, {28, 56, new_msg, 0, 556, 564, 1541, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\1\0\0,\2\0\0X\3\0\0" ... {28, 56, reply, 0, 556, 564, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\1\0\0,\2\0\0X\3\0\0" ) ) == 0x0 01375 564 NtResumeThread (260, ... 1, ) == 0x0 01376 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 49741824, 2097152, ) == 0x0 01377 564 NtAllocateVirtualMemory (-1, 51830784, 0, 8192, 4096, 4, ... 51830784, 8192, ) == 0x0 01378 564 NtProtectVirtualMemory (-1, (0x316e000), 4096, 260, ... (0x316e000), 4096, 4, ) == 0x0 01373 636 NtMapViewOfSection ... (0x76f20000), 0x0, 151552, ) == 0x0 01379 856 NtWaitForSingleObject (40, 0, 0x0, ... 01380 636 NtClose (268, ... ) == 0x0 01381 636 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 268, 2, ) }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 268, 2, ) , 0, ... 268, 2, ) == 0x0 01382 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 264, ) }, ... 264, ) == 0x0 01383 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01384 636 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01385 636 NtQueryValueKey (264, (264, "QueryAdapterName", Partial, 144, ... , Partial, 144, ... 01386 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 272, {556, 860}, ) == 0x0 01387 564 NtQueryInformationThread (272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=556,Tid=860,}, 0x0, ) == 0x0 01388 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1542, 0} (24, {28, 56, new_msg, 0, 556, 564, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0,\2\0\0\\3\0\0" ... {28, 56, reply, 0, 556, 564, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0,\2\0\0\\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1543, 0} (24, {28, 56, new_msg, 0, 556, 564, 1542, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0,\2\0\0\\3\0\0" ... {28, 56, reply, 0, 556, 564, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\1\0\0,\2\0\0\\3\0\0" ) ) == 0x0 01389 564 NtResumeThread (272, ... 1, ) == 0x0 01390 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 51838976, 2097152, ) == 0x0 01391 564 NtAllocateVirtualMemory (-1, 53927936, 0, 8192, 4096, 4, ... 01385 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01392 860 NtWaitForSingleObject (40, 0, 0x0, ... 01393 636 NtQueryValueKey (268, (268, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01394 636 NtQueryValueKey (264, (264, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01395 636 NtQueryValueKey (268, (268, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "UseDomainNameDevolution", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01396 636 NtQueryValueKey (264, (264, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01397 636 NtQueryValueKey (268, (268, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01398 636 NtQueryValueKey (264, (264, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ... 01391 564 NtAllocateVirtualMemory ... 53927936, 8192, ) == 0x0 01399 564 NtProtectVirtualMemory (-1, (0x336e000), 4096, 260, ... (0x336e000), 4096, 4, ) == 0x0 01400 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 276, {556, 864}, ) == 0x0 01401 564 NtQueryInformationThread (276, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=556,Tid=864,}, 0x0, ) == 0x0 01402 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1543, 0} (24, {28, 56, new_msg, 0, 556, 564, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0,\2\0\0`\3\0\0" ... {28, 56, reply, 0, 556, 564, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0,\2\0\0`\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1544, 0} (24, {28, 56, new_msg, 0, 556, 564, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0,\2\0\0`\3\0\0" ... {28, 56, reply, 0, 556, 564, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\1\0\0,\2\0\0`\3\0\0" ) ) == 0x0 01403 564 NtResumeThread (276, ... 1, ) == 0x0 01398 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01404 864 NtWaitForSingleObject (40, 0, 0x0, ... 01405 636 NtQueryValueKey (268, (268, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 636 NtQueryValueKey (264, (264, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01407 636 NtQueryValueKey (264, (264, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01408 636 NtQueryValueKey (264, (264, "ScreenUnreachableServers", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01409 636 NtQueryValueKey (264, (264, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01410 636 NtQueryValueKey (264, (264, "WaitForNameErrorOnAll", Partial, 144, ... , Partial, 144, ... 01411 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 53936128, 2097152, ) == 0x0 01412 564 NtAllocateVirtualMemory (-1, 56025088, 0, 8192, 4096, 4, ... 56025088, 8192, ) == 0x0 01413 564 NtProtectVirtualMemory (-1, (0x356e000), 4096, 260, ... (0x356e000), 4096, 4, ) == 0x0 01414 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 280, {556, 868}, ) == 0x0 01415 564 NtQueryInformationThread (280, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=556,Tid=868,}, 0x0, ) == 0x0 01416 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1544, 0} (24, {28, 56, new_msg, 0, 556, 564, 1544, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0,\2\0\0d\3\0\0" ... ... 01410 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01417 636 NtQueryValueKey (264, (264, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01418 636 NtQueryValueKey (264, (264, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01419 636 NtQueryValueKey (268, (268, "DisableDynamicUpdate", Partial, 144, ... , Partial, 144, ... 01416 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1545, 0} ... {28, 56, reply, 0, 556, 564, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\30\1\0\0,\2\0\0d\3\0\0" ) ) == 0x0 01420 564 NtResumeThread (280, ... 1, ) == 0x0 01421 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 56033280, 2097152, ) == 0x0 01422 564 NtAllocateVirtualMemory (-1, 58122240, 0, 8192, 4096, 4, ... 58122240, 8192, ) == 0x0 01423 564 NtProtectVirtualMemory (-1, (0x376e000), 4096, 260, ... (0x376e000), 4096, 4, ) == 0x0 01424 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
284, {556, 872}, ) == 0x0 01425 564 NtQueryInformationThread (284, Basic, 28, ... 01419 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 868 NtWaitForSingleObject (40, 0, 0x0, ... 01427 636 NtQueryValueKey (264, (264, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01428 636 NtQueryValueKey (264, (264, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01429 636 NtQueryValueKey (268, (268, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01430 636 NtQueryValueKey (264, (264, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 636 NtQueryValueKey (268, (268, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 636 NtQueryValueKey (264, (264, "RegisterWanAdapters", Partial, 144, ... , Partial, 144, ... 01425 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=556,Tid=872,}, 0x0, ) == 0x0 01433 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1545, 0} (24, {28, 56, new_msg, 0, 556, 564, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0,\2\0\0h\3\0\0" ... {28, 56, reply, 0, 556, 564, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0,\2\0\0h\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1546, 0} (24, {28, 56, new_msg, 0, 556, 564, 1545, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0,\2\0\0h\3\0\0" ... {28, 56, reply, 0, 556, 564, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\1\0\0,\2\0\0h\3\0\0" ) ) == 0x0 01434 564 NtResumeThread (284, ... 1, ) == 0x0 01435 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 58130432, 2097152, ) == 0x0 01436 564 NtAllocateVirtualMemory (-1, 60219392, 0, 8192, 4096, 4, ... 60219392, 8192, ) == 0x0 01437 564 NtProtectVirtualMemory (-1, (0x396e000), 4096, 260, ... 
(0x396e000), 4096, 4, ) == 0x0 01432 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01438 872 NtWaitForSingleObject (40, 0, 0x0, ... 01439 636 NtQueryValueKey (268, (268, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01440 636 NtQueryValueKey (264, (264, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 636 NtQueryValueKey (268, (268, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 636 NtQueryValueKey (264, (264, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 636 NtQueryValueKey (268, (268, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01444 636 NtQueryValueKey (264, (264, "RegistrationRefreshInterval", Partial, 144, ... , Partial, 144, ... 01445 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 288, {556, 876}, ) == 0x0 01446 564 NtQueryInformationThread (288, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=556,Tid=876,}, 0x0, ) == 0x0 01447 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1546, 0} (24, {28, 56, new_msg, 0, 556, 564, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0,\2\0\0l\3\0\0" ... {28, 56, reply, 0, 556, 564, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0,\2\0\0l\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1547, 0} (24, {28, 56, new_msg, 0, 556, 564, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0,\2\0\0l\3\0\0" ... {28, 56, reply, 0, 556, 564, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \1\0\0,\2\0\0l\3\0\0" ) ) == 0x0 01448 564 NtResumeThread (288, ... 1, ) == 0x0 01449 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 60227584, 2097152, ) == 0x0 01450 564 NtAllocateVirtualMemory (-1, 62316544, 0, 8192, 4096, 4, ... 01444 636 NtQueryValueKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01451 876 NtWaitForSingleObject (40, 0, 0x0, ... 01452 636 NtQueryValueKey (268, (268, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01453 636 NtQueryValueKey (264, (264, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01454 636 NtQueryValueKey (268, (268, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 636 NtQueryValueKey (264, (264, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01456 636 NtQueryValueKey (268, (268, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 636 NtQueryValueKey (264, (264, "UpdateZoneExcludeFile", Partial, 144, ... , Partial, 144, ... 01450 564 NtAllocateVirtualMemory ... 62316544, 8192, ) == 0x0 01458 564 NtProtectVirtualMemory (-1, (0x3b6e000), 4096, 260, ... (0x3b6e000), 4096, 4, ) == 0x0 01459 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 292, {556, 880}, ) == 0x0 01460 564 NtQueryInformationThread (292, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=556,Tid=880,}, 0x0, ) == 0x0 01461 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1547, 0} (24, {28, 56, new_msg, 0, 556, 564, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0,\2\0\0p\3\0\0" ... {28, 56, reply, 0, 556, 564, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0,\2\0\0p\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1548, 0} (24, {28, 56, new_msg, 0, 556, 564, 1547, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0,\2\0\0p\3\0\0" ... {28, 56, reply, 0, 556, 564, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO$\1\0\0,\2\0\0p\3\0\0" ) ) == 0x0 01462 564 NtResumeThread (292, ... 1, ) == 0x0 01457 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01463 880 NtWaitForSingleObject (40, 0, 0x0, ... 
01464 636 NtQueryValueKey (264, (264, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01465 636 NtQueryValueKey (264, (264, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01466 636 NtQueryValueKey (264, (264, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01467 636 NtQueryValueKey (264, (264, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01468 636 NtQueryValueKey (264, (264, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01469 636 NtQueryValueKey (264, (264, "AdapterTimeoutLimit", Partial, 144, ... , Partial, 144, ... 01470 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 62324736, 2097152, ) == 0x0 01471 564 NtAllocateVirtualMemory (-1, 64413696, 0, 8192, 4096, 4, ... 64413696, 8192, ) == 0x0 01472 564 NtProtectVirtualMemory (-1, (0x3d6e000), 4096, 260, ... (0x3d6e000), 4096, 4, ) == 0x0 01473 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 296, {556, 884}, ) == 0x0 01474 564 NtQueryInformationThread (296, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=556,Tid=884,}, 0x0, ) == 0x0 01475 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1548, 0} (24, {28, 56, new_msg, 0, 556, 564, 1548, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\1\0\0,\2\0\0t\3\0\0" ... ... 01469 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01476 636 NtQueryValueKey (264, (264, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01477 636 NtQueryValueKey (264, (264, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01478 636 NtQueryValueKey (264, (264, "UseMulticast", Partial, 144, ... , Partial, 144, ... 01475 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1549, 0} ... 
{28, 56, reply, 0, 556, 564, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO(\1\0\0,\2\0\0t\3\0\0" ) ) == 0x0 01479 564 NtResumeThread (296, ... 1, ) == 0x0 01480 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 64421888, 2097152, ) == 0x0 01481 564 NtAllocateVirtualMemory (-1, 66510848, 0, 8192, 4096, 4, ... 66510848, 8192, ) == 0x0 01482 564 NtProtectVirtualMemory (-1, (0x3f6e000), 4096, 260, ... (0x3f6e000), 4096, 4, ) == 0x0 01483 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 300, {556, 888}, ) == 0x0 01484 564 NtQueryInformationThread (300, Basic, 28, ... 01478 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01485 884 NtWaitForSingleObject (40, 0, 0x0, ... 01486 636 NtQueryValueKey (264, (264, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01487 636 NtQueryValueKey (264, (264, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01488 636 NtQueryValueKey (264, (264, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01489 636 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\Setup"}, ... 304, ) }, ... 304, ) == 0x0 01490 636 NtQueryValueKey (304, (304, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01491 636 NtClose (304, ... 01484 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=556,Tid=888,}, 0x0, ) == 0x0 01492 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1549, 0} (24, {28, 56, new_msg, 0, 556, 564, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0,\2\0\0x\3\0\0" ... {28, 56, reply, 0, 556, 564, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0,\2\0\0x\3\0\0" ) ... 
{28, 56, reply, 0, 556, 564, 1550, 0} (24, {28, 56, new_msg, 0, 556, 564, 1549, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0,\2\0\0x\3\0\0" ... {28, 56, reply, 0, 556, 564, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO,\1\0\0,\2\0\0x\3\0\0" ) ) == 0x0 01493 564 NtResumeThread (300, ... 1, ) == 0x0 01494 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 66519040, 2097152, ) == 0x0 01495 564 NtAllocateVirtualMemory (-1, 68608000, 0, 8192, 4096, 4, ... 68608000, 8192, ) == 0x0 01496 564 NtProtectVirtualMemory (-1, (0x416e000), 4096, 260, ... (0x416e000), 4096, 4, ) == 0x0 01491 636 NtClose ... ) == 0x0 01497 888 NtWaitForSingleObject (40, 0, 0x0, ... 01498 636 NtClose (268, ... ) == 0x0 01499 636 NtClose (264, ... ) == 0x0 01500 636 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 264, ) }, ... 264, ) == 0x0 01501 636 NtQueryValueKey (264, (264, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01502 636 NtQueryValueKey (264, (264, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01503 636 NtQueryValueKey (264, (264, "DnsMulticastQueryTimeouts", Partial, 144, ... , Partial, 144, ... 01504 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 268, {556, 904}, ) == 0x0 01505 564 NtQueryInformationThread (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=556,Tid=904,}, 0x0, ) == 0x0 01506 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1550, 0} (24, {28, 56, new_msg, 0, 556, 564, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0,\2\0\0\210\3\0\0" ... {28, 56, reply, 0, 556, 564, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0,\2\0\0\210\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1551, 0} (24, {28, 56, new_msg, 0, 556, 564, 1550, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0,\2\0\0\210\3\0\0" ... 
{28, 56, reply, 0, 556, 564, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\14\1\0\0,\2\0\0\210\3\0\0" ) ) == 0x0 01507 564 NtResumeThread (268, ... 1, ) == 0x0 01508 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 68616192, 2097152, ) == 0x0 01509 564 NtAllocateVirtualMemory (-1, 70705152, 0, 8192, 4096, 4, ... 01503 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01510 904 NtWaitForSingleObject (40, 0, 0x0, ... 01511 636 NtClose (264, ... ) == 0x0 01512 636 NtSetEventBoostPriority (40, ... 01294 308 NtWaitForSingleObject ... ) == 0x0 01513 308 NtSetEventBoostPriority (40, ... 01313 812 NtWaitForSingleObject ... ) == 0x0 01514 812 NtSetEventBoostPriority (40, ... 01338 584 NtWaitForSingleObject ... ) == 0x0 01515 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 17888368, ... ) }, 17888368, ... ) == 0x0 01514 812 NtSetEventBoostPriority ... ) == 0x0 01513 308 NtSetEventBoostPriority ... ) == 0x0 01512 636 NtSetEventBoostPriority ... ) == 0x0 01509 564 NtAllocateVirtualMemory ... 70705152, 8192, ) == 0x0 01516 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01517 812 NtTestAlert (... 01518 636 NtWaitForSingleObject (40, 0, 0x0, ... 01519 564 NtProtectVirtualMemory (-1, (0x436e000), 4096, 260, ... 01516 584 NtOpenFile ... 264, {status=0x0, info=1}, ) == 0x0 01517 812 NtTestAlert ... ) == 0x0 01520 308 NtTestAlert (... 01519 564 NtProtectVirtualMemory ... (0x436e000), 4096, 4, ) == 0x0 01521 584 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 264, ... 01522 812 NtContinue (40959280, 1, ... 01520 308 NtTestAlert ... ) == 0x0 01523 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01521 584 NtCreateSection ... 304, ) == 0x0 01524 812 NtRegisterThreadTerminatePort (24, ... 01525 308 NtContinue (38862128, 1, ... 01523 564 NtCreateThread ... 
308, {556, 908}, ) == 0x0 01526 584 NtClose (264, ... 01524 812 NtRegisterThreadTerminatePort ... ) == 0x0 01527 308 NtRegisterThreadTerminatePort (24, ... 01528 564 NtQueryInformationThread (308, Basic, 28, ... 01526 584 NtClose ... ) == 0x0 01529 812 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01527 308 NtRegisterThreadTerminatePort ... ) == 0x0 01528 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=556,Tid=908,}, 0x0, ) == 0x0 01530 584 NtMapViewOfSection (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01531 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01532 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1551, 0} (24, {28, 56, new_msg, 0, 556, 564, 1551, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\1\0\0,\2\0\0\214\3\0\0" ... ... 01530 584 NtMapViewOfSection ... (0xef0000), 0x0, 20480, ) == 0x0 01529 812 NtDuplicateObject ... 264, ) == 0x0 01532 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1552, 0} ... {28, 56, reply, 0, 556, 564, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\1\0\0,\2\0\0\214\3\0\0" ) ) == 0x0 01533 584 NtClose (304, ... 01534 812 NtWaitForSingleObject (108, 0, {0, 0}, ... 01535 564 NtResumeThread (308, ... 01533 584 NtClose ... ) == 0x0 01534 812 NtWaitForSingleObject ... ) == 0x102 01535 564 NtResumeThread ... 1, ) == 0x0 01536 584 NtUnmapViewOfSection (-1, 0xef0000, ... 01537 812 NtWaitForSingleObject (172, 0, 0x0, ... 01531 308 NtDuplicateObject ... 304, ) == 0x0 01538 908 NtWaitForSingleObject (40, 0, 0x0, ... 01536 584 NtUnmapViewOfSection ... ) == 0x0 01539 308 NtWaitForSingleObject (108, 0, {0, 0}, ... 01540 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01539 308 NtWaitForSingleObject ... ) == 0x102 01540 564 NtAllocateVirtualMemory ... 70713344, 2097152, ) == 0x0 01541 308 NtWaitForSingleObject (172, 0, 0x0, ... 01542 564 NtAllocateVirtualMemory (-1, 72802304, 0, 8192, 4096, 4, ... 72802304, 8192, ) == 0x0 01543 564 NtProtectVirtualMemory (-1, (0x456e000), 4096, 260, ... 
(0x456e000), 4096, 4, ) == 0x0 01544 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 312, {556, 912}, ) == 0x0 01545 564 NtQueryInformationThread (312, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=556,Tid=912,}, 0x0, ) == 0x0 01546 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1552, 0} (24, {28, 56, new_msg, 0, 556, 564, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\1\0\0,\2\0\0\220\3\0\0" ... ... 01547 584 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 17888684, ... ) }, 17888684, ... ) == 0x0 01548 584 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 01549 584 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0 01546 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1553, 0} ... {28, 56, reply, 0, 556, 564, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO8\1\0\0,\2\0\0\220\3\0\0" ) ) == 0x0 01550 564 NtResumeThread (312, ... 1, ) == 0x0 01551 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 72810496, 2097152, ) == 0x0 01552 564 NtAllocateVirtualMemory (-1, 74899456, 0, 8192, 4096, 4, ... 74899456, 8192, ) == 0x0 01553 564 NtProtectVirtualMemory (-1, (0x476e000), 4096, 260, ... (0x476e000), 4096, 4, ) == 0x0 01554 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 324, {556, 916}, ) == 0x0 01555 564 NtQueryInformationThread (324, Basic, 28, ... 01556 584 NtQuerySection (320, Image, 48, ... 01557 912 NtWaitForSingleObject (40, 0, 0x0, ... 01556 584 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01558 584 NtClose (316, ... ) == 0x0 01559 584 NtMapViewOfSection (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01560 584 NtClose (320, ... ) == 0x0 01561 584 NtSetEventBoostPriority (40, ... 01345 808 NtWaitForSingleObject ... 
) == 0x0 01562 808 NtSetEventBoostPriority (40, ... 01350 572 NtWaitForSingleObject ... ) == 0x0 01563 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710664, ... ) }, 8710664, ... ) == 0x0 01562 808 NtSetEventBoostPriority ... ) == 0x0 01561 584 NtSetEventBoostPriority ... ) == 0x0 01555 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=556,Tid=916,}, 0x0, ) == 0x0 01564 572 NtSetEventBoostPriority (40, ... 01565 584 NtClose (244, ... 01566 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1553, 0} (24, {28, 56, new_msg, 0, 556, 564, 1553, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0,\2\0\0\224\3\0\0" ... ... 01353 832 NtWaitForSingleObject ... ) == 0x0 01564 572 NtSetEventBoostPriority ... ) == 0x0 01565 584 NtClose ... ) == 0x0 01567 832 NtSetEventBoostPriority (40, ... 01566 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1554, 0} ... {28, 56, reply, 0, 556, 564, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\1\0\0,\2\0\0\224\3\0\0" ) ) == 0x0 01568 572 NtWaitForSingleObject (40, 0, 0x0, ... 01569 808 NtTestAlert (... 01364 852 NtWaitForSingleObject ... ) == 0x0 01567 832 NtSetEventBoostPriority ... ) == 0x0 01570 564 NtResumeThread (324, ... 01571 852 NtSetEventBoostPriority (40, ... 01569 808 NtTestAlert ... ) == 0x0 01572 584 NtWaitForSingleObject (40, 0, 0x0, ... 01379 856 NtWaitForSingleObject ... ) == 0x0 01571 852 NtSetEventBoostPriority ... ) == 0x0 01570 564 NtResumeThread ... 1, ) == 0x0 01573 808 NtContinue (43449648, 1, ... 01574 856 NtSetEventBoostPriority (40, ... 01575 832 NtTestAlert (... 01576 916 NtWaitForSingleObject (40, 0, 0x0, ... 01577 852 NtTestAlert (... 01392 860 NtWaitForSingleObject ... ) == 0x0 01574 856 NtSetEventBoostPriority ... ) == 0x0 01578 808 NtRegisterThreadTerminatePort (24, ... 01575 832 NtTestAlert ... ) == 0x0 01579 860 NtSetEventBoostPriority (40, ... 01577 852 NtTestAlert ... 
) == 0x0 01580 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01578 808 NtRegisterThreadTerminatePort ... ) == 0x0 01404 864 NtWaitForSingleObject ... ) == 0x0 01579 860 NtSetEventBoostPriority ... ) == 0x0 01581 832 NtContinue (45546800, 1, ... 01582 852 NtContinue (47643952, 1, ... 01580 564 NtAllocateVirtualMemory ... 74907648, 2097152, ) == 0x0 01583 864 NtSetEventBoostPriority (40, ... 01584 808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01585 856 NtTestAlert (... 01586 832 NtRegisterThreadTerminatePort (24, ... 01587 852 NtRegisterThreadTerminatePort (24, ... 01426 868 NtWaitForSingleObject ... ) == 0x0 01583 864 NtSetEventBoostPriority ... ) == 0x0 01588 564 NtAllocateVirtualMemory (-1, 76996608, 0, 8192, 4096, 4, ... 01589 860 NtTestAlert (... 01585 856 NtTestAlert ... ) == 0x0 01586 832 NtRegisterThreadTerminatePort ... ) == 0x0 01590 868 NtSetEventBoostPriority (40, ... 01587 852 NtRegisterThreadTerminatePort ... ) == 0x0 01584 808 NtDuplicateObject ... 244, ) == 0x0 01588 564 NtAllocateVirtualMemory ... 76996608, 8192, ) == 0x0 01589 860 NtTestAlert ... ) == 0x0 01591 856 NtContinue (49741104, 1, ... 01438 872 NtWaitForSingleObject ... ) == 0x0 01590 868 NtSetEventBoostPriority ... ) == 0x0 01592 832 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01593 852 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01594 808 NtWaitForSingleObject (108, 0, {0, 0}, ... 01595 564 NtProtectVirtualMemory (-1, (0x496e000), 4096, 260, ... 01596 860 NtContinue (51838256, 1, ... 01597 872 NtSetEventBoostPriority (40, ... 01598 856 NtRegisterThreadTerminatePort (24, ... 01599 864 NtTestAlert (... 01600 868 NtTestAlert (... 01592 832 NtDuplicateObject ... 320, ) == 0x0 01594 808 NtWaitForSingleObject ... ) == 0x102 01595 564 NtProtectVirtualMemory ... (0x496e000), 4096, 4, ) == 0x0 01451 876 NtWaitForSingleObject ... ) == 0x0 01597 872 NtSetEventBoostPriority ... ) == 0x0 01601 860 NtRegisterThreadTerminatePort (24, ... 01598 856 NtRegisterThreadTerminatePort ... 
) == 0x0 01599 864 NtTestAlert ... ) == 0x0 01600 868 NtTestAlert ... ) == 0x0 01602 832 NtAllocateVirtualMemory (-1, 4591616, 0, 4096, 4096, 4, ... 01603 808 NtWaitForSingleObject (172, 0, 0x0, ... 01593 852 NtDuplicateObject ... 316, ) == 0x0 01604 876 NtSetEventBoostPriority (40, ... 01605 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01601 860 NtRegisterThreadTerminatePort ... ) == 0x0 01606 856 NtWaitForSingleObject (120, 0, 0x0, ... 01607 864 NtContinue (53935408, 1, ... 01608 868 NtContinue (56032560, 1, ... 01602 832 NtAllocateVirtualMemory ... 4591616, 4096, ) == 0x0 01463 880 NtWaitForSingleObject ... ) == 0x0 01604 876 NtSetEventBoostPriority ... ) == 0x0 01609 852 NtWaitForSingleObject (120, 0, 0x0, ... 01605 564 NtCreateThread ... 328, {556, 920}, ) == 0x0 01610 860 NtWaitForSingleObject (120, 0, 0x0, ... 01611 872 NtTestAlert (... 01612 864 NtRegisterThreadTerminatePort (24, ... 01613 868 NtRegisterThreadTerminatePort (24, ... 01614 880 NtSetEventBoostPriority (40, ... 01615 832 NtSetEventBoostPriority (120, ... 01616 564 NtQueryInformationThread (328, Basic, 28, ... 01617 876 NtTestAlert (... 01611 872 NtTestAlert ... ) == 0x0 01612 864 NtRegisterThreadTerminatePort ... ) == 0x0 01485 884 NtWaitForSingleObject ... ) == 0x0 01614 880 NtSetEventBoostPriority ... ) == 0x0 01613 868 NtRegisterThreadTerminatePort ... ) == 0x0 01606 856 NtWaitForSingleObject ... ) == 0x0 01615 832 NtSetEventBoostPriority ... ) == 0x0 01616 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=556,Tid=920,}, 0x0, ) == 0x0 01617 876 NtTestAlert ... ) == 0x0 01618 872 NtContinue (58129712, 1, ... 01619 884 NtSetEventBoostPriority (40, ... 01620 864 NtWaitForSingleObject (120, 0, 0x0, ... 01621 856 NtSetEventBoostPriority (120, ... 01622 868 NtWaitForSingleObject (120, 0, 0x0, ... 01623 832 NtWaitForSingleObject (108, 0, {0, 0}, ... 
01624 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1554, 0} (24, {28, 56, new_msg, 0, 556, 564, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0,\2\0\0\230\3\0\0" ... ... 01625 876 NtContinue (60226864, 1, ... 01497 888 NtWaitForSingleObject ... ) == 0x0 01619 884 NtSetEventBoostPriority ... ) == 0x0 01626 872 NtRegisterThreadTerminatePort (24, ... 01627 880 NtTestAlert (... 01609 852 NtWaitForSingleObject ... ) == 0x0 01621 856 NtSetEventBoostPriority ... ) == 0x0 01628 888 NtSetEventBoostPriority (40, ... 01629 876 NtRegisterThreadTerminatePort (24, ... 01623 832 NtWaitForSingleObject ... ) == 0x102 01624 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1555, 0} ... {28, 56, reply, 0, 556, 564, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\1\0\0,\2\0\0\230\3\0\0" ) ) == 0x0 01626 872 NtRegisterThreadTerminatePort ... ) == 0x0 01627 880 NtTestAlert ... ) == 0x0 01630 852 NtSetEventBoostPriority (120, ... 01510 904 NtWaitForSingleObject ... ) == 0x0 01628 888 NtSetEventBoostPriority ... ) == 0x0 01631 856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01629 876 NtRegisterThreadTerminatePort ... ) == 0x0 01632 832 NtWaitForSingleObject (120, 0, 0x0, ... 01633 564 NtResumeThread (328, ... 01634 872 NtWaitForSingleObject (120, 0, 0x0, ... 01635 880 NtContinue (62324016, 1, ... 01636 904 NtSetEventBoostPriority (40, ... 01610 860 NtWaitForSingleObject ... ) == 0x0 01630 852 NtSetEventBoostPriority ... ) == 0x0 01637 884 NtTestAlert (... 01631 856 NtDuplicateObject ... 332, ) == 0x0 01638 876 NtWaitForSingleObject (120, 0, 0x0, ... 01633 564 NtResumeThread ... 1, ) == 0x0 01639 888 NtTestAlert (... 01518 636 NtWaitForSingleObject ... ) == 0x0 01640 860 NtSetEventBoostPriority (120, ... 01636 904 NtSetEventBoostPriority ... ) == 0x0 01641 880 NtRegisterThreadTerminatePort (24, ... 01642 920 NtWaitForSingleObject (40, 0, 0x0, ... 01637 884 NtTestAlert ... ) == 0x0 01643 852 NtWaitForSingleObject (120, 0, 0x0, ... 
