Summary:





NtConnectPort(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserSetCursorIconData(>)  7 
NtCreateFile(>)  31 


NtCreateProcessEx(>)  1 
NtQueryPerformanceCounter(>)  2 
NtCreateSemaphore(>)  8 
NtContinue(>)  32 


NtDuplicateToken(>)  1 
NtUserCloseWindowStation(>)  2 
NtEnumerateKey(>)  8 
NtUserRegisterClassExWOW(>)  33 


NtGdiCreatePaletteInternal(>)  1 
NtAddAtom(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenSection(>)  35 


NtGdiInit(>)  1 
NtCallbackReturn(>)  3 
NtSetValueKey(>)  8 
NtSetInformationThread(>)  35 


NtGdiQueryFontAssocInfo(>)  1 
NtGdiHfontCreate(>)  3 
NtUserSystemParametersInfo(>)  8 
NtQueryInformationToken(>)  39 


NtNotifyChangeKey(>)  1 
NtOpenDirectoryObject(>)  3 
NtWaitForMultipleObjects(>)  9 
NtRequestWaitReplyPort(>)  40 


NtOpenEvent(>)  1 
NtOpenMutant(>)  3 
NtGdiCreateCompatibleDC(>)  10 
NtCreateEvent(>)  42 


NtOpenKeyedEvent(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtGdiExtGetObjectW(>)  10 
NtQueryInformationProcess(>)  42 


NtOpenProcess(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtQueryInformationFile(>)  11 
NtCreateSection(>)  45 


NtQueryInstallUILanguage(>)  1 
NtReadVirtualMemory(>)  3 
NtUserGetDC(>)  11 
NtUserFindExistingCursorIcon(>)  48 


NtQueryObject(>)  1 
NtReleaseMutant(>)  3 
NtCreateKey(>)  12 
NtQueryDefaultLocale(>)  51 


NtQuerySystemTime(>)  1 
NtSetInformationObject(>)  3 
NtQueryDefaultUILanguage(>)  12 
NtFreeVirtualMemory(>)  54 


NtQueryTimerResolution(>)  1 
NtDuplicateObject(>)  4 
NtGdiDeleteObjectApp(>)  14 
NtGdiSelectBitmap(>)  57 


NtRaiseException(>)  1 
NtCreateMutant(>)  5 
NtQueryDebugFilterState(>)  14 
NtOpenFile(>)  61 


NtSecureConnectPort(>)  1 
NtWriteVirtualMemory(>)  5 
NtUserSelectPalette(>)  14 
NtUnmapViewOfSection(>)  64 


NtUserCallNoParam(>)  1 
NtQueryVolumeInformationFile(>)  6 
NtQuerySection(>)  19 
NtQueryVirtualMemory(>)  67 


NtUserEnumDisplayMonitors(>)  1 
NtSetInformationFile(>)  6 
NtUserCallOneParam(>)  19 
NtUserFindWindowEx(>)  68 


NtUserGetForegroundWindow(>)  1 
NtUserRegisterWindowMessage(>)  6 
NtDeviceIoControlFile(>)  22 
NtQueryAttributesFile(>)  75 


NtUserGetKeyboardLayoutList(>)  1 
NtFsControlFile(>)  7 
NtReadFile(>)  24 
NtSetEvent(>)  86 


NtUserGetObjectInformation(>)  1 
NtGdiBitBlt(>)  7 
NtQueryInformationThread(>)  25 
NtQuerySystemInformation(>)  91 


NtUserGetProcessWindowStation(>)  1 
NtGdiCreateDIBitmapInternal(>)  7 
NtSetInformationProcess(>)  25 
NtMapViewOfSection(>)  102 


NtUserGetThreadDesktop(>)  1 
NtGdiGetDCObject(>)  7 
NtCreateThread(>)  26 
NtWaitForSingleObject(>)  110 


NtUserOpenWindowStation(>)  1 
NtGdiGetDCforBitmap(>)  7 
NtRegisterThreadTerminatePort(>)  26 
NtFlushInstructionCache(>)  120 


NtUserQueryWindow(>)  1 
NtGdiGetStockObject(>)  7 
NtResumeThread(>)  26 
NtOpenKey(>)  189 


NtUserSetWindowsHookEx(>)  1 
NtGdiRestoreDC(>)  7 
NtTestAlert(>)  26 
NtQueryValueKey(>)  205 


NtUserValidateHandleSecure(>)  1 
NtGdiSaveDC(>)  7 
NtOpenProcessTokenEx(>)  30 
NtAllocateVirtualMemory(>)  227 


NtAccessCheck(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtOpenThreadTokenEx(>)  30 
NtProtectVirtualMemory(>)  275 


NtCreateIoCompletion(>)  2 
NtOpenProcessToken(>)  7 
NtQueryDirectoryFile(>)  30 
NtClose(>)  287 


NtGdiCreateSolidBrush(>)  2 
NtOpenThreadToken(>)  7 
NtWriteFile(>)  30 
NtDelayExecution(>)  339 





Trace:

 00001  1736   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1736   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1736   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1736   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1736   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1736   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1736   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1736   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1736   NtClose  (12, ... ) == 0x0
 00015  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1736   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1736   NtClose  (16, ... ) == 0x0
 00021  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1736   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1736   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1736   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1736   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1736   NtClose  (16, ... ) == 0x0
 00030  1736   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1736   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1736   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1736   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75469, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1736   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1736   NtClose  (16, ... ) == 0x0
 00041  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1736   NtClose  (16, ... ) == 0x0
 00044  1736   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1736   NtClose  (16, ... ) == 0x0
 00048  1736   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1736   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1736   NtClose  (16, ... ) == 0x0
 00052  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1736   NtClose  (16, ... ) == 0x0
 00055  1736   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1736   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1736   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1636, 1736, 75470, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75471, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1736   NtProtectVirtualMemory  (-1, (0x512000), 4096, 4, ... (0x512000), 4096, 8, ) == 0x0
 00062  1736   NtProtectVirtualMemory  (-1, (0x512000), 4096, 8, ... (0x512000), 4096, 4, ) == 0x0
 00063  1736   NtFlushInstructionCache  (-1, 5316608, 4096, ... ) == 0x0
 00064  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00065  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00066  1736   NtClose  (16, ... ) == 0x0
 00067  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00068  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00069  1736   NtClose  (16, ... ) == 0x0
 00070  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00071  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00072  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00073  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00074  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00075  1736   NtClose  (16, ... ) == 0x0
 00076  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00077  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00078  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00079  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00080  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00081  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00082  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00083  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00084  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00085  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00086  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00087  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00088  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00089  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00090  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00091  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00092  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00093  1736   NtClose  (16, ... ) == 0x0
 00094  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00095  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00096  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00097  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00098  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00099  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00100  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00101  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00102  1736   NtClose  (16, ... ) == 0x0
 00103  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00104  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00105  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00106  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00107  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00108  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00109  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00110  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00111  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00112  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00113  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00114  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00115  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00116  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00117  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00118  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00119  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00120  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00121  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00122  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00123  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00124  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00125  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00126  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00127  1736   NtProtectVirtualMemory  (-1, (0x512000), 4096, 4, ... (0x512000), 4096, 4, ) == 0x0
 00128  1736   NtProtectVirtualMemory  (-1, (0x512000), 4096, 4, ... (0x512000), 4096, 4, ) == 0x0
 00129  1736   NtFlushInstructionCache  (-1, 5316608, 4096, ... ) == 0x0
 00130  1736   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00131  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00132  1736   NtReadFile  (16, 0, 0, 0, 4, {701918, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {701918, 0}, 0, ... {status=0x0, info=4}, "\251\315M\0", ) , ) == 0x0
 00133  1736   NtClose  (16, ... ) == 0x0
 00134  1736   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00135  1736   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00136  1736   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00137  1736   NtClose  (16, ... ) == 0x0
 00138  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00139  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00140  1736   NtClose  (16, ... ) == 0x0
 00141  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00142  1736   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00143  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00144  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00145  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00146  1736   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00147  1736   NtClose  (16, ... ) == 0x0
 00148  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00149  1736   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00150  1736   NtClose  (16, ... ) == 0x0
 00151  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00152  1736   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00153  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00154  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00155  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00156  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044}  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} "\210\6$\1\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75472, 0}  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} "\210\6$\1\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00157  1736   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00158  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00159  1736   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160  1736   NtClose  (28, ... ) == 0x0
 00161  1736   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00162  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00163  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00164  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00165  1736   NtClose  (28, ... ) == 0x0
 00166  1736   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x610000), 0x0, 110592, ) == 0x0
 00167  1736   NtClose  (32, ... ) == 0x0
 00168  1736   NtUnmapViewOfSection  (-1, 0x610000, ... ) == 0x0
 00169  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00170  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00171  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00172  1736   NtClose  (32, ... ) == 0x0
 00173  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x610000), 0x0, 110592, ) == 0x0
 00174  1736   NtClose  (28, ... ) == 0x0
 00175  1736   NtUnmapViewOfSection  (-1, 0x610000, ... ) == 0x0
 00176  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00177  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00178  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00179  1736   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00180  1736   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00181  1736   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00182  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00183  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00184  1736   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00185  1736   NtClose  (40, ... ) == 0x0
 00186  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00187  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00188  1736   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00189  1736   NtClose  (40, ... ) == 0x0
 00190  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00191  1736   NtClose  (36, ... ) == 0x0
 00192  1736   NtClose  (28, ... ) == 0x0
 00193  1736   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00194  1736   NtClose  (32, ... ) == 0x0
 00195  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00196  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00197  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00198  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00199  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00200  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00201  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00202  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00203  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00204  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00206  1736   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00207  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00208  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00210  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00211  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00212  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00213  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00214  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00215  1736   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216  1736   NtClose  (32, ... ) == 0x0
 00217  1736   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x610000), 0x0, 1060864, ) == 0x0
 00218  1736   NtClose  (-2147482576, ... ) == 0x0
 00219  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00220  1736   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00221  1736   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00222  1736   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00223  1736   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00224  1736   NtClose  (-2147482576, ... ) == 0x0
 00225  1736   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00226  1736   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00227  1736   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00228  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00229  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230  1736   NtClose  (-2147482576, ... ) == 0x0
 00231  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00232  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233  1736   NtClose  (-2147482576, ... ) == 0x0
 00234  1736   NtQueryDefaultLocale  (0, -139347636, ... ) == 0x0
 00235  1736   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00236  1736   NtUserCallNoParam  (24, ... ) == 0x0
 00237  1736   NtGdiCreateCompatibleDC  (0, ...
 00238  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00237  1736   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00239  1736   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00240  1736   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00241  1736   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00242  1736   NtGdiCreateSolidBrush  (0, 0, ...
 00243  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 10616832, 4096, ) == 0x0
 00242  1736   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00244  1736   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00245  1736   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00246  1736   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00247  1736   NtUserGetThreadDesktop  (1736, 0, ... ) == 0x24
 00248  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00249  1736   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00250  1736   NtClose  (44, ... ) == 0x0
 00251  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00252  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8173c017
 00253  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00254  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8173c01c
 00255  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00256  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8173c01e
 00257  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00258  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81738002
 00259  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00260  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8173c018
 00261  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00262  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8173c01a
 00263  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00264  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8173c01d
 00265  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00266  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8173c026
 00267  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00268  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8173c019
 00269  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c020
 00270  1736   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8173c022
 00271  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c023
 00272  1736   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8173c024
 00273  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c025
 00274  1736   NtCallbackReturn  (0, 0, 0, ...
 00275  1736   NtGdiInit  (... ) == 0x1
 00276  1736   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00277  1736   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00278  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00279  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10682368, 65536, ) == 0x0
 00280  1736   NtAllocateVirtualMemory  (-1, 10682368, 0, 4096, 4096, 4, ... 10682368, 4096, ) == 0x0
 00281  1736   NtAllocateVirtualMemory  (-1, 10686464, 0, 8192, 4096, 4, ... 10686464, 8192, ) == 0x0
 00282  1736   NtAllocateVirtualMemory  (-1, 10694656, 0, 4096, 4096, 4, ... 10694656, 4096, ) == 0x0
 00283  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00284  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 12288, ) == 0x0
 00285  1736   NtClose  (44, ... ) == 0x0
 00286  1736   NtAllocateVirtualMemory  (-1, 10698752, 0, 4096, 4096, 4, ... 10698752, 4096, ) == 0x0
 00287  1736   NtQueryDefaultUILanguage  (1241688, ...
 00288  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00289  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00290  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00291  1736   NtClose  (-2147482576, ... ) == 0x0
 00292  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00293  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00294  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00295  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296  1736   NtClose  (-2147481400, ... ) == 0x0
 00297  1736   NtClose  (-2147482576, ... ) == 0x0
 00287  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 00298  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll"}, 1, 96, ... 44, {status=0x0, info=1}, ) }, 1, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00299  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 44, ... 48, ) == 0x0
 00300  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa50000), 0x0, 618496, ) == 0x0
 00301  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302  1736   NtQueryDefaultUILanguage  (2090319928, ...
 00303  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00304  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00305  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00306  1736   NtClose  (-2147482576, ... ) == 0x0
 00307  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00308  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00310  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311  1736   NtClose  (-2147481400, ... ) == 0x0
 00312  1736   NtClose  (-2147482576, ... ) == 0x0
 00302  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 00313  1736   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00314  1736   NtQueryDefaultLocale  (1, 1239784, ... ) == 0x0
 00315  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544}  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1,\0\0\0\377\377\377\377\0\0\0\0\340q\254\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75480, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1,\0\0\0\377\377\377\377\0\0\0\0\340q\254\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75480, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1,\0\0\0\377\377\377\377\0\0\0\0\340q\254\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75480, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1,\0\0\0\377\377\377\377\0\0\0\0\340q\254\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" )  ) == 0x0
 00317  1736   NtClose  (44, ... ) == 0x0
 00318  1736   NtClose  (48, ... ) == 0x0
 00319  1736   NtUnmapViewOfSection  (-1, 0xa50000, ... ) == 0x0
 00320  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00321  1736   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1636, 0}, ... 48, ) == 0x0
 00322  1736   NtQueryInformationProcess  (48, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00323  1736   NtClose  (48, ... ) == 0x0
 00324  1736   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00325  1736   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 00326  1736   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 00327  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00328  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00329  1736   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00330  1736   NtClose  (48, ... ) == 0x0
 00331  1736   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 48, ) }, ... 48, ) == 0x0
 00332  1736   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00333  1736   NtAccessCheck  (1329168, 44, 0x1, 1242880, 1242932, 56, 1242912, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00334  1736   NtClose  (44, ... ) == 0x0
 00335  1736   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Control Panel\Desktop"}, ... 44, ) }, ... 44, ) == 0x0
 00336  1736   NtQueryValueKey  (44,  (44, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00337  1736   NtClose  (44, ... ) == 0x0
 00338  1736   NtUserSystemParametersInfo  (41, 500, 1243060, 0, ... ) == 0x1
 00339  1736   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 00340  1736   NtClose  (48, ... ) == 0x0
 00341  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00342  1736   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00343  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03b
 00344  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03d
 00345  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00346  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03f
 00347  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00348  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c041
 00349  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00350  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c043
 00351  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c045
 00352  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00353  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c047
 00354  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00355  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c049
 00356  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00357  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04b
 00358  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00359  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04d
 00360  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00361  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04f
 00362  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c051
 00363  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00364  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c053
 00365  1736   NtUserFindExistingCursorIcon  (1242808, 1242824, 1242872, ... ) == 0x10011
 00366  1736   NtUserRegisterClassExWOW  (1242752, 1242820, 1242836, 1242852, 0, 384, 0, ... ) == 0x8173c055
 00367  1736   NtUserFindExistingCursorIcon  (1242808, 1242824, 1242872, ... ) == 0x10011
 00368  1736   NtUserRegisterClassExWOW  (1242752, 1242820, 1242836, 1242852, 0, 384, 0, ... ) == 0x8173c057
 00369  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00370  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c059
 00371  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10013
 00372  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05b
 00373  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00374  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05d
 00375  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00376  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05f
 00377  1736   NtTestAlert  (... ) == 0x0
 00378  1736   NtContinue  (1244464, 1, ...
 00379  1736   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x607000,}, 4, ... ) == 0x0
 00380  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00381  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00382  1736   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00383  1736   NtClose  (48, ... ) == 0x0
 00384  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 48, ) }, ... 48, ) == 0x0
 00385  1736   NtSetInformationObject  (48, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00386  1736   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 44, ) }, ... 44, ) == 0x0
 00387  1736   NtQueryValueKey  (44,  (44, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00388  1736   NtClose  (44, ... ) == 0x0
 00389  1736   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00390  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 44, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 44, {status=0x0, info=1}, ) == 0x0
 00391  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp"}, 1233816, ... ) }, 1233816, ... ) == 0x0
 00392  1736   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893}  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\0\0\0\0\2741\0\0\2\0\0\0" ... {20, 48, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\2741\0\0\3\0\0\0" )  ... {20, 48, reply, 0, 1636, 1736, 75481, 0}  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\0\0\0\0\2741\0\0\2\0\0\0" ... {20, 48, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\2\0\1\0\3\0\0\0\2741\0\0\3\0\0\0" )  ) == 0x0
 00393  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233824,  (0x80100080, {24, 0, 0x40, 0, 1233824, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00394  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00395  1736   NtClose  (-2147482576, ... ) == 0x0
 00396  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00397  1736   NtClose  (-2147482576, ... ) == 0x0
 00398  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00399  1736   NtClose  (-2147482576, ... ) == 0x0
 00393  1736   NtCreateFile  ... 52, {status=0x0, info=2}, ) == 0x0
 00400  1736   NtClose  (52, ... ) == 0x0
 00401  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00402  1736   NtClose  (-2147482576, ... ) == 0x0
 00403  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00404  1736   NtClose  (-2147482576, ... ) == 0x0
 00405  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00406  1736   NtClose  (-2147482576, ... ) == 0x0
 00407  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00408  1736   NtClose  (-2147482576, ... ) == 0x0
 00401  1736   NtCreateFile  ... 52, {status=0x0, info=3}, ) == 0x0
 00409  1736   NtSetInformationFile  (44, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00410  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\344\227\35\0\253\315M\0\255\315B\0V2M\0\21\315M\0\251\315M\0\351\315W\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\317M\0\23\335M\16\266yD\315\210uLLd\354\335\220\375\245$s\211\275?o\316\277,m\211\2408s\335\355/e\211\2778n\211\270#d\314\277mW\300\243~2\244\307i7\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0\251\315M\0", ) , ) == 0x0
 00411  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... , 10240, 0x0, 0, ...
 00412  1736   NtContinue  (-139350572, 0, ...
 00411  1736   NtWriteFile  ... {status=0x0, info=10240}, ) == 0x0
 00413  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\374\305{\34\306\361\0E\306\2774,\11\240,\10\231\316\314\7a\5+\331\313\15\14\304a\216\205<\253\201?\334A<'D\303\255\34\271\255\3261\377\217\17\25},bCD\362e\205\270!\2342\300\317F\35\1\371[&g\310\317\15\315\325\362L\2\27\211`\32*\17HR\\370\34\21#\24~e\211}\347K\327\245\16,Ao\237\305\252\364\245\353\367\232\221\200\256J\315\302~\306:C\205\334o\301\270\315G^\364\261C8\344\\2241\364\326[\319]\225\225\22\177\35\12\5\332\306Q\346\305)\2039\311E#e\37a\210\231\136\22\350\303\254\311Q\213eIM\373V\37\255\2\275fy1\3713\257\16\254\15\230O\2654w\241\17\266\371\251\275X\227\373\237 m\377\12WaI\205\257\345\343\214y\324\0d\200\\340\330H-e\351\325\365\351\300\37\314\371^\315\221\4_\243\3340\34i\370\14\260\30uiF\20\304b\224\333\357%\16\345\306\5}\371F\371\303\254\224\221\5\36\17ez\225\217\31e\217\32~\210\223_\367j\250\10\315\363m\306\365\316x\361\240}\213\35F\7X\204\351J\220\326\5m^\260.f\227\2752\262\12\205\265q\231\210\325)\360}\5]\224\343\356\261}\250\252\354\250\26Ap\243\23\276P\316\256\205\266\267\217n\350\320%F5\300{\251&M\225B\11t\20}\2\253\255\15\3;\205\345\211\353\225v2\215\226\252\324}\236\356\17-\334\377\1E\322\374\22\315\205\205\324\256\11\27\274\314d\252$\242\306Va/\1\313[\5=\220\17", ) \214y\324\0d\200\\340\330H-e\351\325\365\351\300\37\314\371^\315\221\4_\243\3340\34i\370\14\260\30uiF\20\304b\224\333\357%\16\345\306\5}\371F\371\303\254\224\221\5\36\17ez\225\217\31e\217\32~\210\223_\367j\250\10\315\363m\306\365\316x\361\240}\213\35F\7X\204\351J\220\326\5m^\260.f\227\2752\262\12\205\265q\231\210\325)\360}\5]\224\343\356\261}\250\252\354\250\26Ap\243\23\276P\316\256\205\266\267\217n\350\320%F5\300{\251&M\225B\11t\20}\2\253\255\15\3;\205\345\211\353\225v2\215\226\252\324}\236\356\17-\334\377\1E\322\374\22\315\205\205\324\256\11\27\274\314d\252$\242\306Va/\1\313[\5=\220\17", ) == 0x0
 00414  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00415  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "~\17FX\21\337Xw\230\307AHz\200\216\30\343[\1\340\374h\377H\251f\337\345\31H\372}\261\211\15\221L](Z\315\221\25Y\247\226\327\0\373\206.T\371\251td\262\257Y6\315\255\334\3459\250'!\305\245\34\226\352[?\14\335\275a\35`\255\206z\325\3705@\203L\325C\271\261W\301\326H\331\2352\255*\20\7\275\366\363\220f\33%\273EA9\202I]\274\256F\31393\214\301\14!\242\15\323V:g\276\201G\12\10\223\3599_\213\3663\3\204\230\2561\21\32\4P\241\10]\36\311\134Z\213R\306\37\217Y\270\7!Y\5\245\203H>\255Z\7V\231\273\357\310CKp\366\254\306\315K\351\225\216\13;J\30?\242\275\216k\6\340\246\221\25)\205\257\235\5L\367\250\343\265\27M\213,l\332J#\31MN\36T\333\270(\1\207\316\305\4\3068|\322#\235[D\271\317z\304,\263\306w\222\374\204\212\341\216\11\10U2\17\267\366\315E\215\334\302\306|\241\312|\300#\303vJU\270\372~\10\226\303\\243?Q\16_\16\222\237\340\270\257o\362f\274\371\276\215i\16\250\364\265~th*\5\204\11v\200\221\352BM\255\226\266\302\333)\310\257\306z\362\202\335b\304\321\240\254F\212\356Gg\201Y\237\243\356H2\222\177rG\25c=G\23\12,\226\36o\305\261S\13\277\325\302\36\244\364\271\355\2443\25\32)*\2229b1\372\0\346\334U\33\334!\240\355\237\317\374 >&\205?)(\222:\37\15\240\355\263&\257\35#\241W\221\305\325\17\305;2\217\11Q*\6uYB\356:"\362\376\4)\362H\266\364nJ\203x\202L\267\246?\262\255\3z\7\20\323\312\263\261\333\306:\15\246r\204\3\343\21\347\5\225\12\262\321'\27\262BLCt\1", ) \362\376\4)\362H\266\364nJ\203x\202L\267\246?\262\255\3z\7\20\323\312\263\261\333\306:\15\246r\204\3\343\21\347\5\225\12\262\321'\27\262BLCt\1", ) == 0x0
 00416  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00417  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "?&\260\265)\32\341f\372D\310\6\277M\307\265\336\13\310\227\326\303:\21\317r\371\22\374\301(\211\240m\24\6\32\12,\35\231qQ\210\35\266\322\240#@\330>\243\315\371\274\316\343\12\263\330\347\2150\260\224\3264\250\12O\316-o\22\271 Zyt\241\227I\3104I\333\244\202\23\274t\312\226\36\364\374\237i\361\374\305\37"\356M\2135!A\10\13\341O\346\200\7GA&\200M|\254\224)\246\12\264\306:\266_K\260\13\346G\30\373\276\234\10v\234\253\214i\231L\2511n\221;\214\214\265a\2\243\215\317\32-\306\265B\16\333\315{\234{]\31gS=\353\256\351\231\350\232M\333t*\217j!\301\224\15{:\317\300\5\275+\216\377\204\340\241N\317l\332\360\317jm\364\274K\355\266}\307\271\364y\7]\240\213\235\375\326\204\24JCU\200"\0\222\235q/\205\354n\207\271\272q8\262\277\205\310\225\365q8\200\354k\205\16*\2\210\256\26vw\362\303\331\341\250\301\355\346hPM\233\241\267K\243\262\317c,l\12\33\272\3\374[z_\17]\360\370@\337`*\333Y\310M\221\337\246\11~\2XY&Q\30\365m\346aa~]\35\232\4\31\17>GV\0.!U\1k\275\224\22\13\303\216^\226\314\277\204\362Jf\271\3743\271\15\34;I\322\324;\10\376\336\233\225\353\203\334a\332\253\213\261\26w\260~:\225\260F`=\324\7\33\247W%O8\211\20\25\241\351o\16\250\321\14\340\311Z/\364\352G_\20]\227\353\266\257\304"\21Q=\341\0\261-IU\207\304d*\240\311\352\26\241\235!\253\259^\4bEj\247\353\313gHAU\2769p\203\370j\\313\275\354G\246\37\321z\215\265\234k\317y\0\372\2723\350\326\275&\330\5\335R\322Q\230\208", ) \356M\2135!A\10\13\341O\346\200\7GA&\200M|\254\224)\246\12\264\306:\266_K\260\13\346G\30\373\276\234\10v\234\253\214i\231L\2511n\221;\214\214\265a\2\243\215\317\32-\306\265B\16\333\315{\234{]\31gS=\353\256\351\231\350\232M\333t*\217j!\301\224\15{:\317\300\5\275+\216\377\204\340\241N\317l\332\360\317jm\364\274K\355\266}\307\271\364y\7]\240\213\235\375\326\204\24JCU\200 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "?&\260\265)\32\341f\372D\310\6\277M\307\265\336\13\310\227\326\303:\21\317r\371\22\374\301(\211\240m\24\6\32\12,\35\231qQ\210\35\266\322\240#@\330>\243\315\371\274\316\343\12\263\330\347\2150\260\224\3264\250\12O\316-o\22\271 Zyt\241\227I\3104I\333\244\202\23\274t\312\226\36\364\374\237i\361\374\305\37"\356M\2135!A\10\13\341O\346\200\7GA&\200M|\254\224)\246\12\264\306:\266_K\260\13\346G\30\373\276\234\10v\234\253\214i\231L\2511n\221;\214\214\265a\2\243\215\317\32-\306\265B\16\333\315{\234{]\31gS=\353\256\351\231\350\232M\333t*\217j!\301\224\15{:\317\300\5\275+\216\377\204\340\241N\317l\332\360\317jm\364\274K\355\266}\307\271\364y\7]\240\213\235\375\326\204\24JCU\200"\0\222\235q/\205\354n\207\271\272q8\262\277\205\310\225\365q8\200\354k\205\16*\2\210\256\26vw\362\303\331\341\250\301\355\346hPM\233\241\267K\243\262\317c,l\12\33\272\3\374[z_\17]\360\370@\337`*\333Y\310M\221\337\246\11~\2XY&Q\30\365m\346aa~]\35\232\4\31\17>GV\0.!U\1k\275\224\22\13\303\216^\226\314\277\204\362Jf\271\3743\271\15\34;I\322\324;\10\376\336\233\225\353\203\334a\332\253\213\261\26w\260~:\225\260F`=\324\7\33\247W%O8\211\20\25\241\351o\16\250\321\14\340\311Z/\364\352G_\20]\227\353\266\257\304"\21Q=\341\0\261-IU\207\304d*\240\311\352\26\241\235!\253\259^\4bEj\247\353\313gHAU\2769p\203\370j\\313\275\354G\246\37\321z\215\265\234k\317y\0\372\2723\350\326\275&\330\5\335R\322Q\230\208", ) \21Q=\341\0\261-IU\207\304d*\240\311\352\26\241\235!\253\259^\4bEj\247\353\313gHAU\2769p\203\370j\\313\275\354G\246\37\321z\215\265\234k\317y\0\372\2723\350\326\275&\330\5\335R\322Q\230\208", ) == 0x0
 00418  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (52, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00419  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\266\242\217#\210\335\215\11\21\341\237\345\315\302\344y\317\17\314\307\351\257V\341\267\357\317|\250\305\317.\361\333X&\212f\245{\350\177\216\270\247\301\365%\350q\234\273 \225kw\177@=\30\276u\374\263n\307\304\34`\3370\314\357wF \241\233\326\301?e\227\233\304\300\253{%\315\243Ys\247Q\334u\345J\361\334\30\340\210\253\311\212]\251sl\264O%\x\223\253Ra\31\5-\315]\320\261\252\374_g\262\3\315\30\315\327Zu\322\234\273h_\335\322\32\307\247\306OC\214\345\3278B\314\242\305\13\356#\5\31\4;YE\240@P\207\220\241\271\336\2015\353\224|\367\370\271\271DFu\325#\303\241kj\25u\323ED\326U\240\242\312\355\370\347i\215\364\14\232\214\230\222\325\314\363v!\354\3120\35\3=\302\260\4\4q\376\236v\370\32\222Y\237\334\204\351;\354M8>\315\240\225C\375\273yJ\375\16\305=\251\307\247\4\31\367mm\223\244\366\303\317\4%*\237\324\230\241YBe\30\234}\346\366\233\25)$7\244@X\236\17jh%\376\226\265\262M\2410\236\4\271\246\260\306\3055\3j{\31\237\343<\265\241\333]\214C\332\304\342\205\0\220q\301e\375$\355x\4\4\251\330\305\367\243\223\35\345\221V!\362\273\275\10\344\371uTF3AF\254,\255\304\24\177M\311\35\303\211y=\257\255nFr@\353H\7r\301\2\357s\246 \301\257\332\213%\314LX\21O\350I\245\224\252\362\273-.\2{]\251i\245\243\255\14[\310H\333\250\327\255\262\246J\320\330\243Evt\2333\363j\243T\255\340\373av\205\24\272\353\21\25\354\375\177\31\4\333\30\245[\36|\377o\14\357)|\5i\272\327Z\217\376\37\26\370\300\360[\311\233\25\337\215\277\1d\343\242\207\5\7", ) , ) == 0x0
 00420  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00421  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\233S\35\20n\355\15\12\33\205q\350w\306\33\34\241\340h\14\235\37L\324b\352\271\377)\220\364A\213C\326\275v\205F\250v\353\277+n\223\37 \265\6\263\342\353x\235R5\323\306\3739\242\246\22\362\332C\332\3172[-\255\252\360KF\366\246J\302WfU\335\225zW\237\355*\22\252\351h\21Z\371l%\6Y\315\341\354\35\20N3B(\377M\3524\336\273\277\303\252,\3349%\237\5,\267K\212\313\312G\257\275\330\343\313!\25\252\346\35j/\215\240u\367z\327[\274\11i\1,T\204\3253k\364t\2528\207\21\204\203"\11\32k$\237q)\1\223\220\241(\206\340\245V\3f\315\35\13\312\335mk\270\323\323\212\17\355\245\13\322\222W\3\343\220\314x\275\11\27\357\207\3653\23\374\353\354'\345{&'\336\251\31\317\373\313]S\365\251\6c"\320\264J\221\346!\260~\W\304\242\303\237 \374\370!\24\246\322\343\32\275\263\225;\372\351\345\345ol\357]\254Z\16\30'\11\240\200\\201\341#yDo\306\352\312\310\373b\376\244\1x\11ge\251\214\311\12\377i&\337\3272^\211\255\13\15,\251\316h@\304\371O\324:\341+\2104\245)\242\255\346~\211-\\360\326\361\252:\363e7\237_\2109\371\245\26\0\21\262\327\201-\235\353\4\306&a\215\3556K\205{\260O\300\202\311^\353b\233\357j\374\320S\14\335\303I\217\20\200`\27\271\346\217\263\234\272:\4\327\313\225\344a\346\207\15\237\257a>"\302\20\20\335\320\371\2059\214\367\0pu\3153\360"\217\342W\232\14\36\235H \200r\366$t\260=AP\264\377D'g\365\204;\231M\21\310\251y}\366\210m>0\32\302\305\4\25\340\301\204\236\236u\27 \235u\221(g\334&\33\316Y\275", ) \11\32k$\237q)\1\223\220\241(\206\340\245V\3f\315\35\13\312\335mk\270\323\323\212\17\355\245\13\322\222W\3\343\220\314x\275\11\27\357\207\3653\23\374\353\354'\345{&'\336\251\31\317\373\313]S\365\251\6c (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\233S\35\20n\355\15\12\33\205q\350w\306\33\34\241\340h\14\235\37L\324b\352\271\377)\220\364A\213C\326\275v\205F\250v\353\277+n\223\37 \265\6\263\342\353x\235R5\323\306\3739\242\246\22\362\332C\332\3172[-\255\252\360KF\366\246J\302WfU\335\225zW\237\355*\22\252\351h\21Z\371l%\6Y\315\341\354\35\20N3B(\377M\3524\336\273\277\303\252,\3349%\237\5,\267K\212\313\312G\257\275\330\343\313!\25\252\346\35j/\215\240u\367z\327[\274\11i\1,T\204\3253k\364t\2528\207\21\204\203"\11\32k$\237q)\1\223\220\241(\206\340\245V\3f\315\35\13\312\335mk\270\323\323\212\17\355\245\13\322\222W\3\343\220\314x\275\11\27\357\207\3653\23\374\353\354'\345{&'\336\251\31\317\373\313]S\365\251\6c"\320\264J\221\346!\260~\W\304\242\303\237 \374\370!\24\246\322\343\32\275\263\225;\372\351\345\345ol\357]\254Z\16\30'\11\240\200\\201\341#yDo\306\352\312\310\373b\376\244\1x\11ge\251\214\311\12\377i&\337\3272^\211\255\13\15,\251\316h@\304\371O\324:\341+\2104\245)\242\255\346~\211-\\360\326\361\252:\363e7\237_\2109\371\245\26\0\21\262\327\201-\235\353\4\306&a\215\3556K\205{\260O\300\202\311^\353b\233\357j\374\320S\14\335\303I\217\20\200`\27\271\346\217\263\234\272:\4\327\313\225\344a\346\207\15\237\257a>"\302\20\20\335\320\371\2059\214\367\0pu\3153\360"\217\342W\232\14\36\235H \200r\366$t\260=AP\264\377D'g\365\204;\231M\21\310\251y}\366\210m>0\32\302\305\4\25\340\301\204\236\236u\27 \235u\221(g\334&\33\316Y\275", ) \302\20\20\335\320\371\2059\214\367\0pu\3153\360 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\233S\35\20n\355\15\12\33\205q\350w\306\33\34\241\340h\14\235\37L\324b\352\271\377)\220\364A\213C\326\275v\205F\250v\353\277+n\223\37 \265\6\263\342\353x\235R5\323\306\3739\242\246\22\362\332C\332\3172[-\255\252\360KF\366\246J\302WfU\335\225zW\237\355*\22\252\351h\21Z\371l%\6Y\315\341\354\35\20N3B(\377M\3524\336\273\277\303\252,\3349%\237\5,\267K\212\313\312G\257\275\330\343\313!\25\252\346\35j/\215\240u\367z\327[\274\11i\1,T\204\3253k\364t\2528\207\21\204\203"\11\32k$\237q)\1\223\220\241(\206\340\245V\3f\315\35\13\312\335mk\270\323\323\212\17\355\245\13\322\222W\3\343\220\314x\275\11\27\357\207\3653\23\374\353\354'\345{&'\336\251\31\317\373\313]S\365\251\6c"\320\264J\221\346!\260~\W\304\242\303\237 \374\370!\24\246\322\343\32\275\263\225;\372\351\345\345ol\357]\254Z\16\30'\11\240\200\\201\341#yDo\306\352\312\310\373b\376\244\1x\11ge\251\214\311\12\377i&\337\3272^\211\255\13\15,\251\316h@\304\371O\324:\341+\2104\245)\242\255\346~\211-\\360\326\361\252:\363e7\237_\2109\371\245\26\0\21\262\327\201-\235\353\4\306&a\215\3556K\205{\260O\300\202\311^\353b\233\357j\374\320S\14\335\303I\217\20\200`\27\271\346\217\263\234\272:\4\327\313\225\344a\346\207\15\237\257a>"\302\20\20\335\320\371\2059\214\367\0pu\3153\360"\217\342W\232\14\36\235H \200r\366$t\260=AP\264\377D'g\365\204;\231M\21\310\251y}\366\210m>0\32\302\305\4\25\340\301\204\236\236u\27 \235u\221(g\334&\33\316Y\275", ) , ) == 0x0
 00422  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (52, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00423  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\253>\225H\334g\347\277a\214o\210tN\300\327\372\222\375\337\276\15\205d\273\224e`\377\310\371a\262\337\360\377\277\35\256'\21\227t\212\345\314\262\200@\307\303\375s\227\365\4\252R\7\215\217\251y?\2568\300I\351\2078\336\366\277\346\14u\242O\25\331\301\277LJ\3047\4n\263\354\4\3n\277d\250\350:\2\2121\2172\213\217\366\31\357(\35[\216\203W\241\3379h#.\305N\223\250$\325\45\36=\223Fr\355q\357\227\370]{t\325\265{\233Y\334\34P;\205\357\336\335!-5\0Yg\37*\244\236\271-;\356\377\215\3245\350v\303L\2270\335\16\305\0\323\304A\254JJ\263 \211o\\3K\20\223\201\263,>\36CS\202\223\250nN}\335\271#\243\347\373i]\305\263\37\16}:\365"\266\220\5\354\241/\17n\242\177L\12C\4CI\236\373\216\3\253E\204\26Y\323\3656\365\35t0\3259{\213\25\366\322\220#\324\36\32\355\200\260\372\159\336\307&\337_D\273\200n<)\236YC\250w\335j9\252\336& \36\14"\327\336\270C\241\255At\262\340\262\257\255O"\272\273L\16\4#\235\12\351\340\343\216\35B\274B\270QJq\34495\265C\2555\205\0\333\350\265\370\314\15\256MQ\277\364k\215\310\310\344\217]\376<\336\301\307\343_u\211\224\311\215\214prF\214 \325\215\211\30M\353\2347\215\364\346\362\261V\307S\356JC\16\251iA\353\220?XH\254~O(\241N\37\362\254\317j\350\265G\22R\350}\364h\335\273\205\246+\14\305m9t%\214o\347\14\24\341\36\336TY\10\2450\302\317M\311\272\4j\357\253\345Ba\257\335\360o\251\202\25a\370\34/H\271\352\346\360\231Y)\24\225\315\13`j\345\5`\216\325|\30", ) \266\220\5\354\241/\17n\242\177L\12C\4CI\236\373\216\3\253E\204\26Y\323\3656\365\35t0\3259{\213\25\366\322\220#\324\36\32\355\200\260\372\159\336\307&\337_D\273\200n<)\236YC\250w\335j9\252\336& \36\14 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\253>\225H\334g\347\277a\214o\210tN\300\327\372\222\375\337\276\15\205d\273\224e`\377\310\371a\262\337\360\377\277\35\256'\21\227t\212\345\314\262\200@\307\303\375s\227\365\4\252R\7\215\217\251y?\2568\300I\351\2078\336\366\277\346\14u\242O\25\331\301\277LJ\3047\4n\263\354\4\3n\277d\250\350:\2\2121\2172\213\217\366\31\357(\35[\216\203W\241\3379h#.\305N\223\250$\325\45\36=\223Fr\355q\357\227\370]{t\325\265{\233Y\334\34P;\205\357\336\335!-5\0Yg\37*\244\236\271-;\356\377\215\3245\350v\303L\2270\335\16\305\0\323\304A\254JJ\263 \211o\\3K\20\223\201\263,>\36CS\202\223\250nN}\335\271#\243\347\373i]\305\263\37\16}:\365"\266\220\5\354\241/\17n\242\177L\12C\4CI\236\373\216\3\253E\204\26Y\323\3656\365\35t0\3259{\213\25\366\322\220#\324\36\32\355\200\260\372\159\336\307&\337_D\273\200n<)\236YC\250w\335j9\252\336& \36\14"\327\336\270C\241\255At\262\340\262\257\255O"\272\273L\16\4#\235\12\351\340\343\216\35B\274B\270QJq\34495\265C\2555\205\0\333\350\265\370\314\15\256MQ\277\364k\215\310\310\344\217]\376<\336\301\307\343_u\211\224\311\215\214prF\214 \325\215\211\30M\353\2347\215\364\346\362\261V\307S\356JC\16\251iA\353\220?XH\254~O(\241N\37\362\254\317j\350\265G\22R\350}\364h\335\273\205\246+\14\305m9t%\214o\347\14\24\341\36\336TY\10\2450\302\317M\311\272\4j\357\253\345Ba\257\335\360o\251\202\25a\370\34/H\271\352\346\360\231Y)\24\225\315\13`j\345\5`\216\325|\30", ) \272\273L\16\4#\235\12\351\340\343\216\35B\274B\270QJq\34495\265C\2555\205\0\333\350\265\370\314\15\256MQ\277\364k\215\310\310\344\217]\376<\336\301\307\343_u\211\224\311\215\214prF\214 \325\215\211\30M\353\2347\215\364\346\362\261V\307S\356JC\16\251iA\353\220?XH\254~O(\241N\37\362\254\317j\350\265G\22R\350}\364h\335\273\205\246+\14\305m9t%\214o\347\14\24\341\36\336TY\10\2450\302\317M\311\272\4j\357\253\345Ba\257\335\360o\251\202\25a\370\34/H\271\352\346\360\231Y)\24\225\315\13`j\345\5`\216\325|\30", ) == 0x0
 00424  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (52, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (52, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (52, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00425  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\321\255c\230\342\203"\374\276?b{\342\336\5S\331\241$t\377a\254,\210\222\0\4\300\235\264b\326\224\312S\370\201\32a\201\256I\205)HH\323\35\352O\366\271\200M\227\255\312y \310v\201\327\362\305z\260\362:\326\0\236\257fz\252\336~\25\33\351z\122\200\375\17\252\342n\340\251\232\306\326\340\331q\0\301\262\5S\340\211L\340\244\265\224\220+/\240\353\271\354\206I\235\25\305\250/.\262\232\305\324\260\233\261\16\214\275\17\23}$\236L\271\250\216\14\202#\336o|\334\315v\200\260O\3`s\330\305\267\252-E*\254lD\12\221\310t\327\3\375\317\216\337\242B\271\204\250r\242\13yp\215\277D\344(\271qP :\314\331<\34\314\211uVMY\6\274\360\315X\271*t\242\374\363O\201\265\315*\307\213mJ\25K\303eh`~\341\221\246\234F\5i\3367r\306\326\357\362]\3665\4\2052N\24\222\233EI\375\336\307|b\312Q\325\5\257\370\252\255\31\301\325\254\3279\3649\342\345\11\3266\265\207\303\304\34-\261G\305;\1\316\332\200=\224\317'\355\242\235\4$\200\265\346)\255\214\11A\354E\313\212\302\346\252\276\266\331q1\306oX\255\204B\244\12MC\10\234\327\10\22\213\372\373\24\375~.\33\324$YqeuO\05\335B\377e\335\360\2\227\200\5u\244\230\310"_0\248B\360\363\16m\361\376 \251\11\246&\1\R*\301\330\270\205\255]M|\354\272g\12\303\317\372\252\36`\357Gu38Gn\227L\3\253\257)\236\205\6\377l\254\301A\20\271\331\377,b\177Y\30\261\355m\313\33\341\206$\215\345e,\205\331\326\0\313\32\274\202\371\214\301\355\375\315\346S\2468\305f\370r\6\242\212\227O\213x\316\247\11}n\350v\311!A\3", ) \374\276?b{\342\336\5S\331\241$t\377a\254,\210\222\0\4\300\235\264b\326\224\312S\370\201\32a\201\256I\205)HH\323\35\352O\366\271\200M\227\255\312y \310v\201\327\362\305z\260\362:\326\0\236\257fz\252\336~\25\33\351z\122\200\375\17\252\342n\340\251\232\306\326\340\331q\0\301\262\5S\340\211L\340\244\265\224\220+/\240\353\271\354\206I\235\25\305\250/.\262\232\305\324\260\233\261\16\214\275\17\23}$\236L\271\250\216\14\202#\336o|\334\315v\200\260O\3`s\330\305\267\252-E*\254lD\12\221\310t\327\3\375\317\216\337\242B\271\204\250r\242\13yp\215\277D\344(\271qP :\314\331<\34\314\211uVMY\6\274\360\315X\271*t\242\374\363O\201\265\315*\307\213mJ\25K\303eh`~\341\221\246\234F\5i\3367r\306\326\357\362]\3665\4\2052N\24\222\233EI\375\336\307|b\312Q\325\5\257\370\252\255\31\301\325\254\3279\3649\342\345\11\3266\265\207\303\304\34-\261G\305;\1\316\332\200=\224\317'\355\242\235\4$\200\265\346)\255\214\11A\354E\313\212\302\346\252\276\266\331q1\306oX\255\204B\244\12MC\10\234\327\10\22\213\372\373\24\375~.\33\324$YqeuO\05\335B\377e\335\360\2\227\200\5u\244\230\310 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\321\255c\230\342\203"\374\276?b{\342\336\5S\331\241$t\377a\254,\210\222\0\4\300\235\264b\326\224\312S\370\201\32a\201\256I\205)HH\323\35\352O\366\271\200M\227\255\312y \310v\201\327\362\305z\260\362:\326\0\236\257fz\252\336~\25\33\351z\122\200\375\17\252\342n\340\251\232\306\326\340\331q\0\301\262\5S\340\211L\340\244\265\224\220+/\240\353\271\354\206I\235\25\305\250/.\262\232\305\324\260\233\261\16\214\275\17\23}$\236L\271\250\216\14\202#\336o|\334\315v\200\260O\3`s\330\305\267\252-E*\254lD\12\221\310t\327\3\375\317\216\337\242B\271\204\250r\242\13yp\215\277D\344(\271qP :\314\331<\34\314\211uVMY\6\274\360\315X\271*t\242\374\363O\201\265\315*\307\213mJ\25K\303eh`~\341\221\246\234F\5i\3367r\306\326\357\362]\3665\4\2052N\24\222\233EI\375\336\307|b\312Q\325\5\257\370\252\255\31\301\325\254\3279\3649\342\345\11\3266\265\207\303\304\34-\261G\305;\1\316\332\200=\224\317'\355\242\235\4$\200\265\346)\255\214\11A\354E\313\212\302\346\252\276\266\331q1\306oX\255\204B\244\12MC\10\234\327\10\22\213\372\373\24\375~.\33\324$YqeuO\05\335B\377e\335\360\2\227\200\5u\244\230\310"_0\248B\360\363\16m\361\376 \251\11\246&\1\R*\301\330\270\205\255]M|\354\272g\12\303\317\372\252\36`\357Gu38Gn\227L\3\253\257)\236\205\6\377l\254\301A\20\271\331\377,b\177Y\30\261\355m\313\33\341\206$\215\345e,\205\331\326\0\313\32\274\202\371\214\301\355\375\315\346S\2468\305f\370r\6\242\212\227O\213x\316\247\11}n\350v\311!A\3", ) , ) == 0x0
