Summary:





NtConnectPort(>)  1 
NtQueryInformationJobObject(>)  2 
NtUserSetCursorIconData(>)  7 
NtCreateFile(>)  31 


NtCreateProcessEx(>)  1 
NtQueryPerformanceCounter(>)  2 
NtCreateSemaphore(>)  8 
NtContinue(>)  32 


NtDuplicateToken(>)  1 
NtUserCloseWindowStation(>)  2 
NtEnumerateKey(>)  8 
NtUserRegisterClassExWOW(>)  33 


NtGdiCreatePaletteInternal(>)  1 
NtAddAtom(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenSection(>)  35 


NtGdiInit(>)  1 
NtCallbackReturn(>)  3 
NtSetValueKey(>)  8 
NtSetInformationThread(>)  35 


NtGdiQueryFontAssocInfo(>)  1 
NtGdiHfontCreate(>)  3 
NtUserSystemParametersInfo(>)  8 
NtQueryInformationToken(>)  39 


NtNotifyChangeKey(>)  1 
NtOpenDirectoryObject(>)  3 
NtWaitForMultipleObjects(>)  9 
NtRequestWaitReplyPort(>)  40 


NtOpenEvent(>)  1 
NtOpenMutant(>)  3 
NtGdiCreateCompatibleDC(>)  10 
NtQueryInformationProcess(>)  42 


NtOpenKeyedEvent(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtGdiExtGetObjectW(>)  10 
NtCreateEvent(>)  43 


NtOpenProcess(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtQueryInformationFile(>)  11 
NtCreateSection(>)  45 


NtQueryInstallUILanguage(>)  1 
NtReadVirtualMemory(>)  3 
NtUserGetDC(>)  11 
NtUserFindExistingCursorIcon(>)  48 


NtQueryObject(>)  1 
NtReleaseMutant(>)  3 
NtCreateKey(>)  12 
NtQueryDefaultLocale(>)  51 


NtQuerySystemTime(>)  1 
NtSetInformationObject(>)  3 
NtQueryDefaultUILanguage(>)  12 
NtFreeVirtualMemory(>)  54 


NtQueryTimerResolution(>)  1 
NtDuplicateObject(>)  4 
NtGdiDeleteObjectApp(>)  14 
NtGdiSelectBitmap(>)  57 


NtRaiseException(>)  1 
NtCreateMutant(>)  5 
NtQueryDebugFilterState(>)  14 
NtOpenFile(>)  61 


NtSecureConnectPort(>)  1 
NtWriteVirtualMemory(>)  5 
NtUserSelectPalette(>)  14 
NtUnmapViewOfSection(>)  64 


NtUserCallNoParam(>)  1 
NtQueryVolumeInformationFile(>)  6 
NtQuerySection(>)  19 
NtQueryVirtualMemory(>)  67 


NtUserEnumDisplayMonitors(>)  1 
NtSetInformationFile(>)  6 
NtUserCallOneParam(>)  19 
NtUserFindWindowEx(>)  70 


NtUserGetForegroundWindow(>)  1 
NtUserRegisterWindowMessage(>)  6 
NtDeviceIoControlFile(>)  22 
NtQueryAttributesFile(>)  75 


NtUserGetKeyboardLayoutList(>)  1 
NtFsControlFile(>)  7 
NtReadFile(>)  24 
NtSetEvent(>)  86 


NtUserGetObjectInformation(>)  1 
NtGdiBitBlt(>)  7 
NtQueryInformationThread(>)  25 
NtQuerySystemInformation(>)  91 


NtUserGetProcessWindowStation(>)  1 
NtGdiCreateDIBitmapInternal(>)  7 
NtSetInformationProcess(>)  25 
NtMapViewOfSection(>)  102 


NtUserGetThreadDesktop(>)  1 
NtGdiGetDCObject(>)  7 
NtCreateThread(>)  26 
NtWaitForSingleObject(>)  110 


NtUserOpenWindowStation(>)  1 
NtGdiGetDCforBitmap(>)  7 
NtRegisterThreadTerminatePort(>)  26 
NtFlushInstructionCache(>)  120 


NtUserQueryWindow(>)  1 
NtGdiGetStockObject(>)  7 
NtTestAlert(>)  26 
NtOpenKey(>)  189 


NtUserSetWindowsHookEx(>)  1 
NtGdiRestoreDC(>)  7 
NtResumeThread(>)  27 
NtQueryValueKey(>)  205 