01644 856 NtWaitForSingleObject (120, 0, 0x0, ... 01645 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01646 636 NtSetEventBoostPriority (40, ... 01620 864 NtWaitForSingleObject ... ) == 0x0 01639 888 NtTestAlert ... ) == 0x0 01640 860 NtSetEventBoostPriority ... ) == 0x0 01641 880 NtRegisterThreadTerminatePort ... ) == 0x0 01647 884 NtContinue (64421168, 1, ... 01538 908 NtWaitForSingleObject ... ) == 0x0 01645 564 NtAllocateVirtualMemory ... 77004800, 2097152, ) == 0x0 01648 864 NtSetEventBoostPriority (120, ... 01649 888 NtContinue (66518320, 1, ... 01650 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01651 880 NtWaitForSingleObject (120, 0, 0x0, ... 01652 884 NtRegisterThreadTerminatePort (24, ... 01653 908 NtSetEventBoostPriority (40, ... 01654 564 NtAllocateVirtualMemory (-1, 79093760, 0, 8192, 4096, 4, ... 01622 868 NtWaitForSingleObject ... ) == 0x0 01655 888 NtRegisterThreadTerminatePort (24, ... 01650 860 NtDuplicateObject ... 336, ) == 0x0 01648 864 NtSetEventBoostPriority ... ) == 0x0 01646 636 NtSetEventBoostPriority ... ) == 0x0 01656 904 NtTestAlert (... 01652 884 NtRegisterThreadTerminatePort ... ) == 0x0 01557 912 NtWaitForSingleObject ... ) == 0x0 01653 908 NtSetEventBoostPriority ... ) == 0x0 01657 868 NtSetEventBoostPriority (120, ... 01655 888 NtRegisterThreadTerminatePort ... ) == 0x0 01654 564 NtAllocateVirtualMemory ... 79093760, 8192, ) == 0x0 01658 864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01659 636 NtWaitForSingleObject (120, 0, 0x0, ... 01656 904 NtTestAlert ... ) == 0x0 01660 912 NtAllocateVirtualMemory (-1, 13193216, 0, 4096, 4096, 4, ... 01661 884 NtWaitForSingleObject (120, 0, 0x0, ... 01662 860 NtWaitForSingleObject (120, 0, 0x0, ... 01632 832 NtWaitForSingleObject ... ) == 0x0 01663 888 NtWaitForSingleObject (120, 0, 0x0, ... 01664 564 NtProtectVirtualMemory (-1, (0x4b6e000), 4096, 260, ... 01658 864 NtDuplicateObject ... 340, ) == 0x0 01660 912 NtAllocateVirtualMemory ... 
13193216, 4096, ) == 0x0 01665 904 NtContinue (68615472, 1, ... 01657 868 NtSetEventBoostPriority ... ) == 0x0 01666 908 NtTestAlert (... 01667 832 NtSetEventBoostPriority (120, ... 01664 564 NtProtectVirtualMemory ... (0x4b6e000), 4096, 4, ) == 0x0 01668 864 NtWaitForSingleObject (120, 0, 0x0, ... 01669 904 NtRegisterThreadTerminatePort (24, ... 01670 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01666 908 NtTestAlert ... ) == 0x0 01634 872 NtWaitForSingleObject ... ) == 0x0 01667 832 NtSetEventBoostPriority ... ) == 0x0 01671 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01669 904 NtRegisterThreadTerminatePort ... ) == 0x0 01670 868 NtDuplicateObject ... 344, ) == 0x0 01672 872 NtSetEventBoostPriority (120, ... 01673 908 NtContinue (70712624, 1, ... 01674 912 NtSetEventBoostPriority (40, ... 01671 564 NtCreateThread ... 348, {556, 924}, ) == 0x0 01675 904 NtWaitForSingleObject (120, 0, 0x0, ... 01676 832 NtWaitForSingleObject (172, 0, 0x0, ... 01638 876 NtWaitForSingleObject ... ) == 0x0 01677 908 NtRegisterThreadTerminatePort (24, ... 01568 572 NtWaitForSingleObject ... ) == 0x0 01674 912 NtSetEventBoostPriority ... ) == 0x0 01678 564 NtQueryInformationThread (348, Basic, 28, ... 01672 872 NtSetEventBoostPriority ... ) == 0x0 01679 868 NtWaitForSingleObject (120, 0, 0x0, ... 01680 876 NtSetEventBoostPriority (120, ... 01681 572 NtSetEventBoostPriority (40, ... 01677 908 NtRegisterThreadTerminatePort ... ) == 0x0 01682 912 NtTestAlert (... 01683 872 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01572 584 NtWaitForSingleObject ... ) == 0x0 01681 572 NtSetEventBoostPriority ... ) == 0x0 01643 852 NtWaitForSingleObject ... ) == 0x0 01684 908 NtWaitForSingleObject (120, 0, 0x0, ... 01682 912 NtTestAlert ... ) == 0x0 01685 584 NtSetEventBoostPriority (40, ... 01683 872 NtDuplicateObject ... 352, ) == 0x0 01680 876 NtSetEventBoostPriority ... ) == 0x0 01678 564 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=556,Tid=924,}, 0x0, ) == 0x0 01686 852 NtSetEventBoostPriority (120, ... 01349 572 NtUserCallNoParam ... ) == 0x0 01576 916 NtWaitForSingleObject ... ) == 0x0 01685 584 NtSetEventBoostPriority ... ) == 0x0 01687 912 NtContinue (72809776, 1, ... 01688 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01689 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1555, 0} (24, {28, 56, new_msg, 0, 556, 564, 1555, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\1\0\0,\2\0\0\234\3\0\0" ... ... 01644 856 NtWaitForSingleObject ... ) == 0x0 01686 852 NtSetEventBoostPriority ... ) == 0x0 01690 916 NtSetEventBoostPriority (40, ... 01691 572 NtUserCallNoParam (29, ... 01692 584 NtWaitForSingleObject (40, 0, 0x0, ... 01693 912 NtRegisterThreadTerminatePort (24, ... 01688 876 NtDuplicateObject ... 356, ) == 0x0 01694 856 NtSetEventBoostPriority (120, ... 01689 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1556, 0} ... {28, 56, reply, 0, 556, 564, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\\1\0\0,\2\0\0\234\3\0\0" ) ) == 0x0 01642 920 NtWaitForSingleObject ... ) == 0x0 01690 916 NtSetEventBoostPriority ... ) == 0x0 01695 852 NtWaitForSingleObject (120, 0, 0x0, ... 01696 572 NtWaitForSingleObject (40, 0, 0x0, ... 01697 872 NtWaitForSingleObject (120, 0, 0x0, ... 01693 912 NtRegisterThreadTerminatePort ... ) == 0x0 01651 880 NtWaitForSingleObject ... ) == 0x0 01694 856 NtSetEventBoostPriority ... ) == 0x0 01698 920 NtSetEventBoostPriority (40, ... 01699 564 NtResumeThread (348, ... 01700 876 NtWaitForSingleObject (120, 0, 0x0, ... 01701 916 NtTestAlert (... 01702 880 NtSetEventBoostPriority (120, ... 01703 912 NtWaitForSingleObject (120, 0, 0x0, ... 01692 584 NtWaitForSingleObject ... ) == 0x0 01698 920 NtSetEventBoostPriority ... ) == 0x0 01704 856 NtWaitForSingleObject (120, 0, 0x0, ... 01699 564 NtResumeThread ... 1, ) == 0x0 01659 636 NtWaitForSingleObject ... ) == 0x0 01701 916 NtTestAlert ... 
) == 0x0 01705 584 NtSetEventBoostPriority (40, ... 01702 880 NtSetEventBoostPriority ... ) == 0x0 01706 924 NtWaitForSingleObject (40, 0, 0x0, ... 01707 920 NtTestAlert (... 01708 636 NtSetEventBoostPriority (120, ... 01696 572 NtWaitForSingleObject ... ) == 0x0 01709 916 NtContinue (74906928, 1, ... 01710 880 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01707 920 NtTestAlert ... ) == 0x0 01662 860 NtWaitForSingleObject ... ) == 0x0 01708 636 NtSetEventBoostPriority ... ) == 0x0 01711 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 8710660, ... }, 8710660, ... 01712 916 NtRegisterThreadTerminatePort (24, ... 01710 880 NtDuplicateObject ... 360, ) == 0x0 01713 860 NtSetEventBoostPriority (120, ... 01714 920 NtContinue (77004080, 1, ... 01705 584 NtSetEventBoostPriority ... ) == 0x0 01715 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01711 572 NtQueryAttributesFile ... ) == 0x0 01712 916 NtRegisterThreadTerminatePort ... ) == 0x0 01716 636 NtWaitForSingleObject (120, 0, 0x0, ... 01661 884 NtWaitForSingleObject ... ) == 0x0 01713 860 NtSetEventBoostPriority ... ) == 0x0 01717 920 NtRegisterThreadTerminatePort (24, ... 01718 584 NtWaitForSingleObject (40, 0, 0x0, ... 01715 564 NtAllocateVirtualMemory ... 79101952, 2097152, ) == 0x0 01719 880 NtWaitForSingleObject (120, 0, 0x0, ... 01720 916 NtWaitForSingleObject (120, 0, 0x0, ... 01721 884 NtSetEventBoostPriority (120, ... 01722 860 NtWaitForSingleObject (120, 0, 0x0, ... 01717 920 NtRegisterThreadTerminatePort ... ) == 0x0 01723 564 NtAllocateVirtualMemory (-1, 81190912, 0, 8192, 4096, 4, ... 01724 572 NtSetEventBoostPriority (40, ... 01663 888 NtWaitForSingleObject ... ) == 0x0 01721 884 NtSetEventBoostPriority ... ) == 0x0 01725 920 NtWaitForSingleObject (120, 0, 0x0, ... 01723 564 NtAllocateVirtualMemory ... 81190912, 8192, ) == 0x0 01706 924 NtWaitForSingleObject ... ) == 0x0 01724 572 NtSetEventBoostPriority ... 
) == 0x0 01726 888 NtSetEventBoostPriority (120, ... 01727 884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01728 924 NtSetEventBoostPriority (40, ... 01729 564 NtProtectVirtualMemory (-1, (0x4d6e000), 4096, 260, ... 01730 572 NtWaitForSingleObject (40, 0, 0x0, ... 01668 864 NtWaitForSingleObject ... ) == 0x0 01718 584 NtWaitForSingleObject ... ) == 0x0 01728 924 NtSetEventBoostPriority ... ) == 0x0 01727 884 NtDuplicateObject ... 364, ) == 0x0 01729 564 NtProtectVirtualMemory ... (0x4d6e000), 4096, 4, ) == 0x0 01731 584 NtSetEventBoostPriority (40, ... 01732 864 NtSetEventBoostPriority (120, ... 01726 888 NtSetEventBoostPriority ... ) == 0x0 01733 924 NtTestAlert (... 01734 884 NtWaitForSingleObject (120, 0, 0x0, ... 01730 572 NtWaitForSingleObject ... ) == 0x0 01731 584 NtSetEventBoostPriority ... ) == 0x0 01675 904 NtWaitForSingleObject ... ) == 0x0 01732 864 NtSetEventBoostPriority ... ) == 0x0 01735 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01733 924 NtTestAlert ... ) == 0x0 01691 572 NtUserCallNoParam ... ) == 0x0 01736 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01737 904 NtSetEventBoostPriority (120, ... 01738 864 NtWaitForSingleObject (120, 0, 0x0, ... 01735 888 NtDuplicateObject ... 368, ) == 0x0 01739 924 NtContinue (79101232, 1, ... 01679 868 NtWaitForSingleObject ... ) == 0x0 01736 564 NtCreateThread ... 372, {556, 928}, ) == 0x0 01737 904 NtSetEventBoostPriority ... ) == 0x0 01740 584 NtWaitForSingleObject (120, 0, 0x0, ... 01741 572 NtUserMessageCall (0x200b4, WM_NCCREATE, 0x0, 0x84f800, 0, 670, 1, ... 01742 924 NtRegisterThreadTerminatePort (24, ... 01743 868 NtSetEventBoostPriority (120, ... 01744 564 NtQueryInformationThread (372, Basic, 28, ... 01745 904 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01741 572 NtUserMessageCall ... ) == 0x1 01742 924 NtRegisterThreadTerminatePort ... ) == 0x0 01684 908 NtWaitForSingleObject ... ) == 0x0 01743 868 NtSetEventBoostPriority ... 
) == 0x0 01744 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=556,Tid=928,}, 0x0, ) == 0x0 01745 904 NtDuplicateObject ... 376, ) == 0x0 01746 572 NtUserMessageCall (0x200b4, WM_NCCALCSIZE, 0x0, 0x84f834, 0, 670, 1, ... 01747 908 NtSetEventBoostPriority (120, ... 01748 924 NtWaitForSingleObject (120, 0, 0x0, ... 01749 868 NtWaitForSingleObject (120, 0, 0x0, ... 01750 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1556, 0} (24, {28, 56, new_msg, 0, 556, 564, 1556, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\1\0\0,\2\0\0\240\3\0\0" ... ... 01751 888 NtWaitForSingleObject (120, 0, 0x0, ... 01697 872 NtWaitForSingleObject ... ) == 0x0 01746 572 NtUserMessageCall ... ) == 0x0 01747 908 NtSetEventBoostPriority ... ) == 0x0 01752 904 NtWaitForSingleObject (120, 0, 0x0, ... 01753 872 NtSetEventBoostPriority (120, ... 01754 572 NtUserGetClassName (131252, 0, 8713452, ... 01755 908 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01700 876 NtWaitForSingleObject ... ) == 0x0 01753 872 NtSetEventBoostPriority ... ) == 0x0 01754 572 NtUserGetClassName ... ) == 0x6 01756 876 NtSetEventBoostPriority (120, ... 01755 908 NtDuplicateObject ... 380, ) == 0x0 01757 872 NtWaitForSingleObject (120, 0, 0x0, ... 01750 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1557, 0} ... {28, 56, reply, 0, 556, 564, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\1\0\0,\2\0\0\240\3\0\0" ) ) == 0x0 01703 912 NtWaitForSingleObject ... ) == 0x0 01756 876 NtSetEventBoostPriority ... ) == 0x0 01758 572 NtUserRemoveProp (131252, 43282, ... 01759 908 NtWaitForSingleObject (120, 0, 0x0, ... 01760 912 NtSetEventBoostPriority (120, ... 01761 564 NtResumeThread (372, ... 01762 876 NtWaitForSingleObject (120, 0, 0x0, ... 01758 572 NtUserRemoveProp ... ) == 0x0 01695 852 NtWaitForSingleObject ... ) == 0x0 01760 912 NtSetEventBoostPriority ... ) == 0x0 01761 564 NtResumeThread ... 1, ) == 0x0 01763 852 NtSetEventBoostPriority (120, ... 
01764 572 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 4194366, 8713044, 35020, 28} (24, {24, 52, new_msg, 0, 4194366, 8713044, 35020, 28} "\0\0\0\0\5\4\3\0I\0N\0D\0O\0<\2\0\0\0\0\0\0" ... ... 01765 928 NtTestAlert (... 01704 856 NtWaitForSingleObject ... ) == 0x0 01766 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01764 572 NtRequestWaitReplyPort ... {24, 52, reply, 0, 556, 572, 1558, 0} ... {24, 52, reply, 0, 556, 572, 1558, 0} "\0\0\0\0\5\4\3\0\0\0\0\0D\0O\0<\2\0\0\0\0\0\0" ) ) == 0x0 01765 928 NtTestAlert ... ) == 0x0 01767 856 NtSetEventBoostPriority (120, ... 01766 564 NtAllocateVirtualMemory ... 81199104, 2097152, ) == 0x0 01768 572 NtUserGetThreadDesktop (572, 0, ... 01769 928 NtContinue (81198384, 1, ... 01716 636 NtWaitForSingleObject ... ) == 0x0 01770 564 NtAllocateVirtualMemory (-1, 83288064, 0, 8192, 4096, 4, ... 01767 856 NtSetEventBoostPriority ... ) == 0x0 01763 852 NtSetEventBoostPriority ... ) == 0x0 01771 912 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01772 928 NtRegisterThreadTerminatePort (24, ... 01773 636 NtSetEventBoostPriority (120, ... 01768 572 NtUserGetThreadDesktop ... ) == 0x38 01774 856 NtWaitForSingleObject (120, 0, 0x0, ... 01775 852 NtWaitForSingleObject (108, 0, {0, 0}, ... 01771 912 NtDuplicateObject ... 384, ) == 0x0 01772 928 NtRegisterThreadTerminatePort ... ) == 0x0 01719 880 NtWaitForSingleObject ... ) == 0x0 01773 636 NtSetEventBoostPriority ... ) == 0x0 01776 572 NtUserGetObjectInformation (56, 2, 8713128, 520, 0, ... 01777 912 NtWaitForSingleObject (120, 0, 0x0, ... 01770 564 NtAllocateVirtualMemory ... 83288064, 8192, ) == 0x0 01775 852 NtWaitForSingleObject ... ) == 0x102 01778 880 NtSetEventBoostPriority (120, ... 01779 636 NtQuerySystemInformation (Basic, 44, ... 01776 572 NtUserGetObjectInformation ... ) == 0x1 01780 564 NtProtectVirtualMemory (-1, (0x4f6e000), 4096, 260, ... 01720 916 NtWaitForSingleObject ... ) == 0x0 01778 880 NtSetEventBoostPriority ... 
) == 0x0 01781 852 NtWaitForSingleObject (120, 0, 0x0, ... 01782 928 NtWaitForSingleObject (120, 0, 0x0, ... 01783 572 NtGdiDeleteObjectApp (252707835, ... 01784 916 NtSetEventBoostPriority (120, ... 01780 564 NtProtectVirtualMemory ... (0x4f6e000), 4096, 4, ) == 0x0 01785 880 NtWaitForSingleObject (120, 0, 0x0, ... 01722 860 NtWaitForSingleObject ... ) == 0x0 01783 572 NtGdiDeleteObjectApp ... ) == 0x1 01786 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01784 916 NtSetEventBoostPriority ... ) == 0x0 01779 636 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01787 860 NtSetEventBoostPriority (120, ... 01788 572 NtUserGetWindowDC (0, ... 01786 564 NtCreateThread ... 388, {556, 932}, ) == 0x0 01789 916 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01790 636 NtWaitForSingleObject (120, 0, 0x0, ... 01725 920 NtWaitForSingleObject ... ) == 0x0 01787 860 NtSetEventBoostPriority ... ) == 0x0 01791 564 NtQueryInformationThread (388, Basic, 28, ... 01789 916 NtDuplicateObject ... 392, ) == 0x0 01792 920 NtSetEventBoostPriority (120, ... 01793 860 NtWaitForSingleObject (120, 0, 0x0, ... 01788 572 NtUserGetWindowDC ... ) == 0x1010052 01791 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=556,Tid=932,}, 0x0, ) == 0x0 01734 884 NtWaitForSingleObject ... ) == 0x0 01794 572 NtUserCallOneParam (16842834, 56, ... 01795 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1557, 0} (24, {28, 56, new_msg, 0, 556, 564, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\1\0\0,\2\0\0\244\3\0\0" ... ... 01796 884 NtSetEventBoostPriority (120, ... 01794 572 NtUserCallOneParam ... ) == 0x1 01795 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1559, 0} ... 
{28, 56, reply, 0, 556, 564, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\204\1\0\0,\2\0\0\244\3\0\0" ) ) == 0x0 01738 864 NtWaitForSingleObject ... ) == 0x0 01796 884 NtSetEventBoostPriority ... ) == 0x0 01797 572 NtUserGetWindowDC (0, ... 01798 864 NtSetEventBoostPriority (120, ... 01799 564 NtResumeThread (388, ... 01800 884 NtWaitForSingleObject (120, 0, 0x0, ... 01740 584 NtWaitForSingleObject ... ) == 0x0 01797 572 NtUserGetWindowDC ... ) == 0x1010052 01799 564 NtResumeThread ... 1, ) == 0x0 01798 864 NtSetEventBoostPriority ... ) == 0x0 01792 920 NtSetEventBoostPriority ... ) == 0x0 01801 916 NtWaitForSingleObject (120, 0, 0x0, ... 01802 584 NtSetEventBoostPriority (120, ... 01803 572 NtUserCallOneParam (16842834, 56, ... 01804 932 NtTestAlert (... 01805 864 NtWaitForSingleObject (120, 0, 0x0, ... 01806 920 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01748 924 NtWaitForSingleObject ... ) == 0x0 01802 584 NtSetEventBoostPriority ... ) == 0x0 01807 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01804 932 NtTestAlert ... ) == 0x0 01808 924 NtSetEventBoostPriority (120, ... 01806 920 NtDuplicateObject ... 396, ) == 0x0 01809 584 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01807 564 NtAllocateVirtualMemory ... 83296256, 2097152, ) == 0x0 01751 888 NtWaitForSingleObject ... ) == 0x0 01810 932 NtContinue (83295536, 1, ... 01808 924 NtSetEventBoostPriority ... ) == 0x0 01803 572 NtUserCallOneParam ... ) == 0x1 01811 920 NtWaitForSingleObject (120, 0, 0x0, ... 01812 564 NtAllocateVirtualMemory (-1, 85385216, 0, 8192, 4096, 4, ... 01813 888 NtSetEventBoostPriority (120, ... 01814 932 NtRegisterThreadTerminatePort (24, ... 01815 924 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01816 572 NtUserGetWindowDC (0, ... 01812 564 NtAllocateVirtualMemory ... 85385216, 8192, ) == 0x0 01752 904 NtWaitForSingleObject ... ) == 0x0 01813 888 NtSetEventBoostPriority ... ) == 0x0 01814 932 NtRegisterThreadTerminatePort ... ) == 0x0 01815 924 NtDuplicateObject ... 
400, ) == 0x0 01816 572 NtUserGetWindowDC ... ) == 0x1010052 01817 904 NtSetEventBoostPriority (120, ... 01818 564 NtProtectVirtualMemory (-1, (0x516e000), 4096, 260, ... 01819 888 NtWaitForSingleObject (120, 0, 0x0, ... 01809 584 NtCreateEvent ... 404, ) == 0x0 01820 932 NtWaitForSingleObject (120, 0, 0x0, ... 01749 868 NtWaitForSingleObject ... ) == 0x0 01817 904 NtSetEventBoostPriority ... ) == 0x0 01821 572 NtUserCallOneParam (16842834, 56, ... 01818 564 NtProtectVirtualMemory ... (0x516e000), 4096, 4, ) == 0x0 01822 924 NtWaitForSingleObject (120, 0, 0x0, ... 01823 584 NtWaitForSingleObject (404, 0, 0x0, ... 01824 868 NtSetEventBoostPriority (120, ... 01825 904 NtWaitForSingleObject (120, 0, 0x0, ... 01821 572 NtUserCallOneParam ... ) == 0x1 01759 908 NtWaitForSingleObject ... ) == 0x0 01824 868 NtSetEventBoostPriority ... ) == 0x0 01826 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01827 572 NtUserGetWindowDC (0, ... 01828 908 NtSetEventBoostPriority (120, ... 01829 868 NtWaitForSingleObject (120, 0, 0x0, ... 01826 564 NtCreateThread ... 408, {556, 936}, ) == 0x0 01757 872 NtWaitForSingleObject ... ) == 0x0 01828 908 NtSetEventBoostPriority ... ) == 0x0 01830 872 NtSetEventBoostPriority (120, ... 01831 564 NtQueryInformationThread (408, Basic, 28, ... 01762 876 NtWaitForSingleObject ... ) == 0x0 01832 908 NtWaitForSingleObject (120, 0, 0x0, ... 01831 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=556,Tid=936,}, 0x0, ) == 0x0 01833 876 NtSetEventBoostPriority (120, ... 01830 872 NtSetEventBoostPriority ... ) == 0x0 01827 572 NtUserGetWindowDC ... ) == 0x1010052 01834 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1559, 0} (24, {28, 56, new_msg, 0, 556, 564, 1559, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\1\0\0,\2\0\0\250\3\0\0" ... ... 01774 856 NtWaitForSingleObject ... ) == 0x0 01835 872 NtWaitForSingleObject (404, 0, 0x0, ... 01836 572 NtUserCallOneParam (16842834, 56, ... 
01837 856 NtSetEventBoostPriority (120, ... 01836 572 NtUserCallOneParam ... ) == 0x1 01777 912 NtWaitForSingleObject ... ) == 0x0 01837 856 NtSetEventBoostPriority ... ) == 0x0 01838 912 NtSetEventBoostPriority (120, ... 01839 572 NtUserGetWindowDC (0, ... 01833 876 NtSetEventBoostPriority ... ) == 0x0 01834 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1560, 0} ... {28, 56, reply, 0, 556, 564, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\1\0\0,\2\0\0\250\3\0\0" ) ) == 0x0 01781 852 NtWaitForSingleObject ... ) == 0x0 01838 912 NtSetEventBoostPriority ... ) == 0x0 01839 572 NtUserGetWindowDC ... ) == 0x1010052 01840 876 NtWaitForSingleObject (120, 0, 0x0, ... 01841 852 NtAllocateVirtualMemory (-1, 4595712, 0, 4096, 4096, 4, ... 01842 564 NtResumeThread (408, ... 01843 856 NtWaitForSingleObject (404, 0, 0x0, ... 01844 572 NtUserCallOneParam (16842834, 56, ... 01841 852 NtAllocateVirtualMemory ... 4595712, 4096, ) == 0x0 01842 564 NtResumeThread ... 1, ) == 0x0 01845 912 NtWaitForSingleObject (120, 0, 0x0, ... 01846 936 NtTestAlert (... 01844 572 NtUserCallOneParam ... ) == 0x1 01847 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01846 936 NtTestAlert ... ) == 0x0 01848 572 NtUserGetWindowDC (0, ... 01847 564 NtAllocateVirtualMemory ... 85393408, 2097152, ) == 0x0 01849 936 NtContinue (85392688, 1, ... 01848 572 NtUserGetWindowDC ... ) == 0x1010052 01850 564 NtAllocateVirtualMemory (-1, 87482368, 0, 8192, 4096, 4, ... 01851 936 NtRegisterThreadTerminatePort (24, ... 01852 572 NtUserCallOneParam (16842834, 56, ... 01853 852 NtSetEventBoostPriority (120, ... 01851 936 NtRegisterThreadTerminatePort ... ) == 0x0 01852 572 NtUserCallOneParam ... ) == 0x1 01782 928 NtWaitForSingleObject ... ) == 0x0 01853 852 NtSetEventBoostPriority ... ) == 0x0 01850 564 NtAllocateVirtualMemory ... 87482368, 8192, ) == 0x0 01854 928 NtSetEventBoostPriority (120, ... 01855 572 NtUserGetWindowDC (0, ... 01856 852 NtWaitForSingleObject (172, 0, 0x0, ... 
01785 880 NtWaitForSingleObject ... ) == 0x0 01854 928 NtSetEventBoostPriority ... ) == 0x0 01857 564 NtProtectVirtualMemory (-1, (0x536e000), 4096, 260, ... 01858 936 NtWaitForSingleObject (120, 0, 0x0, ... 01859 880 NtSetEventBoostPriority (120, ... 01860 928 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01857 564 NtProtectVirtualMemory ... (0x536e000), 4096, 4, ) == 0x0 01790 636 NtWaitForSingleObject ... ) == 0x0 01859 880 NtSetEventBoostPriority ... ) == 0x0 01855 572 NtUserGetWindowDC ... ) == 0x1010052 01861 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01862 636 NtSetEventBoostPriority (120, ... 01863 880 NtWaitForSingleObject (120, 0, 0x0, ... 01864 572 NtUserCallOneParam (16842834, 56, ... 01861 564 NtCreateThread ... 412, {556, 940}, ) == 0x0 01793 860 NtWaitForSingleObject ... ) == 0x0 01862 636 NtSetEventBoostPriority ... ) == 0x0 01864 572 NtUserCallOneParam ... ) == 0x1 01865 860 NtSetEventBoostPriority (120, ... 01866 564 NtQueryInformationThread (412, Basic, 28, ... 01860 928 NtDuplicateObject ... 416, ) == 0x0 01800 884 NtWaitForSingleObject ... ) == 0x0 01865 860 NtSetEventBoostPriority ... ) == 0x0 01867 572 NtUserGetWindowDC (0, ... 01868 636 NtSetEventBoostPriority (404, ... 01869 884 NtSetEventBoostPriority (120, ... 01870 928 NtWaitForSingleObject (120, 0, 0x0, ... 01866 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=556,Tid=940,}, 0x0, ) == 0x0 01867 572 NtUserGetWindowDC ... ) == 0x1010052 01801 916 NtWaitForSingleObject ... ) == 0x0 01823 584 NtWaitForSingleObject ... ) == 0x0 01868 636 NtSetEventBoostPriority ... ) == 0x0 01871 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1560, 0} (24, {28, 56, new_msg, 0, 556, 564, 1560, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0,\2\0\0\254\3\0\0" ... ... 01872 572 NtUserCallOneParam (16842834, 56, ... 01873 584 NtWaitForSingleObject (120, 0, 0x0, ... 01874 916 NtSetEventBoostPriority (120, ... 