 00426  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (52, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (52, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00427  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\274*\202o,\357\1r&M\314\265\231^\32\306\273,'z\340\351P\265e\275\354\206\267\31\36f\225\24>\334\23_\234K\304!\1\255r\1 \37\231A\360\230\312\267\17\343\201\347~\211\326\326l\360\265\244P\342\321C\212v\7\4\25UQwP\370\276\232\16\270\314O\216&\204X\4\12\3565\203\274\315\352\3225\345N0\212\256F|\265KB8g\312]\213\354=\315\0\205S&6\271\260\231H\327\10P \374=\227\258\377\367d\322\215S\325\317\37\271Y\241\317\335C\247\364N\4\254\206\347`\333\376\215\303\317!V\311|\240\375h\15\301X<;\230\223\222K\335UIr\3;\11)\14g\336\304o\350_\31\325m\206\245\205\11\3!\4F\211\377\364\233\23\352\267\3719D\0\354b\265\241\205y^\305\\177\327\12`\355"L1\262_\37\350=\375\241E\307\26m\1\256\2636\321\345\314#z\21\374\251\27\330\257\11K\336\30\305L\260\311}\37]\355m\200U\317\232\25\341\14\257\262{\217\31\27\247\335Yh\374\344\15\0b\373\270$\277c\306\1{=\271zh\326F\200\356\311\3509\273\305\255%\204=\251\200\335\334\351\344~\321i1\310@f\364n\277\354\322\31cg{\260\314\34E\273\237\300H\370\341\264\332q\306v\203\374\3166.\356.:\24?\305U`v\252\230#\240\265\307\206n\22\2344\305\32\225\22V\36\7\333\361\316F\372\201\210\267\232\10\322\342\300\210\273\377\3\241\306E$\207\2015\24\336\327T\177o\225A\11j \272\336\17e\311\q\211\3425\370\341\326\220[\330U5-\343\237\251\23{\203?-\346QE\324\334\17PD\213:u\\312v\271\27\317\17\242\240g\315\200\25\231\242\2\250\245Z\13\200\227\274=Q\20\377\375#\234\313\246.X\325\14", ) L1\262_\37\350=\375\241E\307\26m\1\256\2636\321\345\314#z\21\374\251\27\330\257\11K\336\30\305L\260\311}\37]\355m\200U\317\232\25\341\14\257\262{\217\31\27\247\335Yh\374\344\15\0b\373\270$\277c\306\1{=\271zh\326F\200\356\311\3509\273\305\255%\204=\251\200\335\334\351\344~\321i1\310@f\364n\277\354\322\31cg{\260\314\34E\273\237\300H\370\341\264\332q\306v\203\374\3166.\356.:\24?\305U`v\252\230#\240\265\307\206n\22\2344\305\32\225\22V\36\7\333\361\316F\372\201\210\267\232\10\322\342\300\210\273\377\3\241\306E$\207\2015\24\336\327T\177o\225A\11j \272\336\17e\311\q\211\3425\370\341\326\220[\330U5-\343\237\251\23{\203?-\346QE\324\334\17PD\213:u\\312v\271\27\317\17\242\240g\315\200\25\231\242\2\250\245Z\13\200\227\274=Q\20\377\375#\234\313\246.X\325\14", ) == 0x0
 00428  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00429  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\250l\262N\15\30E\22\366\320)\262uIfq\202\214T\367!\372H4\13@\317:&\203\377C\307\241\24\205\327\355~\31\214\207a\13\2\313\315\10\215\363&\216\314O\20\371\243,\315m\276\26!JE\370B\313w\7\228\35\201\304\316\254\367\223\317\326\315\375\2748\32\300\177\337\254\373\227Q\254\350J\232/=\341=x(\20Z\367\373\320c\14\33\211\371\254\345\313~\204\30\247\4\23a\3\26\251wek\330GE\16\20_\365\274E\331H\202\300\3014\307\276\37\314g  \306QF\252u\260\11\336\215\212F\355\323\255?5Q\270mG\376m&\241\310\25s\245\267\306\300\241\365U*K\223)V2\323\234\352k\363\16\270\264\255\246F\207\1X\32\233\325A\320\205M\1\204\210r \2EM\1\37\350\261\341\360\262\306\6 \213\217\325\33\335\341\326[\221\240\355 g\310Y\24I\210\211\262\261\325>K\216\6\233\257\245\301A\30\253\331.\7B[vu\243\305\300_\275*[\212$\270\340\211\3161\12\327\356g\273\276\311\372)\353\276\7^\30\267\325\317\2204\271A\301YI\327\20\274\204\241O\351u\333\252\6\330\306D\261G\27\31\361`8\346\362\372\205\213\350\301C\33\243\261\226Y\332z\17\2\343\325^\10\11\235\372Q\33\341\226\22\302\354Y\14\261\3250\266q\277A\30\204v\5P\241\211aae\300\315[^\230\200\22\212\227\6\270\320\367\243\12\263\217\372\232k\262g[\222{N~\3401H\370\202\257_|\323-\274\261\276\357\271\307\251\337F\222Y\25m\237\304\274|\316\353\31789\251\214\201\326\0\231f\204\232\316\3461\31-\303\341\251\234\212Z\350\361\265\200\249-\366\203C\15 \233\302\302\370V\331\270\222\247\15\211\3\333\325v\306i\241\332m\260\23e8\244\35\204N", ) , ) == 0x0
 00430  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (52, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00431  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\303\311\277\30\327#\316\332\350m\231|!\302\376\237g\257(\204A-\216{"\301\10\332\303U\2060/\34t\35\270Z\255D\272B\201])\32)D\201Z3"\11\2668\15\333\3143\34\377S\4\217\17`\265\226\274\340\312f\364\1\211\353\331\327\324\14\271\304F\25e\310\3718\266\14)\333\347\252\360\247\317\31\5j@b\370\204\32N\11\3\204>\267\3\0\31\23\266\353\16\271oM\27QY\333.\2758\261\317\233 )w\234\345\277\3117\241%\301\341\344O\335\343\2246\3143\275\374\26\244`GO\216\27]y\262\207E\365\1kL\266W\243\303\22\343\327\304\212\20\241&\2360\253\365\314m\35\330\253\216\207?\334\217.\340O~\254FH\340\37\221\334\311E[\374\30\342\333\331\13U9\315\3\273\20f\336\335\36d\221?\231HD\2135|!)LV\234\270\30\5\26\306\311\366\235(\303\334\35p\251\305K?\261\241\250\321\334DE8=Q\330R_?\263u\256\272\31\344\224\30\211U:g*Wgl\3TQ\214L\275\254\256|\246\311I\3739\5B\267`\337\305!\35/~\5K\37K\32\202\347Rb\266\321\26\30\240\230\20\364 \2750\254#H0\10\317L\207\265k\226\315\16o\200Y\243\13\345{\25A\260\20d\215\257\7\365Y\213eD\322{\320\353\236J\2328\221D5\344M\7;y\324\351u\364-\210\37\24\35\332\367\222\211M\346\4a\257\16`X\31\263\0\367\307\11\211K]x\375\255\353#3\326\356\14\213\314\271\256\277bDs\241\346\272aj\237\3608\276\366\203\302X\324N\307X\231Y\217\351\341Ls\245\313\355\350\210L\216f1\21\21\276T\3049\14\3172\204\4B\335\304P\242\314K\3\371\347\14=\370\302\15S\341\354\312\214\32^\365D\250\352l\353", ) \301\10\332\303U\2060/\34t\35\270Z\255D\272B\201])\32)D\201Z3 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\303\311\277\30\327#\316\332\350m\231|!\302\376\237g\257(\204A-\216{"\301\10\332\303U\2060/\34t\35\270Z\255D\272B\201])\32)D\201Z3"\11\2668\15\333\3143\34\377S\4\217\17`\265\226\274\340\312f\364\1\211\353\331\327\324\14\271\304F\25e\310\3718\266\14)\333\347\252\360\247\317\31\5j@b\370\204\32N\11\3\204>\267\3\0\31\23\266\353\16\271oM\27QY\333.\2758\261\317\233 )w\234\345\277\3117\241%\301\341\344O\335\343\2246\3143\275\374\26\244`GO\216\27]y\262\207E\365\1kL\266W\243\303\22\343\327\304\212\20\241&\2360\253\365\314m\35\330\253\216\207?\334\217.\340O~\254FH\340\37\221\334\311E[\374\30\342\333\331\13U9\315\3\273\20f\336\335\36d\221?\231HD\2135|!)LV\234\270\30\5\26\306\311\366\235(\303\334\35p\251\305K?\261\241\250\321\334DE8=Q\330R_?\263u\256\272\31\344\224\30\211U:g*Wgl\3TQ\214L\275\254\256|\246\311I\3739\5B\267`\337\305!\35/~\5K\37K\32\202\347Rb\266\321\26\30\240\230\20\364 \2750\254#H0\10\317L\207\265k\226\315\16o\200Y\243\13\345{\25A\260\20d\215\257\7\365Y\213eD\322{\320\353\236J\2328\221D5\344M\7;y\324\351u\364-\210\37\24\35\332\367\222\211M\346\4a\257\16`X\31\263\0\367\307\11\211K]x\375\255\353#3\326\356\14\213\314\271\256\277bDs\241\346\272aj\237\3608\276\366\203\302X\324N\307X\231Y\217\351\341Ls\245\313\355\350\210L\216f1\21\21\276T\3049\14\3172\204\4B\335\304P\242\314K\3\371\347\14=\370\302\15S\341\354\312\214\32^\365D\250\352l\353", ) , ) == 0x0
 00432  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (52, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00433  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\272\352^\223\322\344\21\15S%2\3\246\214\350\240\304\240\215+\220\351\221?\340w`\335\7=/\215\364\343\217\10R\3058\323\235\0:\367d\352n\363F\216\2364\344\323W$\211\236mw_\16\13O\13\31\21\273B\0\373\306\2755\26\373\342\367\271\212\217M\261+\327\311`uu\377\251\2714{\233.\1\214\130\3704\201\232\34\256\34^\372G;\214o\267\306-\362\333\262[BE\356\303V\263\305\12o\3261\14\360\21\262Mq\263&\245S\270\273\353\2442@\261j)3\22B\214\237c\262[eC\267\306\6\21I\263|}\33\323\355\212\35\306&\271\257g8\353\267PG\27\210\226\227\25\371.B\262a?\301M\303\335\30.\27\305~F\0\231\5\322\263\5k\303\377\236V\371\205\241\240O\6gK\343E\205`\10\372[\16\262hh\364\253\360Ku\213\253\272\240c\230\212F\257S\\35\335,+\226\254\263@\3\351\244\213C\27\341=\267E$\10@r\343\377?\300\15]M/FO\336\254\14\265\20\324$\270\227A\340\222\370p,\2071\341\24\261\333\204F'\13vk=\330pV\220\2022\236\277\350v\2570A\335\304\227\273G5\222uO@6\3V R\202\215V\307D\274(\221\300A\311\315\344\246\253H\360Dz\2270\231,,\353\233\15\347\213M\3160\10\320l\253\340\364?\317;\324\301v\4Q\263\266\27\323\337>'\237\366N5\333\350\213D\257\315\2x\2443\254nV*J\22\220\272\240\353\266\253\212\245\230\315,\13\306}\372^\26_i\31\211m\274\333\222m%\360\2625+\301C\247\304\7\271-\265\3!\236O\303\350\4O\340\4\317t\310\242\70\201\362\Y\373\320\312;\367qN\227\12)`}\12\317\306\0|Q;vz\255\261R\277\247\214`!", ) , ) == 0x0
 00434  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00435  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\231\354e\336?\301\246'\277\316\33\15/3\332\254\244\321Z\213v\366\246ukX[\13\203s\210\237E\353y7\243\224\215Z\362\35\266\213\3069f\240\233V?l\347\316\7\4\322\376L\4\226\246\200w\367\334\364\255\355\230\25\273\250\263\225\31\351}H)\21\211)\20\330.{\353?\307\306\377\252\3\14\304\337\346\177\27\222\2\260)\277\315\364\2664\353YA\23\270\234(\13H\203\213BM\33\24\273e\2314\377\347u\331-&An\372\215\375FU\326v\373\334H\231\221\0\233\342Y\212\220\304\304\363\220\236\257\344\314\306\235L\253<\220\315W\1\231\322UUh\337\34V\345,\32Q\2245\304;\276\36\365G\227\257v\254e\256^$)\364N\350\251#\354\272\341:\266_\250S\303_\374%\256`\303\273\215\276\30\311\2h\242\230\37u\266\265H\315\217\212I$\360\317\241\24\336\273\2260pMo\243EEER\355\311v\270HA\20\350G\316\210\211\FPT\276\3273NB\234\277s&#:\14u\340a\200\252\273v\31\336\366vc\1\267\325\333/DH\24\245\273vb*pat\377\277\310\12n\30,\234\23\310\10\2501\302\222\251K\11\342\252\361\270\352Q\220\210"khh\362\31\247\304M\360\250\211]\344\277\314p\334\241\300\343[\26]\355\10\362\35\306\352(O#[x(M\376\252\301\314\302\234V6\233\244L\257\16o\364\11(E\255\22T8\10\10\213\234\3\304\216\213\255q\316\327q\373\335\303\256\266\217\337\307\220;\322\305\364/\246\332\221\213\2542;\36\376\335f\373\376|Pv\27\236\215B\14&D6\214\304\307\317\247t\361\210[\324{&\202x\276\241(+\204\20M\373y\235B\316\2\310`\254\220F_\346KA-\365\233m\306\362Q$\332\316\306\4\222">\214", ) khh\362\31\247\304M\360\250\211]\344\277\314p\334\241\300\343[\26]\355\10\362\35\306\352(O#[x(M\376\252\301\314\302\234V6\233\244L\257\16o\364\11(E\255\22T8\10\10\213\234\3\304\216\213\255q\316\327q\373\335\303\256\266\217\337\307\220;\322\305\364/\246\332\221\213\2542;\36\376\335f\373\376|Pv\27\236\215B\14&D6\214\304\307\317\247t\361\210[\324{&\202x\276\241(+\204\20M\373y\235B\316\2\310`\254\220F_\346KA-\365\233m\306\362Q$\332\316\306\4\222 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\231\354e\336?\301\246'\277\316\33\15/3\332\254\244\321Z\213v\366\246ukX[\13\203s\210\237E\353y7\243\224\215Z\362\35\266\213\3069f\240\233V?l\347\316\7\4\322\376L\4\226\246\200w\367\334\364\255\355\230\25\273\250\263\225\31\351}H)\21\211)\20\330.{\353?\307\306\377\252\3\14\304\337\346\177\27\222\2\260)\277\315\364\2664\353YA\23\270\234(\13H\203\213BM\33\24\273e\2314\377\347u\331-&An\372\215\375FU\326v\373\334H\231\221\0\233\342Y\212\220\304\304\363\220\236\257\344\314\306\235L\253<\220\315W\1\231\322UUh\337\34V\345,\32Q\2245\304;\276\36\365G\227\257v\254e\256^$)\364N\350\251#\354\272\341:\266_\250S\303_\374%\256`\303\273\215\276\30\311\2h\242\230\37u\266\265H\315\217\212I$\360\317\241\24\336\273\2260pMo\243EEER\355\311v\270HA\20\350G\316\210\211\FPT\276\3273NB\234\277s&#:\14u\340a\200\252\273v\31\336\366vc\1\267\325\333/DH\24\245\273vb*pat\377\277\310\12n\30,\234\23\310\10\2501\302\222\251K\11\342\252\361\270\352Q\220\210"khh\362\31\247\304M\360\250\211]\344\277\314p\334\241\300\343[\26]\355\10\362\35\306\352(O#[x(M\376\252\301\314\302\234V6\233\244L\257\16o\364\11(E\255\22T8\10\10\213\234\3\304\216\213\255q\316\327q\373\335\303\256\266\217\337\307\220;\322\305\364/\246\332\221\213\2542;\36\376\335f\373\376|Pv\27\236\215B\14&D6\214\304\307\317\247t\361\210[\324{&\202x\276\241(+\204\20M\373y\235B\316\2\310`\254\220F_\346KA-\365\233m\306\362Q$\332\316\306\4\222">\214", ) , ) == 0x0
 00436  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (52, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00437  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\272\340\306\274*\367s\334T\370\0\15\243DL\241\257\21\213\0\247\2641\364\317\6g\263\26B\32\2~\310\330\32n\304\211\2313\354E\17-^j\353\202\210\251\35\371\346I\202PWP\257\371$0\217\241\235\0;\324;\11\241C\331c\366\356m \26\2\31p1\177\203\207\332[)\177?\261\201-!\221\373;-(S\0h\205\30|\2\365I\270^\216`\17\315\231\17\0\211\16\242T\230\333R\20}\336\343\265\343\313\352~\243\302\26\25\345\254Rt\224\244\32Pi\333*\34\346h\346\255;1\341D\260\3715\353\373\232\36\246\344\2709_\376\315Y\360\261\365\363\240\231@=\30^i\36\300\351\214\210\261s\275@\211\243O\246.\260_\6+\25]\345\222\240\364\7\320\1\224Ld\315]\345\335\364}5\272\12.\227\371\331\215\32\226\30P\3MO\22\16K\366\220\321\323}\310\315\272F\230Pm\304\312\370\240\25Lh\7\333\320\243\312\372S\4\317\275Z\241v2\331\211e\330\202\255\314\224\233\350\20~\213cZ\322#\202M\262\260\210\366\263r\210\271`\375\260\3175\255\204\352c7E\240 \261\267\361\261\261U\302\13\257\312\361\332\177\340B\32\212Y}n\340\22\335\35\212I:\217\374\344\220+\253Qz"\231$\201Z\374\257\212O\213\256\14\247\3\273\250\226\332\304\312F\4\343\22H\10\241\301\333e\360[j\20\275\323U\34\360[(Y\274\355i\14\201\206H\277\354\30720\343\270\205\350\350\305+\255\241#m\243\312\224[\12"B\13!\312\263\312\33\255\11\27V\330#\257\334~\306\205\317\302\232\363\317f\322\2\361;T\3577\377\215$U]\262\374[c\300wVF0\14\2024\312\367\201=\0\21\305,\10\250\252\270`\213t\233\200\1\245\327\205\1\251L\23\340\36\0\257\200", ) \231$\201Z\374\257\212O\213\256\14\247\3\273\250\226\332\304\312F\4\343\22H\10\241\301\333e\360[j\20\275\323U\34\360[(Y\274\355i\14\201\206H\277\354\30720\343\270\205\350\350\305+\255\241#m\243\312\224[\12 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\272\340\306\274*\367s\334T\370\0\15\243DL\241\257\21\213\0\247\2641\364\317\6g\263\26B\32\2~\310\330\32n\304\211\2313\354E\17-^j\353\202\210\251\35\371\346I\202PWP\257\371$0\217\241\235\0;\324;\11\241C\331c\366\356m \26\2\31p1\177\203\207\332[)\177?\261\201-!\221\373;-(S\0h\205\30|\2\365I\270^\216`\17\315\231\17\0\211\16\242T\230\333R\20}\336\343\265\343\313\352~\243\302\26\25\345\254Rt\224\244\32Pi\333*\34\346h\346\255;1\341D\260\3715\353\373\232\36\246\344\2709_\376\315Y\360\261\365\363\240\231@=\30^i\36\300\351\214\210\261s\275@\211\243O\246.\260_\6+\25]\345\222\240\364\7\320\1\224Ld\315]\345\335\364}5\272\12.\227\371\331\215\32\226\30P\3MO\22\16K\366\220\321\323}\310\315\272F\230Pm\304\312\370\240\25Lh\7\333\320\243\312\372S\4\317\275Z\241v2\331\211e\330\202\255\314\224\233\350\20~\213cZ\322#\202M\262\260\210\366\263r\210\271`\375\260\3175\255\204\352c7E\240 \261\267\361\261\261U\302\13\257\312\361\332\177\340B\32\212Y}n\340\22\335\35\212I:\217\374\344\220+\253Qz"\231$\201Z\374\257\212O\213\256\14\247\3\273\250\226\332\304\312F\4\343\22H\10\241\301\333e\360[j\20\275\323U\34\360[(Y\274\355i\14\201\206H\277\354\30720\343\270\205\350\350\305+\255\241#m\243\312\224[\12"B\13!\312\263\312\33\255\11\27V\330#\257\334~\306\205\317\302\232\363\317f\322\2\361;T\3577\377\215$U]\262\374[c\300wVF0\14\2024\312\367\201=\0\21\305,\10\250\252\270`\213t\233\200\1\245\327\205\1\251L\23\340\36\0\257\200", ) , ) == 0x0
 00438  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00439  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2128X\205\317\213\261\6\262\271\306\22\254\26Es\206\26\323\242\307\371wC7\317\257\6\270"M2\35\277\243/\47v\373\336o0\31\31\334P\353R\273\242\377\3052J\16\211o\330\12\222\200\265\1779\316u\0\251|8\213\35\237\266x`\225\2000u\252\14`B<\223\5\241z`\227MK\321\231\14%\235\16m\325\373\375Q\312\245\13\335\345TW\274\220\346\200\276\211\300_\255\203\367\24I\373g\32c\230U\24`\324\365?\233\366z|C\242\342\330NL\315\14q\335\255\202\311\34\337\330R\247K\304\245y\253oH\240\332\267*2\240h\350\260H\5\21\227K\15S\224\350\32Q$_\17"\376\23N\355O\324\350\360<\265\2268M\371\36\31)\375\17\203M:\30\272N1\223f\233.\201\353\262\244t\357\315P\247\201M\314\21\12\30F\14\322\340\226\213\261\234\32\341\227\210R\237\377\12\236\364\226\374\346w\36\\32\3\2152@~|\10U_\232\346\31\224\25\360s\301?\302\316%\25\257\323\360\217I\14\13\250\207\324\3\273\315\2046\2755\34n\16e\334\12\343\242\260\336\356~O\316\272p@\22\271\325w\237\27\340n\367\334\6\242\363\14\207"\370\341w\330\34\12\302\274k\264o\m59\34\303\306\317H\346\265\235\36a\346=\315n\3310d\376\134]\1c\237\14\301W\1\344"\311\334\265\273-\254M,!^N\370\334\374\277\243\364\235\34\351\2\255\216\202\272\251u\213cwUO\241\325L\346\360\225\312)d\203\370\375\177\235\262\273u\237\22\276\371Z(\276\346\275\323M\224\215c\377\311.\17\257\376\332DjyF\260\1K\25x\372\330\35\376r\314\314{>@Q\224\354\312L\1\324\333\320|\215\341\245\0\335F\177]\303\321\13\354\2709g\361r\216\212kF\273N\", ) M2\35\277\243/\47v\373\336o0\31\31\334P\353R\273\242\377\3052J\16\211o\330\12\222\200\265\1779\316u\0\251|8\213\35\237\266x`\225\2000u\252\14`B<\223\5\241z`\227MK\321\231\14%\235\16m\325\373\375Q\312\245\13\335\345TW\274\220\346\200\276\211\300_\255\203\367\24I\373g\32c\230U\24`\324\365?\233\366z|C\242\342\330NL\315\14q\335\255\202\311\34\337\330R\247K\304\245y\253oH\240\332\267*2\240h\350\260H\5\21\227K\15S\224\350\32Q$_\17 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2128X\205\317\213\261\6\262\271\306\22\254\26Es\206\26\323\242\307\371wC7\317\257\6\270"M2\35\277\243/\47v\373\336o0\31\31\334P\353R\273\242\377\3052J\16\211o\330\12\222\200\265\1779\316u\0\251|8\213\35\237\266x`\225\2000u\252\14`B<\223\5\241z`\227MK\321\231\14%\235\16m\325\373\375Q\312\245\13\335\345TW\274\220\346\200\276\211\300_\255\203\367\24I\373g\32c\230U\24`\324\365?\233\366z|C\242\342\330NL\315\14q\335\255\202\311\34\337\330R\247K\304\245y\253oH\240\332\267*2\240h\350\260H\5\21\227K\15S\224\350\32Q$_\17"\376\23N\355O\324\350\360<\265\2268M\371\36\31)\375\17\203M:\30\272N1\223f\233.\201\353\262\244t\357\315P\247\201M\314\21\12\30F\14\322\340\226\213\261\234\32\341\227\210R\237\377\12\236\364\226\374\346w\36\\32\3\2152@~|\10U_\232\346\31\224\25\360s\301?\302\316%\25\257\323\360\217I\14\13\250\207\324\3\273\315\2046\2755\34n\16e\334\12\343\242\260\336\356~O\316\272p@\22\271\325w\237\27\340n\367\334\6\242\363\14\207"\370\341w\330\34\12\302\274k\264o\m59\34\303\306\317H\346\265\235\36a\346=\315n\3310d\376\134]\1c\237\14\301W\1\344"\311\334\265\273-\254M,!^N\370\334\374\277\243\364\235\34\351\2\255\216\202\272\251u\213cwUO\241\325L\346\360\225\312)d\203\370\375\177\235\262\273u\237\22\276\371Z(\276\346\275\323M\224\215c\377\311.\17\257\376\332DjyF\260\1K\25x\372\330\35\376r\314\314{>@Q\224\354\312L\1\324\333\320|\215\341\245\0\335F\177]\303\321\13\354\2709g\361r\216\212kF\273N\", ) \370\341w\330\34\12\302\274k\264o\m59\34\303\306\317H\346\265\235\36a\346=\315n\3310d\376\134]\1c\237\14\301W\1\344 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2128X\205\317\213\261\6\262\271\306\22\254\26Es\206\26\323\242\307\371wC7\317\257\6\270"M2\35\277\243/\47v\373\336o0\31\31\334P\353R\273\242\377\3052J\16\211o\330\12\222\200\265\1779\316u\0\251|8\213\35\237\266x`\225\2000u\252\14`B<\223\5\241z`\227MK\321\231\14%\235\16m\325\373\375Q\312\245\13\335\345TW\274\220\346\200\276\211\300_\255\203\367\24I\373g\32c\230U\24`\324\365?\233\366z|C\242\342\330NL\315\14q\335\255\202\311\34\337\330R\247K\304\245y\253oH\240\332\267*2\240h\350\260H\5\21\227K\15S\224\350\32Q$_\17"\376\23N\355O\324\350\360<\265\2268M\371\36\31)\375\17\203M:\30\272N1\223f\233.\201\353\262\244t\357\315P\247\201M\314\21\12\30F\14\322\340\226\213\261\234\32\341\227\210R\237\377\12\236\364\226\374\346w\36\\32\3\2152@~|\10U_\232\346\31\224\25\360s\301?\302\316%\25\257\323\360\217I\14\13\250\207\324\3\273\315\2046\2755\34n\16e\334\12\343\242\260\336\356~O\316\272p@\22\271\325w\237\27\340n\367\334\6\242\363\14\207"\370\341w\330\34\12\302\274k\264o\m59\34\303\306\317H\346\265\235\36a\346=\315n\3310d\376\134]\1c\237\14\301W\1\344"\311\334\265\273-\254M,!^N\370\334\374\277\243\364\235\34\351\2\255\216\202\272\251u\213cwUO\241\325L\346\360\225\312)d\203\370\375\177\235\262\273u\237\22\276\371Z(\276\346\275\323M\224\215c\377\311.\17\257\376\332DjyF\260\1K\25x\372\330\35\376r\314\314{>@Q\224\354\312L\1\324\333\320|\215\341\245\0\335F\177]\303\321\13\354\2709g\361r\216\212kF\273N\", ) , ) == 0x0
 00440  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00441  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\312\203U!\205\366n\2643\316;B\350\231FD\275\314.t\351\203)t\275\252\14\14a\250\200\4\275\365n\220\5\206\332<*\351\21\310\226\205\244^\310Q\305\233\353\225n\364\352\4((\325\204A\240\1\223\31\5\332\322\205\3\250f\7D\254\216U\316\256\4\206H\250\316(\30\251\363i\313\13\347\225\7y\37\307A\203M\335\204\3557I\231)\6D:\211\210\33\7p&cM\205\272I\306\242)\1\201\352\215z\3_\5\27+\352AF|\301\215\3\232\275\314\321\2549Z\274J\256\202\353\357\370\220\233*\322\342\34\274ZZN%\31\241MO\26\202l\233\311\22\11\24\355\371EK\257!(\13\355\335n8\32\332\204\215-\216_\24\355)\236\14\321\311_S\354\305\366\11\220X\321S\234\210u\35k\235\225S\265\24253\245Zp\204=\222\206E\1\222\31a\25\5;/\374\305\276Eq\242\234\267e\271\30\303&\302yt\206\364\334_\3541\13\30\306Y\7\232\204\nH\21J\315\220\262\241NwGw\0p2\232\12\30\252\252J\246\311\355\364\1+\352L\271\301\316\264 P\315^4\251\232u\217T\313\251\0\370-Oi\33\235?\3\374\251+T\275\2=T\251\355\317*\21\24\343\27\373\365]\344\336\233\204&\256\325[P\270\272\33\1\34\3\\27R\276\215\354\5\307p\347\226\236-\20\271_LE\231Y\35TI3rSa\334"\351\23!\311\346\242\231\37\2v\221\206\30\211|\333\334r\316\303p\250\337\246\2b\212\361\367\20341\4\251\212\225H\275\356\7.\352\204\3658\360\5K\244\243\325\21\242\2556A\2\344\270]\257\341\316)\2\13k\25h\302(*p\262\324\251\3\6\341\204\360\220:I\4\272]O\3{\300I\266\245\315M\10\265\316\207\226\235\316\15 \272p\310M", ) \351\23!\311\346\242\231\37\2v\221\206\30\211|\333\334r\316\303p\250\337\246\2b\212\361\367\20341\4\251\212\225H\275\356\7.\352\204\3658\360\5K\244\243\325\21\242\2556A\2\344\270]\257\341\316)\2\13k\25h\302(*p\262\324\251\3\6\341\204\360\220:I\4\272]O\3{\300I\266\245\315M\10\265\316\207\226\235\316\15 \272p\310M", ) == 0x0
 00442  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00443  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "3\215]\214\253\321]\205"\234V\27i\366\18\370\354\250R\304j\33\210YsN|c\241\323\11\211\223\335\346\262\15\210h_\302`\330\271\374\375FB1\1\15\315\3066\301\245\315\225\17\225\307\13\21m\333\21kS\355+A\264\314\231k\341^G\345J+\305a\306\25F+\242\241\373\214\213s]\201\253o\246\301\26\314+@\25\24fv'\303\225\262\211\215B\21\31\375\325\315\343\377\0\263E\350\326@\321\303\313\14`\0_\226\201\205C\13\215\215\216@\271\210\307\261\360\326\314|\315\307D\221\236VH\20\16\334\36\360\24\16\377\11\340\306\21Bn\316S\357\36\301\213\217W\217\35\261-\347\21\203\310\14\17\20#6k\364\241O\347\211\223|!\26\15C_\14\217\276|\353>\317\326\11\307\351]sh\3437\266\220\220cY%\377*\20r\271\35\5\32\307d\370\33\304\206\352\276y\202:\245\351VB\371\307\31\20\241\333IM\257\234a\2\255\112d\254\246Y\6\357i\335\11\277\306\317\242\302\353S#\360\320O=A\1\325\5HX\2568\271\326T\263\254\2029\242C\337\333\260\272\344x\26\222\325K\234\377\250v;m\257\1\20%\336\356\10\311~u$\5\352\I\341U&\4\247\375=\232\204\266\n\244%-\300*\254}\211\206\341\224\214p\275Y\2U\303n\250\261\17\25\337\365\4\323-\246\270/\236\354\233\34\21\255\323B\22\353\301\13@\326\237\377Cc\307\377\14tsE\322\31o\36\344\304\311!Yjf\13\16+\324\376%4\302\357\336\232\271\206Fx\241E6\245\255\322)\2130\367A\245\225\215\340\310\361\14\315\205Z\360\2\313\234qs\275\311\274NQ\237\273h\342W\25\237\270\364\277\1\201\257\360\11N\372\336\226d\21A\224\240\220\225\222h\177)\20^\335\27x\377[\4", ) \234V\27i\366\18\370\354\250R\304j\33\210YsN|c\241\323\11\211\223\335\346\262\15\210h_\302`\330\271\374\375FB1\1\15\315\3066\301\245\315\225\17\225\307\13\21m\333\21kS\355+A\264\314\231k\341^G\345J+\305a\306\25F+\242\241\373\214\213s]\201\253o\246\301\26\314+@\25\24fv'\303\225\262\211\215B\21\31\375\325\315\343\377\0\263E\350\326@\321\303\313\14`\0_\226\201\205C\13\215\215\216@\271\210\307\261\360\326\314|\315\307D\221\236VH\20\16\334\36\360\24\16\377\11\340\306\21Bn\316S\357\36\301\213\217W\217\35\261-\347\21\203\310\14\17\20#6k\364\241O\347\211\223|!\26\15C_\14\217\276|\353>\317\326\11\307\351]sh\3437\266\220\220cY%\377*\20r\271\35\5\32\307d\370\33\304\206\352\276y\202:\245\351VB\371\307\31\20\241\333IM\257\234a\2\255\112d\254\246Y\6\357i\335\11\277\306\317\242\302\353S#\360\320O=A\1\325\5HX\2568\271\326T\263\254\2029\242C\337\333\260\272\344x\26\222\325K\234\377\250v;m\257\1\20%\336\356\10\311~u$\5\352\I\341U&\4\247\375=\232\204\266\n\244%-\300*\254}\211\206\341\224\214p\275Y\2U\303n\250\261\17\25\337\365\4\323-\246\270/\236\354\233\34\21\255\323B\22\353\301\13@\326\237\377Cc\307\377\14tsE\322\31o\36\344\304\311!Yjf\13\16+\324\376%4\302\357\336\232\271\206Fx\241E6\245\255\322)\2130\367A\245\225\215\340\310\361\14\315\205Z\360\2\313\234qs\275\311\274NQ\237\273h\342W\25\237\270\364\277\1\201\257\360\11N\372\336\226d\21A\224\240\220\225\222h\177)\20^\335\27x\377[\4", ) == 0x0
 00444  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (52, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00445  1736   NtReadFile  (44, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (44, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\351\206M\0\371\206M\0\315\226M\0\335\226M\0M\244M\0]\244M\0\255\247M\0\245\247M\0\275\247M\0\265\247M\0\215\247M\0\205\247M\0\235\247M\0\225\247M\0\355\247M\0\345\247M\0\11\247M\0\35\247M\0q\247M\0\265\246M\0\371\246M\0\1\246M\0y\246M\0\271\241M\09\241M\0A\241M\0-\243M\0Y\242M\0\231\275M\0\275\274M\0\11\274M\0\335\276M\0\325\270M\0\355\272M\0\201\265M\0a\265M\0\341\264M\0!\264M\0\325\267M\05\267M\0i\267M\0Y\267M\01\216H\0I\216H\0~\344J\0B\344J\0\253\347J\0\263\347J\0\235\347J\0\347\347J\0\300\347J\0-\347J\0\11\347J\0\20\347J\0}\347J\0A\347J\0W\347J\0\273\346J\0\201\346J\0\350\346J\0\371\346J\0\324\346J\0?\346J\0\36\346J\0x\346J\0Q\346J\0\262\341J\0\343\341J\0\306\341J\0;\341J\0h\341J\0H\341J\0\255\340J\0\220\340J\0\316\340J\0\325\340J\0;\340J\0\3\340J\0i\340J\0\177\340J\0E\340J\0\250\343J\0\263\343J\0\206\343J\0\355\343J\0\367\343J\0\320\343J\0-\343J\0#\343J\0:\343J\06\343J\0\265\315[\0\276\315T\0\275\315U\0\274\315W\0\255\315N\0\241\315J\0\257\315H\0\202\315V\0\264\315S\0\215\315m\0\201\315g\0\200\315l\0\212\315o\0\266\315h\0\217\315j\0\272\315\\0\273\315A\0\271\315C\0\246\315@\0\242\315G\0\240\315a\0\251\315O\0\250\315c\0\204\315M\0\251\315M\0\251\315M\0\251\315M@\215\265=$\230\377\3m\334\251=@\375\203\0U\355\235M@\215\265=$\230\370\3m", ) , ) == 0x0
 00446  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00447  1736   NtClose  (52, ... ) == 0x0
 00448  1736   NtClose  (44, ... ) == 0x0
 00449  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.tmp"}, 1242360, ... ) }, 1242360, ... ) == 0x0
 00450  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.tmp"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00451  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 44, ... 52, ) == 0x0
 00452  1736   NtClose  (44, ... ) == 0x0
 00453  1736   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa50000), 0x0, 176128, ) == 0x0
 00454  1736   NtClose  (52, ... ) == 0x0
 00455  1736   NtUnmapViewOfSection  (-1, 0xa50000, ... ) == 0x0
 00456  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0
 00457  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0
 00458  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.tmp"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00459  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 44, ) == 0x0
 00460  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00461  1736   NtClose  (52, ... ) == 0x0
 00462  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xa50000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00463  1736   NtMapViewOfSection  (44, -1, (0xa50000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00464  1736   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00465  1736   NtClose  (44, ... ) == 0x0
 00466  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 8, ) == 0x0
 00467  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 8, ... (0xac2000), 4096, 4, ) == 0x0
 00468  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00469  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00470  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00471  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00472  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00473  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00474  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00475  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00476  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00477  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00478  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 44, ) }, ... 44, ) == 0x0
 00479  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0
 00480  1736   NtClose  (44, ... ) == 0x0
 00481  1736   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00482  1736   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 00483  1736   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 00484  1736   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00485  1736   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 00486  1736   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 00487  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00488  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00489  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00490  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 44, ) }, ... 44, ) == 0x0
 00491  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00492  1736   NtClose  (44, ... ) == 0x0
 00493  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00494  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00495  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00496  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00497  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00498  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00499  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00500  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00501  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00502  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00503  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00504  1736   NtClose  (44, ... ) == 0x0
 00505  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00506  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00507  1736   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00508  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00509  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00510  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00511  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00512  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00513  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00514  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00515  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00516  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00517  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00518  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00519  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00520  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00521  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00522  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00523  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 44, ) }, ... 44, ) == 0x0
 00524  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00525  1736   NtClose  (44, ... ) == 0x0
 00526  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00527  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00528  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00529  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00530  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00531  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00532  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00533  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00534  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00535  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00536  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00537  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00538  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00539  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00540  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00541  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00542  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00543  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00544  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00545  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00546  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00547  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00548  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00549  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00550  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00551  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00552  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00553  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241872, ... ) }, 1241872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WSOCK32.DLL"}, 1241872, ... ) }, 1241872, ... ) == 0x0
 00556  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WSOCK32.DLL"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00557  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 52, ) == 0x0
 00558  1736   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00559  1736   NtClose  (44, ... ) == 0x0
 00560  1736   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 36864, ) == 0x0
 00561  1736   NtClose  (52, ... ) == 0x0
 00562  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241056, ... ) }, 1241056, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00564  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1241056, ... ) }, 1241056, ... ) == 0x0
 00565  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00566  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 44, ) == 0x0
 00567  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00568  1736   NtClose  (52, ... ) == 0x0
 00569  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00570  1736   NtClose  (44, ... ) == 0x0
 00571  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00572  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00573  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00574  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240240, ... ) }, 1240240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1240240, ... ) }, 1240240, ... ) == 0x0
 00577  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00578  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 52, ) == 0x0
 00579  1736   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00580  1736   NtClose  (44, ... ) == 0x0
 00581  1736   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00582  1736   NtClose  (52, ... ) == 0x0
 00583  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00584  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00585  1736   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00586  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00587  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00588  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00589  1736   NtProtectVirtualMemory  (-1, (0x71ad1000), 52, 4, ... (0x71ad1000), 4096, 32, ) == 0x0
 00590  1736   NtProtectVirtualMemory  (-1, (0x71ad1000), 4096, 32, ... (0x71ad1000), 4096, 4, ) == 0x0
 00591  1736   NtFlushInstructionCache  (-1, 1907167232, 52, ... ) == 0x0
 00592  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00593  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00594  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00595  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00596  1736   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 52, ) == 0x0
 00597  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 44, ) == 0x0
 00598  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 56, ) }, ... 56, ) == 0x0
 00599  1736   NtNotifyChangeKey  (56, 44, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103
 00600  1736   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00601  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 60, ) == 0x0
 00602  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0
 00603  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00605  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00606  1736   NtAllocateVirtualMemory  (-1, 11337728, 0, 4096, 4096, 4, ... 11337728, 4096, ) == 0x0
 00607  1736   NtAllocateVirtualMemory  (-1, 11341824, 0, 8192, 4096, 4, ... 11341824, 8192, ) == 0x0
 00608  1736   NtAllocateVirtualMemory  (-1, 11350016, 0, 4096, 4096, 4, ... 11350016, 4096, ) == 0x0
 00609  1736   NtAllocateVirtualMemory  (-1, 11354112, 0, 4096, 4096, 4, ... 11354112, 4096, ) == 0x0
 00610  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00611  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00612  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00613  1736   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00614  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLE32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00615  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 68, {status=0x0, info=0}, ) }, 7, 16, ... 68, {status=0x0, info=0}, ) == 0x0
 00616  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\212P^\224ZU\222\243W5\306uZH\212\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00617  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00618  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00619  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00620  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00621  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00622  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00623  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00624  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 00625  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "A[\32\373\\330\213\345t\301\246\340s\200\221s[Uf \372\2326\3149\264\314h=\352u\336\301\341\273\266U\2105\6,)\354 \1\303\217(\334r\311\232\333\3108K\261s\335\270\12\372\361\203#A\265\346\202\33\323q\325_x\346i\227", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "A[\32\373\\330\213\345t\301\246\340s\200\221s[Uf \372\2326\3149\264\314h=\352u\336\301\341\273\266U\2105\6,)\354 \1\303\217(\334r\311\232\333\3108K\261s\335\270\12\372\361\203#A\265\346\202\33\323q\325_x\346i\227", 80, ... ) , 80, ... ) == 0x0
 00626  1736   NtClose  (-2147482576, ... ) == 0x0
 00616  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "_F\5\365K\6w9\343^5D\20\274c'{\352W\203]\3318K\35 \350a3\20\351\301\4$\213\6h\356zm\334\372\322^\355\20l,\225\254\3139\206\231\351\340\314\210\377'\220n\244\377\221v;^Qd\373\377\241\3"5\226x\31h\222\352\245\200I|\3716\353\324\347E\3407\2521k\17\24<\226\331\326((xb\211\376\320\271\363\305y\234P\203\247\370\6\06p\211\352Eh\2360)\304`[\265\353g\331\377H\330\32\247;\3761\325E<\356\34:\7\25\26\314'W\274<\4\305\3b\210\21q\231\247\363\227Vm\342\201:3\247?/\333\3\226\361\362\15\212\360\14\256\235"9\204O\4\300\361F\347\307u\225\306\2001\215\341\357D5\20!t*\303, ) 5\226x\31h\222\352\245\200I|\3716\353\324\347E\3407\2521k\17\24<\226\331\326((xb\211\376\320\271\363\305y\234P\203\247\370\6\06p\211\352Eh\2360)\304`[\265\353g\331\377H\330\32\247;\3761\325E<\356\34:\7\25\26\314'W\274<\4\305\3b\210\21q\231\247\363\227Vm\342\201:3\247?/\333\3\226\361\362\15\212\360\14\256\235 ... {status=0x0, info=256}, "_F\5\365K\6w9\343^5D\20\274c'{\352W\203]\3318K\35 \350a3\20\351\301\4$\213\6h\356zm\334\372\322^\355\20l,\225\254\3139\206\231\351\340\314\210\377'\220n\244\377\221v;^Qd\373\377\241\3"5\226x\31h\222\352\245\200I|\3716\353\324\347E\3407\2521k\17\24<\226\331\326((xb\211\376\320\271\363\305y\234P\203\247\370\6\06p\211\352Eh\2360)\304`[\265\353g\331\377H\330\32\247;\3761\325E<\356\34:\7\25\26\314'W\274<\4\305\3b\210\21q\231\247\363\227Vm\342\201:3\247?/\333\3\226\361\362\15\212\360\14\256\235"9\204O\4\300\361F\347\307u\225\306\2001\215\341\357D5\20!t*\303, ) , ) == 0x0
 00627  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00628  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00629  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 72, ) }, ... 72, ) == 0x0
 00630  1736   NtQueryValueKey  (72,  (72, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00631  1736   NtClose  (72, ... ) == 0x0
 00632  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 72, ) }, ... 72, ) == 0x0
 00633  1736   NtQueryValueKey  (72,  (72, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634  1736   NtClose  (72, ... ) == 0x0
 00635  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00636  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00637  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00638  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00639  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 72, ) }, ... 72, ) == 0x0
 00640  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643  1736   NtClose  (72, ... ) == 0x0
 00644  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 72, ) }, ... 72, ) == 0x0
 00645  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00646  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00647  1736   NtClose  (72, ... ) == 0x0
 00648  1736   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 72, ) }, ... 72, ) == 0x0
 00649  1736   NtOpenEvent  (0x1f0003, {24, 72, 0x0, 0, 0,  (0x1f0003, {24, 72, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00651  1736   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00652  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00653  1736   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00654  1736   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00655  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00656  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00657  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00658  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00659  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00660  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00661  1736   NtQueryPerformanceCounter  (... {1106982175, 16}, {3579545, 0}, ) == 0x0
 00662  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fqe3.tmp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663  1736   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00664  1736   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 00665  1736   NtQueryVirtualMemory  (-1, 0x12f630, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00666  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 11534336, 1048576, ) == 0x0
 00667  1736   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00668  1736   NtAllocateVirtualMemory  (-1, 11534336, 0, 16384, 4096, 4, ... 11534336, 16384, ) == 0x0
 00669  1736   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00670  1736   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00671  1736   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672  1736   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673  1736   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00674  1736   NtQueryInformationToken  (76, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00675  1736   NtClose  (76, ... ) == 0x0
 00676  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.ENU"}, 1241100, ... ) }, 1241100, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.ENU"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.ENU.DLL"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00679  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.EN"}, 1241100, ... ) }, 1241100, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00680  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.EN"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00681  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\fqe3.EN.DLL"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00682  1736   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 76, ) == 0x0
 00683  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00684  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00685  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00686  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00687  1736   NtGdiCreatePaletteInternal  (1241804, 16, ... ) == 0x72080651
 00688  1736   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00689  1736   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00690  1736   NtUserFindExistingCursorIcon  (1242168, 1242184, 1242232, ... ) == 0x10003
 00691  1736   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\06\06\04\0", 28, 1242732, ... ) , 28, 1242732, ... ) == 0x0
 00692  1736   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\0A\05\00\00\00\00\00\00\00\00\00\06\0C\08\0", 52, 1242732, ... ) , 52, 1242732, ... ) == 0x0
 00693  1736   NtUserSystemParametersInfo  (104, 0, 11542084, 0, ... ) == 0x1