NtUserValidateHandleSecure(>)  1 
NtGdiSaveDC(>)  7 
NtOpenProcessTokenEx(>)  30 
NtAllocateVirtualMemory(>)  228 


NtAccessCheck(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtOpenThreadTokenEx(>)  30 
NtProtectVirtualMemory(>)  274 


NtCreateIoCompletion(>)  2 
NtOpenProcessToken(>)  7 
NtQueryDirectoryFile(>)  30 
NtClose(>)  287 


NtGdiCreateSolidBrush(>)  2 
NtOpenThreadToken(>)  7 
NtWriteFile(>)  30 
NtDelayExecution(>)  341 





Trace:

 00001  1736   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1736   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1736   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1736   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1736   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1736   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1736   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1736   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1736   NtClose  (12, ... ) == 0x0
 00015  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1736   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1736   NtClose  (16, ... ) == 0x0
 00021  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1736   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1736   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1736   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1736   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1736   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1736   NtClose  (16, ... ) == 0x0
 00030  1736   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1736   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1736   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1736   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75469, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75469, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1736   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1736   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1736   NtClose  (16, ... ) == 0x0
 00041  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1736   NtClose  (16, ... ) == 0x0
 00044  1736   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1736   NtClose  (16, ... ) == 0x0
 00048  1736   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1736   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1736   NtClose  (16, ... ) == 0x0
 00052  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1736   NtClose  (16, ... ) == 0x0
 00055  1736   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1736   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1736   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1636, 1736, 75470, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1636, 1736, 75470, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75471, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75471, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1736   NtProtectVirtualMemory  (-1, (0x512000), 4096, 4, ... (0x512000), 4096, 8, ) == 0x0
 00062  1736   NtProtectVirtualMemory  (-1, (0x512000), 4096, 8, ... (0x512000), 4096, 4, ) == 0x0
 00063  1736   NtFlushInstructionCache  (-1, 5316608, 4096, ... ) == 0x0
 00064  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00065  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00066  1736   NtClose  (16, ... ) == 0x0
 00067  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00068  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00069  1736   NtClose  (16, ... ) == 0x0
 00070  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00071  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00072  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00073  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00074  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00075  1736   NtClose  (16, ... ) == 0x0
 00076  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00077  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00078  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00079  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00080  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00081  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00082  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00083  1736   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00084  1736   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00085  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00086  1736   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00087  1736   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00088  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00089  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00090  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00091  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00092  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00093  1736   NtClose  (16, ... ) == 0x0
 00094  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00095  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00096  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00097  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00098  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00099  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00100  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00101  1736   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00102  1736   NtClose  (16, ... ) == 0x0
 00103  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00104  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00105  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00106  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00107  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00108  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00109  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00110  1736   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00111  1736   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00112  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00113  1736   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00114  1736   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00115  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00116  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00117  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00118  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00119  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00120  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00121  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00122  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00123  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00124  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00125  1736   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00126  1736   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00127  1736   NtProtectVirtualMemory  (-1, (0x512000), 4096, 4, ... (0x512000), 4096, 4, ) == 0x0