01875 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 01871 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1561, 0} ... {28, 56, reply, 0, 556, 564, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\234\1\0\0,\2\0\0\254\3\0\0" ) ) == 0x0 01869 884 NtSetEventBoostPriority ... ) == 0x0 01876 860 NtWaitForSingleObject (404, 0, 0x0, ... 01805 864 NtWaitForSingleObject ... ) == 0x0 01874 916 NtSetEventBoostPriority ... ) == 0x0 01875 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01877 564 NtResumeThread (412, ... 01878 884 NtWaitForSingleObject (404, 0, 0x0, ... 01879 864 NtSetEventBoostPriority (120, ... 01880 916 NtWaitForSingleObject (120, 0, 0x0, ... 01881 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 01877 564 NtResumeThread ... 1, ) == 0x0 01811 920 NtWaitForSingleObject ... ) == 0x0 01879 864 NtSetEventBoostPriority ... ) == 0x0 01872 572 NtUserCallOneParam ... ) == 0x1 01882 940 NtTestAlert (... 01881 636 NtOpenKey ... 420, ) == 0x0 01883 920 NtSetEventBoostPriority (120, ... 01884 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01885 572 NtUserGetWindowDC (0, ... 01882 940 NtTestAlert ... ) == 0x0 01886 864 NtWaitForSingleObject (404, 0, 0x0, ... 01820 932 NtWaitForSingleObject ... ) == 0x0 01883 920 NtSetEventBoostPriority ... ) == 0x0 01884 564 NtAllocateVirtualMemory ... 87490560, 2097152, ) == 0x0 01885 572 NtUserGetWindowDC ... ) == 0x1010052 01887 940 NtContinue (87489840, 1, ... 01888 932 NtSetEventBoostPriority (120, ... 01889 920 NtWaitForSingleObject (120, 0, 0x0, ... 01890 564 NtAllocateVirtualMemory (-1, 89579520, 0, 8192, 4096, 4, ... 01891 572 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... 01819 888 NtWaitForSingleObject ... ) == 0x0 01888 932 NtSetEventBoostPriority ... ) == 0x0 01892 940 NtRegisterThreadTerminatePort (24, ... 
01893 636 NtQueryValueKey (420, (420, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 01890 564 NtAllocateVirtualMemory ... 89579520, 8192, ) == 0x0 01894 888 NtSetEventBoostPriority (120, ... 01891 572 NtGdiCreatePatternBrushInternal ... ) == 0x101003fb 01895 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01892 940 NtRegisterThreadTerminatePort ... ) == 0x0 01893 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01822 924 NtWaitForSingleObject ... ) == 0x0 01896 564 NtProtectVirtualMemory (-1, (0x556e000), 4096, 260, ... 01897 572 NtUserCallOneParam (16842834, 56, ... 01894 888 NtSetEventBoostPriority ... ) == 0x0 01895 932 NtDuplicateObject ... 424, ) == 0x0 01898 636 NtClose (420, ... 01899 924 NtSetEventBoostPriority (120, ... 01896 564 NtProtectVirtualMemory ... (0x556e000), 4096, 4, ) == 0x0 01900 940 NtWaitForSingleObject (120, 0, 0x0, ... 01901 888 NtWaitForSingleObject (120, 0, 0x0, ... 01902 932 NtWaitForSingleObject (120, 0, 0x0, ... 01898 636 NtClose ... ) == 0x0 01825 904 NtWaitForSingleObject ... ) == 0x0 01899 924 NtSetEventBoostPriority ... ) == 0x0 01897 572 NtUserCallOneParam ... ) == 0x1 01903 904 NtSetEventBoostPriority (120, ... 01904 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 01905 924 NtWaitForSingleObject (120, 0, 0x0, ... 01829 868 NtWaitForSingleObject ... ) == 0x0 01906 572 NtWaitForSingleObject (404, 0, 0x0, ... 01904 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01903 904 NtSetEventBoostPriority ... ) == 0x0 01907 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01908 868 NtSetEventBoostPriority (120, ... 01909 904 NtWaitForSingleObject (120, 0, 0x0, ... 01907 564 NtCreateThread ... 420, {556, 944}, ) == 0x0 01832 908 NtWaitForSingleObject ... ) == 0x0 01908 868 NtSetEventBoostPriority ... ) == 0x0 01910 908 NtSetEventBoostPriority (120, ... 
01911 564 NtQueryInformationThread (420, Basic, 28, ... 01912 636 NtWaitForSingleObject (120, 0, 0x0, ... 01840 876 NtWaitForSingleObject ... ) == 0x0 01911 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=556,Tid=944,}, 0x0, ) == 0x0 01913 876 NtSetEventBoostPriority (120, ... 01914 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1561, 0} (24, {28, 56, new_msg, 0, 556, 564, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\1\0\0,\2\0\0\260\3\0\0" ... ... 01845 912 NtWaitForSingleObject ... ) == 0x0 01913 876 NtSetEventBoostPriority ... ) == 0x0 01915 912 NtSetEventBoostPriority (120, ... 01914 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1562, 0} ... {28, 56, reply, 0, 556, 564, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\244\1\0\0,\2\0\0\260\3\0\0" ) ) == 0x0 01910 908 NtSetEventBoostPriority ... ) == 0x0 01916 868 NtWaitForSingleObject (404, 0, 0x0, ... 01858 936 NtWaitForSingleObject ... ) == 0x0 01915 912 NtSetEventBoostPriority ... ) == 0x0 01917 564 NtResumeThread (420, ... 01918 908 NtWaitForSingleObject (404, 0, 0x0, ... 01919 936 NtSetEventBoostPriority (120, ... 01920 912 NtWaitForSingleObject (404, 0, 0x0, ... 01917 564 NtResumeThread ... 1, ) == 0x0 01863 880 NtWaitForSingleObject ... ) == 0x0 01919 936 NtSetEventBoostPriority ... ) == 0x0 01921 876 NtWaitForSingleObject (404, 0, 0x0, ... 01922 944 NtTestAlert (... 01923 880 NtSetEventBoostPriority (120, ... 01924 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01925 936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01870 928 NtWaitForSingleObject ... ) == 0x0 01923 880 NtSetEventBoostPriority ... ) == 0x0 01922 944 NtTestAlert ... ) == 0x0 01924 564 NtAllocateVirtualMemory ... 89587712, 2097152, ) == 0x0 01926 928 NtSetEventBoostPriority (120, ... 01925 936 NtDuplicateObject ... 428, ) == 0x0 01927 944 NtContinue (89586992, 1, ... 01873 584 NtWaitForSingleObject ... ) == 0x0 01926 928 NtSetEventBoostPriority ... 
) == 0x0 01928 564 NtAllocateVirtualMemory (-1, 91676672, 0, 8192, 4096, 4, ... 01929 936 NtWaitForSingleObject (120, 0, 0x0, ... 01930 584 NtSetEventBoostPriority (120, ... 01931 944 NtRegisterThreadTerminatePort (24, ... 01932 880 NtWaitForSingleObject (120, 0, 0x0, ... 01933 928 NtWaitForSingleObject (404, 0, 0x0, ... 01880 916 NtWaitForSingleObject ... ) == 0x0 01930 584 NtSetEventBoostPriority ... ) == 0x0 01931 944 NtRegisterThreadTerminatePort ... ) == 0x0 01934 916 NtSetEventBoostPriority (120, ... 01928 564 NtAllocateVirtualMemory ... 91676672, 8192, ) == 0x0 01935 584 NtSetEventBoostPriority (404, ... 01889 920 NtWaitForSingleObject ... ) == 0x0 01936 564 NtProtectVirtualMemory (-1, (0x576e000), 4096, 260, ... 01835 872 NtWaitForSingleObject ... ) == 0x0 01935 584 NtSetEventBoostPriority ... ) == 0x0 01937 920 NtSetEventBoostPriority (120, ... 01938 872 NtWaitForSingleObject (120, 0, 0x0, ... 01936 564 NtProtectVirtualMemory ... (0x576e000), 4096, 4, ) == 0x0 01939 584 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 17890884, 67, ... }, 0x0, 0, 3, 3, 0, 17890884, 67, ... 01900 940 NtWaitForSingleObject ... ) == 0x0 01940 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01939 584 NtCreateFile ... 432, {status=0x0, info=0}, ) == 0x0 01941 940 NtSetEventBoostPriority (120, ... 01940 564 NtCreateThread ... 436, {556, 948}, ) == 0x0 01942 584 NtDeviceIoControlFile (432, 216, 0x0, 0x0, 0x1207b, (432, 216, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0(\1F\0\17\346\367w", 16, 16, ... , 16, 16, ... 01901 888 NtWaitForSingleObject ... ) == 0x0 01941 940 NtSetEventBoostPriority ... ) == 0x0 01943 564 NtQueryInformationThread (436, Basic, 28, ... 01944 888 NtSetEventBoostPriority (120, ... 01942 584 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\270X\21\201", ) , ) == 0x0 01945 940 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01937 920 NtSetEventBoostPriority ... ) == 0x0 01934 916 NtSetEventBoostPriority ... ) == 0x0 01946 944 NtWaitForSingleObject (120, 0, 0x0, ... 01902 932 NtWaitForSingleObject ... ) == 0x0 01944 888 NtSetEventBoostPriority ... ) == 0x0 01943 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=556,Tid=948,}, 0x0, ) == 0x0 01947 584 NtDeviceIoControlFile (432, 216, 0x0, 0x0, 0x1207b, (432, 216, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\270X\21\201", 16, 16, ... , 16, 16, ... 01948 920 NtWaitForSingleObject (120, 0, 0x0, ... 01949 916 NtWaitForSingleObject (404, 0, 0x0, ... 01950 932 NtSetEventBoostPriority (120, ... 01945 940 NtDuplicateObject ... 440, ) == 0x0 01951 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1562, 0} (24, {28, 56, new_msg, 0, 556, 564, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\1\0\0,\2\0\0\264\3\0\0" ... ... 01947 584 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\270X\21\201", ) , ) == 0x0 01905 924 NtWaitForSingleObject ... ) == 0x0 01950 932 NtSetEventBoostPriority ... ) == 0x0 01952 940 NtWaitForSingleObject (120, 0, 0x0, ... 01951 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1563, 0} ... {28, 56, reply, 0, 556, 564, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\264\1\0\0,\2\0\0\264\3\0\0" ) ) == 0x0 01953 924 NtSetEventBoostPriority (120, ... 01954 584 NtDeviceIoControlFile (432, 216, 0x0, 0x0, 0x12047, (432, 216, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\370%F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 16, ... , 248, 16, ... 
01955 888 NtWaitForSingleObject (120, 0, 0x0, ... 01909 904 NtWaitForSingleObject ... ) == 0x0 01956 564 NtResumeThread (436, ... 01954 584 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 01957 904 NtSetEventBoostPriority (120, ... 01956 564 NtResumeThread ... 1, ) == 0x0 01958 584 NtWaitForSingleObject (120, 0, 0x0, ... 01912 636 NtWaitForSingleObject ... ) == 0x0 01957 904 NtSetEventBoostPriority ... ) == 0x0 01953 924 NtSetEventBoostPriority ... ) == 0x0 01959 932 NtWaitForSingleObject (404, 0, 0x0, ... 01960 948 NtTestAlert (... 01961 636 NtSetEventBoostPriority (120, ... 01962 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 01963 924 NtWaitForSingleObject (404, 0, 0x0, ... 01929 936 NtWaitForSingleObject ... ) == 0x0 01961 636 NtSetEventBoostPriority ... ) == 0x0 01960 948 NtTestAlert ... ) == 0x0 01962 564 NtAllocateVirtualMemory ... 91684864, 2097152, ) == 0x0 01964 936 NtSetEventBoostPriority (120, ... 01965 636 NtWaitForSingleObject (404, 0, 0x0, ... 01966 948 NtContinue (91684144, 1, ... 01932 880 NtWaitForSingleObject ... ) == 0x0 01964 936 NtSetEventBoostPriority ... ) == 0x0 01967 564 NtAllocateVirtualMemory (-1, 93773824, 0, 8192, 4096, 4, ... 01968 904 NtWaitForSingleObject (404, 0, 0x0, ... 01969 880 NtSetEventBoostPriority (120, ... 01970 948 NtRegisterThreadTerminatePort (24, ... 01967 564 NtAllocateVirtualMemory ... 93773824, 8192, ) == 0x0 01938 872 NtWaitForSingleObject ... ) == 0x0 01969 880 NtSetEventBoostPriority ... ) == 0x0 01970 948 NtRegisterThreadTerminatePort ... ) == 0x0 01971 872 NtSetEventBoostPriority (120, ... 01972 564 NtProtectVirtualMemory (-1, (0x596e000), 4096, 260, ... 01973 880 NtWaitForSingleObject (404, 0, 0x0, ... 01974 936 NtWaitForSingleObject (404, 0, 0x0, ... 01946 944 NtWaitForSingleObject ... ) == 0x0 01971 872 NtSetEventBoostPriority ... ) == 0x0 01972 564 NtProtectVirtualMemory ... (0x596e000), 4096, 4, ) == 0x0 01975 948 NtWaitForSingleObject (120, 0, 0x0, ... 
01976 944 NtSetEventBoostPriority (120, ... 01977 872 NtSetEventBoostPriority (404, ... 01948 920 NtWaitForSingleObject ... ) == 0x0 01976 944 NtSetEventBoostPriority ... ) == 0x0 01978 920 NtSetEventBoostPriority (120, ... 01843 856 NtWaitForSingleObject ... ) == 0x0 01977 872 NtSetEventBoostPriority ... ) == 0x0 01952 940 NtWaitForSingleObject ... ) == 0x0 01979 856 NtWaitForSingleObject (120, 0, 0x0, ... 01978 920 NtSetEventBoostPriority ... ) == 0x0 01980 944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01981 940 NtSetEventBoostPriority (120, ... 01982 872 NtWaitForSingleObject (108, 0, {0, 0}, ... 01983 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 01984 920 NtWaitForSingleObject (404, 0, 0x0, ... 01955 888 NtWaitForSingleObject ... ) == 0x0 01981 940 NtSetEventBoostPriority ... ) == 0x0 01982 872 NtWaitForSingleObject ... ) == 0x102 01983 564 NtCreateThread ... 444, {556, 952}, ) == 0x0 01985 888 NtSetEventBoostPriority (120, ... 01980 944 NtDuplicateObject ... 448, ) == 0x0 01986 872 NtWaitForSingleObject (172, 0, 0x0, ... 01958 584 NtWaitForSingleObject ... ) == 0x0 01985 888 NtSetEventBoostPriority ... ) == 0x0 01987 564 NtQueryInformationThread (444, Basic, 28, ... 01988 944 NtWaitForSingleObject (120, 0, 0x0, ... 01989 940 NtWaitForSingleObject (404, 0, 0x0, ... 01990 584 NtSetEventBoostPriority (120, ... 01991 888 NtWaitForSingleObject (404, 0, 0x0, ... 01987 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=556,Tid=952,}, 0x0, ) == 0x0 01975 948 NtWaitForSingleObject ... ) == 0x0 01990 584 NtSetEventBoostPriority ... ) == 0x0 01992 948 NtSetEventBoostPriority (120, ... 01993 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1563, 0} (24, {28, 56, new_msg, 0, 556, 564, 1563, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0,\2\0\0\270\3\0\0" ... ... 01979 856 NtWaitForSingleObject ... ) == 0x0 01992 948 NtSetEventBoostPriority ... ) == 0x0 01994 856 NtSetEventBoostPriority (120, ... 
01988 944 NtWaitForSingleObject ... ) == 0x0 01995 944 NtWaitForSingleObject (404, 0, 0x0, ... 01994 856 NtSetEventBoostPriority ... ) == 0x0 01996 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01997 584 NtWaitForSingleObject (100, 0, {0, 0}, ... 01993 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1564, 0} ... {28, 56, reply, 0, 556, 564, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\274\1\0\0,\2\0\0\270\3\0\0" ) ) == 0x0 01998 856 NtSetEventBoostPriority (404, ... 01997 584 NtWaitForSingleObject ... ) == 0x102 01999 564 NtResumeThread (444, ... 01876 860 NtWaitForSingleObject ... ) == 0x0 01998 856 NtSetEventBoostPriority ... ) == 0x0 02000 584 NtDeviceIoControlFile (432, 216, 0x0, 0x0, 0x12003, (432, 216, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02001 860 NtSetEventBoostPriority (404, ... 01999 564 NtResumeThread ... 1, ) == 0x0 02002 856 NtWaitForSingleObject (108, 0, {0, 0}, ... 01878 884 NtWaitForSingleObject ... ) == 0x0 02001 860 NtSetEventBoostPriority ... ) == 0x0 02000 584 NtDeviceIoControlFile ... {status=0x0, info=452}, ... {status=0x0, info=452}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02003 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02004 884 NtSetEventBoostPriority (404, ... 02002 856 NtWaitForSingleObject ... ) == 0x102 02005 860 NtWaitForSingleObject (108, 0, {0, 0}, ... 
02006 584 NtDeviceIoControlFile (432, 216, 0x0, 0x0, 0x12047, (432, 216, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01886 864 NtWaitForSingleObject ... ) == 0x0 02004 884 NtSetEventBoostPriority ... ) == 0x0 02003 564 NtAllocateVirtualMemory ... 93782016, 2097152, ) == 0x0 02007 856 NtWaitForSingleObject (172, 0, 0x0, ... 01996 948 NtDuplicateObject ... 456, ) == 0x0 02008 952 NtTestAlert (... 02005 860 NtWaitForSingleObject ... ) == 0x102 02009 864 NtSetEventBoostPriority (404, ... 02006 584 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02010 564 NtAllocateVirtualMemory (-1, 95870976, 0, 8192, 4096, 4, ... 02011 884 NtWaitForSingleObject (108, 0, {0, 0}, ... 02012 948 NtWaitForSingleObject (404, 0, 0x0, ... 02008 952 NtTestAlert ... ) == 0x0 01906 572 NtWaitForSingleObject ... ) == 0x0 02009 864 NtSetEventBoostPriority ... ) == 0x0 02013 860 NtWaitForSingleObject (172, 0, 0x0, ... 02014 584 NtDeviceIoControlFile (432, 216, 0x0, 0x0, 0x1200b, (432, 216, 0x0, 0x0, 0x1200b, "\0\21\252q\5\0\0\0\0\0\0\0", 12, 0, ... , 12, 0, ... 02011 884 NtWaitForSingleObject ... ) == 0x102 02015 572 NtSetEventBoostPriority (404, ... 02016 952 NtContinue (93781296, 1, ... 02017 864 NtWaitForSingleObject (108, 0, {0, 0}, ... 02014 584 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01916 868 NtWaitForSingleObject ... ) == 0x0 02015 572 NtSetEventBoostPriority ... ) == 0x0 02018 884 NtWaitForSingleObject (172, 0, 0x0, ... 02019 952 NtRegisterThreadTerminatePort (24, ... 
02010 564 NtAllocateVirtualMemory ... 95870976, 8192, ) == 0x0 02020 868 NtSetEventBoostPriority (404, ... 02021 584 NtDeviceIoControlFile (432, 216, 0x0, 0x0, 0x12047, (432, 216, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0e\0t\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0n\0t\0r\0o\0l\0S\0e\0t\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0s\0\\0T\0c\0p\0i\0p\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02017 864 NtWaitForSingleObject ... ) == 0x102 02019 952 NtRegisterThreadTerminatePort ... ) == 0x0 01918 908 NtWaitForSingleObject ... ) == 0x0 02020 868 NtSetEventBoostPriority ... ) == 0x0 02022 564 NtProtectVirtualMemory (-1, (0x5b6e000), 4096, 260, ... 02021 584 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02023 864 NtWaitForSingleObject (172, 0, 0x0, ... 02024 572 NtUserSetProp (131252, 43288, 13194296, ... 02025 908 NtSetEventBoostPriority (404, ... 02026 868 NtWaitForSingleObject (108, 0, {0, 0}, ... 02022 564 NtProtectVirtualMemory ... (0x5b6e000), 4096, 4, ) == 0x0 02027 584 NtDeviceIoControlFile (432, 216, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 01921 876 NtWaitForSingleObject ... ) == 0x0 02025 908 NtSetEventBoostPriority ... ) == 0x0 02024 572 NtUserSetProp ... ) == 0x1 02028 952 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02029 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02026 868 NtWaitForSingleObject ... ) == 0x102 02030 876 NtSetEventBoostPriority (404, ... 02027 584 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 02031 572 NtUserGetAncestor (131252, 1, ... 02028 952 NtDuplicateObject ... 460, ) == 0x0 02029 564 NtCreateThread ... 464, {556, 956}, ) == 0x0 01920 912 NtWaitForSingleObject ... 
) == 0x0 02030 876 NtSetEventBoostPriority ... ) == 0x0 02032 868 NtWaitForSingleObject (172, 0, 0x0, ... 02033 584 NtWaitForSingleObject (216, 1, {-5000000, -1}, ... 02031 572 NtUserGetAncestor ... ) == 0x10014 02034 952 NtAllocateVirtualMemory (-1, 4599808, 0, 4096, 4096, 4, ... 02035 912 NtWaitForSingleObject (120, 0, 0x0, ... 02036 564 NtQueryInformationThread (464, Basic, 28, ... 02037 876 NtWaitForSingleObject (108, 0, {0, 0}, ... 02038 572 NtUserSetWindowPos (131252, 0, 0, 0, 123, 34, 1047, ... 02034 952 NtAllocateVirtualMemory ... 4599808, 4096, ) == 0x0 02039 908 NtWaitForSingleObject (108, 0, {0, 0}, ... 02036 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=556,Tid=956,}, 0x0, ) == 0x0 02040 952 NtSetEventBoostPriority (120, ... 02039 908 NtWaitForSingleObject ... ) == 0x102 02041 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1564, 0} (24, {28, 56, new_msg, 0, 556, 564, 1564, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0,\2\0\0\274\3\0\0" ... ... 02035 912 NtWaitForSingleObject ... ) == 0x0 02040 952 NtSetEventBoostPriority ... ) == 0x0 02042 908 NtWaitForSingleObject (120, 0, 0x0, ... 02043 912 NtSetEventBoostPriority (120, ... 02041 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1565, 0} ... {28, 56, reply, 0, 556, 564, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\320\1\0\0,\2\0\0\274\3\0\0" ) ) == 0x0 02037 876 NtWaitForSingleObject ... ) == 0x102 02038 572 NtUserSetWindowPos ... ) == 0x1 02043 912 NtSetEventBoostPriority ... ) == 0x0 02042 908 NtWaitForSingleObject ... ) == 0x0 02044 564 NtResumeThread (464, ... 02045 876 NtWaitForSingleObject (120, 0, 0x0, ... 00987 572 NtUserCreateWindowEx ... ) == 0x200b4 02046 952 NtWaitForSingleObject (120, 0, 0x0, ... 02047 912 NtSetEventBoostPriority (404, ... 02044 564 NtResumeThread ... 1, ) == 0x0 01933 928 NtWaitForSingleObject ... ) == 0x0 02047 912 NtSetEventBoostPriority ... ) == 0x0 02048 908 NtSetEventBoostPriority (120, ... 
02049 956 NtTestAlert (... 02050 928 NtWaitForSingleObject (120, 0, 0x0, ... 02051 912 NtWaitForSingleObject (108, 0, {0, 0}, ... 02045 876 NtWaitForSingleObject ... ) == 0x0 02048 908 NtSetEventBoostPriority ... ) == 0x0 02049 956 NtTestAlert ... ) == 0x0 02052 876 NtSetEventBoostPriority (120, ... 02051 912 NtWaitForSingleObject ... ) == 0x102 02053 908 NtWaitForSingleObject (172, 0, 0x0, ... 02046 952 NtWaitForSingleObject ... ) == 0x0 02052 876 NtSetEventBoostPriority ... ) == 0x0 02054 956 NtContinue (95878448, 1, ... 02055 912 NtWaitForSingleObject (172, 0, 0x0, ... 02056 952 NtSetEventBoostPriority (120, ... 02057 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02058 956 NtRegisterThreadTerminatePort (24, ... 02059 876 NtWaitForSingleObject (172, 0, 0x0, ... 02050 928 NtWaitForSingleObject ... ) == 0x0 02056 952 NtSetEventBoostPriority ... ) == 0x0 02057 564 NtAllocateVirtualMemory ... 95879168, 2097152, ) == 0x0 02058 956 NtRegisterThreadTerminatePort ... ) == 0x0 02060 928 NtSetEventBoostPriority (404, ... 02061 952 NtWaitForSingleObject (404, 0, 0x0, ... 02062 564 NtAllocateVirtualMemory (-1, 97968128, 0, 8192, 4096, 4, ... 01949 916 NtWaitForSingleObject ... ) == 0x0 02060 928 NtSetEventBoostPriority ... ) == 0x0 02063 956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02064 916 NtSetEventBoostPriority (404, ... 02062 564 NtAllocateVirtualMemory ... 97968128, 8192, ) == 0x0 01959 932 NtWaitForSingleObject ... ) == 0x0 02064 916 NtSetEventBoostPriority ... ) == 0x0 02063 956 NtDuplicateObject ... 468, ) == 0x0 02065 932 NtSetEventBoostPriority (404, ... 02066 564 NtProtectVirtualMemory (-1, (0x5d6e000), 4096, 260, ... 02067 928 NtWaitForSingleObject (108, 0, {0, 0}, ... 01963 924 NtWaitForSingleObject ... ) == 0x0 02065 932 NtSetEventBoostPriority ... ) == 0x0 02068 956 NtWaitForSingleObject (404, 0, 0x0, ... 02066 564 NtProtectVirtualMemory ... (0x5d6e000), 4096, 4, ) == 0x0 02069 924 NtSetEventBoostPriority (404, ... 
02067 928 NtWaitForSingleObject ... ) == 0x102 02070 932 NtWaitForSingleObject (108, 0, {0, 0}, ... 02071 916 NtWaitForSingleObject (108, 0, {0, 0}, ... 01965 636 NtWaitForSingleObject ... ) == 0x0 02069 924 NtSetEventBoostPriority ... ) == 0x0 02072 928 NtWaitForSingleObject (172, 0, 0x0, ... 02073 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02074 636 NtSetEventBoostPriority (404, ... 02071 916 NtWaitForSingleObject ... ) == 0x102 02070 932 NtWaitForSingleObject ... ) == 0x102 01968 904 NtWaitForSingleObject ... ) == 0x0 02073 564 NtCreateThread ... 472, {556, 980}, ) == 0x0 02075 916 NtWaitForSingleObject (172, 0, 0x0, ... 02076 932 NtWaitForSingleObject (172, 0, 0x0, ... 02077 904 NtSetEventBoostPriority (404, ... 02078 564 NtQueryInformationThread (472, Basic, 28, ... 01974 936 NtWaitForSingleObject ... ) == 0x0 02077 904 NtSetEventBoostPriority ... ) == 0x0 02079 936 NtSetEventBoostPriority (404, ... 02078 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=556,Tid=980,}, 0x0, ) == 0x0 01973 880 NtWaitForSingleObject ... ) == 0x0 02079 936 NtSetEventBoostPriority ... ) == 0x0 02080 904 NtWaitForSingleObject (108, 0, {0, 0}, ... 02081 880 NtSetEventBoostPriority (404, ... 02082 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1565, 0} (24, {28, 56, new_msg, 0, 556, 564, 1565, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0,\2\0\0\324\3\0\0" ... ... 02083 936 NtWaitForSingleObject (108, 0, {0, 0}, ... 02074 636 NtSetEventBoostPriority ... ) == 0x0 02084 924 NtWaitForSingleObject (108, 0, {0, 0}, ... 01984 920 NtWaitForSingleObject ... ) == 0x0 02082 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1566, 0} ... {28, 56, reply, 0, 556, 564, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\330\1\0\0,\2\0\0\324\3\0\0" ) ) == 0x0 02081 880 NtSetEventBoostPriority ... ) == 0x0 02080 904 NtWaitForSingleObject ... ) == 0x102 02085 636 NtWaitForSingleObject (404, 0, 0x0, ... 02084 924 NtWaitForSingleObject ... 
) == 0x102 02086 920 NtSetEventBoostPriority (404, ... 02087 564 NtResumeThread (472, ... 02088 880 NtWaitForSingleObject (108, 0, {0, 0}, ... 02089 904 NtWaitForSingleObject (172, 0, 0x0, ... 02090 924 NtWaitForSingleObject (172, 0, 0x0, ... 01989 940 NtWaitForSingleObject ... ) == 0x0 02086 920 NtSetEventBoostPriority ... ) == 0x0 02087 564 NtResumeThread ... 1, ) == 0x0 02091 940 NtSetEventBoostPriority (404, ... 02092 920 NtWaitForSingleObject (108, 0, {0, 0}, ... 01991 888 NtWaitForSingleObject ... ) == 0x0 02091 940 NtSetEventBoostPriority ... ) == 0x0 02093 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02083 936 NtWaitForSingleObject ... ) == 0x102 02094 980 NtTestAlert (... 02088 880 NtWaitForSingleObject ... ) == 0x102 02095 888 NtSetEventBoostPriority (404, ... 02096 940 NtWaitForSingleObject (108, 0, {0, 0}, ... 02093 564 NtAllocateVirtualMemory ... 97976320, 2097152, ) == 0x0 02097 936 NtWaitForSingleObject (172, 0, 0x0, ... 02094 980 NtTestAlert ... ) == 0x0 01995 944 NtWaitForSingleObject ... ) == 0x0 02098 880 NtWaitForSingleObject (172, 0, 0x0, ... 02095 888 NtSetEventBoostPriority ... ) == 0x0 02092 920 NtWaitForSingleObject ... ) == 0x102 02099 564 NtAllocateVirtualMemory (-1, 100065280, 0, 8192, 4096, 4, ... 02100 944 NtSetEventBoostPriority (404, ... 02101 980 NtContinue (97975600, 1, ... 02102 888 NtWaitForSingleObject (108, 0, {0, 0}, ... 02103 920 NtWaitForSingleObject (172, 0, 0x0, ... 02096 940 NtWaitForSingleObject ... ) == 0x102 02012 948 NtWaitForSingleObject ... ) == 0x0 02100 944 NtSetEventBoostPriority ... ) == 0x0 02104 980 NtRegisterThreadTerminatePort (24, ... 02105 948 NtSetEventBoostPriority (404, ... 02106 940 NtWaitForSingleObject (172, 0, 0x0, ... 02099 564 NtAllocateVirtualMemory ... 100065280, 8192, ) == 0x0 02102 888 NtWaitForSingleObject ... ) == 0x102 02061 952 NtWaitForSingleObject ... ) == 0x0 02105 948 NtSetEventBoostPriority ... ) == 0x0 02104 980 NtRegisterThreadTerminatePort ... 