 00694  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10011
 00695  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10023
 00696  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00697  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00698  1736   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x540507cc
 00699  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00700  1736   NtGdiSelectBitmap  (-234813853, 1409615820, ... ) == 0x185000f
 00701  1736   NtGdiGetDCforBitmap  (1409615820, ... ) == 0xf2010663
 00702  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00703  1736   NtGdiSelectBitmap  (-234813853, 1409615820, ... ) == 0x540507cc
 00704  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00705  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00706  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11220492, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00707  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00708  1736   NtGdiSelectBitmap  (-234813853, 1409615820, ... ) == 0x540507cc
 00709  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00710  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x540507cc
 00711  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x46010482
 00712  1736   NtGdiExtGetObjectW  (1409615820, 24, 1241212, ... ) == 0x18
 00713  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x300503ba
 00714  1736   NtGdiSelectBitmap  (-234813853, 1409615820, ... ) == 0x185000f
 00715  1736   NtGdiSelectBitmap  (1174471810, 805635002, ... ) == 0x185000f
 00716  1736   NtGdiBitBlt  (1174471810, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00717  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x540507cc
 00718  1736   NtGdiSelectBitmap  (1174471810, 25493519, ... ) == 0x300503ba
 00719  1736   NtGdiDeleteObjectApp  (1409615820, ... ) == 0x1
 00720  1736   NtGdiDeleteObjectApp  (1174471810, ... ) == 0x1
 00721  1736   NtUserCallOneParam  (0, 33, ... ) == 0x6000a3
 00722  1736   NtUserSetCursorIconData  (6291619, 1241316, 1241332, 1241396, ... ) == 0x1
 00723  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10029
 00724  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10027
 00725  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10025
 00726  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00727  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00728  1736   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x570504d6
 00729  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00730  1736   NtGdiSelectBitmap  (-234813853, 1459946710, ... ) == 0x185000f
 00731  1736   NtGdiGetDCforBitmap  (1459946710, ... ) == 0xf2010663
 00732  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00733  1736   NtGdiSelectBitmap  (-234813853, 1459946710, ... ) == 0x570504d6
 00734  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00735  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00736  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11220800, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00737  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00738  1736   NtGdiSelectBitmap  (-234813853, 1459946710, ... ) == 0x570504d6
 00739  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00740  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x570504d6
 00741  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x560107cc
 00742  1736   NtGdiExtGetObjectW  (1459946710, 24, 1241212, ... ) == 0x18
 00743  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xeb0504a8
 00744  1736   NtGdiSelectBitmap  (-234813853, 1459946710, ... ) == 0x185000f
 00745  1736   NtGdiSelectBitmap  (1442908108, -351992664, ... ) == 0x185000f
 00746  1736   NtGdiBitBlt  (1442908108, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00747  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x570504d6
 00748  1736   NtGdiSelectBitmap  (1442908108, 25493519, ... ) == 0xeb0504a8
 00749  1736   NtGdiDeleteObjectApp  (1459946710, ... ) == 0x1
 00750  1736   NtGdiDeleteObjectApp  (1442908108, ... ) == 0x1
 00751  1736   NtUserCallOneParam  (0, 33, ... ) == 0x9500d3
 00752  1736   NtUserSetCursorIconData  (9765075, 1241316, 1241332, 1241396, ... ) == 0x1
 00753  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00754  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00755  1736   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x48050482
 00756  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00757  1736   NtGdiSelectBitmap  (-234813853, 1208288386, ... ) == 0x185000f
 00758  1736   NtGdiGetDCforBitmap  (1208288386, ... ) == 0xf2010663
 00759  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00760  1736   NtGdiSelectBitmap  (-234813853, 1208288386, ... ) == 0x48050482
 00761  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00762  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00763  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11221108, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00764  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00765  1736   NtGdiSelectBitmap  (-234813853, 1208288386, ... ) == 0x48050482
 00766  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00767  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x48050482
 00768  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x590104d6
 00769  1736   NtGdiExtGetObjectW  (1208288386, 24, 1241212, ... ) == 0x18
 00770  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x3505069c
 00771  1736   NtGdiSelectBitmap  (-234813853, 1208288386, ... ) == 0x185000f
 00772  1736   NtGdiSelectBitmap  (1493238998, 889521820, ... ) == 0x185000f
 00773  1736   NtGdiBitBlt  (1493238998, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00774  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x48050482
 00775  1736   NtGdiSelectBitmap  (1493238998, 25493519, ... ) == 0x3505069c
 00776  1736   NtGdiDeleteObjectApp  (1208288386, ... ) == 0x1
 00777  1736   NtGdiDeleteObjectApp  (1493238998, ... ) == 0x1
 00778  1736   NtUserCallOneParam  (0, 33, ... ) == 0x2e020d
 00779  1736   NtUserSetCursorIconData  (3015181, 1241316, 1241332, 1241396, ... ) == 0x1
 00780  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00781  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00782  1736   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x580507cc
 00783  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00784  1736   NtGdiSelectBitmap  (-234813853, 1476724684, ... ) == 0x185000f
 00785  1736   NtGdiGetDCforBitmap  (1476724684, ... ) == 0xf2010663
 00786  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00787  1736   NtGdiSelectBitmap  (-234813853, 1476724684, ... ) == 0x580507cc
 00788  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00789  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00790  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11221416, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00791  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00792  1736   NtGdiSelectBitmap  (-234813853, 1476724684, ... ) == 0x580507cc
 00793  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00794  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x580507cc
 00795  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x4a010482
 00796  1736   NtGdiExtGetObjectW  (1476724684, 24, 1241212, ... ) == 0x18
 00797  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x6e0507a9
 00798  1736   NtGdiSelectBitmap  (-234813853, 1476724684, ... ) == 0x185000f
 00799  1736   NtGdiSelectBitmap  (1241580674, 1845823401, ... ) == 0x185000f
 00800  1736   NtGdiBitBlt  (1241580674, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00801  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x580507cc
 00802  1736   NtGdiSelectBitmap  (1241580674, 25493519, ... ) == 0x6e0507a9
 00803  1736   NtGdiDeleteObjectApp  (1476724684, ... ) == 0x1
 00804  1736   NtGdiDeleteObjectApp  (1241580674, ... ) == 0x1
 00805  1736   NtUserCallOneParam  (0, 33, ... ) == 0x1401e3
 00806  1736   NtUserSetCursorIconData  (1311203, 1241316, 1241332, 1241396, ... ) == 0x1
 00807  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00808  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00809  1736   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x5b0504d6
 00810  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00811  1736   NtGdiSelectBitmap  (-234813853, 1527055574, ... ) == 0x185000f
 00812  1736   NtGdiGetDCforBitmap  (1527055574, ... ) == 0xf2010663
 00813  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00814  1736   NtGdiSelectBitmap  (-234813853, 1527055574, ... ) == 0x5b0504d6
 00815  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00816  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00817  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11221724, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00818  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00819  1736   NtGdiSelectBitmap  (-234813853, 1527055574, ... ) == 0x5b0504d6
 00820  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00821  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x5b0504d6
 00822  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x5a0107cc
 00823  1736   NtGdiExtGetObjectW  (1527055574, 24, 1241212, ... ) == 0x18
 00824  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xe40505cb
 00825  1736   NtGdiSelectBitmap  (-234813853, 1527055574, ... ) == 0x185000f
 00826  1736   NtGdiSelectBitmap  (1510016972, -469432885, ... ) == 0x185000f
 00827  1736   NtGdiBitBlt  (1510016972, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00828  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x5b0504d6
 00829  1736   NtGdiSelectBitmap  (1510016972, 25493519, ... ) == 0xe40505cb
 00830  1736   NtGdiDeleteObjectApp  (1527055574, ... ) == 0x1
 00831  1736   NtGdiDeleteObjectApp  (1510016972, ... ) == 0x1
 00832  1736   NtUserCallOneParam  (0, 33, ... ) == 0x701bd
 00833  1736   NtUserSetCursorIconData  (459197, 1241316, 1241332, 1241396, ... ) == 0x1
 00834  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00835  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00836  1736   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x4c050482
 00837  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00838  1736   NtGdiSelectBitmap  (-234813853, 1275397250, ... ) == 0x185000f
 00839  1736   NtGdiGetDCforBitmap  (1275397250, ... ) == 0xf2010663
 00840  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00841  1736   NtGdiSelectBitmap  (-234813853, 1275397250, ... ) == 0x4c050482
 00842  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00843  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00844  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11222340, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00845  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00846  1736   NtGdiSelectBitmap  (-234813853, 1275397250, ... ) == 0x4c050482
 00847  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00848  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x4c050482
 00849  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x5d0104d6
 00850  1736   NtGdiExtGetObjectW  (1275397250, 24, 1241212, ... ) == 0x18
 00851  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x4705066c
 00852  1736   NtGdiSelectBitmap  (-234813853, 1275397250, ... ) == 0x185000f
 00853  1736   NtGdiSelectBitmap  (1560347862, 1191511660, ... ) == 0x185000f
 00854  1736   NtGdiBitBlt  (1560347862, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00855  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x4c050482
 00856  1736   NtGdiSelectBitmap  (1560347862, 25493519, ... ) == 0x4705066c
 00857  1736   NtGdiDeleteObjectApp  (1275397250, ... ) == 0x1
 00858  1736   NtGdiDeleteObjectApp  (1560347862, ... ) == 0x1
 00859  1736   NtUserCallOneParam  (0, 33, ... ) == 0x210297
 00860  1736   NtUserSetCursorIconData  (2163351, 1241316, 1241332, 1241396, ... ) == 0x1
 00861  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00862  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00863  1736   NtGdiCreateDIBitmapInternal  (16842836, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x5c0507cc
 00864  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00865  1736   NtGdiSelectBitmap  (-234813853, 1543833548, ... ) == 0x185000f
 00866  1736   NtGdiGetDCforBitmap  (1543833548, ... ) == 0xf2010663
 00867  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00868  1736   NtGdiSelectBitmap  (-234813853, 1543833548, ... ) == 0x5c0507cc
 00869  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00870  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00871  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11222032, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00872  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00873  1736   NtGdiSelectBitmap  (-234813853, 1543833548, ... ) == 0x5c0507cc
 00874  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00875  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x5c0507cc
 00876  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x4e010482
 00877  1736   NtGdiExtGetObjectW  (1543833548, 24, 1241212, ... ) == 0x18
 00878  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xb8050697
 00879  1736   NtGdiSelectBitmap  (-234813853, 1543833548, ... ) == 0x185000f
 00880  1736   NtGdiSelectBitmap  (1308689538, -1207630185, ... ) == 0x185000f
 00881  1736   NtGdiBitBlt  (1308689538, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00882  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x5c0507cc
 00883  1736   NtGdiSelectBitmap  (1308689538, 25493519, ... ) == 0xb8050697
 00884  1736   NtGdiDeleteObjectApp  (1543833548, ... ) == 0x1
 00885  1736   NtGdiDeleteObjectApp  (1308689538, ... ) == 0x1
 00886  1736   NtUserCallOneParam  (0, 33, ... ) == 0x420281
 00887  1736   NtUserSetCursorIconData  (4326017, 1241316, 1241332, 1241396, ... ) == 0x1
 00888  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10015
 00889  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10019
 00890  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001f
 00891  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001b
 00892  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10021
 00893  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001d
 00894  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10013
 00895  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10017
 00896  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10011
 00897  1736   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00898  1736   NtUserGetDC  (0, ... ) == 0x1010054
 00899  1736   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00900  1736   NtUserEnumDisplayMonitors  (0, 0, 10945124, 11542664, ... ) == 0x1
 00901  1736   NtUserSystemParametersInfo  (31, 60, 1241032, 0, ... ) == 0x1
 00902  1736   NtGdiHfontCreate  (1241912, 356, 0, 0, 1329240, ... ) == 0x4f0a0482
 00903  1736   NtGdiExtGetObjectW  (1326056578, 420, 1241736, ... ) == 0x164
 00904  1736   NtUserSystemParametersInfo  (41, 0, 1241232, 0, ... ) == 0x1
 00905  1736   NtGdiHfontCreate  (1241912, 356, 0, 0, 1329232, ... ) == 0x5f0a04d6
 00906  1736   NtGdiExtGetObjectW  (1594492118, 420, 1241736, ... ) == 0x164
 00907  1736   NtGdiHfontCreate  (1241912, 356, 0, 0, 1329224, ... ) == 0x5d0a07cc
 00908  1736   NtGdiExtGetObjectW  (1560938444, 420, 1241736, ... ) == 0x164
 00909  1736   NtUserFindExistingCursorIcon  (1241812, 1241828, 1241876, ... ) == 0x0
 00910  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 11403264, 4096, ) == 0x0
 00911  1736   NtUserGetKeyboardLayoutList  (64, 1242400, ... ) == 0x1
 00912  1736   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc13a
 00913  1736   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc13b
 00914  1736   NtOpenMutant  (0x1f0001, {24, 72, 0x0, 0, 0,  (0x1f0001, {24, 72, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00915  1736   NtUserSetWindowsHookEx  (10813440, 1243784, 0, 4, 10821308, 2, ... ) == 0x35026b
 00916  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SIWVID"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\NTICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919  1736   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Wine"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00920  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00921  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00922  1736   NtQueryVirtualMemory  (-1, 0x5acbb9, Basic, 28, ... {BaseAddress=0x5ac000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x5b000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00923  1736   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00924  1736   NtContinue  (1244368, 0, ...
 00925  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00926  1736   NtQueryInformationFile  (80, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00927  1736   NtAllocateVirtualMemory  (-1, 0, 0, 984576, 4096, 64, ... 12582912, 987136, ) == 0x0
 00928  1736   NtReadFile  (80, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576},  (80, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\27\206 \244S\347N\367S\347N\367S\347N\367S\347O\367\332\346N\367\220\350\23\367P\347N\367\220\350\22\367R\347N\367\220\350\20\367R\347N\367\220\350A\367V\347N\367\220\350\21\367\216\347N\367\220\350.\367W\347N\367\220\350\24\367R\347N\367RichS\347N\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\325\233#F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0"\10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0"\10\0", ) \10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0 (80, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\27\206 \244S\347N\367S\347N\367S\347N\367S\347O\367\332\346N\367\220\350\23\367P\347N\367\220\350\22\367R\347N\367\220\350\20\367R\347N\367\220\350A\367V\347N\367\220\350\21\367\216\347N\367\220\350.\367W\347N\367\220\350\24\367R\347N\367RichS\347N\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\325\233#F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0"\10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0"\10\0", ) , ) == 0x0
 00929  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\system32\USER32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) == 0x0
 00930  1736   NtQueryInformationFile  (84, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00931  1736   NtAllocateVirtualMemory  (-1, 0, 0, 577536, 4096, 64, ... 13631488, 577536, ) == 0x0
 00932  1736   NtReadFile  (84, 0, 0, 0, 577536, 0x0, 0, ... {status=0x0, info=577536},  (84, 0, 0, 0, 577536, 0x0, 0, ... {status=0x0, info=577536}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\376\7\341\342\272f\217\261\272f\217\261\272f\217\261\272f\216\261\361g\217\261yi\322\261\275f\217\261yi\323\261\273f\217\261yi\321\261\273f\217\261yi\200\261\262f\217\261yi\320\261\315f\217\261yi\325\261\273f\217\261Rich\272f\217\261\0\0\0\0\0\0\0\0PE\0\0L\1\4\0|-\360E\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\360\5\0\0\342\2\0\0\0\0\0f\351\1\0\0\20\0\0\0\260\5\0\0\0A~\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\0\11\0\0\4\0\0\341@\11\0\2\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\3708\0\0\251K\0\0\250\343\5\0P\0\0\0\0 \6\0\230\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\10\0\350-\0\0\210\377\5\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\355\3\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\344\4\0\0\234\340\5\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\347\357\5\0\0\20\0\0\0\360\5\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00933  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244956,  (0x80100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\system32\ADVAPI32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) == 0x0
 00934  1736   NtQueryInformationFile  (88, 1245008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00935  1736   NtAllocateVirtualMemory  (-1, 0, 0, 616960, 4096, 64, ... 14221312, 618496, ) == 0x0
 00936  1736   NtReadFile  (88, 0, 0, 0, 616960, 0x0, 0, ... {status=0x0, info=616960},  (88, 0, 0, 0, 616960, 0x0, 0, ... {status=0x0, info=616960}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\250j\342h\354\13\214;\354\13\214;\354\13\214;/\4\321;\353\13\214;/\4\203;\341\13\214;=\7\323;\356\13\214;\354\13\215;T\12\214;/\4\320;\355\13\214;/\4\322;\355\13\214;/\4\354;\361\13\214;/\4\323;~\13\214;/\4\326;\355\13\214;Rich\354\13\214;\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\247\226\20A\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0D\7\0\0<\2\0\0\0\0\0\324p\0\0\0\20\0\0\0 \7\0\0\0\335w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\260\11\0\0\4\0\0\344\15\12\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\244\26\0\0\23R\0\04(\7\0P\0\0\0\0\260\7\0\200\251\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\11\08K\0\0xR\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0V\2\0H\0\0\0\210\2\0\0L\0\0\0\0\20\0\0\244\6\0\0\340&\7\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\331B\7\0", ) , ) == 0x0
 00937  1736   NtClose  (88, ... ) == 0x0
 00938  1736   NtClose  (84, ... ) == 0x0
 00939  1736   NtClose  (80, ... ) == 0x0
 00940  1736   NtRaiseException  (1244376, 1243636, 1, ...
 00941  1736   NtQueryVirtualMemory  (-1, 0x7c85a0a0, Basic, 28, ... {BaseAddress=0x7c85a000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x2a000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00942  1736   NtContinue  (1242596, 0, ...
 00943  1736   NtOpenMutant  (0x120001, {24, 72, 0x2, 0, 0,  (0x120001, {24, 72, 0x2, 0, 0, "DBWinMutex"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944  1736   NtCreateMutant  (0x1f0001, {24, 72, 0x82, 1244396, 0,  (0x1f0001, {24, 72, 0x82, 1244396, 0, "DBWinMutex"}, 0, ... 80, ) }, 0, ... 80, ) == 0x0
 00945  1736   NtWaitForSingleObject  (80, 0, 0x0, ... ) == 0x0
 00946  1736   NtOpenSection  (0x2, {24, 72, 0x0, 0, 0,  (0x2, {24, 72, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947  1736   NtReleaseMutant  (80, ... 0x0, ) == 0x0
 00948  1736   NtAllocateVirtualMemory  (-1, 0, 0, 748, 4096, 4, ... 14876672, 4096, ) == 0x0
 00949  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\winmm.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00951  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\winmm.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 00952  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\winmm.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 00953  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 84, ... 88, ) == 0x0
 00954  1736   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00955  1736   NtClose  (84, ... ) == 0x0
 00956  1736   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 184320, ) == 0x0
 00957  1736   NtClose  (88, ... ) == 0x0
 00958  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00959  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00960  1736   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00961  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00962  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00963  1736   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00964  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00965  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00966  1736   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00967  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00968  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00969  1736   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00970  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00972  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00973  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00974  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 96, ) }, ... 96, ) == 0x0
 00975  1736   NtQueryValueKey  (96,  (96, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00976  1736   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 14942208, 524288, ) == 0x0
 00977  1736   NtAllocateVirtualMemory  (-1, 14942208, 0, 4096, 4096, 4, ... 14942208, 4096, ) == 0x0
 00978  1736   NtQueryValueKey  (96,  (96, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00979  1736   NtQueryValueKey  (96,  (96, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00980  1736   NtQueryValueKey  (96,  (96, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00981  1736   NtQueryValueKey  (96,  (96, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00982  1736   NtQueryValueKey  (96,  (96, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983  1736   NtQueryValueKey  (96,  (96, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984  1736   NtQueryValueKey  (96,  (96, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985  1736   NtQueryValueKey  (96,  (96, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986  1736   NtQueryValueKey  (96,  (96, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987  1736   NtQueryValueKey  (96,  (96, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988  1736   NtQueryValueKey  (96,  (96, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00989  1736   NtQueryValueKey  (96,  (96, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00990  1736   NtQueryValueKey  (96,  (96, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00991  1736   NtQueryValueKey  (96,  (96, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00992  1736   NtQueryValueKey  (96,  (96, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00993  1736   NtQueryValueKey  (96,  (96, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994  1736   NtQueryValueKey  (96,  (96, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00995  1736   NtQueryValueKey  (96,  (96, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00996  1736   NtQueryValueKey  (96,  (96, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00997  1736   NtQueryValueKey  (96,  (96, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00998  1736   NtQueryValueKey  (96,  (96, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00999  1736   NtQueryValueKey  (96,  (96, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01000  1736   NtQueryValueKey  (96,  (96, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001  1736   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 01002  1736   NtQueryValueKey  (96,  (96, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01003  1736   NtQueryValueKey  (96,  (96, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01004  1736   NtQueryValueKey  (96,  (96, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01005  1736   NtQueryValueKey  (96,  (96, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01006  1736   NtQueryValueKey  (96,  (96, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01007  1736   NtQueryValueKey  (96,  (96, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008  1736   NtQueryValueKey  (96,  (96, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009  1736   NtQueryValueKey  (96,  (96, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010  1736   NtQueryValueKey  (96,  (96, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01011  1736   NtQueryValueKey  (96,  (96, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012  1736   NtQueryValueKey  (96,  (96, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013  1736   NtQueryValueKey  (96,  (96, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01014  1736   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc076
 01015  1736   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 100, ) }, ... 100, ) == 0x0
 01016  1736   NtQueryValueKey  (100,  (100, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01017  1736   NtClose  (100, ... ) == 0x0
 01018  1736   NtCreateEvent  (0x1f0003, {24, 72, 0x80, 0, 0,  (0x1f0003, {24, 72, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01019  1736   NtQueryValueKey  (96,  (96, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01020  1736   NtQueryValueKey  (96,  (96, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01021  1736   NtQueryValueKey  (96,  (96, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01022  1736   NtQueryValueKey  (96,  (96, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01023  1736   NtQueryValueKey  (96,  (96, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024  1736   NtQueryValueKey  (96,  (96, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01025  1736   NtQueryValueKey  (96,  (96, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026  1736   NtQueryValueKey  (96,  (96, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027  1736   NtQueryValueKey  (96,  (96, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01028  1736   NtQueryValueKey  (96,  (96, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01029  1736   NtQueryValueKey  (96,  (96, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01030  1736   NtQueryValueKey  (96,  (96, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01031  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15466496, 1048576, ) == 0x0
 01032  1736   NtAllocateVirtualMemory  (-1, 16506880, 0, 8192, 4096, 4, ... 16506880, 8192, ) == 0x0
 01033  1736   NtProtectVirtualMemory  (-1, (0xfbe000), 4096, 260, ... (0xfbe000), 4096, 4, ) == 0x0
 01034  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 100, {1636, 1356}, ) == 0x0
 01035  1736   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0
 01036  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 5986764, 0, 65535, 2147348480}  (24, {28, 56, new_msg, 0, 5986764, 0, 65535, 2147348480} "\0\0\0\0\1\0\1\0\\23\264v\334\343\200|d\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|d\0\0\0d\6\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 5986764, 0, 65535, 2147348480} "\0\0\0\0\1\0\1\0\\23\264v\334\343\200|d\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|d\0\0\0d\6\0\0L\5\0\0" )  ) == 0x0
 01037  1736   NtResumeThread  (100, ... 1, ) == 0x0
 01038  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16515072, 1048576, ) == 0x0
 01039  1736   NtAllocateVirtualMemory  (-1, 17555456, 0, 8192, 4096, 4, ... 17555456, 8192, ) == 0x0
 01040  1736   NtProtectVirtualMemory  (-1, (0x10be000), 4096, 260, ...
 01041  1356   NtTestAlert  (... ) == 0x0
 01042  1356   NtContinue  (16514352, 1, ...
 01043  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01044  1356   NtDelayExecution  (0, {-150000, -1}, ...
 01040  1736   NtProtectVirtualMemory  ... (0x10be000), 4096, 4, ) == 0x0
 01045  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 104, {1636, 868}, ) == 0x0
 01046  1736   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1636,Tid=868,}, 0x0, ) == 0x0
 01047  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|h\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|h\0\0\0d\6\0\0d\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|h\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|h\0\0\0d\6\0\0d\3\0\0" )  ) == 0x0
 01048  1736   NtResumeThread  (104, ... 1, ) == 0x0
 01049  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17563648, 1048576, ) == 0x0
 01050   868   NtTestAlert  (... ) == 0x0
 01051   868   NtContinue  (17562928, 1, ...
 01052   868   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01053   868   NtDelayExecution  (0, {-150000, -1}, ...
 01054  1736   NtAllocateVirtualMemory  (-1, 18604032, 0, 8192, 4096, 4, ... 18604032, 8192, ) == 0x0
 01055  1736   NtProtectVirtualMemory  (-1, (0x11be000), 4096, 260, ... (0x11be000), 4096, 4, ) == 0x0
 01056  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 108, {1636, 808}, ) == 0x0
 01057  1736   NtQueryInformationThread  (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=808,}, 0x0, ) == 0x0
 01058  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|l\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|l\0\0\0d\6\0\0(\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|l\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|l\0\0\0d\6\0\0(\3\0\0" )  ) == 0x0
 01059  1736   NtResumeThread  (108, ... 1, ) == 0x0
 01060  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18612224, 1048576, ) == 0x0
 01061  1736   NtAllocateVirtualMemory  (-1, 19652608, 0, 8192, 4096, 4, ... 19652608, 8192, ) == 0x0
 01062  1736   NtProtectVirtualMemory  (-1, (0x12be000), 4096, 260, ...
 01063   808   NtTestAlert  (... ) == 0x0
 01064   808   NtContinue  (18611504, 1, ...
 01065   808   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01066   808   NtDelayExecution  (0, {-150000, -1}, ...
 01062  1736   NtProtectVirtualMemory  ... (0x12be000), 4096, 4, ) == 0x0
 01067  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 112, {1636, 2020}, ) == 0x0
 01068  1736   NtQueryInformationThread  (112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0
 01069  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|p\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|p\0\0\0d\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|p\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|p\0\0\0d\6\0\0\344\7\0\0" )  ) == 0x0
 01070  1736   NtResumeThread  (112, ... 1, ) == 0x0
 01071  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19660800, 1048576, ) == 0x0
 01072  2020   NtTestAlert  (... ) == 0x0
 01073  2020   NtContinue  (19660080, 1, ...
 01074  2020   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01075  2020   NtDelayExecution  (0, {-150000, -1}, ...
 01076  1736   NtAllocateVirtualMemory  (-1, 20701184, 0, 8192, 4096, 4, ... 20701184, 8192, ) == 0x0
 01077  1736   NtProtectVirtualMemory  (-1, (0x13be000), 4096, 260, ... (0x13be000), 4096, 4, ) == 0x0
 01078  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 116, {1636, 896}, ) == 0x0
 01079  1736   NtQueryInformationThread  (116, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=896,}, 0x0, ) == 0x0
 01080  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|t\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|t\0\0\0d\6\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|t\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|t\0\0\0d\6\0\0\200\3\0\0" )  ) == 0x0
 01081  1736   NtResumeThread  (116, ... 1, ) == 0x0
 01082  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20709376, 1048576, ) == 0x0
 01083  1736   NtAllocateVirtualMemory  (-1, 21749760, 0, 8192, 4096, 4, ... 21749760, 8192, ) == 0x0
 01084  1736   NtProtectVirtualMemory  (-1, (0x14be000), 4096, 260, ...
 01085   896   NtTestAlert  (... ) == 0x0
 01086   896   NtContinue  (20708656, 1, ...
 01087   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01088   896   NtDelayExecution  (0, {-150000, -1}, ...
 01084  1736   NtProtectVirtualMemory  ... (0x14be000), 4096, 4, ) == 0x0
 01089  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 120, {1636, 1252}, ) == 0x0
 01090  1736   NtQueryInformationThread  (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0
 01091  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|x\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|x\0\0\0d\6\0\0\344\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|x\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|x\0\0\0d\6\0\0\344\4\0\0" )  ) == 0x0
 01092  1736   NtResumeThread  (120, ... 1, ) == 0x0
 01093  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21757952, 1048576, ) == 0x0
 01094  1252   NtTestAlert  (... ) == 0x0
 01095  1252   NtContinue  (21757232, 1, ...
 01096  1252   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01097  1252   NtDelayExecution  (0, {-150000, -1}, ...
 01098  1736   NtAllocateVirtualMemory  (-1, 22798336, 0, 8192, 4096, 4, ... 22798336, 8192, ) == 0x0
 01099  1736   NtProtectVirtualMemory  (-1, (0x15be000), 4096, 260, ... (0x15be000), 4096, 4, ) == 0x0
 01100  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 124, {1636, 2016}, ) == 0x0
 01101  1736   NtQueryInformationThread  (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0
 01102  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200||\0\0\0d\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200||\0\0\0d\6\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200||\0\0\0d\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200||\0\0\0d\6\0\0\340\7\0\0" )  ) == 0x0
 01103  1736   NtResumeThread  (124, ... 1, ) == 0x0
 01104  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22806528, 1048576, ) == 0x0
 01105  1736   NtAllocateVirtualMemory  (-1, 23846912, 0, 8192, 4096, 4, ... 23846912, 8192, ) == 0x0
 01106  1736   NtProtectVirtualMemory  (-1, (0x16be000), 4096, 260, ...
 01107  2016   NtTestAlert  (... ) == 0x0
 01108  2016   NtContinue  (22805808, 1, ...
 01109  2016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01110  2016   NtDelayExecution  (0, {-150000, -1}, ...
 01106  1736   NtProtectVirtualMemory  ... (0x16be000), 4096, 4, ) == 0x0
 01111  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 128, {1636, 2012}, ) == 0x0
 01112  1736   NtQueryInformationThread  (128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0
 01113  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\200\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\200\0\0\0d\6\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\200\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\200\0\0\0d\6\0\0\334\7\0\0" )  ) == 0x0
 01114  1736   NtResumeThread  (128, ... 1, ) == 0x0
 01115  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01116  2012   NtTestAlert  (... ) == 0x0
 01117  2012   NtContinue  (23854384, 1, ...
 01118  2012   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01119  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 01120  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0
 01121  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 01122  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01123  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01124  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01125  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 01126  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01127  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 01128  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0
 01129  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0
 01130  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0
 01131  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0
 01132  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0
 01133  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0
 01134  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01135  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23855104, 1048576, ) == 0x0
 01136  1736   NtAllocateVirtualMemory  (-1, 24895488, 0, 8192, 4096, 4, ... 24895488, 8192, ) == 0x0
 01137  1736   NtProtectVirtualMemory  (-1, (0x17be000), 4096, 260, ... (0x17be000), 4096, 4, ) == 0x0
 01138  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 196, {1636, 1028}, ) == 0x0
 01139  1736   NtQueryInformationThread  (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0
 01140  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872}  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\304\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0d\6\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\304\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0d\6\0\0\4\4\0\0" )  ) == 0x0
 01141  1736   NtResumeThread  (196, ... 1, ) == 0x0
 01142  1736   NtSetInformationThread  (196, BasePriority, {thread info, class 3, size 4}, 4, ...
 01143  1028   NtTestAlert  (... ) == 0x0
 01144  1028   NtContinue  (24902960, 1, ...
 01145  1028   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01146  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 01142  1736   NtSetInformationThread  ... ) == 0x0
 01147  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24903680, 1048576, ) == 0x0
 01148  1736   NtAllocateVirtualMemory  (-1, 25944064, 0, 8192, 4096, 4, ... 25944064, 8192, ) == 0x0
 01149  1736   NtProtectVirtualMemory  (-1, (0x18be000), 4096, 260, ... (0x18be000), 4096, 4, ) == 0x0
 01150  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 200, {1636, 384}, ) == 0x0
 01151  1736   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=384,}, 0x0, ) == 0x0
 01152  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0d\6\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0d\6\0\0\200\1\0\0" )  ) == 0x0
 01153  1736   NtResumeThread  (200, ... 1, ) == 0x0
 01154  1736   NtSetInformationThread  (200, BasePriority, {thread info, class 3, size 4}, 4, ...
 01155   384   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01156   384   NtTestAlert  (... ) == 0x0
 01157   384   NtContinue  (25951536, 1, ...
 01158   384   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01159   384   NtWaitForSingleObject  (136, 0, 0x0, ...
 01154  1736   NtSetInformationThread  ... ) == 0x0
 01160  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25952256, 1048576, ) == 0x0
 01161  1736   NtAllocateVirtualMemory  (-1, 26992640, 0, 8192, 4096, 4, ... 26992640, 8192, ) == 0x0
 01162  1736   NtProtectVirtualMemory  (-1, (0x19be000), 4096, 260, ... (0x19be000), 4096, 4, ) == 0x0
 01163  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 204, {1636, 1180}, ) == 0x0
 01164  1736   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0
 01165  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0d\6\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0d\6\0\0\234\4\0\0" )  ) == 0x0
 01166  1736   NtResumeThread  (204, ... 1, ) == 0x0
 01167  1736   NtSetInformationThread  (204, BasePriority, {thread info, class 3, size 4}, 4, ...
 01168  1180   NtTestAlert  (... ) == 0x0
 01169  1180   NtContinue  (27000112, 1, ...
 01170  1180   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01171  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 01167  1736   NtSetInformationThread  ... ) == 0x0
 01172  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27000832, 1048576, ) == 0x0
 01173  1736   NtAllocateVirtualMemory  (-1, 28041216, 0, 8192, 4096, 4, ... 28041216, 8192, ) == 0x0
 01174  1736   NtProtectVirtualMemory  (-1, (0x1abe000), 4096, 260, ... (0x1abe000), 4096, 4, ) == 0x0
 01175  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 208, {1636, 420}, ) == 0x0
 01176  1736   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=420,}, 0x0, ) == 0x0
 01177  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0d\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0d\6\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0d\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0d\6\0\0\244\1\0\0" )  ) == 0x0
 01178  1736   NtResumeThread  (208, ... 1, ) == 0x0
 01179   420   NtTestAlert  (... ) == 0x0
 01180   420   NtContinue  (28048688, 1, ...
 01181   420   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01182   420   NtWaitForSingleObject  (144, 0, 0x0, ...
 01183  1736   NtSetInformationThread  (208, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01184  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28049408, 1048576, ) == 0x0
 01185  1736   NtAllocateVirtualMemory  (-1, 29089792, 0, 8192, 4096, 4, ... 29089792, 8192, ) == 0x0
 01186  1736   NtProtectVirtualMemory  (-1, (0x1bbe000), 4096, 260, ... (0x1bbe000), 4096, 4, ) == 0x0
 01187  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 212, {1636, 596}, ) == 0x0
 01188  1736   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=596,}, 0x0, ) == 0x0
 01189  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0d\6\0\0T\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0d\6\0\0T\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0d\6\0\0T\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0d\6\0\0T\2\0\0" )  ) == 0x0
 01190  1736   NtResumeThread  (212, ... 1, ) == 0x0
 01191  1736   NtSetInformationThread  (212, BasePriority, {thread info, class 3, size 4}, 4, ...
 01192   596   NtTestAlert  (... ) == 0x0
 01193   596   NtContinue  (29097264, 1, ...
 01194   596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01195   596   NtWaitForSingleObject  (148, 0, 0x0, ...
 01191  1736   NtSetInformationThread  ... ) == 0x0
 01196  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29097984, 1048576, ) == 0x0
 01197  1736   NtAllocateVirtualMemory  (-1, 30138368, 0, 8192, 4096, 4, ... 30138368, 8192, ) == 0x0
 01198  1736   NtProtectVirtualMemory  (-1, (0x1cbe000), 4096, 260, ... (0x1cbe000), 4096, 4, ) == 0x0
 01199  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 216, {1636, 376}, ) == 0x0
 01200  1736   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=376,}, 0x0, ) == 0x0
 01201  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0d\6\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0d\6\0\0x\1\0\0" )  ) == 0x0
 01202  1736   NtResumeThread  (216, ... 1, ) == 0x0
 01203  1736   NtSetInformationThread  (216, BasePriority, {thread info, class 3, size 4}, 4, ...
 01204   376   NtTestAlert  (... ) == 0x0
 01205   376   NtContinue  (30145840, 1, ...
 01206   376   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01207   376   NtWaitForSingleObject  (152, 0, 0x0, ...
 01203  1736   NtSetInformationThread  ... ) == 0x0
 01208  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30146560, 1048576, ) == 0x0
 01209  1736   NtAllocateVirtualMemory  (-1, 31186944, 0, 8192, 4096, 4, ... 31186944, 8192, ) == 0x0
 01044  1356   NtDelayExecution  ... ) == 0x0
 01210  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 01053   868   NtDelayExecution  ... ) == 0x0
 01211   868   NtDelayExecution  (0, {-20010000, -1}, ...
 01066   808   NtDelayExecution  ... ) == 0x0
 01212   808   NtDelayExecution  (0, {-20010000, -1}, ...
 01075  2020   NtDelayExecution  ... ) == 0x0
 01213  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 01088   896   NtDelayExecution  ... ) == 0x0
 01214   896   NtDelayExecution  (0, {-20010000, -1}, ...
 01097  1252   NtDelayExecution  ... ) == 0x0
 01215  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 01110  2016   NtDelayExecution  ... ) == 0x0
 01216  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 01217  1736   NtProtectVirtualMemory  (-1, (0x1dbe000), 4096, 260, ... (0x1dbe000), 4096, 4, ) == 0x0
 01218  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 220, {1636, 1168}, ) == 0x0
 01219  1736   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0
 01220  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0d\6\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0d\6\0\0\220\4\0\0" )  ) == 0x0