 00128  1736   NtProtectVirtualMemory  (-1, (0x512000), 4096, 4, ... (0x512000), 4096, 4, ) == 0x0
 00129  1736   NtFlushInstructionCache  (-1, 5316608, 4096, ... ) == 0x0
 00130  1736   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00131  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00132  1736   NtReadFile  (16, 0, 0, 0, 4, {718294, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {718294, 0}, 0, ... {status=0x0, info=4}, "\226\315\213\0", ) , ) == 0x0
 00133  1736   NtClose  (16, ... ) == 0x0
 00134  1736   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00135  1736   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00136  1736   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00137  1736   NtClose  (16, ... ) == 0x0
 00138  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00139  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00140  1736   NtClose  (16, ... ) == 0x0
 00141  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00142  1736   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00143  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00144  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00145  1736   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00146  1736   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00147  1736   NtClose  (16, ... ) == 0x0
 00148  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00149  1736   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00150  1736   NtClose  (16, ... ) == 0x0
 00151  1736   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00152  1736   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00153  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00154  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00155  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00156  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044}  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} "\210\6$\1\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75472, 0}  (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} "\210\6$\1\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75472, 0} "\320G\26\0\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00157  1736   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00158  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00159  1736   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160  1736   NtClose  (28, ... ) == 0x0
 00161  1736   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00162  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00163  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00164  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00165  1736   NtClose  (28, ... ) == 0x0
 00166  1736   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x610000), 0x0, 110592, ) == 0x0
 00167  1736   NtClose  (32, ... ) == 0x0
 00168  1736   NtUnmapViewOfSection  (-1, 0x610000, ... ) == 0x0
 00169  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00170  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00171  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00172  1736   NtClose  (32, ... ) == 0x0
 00173  1736   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x610000), 0x0, 110592, ) == 0x0
 00174  1736   NtClose  (28, ... ) == 0x0
 00175  1736   NtUnmapViewOfSection  (-1, 0x610000, ... ) == 0x0
 00176  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00177  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00178  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00179  1736   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00180  1736   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00181  1736   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00182  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00183  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00184  1736   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00185  1736   NtClose  (40, ... ) == 0x0
 00186  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00187  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00188  1736   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00189  1736   NtClose  (40, ... ) == 0x0
 00190  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00191  1736   NtClose  (36, ... ) == 0x0
 00192  1736   NtClose  (28, ... ) == 0x0
 00193  1736   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00194  1736   NtClose  (32, ... ) == 0x0
 00195  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00196  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00197  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00198  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00199  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00200  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00201  1736   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00202  1736   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00203  1736   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00204  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00206  1736   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00207  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00208  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00210  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00211  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00212  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00213  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00214  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00215  1736   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216  1736   NtClose  (32, ... ) == 0x0
 00217  1736   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x610000), 0x0, 1060864, ) == 0x0
 00218  1736   NtClose  (-2147482576, ... ) == 0x0