) == 0x0 02107 564 NtProtectVirtualMemory (-1, (0x5f6e000), 4096, 260, ... 02108 952 NtSetEventBoostPriority (404, ... 02109 888 NtWaitForSingleObject (172, 0, 0x0, ... 02110 944 NtWaitForSingleObject (108, 0, {0, 0}, ... 02111 948 NtWaitForSingleObject (108, 0, {0, 0}, ... 02068 956 NtWaitForSingleObject ... ) == 0x0 02107 564 NtProtectVirtualMemory ... (0x5f6e000), 4096, 4, ) == 0x0 02110 944 NtWaitForSingleObject ... ) == 0x102 02111 948 NtWaitForSingleObject ... ) == 0x102 02112 956 NtSetEventBoostPriority (404, ... 02113 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02114 944 NtWaitForSingleObject (172, 0, 0x0, ... 02115 948 NtWaitForSingleObject (172, 0, 0x0, ... 02085 636 NtWaitForSingleObject ... ) == 0x0 02112 956 NtSetEventBoostPriority ... ) == 0x0 02113 564 NtCreateThread ... 476, {556, 984}, ) == 0x0 02116 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02108 952 NtSetEventBoostPriority ... ) == 0x0 02117 980 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02116 636 NtCreateEvent ... 480, ) == 0x0 02118 564 NtQueryInformationThread (476, Basic, 28, ... 02119 952 NtWaitForSingleObject (108, 0, {0, 0}, ... 02117 980 NtDuplicateObject ... 484, ) == 0x0 02120 956 NtWaitForSingleObject (108, 0, {0, 0}, ... 02121 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02122 980 NtWaitForSingleObject (108, 0, {0, 0}, ... 02120 956 NtWaitForSingleObject ... ) == 0x102 02121 636 NtCreateEvent ... 488, ) == 0x0 02122 980 NtWaitForSingleObject ... ) == 0x102 02123 956 NtWaitForSingleObject (172, 0, 0x0, ... 02124 636 NtQuerySystemTime (... 02125 980 NtAllocateVirtualMemory (-1, 4603904, 0, 4096, 4096, 4, ... 02124 636 NtQuerySystemTime ... {957403398, 29882437}, ) == 0x0 02118 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=556,Tid=984,}, 0x0, ) == 0x0 02119 952 NtWaitForSingleObject ... ) == 0x102 02126 636 NtWaitForSingleObject (120, 0, 0x0, ... 
02127 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1566, 0} (24, {28, 56, new_msg, 0, 556, 564, 1566, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\1\0\0,\2\0\0\330\3\0\0" ... ... 02128 952 NtWaitForSingleObject (120, 0, 0x0, ... 02127 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1567, 0} ... {28, 56, reply, 0, 556, 564, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\334\1\0\0,\2\0\0\330\3\0\0" ) ) == 0x0 02129 564 NtResumeThread (476, ... 1, ) == 0x0 02130 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 100073472, 2097152, ) == 0x0 02131 564 NtAllocateVirtualMemory (-1, 102162432, 0, 8192, 4096, 4, ... 102162432, 8192, ) == 0x0 02132 564 NtProtectVirtualMemory (-1, (0x616e000), 4096, 260, ... (0x616e000), 4096, 4, ) == 0x0 02125 980 NtAllocateVirtualMemory ... 4603904, 4096, ) == 0x0 02133 984 NtTestAlert (... 02134 980 NtSetEventBoostPriority (120, ... 02133 984 NtTestAlert ... ) == 0x0 02126 636 NtWaitForSingleObject ... ) == 0x0 02134 980 NtSetEventBoostPriority ... ) == 0x0 02135 636 NtSetEventBoostPriority (120, ... 02136 984 NtContinue (100072752, 1, ... 02128 952 NtWaitForSingleObject ... ) == 0x0 02135 636 NtSetEventBoostPriority ... ) == 0x0 02137 980 NtWaitForSingleObject (172, 0, 0x0, ... 02138 952 NtWaitForSingleObject (172, 0, 0x0, ... 02139 984 NtRegisterThreadTerminatePort (24, ... 02140 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02139 984 NtRegisterThreadTerminatePort ... ) == 0x0 02140 564 NtCreateThread ... 492, {556, 1004}, ) == 0x0 02141 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02142 564 NtQueryInformationThread (492, Basic, 28, ... 02141 636 NtCreateEvent ... 496, ) == 0x0 02142 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=556,Tid=1004,}, 0x0, ) == 0x0 02143 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 
02144 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1567, 0} (24, {28, 56, new_msg, 0, 556, 564, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0,\2\0\0\354\3\0\0" ... ... 02143 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02145 636 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 02146 636 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 02147 636 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 02148 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 500, ) == 0x0 02149 984 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02144 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1568, 0} ... {28, 56, reply, 0, 556, 564, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\354\1\0\0,\2\0\0\354\3\0\0" ) ) == 0x0 02149 984 NtDuplicateObject ... 504, ) == 0x0 02150 564 NtResumeThread (492, ... 02151 984 NtWaitForSingleObject (108, 0, {0, 0}, ... 02150 564 NtResumeThread ... 1, ) == 0x0 02151 984 NtWaitForSingleObject ... ) == 0x102 02152 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02153 984 NtWaitForSingleObject (172, 0, 0x0, ... 02152 564 NtAllocateVirtualMemory ... 102170624, 2097152, ) == 0x0 02154 636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02155 1004 NtTestAlert (... 02156 564 NtAllocateVirtualMemory (-1, 104259584, 0, 8192, 4096, 4, ... 02154 636 NtDuplicateObject ... 508, ) == 0x0 02155 1004 NtTestAlert ... ) == 0x0 02157 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02158 1004 NtContinue (102169904, 1, ... 02157 636 NtCreateEvent ... 512, ) == 0x0 02159 1004 NtRegisterThreadTerminatePort (24, ... 02160 636 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 26275452, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 26275452, 112, ... 02159 1004 NtRegisterThreadTerminatePort ... ) == 0x0 02156 564 NtAllocateVirtualMemory ... 
104259584, 8192, ) == 0x0 02161 564 NtProtectVirtualMemory (-1, (0x636e000), 4096, 260, ... (0x636e000), 4096, 4, ) == 0x0 02162 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 516, {556, 1008}, ) == 0x0 02163 564 NtQueryInformationThread (516, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=556,Tid=1008,}, 0x0, ) == 0x0 02164 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1568, 0} (24, {28, 56, new_msg, 0, 556, 564, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0,\2\0\0\360\3\0\0" ... {28, 56, reply, 0, 556, 564, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0,\2\0\0\360\3\0\0" ) ... {28, 56, reply, 0, 556, 564, 1570, 0} (24, {28, 56, new_msg, 0, 556, 564, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0,\2\0\0\360\3\0\0" ... {28, 56, reply, 0, 556, 564, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\4\2\0\0,\2\0\0\360\3\0\0" ) ) == 0x0 02165 564 NtResumeThread (516, ... 1, ) == 0x0 02166 1004 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02160 636 NtConnectPort ... 520, 0x0, 0x0, 0x0, 112, ) == 0x0 02167 1008 NtTestAlert (... 02168 572 NtOpenThreadToken (-2, 0xc, 1, ... 02166 1004 NtDuplicateObject ... 524, ) == 0x0 02169 636 NtRequestWaitReplyPort (520, {128, 152, new_msg, 0, 4521984, 126032, 4521984, 26275216} (520, {128, 152, new_msg, 0, 4521984, 126032, 4521984, 26275216} "\0$\370w@\364\220\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\10JF\0\4\0\0\0\10JF\0\20\344\314w\10JF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1E\0\0\0\0\0\260IF\0\30HF\0\210IF\0\0\0\0\0\0\0\0\0\0\0\0\0\260IF\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02167 1008 NtTestAlert ... ) == 0x0 02168 572 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 02170 1004 NtWaitForSingleObject (108, 0, {0, 0}, ... 02171 1008 NtContinue (104267056, 1, ... 02172 572 NtCreateSemaphore (0x1f0003, {24, 32, 0x80, 4606736, 0, (0x1f0003, {24, 32, 0x80, 4606736, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... }, 0, 2147483647, ... 
02170 1004 NtWaitForSingleObject ... ) == 0x102 02173 1008 NtRegisterThreadTerminatePort (24, ... 02172 572 NtCreateSemaphore ... 528, ) == STATUS_OBJECT_NAME_EXISTS 02174 1004 NtWaitForSingleObject (172, 0, 0x0, ... 02173 1008 NtRegisterThreadTerminatePort ... ) == 0x0 02175 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02169 636 NtRequestWaitReplyPort ... {128, 152, reply, 0, 556, 636, 1571, 0} ... {128, 152, reply, 0, 556, 636, 1571, 0} "\7$\370w@\364\220\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\10JF\0\377\377\377\377\10JF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0x\1E\0\0\0\0\0\260IF\0\30HF\0\210IF\0\0\0\0\0\0\0\0\0\0\0\0\0\260IF\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02176 572 NtReleaseSemaphore (528, 1, ... 02175 564 NtAllocateVirtualMemory ... 104267776, 2097152, ) == 0x0 02177 636 NtRequestWaitReplyPort (520, {64, 88, new_msg, 0, 0, 0, 0, 0} (520, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02176 572 NtReleaseSemaphore ... 0, ) == 0x0 02178 564 NtAllocateVirtualMemory (-1, 106356736, 0, 8192, 4096, 4, ... 02179 572 NtWaitForSingleObject (528, 0, {0, 0}, ... 02178 564 NtAllocateVirtualMemory ... 106356736, 8192, ) == 0x0 02179 572 NtWaitForSingleObject ... ) == 0x0 02180 564 NtProtectVirtualMemory (-1, (0x656e000), 4096, 260, ... 02181 572 NtCreateKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02180 564 NtProtectVirtualMemory ... (0x656e000), 4096, 4, ) == 0x0 02182 1008 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02177 636 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 636, 1572, 0} ... 
{52, 76, reply, 0, 556, 636, 1572, 0} "\2\200\372\177\1\00\300\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02181 572 NtCreateKey ... 532, 2, ) == 0x0 02182 1008 NtDuplicateObject ... 536, ) == 0x0 02183 636 NtClose (512, ... 02184 572 NtQueryValueKey (532, (532, "Programs", Partial, 144, ... , Partial, 144, ... 02185 1008 NtWaitForSingleObject (108, 0, {0, 0}, ... 02183 636 NtClose ... ) == 0x0 02184 572 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0"}, 80, ) }, 80, ) == 0x0 02185 1008 NtWaitForSingleObject ... ) == 0x102 02186 636 NtClose (520, ... 02187 572 NtClose (532, ... 02188 1008 NtWaitForSingleObject (172, 0, 0x0, ... 02186 636 NtClose ... ) == 0x0 02187 572 NtClose ... ) == 0x0 02189 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02190 636 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02191 572 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs"}, 8714164, ... }, 8714164, ... 02189 564 NtCreateThread ... 532, {556, 1016}, ) == 0x0 02190 636 NtCreateKey ... 520, 2, ) == 0x0 02192 564 NtQueryInformationThread (532, Basic, 28, ... 02193 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02192 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=556,Tid=1016,}, 0x0, ) == 0x0 02193 636 NtOpenKey ... 
512, ) == 0x0 02194 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1570, 0} (24, {28, 56, new_msg, 0, 556, 564, 1570, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0,\2\0\0\370\3\0\0" ... ... 02195 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02196 636 NtQueryValueKey (520, (520, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (520, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02197 636 NtQueryValueKey (520, (520, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (520, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02198 636 NtClose (520, ... ) == 0x0 02199 636 NtClose (512, ... 02191 572 NtQueryAttributesFile ... ) == 0x0 02194 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1574, 0} ... {28, 56, reply, 0, 556, 564, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\24\2\0\0,\2\0\0\370\3\0\0" ) ) == 0x0 02200 572 NtCreateKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02201 564 NtResumeThread (532, ... 02200 572 NtCreateKey ... 520, 2, ) == 0x0 02201 564 NtResumeThread ... 1, ) == 0x0 02202 572 NtSetValueKey (520, (520, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... 
, 0, 1, (520, "Programs", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\0\0", 110, ... , 110, ... 02203 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02202 572 NtSetValueKey ... ) == 0x0 02203 564 NtAllocateVirtualMemory ... 106364928, 2097152, ) == 0x0 02204 572 NtClose (520, ... 02205 564 NtAllocateVirtualMemory (-1, 108453888, 0, 8192, 4096, 4, ... 02199 636 NtClose ... ) == 0x0 02206 1016 NtTestAlert (... 02204 572 NtClose ... ) == 0x0 02207 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02206 1016 NtTestAlert ... ) == 0x0 02208 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\"}, 3, 16417, ... }, 3, 16417, ... 02207 636 NtCreateEvent ... 520, ) == 0x0 02209 1016 NtContinue (106364208, 1, ... 02208 572 NtOpenFile ... 512, {status=0x0, info=1}, ) == 0x0 02210 636 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 26275316, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 26275316, 112, ... 02211 1016 NtRegisterThreadTerminatePort (24, ... 02212 572 NtQueryDirectoryFile (512, 0, 0, 0, 8713580, 616, BothDirectory, 1, (512, 0, 0, 0, 8713580, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02211 1016 NtRegisterThreadTerminatePort ... ) == 0x0 02212 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02210 636 NtConnectPort ... 540, 0x0, 0x0, 0x0, 112, ) == 0x0 02205 564 NtAllocateVirtualMemory ... 108453888, 8192, ) == 0x0 02213 572 NtAllocateVirtualMemory (-1, 4608000, 0, 8192, 4096, 4, ... 02214 1016 NtWaitForSingleObject (120, 0, 0x0, ... 02215 564 NtProtectVirtualMemory (-1, (0x676e000), 4096, 260, ... 
02216 636 NtRequestWaitReplyPort (540, {128, 152, new_msg, 0, 4521984, 125896, 4521984, 26275080} (540, {128, 152, new_msg, 0, 4521984, 125896, 4521984, 26275080} "\0$\370w\270\363\220\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\10JF\0\4\0\0\0\10JF\0\20\344\314w\10JF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\370GF\0\0\0\0\00OF\0?\360\367w\221\337\314w\0\0\0\0\0\0\220\1\364\356\220\00OF\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02215 564 NtProtectVirtualMemory ... (0x676e000), 4096, 4, ) == 0x0 02217 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 544, {556, 992}, ) == 0x0 02218 564 NtQueryInformationThread (544, Basic, 28, ... 02216 636 NtRequestWaitReplyPort ... {128, 152, reply, 0, 556, 636, 1576, 0} ... {128, 152, reply, 0, 556, 636, 1576, 0} "\7$\370w\270\363\220\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\10JF\0\377\377\377\377\10JF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\370GF\0\0\0\0\00OF\0?\360\367w\221\337\314w\0\0\0\0\0\0\220\1\364\356\220\00OF\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02213 572 NtAllocateVirtualMemory ... 4608000, 8192, ) == 0x0 02219 636 NtRequestWaitReplyPort (540, {44, 68, new_msg, 0, 556, 636, 1572, 0} (540, {44, 68, new_msg, 0, 556, 636, 1572, 0} "\1\200\0\0A\2\4\0\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 02220 572 NtSetEventBoostPriority (120, ... 02214 1016 NtWaitForSingleObject ... ) == 0x0 02221 1016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 548, ) == 0x0 02222 1016 NtWaitForSingleObject (108, 0, {0, 0}, ... 02220 572 NtSetEventBoostPriority ... ) == 0x0 02218 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=556,Tid=992,}, 0x0, ) == 0x0 02219 636 NtRequestWaitReplyPort ... {40, 64, reply, 0, 556, 636, 1577, 0} ... 
{40, 64, reply, 0, 556, 636, 1577, 0} "\2\200\372\177\4\00\300\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 02223 572 NtQueryDirectoryFile (512, 0, 0, 0, 4607920, 4096, BothDirectory, 0, 0x0, 0, ... 02224 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1574, 0} (24, {28, 56, new_msg, 0, 556, 564, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0,\2\0\0\340\3\0\0" ... ... 02222 1016 NtWaitForSingleObject ... ) == 0x102 02223 572 NtQueryDirectoryFile ... {status=0x0, info=1118}, ) == 0x0 02224 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1578, 0} ... {28, 56, reply, 0, 556, 564, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \2\0\0,\2\0\0\340\3\0\0" ) ) == 0x0 02225 1016 NtWaitForSingleObject (172, 0, 0x0, ... 02226 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\"}, 3, 16417, ... }, 3, 16417, ... 02227 564 NtResumeThread (544, ... 02228 636 NtRequestWaitReplyPort (540, {64, 88, new_msg, 56, 0, 1, 0, 0} (540, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\357\220\1@\0\314w\30GF\0\274\357\220\1$\360\220\1\0\267\362v$\360\220\1\30GF\0\1\0\0\0`aF\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02227 564 NtResumeThread ... 1, ) == 0x0 02228 636 NtRequestWaitReplyPort ... {64, 88, reply, 56, 556, 636, 1579, 0} ... {64, 88, reply, 56, 556, 636, 1579, 0} "\10\357\220\1@\0\314w\30GF\0\274\357\220\1$\360\220\1\0\267\362v$\360\220\1\30GF\0\1\0\0\0`aF\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02226 572 NtOpenFile ... 552, {status=0x0, info=1}, ) == 0x0 02229 992 NtTestAlert (... 02230 636 NtClose (520, ... 02231 572 NtQueryDirectoryFile (552, 0, 0, 0, 8712936, 616, BothDirectory, 1, (552, 0, 0, 0, 8712936, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02229 992 NtTestAlert ... ) == 0x0 02230 636 NtClose ... ) == 0x0 02231 572 NtQueryDirectoryFile ... 
{status=0x0, info=96}, ) == 0x0 02232 992 NtContinue (108461360, 1, ... 02233 636 NtClose (540, ... 02234 572 NtAllocateVirtualMemory (-1, 4616192, 0, 8192, 4096, 4, ... 02235 992 NtRegisterThreadTerminatePort (24, ... 02236 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02234 572 NtAllocateVirtualMemory ... 4616192, 8192, ) == 0x0 02235 992 NtRegisterThreadTerminatePort ... ) == 0x0 02236 564 NtAllocateVirtualMemory ... 108462080, 2097152, ) == 0x0 02237 572 NtQueryDirectoryFile (552, 0, 0, 0, 4613416, 4096, BothDirectory, 0, 0x0, 0, ... 02233 636 NtClose ... ) == 0x0 02238 564 NtAllocateVirtualMemory (-1, 110551040, 0, 8192, 4096, 4, ... 02239 992 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02240 636 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02238 564 NtAllocateVirtualMemory ... 110551040, 8192, ) == 0x0 02239 992 NtDuplicateObject ... 540, ) == 0x0 02240 636 NtCreateKey ... 520, 2, ) == 0x0 02241 564 NtProtectVirtualMemory (-1, (0x696e000), 4096, 260, ... 02242 992 NtWaitForSingleObject (108, 0, {0, 0}, ... 02243 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02241 564 NtProtectVirtualMemory ... (0x696e000), 4096, 4, ) == 0x0 02242 992 NtWaitForSingleObject ... ) == 0x102 02243 636 NtOpenKey ... 556, ) == 0x0 02237 572 NtQueryDirectoryFile ... {status=0x0, info=1380}, ) == 0x0 02244 992 NtWaitForSingleObject (172, 0, 0x0, ... 02245 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 
02246 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\"}, 3, 16417, ... }, 3, 16417, ... 02247 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02246 572 NtOpenFile ... 560, {status=0x0, info=1}, ) == 0x0 02247 564 NtCreateThread ... 564, {556, 1024}, ) == 0x0 02248 572 NtQueryDirectoryFile (560, 0, 0, 0, 8712292, 616, BothDirectory, 1, (560, 0, 0, 0, 8712292, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02249 564 NtQueryInformationThread (564, Basic, 28, ... 02248 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02249 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=556,Tid=1024,}, 0x0, ) == 0x0 02250 572 NtQueryDirectoryFile (560, 0, 0, 0, 4618088, 4096, BothDirectory, 0, 0x0, 0, ... 02251 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1578, 0} (24, {28, 56, new_msg, 0, 556, 564, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\2\0\0,\2\0\0\0\4\0\0" ... ... 02245 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02252 636 NtQueryValueKey (520, (520, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (520, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02253 636 NtQueryValueKey (520, (520, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (520, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02254 636 NtClose (520, ... ) == 0x0 02255 636 NtClose (556, ... ) == 0x0 02256 636 NtOpenKey (0x1, {24, 36, 0x40, 0, 0, (0x1, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 556, ) }, ... 556, ) == 0x0 02257 636 NtQueryValueKey (556, (556, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 02250 572 NtQueryDirectoryFile ... 
{status=0x0, info=220}, ) == 0x0 02251 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1581, 0} ... {28, 56, reply, 0, 556, 564, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO4\2\0\0,\2\0\0\0\4\0\0" ) ) == 0x0 02258 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Entertainment\desktop.ini\"}, 3, 16417, ... }, 3, 16417, ... 02259 564 NtResumeThread (564, ... 02258 572 NtOpenFile ... ) == STATUS_NOT_A_DIRECTORY 02259 564 NtResumeThread ... 1, ) == 0x0 02260 572 NtQueryDirectoryFile (560, 0, 0, 0, 4618088, 4096, BothDirectory, 0, 0x0, 0, ... 02261 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02260 572 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 02261 564 NtAllocateVirtualMemory ... 110559232, 2097152, ) == 0x0 02262 572 NtDelayExecution (0, {-10000, -1}, ... 02263 564 NtAllocateVirtualMemory (-1, 112648192, 0, 8192, 4096, 4, ... 02257 636 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02264 1024 NtTestAlert (... 02265 636 NtClose (556, ... 02264 1024 NtTestAlert ... ) == 0x0 02265 636 NtClose ... ) == 0x0 02266 1024 NtContinue (110558512, 1, ... 02267 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 26274860, ... }, 26274860, ... 02268 1024 NtRegisterThreadTerminatePort (24, ... 02267 636 NtQueryAttributesFile ... ) == 0x0 02268 1024 NtRegisterThreadTerminatePort ... ) == 0x0 02269 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 02263 564 NtAllocateVirtualMemory ... 112648192, 8192, ) == 0x0 02270 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02271 564 NtProtectVirtualMemory (-1, (0x6b6e000), 4096, 260, ... 02270 1024 NtDuplicateObject ... 556, ) == 0x0 02271 564 NtProtectVirtualMemory ... (0x6b6e000), 4096, 4, ) == 0x0 02272 1024 NtWaitForSingleObject (108, 0, {0, 0}, ... 
02273 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02272 1024 NtWaitForSingleObject ... ) == 0x102 02273 564 NtCreateThread ... 520, {556, 1036}, ) == 0x0 02274 1024 NtWaitForSingleObject (172, 0, 0x0, ... 02275 564 NtQueryInformationThread (520, Basic, 28, ... 02269 636 NtOpenFile ... 568, {status=0x0, info=1}, ) == 0x0 02276 636 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 568, ... 572, ) == 0x0 02277 636 NtClose (568, ... ) == 0x0 02278 636 NtMapViewOfSection (572, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xef0000), 0x0, 16384, ) == 0x0 02279 636 NtClose (572, ... ) == 0x0 02280 636 NtUnmapViewOfSection (-1, 0xef0000, ... ) == 0x0 02281 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 26275176, ... }, 26275176, ... 02275 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=556,Tid=1036,}, 0x0, ) == 0x0 02282 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1581, 0} (24, {28, 56, new_msg, 0, 556, 564, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0,\2\0\0\14\4\0\0" ... {28, 56, reply, 0, 556, 564, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0,\2\0\0\14\4\0\0" ) ... {28, 56, reply, 0, 556, 564, 1582, 0} (24, {28, 56, new_msg, 0, 556, 564, 1581, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0,\2\0\0\14\4\0\0" ... {28, 56, reply, 0, 556, 564, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\10\2\0\0,\2\0\0\14\4\0\0" ) ) == 0x0 02283 564 NtResumeThread (520, ... 1, ) == 0x0 02284 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 112656384, 2097152, ) == 0x0 02285 564 NtAllocateVirtualMemory (-1, 114745344, 0, 8192, 4096, 4, ... 114745344, 8192, ) == 0x0 02286 564 NtProtectVirtualMemory (-1, (0x6d6e000), 4096, 260, ... (0x6d6e000), 4096, 4, ) == 0x0 02281 636 NtQueryAttributesFile ... ) == 0x0 02287 1036 NtWaitForSingleObject (40, 0, 0x0, ... 
02288 636 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 572, {status=0x0, info=1}, ) }, 5, 96, ... 572, {status=0x0, info=1}, ) == 0x0 02289 636 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 572, ... 568, ) == 0x0 02290 636 NtQuerySection (568, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02291 636 NtClose (572, ... ) == 0x0 02292 636 NtMapViewOfSection (568, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 02293 636 NtClose (568, ... 02294 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 572, {556, 1040}, ) == 0x0 02295 564 NtQueryInformationThread (572, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=556,Tid=1040,}, 0x0, ) == 0x0 02296 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1582, 0} (24, {28, 56, new_msg, 0, 556, 564, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0,\2\0\0\20\4\0\0" ... {28, 56, reply, 0, 556, 564, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0,\2\0\0\20\4\0\0" ) ... {28, 56, reply, 0, 556, 564, 1583, 0} (24, {28, 56, new_msg, 0, 556, 564, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0,\2\0\0\20\4\0\0" ... {28, 56, reply, 0, 556, 564, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO<\2\0\0,\2\0\0\20\4\0\0" ) ) == 0x0 02297 564 NtResumeThread (572, ... 1, ) == 0x0 02298 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 114753536, 2097152, ) == 0x0 02299 564 NtAllocateVirtualMemory (-1, 116842496, 0, 8192, 4096, 4, ... 02293 636 NtClose ... ) == 0x0 02300 1040 NtWaitForSingleObject (40, 0, 0x0, ... 02301 636 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 568, ) }, ... 568, ) == 0x0 02302 636 NtMapViewOfSection (568, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 02303 636 NtClose (568, ... ) == 0x0 02304 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
568, ) == 0x0 02305 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 576, ) }, ... 576, ) == 0x0 02306 636 NtQueryValueKey (576, (576, "LdapClientIntegrity", Partial, 144, ... , Partial, 144, ... 02299 564 NtAllocateVirtualMemory ... 116842496, 8192, ) == 0x0 02307 564 NtProtectVirtualMemory (-1, (0x6f6e000), 4096, 260, ... (0x6f6e000), 4096, 4, ) == 0x0 02308 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 580, {556, 1080}, ) == 0x0 02309 564 NtQueryInformationThread (580, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=556,Tid=1080,}, 0x0, ) == 0x0 02310 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1583, 0} (24, {28, 56, new_msg, 0, 556, 564, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0,\2\0\08\4\0\0" ... {28, 56, reply, 0, 556, 564, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0,\2\0\08\4\0\0" ) ... {28, 56, reply, 0, 556, 564, 1584, 0} (24, {28, 56, new_msg, 0, 556, 564, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0,\2\0\08\4\0\0" ... {28, 56, reply, 0, 556, 564, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\2\0\0,\2\0\08\4\0\0" ) ) == 0x0 02311 564 NtResumeThread (580, ... 1, ) == 0x0 02306 636 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02312 1080 NtWaitForSingleObject (40, 0, 0x0, ... 02313 636 NtClose (576, ... ) == 0x0 02314 636 NtSetEventBoostPriority (40, ... 02287 1036 NtWaitForSingleObject ... ) == 0x0 02315 1036 NtSetEventBoostPriority (40, ... 02300 1040 NtWaitForSingleObject ... ) == 0x0 02316 1040 NtSetEventBoostPriority (40, ... 02312 1080 NtWaitForSingleObject ... ) == 0x0 02317 1080 NtAllocateVirtualMemory (-1, 13197312, 0, 4096, 4096, 4, ... 13197312, 4096, ) == 0x0 02316 1040 NtSetEventBoostPriority ... ) == 0x0 02315 1036 NtSetEventBoostPriority ... ) == 0x0 02314 636 NtSetEventBoostPriority ... 