 01221  1736   NtResumeThread  (220, ... 1, ) == 0x0
 01222  1736   NtSetInformationThread  (220, BasePriority, {thread info, class 3, size 4}, 4, ...
 01223  1168   NtTestAlert  (... ) == 0x0
 01224  1168   NtContinue  (31194416, 1, ...
 01225  1168   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01226  1168   NtWaitForSingleObject  (156, 0, 0x0, ...
 01222  1736   NtSetInformationThread  ... ) == 0x0
 01227  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31195136, 1048576, ) == 0x0
 01228  1736   NtAllocateVirtualMemory  (-1, 32235520, 0, 8192, 4096, 4, ... 32235520, 8192, ) == 0x0
 01229  1736   NtProtectVirtualMemory  (-1, (0x1ebe000), 4096, 260, ... (0x1ebe000), 4096, 4, ) == 0x0
 01230  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 224, {1636, 120}, ) == 0x0
 01231  1736   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=120,}, 0x0, ) == 0x0
 01232  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0d\6\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0d\6\0\0x\0\0\0" )  ) == 0x0
 01233  1736   NtResumeThread  (224, ... 1, ) == 0x0
 01234  1736   NtSetInformationThread  (224, BasePriority, {thread info, class 3, size 4}, 4, ...
 01235   120   NtTestAlert  (... ) == 0x0
 01236   120   NtContinue  (32242992, 1, ...
 01237   120   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01238   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 01234  1736   NtSetInformationThread  ... ) == 0x0
 01239  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32243712, 1048576, ) == 0x0
 01240  1736   NtAllocateVirtualMemory  (-1, 33284096, 0, 8192, 4096, 4, ... 33284096, 8192, ) == 0x0
 01241  1736   NtProtectVirtualMemory  (-1, (0x1fbe000), 4096, 260, ... (0x1fbe000), 4096, 4, ) == 0x0
 01242  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 228, {1636, 928}, ) == 0x0
 01243  1736   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=928,}, 0x0, ) == 0x0
 01244  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0d\6\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0d\6\0\0\240\3\0\0" )  ) == 0x0
 01245  1736   NtResumeThread  (228, ... 1, ) == 0x0
 01246  1736   NtSetInformationThread  (228, BasePriority, {thread info, class 3, size 4}, 4, ...
 01247   928   NtTestAlert  (... ) == 0x0
 01248   928   NtContinue  (33291568, 1, ...
 01249   928   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01250   928   NtWaitForSingleObject  (164, 0, 0x0, ...
 01246  1736   NtSetInformationThread  ... ) == 0x0
 01251  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33292288, 1048576, ) == 0x0
 01252  1736   NtAllocateVirtualMemory  (-1, 34332672, 0, 8192, 4096, 4, ... 34332672, 8192, ) == 0x0
 01253  1736   NtProtectVirtualMemory  (-1, (0x20be000), 4096, 260, ... (0x20be000), 4096, 4, ) == 0x0
 01254  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 232, {1636, 1732}, ) == 0x0
 01255  1736   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0
 01256  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0d\6\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0d\6\0\0\304\6\0\0" )  ) == 0x0
 01257  1736   NtResumeThread  (232, ... 1, ) == 0x0
 01258  1736   NtSetInformationThread  (232, BasePriority, {thread info, class 3, size 4}, 4, ...
 01259  1732   NtTestAlert  (... ) == 0x0
 01260  1732   NtContinue  (34340144, 1, ...
 01261  1732   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01262  1732   NtWaitForSingleObject  (168, 0, 0x0, ...
 01258  1736   NtSetInformationThread  ... ) == 0x0
 01263  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34340864, 1048576, ) == 0x0
 01264  1736   NtAllocateVirtualMemory  (-1, 35381248, 0, 8192, 4096, 4, ... 35381248, 8192, ) == 0x0
 01265  1736   NtProtectVirtualMemory  (-1, (0x21be000), 4096, 260, ... (0x21be000), 4096, 4, ) == 0x0
 01266  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 236, {1636, 428}, ) == 0x0
 01267  1736   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=428,}, 0x0, ) == 0x0
 01268  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0d\6\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0d\6\0\0\254\1\0\0" )  ) == 0x0
 01269  1736   NtResumeThread  (236, ... 1, ) == 0x0
 01270  1736   NtSetInformationThread  (236, BasePriority, {thread info, class 3, size 4}, 4, ...
 01271   428   NtTestAlert  (... ) == 0x0
 01272   428   NtContinue  (35388720, 1, ...
 01273   428   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01274   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 01270  1736   NtSetInformationThread  ... ) == 0x0
 01275  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35389440, 1048576, ) == 0x0
 01276  1736   NtAllocateVirtualMemory  (-1, 36429824, 0, 8192, 4096, 4, ... 36429824, 8192, ) == 0x0
 01277  1736   NtProtectVirtualMemory  (-1, (0x22be000), 4096, 260, ... (0x22be000), 4096, 4, ) == 0x0
 01278  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 240, {1636, 748}, ) == 0x0
 01279  1736   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=748,}, 0x0, ) == 0x0
 01280  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0d\6\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0d\6\0\0\354\2\0\0" )  ) == 0x0
 01281  1736   NtResumeThread  (240, ... 1, ) == 0x0
 01282   748   NtTestAlert  (... ) == 0x0
 01283   748   NtContinue  (36437296, 1, ...
 01284   748   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01285   748   NtWaitForSingleObject  (176, 0, 0x0, ...
 01286  1736   NtSetInformationThread  (240, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01287  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36438016, 1048576, ) == 0x0
 01288  1736   NtAllocateVirtualMemory  (-1, 37478400, 0, 8192, 4096, 4, ... 37478400, 8192, ) == 0x0
 01289  1736   NtProtectVirtualMemory  (-1, (0x23be000), 4096, 260, ... (0x23be000), 4096, 4, ) == 0x0
 01290  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 244, {1636, 1300}, ) == 0x0
 01291  1736   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0
 01292  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0d\6\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0d\6\0\0\24\5\0\0" )  ) == 0x0
 01293  1736   NtResumeThread  (244, ... 1, ) == 0x0
 01294  1736   NtSetInformationThread  (244, BasePriority, {thread info, class 3, size 4}, 4, ...
 01295  1300   NtTestAlert  (... ) == 0x0
 01296  1300   NtContinue  (37485872, 1, ...
 01297  1300   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01298  1300   NtWaitForSingleObject  (180, 0, 0x0, ...
 01294  1736   NtSetInformationThread  ... ) == 0x0
 01299  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37486592, 1048576, ) == 0x0
 01300  1736   NtAllocateVirtualMemory  (-1, 38526976, 0, 8192, 4096, 4, ... 38526976, 8192, ) == 0x0
 01301  1736   NtProtectVirtualMemory  (-1, (0x24be000), 4096, 260, ... (0x24be000), 4096, 4, ) == 0x0
 01302  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 248, {1636, 1096}, ) == 0x0
 01303  1736   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=1096,}, 0x0, ) == 0x0
 01304  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0d\6\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0d\6\0\0H\4\0\0" )  ) == 0x0
 01305  1736   NtResumeThread  (248, ... 1, ) == 0x0
 01306  1736   NtSetInformationThread  (248, BasePriority, {thread info, class 3, size 4}, 4, ...
 01307  1096   NtTestAlert  (... ) == 0x0
 01308  1096   NtContinue  (38534448, 1, ...
 01309  1096   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01310  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 01306  1736   NtSetInformationThread  ... ) == 0x0
 01311  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38535168, 1048576, ) == 0x0
 01312  1736   NtAllocateVirtualMemory  (-1, 39575552, 0, 8192, 4096, 4, ... 39575552, 8192, ) == 0x0
 01313  1736   NtProtectVirtualMemory  (-1, (0x25be000), 4096, 260, ... (0x25be000), 4096, 4, ) == 0x0
 01314  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 252, {1636, 252}, ) == 0x0
 01315  1736   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=252,}, 0x0, ) == 0x0
 01316  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0d\6\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75514, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0d\6\0\0\374\0\0\0" )  ) == 0x0
 01317  1736   NtResumeThread  (252, ... 1, ) == 0x0
 01318   252   NtTestAlert  (... ) == 0x0
 01319   252   NtContinue  (39583024, 1, ...
 01320   252   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01321   252   NtWaitForSingleObject  (188, 0, 0x0, ...
 01322  1736   NtSetInformationThread  (252, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01323  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 39583744, 1048576, ) == 0x0
 01324  1736   NtAllocateVirtualMemory  (-1, 40624128, 0, 8192, 4096, 4, ... 40624128, 8192, ) == 0x0
 01325  1736   NtProtectVirtualMemory  (-1, (0x26be000), 4096, 260, ... (0x26be000), 4096, 4, ) == 0x0
 01326  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 256, {1636, 500}, ) == 0x0
 01327  1736   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=500,}, 0x0, ) == 0x0
 01328  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0d\6\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75515, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0d\6\0\0\364\1\0\0" )  ) == 0x0
 01329  1736   NtResumeThread  (256, ... 1, ) == 0x0
 01330  1736   NtSetInformationThread  (256, BasePriority, {thread info, class 3, size 4}, 4, ...
 01331   500   NtTestAlert  (... ) == 0x0
 01332   500   NtContinue  (40631600, 1, ...
 01333   500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01334   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 01330  1736   NtSetInformationThread  ... ) == 0x0
 01335  1736   NtSetEvent  (140, ...
 01171  1180   NtWaitForSingleObject  ... ) == 0x0
 01336  1180   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01337  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 01335  1736   NtSetEvent  ... 0x0, ) == 0x0
 01338  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01339  1736   NtSetEvent  (184, ...
 01310  1096   NtWaitForSingleObject  ... ) == 0x0
 01340  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01341  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 01339  1736   NtSetEvent  ... 0x0, ) == 0x0
 01342  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01343  1736   NtQueryVirtualMemory  (-1, 0x10000, Basic, 28, ... {BaseAddress=0x10000,AllocationBase=0x10000,AllocationProtect=0x4,RegionSize=0x2000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01344  1736   NtSetEvent  (144, ...
 01182   420   NtWaitForSingleObject  ... ) == 0x0
 01345   420   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01346   420   NtWaitForSingleObject  (144, 0, 0x0, ...
 01344  1736   NtSetEvent  ... 0x0, ) == 0x0
 01347  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01348  1736   NtSetEvent  (192, ...
 01334   500   NtWaitForSingleObject  ... ) == 0x0
 01349   500   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01350   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 01348  1736   NtSetEvent  ... 0x0, ) == 0x0
 01351  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01352  1736   NtUserGetForegroundWindow  (... ) == 0x13010c
 01353  1736   NtUserValidateHandleSecure  (1245452, ... ) == 0x1
 01354  1736   NtUserQueryWindow  (1245452, 0, ... ) == 0x5e8
 01355  1736   NtSetEvent  (140, ...
 01337  1180   NtWaitForSingleObject  ... ) == 0x0
 01356  1180   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01357  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 01355  1736   NtSetEvent  ... 0x0, ) == 0x0
 01358  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01359  1736   NtSetEvent  (160, ...
 01238   120   NtWaitForSingleObject  ... ) == 0x0
 01360   120   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01361   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 01359  1736   NtSetEvent  ... 0x0, ) == 0x0
 01362  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01363  1736   NtSetEvent  (172, ...
 01274   428   NtWaitForSingleObject  ... ) == 0x0
 01364   428   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01365   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 01363  1736   NtSetEvent  ... 0x0, ) == 0x0
 01366  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01367  1736   NtSetEvent  (132, ...
 01146  1028   NtWaitForSingleObject  ... ) == 0x0
 01368  1028   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01369  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 01367  1736   NtSetEvent  ... 0x0, ) == 0x0
 01370  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01371  1736   NtSetEvent  (192, ...
 01350   500   NtWaitForSingleObject  ... ) == 0x0
 01372   500   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01373   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 01371  1736   NtSetEvent  ... 0x0, ) == 0x0
 01374  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01375  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01376  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01377  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01378  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01379  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01380  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01381  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01382  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01383  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01384  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01385  1736   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 01386  1736   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 260, ) == 0x0
 01387  1736   NtMapViewOfSection  (260, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x26d0000), 0x0, 4194304, ) == 0x0
 01388  1736   NtAllocateVirtualMemory  (-1, 40697856, 0, 1, 4096, 4, ... 40697856, 4096, ) == 0x0
 01389  1736   NtAllocateVirtualMemory  (-1, 40701952, 0, 1116, 4096, 4, ... 40701952, 4096, ) == 0x0
 01390  1736   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 264, ) == 0x0
 01391  1736   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2ad0000), 0x0, 4194304, ) == 0x0
 01392  1736   NtAllocateVirtualMemory  (-1, 44892160, 0, 1, 4096, 4, ... 44892160, 4096, ) == 0x0
 01393  1736   NtCreateSection  (0xf0007, 0x0, {46508, 0}, 4, 134217728, 0, ... 268, ) == 0x0
 01394  1736   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2ed0000), {0, 0}, 49152, ) == 0x0
 01395  1736   NtUnmapViewOfSection  (-1, 0x2ed0000, ... ) == 0x0
 01396  1736   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2ed0000), {0, 0}, 49152, ) == 0x0
 01397  1736   NtClose  (264, ... ) == 0x0
 01398  1736   NtUnmapViewOfSection  (-1, 0x2ad0000, ... ) == 0x0
 01399  1736   NtClose  (260, ... ) == 0x0
 01400  1736   NtUnmapViewOfSection  (-1, 0x26d0000, ... ) == 0x0
 01401  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01402  1736   NtUnmapViewOfSection  (-1, 0x2ed0000, ... ) == 0x0
 01403  1736   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x26c0000), {0, 0}, 49152, ) == 0x0
 01404  1736   NtUnmapViewOfSection  (-1, 0x26c0000, ... ) == 0x0
 01405  1736   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x26c0000), {0, 0}, 49152, ) == 0x0
 01406  1736   NtUnmapViewOfSection  (-1, 0x26c0000, ... ) == 0x0
 01407  1736   NtSetEvent  (180, ...
 01298  1300   NtWaitForSingleObject  ... ) == 0x0
 01408  1300   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01409  1300   NtWaitForSingleObject  (180, 0, 0x0, ...
 01407  1736   NtSetEvent  ... 0x0, ) == 0x0
 01410  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01411  1736   NtSetEvent  (172, ...
 01365   428   NtWaitForSingleObject  ... ) == 0x0
 01412   428   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01413   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 01411  1736   NtSetEvent  ... 0x0, ) == 0x0
 01414  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01415  1736   NtSetEvent  (164, ...
 01250   928   NtWaitForSingleObject  ... ) == 0x0
 01416   928   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01417   928   NtWaitForSingleObject  (164, 0, 0x0, ...
 01415  1736   NtSetEvent  ... 0x0, ) == 0x0
 01418  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01419  1736   NtQueryVirtualMemory  (-1, 0x7c809e68, Basic, 28, ... {BaseAddress=0x7c809000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x7b000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01420  1736   NtContinue  (1243208, 0, ...
 01421  1736   NtSetEvent  (180, ...
 01409  1300   NtWaitForSingleObject  ... ) == 0x0
 01422  1300   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01423  1300   NtWaitForSingleObject  (180, 0, 0x0, ...
 01421  1736   NtSetEvent  ... 0x0, ) == 0x0
 01424  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01425  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1000, 4096, 4, ... 40632320, 4096, ) == 0x0
 01426  1736   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01427  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 4096, ) == 0x0
 01428  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01429  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01430  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01431  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01432  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01433  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01434  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01435  1736   NtSetEvent  (148, ...
 01195   596   NtWaitForSingleObject  ... ) == 0x0
 01436   596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01437   596   NtWaitForSingleObject  (148, 0, 0x0, ...
 01435  1736   NtSetEvent  ... 0x0, ) == 0x0
 01438  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01439  1736   NtSetEvent  (180, ...
 01423  1300   NtWaitForSingleObject  ... ) == 0x0
 01440  1300   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01441  1300   NtWaitForSingleObject  (180, 0, 0x0, ...
 01439  1736   NtSetEvent  ... 0x0, ) == 0x0
 01442  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01443  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "RegmonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01444  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Registry Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01445  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01446  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01447  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01448  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01449  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01450  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01451  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01452  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01453  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01454  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01455  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01456  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01457  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01458  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "SOFTWARE\NuMega\DriverStudio"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459  1736   NtSetEvent  (144, ...
 01346   420   NtWaitForSingleObject  ... ) == 0x0
 01460   420   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01461   420   NtWaitForSingleObject  (144, 0, 0x0, ...
 01459  1736   NtSetEvent  ... 0x0, ) == 0x0
 01462  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01463  1736   NtSetEvent  (176, ...
 01285   748   NtWaitForSingleObject  ... ) == 0x0
 01464   748   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01465   748   NtWaitForSingleObject  (176, 0, 0x0, ...
 01463  1736   NtSetEvent  ... 0x0, ) == 0x0
 01466  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01467  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work"}, 3, 33, ... 260, {status=0x0, info=1}, ) }, 3, 33, ... 260, {status=0x0, info=1}, ) == 0x0
 01468  1736   NtQueryVolumeInformationFile  (260, 1244936, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01469  1736   NtClose  (12, ... ) == 0x0
 01470  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 40632320, 4096, ) == 0x0
 01471  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVCP60.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01474  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01475  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 12, ... 264, ) == 0x0
 01476  1736   NtQuerySection  (264, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01477  1736   NtClose  (12, ... ) == 0x0
 01478  1736   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76080000), 0x0, 413696, ) == 0x0
 01479  1736   NtClose  (264, ... ) == 0x0
 01480  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 01481  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 01482  1736   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 01483  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 01484  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 01485  1736   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 01486  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487  1736   NtAllocateVirtualMemory  (-1, 11358208, 0, 4096, 4096, 4, ... 11358208, 4096, ) == 0x0
 01488  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01491  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0
 01492  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 264, ... 12, ) == 0x0
 01493  1736   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01494  1736   NtClose  (264, ... ) == 0x0
 01495  1736   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 01496  1736   NtClose  (12, ... ) == 0x0
 01497  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01498  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01499  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01500  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01501  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01502  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01503  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01504  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01505  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01506  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01507  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01508  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01509  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01510  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01511  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01512  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01513  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01514  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01515  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01516  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01517  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40697856, 65536, ) == 0x0
 01518  1736   NtAllocateVirtualMemory  (-1, 40697856, 0, 4096, 4096, 4, ... 40697856, 4096, ) == 0x0
 01519  1736   NtAllocateVirtualMemory  (-1, 40701952, 0, 8192, 4096, 4, ... 40701952, 8192, ) == 0x0
 01520  1736   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 12, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 12, {status=0x0, info=0}, ) == 0x0
 01521  1736   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) == 0x0
 01522  1736   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 01523  1736   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 276, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 276, {status=0x0, info=0}, ) == 0x0
 01524  1736   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1242884,  (0x20100080, {24, 0, 0x40, 0, 1242884, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 280, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 280, {status=0x0, info=0}, ) == 0x0
 01525  1736   NtAllocateVirtualMemory  (-1, 40710144, 0, 36864, 4096, 4, ... 40710144, 36864, ) == 0x0
 01526  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01527  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (12, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01528  1736   NtClose  (284, ... ) == 0x0
 01529  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01530  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (12, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 01531  1736   NtClose  (284, ... ) == 0x0
 01532  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01533  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\223\201\1\0\0\0\5\0\0\0\232A\250\25\316\356M\3\20\305\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0s{+\0\330J\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (12, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363\223\201\1\0\0\0\5\0\0\0\232A\250\25\316\356M\3\20\305\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0s{+\0\330J\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 01534  1736   NtClose  (284, ... ) == 0x0
 01535  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01536  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (12, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01537  1736   NtClose  (284, ... ) == 0x0
 01538  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01539  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (12, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 01540  1736   NtClose  (284, ... ) == 0x0
 01541  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01542  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (12, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 01543  1736   NtClose  (284, ... ) == 0x0
 01544  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 284, ) == 0x0
 01545  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 288, ) == 0x0
 01546  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01547  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01548  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01549  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01550  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01551  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01552  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01553  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01554  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01555  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01556  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01557  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01558  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01559  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01560  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01561  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01562  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01563  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01564  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01565  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01566  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01567  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01568  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01569  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01570  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01571  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01572  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01573  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01574  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01575  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01576  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01577  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01578  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01579  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01580  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01581  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01582  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01583  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01584  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01585  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01586  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01587  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01588  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01589  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01590  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01591  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01592  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01593  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01594  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01595  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01596  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01597  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01598  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01599  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01600  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01601  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01602  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01603  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01604  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01605  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01606  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01607  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01608  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01609  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01610  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01611  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01612  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01613  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01614  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01615  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01616  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01617  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01618  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01619  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01620  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01621  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01622  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01623  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01624  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01625  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01626  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01627  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01628  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01629  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01630  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01631  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01632  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01633  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01634  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01635  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01636  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01637  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01638  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01639  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01640  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01641  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01642  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01643  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01644  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01645  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01646  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01647  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01648  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01649  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01650  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01651  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01652  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01653  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01654  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01655  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01656  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01657  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01658  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01659  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01660  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01661  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01662  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01663  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01664  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01665  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01666  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01667  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01668  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01669  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01670  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01671  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 292, ) }, ... 292, ) == 0x0
 01672  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 296, ) }, ... 296, ) == 0x0
 01673  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 300, ) }, ... 300, ) == 0x0
 01674  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 304, ) }, ... 304, ) == 0x0
 01675  1736   NtQueryDefaultLocale  (1, 1242864, ... ) == 0x0
 01676  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 308, ) }, ... 308, ) == 0x0
 01677  1736   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 01678  1736   NtClose  (308, ... ) == 0x0
 01679  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01680  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01681  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01682  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01683  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01684  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01685  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01686  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01687  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01688  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01689  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01690  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01691  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01692  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01693  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01694  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01695  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01696  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01697  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 308, ) }, ... 308, ) == 0x0
 01698  1736   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01699  1736   NtClose  (308, ... ) == 0x0
 01700  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01701  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01702  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01703  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01704  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01705  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01706  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01707  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01708  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01709  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01710  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01711  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01712  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01713  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01714  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01715  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01716  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01717  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01718  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01719  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01720  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01721  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01722  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01723  1736   NtCreateSemaphore  (0x1f0003, {24, 72, 0x80, 1355512, 0,  (0x1f0003, {24, 72, 0x80, 1355512, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 308, ) }, 0, 2147483647, ... 308, ) == STATUS_OBJECT_NAME_EXISTS
 01724  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01725  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 312, ) }, ... 312, ) == 0x0
 01726  1736   NtQueryValueKey  (312,  (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01727  1736   NtClose  (312, ... ) == 0x0
 01728  1736   NtQueryDefaultUILanguage  (1241288, ...
 01729  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01730  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 01731  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01732  1736   NtClose  (-2147482576, ... ) == 0x0
 01733  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 01734  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01735  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 01736  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01737  1736   NtClose  (-2147481400, ... ) == 0x0
 01738  1736   NtClose  (-2147482576, ... ) == 0x0
 01728  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 01739  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 312, {status=0x0, info=1}, ) }, 1, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01740  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 312, ... 316, ) == 0x0
 01741  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x26e0000), 0x0, 8462336, ) == 0x0
 01742  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01743  1736   NtQueryDefaultLocale  (1, 1239384, ... ) == 0x0
 01744  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01745  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144}  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\1\0\0\377\377\377\377\0\0\0\0@ \221\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75516, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\1\0\0\377\377\377\377\0\0\0\0@ \221\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75516, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\1\0\0\377\377\377\377\0\0\0\0@ \221\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75516, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\1\0\0\377\377\377\377\0\0\0\0@ \221\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" )  ) == 0x0
 01746  1736   NtClose  (312, ... ) == 0x0
 01747  1736   NtClose  (316, ... ) == 0x0
 01748  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01749  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01750  1736   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01751  1736   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01752  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01753  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01754  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238576, ... ) }, 1238576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01755  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01756  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01757  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01758  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1238640, ... ) }, 1238640, ... ) == 0x0
 01759  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 316, {status=0x0, info=1}, ) }, 3, 33, ... 316, {status=0x0, info=1}, ) == 0x0
 01760  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01761  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01762  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 312, ... 320, ) == 0x0
 01763  1736   NtClose  (312, ... ) == 0x0
 01764  1736   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x26e0000), 0x0, 1056768, ) == 0x0
 01765  1736   NtClose  (320, ... ) == 0x0
 01766  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01767  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 01768  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 312, ) == 0x0
 01769  1736   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01770  1736   NtClose  (320, ... ) == 0x0
 01771  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 01772  1736   NtClose  (312, ... ) == 0x0
 01773  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01774  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01775  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01776  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01777  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01778  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01779  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01780  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01781  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01782  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01783  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01784  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01785  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01786  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01787  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01788  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01789  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01790  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01791  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01792  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01793  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01794  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01795  1736   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 01796  1736   NtQueryDefaultUILanguage  (1238804, ...
 01797  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01798  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 01799  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01800  1736   NtClose  (-2147482576, ... ) == 0x0
 01801  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 01802  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01803  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 01804  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01805  1736   NtClose  (-2147481400, ... ) == 0x0
 01806  1736   NtClose  (-2147482576, ... ) == 0x0
 01796  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 01807  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237644, ... ) }, 1237644, ... ) == 0x0
 01808  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01809  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 312, ... 320, ) == 0x0
 01810  1736   NtClose  (312, ... ) == 0x0
 01811  1736   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x26e0000), 0x0, 4096, ) == 0x0
 01812  1736   NtClose  (320, ... ) == 0x0
 01813  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01814  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237240, ... ) }, 1237240, ... ) == 0x0
 01815  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237984,  (0x80100080, {24, 0, 0x40, 0, 1237984, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0
 01816  1736   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 320, ... 312, ) == 0x0
 01817  1736   NtClose  (320, ... ) == 0x0
 01818  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x26e0000), {0, 0}, 4096, ) == 0x0
 01819  1736   NtClose  (312, ... ) == 0x0
 01820  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01821  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 312, {status=0x0, info=1}, ) }, 1, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01822  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 312, ... 320, ) == 0x0
 01823  1736   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x26e0000), 0x0, 4096, ) == 0x0
 01824  1736   NtQueryInformationFile  (312, 1237636, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01825  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01826  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660}  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\1\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75517, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\1\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75517, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\1\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75517, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\1\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" )  ) == 0x0
 01827  1736   NtClose  (312, ... ) == 0x0
 01828  1736   NtClose  (320, ... ) == 0x0
 01829  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01830  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01831  1736   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01832  1736   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 01833  1736   NtUserGetDC  (0, ... ) == 0x1010054
 01834  1736   NtQueryVirtualMemory  (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01835  1736   NtQueryVirtualMemory  (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01836  1736   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01837  1736   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01838  1736   NtContinue  (1237844, 0, ...
 01839  1736   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01840  1736   NtUnmapViewOfSection  (-1, 0x773d0000, ... ) == 0x0
 01841  1736   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01842  1736   NtUnmapViewOfSection  (-1, 0x2f00000, ... ) == 0x0
 01843  1736   NtClose  (316, ... ) == 0x0