 00219  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00220  1736   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00221  1736   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00222  1736   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00223  1736   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00224  1736   NtClose  (-2147482576, ... ) == 0x0
 00225  1736   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00226  1736   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00227  1736   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00228  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00229  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230  1736   NtClose  (-2147482576, ... ) == 0x0
 00231  1736   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00232  1736   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233  1736   NtClose  (-2147482576, ... ) == 0x0
 00234  1736   NtQueryDefaultLocale  (0, -139347636, ... ) == 0x0
 00235  1736   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00236  1736   NtUserCallNoParam  (24, ... ) == 0x0
 00237  1736   NtGdiCreateCompatibleDC  (0, ...
 00238  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00237  1736   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00239  1736   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00240  1736   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00241  1736   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00242  1736   NtGdiCreateSolidBrush  (0, 0, ...
 00243  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 10616832, 4096, ) == 0x0
 00242  1736   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00244  1736   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00245  1736   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00246  1736   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00247  1736   NtUserGetThreadDesktop  (1736, 0, ... ) == 0x24
 00248  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00249  1736   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00250  1736   NtClose  (44, ... ) == 0x0
 00251  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00252  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8173c017
 00253  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00254  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8173c01c
 00255  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00256  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8173c01e
 00257  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00258  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81738002
 00259  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00260  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8173c018
 00261  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00262  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8173c01a
 00263  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00264  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8173c01d
 00265  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00266  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8173c026
 00267  1736   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00268  1736   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8173c019
 00269  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c020
 00270  1736   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8173c022
 00271  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c023
 00272  1736   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8173c024
 00273  1736   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8173c025
 00274  1736   NtCallbackReturn  (0, 0, 0, ...
 00275  1736   NtGdiInit  (... ) == 0x1
 00276  1736   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00277  1736   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00278  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00279  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10682368, 65536, ) == 0x0
 00280  1736   NtAllocateVirtualMemory  (-1, 10682368, 0, 4096, 4096, 4, ... 10682368, 4096, ) == 0x0
 00281  1736   NtAllocateVirtualMemory  (-1, 10686464, 0, 8192, 4096, 4, ... 10686464, 8192, ) == 0x0
 00282  1736   NtAllocateVirtualMemory  (-1, 10694656, 0, 4096, 4096, 4, ... 10694656, 4096, ) == 0x0
 00283  1736   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00284  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 12288, ) == 0x0
 00285  1736   NtClose  (44, ... ) == 0x0
 00286  1736   NtAllocateVirtualMemory  (-1, 10698752, 0, 4096, 4096, 4, ... 10698752, 4096, ) == 0x0
 00287  1736   NtQueryDefaultUILanguage  (1241688, ...
 00288  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00289  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00290  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00291  1736   NtClose  (-2147482576, ... ) == 0x0
 00292  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00293  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00294  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00295  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296  1736   NtClose  (-2147481400, ... ) == 0x0
 00297  1736   NtClose  (-2147482576, ... ) == 0x0
 00287  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 00298  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll"}, 1, 96, ... 44, {status=0x0, info=1}, ) }, 1, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00299  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 44, ... 48, ) == 0x0
 00300  1736   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa50000), 0x0, 618496, ) == 0x0
 00301  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302  1736   NtQueryDefaultUILanguage  (2090319928, ...
 00303  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00304  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00305  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00306  1736   NtClose  (-2147482576, ... ) == 0x0
 00307  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00308  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00310  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311  1736   NtClose  (-2147481400, ... ) == 0x0
 00312  1736   NtClose  (-2147482576, ... ) == 0x0
 00302  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 00313  1736   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00314  1736   NtQueryDefaultLocale  (1, 1239784, ... ) == 0x0