) == 0x0 02318 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02262 572 NtDelayExecution ... ) == 0x0 02319 1080 NtTestAlert (... 02320 1040 NtTestAlert (... 02321 636 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 26274860, ... }, 26274860, ... 02318 564 NtAllocateVirtualMemory ... 116850688, 2097152, ) == 0x0 02322 572 NtClose (560, ... 02319 1080 NtTestAlert ... ) == 0x0 02320 1040 NtTestAlert ... ) == 0x0 02323 1036 NtTestAlert (... 02324 564 NtAllocateVirtualMemory (-1, 118939648, 0, 8192, 4096, 4, ... 02322 572 NtClose ... ) == 0x0 02325 1080 NtContinue (116849968, 1, ... 02326 1040 NtContinue (114752816, 1, ... 02323 1036 NtTestAlert ... ) == 0x0 02324 564 NtAllocateVirtualMemory ... 118939648, 8192, ) == 0x0 02327 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Accessibility\"}, 3, 16417, ... }, 3, 16417, ... 02328 1080 NtRegisterThreadTerminatePort (24, ... 02329 1040 NtRegisterThreadTerminatePort (24, ... 02330 1036 NtContinue (112655664, 1, ... 02331 564 NtProtectVirtualMemory (-1, (0x716e000), 4096, 260, ... 02327 572 NtOpenFile ... 560, {status=0x0, info=1}, ) == 0x0 02328 1080 NtRegisterThreadTerminatePort ... ) == 0x0 02329 1040 NtRegisterThreadTerminatePort ... ) == 0x0 02332 1036 NtRegisterThreadTerminatePort (24, ... 02331 564 NtProtectVirtualMemory ... (0x716e000), 4096, 4, ) == 0x0 02321 636 NtQueryAttributesFile ... ) == 0x0 02333 1080 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02334 1040 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02332 1036 NtRegisterThreadTerminatePort ... ) == 0x0 02335 572 NtQueryDirectoryFile (560, 0, 0, 0, 8712292, 616, BothDirectory, 1, (560, 0, 0, 0, 8712292, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02336 636 NtQuerySystemInformation (Basic, 44, ... 02337 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
02333 1080 NtDuplicateObject ... 576, ) == 0x0 02338 1036 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02335 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02336 636 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02337 564 NtCreateThread ... 584, {556, 320}, ) == 0x0 02339 1080 NtWaitForSingleObject (108, 0, {0, 0}, ... 02334 1040 NtDuplicateObject ... 588, ) == 0x0 02340 572 NtQueryDirectoryFile (560, 0, 0, 0, 4618088, 4096, BothDirectory, 0, 0x0, 0, ... 02341 636 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 02342 564 NtQueryInformationThread (584, Basic, 28, ... 02339 1080 NtWaitForSingleObject ... ) == 0x102 02343 1040 NtWaitForSingleObject (108, 0, {0, 0}, ... 02340 572 NtQueryDirectoryFile ... {status=0x0, info=724}, ) == 0x0 02341 636 NtAllocateVirtualMemory ... 15663104, 65536, ) == 0x0 02342 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=556,Tid=320,}, 0x0, ) == 0x0 02344 1080 NtWaitForSingleObject (172, 0, 0x0, ... 02343 1040 NtWaitForSingleObject ... ) == 0x102 02345 572 NtAllocateVirtualMemory (-1, 8695808, 0, 4096, 4096, 260, ... 02346 636 NtAllocateVirtualMemory (-1, 15663104, 0, 4096, 4096, 4, ... 02347 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1584, 0} (24, {28, 56, new_msg, 0, 556, 564, 1584, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0,\2\0\0@\1\0\0" ... ... 02348 1040 NtWaitForSingleObject (172, 0, 0x0, ... 02345 572 NtAllocateVirtualMemory ... 8695808, 4096, ) == 0x0 02338 1036 NtDuplicateObject ... 592, ) == 0x0 02346 636 NtAllocateVirtualMemory ... 15663104, 4096, ) == 0x0 02347 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1585, 0} ... 
{28, 56, reply, 0, 556, 564, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOH\2\0\0,\2\0\0@\1\0\0" ) ) == 0x0 02349 1036 NtAllocateVirtualMemory (-1, 4624384, 0, 4096, 4096, 4, ... 02350 636 NtWaitForSingleObject (120, 0, 0x0, ... 02351 564 NtResumeThread (584, ... 02349 1036 NtAllocateVirtualMemory ... 4624384, 4096, ) == 0x0 02351 564 NtResumeThread ... 1, ) == 0x0 02352 1036 NtSetEventBoostPriority (120, ... 02353 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02350 636 NtWaitForSingleObject ... ) == 0x0 02352 1036 NtSetEventBoostPriority ... ) == 0x0 02354 636 NtAllocateVirtualMemory (-1, 15667200, 0, 8192, 4096, 4, ... 02353 564 NtAllocateVirtualMemory ... 118947840, 2097152, ) == 0x0 02354 636 NtAllocateVirtualMemory ... 15667200, 8192, ) == 0x0 02355 1036 NtWaitForSingleObject (108, 0, {0, 0}, ... 02356 564 NtAllocateVirtualMemory (-1, 121036800, 0, 8192, 4096, 4, ... 02357 572 NtAllocateVirtualMemory (-1, 8691712, 0, 4096, 4096, 260, ... 02358 320 NtTestAlert (... 02359 636 NtSetEventBoostPriority (172, ... 02355 1036 NtWaitForSingleObject ... ) == 0x102 02357 572 NtAllocateVirtualMemory ... 8691712, 4096, ) == 0x0 02358 320 NtTestAlert ... ) == 0x0 01173 596 NtWaitForSingleObject ... ) == 0x0 02359 636 NtSetEventBoostPriority ... ) == 0x0 02360 1036 NtWaitForSingleObject (172, 0, 0x0, ... 02361 572 NtAllocateVirtualMemory (-1, 8687616, 0, 4096, 4096, 260, ... 02362 596 NtSetEventBoostPriority (172, ... 02363 320 NtContinue (118947120, 1, ... 02364 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01179 588 NtWaitForSingleObject ... ) == 0x0 02362 596 NtSetEventBoostPriority ... ) == 0x0 02361 572 NtAllocateVirtualMemory ... 8687616, 4096, ) == 0x0 02365 320 NtRegisterThreadTerminatePort (24, ... 02366 588 NtSetEventBoostPriority (172, ... 02364 636 NtCreateEvent ... 596, ) == 0x0 02367 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02368 572 NtAllocateVirtualMemory (-1, 8683520, 0, 4096, 4096, 260, ... 01187 576 NtWaitForSingleObject ... 
) == 0x0 02366 588 NtSetEventBoostPriority ... ) == 0x0 02365 320 NtRegisterThreadTerminatePort ... ) == 0x0 02369 636 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 26275148, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 26275148, 112, ... 02356 564 NtAllocateVirtualMemory ... 121036800, 8192, ) == 0x0 02370 576 NtSetEventBoostPriority (172, ... 02368 572 NtAllocateVirtualMemory ... 8683520, 4096, ) == 0x0 02367 596 NtCreateEvent ... 600, ) == 0x0 02371 588 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01249 728 NtWaitForSingleObject ... ) == 0x0 02370 576 NtSetEventBoostPriority ... ) == 0x0 02372 564 NtProtectVirtualMemory (-1, (0x736e000), 4096, 260, ... 02373 320 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02374 596 NtAllocateVirtualMemory (-1, 4628480, 0, 4096, 4096, 4, ... 02375 728 NtWaitForSingleObject (120, 0, 0x0, ... 02371 588 NtCreateEvent ... 604, ) == 0x0 02376 572 NtAllocateVirtualMemory (-1, 8679424, 0, 4096, 4096, 260, ... 02369 636 NtConnectPort ... 608, 0x0, 0x0, 0x0, 112, ) == 0x0 02372 564 NtProtectVirtualMemory ... (0x736e000), 4096, 4, ) == 0x0 02373 320 NtDuplicateObject ... 612, ) == 0x0 02374 596 NtAllocateVirtualMemory ... 4628480, 4096, ) == 0x0 02377 588 NtWaitForSingleObject (120, 0, 0x0, ... 02376 572 NtAllocateVirtualMemory ... 8679424, 4096, ) == 0x0 02378 636 NtRequestWaitReplyPort (608, {128, 152, new_msg, 0, 4521984, 125728, 4521984, 26274912} (608, {128, 152, new_msg, 0, 4521984, 125728, 4521984, 26274912} "\0$\370w\20\363\220\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\10JF\0\4\0\0\0\10JF\0\20\344\314w\10JF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1E\0\0\0\0\0\310\223F\0\0\222F\0\240\223F\0\0\0\0\0\0\0\0\0\0\0\0\0\310\223F\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02379 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02380 320 NtWaitForSingleObject (120, 0, 0x0, ... 02381 596 NtSetEventBoostPriority (120, ... 02382 572 NtAllocateVirtualMemory (-1, 8675328, 0, 4096, 4096, 260, ... 
02379 564 NtCreateThread ... 616, {556, 324}, ) == 0x0 02378 636 NtRequestWaitReplyPort ... {128, 152, reply, 0, 556, 636, 1587, 0} ... {128, 152, reply, 0, 556, 636, 1587, 0} "\7$\370w\20\363\220\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\10JF\0\377\377\377\377\10JF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0x\1E\0\0\0\0\0\310\223F\0\0\222F\0\240\223F\0\0\0\0\0\0\0\0\0\0\0\0\0\310\223F\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02375 728 NtWaitForSingleObject ... ) == 0x0 02381 596 NtSetEventBoostPriority ... ) == 0x0 02382 572 NtAllocateVirtualMemory ... 8675328, 4096, ) == 0x0 02383 564 NtQueryInformationThread (616, Basic, 28, ... 02384 728 NtSetEventBoostPriority (120, ... 02385 636 NtRequestWaitReplyPort (608, {64, 88, new_msg, 0, 556, 636, 1577, 0} (608, {64, 88, new_msg, 0, 556, 636, 1577, 0} "\1\200\0\0A\2\10\0\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02386 596 NtWaitForSingleObject (120, 0, 0x0, ... 02387 572 NtAllocateVirtualMemory (-1, 8671232, 0, 4096, 4096, 260, ... 02388 576 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02377 588 NtWaitForSingleObject ... ) == 0x0 02384 728 NtSetEventBoostPriority ... ) == 0x0 02383 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=556,Tid=324,}, 0x0, ) == 0x0 02387 572 NtAllocateVirtualMemory ... 8671232, 4096, ) == 0x0 02389 588 NtSetEventBoostPriority (120, ... 02388 576 NtCreateEvent ... 620, ) == 0x0 02385 636 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 636, 1588, 0} ... {52, 76, reply, 0, 556, 636, 1588, 0} "\2\240\372\177\1\00\300\0\0\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02390 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1585, 0} (24, {28, 56, new_msg, 0, 556, 564, 1585, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0,\2\0\0D\1\0\0" ... ... 
02391 728 NtWaitForSingleObject (120, 0, 0x0, ... 02380 320 NtWaitForSingleObject ... ) == 0x0 02389 588 NtSetEventBoostPriority ... ) == 0x0 02392 576 NtWaitForSingleObject (120, 0, 0x0, ... 02393 636 NtWaitForSingleObject (120, 0, 0x0, ... 02390 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1589, 0} ... {28, 56, reply, 0, 556, 564, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOh\2\0\0,\2\0\0D\1\0\0" ) ) == 0x0 02394 320 NtSetEventBoostPriority (120, ... 02395 572 NtAllocateVirtualMemory (-1, 8667136, 0, 4096, 4096, 260, ... 02386 596 NtWaitForSingleObject ... ) == 0x0 02394 320 NtSetEventBoostPriority ... ) == 0x0 02396 564 NtResumeThread (616, ... 02397 596 NtSetEventBoostPriority (120, ... 02395 572 NtAllocateVirtualMemory ... 8667136, 4096, ) == 0x0 02398 588 NtWaitForSingleObject (120, 0, 0x0, ... 02391 728 NtWaitForSingleObject ... ) == 0x0 02396 564 NtResumeThread ... 1, ) == 0x0 02399 572 NtAllocateVirtualMemory (-1, 8663040, 0, 4096, 4096, 260, ... 02400 728 NtSetEventBoostPriority (120, ... 02397 596 NtSetEventBoostPriority ... ) == 0x0 02401 320 NtWaitForSingleObject (120, 0, 0x0, ... 02402 324 NtWaitForSingleObject (120, 0, 0x0, ... 02399 572 NtAllocateVirtualMemory ... 8663040, 4096, ) == 0x0 02392 576 NtWaitForSingleObject ... ) == 0x0 02400 728 NtSetEventBoostPriority ... ) == 0x0 02403 596 NtWaitForSingleObject (120, 0, 0x0, ... 02404 576 NtSetEventBoostPriority (120, ... 02405 572 NtAllocateVirtualMemory (-1, 8658944, 0, 4096, 4096, 260, ... 02406 728 NtWaitForSingleObject (120, 0, 0x0, ... 02393 636 NtWaitForSingleObject ... ) == 0x0 02404 576 NtSetEventBoostPriority ... ) == 0x0 02405 572 NtAllocateVirtualMemory ... 8658944, 4096, ) == 0x0 02407 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02408 636 NtSetEventBoostPriority (120, ... 02409 576 NtWaitForSingleObject (120, 0, 0x0, ... 02398 588 NtWaitForSingleObject ... ) == 0x0 02408 636 NtSetEventBoostPriority ... ) == 0x0 02407 564 NtAllocateVirtualMemory ... 
121044992, 2097152, ) == 0x0 02410 588 NtSetEventBoostPriority (120, ... 02411 572 NtAllocateVirtualMemory (-1, 8654848, 0, 4096, 4096, 260, ... 02401 320 NtWaitForSingleObject ... ) == 0x0 02410 588 NtSetEventBoostPriority ... ) == 0x0 02412 564 NtAllocateVirtualMemory (-1, 123133952, 0, 8192, 4096, 4, ... 02413 320 NtAllocateVirtualMemory (-1, 4632576, 0, 4096, 4096, 4, ... 02411 572 NtAllocateVirtualMemory ... 8654848, 4096, ) == 0x0 02414 588 NtWaitForSingleObject (120, 0, 0x0, ... 02413 320 NtAllocateVirtualMemory ... 4632576, 4096, ) == 0x0 02412 564 NtAllocateVirtualMemory ... 123133952, 8192, ) == 0x0 02415 572 NtAllocateVirtualMemory (-1, 8650752, 0, 4096, 4096, 260, ... 02416 636 NtClose (596, ... 02417 320 NtSetEventBoostPriority (120, ... 02418 564 NtProtectVirtualMemory (-1, (0x756e000), 4096, 260, ... 02415 572 NtAllocateVirtualMemory ... 8650752, 4096, ) == 0x0 02416 636 NtClose ... ) == 0x0 02418 564 NtProtectVirtualMemory ... (0x756e000), 4096, 4, ) == 0x0 02419 572 NtAllocateVirtualMemory (-1, 8646656, 0, 4096, 4096, 260, ... 02420 636 NtClose (608, ... 02402 324 NtWaitForSingleObject ... ) == 0x0 02417 320 NtSetEventBoostPriority ... ) == 0x0 02419 572 NtAllocateVirtualMemory ... 8646656, 4096, ) == 0x0 02420 636 NtClose ... ) == 0x0 02421 324 NtSetEventBoostPriority (120, ... 02422 320 NtWaitForSingleObject (108, 0, {0, 0}, ... 02423 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02424 636 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02403 596 NtWaitForSingleObject ... ) == 0x0 02421 324 NtSetEventBoostPriority ... ) == 0x0 02422 320 NtWaitForSingleObject ... ) == 0x102 02423 564 NtCreateThread ... 608, {556, 1064}, ) == 0x0 02425 596 NtSetEventBoostPriority (120, ... 02424 636 NtCreateKey ... 
596, 2, ) == 0x0 02426 572 NtAllocateVirtualMemory (-1, 8642560, 0, 4096, 4096, 260, ... 02427 320 NtWaitForSingleObject (172, 0, 0x0, ... 02406 728 NtWaitForSingleObject ... ) == 0x0 02425 596 NtSetEventBoostPriority ... ) == 0x0 02428 564 NtQueryInformationThread (608, Basic, 28, ... 02429 324 NtTestAlert (... 02426 572 NtAllocateVirtualMemory ... 8642560, 4096, ) == 0x0 02430 728 NtSetEventBoostPriority (120, ... 02431 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02428 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=556,Tid=1064,}, 0x0, ) == 0x0 02429 324 NtTestAlert ... ) == 0x0 02409 576 NtWaitForSingleObject ... ) == 0x0 02432 572 NtAllocateVirtualMemory (-1, 8638464, 0, 4096, 4096, 260, ... 02431 636 NtOpenKey ... 624, ) == 0x0 02433 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1589, 0} (24, {28, 56, new_msg, 0, 556, 564, 1589, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0,\2\0\0(\4\0\0" ... ... 02434 324 NtContinue (121044272, 1, ... 02435 576 NtSetEventBoostPriority (120, ... 02432 572 NtAllocateVirtualMemory ... 8638464, 4096, ) == 0x0 02436 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02437 324 NtRegisterThreadTerminatePort (24, ... 02414 588 NtWaitForSingleObject ... ) == 0x0 02435 576 NtSetEventBoostPriority ... ) == 0x0 02438 572 NtAllocateVirtualMemory (-1, 8634368, 0, 4096, 4096, 260, ... 02436 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02439 588 NtAllocateVirtualMemory (-1, 4636672, 0, 4096, 4096, 4, ... 02437 324 NtRegisterThreadTerminatePort ... ) == 0x0 02440 576 NtWaitForSingleObject (120, 0, 0x0, ... 02438 572 NtAllocateVirtualMemory ... 8634368, 4096, ) == 0x0 02439 588 NtAllocateVirtualMemory ... 4636672, 4096, ) == 0x0 02441 636 NtQueryValueKey (596, (596, "Hostname", Partial, 144, ... 
, Partial, 144, ... 02442 324 NtWaitForSingleObject (120, 0, 0x0, ... 02430 728 NtSetEventBoostPriority ... ) == 0x0 02443 596 NtWaitForSingleObject (120, 0, 0x0, ... 02433 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1591, 0} ... {28, 56, reply, 0, 556, 564, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO`\2\0\0,\2\0\0(\4\0\0" ) ) == 0x0 02444 588 NtSetEventBoostPriority (120, ... 02441 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02445 572 NtAllocateVirtualMemory (-1, 8630272, 0, 4096, 4096, 260, ... 02446 728 NtSetEventBoostPriority (172, ... 02440 576 NtWaitForSingleObject ... ) == 0x0 02447 564 NtResumeThread (608, ... 02444 588 NtSetEventBoostPriority ... ) == 0x0 02445 572 NtAllocateVirtualMemory ... 8630272, 4096, ) == 0x0 01250 736 NtWaitForSingleObject ... ) == 0x0 02446 728 NtSetEventBoostPriority ... ) == 0x0 02448 576 NtSetEventBoostPriority (120, ... 02447 564 NtResumeThread ... 1, ) == 0x0 02449 636 NtQueryValueKey (596, (596, "Hostname", Partial, 144, ... , Partial, 144, ... 02450 736 NtWaitForSingleObject (120, 0, 0x0, ... 02451 572 NtCreateFile (0x80100081, {24, 0, 0x40, 0, 8638856, (0x80100081, {24, 0, 0x40, 0, 8638856, "\??\C:\Documents and Settings\SRI-user\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk"}, 0x0, 0, 0, 1, 96, 0, 0, ... }, 0x0, 0, 0, 1, 96, 0, 0, ... 02452 588 NtWaitForSingleObject (120, 0, 0x0, ... 02453 1064 NtTestAlert (... 02443 596 NtWaitForSingleObject ... ) == 0x0 02454 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02449 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02451 572 NtCreateFile ... 628, {status=0x0, info=1}, ) == 0x0 02453 1064 NtTestAlert ... ) == 0x0 02455 596 NtSetEventBoostPriority (120, ... 02454 564 NtAllocateVirtualMemory ... 123142144, 2097152, ) == 0x0 02456 636 NtClose (596, ... 
02457 572 NtReadFile (628, 0, 0, 0, 8191, 0x0, 0, ... 02458 1064 NtContinue (123141424, 1, ... 02442 324 NtWaitForSingleObject ... ) == 0x0 02455 596 NtSetEventBoostPriority ... ) == 0x0 02459 564 NtAllocateVirtualMemory (-1, 125231104, 0, 8192, 4096, 4, ... 02456 636 NtClose ... ) == 0x0 02460 324 NtSetEventBoostPriority (120, ... 02461 1064 NtRegisterThreadTerminatePort (24, ... 02462 596 NtWaitForSingleObject (120, 0, 0x0, ... 02448 576 NtSetEventBoostPriority ... ) == 0x0 02463 728 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02450 736 NtWaitForSingleObject ... ) == 0x0 02464 636 NtClose (624, ... 02461 1064 NtRegisterThreadTerminatePort ... ) == 0x0 02460 324 NtSetEventBoostPriority ... ) == 0x0 02459 564 NtAllocateVirtualMemory ... 125231104, 8192, ) == 0x0 02465 576 NtWaitForSingleObject (120, 0, 0x0, ... 02466 736 NtSetEventBoostPriority (120, ... 02463 728 NtCreateEvent ... 596, ) == 0x0 02464 636 NtClose ... ) == 0x0 02457 572 NtReadFile ... {status=0x0, info=1443}, ... {status=0x0, info=1443}, "L\0\0\0\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\277\2\0\0 \0\0\0\0`\2370\16,\301\1\0\300\233'{8\307\1\0`\2370\16,\301\1\0\266\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\363\0\24\0\37P\340O\320 \352:i\20\242\330\10\0+00\235\31\0/C:\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\01\0\0\0\0\006T\10\20\0WINDOWS\0&\0\3\0\4\0\357\27606T\1006\0@\24\0\0\0W\0I\0N\0D\0O\0W\0S\0\0\0\26\0@\01\0\0\0\0\006T\10\20\0system32\0\0(\0\3\0\4\0\357\27606T\1006\0@\24\0\0\0s\0y\0s\0t\0e\0m\03\02\0\0\0\30\0H\02\0\0\266\0\0\27+\0\240 \0utilman.exe\0.\0\3\0\4\0\357\276\27+\0\240/6\0@\24\0\0\0u\0t\0i\0l\0m\0a\0n\0.\0e\0x\0e\0\0\0\32\0\0\0N\0\0\0\34\0\0\0\1\0\0\0\34\0\0\0-\0\0\0\0\0\0\0M\0\0\0\21\0\0\0\3\0\0\0\350\35\361<\20\0\0\0\0C:\WINDOWS\system32\utilman.exe\0\0)\0@\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0,\0-\02\02\05\07\07\0.\0.\0.\0\\0.\0.\0\\0.\0.", ) , ) == 0x0 02467 324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02468 564 NtProtectVirtualMemory (-1, (0x776e000), 4096, 260, ... 02452 588 NtWaitForSingleObject ... ) == 0x0 02466 736 NtSetEventBoostPriority ... ) == 0x0 02469 728 NtWaitForSingleObject (120, 0, 0x0, ... 02470 1064 NtWaitForSingleObject (120, 0, 0x0, ... 02471 572 NtClose (628, ... 02467 324 NtDuplicateObject ... 624, ) == 0x0 02472 588 NtSetEventBoostPriority (120, ... 02468 564 NtProtectVirtualMemory ... (0x776e000), 4096, 4, ) == 0x0 02473 636 NtWaitForSingleObject (120, 0, 0x0, ... 02471 572 NtClose ... ) == 0x0 02474 736 NtSetEventBoostPriority (172, ... 02462 596 NtWaitForSingleObject ... ) == 0x0 02472 588 NtSetEventBoostPriority ... ) == 0x0 02475 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02476 572 NtDelayExecution (0, {-10000, -1}, ... 02477 596 NtSetEventBoostPriority (120, ... 01286 784 NtWaitForSingleObject ... ) == 0x0 02474 736 NtSetEventBoostPriority ... ) == 0x0 02478 588 NtWaitForSingleObject (120, 0, 0x0, ... 02475 564 NtCreateThread ... 628, {556, 1068}, ) == 0x0 02465 576 NtWaitForSingleObject ... ) == 0x0 02479 784 NtWaitForSingleObject (120, 0, 0x0, ... 02480 736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02477 596 NtSetEventBoostPriority ... ) == 0x0 02481 324 NtWaitForSingleObject (120, 0, 0x0, ... 02482 564 NtQueryInformationThread (628, Basic, 28, ... 02483 576 NtSetEventBoostPriority (120, ... 02480 736 NtCreateEvent ... 632, ) == 0x0 02484 596 NtWaitForSingleObject (120, 0, 0x0, ... 02469 728 NtWaitForSingleObject ... ) == 0x0 02483 576 NtSetEventBoostPriority ... ) == 0x0 02485 736 NtWaitForSingleObject (120, 0, 0x0, ... 02486 728 NtSetEventBoostPriority (120, ... 02482 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=556,Tid=1068,}, 0x0, ) == 0x0 02470 1064 NtWaitForSingleObject ... ) == 0x0 02486 728 NtSetEventBoostPriority ... ) == 0x0 02487 1064 NtSetEventBoostPriority (120, ... 
02488 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1591, 0} (24, {28, 56, new_msg, 0, 556, 564, 1591, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0,\2\0\0,\4\0\0" ... ... 02489 576 NtWaitForSingleObject (120, 0, 0x0, ... 02473 636 NtWaitForSingleObject ... ) == 0x0 02487 1064 NtSetEventBoostPriority ... ) == 0x0 02488 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1592, 0} ... {28, 56, reply, 0, 556, 564, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\2\0\0,\2\0\0,\4\0\0" ) ) == 0x0 02490 636 NtSetEventBoostPriority (120, ... 02491 1064 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02479 784 NtWaitForSingleObject ... ) == 0x0 02490 636 NtSetEventBoostPriority ... ) == 0x0 02492 564 NtResumeThread (628, ... 02493 728 NtWaitForSingleObject (120, 0, 0x0, ... 02494 784 NtSetEventBoostPriority (120, ... 02495 636 NtWaitForSingleObject (120, 0, 0x0, ... 02492 564 NtResumeThread ... 1, ) == 0x0 02481 324 NtWaitForSingleObject ... ) == 0x0 02494 784 NtSetEventBoostPriority ... ) == 0x0 02491 1064 NtDuplicateObject ... 636, ) == 0x0 02496 1068 NtTestAlert (... 02497 324 NtSetEventBoostPriority (120, ... 02498 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02499 1064 NtWaitForSingleObject (120, 0, 0x0, ... 02478 588 NtWaitForSingleObject ... ) == 0x0 02497 324 NtSetEventBoostPriority ... ) == 0x0 02496 1068 NtTestAlert ... ) == 0x0 02498 564 NtAllocateVirtualMemory ... 125239296, 2097152, ) == 0x0 02500 588 NtSetEventBoostPriority (120, ... 02501 324 NtWaitForSingleObject (120, 0, 0x0, ... 02502 1068 NtContinue (125238576, 1, ... 02484 596 NtWaitForSingleObject ... ) == 0x0 02503 564 NtAllocateVirtualMemory (-1, 127328256, 0, 8192, 4096, 4, ... 02500 588 NtSetEventBoostPriority ... ) == 0x0 02504 784 NtWaitForSingleObject (120, 0, 0x0, ... 02505 1068 NtRegisterThreadTerminatePort (24, ... 02506 596 NtSetEventBoostPriority (120, ... 02503 564 NtAllocateVirtualMemory ... 127328256, 8192, ) == 0x0 02507 588 NtWaitForSingleObject (120, 0, 0x0, ... 
02505 1068 NtRegisterThreadTerminatePort ... ) == 0x0 02485 736 NtWaitForSingleObject ... ) == 0x0 02506 596 NtSetEventBoostPriority ... ) == 0x0 02508 564 NtProtectVirtualMemory (-1, (0x796e000), 4096, 260, ... 02509 736 NtSetEventBoostPriority (120, ... 02510 1068 NtWaitForSingleObject (120, 0, 0x0, ... 02489 576 NtWaitForSingleObject ... ) == 0x0 02509 736 NtSetEventBoostPriority ... ) == 0x0 02508 564 NtProtectVirtualMemory ... (0x796e000), 4096, 4, ) == 0x0 02511 576 NtSetEventBoostPriority (120, ... 02512 596 NtWaitForSingleObject (120, 0, 0x0, ... 02513 736 NtWaitForSingleObject (120, 0, 0x0, ... 02493 728 NtWaitForSingleObject ... ) == 0x0 02511 576 NtSetEventBoostPriority ... ) == 0x0 02514 728 NtSetEventBoostPriority (120, ... 02495 636 NtWaitForSingleObject ... ) == 0x0 02515 636 NtSetEventBoostPriority (120, ... 02499 1064 NtWaitForSingleObject ... ) == 0x0 02516 1064 NtSetEventBoostPriority (120, ... 02504 784 NtWaitForSingleObject ... ) == 0x0 02517 784 NtSetEventBoostPriority (120, ... 02507 588 NtWaitForSingleObject ... ) == 0x0 02518 588 NtSetEventBoostPriority (120, ... 02501 324 NtWaitForSingleObject ... ) == 0x0 02519 324 NtSetEventBoostPriority (120, ... 02510 1068 NtWaitForSingleObject ... ) == 0x0 02520 1068 NtSetEventBoostPriority (120, ... 02512 596 NtWaitForSingleObject ... ) == 0x0 02521 596 NtSetEventBoostPriority (120, ... 02513 736 NtWaitForSingleObject ... ) == 0x0 02522 736 NtAllocateVirtualMemory (-1, 4640768, 0, 4096, 4096, 4, ... 4640768, 4096, ) == 0x0 02523 736 NtAllocateVirtualMemory (-1, 4644864, 0, 4096, 4096, 4, ... 02521 596 NtSetEventBoostPriority ... ) == 0x0 02520 1068 NtSetEventBoostPriority ... ) == 0x0 02518 588 NtSetEventBoostPriority ... ) == 0x0 02517 784 NtSetEventBoostPriority ... ) == 0x0 02516 1064 NtSetEventBoostPriority ... ) == 0x0 02514 728 NtSetEventBoostPriority ... ) == 0x0 02524 576 NtWaitForSingleObject (120, 0, 0x0, ... 02519 324 NtSetEventBoostPriority ... 