 01844  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "PSAPI.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01845  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\PSAPI.DLL"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01846  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\PSAPI.DLL"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01847  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\PSAPI.DLL"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 01848  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0
 01849  1736   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01850  1736   NtClose  (316, ... ) == 0x0
 01851  1736   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01852  1736   NtClose  (320, ... ) == 0x0
 01853  1736   NtProtectVirtualMemory  (-1, (0x76bf1000), 236, 4, ... (0x76bf1000), 4096, 32, ) == 0x0
 01854  1736   NtProtectVirtualMemory  (-1, (0x76bf1000), 4096, 32, ... (0x76bf1000), 4096, 4, ) == 0x0
 01855  1736   NtFlushInstructionCache  (-1, 1992232960, 236, ... ) == 0x0
 01856  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01857  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01858  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01859  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01860  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 01861  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 316, ) == 0x0
 01862  1736   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01863  1736   NtClose  (320, ... ) == 0x0
 01864  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 01865  1736   NtClose  (316, ... ) == 0x0
 01866  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01867  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01868  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01869  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01870  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01871  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01872  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01873  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01874  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01875  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01876  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01877  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01878  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01879  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01880  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01881  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01882  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01883  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01884  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885  1736   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 316, 2, ) }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 316, 2, ) , 0, ... 316, 2, ) == 0x0
 01886  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 320, ) }, ... 320, ) == 0x0
 01887  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01888  1736   NtQueryValueKey  (320,  (320, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01889  1736   NtQueryValueKey  (316,  (316, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01890  1736   NtQueryValueKey  (320,  (320, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01891  1736   NtQueryValueKey  (316,  (316, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01892  1736   NtQueryValueKey  (320,  (320, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01893  1736   NtQueryValueKey  (316,  (316, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01894  1736   NtQueryValueKey  (320,  (320, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01895  1736   NtQueryValueKey  (316,  (316, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01896  1736   NtQueryValueKey  (320,  (320, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01897  1736   NtQueryValueKey  (320,  (320, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01898  1736   NtQueryValueKey  (320,  (320, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01899  1736   NtQueryValueKey  (320,  (320, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01900  1736   NtQueryValueKey  (320,  (320, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01901  1736   NtQueryValueKey  (320,  (320, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01902  1736   NtQueryValueKey  (320,  (320, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01903  1736   NtQueryValueKey  (320,  (320, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01904  1736   NtQueryValueKey  (320,  (320, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01905  1736   NtQueryValueKey  (316,  (316, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01906  1736   NtQueryValueKey  (320,  (320, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01907  1736   NtQueryValueKey  (320,  (320, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01908  1736   NtQueryValueKey  (316,  (316, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01909  1736   NtQueryValueKey  (320,  (320, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01910  1736   NtQueryValueKey  (316,  (316, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01911  1736   NtQueryValueKey  (320,  (320, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01912  1736   NtQueryValueKey  (316,  (316, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01913  1736   NtQueryValueKey  (320,  (320, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01914  1736   NtQueryValueKey  (316,  (316, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01915  1736   NtQueryValueKey  (320,  (320, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01916  1736   NtQueryValueKey  (316,  (316, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01917  1736   NtQueryValueKey  (320,  (320, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01918  1736   NtQueryValueKey  (316,  (316, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01919  1736   NtQueryValueKey  (320,  (320, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01920  1736   NtQueryValueKey  (316,  (316, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01921  1736   NtQueryValueKey  (320,  (320, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01922  1736   NtQueryValueKey  (320,  (320, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01923  1736   NtQueryValueKey  (320,  (320, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01924  1736   NtQueryValueKey  (320,  (320, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01925  1736   NtQueryValueKey  (320,  (320, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01926  1736   NtQueryValueKey  (320,  (320, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01927  1736   NtQueryValueKey  (320,  (320, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01928  1736   NtQueryValueKey  (320,  (320, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01929  1736   NtQueryValueKey  (320,  (320, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01930  1736   NtQueryValueKey  (320,  (320, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01931  1736   NtQueryValueKey  (320,  (320, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01932  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 312, ) }, ... 312, ) == 0x0
 01933  1736   NtQueryValueKey  (312,  (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01934  1736   NtClose  (312, ... ) == 0x0
 01935  1736   NtClose  (316, ... ) == 0x0
 01936  1736   NtClose  (320, ... ) == 0x0
 01937  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 320, ) }, ... 320, ) == 0x0
 01938  1736   NtQueryValueKey  (320,  (320, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01939  1736   NtQueryValueKey  (320,  (320, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01940  1736   NtQueryValueKey  (320,  (320, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01941  1736   NtClose  (320, ... ) == 0x0
 01942  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts"}, 3, 33, ... 320, {status=0x0, info=1}, ) }, 3, 33, ... 320, {status=0x0, info=1}, ) == 0x0
 01943  1736   NtQueryVolumeInformationFile  (320, 1244940, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01944  1736   NtClose  (260, ... ) == 0x0
 01945  1736   NtSetEvent  (132, ...
 01369  1028   NtWaitForSingleObject  ... ) == 0x0
 01946  1028   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01947  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 01945  1736   NtSetEvent  ... 0x0, ) == 0x0
 01948  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01949  1736   NtSetEvent  (132, ...
 01947  1028   NtWaitForSingleObject  ... ) == 0x0
 01950  1028   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01951  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 01949  1736   NtSetEvent  ... 0x0, ) == 0x0
 01952  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01953  1736   NtAllocateVirtualMemory  (-1, 0, 0, 200000, 4096, 4, ... 40894464, 200704, ) == 0x0
 01954  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1024, 4096, 4, ... 40763392, 4096, ) == 0x0
 01955  1736   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01956  1736   NtSetEvent  (168, ...
 01262  1732   NtWaitForSingleObject  ... ) == 0x0
 01957  1732   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01958  1732   NtWaitForSingleObject  (168, 0, 0x0, ...
 01956  1736   NtSetEvent  ... 0x0, ) == 0x0
 01959  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01960  1736   NtSetEvent  (132, ...
 01951  1028   NtWaitForSingleObject  ... ) == 0x0
 01961  1028   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01962  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 01960  1736   NtSetEvent  ... 0x0, ) == 0x0
 01963  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01964  1736   NtSetEvent  (164, ...
 01417   928   NtWaitForSingleObject  ... ) == 0x0
 01965   928   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01966   928   NtWaitForSingleObject  (164, 0, 0x0, ...
 01964  1736   NtSetEvent  ... 0x0, ) == 0x0
 01967  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01968  1736   NtSetEvent  (192, ...
 01373   500   NtWaitForSingleObject  ... ) == 0x0
 01969   500   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01970   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 01968  1736   NtSetEvent  ... 0x0, ) == 0x0
 01971  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01972  1736   NtSetEvent  (140, ...
 01357  1180   NtWaitForSingleObject  ... ) == 0x0
 01973  1180   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01974  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 01972  1736   NtSetEvent  ... 0x0, ) == 0x0
 01975  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01976  1736   NtSetEvent  (168, ...
 01958  1732   NtWaitForSingleObject  ... ) == 0x0
 01977  1732   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01978  1732   NtWaitForSingleObject  (168, 0, 0x0, ...
 01976  1736   NtSetEvent  ... 0x0, ) == 0x0
 01979  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01980  1736   NtSetEvent  (140, ...
 01974  1180   NtWaitForSingleObject  ... ) == 0x0
 01981  1180   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01982  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 01980  1736   NtSetEvent  ... 0x0, ) == 0x0
 01983  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01984  1736   NtSetEvent  (192, ...
 01970   500   NtWaitForSingleObject  ... ) == 0x0
 01985   500   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01986   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 01984  1736   NtSetEvent  ... 0x0, ) == 0x0
 01987  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01988  1736   NtSetEvent  (176, ...
 01465   748   NtWaitForSingleObject  ... ) == 0x0
 01989   748   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01990   748   NtWaitForSingleObject  (176, 0, 0x0, ...
 01988  1736   NtSetEvent  ... 0x0, ) == 0x0
 01991  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01992  1736   NtSetEvent  (152, ...
 01207   376   NtWaitForSingleObject  ... ) == 0x0
 01993   376   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01994   376   NtWaitForSingleObject  (152, 0, 0x0, ...
 01992  1736   NtSetEvent  ... 0x0, ) == 0x0
 01995  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01996  1736   NtSetEvent  (132, ...
 01962  1028   NtWaitForSingleObject  ... ) == 0x0
 01997  1028   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01998  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 01996  1736   NtSetEvent  ... 0x0, ) == 0x0
 01999  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02000  1736   NtSetEvent  (144, ...
 01461   420   NtWaitForSingleObject  ... ) == 0x0
 02001   420   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02002   420   NtWaitForSingleObject  (144, 0, 0x0, ...
 02000  1736   NtSetEvent  ... 0x0, ) == 0x0
 02003  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02004  1736   NtSetEvent  (168, ...
 01978  1732   NtWaitForSingleObject  ... ) == 0x0
 02005  1732   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02006  1732   NtWaitForSingleObject  (168, 0, 0x0, ...
 02004  1736   NtSetEvent  ... 0x0, ) == 0x0
 02007  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02008  1736   NtProtectVirtualMemory  (-1, (0x401000), 93076, 64, ... (0x401000), 94208, 128, ) == 0x0
 02009  1736   NtSetEvent  (160, ...
 01361   120   NtWaitForSingleObject  ... ) == 0x0
 02010   120   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02011   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 02009  1736   NtSetEvent  ... 0x0, ) == 0x0
 02012  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02013  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02014  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 02015  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02016  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 02017  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 41156608, 65536, ) == 0x0
 02018  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 02019  1736   NtFreeVirtualMemory  (-1, (0x2740000), 0, 32768, ... (0x2740000), 65536, ) == 0x0
 02020  1736   NtSetEvent  (144, ...
 02002   420   NtWaitForSingleObject  ... ) == 0x0
 02021   420   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02022   420   NtWaitForSingleObject  (144, 0, 0x0, ...
 02020  1736   NtSetEvent  ... 0x0, ) == 0x0
 02023  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02024  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1114112, 4096, 4, ... 41156608, 1114112, ) == 0x0
 02025  1736   NtFreeVirtualMemory  (-1, (0x2740000), 0, 32768, ... (0x2740000), 1114112, ) == 0x0
 02026  1736   NtSetEvent  (136, ...
 01159   384   NtWaitForSingleObject  ... ) == 0x0
 02027   384   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02028   384   NtWaitForSingleObject  (136, 0, 0x0, ...
 02026  1736   NtSetEvent  ... 0x0, ) == 0x0
 02029  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02030  1736   NtSetEvent  (184, ...
 01341  1096   NtWaitForSingleObject  ... ) == 0x0
 02031  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02032  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 02030  1736   NtSetEvent  ... 0x0, ) == 0x0
 02033  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02034  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 41156608, 1048576, ) == 0x0
 02035  1736   NtAllocateVirtualMemory  (-1, 42196992, 0, 8192, 4096, 4, ... 42196992, 8192, ) == 0x0
 02036  1736   NtProtectVirtualMemory  (-1, (0x283e000), 4096, 260, ... (0x283e000), 4096, 4, ) == 0x0
 02037  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244044, 1243988, 1, ... 260, {1636, 588}, ) == 0x0
 02038  1736   NtQueryInformationThread  (260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=588,}, 0x0, ) == 0x0
 02039  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089917163, 5981457, 5981457, 65535}  (24, {28, 56, new_msg, 0, 2089917163, 5981457, 5981457, 65535} "\0\0\0\0\1\0\1\0\2741\0\049\220|\4\1\0\0d\6\0\0L\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\049\220|\4\1\0\0d\6\0\0L\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75518, 0}  (24, {28, 56, new_msg, 0, 2089917163, 5981457, 5981457, 65535} "\0\0\0\0\1\0\1\0\2741\0\049\220|\4\1\0\0d\6\0\0L\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75518, 0} "\0\0\0\0\1\0\1\0\0\0\0\049\220|\4\1\0\0d\6\0\0L\2\0\0" )  ) == 0x0
 02040  1736   NtResumeThread  (260, ... 1, ) == 0x0
 02041  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 02042   588   NtTestAlert  (... ) == 0x0
 02043   588   NtContinue  (42204464, 1, ...
 02044   588   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02045   588   NtDelayExecution  (0, {-40000000, -1}, ...
 02046  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 02047  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 42205184, 4096, ) == 0x0
 02048  1736   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 4, ... 42270720, 8192, ) == 0x0
 02049  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 64, ... 42336256, 65536, ) == 0x0
 02050  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3320, 4096, 4, ... 42401792, 4096, ) == 0x0
 02051  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02052  1736   NtAllocateVirtualMemory  (-1, 0, 0, 9152, 4096, 4, ... 42401792, 12288, ) == 0x0
 02053  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 12288, ) == 0x0
 02054  1736   NtAllocateVirtualMemory  (-1, 0, 0, 620, 4096, 4, ... 42401792, 4096, ) == 0x0
 02055  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02056  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3796, 4096, 4, ... 42401792, 4096, ) == 0x0
 02057  1736   NtAllocateVirtualMemory  (-1, 0, 0, 353, 4096, 64, ... 42467328, 4096, ) == 0x0
 02058  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1597, 4096, 64, ... 42532864, 4096, ) == 0x0
 02059  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1702, 4096, 64, ... 42598400, 4096, ) == 0x0
 02060  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1767, 4096, 64, ... 42663936, 4096, ) == 0x0
 02061  1736   NtAllocateVirtualMemory  (-1, 0, 0, 666, 4096, 64, ... 42729472, 4096, ) == 0x0
 02062  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1698, 4096, 64, ... 42795008, 4096, ) == 0x0
 02063  1736   NtAllocateVirtualMemory  (-1, 0, 0, 484, 4096, 64, ... 42860544, 4096, ) == 0x0
 02064  1736   NtAllocateVirtualMemory  (-1, 0, 0, 415, 4096, 64, ... 42926080, 4096, ) == 0x0
 02065  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1945, 4096, 64, ... 42991616, 4096, ) == 0x0
 02066  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3784, 4096, 64, ... 43057152, 4096, ) == 0x0
 02067  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2197, 4096, 64, ... 43122688, 4096, ) == 0x0
 02068  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3086, 4096, 64, ... 43188224, 4096, ) == 0x0
 02069  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2398, 4096, 64, ... 43253760, 4096, ) == 0x0
 02070  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2005, 4096, 64, ... 43319296, 4096, ) == 0x0
 02071  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1642, 4096, 64, ... 43384832, 4096, ) == 0x0
 02072  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4677, 4096, 64, ... 43450368, 8192, ) == 0x0
 02073  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2670, 4096, 64, ... 43515904, 4096, ) == 0x0
 02074  1736   NtAllocateVirtualMemory  (-1, 0, 0, 5490, 4096, 64, ... 43581440, 8192, ) == 0x0
 02075  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1975, 4096, 64, ... 43646976, 4096, ) == 0x0
 02076  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3062, 4096, 64, ... 43712512, 4096, ) == 0x0
 02077  1736   NtAllocateVirtualMemory  (-1, 0, 0, 675, 4096, 64, ... 43778048, 4096, ) == 0x0
 02078  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3827, 4096, 64, ... 43843584, 4096, ) == 0x0
 02079  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4462, 4096, 64, ... 43909120, 8192, ) == 0x0
 02080  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1478, 4096, 64, ... 43974656, 4096, ) == 0x0
 02081  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02082  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2928, 4096, 4, ... 42401792, 4096, ) == 0x0
 02083  1736   NtAllocateVirtualMemory  (-1, 0, 0, 756, 4096, 64, ... 44040192, 4096, ) == 0x0
 02084  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02085  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2700, 4096, 4, ... 42401792, 4096, ) == 0x0
 02086  1736   NtAllocateVirtualMemory  (-1, 0, 0, 5001, 4096, 64, ... 44105728, 8192, ) == 0x0
 02087  1736   NtAllocateVirtualMemory  (-1, 0, 0, 5185, 4096, 64, ... 44171264, 8192, ) == 0x0
 02088  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2386, 4096, 64, ... 44236800, 4096, ) == 0x0
 02089  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4025, 4096, 64, ... 44302336, 4096, ) == 0x0
 02090  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1235, 4096, 64, ... 44367872, 4096, ) == 0x0
 02091  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1223, 4096, 64, ... 44433408, 4096, ) == 0x0
 02092  1736   NtAllocateVirtualMemory  (-1, 0, 0, 888, 4096, 64, ... 44498944, 4096, ) == 0x0
 02093  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3599, 4096, 64, ... 44564480, 4096, ) == 0x0
 02094  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3071, 4096, 64, ... 44630016, 4096, ) == 0x0
 02095  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4252, 4096, 64, ... 44695552, 8192, ) == 0x0
 02096  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02097  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1236, 4096, 4, ... 42401792, 4096, ) == 0x0
 02098  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02099  1736   NtAllocateVirtualMemory  (-1, 0, 0, 468, 4096, 4, ... 42401792, 4096, ) == 0x0
 02100  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02101  1736   NtAllocateVirtualMemory  (-1, 0, 0, 312, 4096, 4, ... 42401792, 4096, ) == 0x0
 02102  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02103  1736   NtAllocateVirtualMemory  (-1, 0, 0, 96, 4096, 4, ... 42401792, 4096, ) == 0x0
 02104  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02105  1736   NtAllocateVirtualMemory  (-1, 0, 0, 640, 4096, 4, ... 42401792, 4096, ) == 0x0
 02106  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02107  1736   NtFreeVirtualMemory  (-1, (0x2700000), 0, 32768, ... (0x2700000), 200704, ) == 0x0
 02108  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 4096, ) == 0x0
 02109  1736   NtFreeVirtualMemory  (-1, (0x2850000), 0, 32768, ... (0x2850000), 8192, ) == 0x0
 02110  1736   NtFreeVirtualMemory  (-1, (0x2860000), 0, 32768, ... (0x2860000), 65536, ) == 0x0
 02111  1736   NtFreeVirtualMemory  (-1, (0x2840000), 0, 32768, ... (0x2840000), 4096, ) == 0x0
 02112  1736   NtSetEvent  (188, ...
 01321   252   NtWaitForSingleObject  ... ) == 0x0
 02113   252   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02114   252   NtWaitForSingleObject  (188, 0, 0x0, ...
 02112  1736   NtSetEvent  ... 0x0, ) == 0x0
 02115  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02116  1736   NtSetEvent  (140, ...
 01982  1180   NtWaitForSingleObject  ... ) == 0x0
 02117  1180   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02118  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 02116  1736   NtSetEvent  ... 0x0, ) == 0x0
 02119  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02120  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 02121  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 02122  1736   NtSetEvent  (152, ...
 01994   376   NtWaitForSingleObject  ... ) == 0x0
 02123   376   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02124   376   NtWaitForSingleObject  (152, 0, 0x0, ...
 02122  1736   NtSetEvent  ... 0x0, ) == 0x0
 02125  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02126  1736   NtSetEvent  (184, ...
 02032  1096   NtWaitForSingleObject  ... ) == 0x0
 02127  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02128  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 02126  1736   NtSetEvent  ... 0x0, ) == 0x0
 02129  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02130  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 02131  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 02132  1736   NtSetEvent  (168, ...
 02006  1732   NtWaitForSingleObject  ... ) == 0x0
 02133  1732   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02134  1732   NtWaitForSingleObject  (168, 0, 0x0, ...
 02132  1736   NtSetEvent  ... 0x0, ) == 0x0
 02135  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02136  1736   NtSetEvent  (136, ...
 02028   384   NtWaitForSingleObject  ... ) == 0x0
 02137   384   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02138   384   NtWaitForSingleObject  (136, 0, 0x0, ...
 02136  1736   NtSetEvent  ... 0x0, ) == 0x0
 02139  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02140  1736   NtSetEvent  (132, ...
 01998  1028   NtWaitForSingleObject  ... ) == 0x0
 02141  1028   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02142  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 02140  1736   NtSetEvent  ... 0x0, ) == 0x0
 02143  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02144  1736   NtQueryVirtualMemory  (-1, 0x436c1e, Basic, 28, ... {BaseAddress=0x436000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xdb000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 02145  1736   NtQueryVirtualMemory  (-1, 0x43e1d8, Basic, 28, ... {BaseAddress=0x43e000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xd3000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 02146  1736   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 02147  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02148  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02149  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02150  1736   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 02151  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 316, ) }, ... 316, ) == 0x0
 02152  1736   NtQueryValueKey  (316,  (316, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (316, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02153  1736   NtQueryValueKey  (316,  (316, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (316, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 02154  1736   NtClose  (316, ... ) == 0x0
 02155  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1239748, ... ) }, 1239748, ... ) == 0x0
 02156  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02157  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0
 02158  1736   NtClose  (316, ... ) == 0x0
 02159  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2700000), 0x0, 81920, ) == 0x0
 02160  1736   NtClose  (312, ... ) == 0x0
 02161  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02162  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1240056, ... ) }, 1240056, ... ) == 0x0
 02163  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02164  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 02165  1736   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02166  1736   NtClose  (312, ... ) == 0x0
 02167  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 02168  1736   NtClose  (316, ... ) == 0x0
 02169  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 316, ) }, ... 316, ) == 0x0
 02170  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 02171  1736   NtClose  (316, ... ) == 0x0
 02172  1736   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 02173  1736   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 02174  1736   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 02175  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 316, ) }, ... 316, ) == 0x0
 02176  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 02177  1736   NtClose  (316, ... ) == 0x0
 02178  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 02179  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 02180  1736   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 02181  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 02182  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 02183  1736   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 02184  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 02185  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 02186  1736   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 02187  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 02188  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 02189  1736   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 02190  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02191  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 02193  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02194  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 312, ) == 0x0
 02195  1736   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02196  1736   NtClose  (316, ... ) == 0x0
 02197  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 02198  1736   NtClose  (312, ... ) == 0x0
 02199  1736   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 02200  1736   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 02201  1736   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 02202  1736   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 02203  1736   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 02204  1736   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 02205  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 312, ) }, ... 312, ) == 0x0
 02206  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 02207  1736   NtClose  (312, ... ) == 0x0
 02208  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02209  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02210  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02211  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02212  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02213  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02214  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02215  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02216  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02217  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02218  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02219  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02220  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02221  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02222  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02223  1736   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 02224  1736   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 02225  1736   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 02226  1736   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 02227  1736   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 02228  1736   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 02229  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02230  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02231  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 02232  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02233  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 02234  1736   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02235  1736   NtClose  (312, ... ) == 0x0
 02236  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 02237  1736   NtClose  (316, ... ) == 0x0
 02238  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 02239  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 02240  1736   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 02241  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 02242  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 02243  1736   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 02244  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 02245  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 02246  1736   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 02247  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 02248  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 02249  1736   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 02250  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02251  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02252  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 02253  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02254  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 312, ) == 0x0
 02255  1736   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02256  1736   NtClose  (316, ... ) == 0x0
 02257  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 02258  1736   NtClose  (312, ... ) == 0x0
 02259  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02260  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02261  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02262  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02263  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02264  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02265  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02266  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02267  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02268  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02269  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02270  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02271  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02272  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02273  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02274  1736   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 02275  1736   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 02276  1736   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 02277  1736   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 02278  1736   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 02279  1736   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 02280  1736   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 02281  1736   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 02282  1736   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 02283  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02284  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02285  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 312, ) }, ... 312, ) == 0x0
 02286  1736   NtQueryValueKey  (312,  (312, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02287  1736   NtClose  (312, ... ) == 0x0
 02288  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 312, ) }, ... 312, ) == 0x0
 02289  1736   NtQueryValueKey  (312,  (312, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290  1736   NtClose  (312, ... ) == 0x0
 02291  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 312, ) }, ... 312, ) == 0x0
 02292  1736   NtQueryValueKey  (312,  (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 02293  1736   NtClose  (312, ... ) == 0x0
 02294  1736   NtCreateEvent  (0x1f0003, {24, 72, 0x80, 1237824, 0,  (0x1f0003, {24, 72, 0x80, 1237824, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 312, ) }, 0, 1, ... 312, ) == STATUS_OBJECT_NAME_EXISTS
 02295  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02296  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02297  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02298  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02299  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02300  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02301  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02302  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02303  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02304  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02305  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02306  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02307  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02308  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02309  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02310  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02311  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02312  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02313  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02314  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02315  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02316  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02317  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02318  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02319  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02320  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02321  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02322  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 316, ) == 0x0
 02323  1736   NtQueryInformationToken  (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02324  1736   NtClose  (316, ... ) == 0x0
 02325  1736   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 316, ) }, ... 316, ) == 0x0
 02326  1736   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 324, ) }, ... 324, ) == 0x0
 02327  1736   NtQueryValueKey  (324,  (324, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 02328  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02329  1736   NtQueryValueKey  (324,  (324, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 02330  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02331  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02332  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02333  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02334  1736   NtClose  (324, ... ) == 0x0
 02335  1736   NtClose  (316, ... ) == 0x0
 02336  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0
 02337  1736   NtQueryValueKey  (316,  (316, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02338  1736   NtClose  (316, ... ) == 0x0
 02339  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0
 02340  1736   NtQueryValueKey  (316,  (316, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02341  1736   NtQueryValueKey  (316,  (316, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02342  1736   NtClose  (316, ... ) == 0x0
 02343  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02344  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0
 02345  1736   NtQueryValueKey  (316,  (316, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02346  1736   NtClose  (316, ... ) == 0x0
 02347  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02348  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02349  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02350  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02351  1736   NtQueryPerformanceCounter  (... {1108970520, 16}, {3579545, 0}, ) == 0x0
 02352  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02353  1736   NtQueryDefaultLocale  (1, 1239952, ... ) == 0x0
 02354  1736   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02355  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02356  1736   NtQueryValueKey  (316,  (316, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02357  1736   NtClose  (316, ... ) == 0x0
 02358  1736   NtUserGetProcessWindowStation  (... ) == 0x1c
 02359  1736   NtUserGetObjectInformation  (28, 1, 1239548, 12, 1239560, ... ) == 0x1
 02360  1736   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02361  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 316, ) }, ... 316, ) == 0x0
 02362  1736   NtQueryValueKey  (316,  (316, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02363  1736   NtClose  (316, ... ) == 0x0
 02364  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02365  1736   NtQueryValueKey  (316,  (316, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02366  1736   NtQueryValueKey  (316,  (316, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02367  1736   NtClose  (316, ... ) == 0x0
 02368  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02369  1736   NtQueryValueKey  (316,  (316, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02370  1736   NtQueryValueKey  (316,  (316, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02371  1736   NtClose  (316, ... ) == 0x0
 02372  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02373  1736   NtQueryValueKey  (316,  (316, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02374  1736   NtQueryValueKey  (316,  (316, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02375  1736   NtClose  (316, ... ) == 0x0
 02376  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02377  1736   NtQueryValueKey  (316,  (316, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02378  1736   NtQueryValueKey  (316,  (316, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02379  1736   NtClose  (316, ... ) == 0x0
 02380  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02381  1736   NtQueryValueKey  (316,  (316, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02382  1736   NtQueryValueKey  (316,  (316, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02383  1736   NtClose  (316, ... ) == 0x0
 02384  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02385  1736   NtQueryValueKey  (316,  (316, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02386  1736   NtQueryValueKey  (316,  (316, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02387  1736   NtClose  (316, ... ) == 0x0
 02388  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 316, ) }, ... 316, ) == 0x0
 02389  1736   NtQueryValueKey  (316,  (316, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02390  1736   NtQueryValueKey  (316,  (316, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (316, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02391  1736   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 02392  1736   NtClose  (316, ... ) == 0x0
 02393  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 316, ) == 0x0
 02394  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 324, ) == 0x0
 02395  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0
 02396  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 332, ) == 0x0
 02397  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 336, ) == 0x0
 02398  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 340, ) == 0x0
 02399  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 344, ) }, ... 344, ) == 0x0
 02400  1736   NtQueryValueKey  (344,  (344, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02401  1736   NtQueryValueKey  (344,  (344, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02402  1736   NtQueryValueKey  (344,  (344, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02403  1736   NtOpenKey  (0x1, {24, 344, 0x40, 0, 0,  (0x1, {24, 344, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02404  1736   NtClose  (344, ... ) == 0x0
 02405  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1239464, ... ) }, 1239464, ... ) == 0x0
 02406  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 344, ) }, ... 344, ) == 0x0
 02407  1736   NtQueryValueKey  (344,  (344, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (344, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (344, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02408  1736   NtClose  (344, ... ) == 0x0
 02409  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 344, ) }, ... 344, ) == 0x0
 02410  1736   NtQueryValueKey  (344,  (344, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (344, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (344, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02411  1736   NtClose  (344, ... ) == 0x0
 02412  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02413  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 344, ) }, ... 344, ) == 0x0
 02414  1736   NtQueryValueKey  (344,  (344, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (344, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (344, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02415  1736   NtClose  (344, ... ) == 0x0
 02416  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02417  1736   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02418  1736   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 344, 2, ) }, 0, 0x0, 0, ... 344, 2, ) == 0x0
 02419  1736   NtOpenKey  (0x10000, {24, 344, 0x40, 0, 0,  (0x10000, {24, 344, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02420  1736   NtQueryValueKey  (344,  (344, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02421  1736   NtQueryValueKey  (344,  (344, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02422  1736   NtQueryValueKey  (344,  (344, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02423  1736   NtQueryValueKey  (344,  (344, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02424  1736   NtQueryValueKey  (344,  (344, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02425  1736   NtQueryValueKey  (344,  (344, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02426  1736   NtQueryValueKey  (344,  (344, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02427  1736   NtQueryValueKey  (344,  (344, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428  1736   NtQueryValueKey  (344,  (344, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02429  1736   NtQueryValueKey  (344,  (344, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02430  1736   NtQueryValueKey  (344,  (344, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02431  1736   NtQueryValueKey  (344,  (344, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02432  1736   NtCreateKey  (0x20119, {24, 344, 0x40, 0, 0,  (0x20119, {24, 344, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02433  1736   NtCreateKey  (0x20119, {24, 344, 0x40, 0, 0,  (0x20119, {24, 344, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 352, 2, ) }, 0, 0x0, 0, ... 352, 2, ) == 0x0
 02434  1736   NtClose  (344, ... ) == 0x0
 02435  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 344, ) }, ... 344, ) == 0x0
 02436  1736   NtQueryValueKey  (344,  (344, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02437  1736   NtClose  (344, ... ) == 0x0