 00315  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544}  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1,\0\0\0\377\377\377\377\0\0\0\0\340q\254\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75480, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1,\0\0\0\377\377\377\377\0\0\0\0\340q\254\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75480, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1,\0\0\0\377\377\377\377\0\0\0\0\340q\254\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75480, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1,\0\0\0\377\377\377\377\0\0\0\0\340q\254\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" )  ) == 0x0
 00317  1736   NtClose  (44, ... ) == 0x0
 00318  1736   NtClose  (48, ... ) == 0x0
 00319  1736   NtUnmapViewOfSection  (-1, 0xa50000, ... ) == 0x0
 00320  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00321  1736   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1636, 0}, ... 48, ) == 0x0
 00322  1736   NtQueryInformationProcess  (48, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00323  1736   NtClose  (48, ... ) == 0x0
 00324  1736   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00325  1736   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 00326  1736   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 00327  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00328  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00329  1736   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00330  1736   NtClose  (48, ... ) == 0x0
 00331  1736   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 48, ) }, ... 48, ) == 0x0
 00332  1736   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00333  1736   NtAccessCheck  (1329168, 44, 0x1, 1242880, 1242932, 56, 1242912, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00334  1736   NtClose  (44, ... ) == 0x0
 00335  1736   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Control Panel\Desktop"}, ... 44, ) }, ... 44, ) == 0x0
 00336  1736   NtQueryValueKey  (44,  (44, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00337  1736   NtClose  (44, ... ) == 0x0
 00338  1736   NtUserSystemParametersInfo  (41, 500, 1243060, 0, ... ) == 0x1
 00339  1736   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 00340  1736   NtClose  (48, ... ) == 0x0
 00341  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00342  1736   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00343  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03b
 00344  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03d
 00345  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00346  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c03f
 00347  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00348  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c041
 00349  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00350  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c043
 00351  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c045
 00352  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00353  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c047
 00354  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00355  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c049
 00356  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00357  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04b
 00358  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00359  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04d
 00360  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00361  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c04f
 00362  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c051
 00363  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00364  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c053
 00365  1736   NtUserFindExistingCursorIcon  (1242808, 1242824, 1242872, ... ) == 0x10011
 00366  1736   NtUserRegisterClassExWOW  (1242752, 1242820, 1242836, 1242852, 0, 384, 0, ... ) == 0x8173c055
 00367  1736   NtUserFindExistingCursorIcon  (1242808, 1242824, 1242872, ... ) == 0x10011
 00368  1736   NtUserRegisterClassExWOW  (1242752, 1242820, 1242836, 1242852, 0, 384, 0, ... ) == 0x8173c057
 00369  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00370  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c059
 00371  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10013
 00372  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05b
 00373  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00374  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05d
 00375  1736   NtUserFindExistingCursorIcon  (1242812, 1242828, 1242876, ... ) == 0x10011
 00376  1736   NtUserRegisterClassExWOW  (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8173c05f
 00377  1736   NtTestAlert  (... ) == 0x0
 00378  1736   NtContinue  (1244464, 1, ...
 00379  1736   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x60e000,}, 4, ... ) == 0x0
 00380  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00381  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00382  1736   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00383  1736   NtClose  (48, ... ) == 0x0
 00384  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 48, ) }, ... 48, ) == 0x0
 00385  1736   NtSetInformationObject  (48, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00386  1736   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 44, ) }, ... 44, ) == 0x0
 00387  1736   NtQueryValueKey  (44,  (44, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00388  1736   NtClose  (44, ... ) == 0x0
 00389  1736   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00390  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 44, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 44, {status=0x0, info=1}, ) == 0x0
 00391  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp"}, 1233816, ... ) }, 1233816, ... ) == 0x0
 00392  1736   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893}  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\0\0\0\0/2\0\0\2\0\0\0" ... {20, 48, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\2\0\1\0\3\0\0\0/2\0\0\3\0\0\0" )  ... {20, 48, reply, 0, 1636, 1736, 75481, 0}  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\0\0\0\0/2\0\0\2\0\0\0" ... {20, 48, reply, 0, 1636, 1736, 75481, 0} "\0\0\0\0\2\0\1\0\3\0\0\0/2\0\0\3\0\0\0" )  ) == 0x0
 00393  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233824,  (0x80100080, {24, 0, 0x40, 0, 1233824, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00394  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00395  1736   NtClose  (-2147482576, ... ) == 0x0