) == 0x0 02515 636 NtSetEventBoostPriority ... ) == 0x0 02525 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02526 596 NtAllocateVirtualMemory (-1, 24170496, 0, 4096, 4096, 260, ... 02527 1068 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02523 736 NtAllocateVirtualMemory ... 4644864, 4096, ) == 0x0 02528 784 NtSetEventBoostPriority (172, ... 02529 588 NtWaitForSingleObject (120, 0, 0x0, ... 02530 728 NtWaitForSingleObject (120, 0, 0x0, ... 02531 1064 NtWaitForSingleObject (120, 0, 0x0, ... 02532 324 NtWaitForSingleObject (108, 0, {0, 0}, ... 02533 636 NtWaitForSingleObject (120, 0, 0x0, ... 02525 564 NtCreateThread ... 640, {556, 1084}, ) == 0x0 02526 596 NtAllocateVirtualMemory ... 24170496, 4096, ) == 0x0 02534 736 NtSetEventBoostPriority (120, ... 02527 1068 NtDuplicateObject ... 644, ) == 0x0 01292 788 NtWaitForSingleObject ... ) == 0x0 02528 784 NtSetEventBoostPriority ... ) == 0x0 02535 564 NtQueryInformationThread (640, Basic, 28, ... 02536 596 NtWaitForSingleObject (120, 0, 0x0, ... 02524 576 NtWaitForSingleObject ... ) == 0x0 02534 736 NtSetEventBoostPriority ... ) == 0x0 02537 1068 NtWaitForSingleObject (120, 0, 0x0, ... 02538 788 NtWaitForSingleObject (120, 0, 0x0, ... 02539 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02535 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=556,Tid=1084,}, 0x0, ) == 0x0 02540 576 NtSetEventBoostPriority (120, ... 02541 736 NtWaitForSingleObject (120, 0, 0x0, ... 02539 784 NtCreateEvent ... 648, ) == 0x0 02529 588 NtWaitForSingleObject ... ) == 0x0 02542 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1592, 0} (24, {28, 56, new_msg, 0, 556, 564, 1592, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0,\2\0\0<\4\0\0" ... ... 02543 784 NtWaitForSingleObject (120, 0, 0x0, ... 02544 588 NtSetEventBoostPriority (120, ... 02531 1064 NtWaitForSingleObject ... ) == 0x0 02545 1064 NtSetEventBoostPriority (120, ... 02533 636 NtWaitForSingleObject ... 
) == 0x0 02546 636 NtSetEventBoostPriority (120, ... 02536 596 NtWaitForSingleObject ... ) == 0x0 02547 596 NtSetEventBoostPriority (120, ... 02537 1068 NtWaitForSingleObject ... ) == 0x0 02548 1068 NtSetEventBoostPriority (120, ... 02538 788 NtWaitForSingleObject ... ) == 0x0 02549 788 NtSetEventBoostPriority (120, ... 02541 736 NtWaitForSingleObject ... ) == 0x0 02550 736 NtSetEventBoostPriority (120, ... 02543 784 NtWaitForSingleObject ... ) == 0x0 02551 784 NtSetEventBoostPriority (120, ... ) == 0x0 02550 736 NtSetEventBoostPriority ... ) == 0x0 02549 788 NtSetEventBoostPriority ... ) == 0x0 02548 1068 NtSetEventBoostPriority ... ) == 0x0 02547 596 NtSetEventBoostPriority ... ) == 0x0 02546 636 NtSetEventBoostPriority ... ) == 0x0 02545 1064 NtSetEventBoostPriority ... ) == 0x0 02544 588 NtSetEventBoostPriority ... ) == 0x0 02540 576 NtSetEventBoostPriority ... ) == 0x0 02530 728 NtWaitForSingleObject ... ) == 0x0 02532 324 NtWaitForSingleObject ... ) == 0x102 02542 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1593, 0} ... {28, 56, reply, 0, 556, 564, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\200\2\0\0,\2\0\0<\4\0\0" ) ) == 0x0 02552 784 NtWaitForSingleObject (120, 0, 0x0, ... 02553 736 NtWaitForSingleObject (120, 0, 0x0, ... 02554 788 NtSetEventBoostPriority (172, ... 02555 1068 NtWaitForSingleObject (120, 0, 0x0, ... 02556 596 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02557 1064 NtWaitForSingleObject (108, 0, {0, 0}, ... 02558 588 NtWaitForSingleObject (120, 0, 0x0, ... 02559 576 NtWaitForSingleObject (120, 0, 0x0, ... 02560 728 NtSetEventBoostPriority (120, ... 02561 324 NtWaitForSingleObject (172, 0, 0x0, ... 02562 564 NtResumeThread (640, ... 01297 676 NtWaitForSingleObject ... ) == 0x0 02554 788 NtSetEventBoostPriority ... ) == 0x0 02556 596 NtCreateEvent ... 652, ) == 0x0 02563 636 NtWaitForSingleObject (120, 0, 0x0, ... 02557 1064 NtWaitForSingleObject ... ) == 0x102 02552 784 NtWaitForSingleObject ... 
) == 0x0 02560 728 NtSetEventBoostPriority ... ) == 0x0 02564 676 NtWaitForSingleObject (120, 0, 0x0, ... 02562 564 NtResumeThread ... 1, ) == 0x0 02565 788 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02566 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02567 784 NtAllocateVirtualMemory (-1, 4648960, 0, 4096, 4096, 4, ... 02568 1064 NtWaitForSingleObject (172, 0, 0x0, ... 02569 728 NtWaitForSingleObject (120, 0, 0x0, ... 02570 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02565 788 NtCreateEvent ... 656, ) == 0x0 02567 784 NtAllocateVirtualMemory ... 4648960, 4096, ) == 0x0 02566 596 NtDuplicateObject ... 660, ) == 0x0 02570 564 NtAllocateVirtualMemory ... 127336448, 2097152, ) == 0x0 02571 784 NtSetEventBoostPriority (120, ... 02572 788 NtWaitForSingleObject (120, 0, 0x0, ... 02573 596 NtWaitForSingleObject (120, 0, 0x0, ... 02574 564 NtAllocateVirtualMemory (-1, 129425408, 0, 8192, 4096, 4, ... 02575 1084 NtWaitForSingleObject (120, 0, 0x0, ... 02553 736 NtWaitForSingleObject ... ) == 0x0 02571 784 NtSetEventBoostPriority ... ) == 0x0 02576 736 NtSetEventBoostPriority (120, ... 02577 784 NtWaitForSingleObject (120, 0, 0x0, ... 02555 1068 NtWaitForSingleObject ... ) == 0x0 02576 736 NtSetEventBoostPriority ... ) == 0x0 02578 1068 NtSetEventBoostPriority (120, ... 02559 576 NtWaitForSingleObject ... ) == 0x0 02579 576 NtSetEventBoostPriority (120, ... 02563 636 NtWaitForSingleObject ... ) == 0x0 02580 636 NtSetEventBoostPriority (120, ... 02564 676 NtWaitForSingleObject ... ) == 0x0 02581 676 NtSetEventBoostPriority (120, ... 02569 728 NtWaitForSingleObject ... ) == 0x0 02582 728 NtSetEventBoostPriority (120, ... 02558 588 NtWaitForSingleObject ... ) == 0x0 02583 588 NtSetEventBoostPriority (120, ... 02572 788 NtWaitForSingleObject ... ) == 0x0 02584 788 NtSetEventBoostPriority (120, ... 02573 596 NtWaitForSingleObject ... ) == 0x0 02585 596 NtSetEventBoostPriority (120, ... 02575 1084 NtWaitForSingleObject ... 
) == 0x0 02586 1084 NtSetEventBoostPriority (120, ... 02577 784 NtWaitForSingleObject ... ) == 0x0 02587 784 NtAllocateVirtualMemory (-1, 36753408, 0, 4096, 4096, 260, ... 36753408, 4096, ) == 0x0 02586 1084 NtSetEventBoostPriority ... ) == 0x0 02585 596 NtSetEventBoostPriority ... ) == 0x0 02584 788 NtSetEventBoostPriority ... ) == 0x0 02582 728 NtSetEventBoostPriority ... ) == 0x0 02581 676 NtSetEventBoostPriority ... ) == 0x0 02580 636 NtSetEventBoostPriority ... ) == 0x0 02579 576 NtSetEventBoostPriority ... ) == 0x0 02578 1068 NtSetEventBoostPriority ... ) == 0x0 02588 736 NtAllocateVirtualMemory (-1, 30461952, 0, 4096, 4096, 260, ... 02583 588 NtSetEventBoostPriority ... ) == 0x0 02574 564 NtAllocateVirtualMemory ... 129425408, 8192, ) == 0x0 02589 784 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02590 1084 NtTestAlert (... 02591 596 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02592 788 NtAllocateVirtualMemory (-1, 34656256, 0, 4096, 4096, 260, ... 02593 728 NtAllocateVirtualMemory (-1, 28364800, 0, 4096, 4096, 260, ... 02594 636 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02595 676 NtSetEventBoostPriority (172, ... 02596 1068 NtWaitForSingleObject (108, 0, {0, 0}, ... 02597 576 NtAllocateVirtualMemory (-1, 22073344, 0, 4096, 4096, 260, ... 02598 588 NtAllocateVirtualMemory (-1, 19976192, 0, 4096, 4096, 260, ... 02599 564 NtProtectVirtualMemory (-1, (0x7b6e000), 4096, 260, ... 02589 784 NtCreateEvent ... 664, ) == 0x0 02590 1084 NtTestAlert ... ) == 0x0 02591 596 NtCreateEvent ... 668, ) == 0x0 02592 788 NtAllocateVirtualMemory ... 34656256, 4096, ) == 0x0 02593 728 NtAllocateVirtualMemory ... 28364800, 4096, ) == 0x0 02588 736 NtAllocateVirtualMemory ... 30461952, 4096, ) == 0x0 01537 812 NtWaitForSingleObject ... 
) == 0x0 02595 676 NtSetEventBoostPriority ... ) == 0x0 02594 636 NtCreateKey ... 672, 2, ) == 0x0 02597 576 NtAllocateVirtualMemory ... 22073344, 4096, ) == 0x0 02598 588 NtAllocateVirtualMemory ... 19976192, 4096, ) == 0x0 02599 564 NtProtectVirtualMemory ... (0x7b6e000), 4096, 4, ) == 0x0 02600 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02601 1084 NtContinue (127335728, 1, ... 02602 596 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 24177996, 112, ... , {12, 2, 1, 1}, 0x0, 0x0, 24177996, 112, ... 02603 788 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02604 728 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02605 812 NtSetEventBoostPriority (172, ... 02606 736 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02607 676 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02608 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02609 576 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02596 1068 NtWaitForSingleObject ... ) == 0x102 02610 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02600 784 NtDuplicateObject ... 676, ) == 0x0 02611 1084 NtRegisterThreadTerminatePort (24, ... 02603 788 NtCreateEvent ... 680, ) == 0x0 01541 308 NtWaitForSingleObject ... ) == 0x0 02605 812 NtSetEventBoostPriority ... ) == 0x0 02604 728 NtCreateEvent ... 684, ) == 0x0 02606 736 NtCreateEvent ... 688, ) == 0x0 02607 676 NtCreateEvent ... 692, ) == 0x0 02608 636 NtOpenKey ... 696, ) == 0x0 02609 576 NtCreateEvent ... 700, ) == 0x0 02612 1068 NtWaitForSingleObject (172, 0, 0x0, ... 02610 564 NtCreateThread ... 704, {556, 1128}, ) == 0x0 02613 784 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02611 1084 NtRegisterThreadTerminatePort ... ) == 0x0 02614 308 NtSetEventBoostPriority (172, ... 02615 788 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02616 588 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02602 596 NtConnectPort ... 
708, 0x0, 0x0, 0x0, 112, ) == 0x0 02617 728 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02618 736 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02619 676 NtAllocateVirtualMemory (-1, 4653056, 0, 4096, 4096, 4, ... 02620 636 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02621 576 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02622 564 NtQueryInformationThread (704, Basic, 28, ... 02613 784 NtCreateEvent ... 712, ) == 0x0 01603 808 NtWaitForSingleObject ... ) == 0x0 02614 308 NtSetEventBoostPriority ... ) == 0x0 02623 1084 NtWaitForSingleObject (120, 0, 0x0, ... 02615 788 NtDuplicateObject ... 716, ) == 0x0 02616 588 NtCreateEvent ... 720, ) == 0x0 02624 596 NtRequestWaitReplyPort (708, {128, 152, new_msg, 0, 4521984, 125728, 4521984, 24177760} (708, {128, 152, new_msg, 0, 4521984, 125728, 4521984, 24177760} "\0$\370w\20\363p\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\10JF\0\4\0\0\0\10JF\0\20\344\314w\10JF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\200GF\0@\310F\0\0\0\0\0\0\0\0\0`\310F\0\370\242F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\276\0\0\0" ... ... 02617 728 NtDuplicateObject ... 724, ) == 0x0 02618 736 NtDuplicateObject ... 728, ) == 0x0 02619 676 NtAllocateVirtualMemory ... 4653056, 4096, ) == 0x0 02620 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02621 576 NtDuplicateObject ... 732, ) == 0x0 02625 812 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02622 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=556,Tid=1128,}, 0x0, ) == 0x0 02626 808 NtWaitForSingleObject (120, 0, 0x0, ... 02627 784 NtWaitForSingleObject (712, 0, 0x0, ... 02628 308 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02629 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02630 788 NtWaitForSingleObject (120, 0, 0x0, ... 02624 596 NtRequestWaitReplyPort ... {128, 152, reply, 0, 556, 596, 1595, 0} ... 
{128, 152, reply, 0, 556, 596, 1595, 0} "\7$\370w\20\363p\1\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\10JF\0\377\377\377\377\10JF\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\200GF\0@\310F\0\0\0\0\0\0\0\0\0`\310F\0\370\242F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\276\0\0\0" ) ) == 0x0 02631 736 NtWaitForSingleObject (120, 0, 0x0, ... 02632 728 NtWaitForSingleObject (120, 0, 0x0, ... 02633 636 NtQueryValueKey (672, (672, "Domain", Partial, 144, ... , Partial, 144, ... 02634 676 NtSetEventBoostPriority (120, ... 02625 812 NtCreateEvent ... 736, ) == 0x0 02635 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1593, 0} (24, {28, 56, new_msg, 0, 556, 564, 1593, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0,\2\0\0h\4\0\0" ... ... 02628 308 NtCreateEvent ... 740, ) == 0x0 02629 588 NtDuplicateObject ... 744, ) == 0x0 02636 596 NtSetEventBoostPriority (712, ... 02637 576 NtWaitForSingleObject (120, 0, 0x0, ... 02623 1084 NtWaitForSingleObject ... ) == 0x0 02634 676 NtSetEventBoostPriority ... ) == 0x0 02638 812 NtWaitForSingleObject (120, 0, 0x0, ... 02635 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1596, 0} ... {28, 56, reply, 0, 556, 564, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\300\2\0\0,\2\0\0h\4\0\0" ) ) == 0x0 02639 308 NtWaitForSingleObject (120, 0, 0x0, ... 02640 588 NtWaitForSingleObject (120, 0, 0x0, ... 02627 784 NtWaitForSingleObject ... ) == 0x0 02636 596 NtSetEventBoostPriority ... ) == 0x0 02641 1084 NtSetEventBoostPriority (120, ... 02642 676 NtWaitForSingleObject (120, 0, 0x0, ... 02643 564 NtResumeThread (704, ... 02644 784 NtWaitForSingleObject (120, 0, 0x0, ... 02626 808 NtWaitForSingleObject ... ) == 0x0 02645 596 NtWaitForSingleObject (120, 0, 0x0, ... 02646 808 NtSetEventBoostPriority (120, ... 02643 564 NtResumeThread ... 1, ) == 0x0 02630 788 NtWaitForSingleObject ... ) == 0x0 02646 808 NtSetEventBoostPriority ... ) == 0x0 02641 1084 NtSetEventBoostPriority ... 
) == 0x0 02633 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02647 1128 NtWaitForSingleObject (120, 0, 0x0, ... 02648 788 NtSetEventBoostPriority (120, ... 02649 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02650 1084 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02651 636 NtQueryValueKey (672, (672, "Domain", Partial, 144, ... , Partial, 144, ... 02632 728 NtWaitForSingleObject ... ) == 0x0 02648 788 NtSetEventBoostPriority ... ) == 0x0 02649 564 NtAllocateVirtualMemory ... 129433600, 2097152, ) == 0x0 02650 1084 NtDuplicateObject ... 748, ) == 0x0 02652 728 NtSetEventBoostPriority (120, ... 02651 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02653 788 NtWaitForSingleObject (120, 0, 0x0, ... 02654 564 NtAllocateVirtualMemory (-1, 131522560, 0, 8192, 4096, 4, ... 02655 808 NtWaitForSingleObject (120, 0, 0x0, ... 02631 736 NtWaitForSingleObject ... ) == 0x0 02652 728 NtSetEventBoostPriority ... ) == 0x0 02656 636 NtWaitForSingleObject (120, 0, 0x0, ... 02657 1084 NtWaitForSingleObject (120, 0, 0x0, ... 02654 564 NtAllocateVirtualMemory ... 131522560, 8192, ) == 0x0 02658 736 NtSetEventBoostPriority (120, ... 02659 728 NtWaitForSingleObject (120, 0, 0x0, ... 02637 576 NtWaitForSingleObject ... ) == 0x0 02660 564 NtProtectVirtualMemory (-1, (0x7d6e000), 4096, 260, ... 02658 736 NtSetEventBoostPriority ... ) == 0x0 02661 576 NtSetEventBoostPriority (120, ... 02660 564 NtProtectVirtualMemory ... (0x7d6e000), 4096, 4, ) == 0x0 02662 736 NtWaitForSingleObject (120, 0, 0x0, ... 02638 812 NtWaitForSingleObject ... ) == 0x0 02661 576 NtSetEventBoostPriority ... ) == 0x0 02663 812 NtSetEventBoostPriority (120, ... 02639 308 NtWaitForSingleObject ... ) == 0x0 02664 308 NtSetEventBoostPriority (120, ... 02640 588 NtWaitForSingleObject ... ) == 0x0 02665 588 NtSetEventBoostPriority (120, ... 02642 676 NtWaitForSingleObject ... 
) == 0x0 02666 676 NtSetEventBoostPriority (120, ... 02644 784 NtWaitForSingleObject ... ) == 0x0 02667 784 NtSetEventBoostPriority (120, ... 02645 596 NtWaitForSingleObject ... ) == 0x0 02668 596 NtSetEventBoostPriority (120, ... 02647 1128 NtWaitForSingleObject ... ) == 0x0 02669 1128 NtSetEventBoostPriority (120, ... 02655 808 NtWaitForSingleObject ... ) == 0x0 02670 808 NtSetEventBoostPriority (120, ... 02656 636 NtWaitForSingleObject ... ) == 0x0 02671 636 NtSetEventBoostPriority (120, ... 02657 1084 NtWaitForSingleObject ... ) == 0x0 02672 1084 NtSetEventBoostPriority (120, ... 02653 788 NtWaitForSingleObject ... ) == 0x0 02673 788 NtSetEventBoostPriority (120, ... 02659 728 NtWaitForSingleObject ... ) == 0x0 02674 728 NtSetEventBoostPriority (120, ... 02662 736 NtWaitForSingleObject ... ) == 0x0 02675 736 NtWaitForSingleObject (712, 0, 0x0, ... 02672 1084 NtSetEventBoostPriority ... ) == 0x0 02676 1084 NtWaitForSingleObject (108, 0, {0, 0}, ... 02671 636 NtSetEventBoostPriority ... ) == 0x0 02670 808 NtSetEventBoostPriority ... ) == 0x0 02669 1128 NtSetEventBoostPriority ... ) == 0x0 02668 596 NtSetEventBoostPriority ... ) == 0x0 02667 784 NtSetEventBoostPriority ... ) == 0x0 02666 676 NtSetEventBoostPriority ... ) == 0x0 02665 588 NtSetEventBoostPriority ... ) == 0x0 02664 308 NtSetEventBoostPriority ... ) == 0x0 02663 812 NtSetEventBoostPriority ... ) == 0x0 02677 576 NtWaitForSingleObject (712, 0, 0x0, ... 02674 728 NtSetEventBoostPriority ... ) == 0x0 02673 788 NtSetEventBoostPriority ... ) == 0x0 02678 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02676 1084 NtWaitForSingleObject ... ) == 0x102 02679 808 NtSetEventBoostPriority (172, ... 02680 636 NtClose (672, ... 02681 1128 NtTestAlert (... 
02682 596 NtRequestWaitReplyPort (708, {64, 88, new_msg, 0, 0, 0, 0, 0} (708, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02683 784 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02684 676 NtAllocateVirtualMemory (-1, 32559104, 0, 4096, 4096, 260, ... 02685 588 NtWaitForSingleObject (712, 0, 0x0, ... 02686 308 NtAllocateVirtualMemory (-1, 4657152, 0, 4096, 4096, 4, ... 02687 812 NtWaitForSingleObject (120, 0, 0x0, ... 02688 728 NtWaitForSingleObject (120, 0, 0x0, ... 02689 788 NtWaitForSingleObject (120, 0, 0x0, ... 02678 564 NtCreateThread ... 752, {556, 1124}, ) == 0x0 02690 1084 NtWaitForSingleObject (172, 0, 0x0, ... 02680 636 NtClose ... ) == 0x0 02681 1128 NtTestAlert ... ) == 0x0 02683 784 NtCreateEvent ... 672, ) == 0x0 02684 676 NtAllocateVirtualMemory ... 32559104, 4096, ) == 0x0 02682 596 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 596, 1597, 0} ... {52, 76, reply, 0, 556, 596, 1597, 0} "\2\240\372\177\1\00\300\0\0\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02686 308 NtAllocateVirtualMemory ... 4657152, 4096, ) == 0x0 02691 564 NtQueryInformationThread (752, Basic, 28, ... 02692 636 NtClose (696, ... 02693 1128 NtContinue (129432880, 1, ... 02694 784 NtWaitForSingleObject (120, 0, 0x0, ... 02695 676 NtWaitForSingleObject (120, 0, 0x0, ... 02696 596 NtWaitForSingleObject (120, 0, 0x0, ... 02697 308 NtSetEventBoostPriority (120, ... 02691 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=556,Tid=1124,}, 0x0, ) == 0x0 02692 636 NtClose ... ) == 0x0 02698 1128 NtRegisterThreadTerminatePort (24, ... 02687 812 NtWaitForSingleObject ... ) == 0x0 02697 308 NtSetEventBoostPriority ... 
) == 0x0 02699 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1596, 0} (24, {28, 56, new_msg, 0, 556, 564, 1596, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0,\2\0\0d\4\0\0" ... ... 02700 636 NtWaitForSingleObject (120, 0, 0x0, ... 02701 812 NtAllocateVirtualMemory (-1, 4661248, 0, 4096, 4096, 4, ... 02698 1128 NtRegisterThreadTerminatePort ... ) == 0x0 02702 308 NtWaitForSingleObject (120, 0, 0x0, ... 02701 812 NtAllocateVirtualMemory ... 4661248, 4096, ) == 0x0 02703 1128 NtWaitForSingleObject (120, 0, 0x0, ... 02704 812 NtSetEventBoostPriority (120, ... 01676 832 NtWaitForSingleObject ... ) == 0x0 02679 808 NtSetEventBoostPriority ... ) == 0x0 02699 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1598, 0} ... {28, 56, reply, 0, 556, 564, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\360\2\0\0,\2\0\0d\4\0\0" ) ) == 0x0 02705 832 NtSetEventBoostPriority (172, ... 02706 808 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02707 564 NtResumeThread (752, ... 01856 852 NtWaitForSingleObject ... ) == 0x0 02705 832 NtSetEventBoostPriority ... ) == 0x0 02706 808 NtCreateEvent ... 696, ) == 0x0 02708 852 NtWaitForSingleObject (120, 0, 0x0, ... 02707 564 NtResumeThread ... 1, ) == 0x0 02709 832 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02710 808 NtWaitForSingleObject (120, 0, 0x0, ... 02711 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02688 728 NtWaitForSingleObject ... ) == 0x0 02704 812 NtSetEventBoostPriority ... ) == 0x0 02712 1124 NtWaitForSingleObject (120, 0, 0x0, ... 02711 564 NtAllocateVirtualMemory ... 131530752, 2097152, ) == 0x0 02713 728 NtSetEventBoostPriority (120, ... 02714 812 NtWaitForSingleObject (120, 0, 0x0, ... 02715 564 NtAllocateVirtualMemory (-1, 133619712, 0, 8192, 4096, 4, ... 02689 788 NtWaitForSingleObject ... ) == 0x0 02713 728 NtSetEventBoostPriority ... ) == 0x0 02709 832 NtCreateEvent ... 756, ) == 0x0 02716 788 NtSetEventBoostPriority (120, ... 02715 564 NtAllocateVirtualMemory ... 
133619712, 8192, ) == 0x0 02694 784 NtWaitForSingleObject ... ) == 0x0 02716 788 NtSetEventBoostPriority ... ) == 0x0 02717 832 NtWaitForSingleObject (120, 0, 0x0, ... 02718 784 NtSetEventBoostPriority (120, ... 02719 564 NtProtectVirtualMemory (-1, (0x7f6e000), 4096, 260, ... 02720 728 NtWaitForSingleObject (404, 0, 0x0, ... 02695 676 NtWaitForSingleObject ... ) == 0x0 02718 784 NtSetEventBoostPriority ... ) == 0x0 02719 564 NtProtectVirtualMemory ... (0x7f6e000), 4096, 4, ) == 0x0 02721 676 NtSetEventBoostPriority (120, ... 02722 788 NtWaitForSingleObject (712, 0, 0x0, ... 02696 596 NtWaitForSingleObject ... ) == 0x0 02721 676 NtSetEventBoostPriority ... ) == 0x0 02723 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02724 596 NtSetEventBoostPriority (120, ... 02725 784 NtSetEventBoostPriority (404, ... 02700 636 NtWaitForSingleObject ... ) == 0x0 02724 596 NtSetEventBoostPriority ... ) == 0x0 02723 564 NtCreateThread ... 760, {556, 1132}, ) == 0x0 02726 636 NtSetEventBoostPriority (120, ... 02720 728 NtWaitForSingleObject ... ) == 0x0 02725 784 NtSetEventBoostPriority ... ) == 0x0 02727 676 NtWaitForSingleObject (120, 0, 0x0, ... 02702 308 NtWaitForSingleObject ... ) == 0x0 02728 728 NtWaitForSingleObject (712, 0, 0x0, ... 02726 636 NtSetEventBoostPriority ... ) == 0x0 02729 564 NtQueryInformationThread (760, Basic, 28, ... 02730 784 NtSetEventBoostPriority (712, ... 02731 308 NtSetEventBoostPriority (120, ... 02732 596 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02733 636 NtWaitForSingleObject (120, 0, 0x0, ... 02703 1128 NtWaitForSingleObject ... ) == 0x0 02731 308 NtSetEventBoostPriority ... ) == 0x0 02675 736 NtWaitForSingleObject ... ) == 0x0 02730 784 NtSetEventBoostPriority ... ) == 0x0 02732 596 NtCreateKey ... 
764, 2, ) == 0x0 02734 1128 NtSetEventBoostPriority (120, ... 02729 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=556,Tid=1132,}, 0x0, ) == 0x0 02735 736 NtSetEventBoostPriority (712, ... 02736 784 NtWaitForSingleObject (120, 0, 0x0, ... 02708 852 NtWaitForSingleObject ... ) == 0x0 02737 596 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02677 576 NtWaitForSingleObject ... ) == 0x0 02735 736 NtSetEventBoostPriority ... ) == 0x0 02738 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1598, 0} (24, {28, 56, new_msg, 0, 556, 564, 1598, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0,\2\0\0l\4\0\0" ... ... 02739 852 NtSetEventBoostPriority (120, ... 02740 576 NtWaitForSingleObject (120, 0, 0x0, ... 02737 596 NtOpenKey ... 768, ) == 0x0 02734 1128 NtSetEventBoostPriority ... ) == 0x0 02741 308 NtWaitForSingleObject (120, 0, 0x0, ... 02710 808 NtWaitForSingleObject ... ) == 0x0 02739 852 NtSetEventBoostPriority ... ) == 0x0 02738 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1599, 0} ... {28, 56, reply, 0, 556, 564, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\370\2\0\0,\2\0\0l\4\0\0" ) ) == 0x0 02742 596 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02743 1128 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02744 808 NtSetEventBoostPriority (120, ... 02745 736 NtRequestWaitReplyPort (708, {64, 88, new_msg, 0, 556, 596, 1597, 0} (708, {64, 88, new_msg, 0, 556, 596, 1597, 0} "\1\240\0\0A\2\10\0\0\0\0\0 \6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02746 564 NtResumeThread (760, ... 02742 596 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02712 1124 NtWaitForSingleObject ... ) == 0x0 02744 808 NtSetEventBoostPriority ... ) == 0x0 02743 1128 NtDuplicateObject ... 
772, ) == 0x0 02746 564 NtResumeThread ... 1, ) == 0x0 02745 736 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 736, 1600, 0} ... {52, 76, reply, 0, 556, 736, 1600, 0} "\2\200\372\177\1\00\300\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02747 852 NtSetEventBoostPriority (172, ... 02748 1124 NtSetEventBoostPriority (120, ... 02749 596 NtQueryValueKey (764, (764, "Hostname", Partial, 144, ... , Partial, 144, ... 02750 1132 NtWaitForSingleObject (40, 0, 0x0, ... 02751 808 NtWaitForSingleObject (120, 0, 0x0, ... 02752 1128 NtWaitForSingleObject (120, 0, 0x0, ... 02753 736 NtWaitForSingleObject (120, 0, 0x0, ... 02714 812 NtWaitForSingleObject ... ) == 0x0 02748 1124 NtSetEventBoostPriority ... ) == 0x0 01986 872 NtWaitForSingleObject ... ) == 0x0 02747 852 NtSetEventBoostPriority ... ) == 0x0 02749 596 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02754 812 NtSetEventBoostPriority (120, ... 02755 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02756 872 NtWaitForSingleObject (120, 0, 0x0, ... 02757 852 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02717 832 NtWaitForSingleObject ... ) == 0x0 02754 812 NtSetEventBoostPriority ... ) == 0x0 02758 596 NtWaitForSingleObject (120, 0, 0x0, ... 02755 564 NtAllocateVirtualMemory ... 133627904, 2097152, ) == 0x0 02759 832 NtSetEventBoostPriority (120, ... 02757 852 NtCreateEvent ... 776, ) == 0x0 02760 1124 NtSetEventBoostPriority (40, ... 02727 676 NtWaitForSingleObject ... ) == 0x0 02759 832 NtSetEventBoostPriority ... ) == 0x0 02761 564 NtAllocateVirtualMemory (-1, 135716864, 0, 8192, 4096, 4, ... 02762 852 NtWaitForSingleObject (120, 0, 0x0, ... 02763 676 NtSetEventBoostPriority (120, ... 02750 1132 NtWaitForSingleObject ... ) == 0x0 02760 1124 NtSetEventBoostPriority ... ) == 0x0 02764 812 NtWaitForSingleObject (120, 0, 0x0, ... 02761 564 NtAllocateVirtualMemory ... 