 02438  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02439  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02440  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236992, ... ) }, 1236992, ... ) == 0x0
 02441  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0
 02442  1736   NtQueryDirectoryFile  (344, 0, 0, 0, 1236420, 616, BothDirectory, 1,  (344, 0, 0, 0, 1236420, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02443  1736   NtClose  (344, ... ) == 0x0
 02444  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0
 02445  1736   NtQueryDirectoryFile  (344, 0, 0, 0, 1236420, 616, BothDirectory, 1,  (344, 0, 0, 0, 1236420, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02446  1736   NtClose  (344, ... ) == 0x0
 02447  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02448  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02449  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02450  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02451  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235640, ... ) }, 1235640, ... ) == 0x0
 02452  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234412, ... ) }, 1234412, ... ) == 0x0
 02453  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02454  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02455  1736   NtQueryValueKey  (348,  (348, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02456  1736   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 02457  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02458  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02459  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02460  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 344, ) }, ... 344, ) == 0x0
 02461  1736   NtQueryValueKey  (344,  (344, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02462  1736   NtClose  (344, ... ) == 0x0
 02463  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02464  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 344, ) == 0x0
 02465  1736   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 02466  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 356, ) == 0x0
 02467  1736   NtQuerySystemTime  (... {44916670, 29928605}, ) == 0x0
 02468  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 360, ) == 0x0
 02469  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02470  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 02471  1736   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 02472  1736   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 02473  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 364, ) == 0x0
 02474  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 368, ) == 0x0
 02475  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\212P^\224ZU\222d\33\205\6\276\276\242\361\322s\315\246\336\353~_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02476  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02477  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02478  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02479  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02480  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02481  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02482  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02483  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 02484  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\17\25\250G\320\373\322\344\207\353\331\36\211]O\374*;bmY\16\312B\3121\212\310\34A\353\32\33\360\337\2\350/t\364oHJ%O\365\16\357\13\270\261\230\315\262\212\234#\362\345Mb\16\2171\13\225\365\306\2115\216\256D\245>\33_\203\244I", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\17\25\250G\320\373\322\344\207\353\331\36\211]O\374*;bmY\16\312B\3121\212\310\34A\353\32\33\360\337\2\350/t\364oHJ%O\365\16\357\13\270\261\230\315\262\212\234#\362\345Mb\16\2171\13\225\365\306\2115\216\256D\245>\33_\203\244I", 80, ... ) , 80, ... ) == 0x0
 02485  1736   NtClose  (-2147482576, ... ) == 0x0
 02475  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\324\274\327\33\265\273\2474\213\376m\33\305c\332@@\2210\311\16\310\376\303U\220\254F\267\263@Z\201$IF"\340Zj\207\327y\3677KuM\310{\332\375\351h)\250v\207\217\35\4\213+T\323\336v\302\304/\5"\201\223\353\366\375l\263.-\22(j\23\6\261\326w\233\251\375\2741\213\240\277\367\360t\261\327\303d\246_"|\15\207z\271*\310\20\372Q\271\17\257\2448'E\1\232\327\22\355fIac,$,I\224F\26\377r\264z2Q\357O\347\231j\14\24\227\344\213\367S[\335\316;\230\266\320k\363\6"\30\3363\334$\240v8]~\203\217\j\206J\352\225\24/_\27Q\262La\22\266N\20\14\3217\325\224\214$\245\361\267\360\23\267,O\254\14Y'<\306\344\352I\200\334\352x\344m\277,gN6/t\330\\270\245\364\356\354\200\344\6`\206\257\223\242\270\223\201#", ) \340Zj\207\327y\3677KuM\310{\332\375\351h)\250v\207\217\35\4\213+T\323\336v\302\304/\5 ... {status=0x0, info=256}, "\324\274\327\33\265\273\2474\213\376m\33\305c\332@@\2210\311\16\310\376\303U\220\254F\267\263@Z\201$IF"\340Zj\207\327y\3677KuM\310{\332\375\351h)\250v\207\217\35\4\213+T\323\336v\302\304/\5"\201\223\353\366\375l\263.-\22(j\23\6\261\326w\233\251\375\2741\213\240\277\367\360t\261\327\303d\246_"|\15\207z\271*\310\20\372Q\271\17\257\2448'E\1\232\327\22\355fIac,$,I\224F\26\377r\264z2Q\357O\347\231j\14\24\227\344\213\367S[\335\316;\230\266\320k\363\6"\30\3363\334$\240v8]~\203\217\j\206J\352\225\24/_\27Q\262La\22\266N\20\14\3217\325\224\214$\245\361\267\360\23\267,O\254\14Y'<\306\344\352I\200\334\352x\344m\277,gN6/t\330\\270\245\364\356\354\200\344\6`\206\257\223\242\270\223\201#", ) |\15\207z\271*\310\20\372Q\271\17\257\2448'E\1\232\327\22\355fIac,$,I\224F\26\377r\264z2Q\357O\347\231j\14\24\227\344\213\367S[\335\316;\230\266\320k\363\6 ... {status=0x0, info=256}, "\324\274\327\33\265\273\2474\213\376m\33\305c\332@@\2210\311\16\310\376\303U\220\254F\267\263@Z\201$IF"\340Zj\207\327y\3677KuM\310{\332\375\351h)\250v\207\217\35\4\213+T\323\336v\302\304/\5"\201\223\353\366\375l\263.-\22(j\23\6\261\326w\233\251\375\2741\213\240\277\367\360t\261\327\303d\246_"|\15\207z\271*\310\20\372Q\271\17\257\2448'E\1\232\327\22\355fIac,$,I\224F\26\377r\264z2Q\357O\347\231j\14\24\227\344\213\367S[\335\316;\230\266\320k\363\6"\30\3363\334$\240v8]~\203\217\j\206J\352\225\24/_\27Q\262La\22\266N\20\14\3217\325\224\214$\245\361\267\360\23\267,O\254\14Y'<\306\344\352I\200\334\352x\344m\277,gN6/t\330\\270\245\364\356\354\200\344\6`\206\257\223\242\270\223\201#", ) , ) == 0x0
 02486  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\212P^\224ZU\222d\33\205\6\276\276\2426\236\303\15m:\1\5\206s\315\246\336\353~_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02487  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02488  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02489  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02490  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02491  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02492  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02493  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02494  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 02495  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "R\207\214\21k!?n\250;k\307p\221\14\342A/\224\337\220\256\233\265\321eP\253\21\353\27\3\351+r%\23\315d\330o\221\331P\215})\252\266\250\34\252\262@A5\347\234\3172\3102~\340\3319\36\14\214\305\257X*\310\240\377\235mv\304", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "R\207\214\21k!?n\250;k\307p\221\14\342A/\224\337\220\256\233\265\321eP\253\21\353\27\3\351+r%\23\315d\330o\221\331P\215})\252\266\250\34\252\262@A5\347\234\3172\3102~\340\3319\36\14\214\305\257X*\310\240\377\235mv\304", 80, ... ) , 80, ... ) == 0x0
 02496  1736   NtClose  (-2147482576, ... ) == 0x0
 02486  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "@\3038zJ\336\356\332\243\362\224\356\2161A\353J\115u\231\36\377t\16\346v\202NL\361ps\271\210s\335\2023.\210sj\351N\212\240\2\340\23\353\25x\237\225_\350\345\270\33h=\316\256\242V=Z\253\272\310B\345}\271\375\246\225\3\2\12E\1\4\11\260\234\200\221\224\300\24\346/u\356\200aag\333A\214\246\336\212|\313\256\376S%\211,=\262\370\326\376\206\24\344\346\251Dj\366\362D\233\37)\322!YE4\14}\230\223*\315w\343\11\362\3510\370\313\225\211S\323dL\201\305K\337\377w\226yt\233AT\240\27\177\27\352\237\4\304n\31\37\347Y1,B\263\271'(\377\314\225\4\1\2U\26Cc\233|Dj\301\215\321\352zR\3x\33\267*q\11eVM\202\235\276\373o!\332 \262\363\22\255Of\277\236s\3028\252Y\262Lyy=$\352q\321\333\247\266\371\316\272,", ) , ) == 0x0
 02497  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\212P^\224ZU\222d\33\205\6\276\276\2426\236\303\15m:\1\302\312\303\15m:\1\5\206s\315\246\336\353~_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02498  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02499  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02500  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02501  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02502  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02503  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02504  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02505  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 02506  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "M\6\5\252\364$z'\225\276pN9(\260\212E^\3\247\343\244\364\341G2ES\142Z\25}\263vU\3143F\324\262^\304\227\335\301\316vg\2058f*\315\312\212\350\242\4\235\277S\375\245\215O\350\216\322\277\20t\214\253~\271\263\335\277\345", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "M\6\5\252\364$z'\225\276pN9(\260\212E^\3\247\343\244\364\341G2ES\142Z\25}\263vU\3143F\324\262^\304\227\335\301\316vg\2058f*\315\312\212\350\242\4\235\277S\375\245\215O\350\216\322\277\20t\214\253~\271\263\335\277\345", 80, ... ) , 80, ... ) == 0x0
 02507  1736   NtClose  (-2147482576, ... ) == 0x0
 02497  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\315\0\264}\201\311\304\22oC\323{\201\32\212X\200#\205\207rE\264\325#\243M\301\246\31\345J\14{\6\300)\366[\334n\2244\215x\177I\233\0\200\255<\365#\274+\4\21\301\307\36\341rKu\36\257\267\347\372\333\13z\361Gi\251.\313a\235!\177*\305\2\317\315\267hR\203\267\273\347'&3-_\235\363\312\233\13\250-=\240h\354\234O\21\214\23\3648 X\343\202\376l\373\36\o\0\261}\w\260D=\365\274r\215\25\314\301\37\257{G\246\311\237\333Td\352\204\337\275C\243\364\7\207\21\315c=qe\336_\244\342\4\256\206\\215\6\224/H/iT\254\265\311nJw\270\322X\1\360\315\32H\350Z;T\355\340\305"\3524\221U\246~\365v\241\244\363]\315W\363\310\27\256\30\211\242!\301\11\274\37|\32\314\321\342\345\31\361\0\5\355h\204\267\361y\215O\302\15\210\254|", ) \3524\221U\246~\365v\241\244\363]\315W\363\310\27\256\30\211\242!\301\11\274\37|\32\314\321\342\345\31\361\0\5\355h\204\267\361y\215O\302\15\210\254|", ) == 0x0
 02508  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\212P^\224ZU\222d\33\205\6\276\276\2426\236\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\5\206s\315\246\336\353~_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02509  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02510  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02511  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02512  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02513  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02514  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02515  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02516  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 02517  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\272$n{\1\323\33\255\316\374\343\37\265_^\356\332\255g\346\255\230\242^T\306|797Y,\23O\261\3n?h:^5\310\20\263\14\55J{\343\201\267\322p\336K\333g\n\245\341\237\22#SB\244*@\17JR\363\257\307v\17\235", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\272$n{\1\323\33\255\316\374\343\37\265_^\356\332\255g\346\255\230\242^T\306|797Y,\23O\261\3n?h:^5\310\20\263\14\55J{\343\201\267\322p\336K\333g\n\245\341\237\22#SB\244*@\17JR\363\257\307v\17\235", 80, ... ) , 80, ... ) == 0x0
 02518  1736   NtClose  (-2147482576, ... ) == 0x0
 02508  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\331\333TI\200\2562\204\256\343\21S\351\317\5\15\354\272(\234+\200\357QIT,\22\370S\216\32\326\231\215ou\206u\261\337\227\366\355\211\216A\13\210\374g^/VB\233\234\24p\242'\357\243p\342u\230\266h\27\304\302ea\273\323\344'\5\274*Jf\217\217\200F\231\236\263\320R\317\233\25\24'\342Wh\271U\232\360\322\337\221\323\367\22WW\305\2608\345m\313O\301\204\242K\216\233"z@\216\257\244\311\371\303kK\246\337\13\\245\7CSX\220r\334C\314W\343\232\341:\23\307\370\376\224\336?\361L\252\216\217\371sK\267\374Q{\335\366\343\374U\233B<\233\35h\231\266\201\2gi\5\225\250U\244!\227\211B\14\262\222\333!\203$\236\200\225\3413s\20TZT\374\207\327\341\206\11F\203\232\227\316\277\221\24\316\355\264\377\307\265%J\202jg\326\335\21b\270|\350T\7\354\34\31\312", ) z@\216\257\244\311\371\303kK\246\337\13\\245\7CSX\220r\334C\314W\343\232\341:\23\307\370\376\224\336?\361L\252\216\217\371sK\267\374Q{\335\366\343\374U\233B<\233\35h\231\266\201\2gi\5\225\250U\244!\227\211B\14\262\222\333!\203$\236\200\225\3413s\20TZT\374\207\327\341\206\11F\203\232\227\316\277\221\24\316\355\264\377\307\265%J\202jg\326\335\21b\270|\350T\7\354\34\31\312", ) == 0x0
 02519  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\212P^\224ZU\222d\33\205\6\276\276\2426\236\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\5\206s\315\246\336\353~_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02520  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02521  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02522  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02523  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02524  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02525  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02526  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02527  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 02528  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\2533d\22\351G\313;\323-R\21\361\244\255V\256\3148hA\315m\304a\11\16\360*)L\300\254PK\302\221\342\217\253\200\223\224\301Y_\320\221\360\333\327\257\350\13\116\21K\341N\310q \254Y\0D>\257R\313\356\257\21\256\270<[T\2", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\2533d\22\351G\313;\323-R\21\361\244\255V\256\3148hA\315m\304a\11\16\360*)L\300\254PK\302\221\342\217\253\200\223\224\301Y_\320\221\360\333\327\257\350\13\116\21K\341N\310q \254Y\0D>\257R\313\356\257\21\256\270<[T\2", 80, ... ) , 80, ... ) == 0x0
 02529  1736   NtClose  (-2147482576, ... ) == 0x0
 02519  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\352nz\250\273\335\246\224\312\334\335\4C\\306/\37\317\266\35\336H\261D\377\367\301y\15\307Y\35309\344D\35 ]\116\213\255\207\6G\247E\261\4\317R\263\267\244\1\200E\306\365\300\210\27\230\371m\255\245Y\370v\225I\241FL'\303\273T7\232\241\353\210xz\341/\16~\213z\302\244r\375\237\303R\211\272h\2\230Q%\217\237F\372\6 :\21C2\{3?\251e\313\217\271%\251\224\227\327\263BCe\275\354q\3637\310\2236\342F\334Q\6H\376\351\370e8\251u7\300\323\233p\277h.\273\246\356q\33WX`\267\266\226\177\275f\204D\30\235c\2369\310\264\226\22\271d\331\211x\367/\215\11\237\363=@\5\375\247x\231J\6\2378\354\201\302\326I\343\227\355P\17\374^\237\3159\336 3\212\357\0J\304\3[?\257\2\357i\347\314\202\234\331\370\22);omO@", ) , ) == 0x0
 02530  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\212P^\224ZU\222d\33\205\6\276\276\2426\236\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\5\206s\315\246\336\353~_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02531  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02532  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02533  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02534  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02535  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02536  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02537  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02538  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 02539  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\327\17T\331\265u\2651\240=\37\35\221\371\315\3171\261\370\352\252\217_(\25C\214\243\30\343\2077s\213oc\263;\12\232\366_:|\351\32\201\33s\224\364\11\361P\352\370 @\240\37\212RU\334\3\231\262\246\4\203\253\241\235\264N\321\316]\306", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\327\17T\331\265u\2651\240=\37\35\221\371\315\3171\261\370\352\252\217_(\25C\214\243\30\343\2077s\213oc\263;\12\232\366_:|\351\32\201\33s\224\364\11\361P\352\370 @\240\37\212RU\334\3\231\262\246\4\203\253\241\235\264N\321\316]\306", 80, ... ) , 80, ... ) == 0x0
 02540  1736   NtClose  (-2147482576, ... ) == 0x0
 02530  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "o\204PE\312e\214\370\35\36\300\373iJ{ \272$e\323\327\207LX\10x\222=\334\364\306\255\4\320\355\251f\7{h\307\25\261N\222Qs\213\270\326e\361_\3372d\2~\330\357\226\214k\316B]\327\257\32\323\222Fqm\362\245\362QW\224\201r\3.\346|\333s\237\3242uPq\372x\375\333\17\34\276\245\224}n\264\223\337\341\344\375\3743\277'\237N\324\0\370\5\313\361\355\305\2t\262-\\342\376&#\1\220P\10\225v\242\207K\277\240.\267 \210\264\264\314\260r\337[\264>\374U\236\235\336\315\224\247\254\242]\206\341\301]\264\220\17\356\272?\357\346\354NcC\340W#\5\30\305T!$\205S\302\272e%\235\262\310\32\316\372\357\330<\354\241\376\311aV,_I\363<8\262\222?!\211R+\271\2124\7\3501Z+\320\205Q\241E\24`Y\233\220\352M\3023d\272\316\266\6", ) , ) == 0x0
 02541  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\212P^\224ZU\222d\33\205\6\276\276\2426\236\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\302\312\303\15m:\1\5\206s\315\246\336\353~_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02542  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02543  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02544  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02545  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02546  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02547  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02548  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02549  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 02550  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\200 <\327\217\241\210\3\3}\260\233P\363*\25212\270I\274\334j\324\335\300D\374xy=rU]\370\373G7\224Jmg\220\205c\15\3319-\350\37\203\256X\217\314v\352:\242jk\256\4\345\235?\312N\365\264\33\21\367\323~\234\320R\22", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\200 <\327\217\241\210\3\3}\260\233P\363*\25212\270I\274\334j\324\335\300D\374xy=rU]\370\373G7\224Jmg\220\205c\15\3319-\350\37\203\256X\217\314v\352:\242jk\256\4\345\235?\312N\365\264\33\21\367\323~\234\320R\22", 80, ... ) , 80, ... ) == 0x0
 02551  1736   NtClose  (-2147482576, ... ) == 0x0
 02541  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\357g\271\2561:\210\265\255\10\277F\30\376:\310\335\246\343\305\243>\4\242\361\303\333Nh\3417[\24\312\246R0\23\2558>\34>\320\372C6y9\312\303y\325g!=2\204&\270\254u\11~\34dP<_A\246fA\203\243,\5\2\337\31\275\303\26\317\335\213/\36\352\37et\205Uc\341^\334\371\215i\7\371\303\221lei\323\21\367\215\372\350\11P\302&W\24k\5\22t\207\21\202!0\305|,\2556\2737s\353n\20-{\251*\0_9%\360\273\231\22X\200\301d\373\323"z+\372\300\3221\377\221\222\212\350\306\342\30\34F\254\227P\224\254\316\330j'w\371H\245F\223\5\340V\37Z(O\247\356a\21*\234\354Y\31\246F\33\331-5zw\356\22016b\205\260gi\3$\3325}.S7\27\220\15\273\205-\272\301\336-W\25\232\256\241\260\222J\220\227\0\227e\246q", ) z+\372\300\3221\377\221\222\212\350\306\342\30\34F\254\227P\224\254\316\330j'w\371H\245F\223\5\340V\37Z(O\247\356a\21*\234\354Y\31\246F\33\331-5zw\356\22016b\205\260gi\3$\3325}.S7\27\220\15\273\205-\272\301\336-W\25\232\256\241\260\222J\220\227\0\227e\246q", ) == 0x0
 02552  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 372, ) == 0x0
 02553  1736   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1234784, 188, ... 376, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1234784, 188, ... 376, 0x0, 0x0, 0x0, 188, ) == 0x0
 02554  1736   NtRequestWaitReplyPort  (376, {200, 224, new_msg, 0, 2621478, 1366728, 12, 2}  (376, {200, 224, new_msg, 0, 2621478, 1366728, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\260/\24\0\240\332\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0YA\335\376Xe48\230\332\24\0h\1\24\0\12\0\0\0\0\0\0\0\230\332\24\0(\0\0\0\240\332\24\0\227\372wWx\1\24\0(\0\0\0\23\231\0\0\0\0\24\0\274\325\22\0\255\0\0\0\0\0\0\0\370_\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1636, 1736, 75520, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260/\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0YA\335\376Xe48\230\332\24\0h\1\24\0\12\0\0\0\0\0\0\0\230\332\24\0(\0\0\0\240\332\24\0\227\372wWx\1\24\0(\0\0\0\23\231\0\0\0\0\24\0\274\325\22\0\255\0\0\0\0\0\0\0\370_\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ... {200, 224, reply, 0, 1636, 1736, 75520, 0}  (376, {200, 224, new_msg, 0, 2621478, 1366728, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\260/\24\0\240\332\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0YA\335\376Xe48\230\332\24\0h\1\24\0\12\0\0\0\0\0\0\0\230\332\24\0(\0\0\0\240\332\24\0\227\372wWx\1\24\0(\0\0\0\23\231\0\0\0\0\24\0\274\325\22\0\255\0\0\0\0\0\0\0\370_\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1636, 1736, 75520, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260/\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0YA\335\376Xe48\230\332\24\0h\1\24\0\12\0\0\0\0\0\0\0\230\332\24\0(\0\0\0\240\332\24\0\227\372wWx\1\24\0(\0\0\0\23\231\0\0\0\0\24\0\274\325\22\0\255\0\0\0\0\0\0\0\370_\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02555  1736   NtRequestWaitReplyPort  (376, {32, 56, new_msg, 0, 0, 0, 0, 0}  (376, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1636, 1736, 75521, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0\313\10\267\300jhJK\246\276<_\2017\216R\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ... {124, 148, reply, 0, 1636, 1736, 75521, 0}  (376, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1636, 1736, 75521, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0\313\10\267\300jhJK\246\276<_\2017\216R\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ) == 0x0
 02556  1736   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 02557  1736   NtRequestWaitReplyPort  (376, {44, 68, new_msg, 56, 1636, 1736, 75521, 0}  (376, {44, 68, new_msg, 56, 1636, 1736, 75521, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0H\335\24\0\10\5\0\0" ... {40, 64, reply, 0, 1636, 1736, 75522, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\30h\15\0" )  ... {40, 64, reply, 0, 1636, 1736, 75522, 0}  (376, {44, 68, new_msg, 56, 1636, 1736, 75521, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0H\335\24\0\10\5\0\0" ... {40, 64, reply, 0, 1636, 1736, 75522, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\30h\15\0" )  ) == 0x0
 02558  1736   NtRequestWaitReplyPort  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0}  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1636, 1736, 75523, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1636, 1736, 75523, 0}  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1636, 1736, 75523, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02559  1736   NtRequestWaitReplyPort  (376, {44, 68, new_msg, 56, 1636, 1736, 75522, 0}  (376, {44, 68, new_msg, 56, 1636, 1736, 75522, 0} "\1\0\0\0B\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0H\335\24\0\10\5\0\0" ... {40, 64, reply, 0, 1636, 1736, 75524, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\30h\15\0" )  ... {40, 64, reply, 0, 1636, 1736, 75524, 0}  (376, {44, 68, new_msg, 56, 1636, 1736, 75522, 0} "\1\0\0\0B\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0H\335\24\0\10\5\0\0" ... {40, 64, reply, 0, 1636, 1736, 75524, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\30h\15\0" )  ) == 0x0
 02560  1736   NtRequestWaitReplyPort  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0}  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1636, 1736, 75525, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1636, 1736, 75525, 0}  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1636, 1736, 75525, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02561  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 380, ) }, ... 380, ) == 0x0
 02562  1736   NtOpenKey  (0x20019, {24, 380, 0x40, 0, 0,  (0x20019, {24, 380, 0x40, 0, 0, "ActiveComputerName"}, ... 384, ) }, ... 384, ) == 0x0
 02563  1736   NtQueryValueKey  (384,  (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02564  1736   NtClose  (384, ... ) == 0x0
 02565  1736   NtClose  (380, ... ) == 0x0
 02566  1736   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 380, ) == 0x0
 02567  1736   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 384, ) == 0x0
 02568  1736   NtDuplicateObject  (-1, 380, -1, 0x0, 0, 2, ... 388, ) == 0x0
 02569  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02570  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 392, ) == 0x0
 02571  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02572  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02573  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234820,  (0xc0100080, {24, 0, 0x40, 0, 1234820, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0
 02574  1736   NtSetInformationFile  (396, 1234876, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02575  1736   NtSetInformationFile  (396, 1234864, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02576  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02577  1736   NtWriteFile  (396, 365, 0, 0,  (396, 365, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02578  1736   NtReadFile  (396, 365, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (396, 365, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02579  1736   NtFsControlFile  (396, 365, 0x0, 0x0, 0x11c017,  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02580  1736   NtFsControlFile  (396, 365, 0x0, 0x0, 0x11c017,  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\375\271P\223\13\357@O\201\3455\34\245\274C\246\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\375\271P\223\13\357@O\201\3455\34\245\274C\246\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\375\271P\223\13\357@O\201\3455\34\245\274C\246\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\375\271P\223\13\357@O\201\3455\34\245\274C\246\0\0\0\0", ) , ) == 0x103
 02581  1736   NtFsControlFile  (396, 365, 0x0, 0x0, 0x11c017,  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\375\271P\223\13\357@O\201\3455\34\245\274C\246", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\350\24\0\1\0\0\0t\350\24\0 \0\0\0\1\0\0\0\16\0\20\0\200\350\24\0\220\350\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\320\350\24\0\1\0\0\0\1\0\14\0\340\350\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\375\271P\223\13\357@O\201\3455\34\245\274C\246", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\350\24\0\1\0\0\0t\350\24\0 \0\0\0\1\0\0\0\16\0\20\0\200\350\24\0\220\350\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\320\350\24\0\1\0\0\0\1\0\14\0\340\350\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02582  1736   NtClose  (392, ... ) == 0x0
 02583  1736   NtClose  (396, ... ) == 0x0
 02584  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02585  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0
 02586  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02587  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02588  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234792,  (0xc0100080, {24, 0, 0x40, 0, 1234792, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) == 0x0
 02589  1736   NtSetInformationFile  (392, 1234848, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02590  1736   NtSetInformationFile  (392, 1234836, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02591  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02592  1736   NtWriteFile  (392, 365, 0, 0,  (392, 365, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02593  1736   NtReadFile  (392, 365, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (392, 365, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02594  1736   NtFsControlFile  (392, 365, 0x0, 0x0, 0x11c017,  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20P+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02595  1736   NtFsControlFile  (392, 365, 0x0, 0x0, 0x11c017,  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\321\253\15\32\216\235sH\223\374\344z\353\367>\307\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\321\253\15\32\216\235sH\223\374\344z\353\367>\307\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\321\253\15\32\216\235sH\223\374\344z\353\367>\307\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\321\253\15\32\216\235sH\223\374\344z\353\367>\307\0\0\0\0", ) , ) == 0x103
 02596  1736   NtFsControlFile  (392, 365, 0x0, 0x0, 0x11c017,  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\321\253\15\32\216\235sH\223\374\344z\353\367>\307", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\350\24\0\1\0\0\0t\350\24\0 \0\0\0\1\0\0\0\16\0\20\0\200\350\24\0\220\350\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\320\350\24\0\1\0\0\0\1\0\14\0\340\350\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\321\253\15\32\216\235sH\223\374\344z\353\367>\307", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\350\24\0\1\0\0\0t\350\24\0 \0\0\0\1\0\0\0\16\0\20\0\200\350\24\0\220\350\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\320\350\24\0\1\0\0\0\1\0\14\0\340\350\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02597  1736   NtClose  (396, ... ) == 0x0
 02598  1736   NtClose  (392, ... ) == 0x0
 02599  1736   NtOpenProcessToken  (-1, 0x20008, ... 392, ) == 0x0
 02600  1736   NtQueryInformationToken  (392, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02601  1736   NtQueryInformationToken  (392, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 02602  1736   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 396, ) }, ... 396, ) == 0x0
 02603  1736   NtUserOpenWindowStation  ({24, 396, 0x40, 0, 0,  ({24, 396, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x190
 02604  1736   NtClose  (396, ... ) == 0x0
 02605  1736   NtUserCloseWindowStation  (400, ...
 02606  1736   NtClose  (400, ... ) == 0x0
 02605  1736   NtUserCloseWindowStation  ... ) == 0x1
 02607  1736   NtClose  (392, ... ) == 0x0
 02608  1736   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 392, ) == 0x0
 02609  1736   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 400, ) == 0x0
 02610  1736   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 396, ) == 0x0
 02611  1736   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 404, ) == 0x0
 02612  1736   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 408, ) == 0x0
 02613  1736   NtMapViewOfSection  (408, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x26e0000), {0, 0}, 8192, ) == 0x0
 02614  1736   NtQueryDefaultUILanguage  (1235484, ...
 02615  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02616  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 02617  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02618  1736   NtClose  (-2147482576, ... ) == 0x0
 02619  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 02620  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02621  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 02622  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02623  1736   NtClose  (-2147481400, ... ) == 0x0
 02624  1736   NtClose  (-2147482576, ... ) == 0x0
 02614  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 02625  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02626  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02627  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233728, ... ) }, 1233728, ... ) == 0x0
 02628  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232500, ... ) }, 1232500, ... ) == 0x0
 02629  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02630  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02631  1736   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1234836,  (0x10100080, {24, 0, 0x40, 0, 1234836, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ad0a_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 02632  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02633  1736   NtClose  (-2147482576, ... ) == 0x0
 02634  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02635  1736   NtClose  (-2147482576, ... ) == 0x0
 02636  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02637  1736   NtClose  (-2147482576, ... ) == 0x0
 02631  1736   NtCreateFile  ... 412, {status=0x0, info=2}, ) == 0x0
 02638  1736   NtClose  (412, ... ) == 0x0
 02639  1736   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 412, ) == 0x0
 02640  1736   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2ab0000), 0x0, 4194304, ) == 0x0
 02641  1736   NtAllocateVirtualMemory  (-1, 44761088, 0, 1, 4096, 4, ... 44761088, 4096, ) == 0x0
 02642  1736   NtAllocateVirtualMemory  (-1, 44765184, 0, 4808, 4096, 4, ... 44765184, 8192, ) == 0x0
 02643  1736   NtCreateSection  (0xf0007, 0x0, {33036, 0}, 4, 134217728, 0, ... 416, ) == 0x0
 02644  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02645  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02646  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02647  1736   NtClose  (412, ... ) == 0x0
 02648  1736   NtUnmapViewOfSection  (-1, 0x2ab0000, ... ) == 0x0
 02649  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02650  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02651  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02652  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02653  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02654  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02655  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02656  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02657  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02658  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02659  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02660  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02661  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02662  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02663  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02664  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02665  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02666  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02667  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02668  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02669  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02670  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02671  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02672  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02673  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02674  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02675  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02676  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02677  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02678  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02679  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02680  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02681  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02682  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02683  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02684  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02685  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02686  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02687  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02688  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02689  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02690  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02691  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02692  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02693  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02694  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02695  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02696  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02697  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02698  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02699  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02700  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02701  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02702  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02703  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02704  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02705  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02706  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02707  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02708  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02709  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02710  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02711  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02712  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02713  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02714  1736   NtClose  (416, ... ) == 0x0
 02715  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02716  1736   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 416, {status=0x0, info=1}, ) }, 3, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 02717  1736   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 412, ) }, ... 412, ) == 0x0
 02718  1736   NtQuerySymbolicLinkObject  (412, ...  (412, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 02719  1736   NtClose  (412, ... ) == 0x0
 02720  1736   NtQueryVolumeInformationFile  (416, 1234052, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02721  1736   NtClose  (416, ... ) == 0x0
 02722  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1232848, ... ) }, 1232848, ... ) == 0x0
 02723  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 02724  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 416, ... 412, ) == 0x0
 02725  1736   NtClose  (416, ... ) == 0x0
 02726  1736   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2700000), 0x0, 126976, ) == 0x0
 02727  1736   NtClose  (412, ... ) == 0x0
 02728  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02729  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1233156, ... ) }, 1233156, ... ) == 0x0
 02730  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 02731  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 412, ... 416, ) == 0x0
 02732  1736   NtQuerySection  (416, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02733  1736   NtClose  (412, ... ) == 0x0
 02734  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02735  1736   NtClose  (416, ... ) == 0x0
 02736  1736   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02737  1736   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02738  1736   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02739  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02740  1736   NtAllocateVirtualMemory  (-1, 1372160, 0, 12288, 4096, 4, ... 1372160, 12288, ) == 0x0
 02741  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234544, ... ) }, 1234544, ... ) == 0x0
 02742  1736   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234552,  (0x40100080, {24, 0, 0x40, 0, 1234552, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ad0a_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 02743  1736   NtClose  (-2147482576, ... ) == 0x0
 02744  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02745  1736   NtClose  (-2147482576, ... ) == 0x0
 02746  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02747  1736   NtClose  (-2147482576, ... ) == 0x0
 02748  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519598080, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02749  1736   NtClose  (-2147482576, ... ) == 0x0
 02742  1736   NtCreateFile  ... 416, {status=0x0, info=3}, ) == 0x0
 02750  1736   NtAllocateVirtualMemory  (-1, 1384448, 0, 12288, 4096, 4, ... 1384448, 12288, ) == 0x0
 02751  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 412, {status=0x0, info=1}, ) }, 3, 16417, ... 412, {status=0x0, info=1}, ) == 0x0
 02752  1736   NtQueryDirectoryFile  (412, 0, 0, 0, 1233256, 616, BothDirectory, 1,  (412, 0, 0, 0, 1233256, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02753  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 02754  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (416, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (416, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 02755  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 02756  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233636, ... ) }, 1233636, ... ) == 0x0
 02757  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0
 02758  1736   NtQueryDirectoryFile  (420, 0, 0, 0, 1233248, 592, Directory, 1,  (420, 0, 0, 0, 1233248, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 02759  1736   NtClose  (420, ... ) == 0x0
 02760  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02761  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02762  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232168, ... ) }, 1232168, ... ) == 0x0
 02763  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230940, ... ) }, 1230940, ... ) == 0x0
 02764  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02765  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02766  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 02767  1736   NtQueryInformationFile  (420, 1233724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02768  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 420, ... 424, ) == 0x0
 02769  1736   NtMapViewOfSection  (424, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2ab0000), 0x0, 704512, ) == 0x0
 02770  1736   NtUnmapViewOfSection  (-1, 0x2ab0000, ... ) == 0x0
 02771  1736   NtClose  (424, ... ) == 0x0
 02772  1736   NtClose  (420, ... ) == 0x0
 02773  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... \07\00\01\09\02\02\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... \00\0x\0D\05\0C\0A\06\05\0C\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... \0W\0I\0N\03\02\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... \00\0x\08\09\07\04\02\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... \00\0x\00\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... \01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... \01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\00\01\09\02\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0D\05\0C\0A\06\05\0C\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\09\07\04\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\02\0/\02\00\00\07\0 \01\08\0:\01\07\0:\01\00\0"\0 \0/\0>\0\15\0\12\0", 416, 0x0, 0, ... , 416, 0x0, 0, ...
 02774  1736   NtContinue  (-139350572, 0, ...
 02773  1736   NtWriteFile  ... {status=0x0, info=416}, ) == 0x0
 02775  1736   NtQueryDirectoryFile  (412, 0, 0, 0, 1387312, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02776  1736   NtClose  (412, ... ) == 0x0
 02777  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 02778  1736   NtClose  (416, ... ) == 0x0
 02779  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1234544, ... ) }, 1234544, ... ) == 0x0
 02780  1736   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234552,  (0x40100080, {24, 0, 0x40, 0, 1234552, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ad0a_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 02781  1736   NtQueryInformationFile  (416, 1234576, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02782  1736   NtSetInformationFile  (416, 1234608, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02783  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 412, {status=0x0, info=1}, ) }, 3, 16417, ... 412, {status=0x0, info=1}, ) == 0x0
 02784  1736   NtQueryDirectoryFile  (412, 0, 0, 0, 1233256, 616, BothDirectory, 1,  (412, 0, 0, 0, 1233256, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02785  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 02786  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1233608, ... ) }, 1233608, ... ) == 0x0
 02787  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0
 02788  1736   NtQueryDirectoryFile  (420, 0, 0, 0, 1233248, 592, Directory, 1,  (420, 0, 0, 0, 1233248, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 02789  1736   NtClose  (420, ... ) == 0x0
 02790  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02791  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02792  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232168, ... ) }, 1232168, ... ) == 0x0
 02793  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230940, ... ) }, 1230940, ... ) == 0x0
 02794  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02795  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02796  1736   NtQueryDefaultLocale  (1, 1233128, ... ) == 0x0
 02797  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02798  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02799  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232160, ... ) }, 1232160, ... ) == 0x0
 02800  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230932, ... ) }, 1230932, ... ) == 0x0
 02801  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02802  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02803  1736   NtQueryDefaultLocale  (1, 1233120, ... ) == 0x0
 02804  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 02805  1736   NtQueryInformationFile  (420, 1233724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02806  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 420, ... 424, ) == 0x0
 02807  1736   NtMapViewOfSection  (424, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2ab0000), 0x0, 987136, ) == 0x0
 02808  1736   NtUnmapViewOfSection  (-1, 0x2ab0000, ... ) == 0x0
 02809  1736   NtClose  (424, ... ) == 0x0
 02810  1736   NtClose  (420, ... ) == 0x0
 02811  1736   NtQueryDefaultUILanguage  (1233080, ...
 02812  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02813  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 02814  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02815  1736   NtClose  (-2147482576, ... ) == 0x0
 02816  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 02817  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02818  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 02819  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02820  1736   NtClose  (-2147481400, ... ) == 0x0
 02821  1736   NtClose  (-2147482576, ... ) == 0x0
 02811  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 02822  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 02823  1736   NtQueryDirectoryFile  (412, 0, 0, 0, 1378608, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02824  1736   NtClose  (412, ... ) == 0x0
 02825  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 02826  1736   NtClose  (416, ... ) == 0x0
 02827  1736   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 02828  1736   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02829  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1231816, ... ) }, 1231816, ... ) == 0x0
 02830  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1232552, ... ) }, 1232552, ... ) == 0x0
 02831  1736   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 02832  1736   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 416, ... 412, ) == 0x0
 02833  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02834  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 420, ) }, ... 420, ) == 0x0
 02835  1736   NtQueryValueKey  (420,  (420, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02836  1736   NtClose  (420, ... ) == 0x0
 02837  1736   NtQueryVolumeInformationFile  (416, 1231828, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02838  1736   NtOpenMutant  (0x120001, {24, 72, 0x0, 0, 0,  (0x120001, {24, 72, 0x0, 0, 0, "ShimCacheMutex"}, ... 420, ) }, ... 420, ) == 0x0
 02839  1736   NtWaitForSingleObject  (420, 0, {-1000000, -1}, ... ) == 0x0
 02840  1736   NtOpenSection  (0x2, {24, 72, 0x0, 0, 0,  (0x2, {24, 72, 0x0, 0, 0, "ShimSharedMemory"}, ... 424, ) }, ... 424, ) == 0x0
 02841  1736   NtMapViewOfSection  (424, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 57344, ) == 0x0
 02842  1736   NtReleaseMutant  (420, ... 0x0, ) == 0x0
 02843  1736   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02844  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229760, ... ) }, 1229760, ... ) == 0x0
 02845  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 428, {status=0x0, info=1}, ) }, 5, 96, ... 428, {status=0x0, info=1}, ) == 0x0
 02846  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 428, ... 432, ) == 0x0
 02847  1736   NtClose  (428, ... ) == 0x0
 02848  1736   NtMapViewOfSection  (432, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2710000), 0x0, 126976, ) == 0x0
 02849  1736   NtClose  (432, ... ) == 0x0
 02850  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02851  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230068, ... ) }, 1230068, ... ) == 0x0
 02852  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 432, {status=0x0, info=1}, ) }, 5, 96, ... 432, {status=0x0, info=1}, ) == 0x0
 02853  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 432, ... 428, ) == 0x0
 02854  1736   NtQuerySection  (428, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02855  1736   NtClose  (432, ... ) == 0x0
 02856  1736   NtMapViewOfSection  (428, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02857  1736   NtClose  (428, ... ) == 0x0
 02858  1736   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02859  1736   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02860  1736   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02861  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02862  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0
 02863  1736   NtQueryInformationFile  (428, 1230084, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02864  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 428, ... 432, ) == 0x0
 02865  1736   NtMapViewOfSection  (432, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2ab0000), 0x0, 1191936, ) == 0x0
 02866  1736   NtQueryInformationFile  (428, 1230184, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02867  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02868  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02869  1736   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02870  1736   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02871  1736   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 436, ) }, ... 436, ) == 0x0
 02872  1736   NtQueryValueKey  (436,  (436, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (436, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02873  1736   NtClose  (436, ... ) == 0x0
 02874  1736   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02875  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02876  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1227780, 616, BothDirectory, 1,  (436, 0, 0, 0, 1227780, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02877  1736   NtClose  (436, ... ) == 0x0
 02878  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02879  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02880  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228156, ... ) }, 1228156, ... ) == 0x0
 02881  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02882  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02883  1736   NtClose  (436, ... ) == 0x0
 02884  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02885  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02886  1736   NtClose  (436, ... ) == 0x0
 02887  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02888  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02889  1736   NtClose  (436, ... ) == 0x0
 02890  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02891  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02892  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02893  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02894  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02895  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 02896  1736   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02897  1736   NtClose  (436, ... ) == 0x0
 02898  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02899  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02900  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228988, ... ) }, 1228988, ... ) == 0x0
 02901  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02902  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02903  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227856, ... ) }, 1227856, ... ) == 0x0
 02904  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 436, {status=0x0, info=1}, ) }, 5, 96, ... 436, {status=0x0, info=1}, ) == 0x0
 02905  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 436, ... 440, ) == 0x0
 02906  1736   NtClose  (436, ... ) == 0x0
 02907  1736   NtMapViewOfSection  (440, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2710000), 0x0, 180224, ) == 0x0
 02908  1736   NtClose  (440, ... ) == 0x0
 02909  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02910  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227452, ... ) }, 1227452, ... ) == 0x0
 02911  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228196,  (0x80100080, {24, 0, 0x40, 0, 1228196, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 440, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 440, {status=0x0, info=1}, ) == 0x0
 02912  1736   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 440, ... 436, ) == 0x0
 02913  1736   NtClose  (440, ... ) == 0x0
 02914  1736   NtMapViewOfSection  (436, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2710000), {0, 0}, 180224, ) == 0x0
 02915  1736   NtClose  (436, ... ) == 0x0
 02916  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02917  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02918  1736   NtQueryDefaultLocale  (1, 1228816, ... ) == 0x0
 02919  1736   NtQueryVirtualMemory  (-1, 0x2710000, Basic, 28, ... {BaseAddress=0x2710000,AllocationBase=0x2710000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02920  1736   NtQueryVirtualMemory  (-1, 0x2710000, Basic, 28, ... {BaseAddress=0x2710000,AllocationBase=0x2710000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02921  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02922  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02923  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02924  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227848, ... ) }, 1227848, ... ) == 0x0
 02925  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 436, {status=0x0, info=1}, ) }, 5, 96, ... 436, {status=0x0, info=1}, ) == 0x0
 02926  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 436, ... 440, ) == 0x0
 02927  1736   NtClose  (436, ... ) == 0x0
 02928  1736   NtMapViewOfSection  (440, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2710000), 0x0, 180224, ) == 0x0
 02929  1736   NtClose  (440, ... ) == 0x0
 02930  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02931  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227444, ... ) }, 1227444, ... ) == 0x0
 02932  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228188,  (0x80100080, {24, 0, 0x40, 0, 1228188, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 440, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 440, {status=0x0, info=1}, ) == 0x0
 02933  1736   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 440, ... 436, ) == 0x0
 02934  1736   NtClose  (440, ... ) == 0x0
 02935  1736   NtMapViewOfSection  (436, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2710000), {0, 0}, 180224, ) == 0x0
 02936  1736   NtClose  (436, ... ) == 0x0
 02937  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02938  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02939  1736   NtQueryDefaultLocale  (1, 1228808, ... ) == 0x0
 02940  1736   NtQueryVirtualMemory  (-1, 0x2710000, Basic, 28, ... {BaseAddress=0x2710000,AllocationBase=0x2710000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02941  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02942  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02943  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02944  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 02945  1736   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02946  1736   NtClose  (436, ... ) == 0x0
 02947  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02948  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02949  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02950  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229408, ... ) }, 1229408, ... ) == 0x0
 02951  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02952  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02953  1736   NtClose  (436, ... ) == 0x0
 02954  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02955  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02956  1736   NtClose  (436, ... ) == 0x0
 02957  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02958  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02959  1736   NtClose  (436, ... ) == 0x0
 02960  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02961  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02962  1736   NtWaitForSingleObject  (420, 0, {-1000000, -1}, ... ) == 0x0
 02963  1736   NtReleaseMutant  (420, ... 0x0, ) == 0x0
 02964  1736   NtUnmapViewOfSection  (-1, 0x2ab0000, ... ) == 0x0
 02965  1736   NtClose  (432, ... ) == 0x0
 02966  1736   NtClose  (428, ... ) == 0x0
 02967  1736   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02968  1736   NtOpenProcessToken  (-1, 0xa, ... 428, ) == 0x0
 02969  1736   NtQueryInformationToken  (428, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02970  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02971  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 02972  1736   NtQueryValueKey  (432,  (432, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (432, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02973  1736   NtQueryValueKey  (432,  (432, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (432, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02974  1736   NtClose  (432, ... ) == 0x0
 02975  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02976  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 02977  1736   NtQueryValueKey  (432,  (432, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02978  1736   NtClose  (432, ... ) == 0x0
 02979  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02980  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02981  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02982  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02983  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02984  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02985  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02986  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02987  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02988  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02989  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 432, ) }, ... 432, ) == 0x0
 02990  1736   NtEnumerateKey  (432, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (432, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02991  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 436, ) }, ... 436, ) == 0x0
 02992  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02993  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02994  1736   NtClose  (436, ... ) == 0x0
 02995  1736   NtEnumerateKey  (432, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02996  1736   NtClose  (432, ... ) == 0x0
 02997  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 432, ) }, ... 432, ) == 0x0
 02998  1736   NtEnumerateKey  (432, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 02999  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 436, ) }, ... 436, ) == 0x0
 03000  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 03001  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03002  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03003  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03004  1736   NtClose  (436, ... ) == 0x0
 03005  1736   NtEnumerateKey  (432, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 03006  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 436, ) }, ... 436, ) == 0x0
 03007  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 03008  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03009  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03010  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03011  1736   NtClose  (436, ... ) == 0x0
 03012  1736   NtEnumerateKey  (432, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 03013  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 436, ) }, ... 436, ) == 0x0
 03014  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 03015  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03016  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03017  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03018  1736   NtClose  (436, ... ) == 0x0
 03019  1736   NtEnumerateKey  (432, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 03020  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 436, ) }, ... 436, ) == 0x0
 03021  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 03022  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03023  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03024  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03025  1736   NtClose  (436, ... ) == 0x0
 03026  1736   NtEnumerateKey  (432, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 03027  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 436, ) }, ... 436, ) == 0x0
 03028  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 03029  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03030  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03031  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03032  1736   NtClose  (436, ... ) == 0x0
 03033  1736   NtEnumerateKey  (432, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 03034  1736   NtClose  (432, ... ) == 0x0
 03035  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03036  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03037  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03039  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03040  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03041  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03042  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03043  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03044  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03045  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03046  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03047  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03048  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03049  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03050  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03051  1736   NtClose  (432, ... ) == 0x0
 03052  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03053  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03054  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03055  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03056  1736   NtClose  (432, ... ) == 0x0
 03057  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03058  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03059  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03060  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03061  1736   NtClose  (432, ... ) == 0x0
 03062  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03063  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03064  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03065  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03066  1736   NtClose  (432, ... ) == 0x0
 03067  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03068  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03069  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03070  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03071  1736   NtClose  (432, ... ) == 0x0
 03072  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03073  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03074  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03075  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03076  1736   NtClose  (432, ... ) == 0x0
 03077  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03078  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03079  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03080  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03081  1736   NtClose  (432, ... ) == 0x0
 03082  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03083  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03084  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03085  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03086  1736   NtClose  (432, ... ) == 0x0
 03087  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03088  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03089  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03090  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03091  1736   NtClose  (432, ... ) == 0x0
 03092  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03093  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03094  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03095  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03096  1736   NtClose  (432, ... ) == 0x0
 03097  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03098  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03099  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03100  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03101  1736   NtClose  (432, ... ) == 0x0
 03102  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03103  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03104  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03105  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03106  1736   NtClose  (432, ... ) == 0x0
 03107  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03108  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03109  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03110  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03111  1736   NtClose  (432, ... ) == 0x0
 03112  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03113  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03114  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03115  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03116  1736   NtClose  (432, ... ) == 0x0
 03117  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03118  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03119  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03120  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03121  1736   NtClose  (432, ... ) == 0x0
 03122  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03123  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 03124  1736   NtQueryValueKey  (432,  (432, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (432, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (432, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 03125  1736   NtClose  (432, ... ) == 0x0
 03126  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03127  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03128  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03129  1736   NtClose  (432, ... ) == 0x0
 03130  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03131  1736   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 03132  1736   NtOpenProcessToken  (-1, 0xa, ... 432, ) == 0x0
 03133  1736   NtDuplicateToken  (432, 0xc, {24, 0, 0x0, 0, 1231688, 0x0}, 0, 2, ... 436, ) == 0x0
 03134  1736   NtClose  (432, ... ) == 0x0
 03135  1736   NtAccessCheck  (1396048, 436, 0x1, 1231764, 1231816, 56, 1231796, ... (0x1), ) == 0x0
 03136  1736   NtClose  (436, ... ) == 0x0
 03137  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 436, ) }, ... 436, ) == 0x0
 03138  1736   NtQueryValueKey  (436,  (436, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (436, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03139  1736   NtClose  (436, ... ) == 0x0
 03140  1736   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 436, ) }, ... 436, ) == 0x0
 03141  1736   NtQuerySymbolicLinkObject  (436, ...  (436, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03142  1736   NtClose  (436, ... ) == 0x0
 03143  1736   NtQueryVolumeInformationFile  (416, 1229520, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03144  1736   NtQueryInformationFile  (416, 1229636, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 03145  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03146  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03147  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228808, ... ) }, 1228808, ... ) == 0x0
 03148  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 03149  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03150  1736   NtClose  (436, ... ) == 0x0
 03151  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 03152  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03153  1736   NtClose  (436, ... ) == 0x0
 03154  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 03155  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03156  1736   NtClose  (436, ... ) == 0x0
 03157  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03158  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03159  1736   NtQueryInformationFile  (416, 1231676, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03160  1736   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 416, ... 436, ) == 0x0
 03161  1736   NtMapViewOfSection  (436, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0x2710000), {0, 0}, 180224, ) == 0x0
 03162  1736   NtClose  (436, ... ) == 0x0
 03163  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03164  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03165  1736   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03166  1736   NtClose  (436, ... ) == 0x0
 03167  1736   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 436, ) }, ... 436, ) == 0x0
 03168  1736   NtOpenKey  (0x20019, {24, 436, 0x40, 0, 0,  (0x20019, {24, 436, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 432, ) }, ... 432, ) == 0x0
 03169  1736   NtClose  (436, ... ) == 0x0
 03170  1736   NtQueryValueKey  (432,  (432, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03171  1736   NtQueryValueKey  (432,  (432, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (432, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 03172  1736   NtClose  (432, ... ) == 0x0
 03173  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 03174  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 40960000, 4096, ) == 0x0
 03175  1736   NtAllocateVirtualMemory  (-1, 40960000, 0, 4096, 4096, 4, ... 40960000, 4096, ) == 0x0
 03176  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 03177  1736   NtQueryValueKey  (432,  (432, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03178  1736   NtClose  (432, ... ) == 0x0
 03179  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03180  1736   NtQueryInformationToken  (428, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03181  1736   NtQueryInformationToken  (428, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03182  1736   NtClose  (428, ... ) == 0x0
 03183  1736   NtQuerySection  (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03184  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03185  1736   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 03186  1736   NtCreateProcessEx  (1233600, 2035711, 0, -1, 4, 412, 0, 0, 0, ... ) == 0x0
 03187  1736   NtSetInformationProcess  (428, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 03188  1736   NtSetInformationProcess  (428, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03189  1736   NtQueryInformationProcess  (428, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd8000,AffinityMask=0x1,BasePriority=8,Pid=1480,ParentPid=1636,}, 0x0, ) == 0x0
 03190  1736   NtReadVirtualMemory  (428, 0x7ffd8008, 4, ...  (428, 0x7ffd8008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 03191  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03192  1736   NtReadVirtualMemory  (428, 0x30000000, 4096, ...  (428, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 03193  1736   NtReadVirtualMemory  (428, 0x30033000, 256, ...  (428, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 03194  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03195  1736   NtQueryInformationProcess  (428, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd8000,AffinityMask=0x1,BasePriority=8,Pid=1480,ParentPid=1636,}, 0x0, ) == 0x0
 03196  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1232552, ... ) }, 1232552, ... ) == 0x0
 03197  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 41025536, 4096, ) == 0x0
 03198  1736   NtAllocateVirtualMemory  (428, 0, 0, 6464, 4096, 4, ... 65536, 8192, ) == 0x0
 03199  1736   NtWriteVirtualMemory  (428, 0x10000,  (428, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6464, ... 0x0, ) , 6464, ... 0x0, ) == 0x0
 03200  1736   NtAllocateVirtualMemory  (428, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 03201  1736   NtWriteVirtualMemory  (428, 0x20000,  (428, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0B\1\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 03202  1736   NtWriteVirtualMemory  (428, 0x7ffd8010,  (428, 0x7ffd8010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03203  1736   NtAllocateVirtualMemory  (428, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 03204  1736   NtWriteVirtualMemory  (428, 0x30000,  (428, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 03205  1736   NtWriteVirtualMemory  (428, 0x7ffd81e8,  (428, 0x7ffd81e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03206  1736   NtFreeVirtualMemory  (-1, (0x2720000), 0, 32768, ... (0x2720000), 4096, ) == 0x0
 03207  1736   NtAllocateVirtualMemory  (428, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 03208  1736   NtAllocateVirtualMemory  (428, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 03209  1736   NtProtectVirtualMemory  (428, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 03210  1736   NtCreateThread  (0x1f03ff, 0x0, 428, 1233608, 1233272, 1, ... 432, {1480, 1068}, ) == 0x0
 03211  1736   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\257\1\0\0\260\1\0\0\310\5\0\0,\4\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1636, 1736, 75526, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\254\1\0\0\260\1\0\0\310\5\0\0,\4\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ... {168, 196, reply, 0, 1636, 1736, 75526, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\257\1\0\0\260\1\0\0\310\5\0\0,\4\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1636, 1736, 75526, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\254\1\0\0\260\1\0\0\310\5\0\0,\4\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ) == 0x0
 03212  1736   NtResumeThread  (432, ... 1, ) == 0x0
 03213  1736   NtClose  (416, ... ) == 0x0
 03214  1736   NtClose  (412, ... ) == 0x0
 03215  1736   NtClose  (432, ... ) == 0x0
 03216  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 03217  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03218  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 03219  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03220  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ...
 01119  2012   NtDelayExecution  ... ) == 0x0
 03221  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 01210  1356   NtDelayExecution  ... ) == 0x0
 03222  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 01211   868   NtDelayExecution  ... ) == 0x0
 03223   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0
 03224   868   NtCallbackReturn  (0, 0, 0, ...
 03225   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01212   808   NtDelayExecution  ... ) == 0x0
 01213  2020   NtDelayExecution  ... ) == 0x0
 01214   896   NtDelayExecution  ... ) == 0x0
 01215  1252   NtDelayExecution  ... ) == 0x0
 01216  2016   NtDelayExecution  ... ) == 0x0
 03226   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03227  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03228   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03229  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03230  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03231   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03232   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03233   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03226   808   NtDelayExecution  ... ) == 0x0
 03234   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03227  2020   NtDelayExecution  ... ) == 0x0
 03235  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03228   896   NtDelayExecution  ... ) == 0x0
 03236   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03229  1252   NtDelayExecution  ... ) == 0x0
 03237  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03230  2016   NtDelayExecution  ... ) == 0x0
 03238  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03221  2012   NtDelayExecution  ... ) == 0x0
 03239  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03222  1356   NtDelayExecution  ... ) == 0x0
 03240  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03233   868   NtDelayExecution  ... ) == 0x0
 03241   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03242   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03243   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03244   868   NtDelayExecution  (0, {-20010000, -1}, ...
 02045   588   NtDelayExecution  ... ) == 0x0
 03245   588   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 412, ) == 0x0
 03246   588   NtCallbackReturn  (0, 0, 0, ...
 03247   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03248   588   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03249   588   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03250   588   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03251   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03252   588   NtDelayExecution  (0, {-40000000, -1}, ...
 03234   808   NtDelayExecution  ... ) == 0x0
 03253   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03235  2020   NtDelayExecution  ... ) == 0x0
 03254  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03236   896   NtDelayExecution  ... ) == 0x0
 03255   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03237  1252   NtDelayExecution  ... ) == 0x0
 03256  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03238  2016   NtDelayExecution  ... ) == 0x0
 03257  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03239  2012   NtDelayExecution  ... ) == 0x0
 03258  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03240  1356   NtDelayExecution  ... ) == 0x0
 03259  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03244   868   NtDelayExecution  ... ) == 0x0
 03260   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03261   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03262   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03263   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03220  1736   NtWaitForMultipleObjects  ... ) == 0x0
 03264  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03265  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ...
 03253   808   NtDelayExecution  ... ) == 0x0
 03266   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03254  2020   NtDelayExecution  ... ) == 0x0
 03267  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03255   896   NtDelayExecution  ... ) == 0x0
 03268   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03256  1252   NtDelayExecution  ... ) == 0x0
 03269  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03257  2016   NtDelayExecution  ... ) == 0x0
 03270  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03258  2012   NtDelayExecution  ... ) == 0x0
 03271  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03259  1356   NtDelayExecution  ... ) == 0x0
 03272  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03263   868   NtDelayExecution  ... ) == 0x0
 03273   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03274   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03275   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03276   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03252   588   NtDelayExecution  ... ) == 0x0
 03277   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03278   588   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03279   588   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03280   588   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03281   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03282   588   NtDelayExecution  (0, {-40000000, -1}, ...
 03266   808   NtDelayExecution  ... ) == 0x0
 03283   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03267  2020   NtDelayExecution  ... ) == 0x0
 03284  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03268   896   NtDelayExecution  ... ) == 0x0
 03285   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03269  1252   NtDelayExecution  ... ) == 0x0
 03286  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03270  2016   NtDelayExecution  ... ) == 0x0
 03287  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03271  2012   NtDelayExecution  ... ) == 0x0
 03288  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03272  1356   NtDelayExecution  ... ) == 0x0
 03289  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03276   868   NtDelayExecution  ... ) == 0x0
 03290   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03291   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03292   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03293   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03283   808   NtDelayExecution  ... ) == 0x0
 03294   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03284  2020   NtDelayExecution  ... ) == 0x0
 03295  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03285   896   NtDelayExecution  ... ) == 0x0
 03296   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03286  1252   NtDelayExecution  ... ) == 0x0
 03297  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03287  2016   NtDelayExecution  ... ) == 0x0
 03298  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03288  2012   NtDelayExecution  ... ) == 0x0
 03299  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03289  1356   NtDelayExecution  ... ) == 0x0
 03300  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03293   868   NtDelayExecution  ... ) == 0x0
 03301   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03302   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03303   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03304   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03282   588   NtDelayExecution  ... ) == 0x0
 03305   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03306   588   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03307   588   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03308   588   NtDelayExecution  (0, {-3000000, -1}, ...
 03265  1736   NtWaitForMultipleObjects  ... ) == 0x0
 03309  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03310  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ...
 03294   808   NtDelayExecution  ... ) == 0x0
 03311   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03295  2020   NtDelayExecution  ... ) == 0x0
 03312  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03296   896   NtDelayExecution  ... ) == 0x0
 03313   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03297  1252   NtDelayExecution  ... ) == 0x0
 03314  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03298  2016   NtDelayExecution  ... ) == 0x0
 03315  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03299  2012   NtDelayExecution  ... ) == 0x0
 03316  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03300  1356   NtDelayExecution  ... ) == 0x0
 03317  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03304   868   NtDelayExecution  ... ) == 0x0
 03318   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03308   588   NtDelayExecution  ... ) == 0x0
 03319   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03320   588   NtDelayExecution  (0, {-40000000, -1}, ...
 03321   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03322   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03323   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03311   808   NtDelayExecution  ... ) == 0x0
 03324   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03312  2020   NtDelayExecution  ... ) == 0x0
 03325  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03313   896   NtDelayExecution  ... ) == 0x0
 03326   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03314  1252   NtDelayExecution  ... ) == 0x0
 03327  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03315  2016   NtDelayExecution  ... ) == 0x0
 03328  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03316  2012   NtDelayExecution  ... ) == 0x0
 03329  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03317  1356   NtDelayExecution  ... ) == 0x0
 03330  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03323   868   NtDelayExecution  ... ) == 0x0
 03331   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03332   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03333   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03334   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03320   588   NtDelayExecution  ... ) == 0x0
 03335   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03336   588   NtDelayExecution  (0, {-3000000, -1}, ...
 03324   808   NtDelayExecution  ... ) == 0x0
 03337   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03325  2020   NtDelayExecution  ... ) == 0x0
 03338  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03326   896   NtDelayExecution  ... ) == 0x0
 03339   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03327  1252   NtDelayExecution  ... ) == 0x0
 03340  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03328  2016   NtDelayExecution  ... ) == 0x0
 03341  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03329  2012   NtDelayExecution  ... ) == 0x0
 03342  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03330  1356   NtDelayExecution  ... ) == 0x0
 03343  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03334   868   NtDelayExecution  ... ) == 0x0
 03344   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03345   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03346   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03347   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03336   588   NtDelayExecution  ... ) == 0x0
 03348   588   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03349   588   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03350   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03351   588   NtDelayExecution  (0, {-40000000, -1}, ...
 03337   808   NtDelayExecution  ... ) == 0x0
 03352   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03338  2020   NtDelayExecution  ... ) == 0x0
 03353  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03339   896   NtDelayExecution  ... ) == 0x0
 03354   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03340  1252   NtDelayExecution  ... ) == 0x0
 03355  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03341  2016   NtDelayExecution  ... ) == 0x0
 03356  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03342  2012   NtDelayExecution  ... ) == 0x0
 03357  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03343  1356   NtDelayExecution  ... ) == 0x0
 03358  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03347   868   NtDelayExecution  ... ) == 0x0
 03359   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03360   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03361   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03362   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03310  1736   NtWaitForMultipleObjects  ... ) == 0x0
 03363  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03364  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ...
 03352   808   NtDelayExecution  ... ) == 0x0
 03365   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03353  2020   NtDelayExecution  ... ) == 0x0
 03366  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03354   896   NtDelayExecution  ... ) == 0x0
 03367   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03355  1252   NtDelayExecution  ... ) == 0x0
 03368  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03356  2016   NtDelayExecution  ... ) == 0x0
 03369  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03357  2012   NtDelayExecution  ... ) == 0x0
 03370  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03358  1356   NtDelayExecution  ... ) == 0x0
 03371  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03362   868   NtDelayExecution  ... ) == 0x0
 03372   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03373   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03374   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03375   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03351   588   NtDelayExecution  ... ) == 0x0
 03376   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03377   588   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03378   588   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03379   588   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03380   588   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03381   588   NtDelayExecution  (0, {-40000000, -1}, ...
 03365   808   NtDelayExecution  ... ) == 0x0
 03382   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03366  2020   NtDelayExecution  ... ) == 0x0
 03383  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03367   896   NtDelayExecution  ... ) == 0x0
 03384   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03368  1252   NtDelayExecution  ... ) == 0x0
 03385  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03369  2016   NtDelayExecution  ... ) == 0x0
 03386  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03370  2012   NtDelayExecution  ... ) == 0x0
 03387  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03371  1356   NtDelayExecution  ... ) == 0x0
 03388  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03375   868   NtDelayExecution  ... ) == 0x0
 03389   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03390   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03391   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03392   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03382   808   NtDelayExecution  ... ) == 0x0
 03393   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03383  2020   NtDelayExecution  ... ) == 0x0
 03394  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03384   896   NtDelayExecution  ... ) == 0x0
 03395   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03385  1252   NtDelayExecution  ... ) == 0x0
 03396  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03386  2016   NtDelayExecution  ... ) == 0x0
 03397  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03387  2012   NtDelayExecution  ... ) == 0x0
 03398  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03388  1356   NtDelayExecution  ... ) == 0x0
 03399  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03392   868   NtDelayExecution  ... ) == 0x0
 03400   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03401   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03402   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03403   868   NtDelayExecution  (0, {-20010000, -1}, ...