135716864, 8192, ) == 0x0 02733 636 NtWaitForSingleObject ... ) == 0x0 02765 1132 NtTestAlert (... 02763 676 NtSetEventBoostPriority ... ) == 0x0 02766 1124 NtTestAlert (... 02767 636 NtSetEventBoostPriority (120, ... 02765 1132 NtTestAlert ... ) == 0x0 02768 564 NtProtectVirtualMemory (-1, (0x816e000), 4096, 260, ... 02769 676 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02736 784 NtWaitForSingleObject ... ) == 0x0 02767 636 NtSetEventBoostPriority ... ) == 0x0 02766 1124 NtTestAlert ... ) == 0x0 02770 832 NtWaitForSingleObject (120, 0, 0x0, ... 02768 564 NtProtectVirtualMemory ... (0x816e000), 4096, 4, ) == 0x0 02771 1132 NtContinue (133627184, 1, ... 02772 784 NtSetEventBoostPriority (120, ... 02773 636 NtWaitForSingleObject (120, 0, 0x0, ... 02774 1124 NtContinue (131530032, 1, ... 02769 676 NtCreateEvent ... 780, ) == 0x0 02740 576 NtWaitForSingleObject ... ) == 0x0 02772 784 NtSetEventBoostPriority ... ) == 0x0 02775 1132 NtRegisterThreadTerminatePort (24, ... 02776 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02777 1124 NtRegisterThreadTerminatePort (24, ... 02778 576 NtSetEventBoostPriority (120, ... 02779 676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02775 1132 NtRegisterThreadTerminatePort ... ) == 0x0 02776 564 NtCreateThread ... 784, {556, 1088}, ) == 0x0 02780 784 NtRequestWaitReplyPort (708, {64, 88, new_msg, 0, 0, 0, 0, 0} (708, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02741 308 NtWaitForSingleObject ... ) == 0x0 02779 676 NtDuplicateObject ... 788, ) == 0x0 02781 1132 NtWaitForSingleObject (120, 0, 0x0, ... 02782 564 NtQueryInformationThread (784, Basic, 28, ... 02783 308 NtSetEventBoostPriority (120, ... 02784 676 NtWaitForSingleObject (120, 0, 0x0, ... 02780 784 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 784, 1601, 0} ... 
{52, 76, reply, 0, 556, 784, 1601, 0} "\2\240\372\177\1\00\300\0\0\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02782 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=556,Tid=1088,}, 0x0, ) == 0x0 02751 808 NtWaitForSingleObject ... ) == 0x0 02783 308 NtSetEventBoostPriority ... ) == 0x0 02785 784 NtWaitForSingleObject (712, 0, 0x0, ... 02786 808 NtAllocateVirtualMemory (-1, 4665344, 0, 4096, 4096, 4, ... 02787 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1599, 0} (24, {28, 56, new_msg, 0, 556, 564, 1599, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0,\2\0\0@\4\0\0" ... ... 02788 308 NtWaitForSingleObject (120, 0, 0x0, ... 02786 808 NtAllocateVirtualMemory ... 4665344, 4096, ) == 0x0 02787 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1602, 0} ... {28, 56, reply, 0, 556, 564, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\20\3\0\0,\2\0\0@\4\0\0" ) ) == 0x0 02778 576 NtSetEventBoostPriority ... ) == 0x0 02777 1124 NtRegisterThreadTerminatePort ... ) == 0x0 02789 808 NtSetEventBoostPriority (120, ... 02790 564 NtResumeThread (784, ... 02791 1124 NtWaitForSingleObject (120, 0, 0x0, ... 02792 576 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02790 564 NtResumeThread ... 1, ) == 0x0 02792 576 NtCreateEvent ... 792, ) == 0x0 02793 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02794 576 NtSetEventBoostPriority (712, ... 02793 564 NtAllocateVirtualMemory ... 135725056, 2097152, ) == 0x0 02685 588 NtWaitForSingleObject ... ) == 0x0 02794 576 NtSetEventBoostPriority ... ) == 0x0 02795 588 NtSetEventBoostPriority (712, ... 02796 564 NtAllocateVirtualMemory (-1, 137814016, 0, 8192, 4096, 4, ... 02722 788 NtWaitForSingleObject ... ) == 0x0 02795 588 NtSetEventBoostPriority ... ) == 0x0 02797 576 NtWaitForSingleObject (120, 0, 0x0, ... 02752 1128 NtWaitForSingleObject ... ) == 0x0 02789 808 NtSetEventBoostPriority ... 
) == 0x0 02798 1088 NtWaitForSingleObject (120, 0, 0x0, ... 02799 788 NtWaitForSingleObject (120, 0, 0x0, ... 02800 588 NtRequestWaitReplyPort (708, {64, 88, new_msg, 0, 556, 736, 1600, 0} (708, {64, 88, new_msg, 0, 556, 736, 1600, 0} "\1\200\0\0A\2\10\0\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02801 1128 NtSetEventBoostPriority (120, ... 02802 808 NtWaitForSingleObject (120, 0, 0x0, ... 02796 564 NtAllocateVirtualMemory ... 137814016, 8192, ) == 0x0 02753 736 NtWaitForSingleObject ... ) == 0x0 02801 1128 NtSetEventBoostPriority ... ) == 0x0 02803 736 NtSetEventBoostPriority (120, ... 02804 564 NtProtectVirtualMemory (-1, (0x836e000), 4096, 260, ... 02756 872 NtWaitForSingleObject ... ) == 0x0 02803 736 NtSetEventBoostPriority ... ) == 0x0 02805 1128 NtWaitForSingleObject (120, 0, 0x0, ... 02806 872 NtSetEventBoostPriority (120, ... 02804 564 NtProtectVirtualMemory ... (0x836e000), 4096, 4, ) == 0x0 02807 736 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02800 588 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 588, 1603, 0} ... {52, 76, reply, 0, 556, 588, 1603, 0} "\2\200\372\177\1\00\300\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02758 596 NtWaitForSingleObject ... ) == 0x0 02808 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02807 736 NtCreateKey ... 796, 2, ) == 0x0 02809 588 NtWaitForSingleObject (120, 0, 0x0, ... 02810 596 NtSetEventBoostPriority (120, ... 02808 564 NtCreateThread ... 800, {556, 1104}, ) == 0x0 02811 736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 
}, ... 02762 852 NtWaitForSingleObject ... ) == 0x0 02810 596 NtSetEventBoostPriority ... ) == 0x0 02812 564 NtQueryInformationThread (800, Basic, 28, ... 02813 852 NtSetEventBoostPriority (120, ... 02811 736 NtOpenKey ... 804, ) == 0x0 02806 872 NtSetEventBoostPriority ... ) == 0x0 02814 596 NtQueryValueKey (764, (764, "Hostname", Partial, 144, ... , Partial, 144, ... 02764 812 NtWaitForSingleObject ... ) == 0x0 02813 852 NtSetEventBoostPriority ... ) == 0x0 02815 736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02812 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=556,Tid=1104,}, 0x0, ) == 0x0 02816 812 NtSetEventBoostPriority (120, ... 02814 596 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02817 872 NtWaitForSingleObject (120, 0, 0x0, ... 02815 736 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02770 832 NtWaitForSingleObject ... ) == 0x0 02816 812 NtSetEventBoostPriority ... ) == 0x0 02818 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1602, 0} (24, {28, 56, new_msg, 0, 556, 564, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0,\2\0\0P\4\0\0" ... ... 02819 596 NtWaitForSingleObject (120, 0, 0x0, ... 02820 852 NtWaitForSingleObject (120, 0, 0x0, ... 02821 832 NtSetEventBoostPriority (120, ... 02822 812 NtWaitForSingleObject (120, 0, 0x0, ... 02818 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1604, 0} ... {28, 56, reply, 0, 556, 564, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO \3\0\0,\2\0\0P\4\0\0" ) ) == 0x0 02773 636 NtWaitForSingleObject ... ) == 0x0 02821 832 NtSetEventBoostPriority ... ) == 0x0 02823 736 NtQueryValueKey (796, (796, "Hostname", Partial, 144, ... , Partial, 144, ... 02824 636 NtSetEventBoostPriority (120, ... 02825 564 NtResumeThread (800, ... 02826 832 NtWaitForSingleObject (120, 0, 0x0, ... 
02781 1132 NtWaitForSingleObject ... ) == 0x0 02823 736 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02825 564 NtResumeThread ... 1, ) == 0x0 02824 636 NtSetEventBoostPriority ... ) == 0x0 02827 1132 NtSetEventBoostPriority (120, ... 02828 736 NtQueryValueKey (796, (796, "Hostname", Partial, 144, ... , Partial, 144, ... 02829 1104 NtWaitForSingleObject (40, 0, 0x0, ... 02830 636 NtWaitForSingleObject (404, 0, 0x0, ... 02784 676 NtWaitForSingleObject ... ) == 0x0 02827 1132 NtSetEventBoostPriority ... ) == 0x0 02828 736 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02831 676 NtSetEventBoostPriority (120, ... 02832 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02788 308 NtWaitForSingleObject ... ) == 0x0 02831 676 NtSetEventBoostPriority ... ) == 0x0 02833 736 NtWaitForSingleObject (120, 0, 0x0, ... 02834 308 NtSetEventBoostPriority (120, ... 02832 564 NtAllocateVirtualMemory ... 137822208, 2097152, ) == 0x0 02835 1132 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02791 1124 NtWaitForSingleObject ... ) == 0x0 02836 564 NtAllocateVirtualMemory (-1, 139911168, 0, 8192, 4096, 4, ... 02835 1132 NtDuplicateObject ... 808, ) == 0x0 02837 1124 NtSetEventBoostPriority (120, ... 02836 564 NtAllocateVirtualMemory ... 139911168, 8192, ) == 0x0 02838 1132 NtWaitForSingleObject (120, 0, 0x0, ... 02797 576 NtWaitForSingleObject ... ) == 0x0 02837 1124 NtSetEventBoostPriority ... ) == 0x0 02839 564 NtProtectVirtualMemory (-1, (0x856e000), 4096, 260, ... 02840 576 NtSetEventBoostPriority (120, ... 02834 308 NtSetEventBoostPriority ... ) == 0x0 02841 676 NtWaitForSingleObject (404, 0, 0x0, ... 02799 788 NtWaitForSingleObject ... ) == 0x0 02840 576 NtSetEventBoostPriority ... ) == 0x0 02839 564 NtProtectVirtualMemory ... (0x856e000), 4096, 4, ) == 0x0 02842 308 NtWaitForSingleObject (120, 0, 0x0, ... 
02843 788 NtSetEventBoostPriority (120, ... 02844 1124 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02845 576 NtRequestWaitReplyPort (708, {64, 88, new_msg, 0, 0, 0, 0, 0} (708, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02798 1088 NtWaitForSingleObject ... ) == 0x0 02843 788 NtSetEventBoostPriority ... ) == 0x0 02844 1124 NtDuplicateObject ... 812, ) == 0x0 02846 1088 NtSetEventBoostPriority (120, ... 02845 576 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 576, 1605, 0} ... {52, 76, reply, 0, 556, 576, 1605, 0} "\2\240\372\177\1\00\300\0\0\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02847 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02802 808 NtWaitForSingleObject ... ) == 0x0 02846 1088 NtSetEventBoostPriority ... ) == 0x0 02848 1124 NtWaitForSingleObject (120, 0, 0x0, ... 02849 576 NtWaitForSingleObject (120, 0, 0x0, ... 02850 808 NtSetEventBoostPriority (120, ... 02847 564 NtCreateThread ... 816, {556, 1136}, ) == 0x0 02851 788 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02809 588 NtWaitForSingleObject ... ) == 0x0 02850 808 NtSetEventBoostPriority ... ) == 0x0 02852 564 NtQueryInformationThread (816, Basic, 28, ... 02853 588 NtSetEventBoostPriority (120, ... 02851 788 NtCreateEvent ... 820, ) == 0x0 02854 1088 NtSetEventBoostPriority (40, ... 02805 1128 NtWaitForSingleObject ... ) == 0x0 02853 588 NtSetEventBoostPriority ... ) == 0x0 02852 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=556,Tid=1136,}, 0x0, ) == 0x0 02855 788 NtWaitForSingleObject (404, 0, 0x0, ... 02856 1128 NtSetEventBoostPriority (120, ... 02829 1104 NtWaitForSingleObject ... ) == 0x0 02854 1088 NtSetEventBoostPriority ... ) == 0x0 02857 808 NtWaitForSingleObject (120, 0, 0x0, ... 
02858 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1604, 0} (24, {28, 56, new_msg, 0, 556, 564, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0,\2\0\0p\4\0\0" ... ... 02817 872 NtWaitForSingleObject ... ) == 0x0 02859 1104 NtWaitForSingleObject (120, 0, 0x0, ... 02860 1088 NtTestAlert (... 02861 872 NtSetEventBoostPriority (120, ... 02860 1088 NtTestAlert ... ) == 0x0 02819 596 NtWaitForSingleObject ... ) == 0x0 02861 872 NtSetEventBoostPriority ... ) == 0x0 02862 596 NtSetEventBoostPriority (120, ... 02863 1088 NtContinue (135724336, 1, ... 02820 852 NtWaitForSingleObject ... ) == 0x0 02862 596 NtSetEventBoostPriority ... ) == 0x0 02864 872 NtSetEventBoostPriority (172, ... 02865 852 NtAllocateVirtualMemory (-1, 4669440, 0, 4096, 4096, 4, ... 02866 1088 NtRegisterThreadTerminatePort (24, ... 02856 1128 NtSetEventBoostPriority ... ) == 0x0 02867 588 NtWaitForSingleObject (404, 0, 0x0, ... 02858 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1606, 0} ... {28, 56, reply, 0, 556, 564, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO0\3\0\0,\2\0\0p\4\0\0" ) ) == 0x0 02868 596 NtWaitForSingleObject (120, 0, 0x0, ... 02865 852 NtAllocateVirtualMemory ... 4669440, 4096, ) == 0x0 02007 856 NtWaitForSingleObject ... ) == 0x0 02864 872 NtSetEventBoostPriority ... ) == 0x0 02869 1128 NtSetEventBoostPriority (404, ... 02870 564 NtResumeThread (816, ... 02871 852 NtSetEventBoostPriority (120, ... 02872 856 NtSetEventBoostPriority (172, ... 02873 872 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02830 636 NtWaitForSingleObject ... ) == 0x0 02869 1128 NtSetEventBoostPriority ... ) == 0x0 02870 564 NtResumeThread ... 1, ) == 0x0 02866 1088 NtRegisterThreadTerminatePort ... ) == 0x0 02013 860 NtWaitForSingleObject ... ) == 0x0 02874 636 NtSetEventBoostPriority (404, ... 02873 872 NtCreateEvent ... 824, ) == 0x0 02872 856 NtSetEventBoostPriority ... ) == 0x0 02822 812 NtWaitForSingleObject ... ) == 0x0 02871 852 NtSetEventBoostPriority ... 
) == 0x0 02875 1136 NtWaitForSingleObject (40, 0, 0x0, ... 02876 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02877 1088 NtWaitForSingleObject (120, 0, 0x0, ... 02841 676 NtWaitForSingleObject ... ) == 0x0 02874 636 NtSetEventBoostPriority ... ) == 0x0 02878 860 NtWaitForSingleObject (120, 0, 0x0, ... 02879 872 NtWaitForSingleObject (120, 0, 0x0, ... 02880 856 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02881 812 NtSetEventBoostPriority (120, ... 02882 852 NtWaitForSingleObject (120, 0, 0x0, ... 02876 564 NtAllocateVirtualMemory ... 139919360, 2097152, ) == 0x0 02883 676 NtSetEventBoostPriority (404, ... 02884 1128 NtWaitForSingleObject (108, 0, {0, 0}, ... 02880 856 NtCreateEvent ... 828, ) == 0x0 02826 832 NtWaitForSingleObject ... ) == 0x0 02855 788 NtWaitForSingleObject ... ) == 0x0 02883 676 NtSetEventBoostPriority ... ) == 0x0 02885 564 NtAllocateVirtualMemory (-1, 142008320, 0, 8192, 4096, 4, ... 02884 1128 NtWaitForSingleObject ... ) == 0x102 02881 812 NtSetEventBoostPriority ... ) == 0x0 02886 636 NtWaitForSingleObject (120, 0, 0x0, ... 02887 788 NtWaitForSingleObject (120, 0, 0x0, ... 02888 832 NtSetEventBoostPriority (120, ... 02889 676 NtWaitForSingleObject (120, 0, 0x0, ... 02890 856 NtWaitForSingleObject (120, 0, 0x0, ... 02891 1128 NtWaitForSingleObject (172, 0, 0x0, ... 02892 812 NtWaitForSingleObject (120, 0, 0x0, ... 02833 736 NtWaitForSingleObject ... ) == 0x0 02888 832 NtSetEventBoostPriority ... ) == 0x0 02885 564 NtAllocateVirtualMemory ... 142008320, 8192, ) == 0x0 02893 736 NtSetEventBoostPriority (120, ... 02894 832 NtWaitForSingleObject (120, 0, 0x0, ... 02895 564 NtProtectVirtualMemory (-1, (0x876e000), 4096, 260, ... 02838 1132 NtWaitForSingleObject ... ) == 0x0 02893 736 NtSetEventBoostPriority ... ) == 0x0 02896 1132 NtSetEventBoostPriority (120, ... 02895 564 NtProtectVirtualMemory ... (0x876e000), 4096, 4, ) == 0x0 02842 308 NtWaitForSingleObject ... ) == 0x0 02896 1132 NtSetEventBoostPriority ... 
) == 0x0 02897 308 NtSetEventBoostPriority (120, ... 02898 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02899 736 NtClose (796, ... 02848 1124 NtWaitForSingleObject ... ) == 0x0 02897 308 NtSetEventBoostPriority ... ) == 0x0 02898 564 NtCreateThread ... 832, {556, 1140}, ) == 0x0 02900 1124 NtSetEventBoostPriority (120, ... 02899 736 NtClose ... ) == 0x0 02901 1132 NtWaitForSingleObject (404, 0, 0x0, ... 02849 576 NtWaitForSingleObject ... ) == 0x0 02900 1124 NtSetEventBoostPriority ... ) == 0x0 02902 564 NtQueryInformationThread (832, Basic, 28, ... 02903 736 NtClose (804, ... 02904 576 NtSetEventBoostPriority (120, ... 02905 308 NtWaitForSingleObject (120, 0, 0x0, ... 02906 1124 NtWaitForSingleObject (404, 0, 0x0, ... 02857 808 NtWaitForSingleObject ... ) == 0x0 02904 576 NtSetEventBoostPriority ... ) == 0x0 02903 736 NtClose ... ) == 0x0 02907 808 NtSetEventBoostPriority (120, ... 02902 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=556,Tid=1140,}, 0x0, ) == 0x0 02859 1104 NtWaitForSingleObject ... ) == 0x0 02907 808 NtSetEventBoostPriority ... ) == 0x0 02908 736 NtWaitForSingleObject (120, 0, 0x0, ... 02909 1104 NtSetEventBoostPriority (120, ... 02910 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1606, 0} (24, {28, 56, new_msg, 0, 556, 564, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0,\2\0\0t\4\0\0" ... ... 02911 808 NtWaitForSingleObject (120, 0, 0x0, ... 02868 596 NtWaitForSingleObject ... ) == 0x0 02909 1104 NtSetEventBoostPriority ... ) == 0x0 02910 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1607, 0} ... {28, 56, reply, 0, 556, 564, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO@\3\0\0,\2\0\0t\4\0\0" ) ) == 0x0 02912 576 NtWaitForSingleObject (712, 0, 0x0, ... 02913 596 NtSetEventBoostPriority (120, ... 02914 564 NtResumeThread (832, ... 02877 1088 NtWaitForSingleObject ... ) == 0x0 02913 596 NtSetEventBoostPriority ... ) == 0x0 02915 1088 NtSetEventBoostPriority (120, ... 
02914 564 NtResumeThread ... 1, ) == 0x0 02878 860 NtWaitForSingleObject ... ) == 0x0 02915 1088 NtSetEventBoostPriority ... ) == 0x0 02916 596 NtClose (764, ... 02917 1104 NtSetEventBoostPriority (40, ... 02918 1140 NtWaitForSingleObject (40, 0, 0x0, ... 02919 860 NtSetEventBoostPriority (120, ... 02920 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02921 1088 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02875 1136 NtWaitForSingleObject ... ) == 0x0 02917 1104 NtSetEventBoostPriority ... ) == 0x0 02879 872 NtWaitForSingleObject ... ) == 0x0 02919 860 NtSetEventBoostPriority ... ) == 0x0 02920 564 NtAllocateVirtualMemory ... 142016512, 2097152, ) == 0x0 02922 1136 NtSetEventBoostPriority (40, ... 02921 1088 NtDuplicateObject ... 804, ) == 0x0 02923 872 NtSetEventBoostPriority (120, ... 02924 1104 NtTestAlert (... 02916 596 NtClose ... ) == 0x0 02918 1140 NtWaitForSingleObject ... ) == 0x0 02922 1136 NtSetEventBoostPriority ... ) == 0x0 02925 564 NtAllocateVirtualMemory (-1, 144105472, 0, 8192, 4096, 4, ... 02882 852 NtWaitForSingleObject ... ) == 0x0 02923 872 NtSetEventBoostPriority ... ) == 0x0 02926 1088 NtWaitForSingleObject (404, 0, 0x0, ... 02924 1104 NtTestAlert ... ) == 0x0 02927 1140 NtWaitForSingleObject (120, 0, 0x0, ... 02928 596 NtClose (768, ... 02929 860 NtSetEventBoostPriority (172, ... 02930 852 NtSetEventBoostPriority (120, ... 02925 564 NtAllocateVirtualMemory ... 144105472, 8192, ) == 0x0 02931 1136 NtTestAlert (... 02932 1104 NtContinue (137821488, 1, ... 02928 596 NtClose ... ) == 0x0 02887 788 NtWaitForSingleObject ... ) == 0x0 02930 852 NtSetEventBoostPriority ... ) == 0x0 02018 884 NtWaitForSingleObject ... ) == 0x0 02929 860 NtSetEventBoostPriority ... ) == 0x0 02933 564 NtProtectVirtualMemory (-1, (0x896e000), 4096, 260, ... 02931 1136 NtTestAlert ... ) == 0x0 02934 1104 NtRegisterThreadTerminatePort (24, ... 02935 788 NtSetEventBoostPriority (120, ... 02936 596 NtCreateEvent (0x100003, 0x0, 1, 0, ... 
02937 872 NtWaitForSingleObject (120, 0, 0x0, ... 02938 884 NtWaitForSingleObject (120, 0, 0x0, ... 02939 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02933 564 NtProtectVirtualMemory ... (0x896e000), 4096, 4, ) == 0x0 02940 1136 NtContinue (139918640, 1, ... 02941 852 NtWaitForSingleObject (120, 0, 0x0, ... 02886 636 NtWaitForSingleObject ... ) == 0x0 02935 788 NtSetEventBoostPriority ... ) == 0x0 02936 596 NtCreateEvent ... 768, ) == 0x0 02939 860 NtCreateEvent ... 764, ) == 0x0 02934 1104 NtRegisterThreadTerminatePort ... ) == 0x0 02942 1136 NtRegisterThreadTerminatePort (24, ... 02943 636 NtSetEventBoostPriority (120, ... 02944 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 02945 596 NtWaitForSingleObject (768, 0, 0x0, ... 02946 860 NtWaitForSingleObject (120, 0, 0x0, ... 02947 1104 NtWaitForSingleObject (120, 0, 0x0, ... 02890 856 NtWaitForSingleObject ... ) == 0x0 02943 636 NtSetEventBoostPriority ... ) == 0x0 02942 1136 NtRegisterThreadTerminatePort ... ) == 0x0 02944 564 NtCreateThread ... 796, {556, 996}, ) == 0x0 02948 788 NtSetEventBoostPriority (404, ... 02949 856 NtSetEventBoostPriority (120, ... 02950 636 NtWaitForSingleObject (120, 0, 0x0, ... 02951 1136 NtWaitForSingleObject (120, 0, 0x0, ... 02952 564 NtQueryInformationThread (796, Basic, 28, ... 02892 812 NtWaitForSingleObject ... ) == 0x0 02949 856 NtSetEventBoostPriority ... ) == 0x0 02867 588 NtWaitForSingleObject ... ) == 0x0 02948 788 NtSetEventBoostPriority ... ) == 0x0 02476 572 NtDelayExecution ... ) == 0x0 02953 812 NtSetEventBoostPriority (120, ... 02954 588 NtSetEventBoostPriority (404, ... 02955 856 NtWaitForSingleObject (120, 0, 0x0, ... 02956 788 NtSetEventBoostPriority (712, ... 02894 832 NtWaitForSingleObject ... ) == 0x0 02901 1132 NtWaitForSingleObject ... ) == 0x0 02954 588 NtSetEventBoostPriority ... ) == 0x0 02953 812 NtSetEventBoostPriority ... ) == 0x0 02957 572 NtWaitForSingleObject (120, 0, 0x0, ... 02952 564 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=556,Tid=996,}, 0x0, ) == 0x0 02958 832 NtSetEventBoostPriority (120, ... 02959 1132 NtSetEventBoostPriority (404, ... 02728 728 NtWaitForSingleObject ... ) == 0x0 02956 788 NtSetEventBoostPriority ... ) == 0x0 02960 588 NtWaitForSingleObject (120, 0, 0x0, ... 02889 676 NtWaitForSingleObject ... ) == 0x0 02906 1124 NtWaitForSingleObject ... ) == 0x0 02961 728 NtSetEventBoostPriority (712, ... 02959 1132 NtSetEventBoostPriority ... ) == 0x0 02958 832 NtSetEventBoostPriority ... ) == 0x0 02962 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1607, 0} (24, {28, 56, new_msg, 0, 556, 564, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0,\2\0\0\344\3\0\0" ... ... 02963 788 NtWaitForSingleObject (120, 0, 0x0, ... 02964 812 NtWaitForSingleObject (120, 0, 0x0, ... 02965 676 NtSetEventBoostPriority (120, ... 02966 1124 NtSetEventBoostPriority (404, ... 02785 784 NtWaitForSingleObject ... ) == 0x0 02961 728 NtSetEventBoostPriority ... ) == 0x0 02967 1132 NtWaitForSingleObject (108, 0, {0, 0}, ... 02962 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1608, 0} ... {28, 56, reply, 0, 556, 564, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\34\3\0\0,\2\0\0\344\3\0\0" ) ) == 0x0 02905 308 NtWaitForSingleObject ... ) == 0x0 02926 1088 NtWaitForSingleObject ... ) == 0x0 02968 784 NtSetEventBoostPriority (712, ... 02966 1124 NtSetEventBoostPriority ... ) == 0x0 02965 676 NtSetEventBoostPriority ... ) == 0x0 02969 832 NtWaitForSingleObject (120, 0, 0x0, ... 02970 728 NtRequestWaitReplyPort (708, {64, 88, new_msg, 0, 556, 588, 1603, 0} (708, {64, 88, new_msg, 0, 556, 588, 1603, 0} "\1\200\0\0A\2\10\0\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02971 564 NtResumeThread (796, ... 02972 1088 NtWaitForSingleObject (120, 0, 0x0, ... 02912 576 NtWaitForSingleObject ... ) == 0x0 02968 784 NtSetEventBoostPriority ... 
) == 0x0 02973 308 NtSetEventBoostPriority (120, ... 02974 1124 NtWaitForSingleObject (108, 0, {0, 0}, ... 02975 676 NtWaitForSingleObject (712, 0, 0x0, ... 02976 576 NtSetEventBoostPriority (712, ... 02971 564 NtResumeThread ... 1, ) == 0x0 02970 728 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 728, 1609, 0} ... {52, 76, reply, 0, 556, 728, 1609, 0} "\2\200\372\177\1\00\300\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02967 1132 NtWaitForSingleObject ... ) == 0x102 02908 736 NtWaitForSingleObject ... ) == 0x0 02973 308 NtSetEventBoostPriority ... ) == 0x0 02977 784 NtWaitForSingleObject (404, 0, 0x0, ... 02978 996 NtWaitForSingleObject (40, 0, 0x0, ... 02976 576 NtSetEventBoostPriority ... ) == 0x0 02975 676 NtWaitForSingleObject ... ) == 0x0 02974 1124 NtWaitForSingleObject ... ) == 0x102 02979 728 NtWaitForSingleObject (404, 0, 0x0, ... 02980 736 NtSetEventBoostPriority (120, ... 02981 1132 NtWaitForSingleObject (172, 0, 0x0, ... 02982 308 NtAllocateVirtualMemory (-1, 38850560, 0, 4096, 4096, 260, ... 02983 576 NtWaitForSingleObject (404, 0, 0x0, ... 02984 676 NtRequestWaitReplyPort (708, {64, 88, new_msg, 0, 556, 728, 1609, 0} (708, {64, 88, new_msg, 0, 556, 728, 1609, 0} "\1\200\0\0A\2\10\0\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02985 1124 NtWaitForSingleObject (120, 0, 0x0, ... 02911 808 NtWaitForSingleObject ... ) == 0x0 02980 736 NtSetEventBoostPriority ... ) == 0x0 02986 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02982 308 NtAllocateVirtualMemory ... 38850560, 4096, ) == 0x0 02987 808 NtSetEventBoostPriority (120, ... 02984 676 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 676, 1610, 0} ... 
{52, 76, reply, 0, 556, 676, 1610, 0} "\2\240\372\177\1\00\300\0\0\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02986 564 NtAllocateVirtualMemory ... 144113664, 2097152, ) == 0x0 02927 1140 NtWaitForSingleObject ... ) == 0x0 02988 308 NtWaitForSingleObject (120, 0, 0x0, ... 02989 676 NtWaitForSingleObject (120, 0, 0x0, ... 02990 1140 NtSetEventBoostPriority (120, ... 02991 564 NtAllocateVirtualMemory (-1, 146202624, 0, 8192, 4096, 4, ... 02938 884 NtWaitForSingleObject ... ) == 0x0 02990 1140 NtSetEventBoostPriority ... ) == 0x0 02992 884 NtSetEventBoostPriority (120, ... 02991 564 NtAllocateVirtualMemory ... 146202624, 8192, ) == 0x0 02987 808 NtSetEventBoostPriority ... ) == 0x0 02993 736 NtWaitForSingleObject (120, 0, 0x0, ... 02937 872 NtWaitForSingleObject ... ) == 0x0 02992 884 NtSetEventBoostPriority ... ) == 0x0 02994 564 NtProtectVirtualMemory (-1, (0x8b6e000), 4096, 260, ... 02995 808 NtWaitForSingleObject (120, 0, 0x0, ... 02996 872 NtAllocateVirtualMemory (-1, 4673536, 0, 4096, 4096, 4, ... 02997 1140 NtSetEventBoostPriority (40, ... 02994 564 NtProtectVirtualMemory ... (0x8b6e000), 4096, 4, ) == 0x0 02996 872 NtAllocateVirtualMemory ... 4673536, 4096, ) == 0x0 02978 996 NtWaitForSingleObject ... ) == 0x0 02997 1140 NtSetEventBoostPriority ... ) == 0x0 02998 884 NtSetEventBoostPriority (172, ... 02999 872 NtSetEventBoostPriority (120, ... 03000 996 NtWaitForSingleObject (120, 0, 0x0, ... 03001 1140 NtTestAlert (... 02023 864 NtWaitForSingleObject ... ) == 0x0 02998 884 NtSetEventBoostPriority ... ) == 0x0 03002 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03003 864 NtWaitForSingleObject (120, 0, 0x0, ... 03001 1140 NtTestAlert ... ) == 0x0 03004 884 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03002 564 NtCreateThread ... 836, {556, 1152}, ) == 0x0 03005 1140 NtContinue (142015792, 1, ... 03004 884 NtCreateEvent ... 
840, ) == 0x0 03006 564 NtQueryInformationThread (836, Basic, 28, ... 03007 1140 NtRegisterThreadTerminatePort (24, ... 03008 884 NtWaitForSingleObject (120, 0, 0x0, ... 03006 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=556,Tid=1152,}, 0x0, ) == 0x0 02941 852 NtWaitForSingleObject ... ) == 0x0 02999 872 NtSetEventBoostPriority ... ) == 0x0 03009 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1608, 0} (24, {28, 56, new_msg, 0, 556, 564, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0,\2\0\0\200\4\0\0" ... ... 03010 852 NtSetEventBoostPriority (120, ... 03011 872 NtWaitForSingleObject (120, 0, 0x0, ... 02946 860 NtWaitForSingleObject ... ) == 0x0 03010 852 NtSetEventBoostPriority ... ) == 0x0 03012 860 NtSetEventBoostPriority (120, ... 02947 1104 NtWaitForSingleObject ... ) == 0x0 03013 1104 NtSetEventBoostPriority (120, ... 02950 636 NtWaitForSingleObject ... ) == 0x0 03014 636 NtSetEventBoostPriority (120, ... 02951 1136 NtWaitForSingleObject ... ) == 0x0 03015 1136 NtSetEventBoostPriority (120, ... 02955 856 NtWaitForSingleObject ... ) == 0x0 03016 856 NtAllocateVirtualMemory (-1, 4677632, 0, 4096, 4096, 4, ... 4677632, 4096, ) == 0x0 03017 856 NtSetEventBoostPriority (120, ... 02957 572 NtWaitForSingleObject ... ) == 0x0 03018 572 NtSetEventBoostPriority (120, ... 02960 588 NtWaitForSingleObject ... ) == 0x0 03019 588 NtSetEventBoostPriority (120, ... 02963 788 NtWaitForSingleObject ... ) == 0x0 03020 788 NtSetEventBoostPriority (120, ... 02964 812 NtWaitForSingleObject ... ) == 0x0 03021 812 NtSetEventBoostPriority (120, ... 02969 832 NtWaitForSingleObject ... ) == 0x0 03022 832 NtSetEventBoostPriority (120, ... 02972 1088 NtWaitForSingleObject ... ) == 0x0 03023 1088 NtSetEventBoostPriority (120, ... 02985 1124 NtWaitForSingleObject ... ) == 0x0 03024 1124 NtSetEventBoostPriority (120, ... 02988 308 NtWaitForSingleObject ... ) == 0x0 03025 308 NtSetEventBoostPriority (120, ... 
02989 676 NtWaitForSingleObject ... ) == 0x0 03026 676 NtSetEventBoostPriority (120, ... 02993 736 NtWaitForSingleObject ... ) == 0x0 03027 736 NtSetEventBoostPriority (120, ... 02995 808 NtWaitForSingleObject ... ) == 0x0 03028 808 NtSetEventBoostPriority (120, ... 03000 996 NtWaitForSingleObject ... ) == 0x0 03029 996 NtSetEventBoostPriority (120, ... 03003 864 NtWaitForSingleObject ... ) == 0x0 03030 864 NtSetEventBoostPriority (120, ... 03008 884 NtWaitForSingleObject ... ) == 0x0 03031 884 NtSetEventBoostPriority (120, ... 03011 872 NtWaitForSingleObject ... ) == 0x0 03032 872 NtAllocateVirtualMemory (-1, 58118144, 0, 4096, 4096, 260, ... 58118144, 4096, ) == 0x0 03031 884 NtSetEventBoostPriority ... ) == 0x0 03030 864 NtSetEventBoostPriority ... ) == 0x0 03029 996 NtSetEventBoostPriority ... ) == 0x0 03028 808 NtSetEventBoostPriority ... ) == 0x0 03027 736 NtSetEventBoostPriority ... ) == 0x0 03026 676 NtSetEventBoostPriority ... ) == 0x0 03025 308 NtSetEventBoostPriority ... ) == 0x0 03024 1124 NtSetEventBoostPriority ... ) == 0x0 03023 1088 NtSetEventBoostPriority ... ) == 0x0 03022 832 NtSetEventBoostPriority ... ) == 0x0 03021 812 NtSetEventBoostPriority ... ) == 0x0 03020 788 NtSetEventBoostPriority ... ) == 0x0 03018 572 NtSetEventBoostPriority ... ) == 0x0 03013 1104 NtSetEventBoostPriority ... ) == 0x0 03012 860 NtSetEventBoostPriority ... ) == 0x0 03033 852 NtAllocateVirtualMemory (-1, 47632384, 0, 4096, 4096, 260, ... 03019 588 NtSetEventBoostPriority ... ) == 0x0 03017 856 NtSetEventBoostPriority ... ) == 0x0 03015 1136 NtSetEventBoostPriority ... ) == 0x0 03014 636 NtSetEventBoostPriority ... ) == 0x0 03007 1140 NtRegisterThreadTerminatePort ... ) == 0x0 03009 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1611, 0} ... {28, 56, reply, 0, 556, 564, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOD\3\0\0,\2\0\0\200\4\0\0" ) ) == 0x0 03034 872 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
03035 884 NtAllocateVirtualMemory (-1, 64409600, 0, 4096, 4096, 260, ... 03036 864 NtSetEventBoostPriority (172, ... 03037 996 NtTestAlert (... 03038 736 NtSetEventBoostPriority (768, ... 03039 808 NtAllocateVirtualMemory (-1, 43438080, 0, 4096, 4096, 260, ... 03040 676 NtWaitForSingleObject (404, 0, 0x0, ... 03041 308 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03042 1124 NtWaitForSingleObject (172, 0, 0x0, ... 03043 832 NtAllocateVirtualMemory (-1, 45535232, 0, 4096, 4096, 260, ... 03044 812 NtAllocateVirtualMemory (-1, 40947712, 0, 4096, 4096, 260, ... 03045 1088 NtSetEventBoostPriority (404, ... 03046 788 NtRequestWaitReplyPort (708, {64, 88, new_msg, 0, 0, 0, 0, 0} (708, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03047 572 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 03048 1104 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03049 860 NtAllocateVirtualMemory (-1, 4681728, 0, 4096, 4096, 4, ... 03050 588 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03033 852 NtAllocateVirtualMemory ... 47632384, 4096, ) == 0x0 03051 1136 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03052 636 NtWaitForSingleObject (120, 0, 0x0, ... 03053 1140 NtWaitForSingleObject (120, 0, 0x0, ... 03054 564 NtResumeThread (836, ... 03034 872 NtCreateEvent ... 844, ) == 0x0 03035 884 NtAllocateVirtualMemory ... 64409600, 4096, ) == 0x0 02032 868 NtWaitForSingleObject ... ) == 0x0 03036 864 NtSetEventBoostPriority ... ) == 0x0 03037 996 NtTestAlert ... ) == 0x0 03055 856 NtWaitForSingleObject (120, 0, 0x0, ... 
03039 808 NtAllocateVirtualMemory ... 43438080, 4096, ) == 0x0 03041 308 NtCreateEvent ... 848, ) == 0x0 02945 596 NtWaitForSingleObject ... ) == 0x0 03038 736 NtSetEventBoostPriority ... ) == 0x0 03043 832 NtAllocateVirtualMemory ... 45535232, 4096, ) == 0x0 02977 784 NtWaitForSingleObject ... ) == 0x0 03045 1088 NtSetEventBoostPriority ... ) == 0x0 03047 572 NtOpenKey ... 852, ) == 0x0 03048 1104 NtDuplicateObject ... 856, ) == 0x0 03046 788 NtRequestWaitReplyPort ... {52, 76, reply, 0, 556, 788, 1612, 0} ... {52, 76, reply, 0, 556, 788, 1612, 0} "\2\200\372\177\1\00\300\0\0\0\0\377\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03049 860 NtAllocateVirtualMemory ... 4681728, 4096, ) == 0x0 03050 588 NtCreateKey ... 860, 2, ) == 0x0 03056 852 NtWaitForSingleObject (120, 0, 0x0, ... 03051 1136 NtDuplicateObject ... 864, ) == 0x0 03054 564 NtResumeThread ... 1, ) == 0x0 03057 872 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03058 868 NtSetEventBoostPriority (172, ... 03059 884 NtWaitForSingleObject (120, 0, 0x0, ... 03060 864 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03061 996 NtContinue (144112944, 1, ... 03062 808 NtWaitForSingleObject (120, 0, 0x0, ... 03063 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03064 596 NtWaitForSingleObject (120, 0, 0x0, ... 03065 736 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03066 784 NtSetEventBoostPriority (404, ... 03067 832 NtWaitForSingleObject (120, 0, 0x0, ... 03068 1088 NtWaitForSingleObject (108, 0, {0, 0}, ... 03069 572 NtOpenKey (0x20019, {24, 852, 0x40, 0, 0, (0x20019, {24, 852, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 03070 1104 NtWaitForSingleObject (404, 0, 0x0, ... 03071 788 NtWaitForSingleObject (120, 0, 0x0, ... 
03072 860 NtSetEventBoostPriority (120, ... 03044 812 NtAllocateVirtualMemory ... 40947712, 4096, ) == 0x0 03073 1152 NtWaitForSingleObject (120, 0, 0x0, ... 03074 588 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03075 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02053 908 NtWaitForSingleObject ... ) == 0x0 03058 868 NtSetEventBoostPriority ... ) == 0x0 03057 872 NtDuplicateObject ... 868, ) == 0x0 03060 864 NtCreateEvent ... 872, ) == 0x0 03076 996 NtRegisterThreadTerminatePort (24, ... 03063 308 NtDuplicateObject ... 876, ) == 0x0 02979 728 NtWaitForSingleObject ... ) == 0x0 03066 784 NtSetEventBoostPriority ... ) == 0x0 03065 736 NtCreateKey ... 880, 2, ) == 0x0 03068 1088 NtWaitForSingleObject ... ) == 0x102 03069 572 NtOpenKey ... 884, ) == 0x0 03052 636 NtWaitForSingleObject ... ) == 0x0 03072 860 NtSetEventBoostPriority ... ) == 0x0 03077 812 NtWaitForSingleObject (120, 0, 0x0, ... 03074 588 NtOpenKey ... 888, ) == 0x0 03078 908 NtSetEventBoostPriority (172, ... 03075 564 NtAllocateVirtualMemory ... 146210816, 2097152, ) == 0x0 03079 1136 NtWaitForSingleObject (120, 0, 0x0, ... 03080 872 NtWaitForSingleObject (120, 0, 0x0, ... 03081 864 NtWaitForSingleObject (120, 0, 0x0, ... 03076 996 NtRegisterThreadTerminatePort ... ) == 0x0 03082 728 NtSetEventBoostPriority (404, ... 03083 308 NtWaitForSingleObject (120, 0, 0x0, ... 03084 784 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03085 736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03086 1088 NtWaitForSingleObject (172, 0, 0x0, ... 03087 636 NtSetEventBoostPriority (120, ... 
03088 572 NtQueryValueKey (884, (884, "ComputerName", Full, 108, ... , Full, 108, ... 03089 860 NtWaitForSingleObject (120, 0, 0x0, ... 02059 876 NtWaitForSingleObject ... ) == 0x0 03078 908 NtSetEventBoostPriority ... ) == 0x0 03090 588 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03091 564 NtAllocateVirtualMemory (-1, 148299776, 0, 8192, 4096, 4, ... 02983 576 NtWaitForSingleObject ... ) == 0x0 03082 728 NtSetEventBoostPriority ... ) == 0x0 03092 996 NtWaitForSingleObject (120, 0, 0x0, ... 03093 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03085 736 NtOpenKey ... 892, ) == 0x0 03084 784 NtCreateKey ... 896, 2, ) == 0x0 03053 1140 NtWaitForSingleObject ... ) == 0x0 03087 636 NtSetEventBoostPriority ... ) == 0x0 03088 572 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 03094 876 NtWaitForSingleObject (120, 0, 0x0, ... 03090 588 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03095 908 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03096 576 NtSetEventBoostPriority (404, ... 03091 564 NtAllocateVirtualMemory ... 148299776, 8192, ) == 0x0 03097 728 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03093 868 NtCreateEvent ... 900, ) == 0x0 03098 736 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03099 1140 NtSetEventBoostPriority (120, ... 03100 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 
03101 636 NtWaitForSingleObject (404, 0, 0x0, ... 03102 588 NtQueryValueKey (860, (860, "Hostname", Partial, 144, ... , Partial, 144, ... 03040 676 NtWaitForSingleObject ... ) == 0x0 03095 908 NtCreateEvent ... 904, ) == 0x0 03103 564 NtProtectVirtualMemory (-1, (0x8d6e000), 4096, 260, ... 03097 728 NtCreateKey ... 908, 2, ) == 0x0 03104 868 NtWaitForSingleObject (120, 0, 0x0, ... 03096 576 NtSetEventBoostPriority ... ) == 0x0 03105 572 NtClose (884, ... 03055 856 NtWaitForSingleObject ... ) == 0x0 03099 1140 NtSetEventBoostPriority ... ) == 0x0 03100 784 NtOpenKey ... 912, ) == 0x0 03102 588 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03106 676 NtSetEventBoostPriority (404, ... 03107 908 NtWaitForSingleObject (120, 0, 0x0, ... 03103 564 NtProtectVirtualMemory ... (0x8d6e000), 4096, 4, ) == 0x0 03108 728 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03109 576 NtWaitForSingleObject (120, 0, 0x0, ... 03110 856 NtSetEventBoostPriority (120, ... 03105 572 NtClose ... ) == 0x0 03098 736 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03111 784 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03112 1140 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03070 1104 NtWaitForSingleObject ... ) == 0x0 03106 676 NtSetEventBoostPriority ... ) == 0x0 03113 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03108 728 NtOpenKey ... 884, ) == 0x0 03056 852 NtWaitForSingleObject ... ) == 0x0 03110 856 NtSetEventBoostPriority ... ) == 0x0 03114 572 NtClose (852, ... 03115 736 NtQueryValueKey (880, (880, "Domain", Partial, 144, ... , Partial, 144, ... 03111 784 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03116 1104 NtSetEventBoostPriority (404, ... 03112 1140 NtDuplicateObject ... 
916, ) == 0x0 03117 676 NtWaitForSingleObject (120, 0, 0x0, ... 03113 564 NtCreateThread ... 920, {556, 1156}, ) == 0x0 03118 852 NtSetEventBoostPriority (120, ... 03119 728 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03120 856 NtWaitForSingleObject (120, 0, 0x0, ... 03114 572 NtClose ... ) == 0x0 03115 736 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03101 636 NtWaitForSingleObject ... ) == 0x0 03116 1104 NtSetEventBoostPriority ... ) == 0x0 03121 784 NtQueryValueKey (896, (896, "Hostname", Partial, 144, ... , Partial, 144, ... 03122 1140 NtWaitForSingleObject (120, 0, 0x0, ... 03123 588 NtWaitForSingleObject (120, 0, 0x0, ... 03059 884 NtWaitForSingleObject ... ) == 0x0 03118 852 NtSetEventBoostPriority ... ) == 0x0 03124 564 NtQueryInformationThread (920, Basic, 28, ... 03119 728 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03125 572 NtWaitForSingleObject (120, 0, 0x0, ... 03126 636 NtWaitForSingleObject (108, 0, {0, 0}, ... 03127 736 NtQueryValueKey (880, (880, "Domain", Partial, 144, ... , Partial, 144, ... 03128 1104 NtWaitForSingleObject (108, 0, {0, 0}, ... 03129 884 NtSetEventBoostPriority (120, ... 03121 784 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03130 852 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03124 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=556,Tid=1156,}, 0x0, ) == 0x0 03126 636 NtWaitForSingleObject ... ) == 0x102 03127 736 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03062 808 NtWaitForSingleObject ... ) == 0x0 03129 884 NtSetEventBoostPriority ... ) == 0x0 03128 1104 NtWaitForSingleObject ... ) == 0x102 03131 784 NtWaitForSingleObject (120, 0, 0x0, ... 03130 852 NtCreateEvent ... 
852, ) == 0x0 03132 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1611, 0} (24, {28, 56, new_msg, 0, 556, 564, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\3\0\0,\2\0\0\204\4\0\0" ... ... 03133 728 NtQueryValueKey (908, (908, "Hostname", Partial, 144, ... , Partial, 144, ... 03134 808 NtSetEventBoostPriority (120, ... 03135 736 NtClose (880, ... 03136 636 NtWaitForSingleObject (120, 0, 0x0, ... 03137 1104 NtWaitForSingleObject (120, 0, 0x0, ... 03138 852 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03132 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1613, 0} ... {28, 56, reply, 0, 556, 564, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO\230\3\0\0,\2\0\0\204\4\0\0" ) ) == 0x0 03064 596 NtWaitForSingleObject ... ) == 0x0 03134 808 NtSetEventBoostPriority ... ) == 0x0 03133 728 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03139 884 NtWaitForSingleObject (120, 0, 0x0, ... 03138 852 NtDuplicateObject ... 924, ) == 0x0 03140 596 NtSetEventBoostPriority (120, ... 03141 564 NtResumeThread (920, ... 03135 736 NtClose ... ) == 0x0 03142 728 NtQueryValueKey (908, (908, "Hostname", Partial, 144, ... , Partial, 144, ... 03067 832 NtWaitForSingleObject ... ) == 0x0 03143 852 NtWaitForSingleObject (120, 0, 0x0, ... 03141 564 NtResumeThread ... 1, ) == 0x0 03144 736 NtClose (892, ... 03142 728 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03145 832 NtSetEventBoostPriority (120, ... 03140 596 NtSetEventBoostPriority ... ) == 0x0 03146 808 NtWaitForSingleObject (120, 0, 0x0, ... 03147 1156 NtWaitForSingleObject (40, 0, 0x0, ... 03144 736 NtClose ... ) == 0x0 03148 728 NtClose (908, ... 03071 788 NtWaitForSingleObject ... ) == 0x0 03145 832 NtSetEventBoostPriority ... ) == 0x0 03149 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 03150 736 NtWaitForSingleObject (120, 0, 0x0, ... 
03151 788 NtSetEventBoostPriority (120, ... 03148 728 NtClose ... ) == 0x0 03152 596 NtWaitForSingleObject (120, 0, 0x0, ... 03149 564 NtAllocateVirtualMemory ... 148307968, 2097152, ) == 0x0 03073 1152 NtWaitForSingleObject ... ) == 0x0 03151 788 NtSetEventBoostPriority ... ) == 0x0 03153 832 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03154 1152 NtSetEventBoostPriority (120, ... 03155 564 NtAllocateVirtualMemory (-1, 150396928, 0, 8192, 4096, 4, ... 03156 728 NtClose (884, ... 03077 812 NtWaitForSingleObject ... ) == 0x0 03154 1152 NtSetEventBoostPriority ... ) == 0x0 03153 832 NtCreateEvent ... 908, ) == 0x0 03155 564 NtAllocateVirtualMemory ... 150396928, 8192, ) == 0x0 03157 812 NtSetEventBoostPriority (120, ... 03156 728 NtClose ... ) == 0x0 03158 788 NtClose (668, ... 03159 832 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03079 1136 NtWaitForSingleObject ... ) == 0x0 03157 812 NtSetEventBoostPriority ... ) == 0x0 03160 564 NtProtectVirtualMemory (-1, (0x8f6e000), 4096, 260, ... 03161 728 NtWaitForSingleObject (768, 0, 0x0, ... 03158 788 NtClose ... ) == 0x0 03162 1136 NtSetEventBoostPriority (120, ... 03159 832 NtDuplicateObject ... 668, ) == 0x0 03163 1152 NtSetEventBoostPriority (40, ... 03160 564 NtProtectVirtualMemory ... (0x8f6e000), 4096, 4, ) == 0x0 03080 872 NtWaitForSingleObject ... ) == 0x0 03162 1136 NtSetEventBoostPriority ... ) == 0x0 03164 788 NtWaitForSingleObject (120, 0, 0x0, ... 03165 832 NtWaitForSingleObject (404, 0, 0x0, ... 03147 1156 NtWaitForSingleObject ... ) == 0x0 03163 1152 NtSetEventBoostPriority ... ) == 0x0 03166 812 NtWaitForSingleObject (120, 0, 0x0, ... 03167 872 NtSetEventBoostPriority (120, ... 03168 1136 NtWaitForSingleObject (404, 0, 0x0, ... 03169 1156 NtTestAlert (... 03170 1152 NtTestAlert (... 03081 864 NtWaitForSingleObject ... ) == 0x0 03167 872 NtSetEventBoostPriority ... ) == 0x0 03171 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 03169 1156 NtTestAlert ... 
) == 0x0 03172 864 NtSetEventBoostPriority (120, ... 03170 1152 NtTestAlert ... ) == 0x0 03171 564 NtCreateThread ... 884, {556, 1164}, ) == 0x0 03173 872 NtWaitForSingleObject (120, 0, 0x0, ... 03083 308 NtWaitForSingleObject ... ) == 0x0 03172 864 NtSetEventBoostPriority ... ) == 0x0 03174 1152 NtContinue (146210096, 1, ... 03175 564 NtQueryInformationThread (884, Basic, 28, ... 03176 308 NtSetEventBoostPriority (120, ... 03177 1156 NtContinue (148307248, 1, ... 03178 1152 NtRegisterThreadTerminatePort (24, ... 03089 860 NtWaitForSingleObject ... ) == 0x0 03176 308 NtSetEventBoostPriority ... ) == 0x0 03175 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=556,Tid=1164,}, 0x0, ) == 0x0 03179 1156 NtRegisterThreadTerminatePort (24, ... 03180 864 NtWaitForSingleObject (120, 0, 0x0, ... 03181 860 NtAllocateVirtualMemory (-1, 4685824, 0, 4096, 4096, 4, ... 03178 1152 NtRegisterThreadTerminatePort ... ) == 0x0 03182 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1613, 0} (24, {28, 56, new_msg, 0, 556, 564, 1613, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\3\0\0,\2\0\0\214\4\0\0" ... ... 03179 1156 NtRegisterThreadTerminatePort ... ) == 0x0 03181 860 NtAllocateVirtualMemory ... 4685824, 4096, ) == 0x0 03183 1152 NtWaitForSingleObject (120, 0, 0x0, ... 03184 1156 NtWaitForSingleObject (120, 0, 0x0, ... 03185 308 NtWaitForSingleObject (404, 0, 0x0, ... 03182 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1614, 0} ... {28, 56, reply, 0, 556, 564, 1614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDOt\3\0\0,\2\0\0\214\4\0\0" ) ) == 0x0 03186 564 NtResumeThread (884, ... 1, ) == 0x0 03187 564 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 150405120, 2097152, ) == 0x0 03188 564 NtAllocateVirtualMemory (-1, 152494080, 0, 8192, 4096, 4, ... 152494080, 8192, ) == 0x0 03189 564 NtProtectVirtualMemory (-1, (0x916e000), 4096, 260, ... (0x916e000), 4096, 4, ) == 0x0 03190 564 NtCreateThread (0x1f03ff, 0x0, -1, 2292700, 2293416, 1, ... 
892, {556, 1060}, ) == 0x0 03191 564 NtQueryInformationThread (892, Basic, 28, ... 03192 860 NtSetEventBoostPriority (120, ... 03193 1164 NtTestAlert (... 03092 996 NtWaitForSingleObject ... ) == 0x0 03192 860 NtSetEventBoostPriority ... ) == 0x0 03194 996 NtSetEventBoostPriority (120, ... 03193 1164 NtTestAlert ... ) == 0x0 03094 876 NtWaitForSingleObject ... ) == 0x0 03195 860 NtWaitForSingleObject (120, 0, 0x0, ... 03196 876 NtSetEventBoostPriority (120, ... 03197 1164 NtContinue (150404400, 1, ... 03104 868 NtWaitForSingleObject ... ) == 0x0 03196 876 NtSetEventBoostPriority ... ) == 0x0 03198 868 NtSetEventBoostPriority (120, ... 03199 1164 NtRegisterThreadTerminatePort (24, ... 03194 996 NtSetEventBoostPriority ... ) == 0x0 03191 564 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=556,Tid=1060,}, 0x0, ) == 0x0 03107 908 NtWaitForSingleObject ... ) == 0x0 03198 868 NtSetEventBoostPriority ... ) == 0x0 03199 1164 NtRegisterThreadTerminatePort ... ) == 0x0 03200 996 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03201 908 NtSetEventBoostPriority (120, ... 03202 564 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 556, 564, 1614, 0} (24, {28, 56, new_msg, 0, 556, 564, 1614, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\3\0\0,\2\0\0$\4\0\0" ... ... 03203 876 NtWaitForSingleObject (120, 0, 0x0, ... 03204 868 NtWaitForSingleObject (120, 0, 0x0, ... 03109 576 NtWaitForSingleObject ... ) == 0x0 03201 908 NtSetEventBoostPriority ... ) == 0x0 03200 996 NtDuplicateObject ... 880, ) == 0x0 03202 564 NtRequestWaitReplyPort ... {28, 56, reply, 0, 556, 564, 1615, 0} ... {28, 56, reply, 0, 556, 564, 1615, 0} "\0\0\0\0\1\0\1\0\0\0\0\0INDO|\3\0\0,\2\0\0$\4\0\0" ) ) == 0x0 03205 576 NtSetEventBoostPriority (120, ... 03206 1164 NtWaitForSingleObject (120, 0, 0x0, ... 03207 908 NtWaitForSingleObject (120, 0, 0x0, ... 03117 676 NtWaitForSingleObject ... ) == 0x0 03205 576 NtSetEventBoostPriority ... ) == 0x0 03208 564 NtResumeThread (892, ... 
03209 676 NtSetEventBoostPriority (120, ... 03210 996 NtWaitForSingleObject (120, 0, 0x0, ... 03120 856 NtWaitForSingleObject ... ) == 0x0 03208 564 NtResumeThread ... 1, ) == 0x0 03211 856 NtSetEventBoostPriority (120, ... 03209 676 NtSetEventBoostPriority ... ) == 0x0 03212 576 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03213 1060 NtTestAlert (... 03122 1140 NtWaitForSingleObject ... ) == 0x0 03214 676 NtCreateKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03212 576 NtCreateKey ... 928, 2, ) == 0x0 03213 1060 NtTestAlert ... ) == 0x0 03215 1140 NtSetEventBoostPriority (120, ... 03214 676 NtCreateKey ... 932, 2, ) == 0x0 03216 576 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03217 1060 NtContinue (152501552, 1, ... 03123 588 NtWaitForSingleObject ... ) == 0x0