 00396  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00397  1736   NtClose  (-2147482576, ... ) == 0x0
 00398  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00399  1736   NtClose  (-2147482576, ... ) == 0x0
 00393  1736   NtCreateFile  ... 52, {status=0x0, info=2}, ) == 0x0
 00400  1736   NtClose  (52, ... ) == 0x0
 00401  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00402  1736   NtClose  (-2147482576, ... ) == 0x0
 00403  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00404  1736   NtClose  (-2147482576, ... ) == 0x0
 00405  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00406  1736   NtClose  (-2147482576, ... ) == 0x0
 00407  1736   NtQueryDirectoryFile  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1,  (-2147482576, 0, 0, 0, -519716864, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00408  1736   NtClose  (-2147482576, ... ) == 0x0
 00401  1736   NtCreateFile  ... 52, {status=0x0, info=3}, ) == 0x0
 00409  1736   NtSetInformationFile  (44, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00410  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\333\227\333\0\224\315\213\0\222\315\204\0i2\213\0.\315\213\0\226\315\213\0\326\315\221\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\317\213\0,\335\213\16\211y\202\315\267u\212L[\354\33\220\302\245\342s\266\275\371o\361\277\352m\266\240\376s\342\355\351e\266\277\376n\266\270\345d\363\277\253W\377\243\2702\233\307\2577\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0\226\315\213\0", ) , ) == 0x0
 00411  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... , 10240, 0x0, 0, ...
 00412  1736   NtContinue  (-139350572, 0, ...
 00411  1736   NtWriteFile  ... {status=0x0, info=10240}, ) == 0x0
 00413  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\303\305\275\34\371\361\306E\371\277\362,6\240\352\10\246\316\12\7^\5\355\331\364\15\312\304^\216C<\224\201\371\334~<\341D\374\255\332\271\222\326\367\377\260\17\323}\23b\205D\315eC\270\36\234\364\300\360F\333\1\306[\340g\367\317\313\315\352\362\212\2(\211\246\32\25\17\216Rc\370\332\21\34\24\270e\266}!K\350\245\310,~oY\305\225\364c\353\310\232W\200\221J\13\302A\306\374C\272\334\251\301\207\315\201^\313\261\2058\333\R1\313\326\235\31\6]S\225-\177\333\12:\332\0Q\331\305\357\203\6\311\203#Z\37\247\210\246\13\360\22\327\303j\311n\213\243Ir\373\220\37\222\2{fF1?3\220\16j\15\247Os4H\241\311\266\306\251{X\250\373Y R\377\314W^IC\257\332\343\372P\177\211\213(\227\21\13\24\25\367\241\12\346\310\216\34\375f]\12~\235Y<\260\275%\10\300\271\376\310\323K\236\212K\0g\10P\315\354)\25\364s\251m\351A\232\324\216\262R\214\215\334\344\6\373\272\15\35\214\277\324?dF\\337\330\216-Z\351\23\365\326\300\331\314\306^\13\221;_e\334\17\34\257\3703\260\336uVF\326\304]\224\35\357\32\16#\306:}?F\306\303j\224\256\5\330\1\10e\274\225\260\31\243\217%~N\223`\367\254\2507\3155m\371\365\10x\316\240\273\213"F\301X\273\351\214\220\351\5\253^\217.\240\227\2022t\12\272\265\267\231\267\325\357\360B\\363]\253\343(\261B\250l\354\227\26\207p\234\23xP\361\256C\266\210\217\250\350\357%\2005\377{o&r\225\204\11K\20\273\2\224\255\313\3\4\205#\211\324\225\2602\262\226l\324B\236(\17\22\3349\1z\322:\22\362\205C\324\221\11\321\274\363dl$\235\306\220a\20\1\15[:=V\17", ) F\301X\273\351\214\220\351\5\253^\217.\240\227\2022t\12\272\265\267\231\267\325\357\360B\\363]\253\343(\261B\250l\354\227\26\207p\234\23xP\361\256C\266\210\217\250\350\357%\2005\377{o&r\225\204\11K\20\273\2\224\255\313\3\4\205#\211\324\225\2602\262\226l\324B\236(\17\22\3349\1z\322:\22\362\205C\324\221\11\321\274\363dl$\235\306\220a\20\1\15[:=V\17", ) == 0x0
 00414  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00415  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "A\17\200X.\337\236w\247\307\207HE\200H\30\334[\307\340\303h9H\226f\31\345&H<}\216\211\313\221s]\356Z\362\221\323Y\230\226\21\0\304\206\350T\306\251\262d\215\257\2376\362\255\32\345\6\250\341!\372\245\332\226\325[\371\14\342\275\247\35_\255@z\352\370\363@\274L\23C\206\261\221\301\351H\37\235\15\255\354\208\2750\363\257f\335%\204E\2079\275I\233\274\221F\159\14\214\7\14\36\242\313\323i:\241\276\276G\314\10\254\35\3779`\21303<\204^\256\16\21\334\4o\241\316]!\311\3154e\213\224\306 \217\237\2708!\237\5\232\203\216>\222Z\301V\246\273)\310|K\266\366\223\306\13K\326\225H\13\4J\336?\235\275Hk9\340`\221*)C\257\242\5\212\367\227\343s\27r\213\352l\345J\345\31rN\330T\344\270\356\1\270\316\3\4\3718\272\322\34\235\235D\206\317\274\304\23\263\0w\255\374B\212\336\216\317\10j2\311\267\311\315\203\215\343\302\0|\236\312\272\300\34\303\260Jj\270<~7\226\5\\234?\227\16`\16T\237\337\270io\315fz\371\201\215\257\16\227\364s~Kh\354\5\273\11\260\200\256\352\204M\222\226p\302\344)\16\257\371z4\202\342b\2\321\237\254\200\212\321G\241\201f\237e\356w2T\177MG\323c\2G\325\12\23\226\330o\372\261\225\13\200\325\4\36\233\364\177\355\2333\323\32\26*T9]1<\0\331\334\223\33\343!f\355\240\317: \1&C?\26(T: \15f\355\214&i\35\34\241\221\221\372\325\311\305\42I\11n*\300ufB(:\35\3628\4\26\362\216\266\313n\214\203G\202\212\267\231?t\255, ) , ) == 0x0
 00416  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00417  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\0&v\265\26\32'f\305D\16\6\200M\1\265\341\13\16\227\351\303\374\21\360r?\22\303\301\356\211\237m\322\6%\12\352\35\246q\227\210"\266\24\240\34@\36>\234\315?\274\361\343\314\263\347\347K0\217\224\204\227\12\211\316\22o\324\271\37Z\277t\236\227\217\310\13I\35\244\275\23zt\365\226\330\364\303\237\257\361\303\305\331"\321MM5\36A\316\13\336O \2008G\207&\277M\272\254\253)`\12\213\306\374\266`Kv\13\331G\336\373\201\234\316v\243\253Ji\246Lo1Q\221\375\214\263\265\247\2\234\215\11\32\22\306sB1\333\13{\243{\233\31XS\373\353\221\351_\350\245M\35t\25\217\254!\376\224\313{\5\317\6\5\202+H\377\273\340gN\360l\34\360\360j\253\364\203K+\266B\307\177\364F\7\233\240\264\235;\326\273\24\214Cj\200\344\0\255\235\267/\272\354\250\207\206\272\2678\215\277C\310\252\365\2678\277\354\255\2051*\304\210\221\26\260w\315\303\37\341\227\301+\346WP\213\233\236\267\215\243\215\317\245,S\12\335\272<\374\235z`\17\233\360\307@\31`\25\333\237\310r\221\31\2466~\304Xf&\227\30\312m a^~\233\35\245\4\337\17\1G\220\0\21!\223\1T\275R\224\303H^\251\314y\204\315J\240\271\3033\177\15#;\217\322\353;\316\376\341\233S\353\274\334\247\332\224\213w\26H\260\270:\252\260\200`\2\324\301\33\230W\343O\7\211\326\25\236\351\251\16\227\321\312\340\366Z\351\364\325G\231\20b\227-\266\220\304\344\21n='\0\216-\217U\270\304\242*\237\311,\26\236\235\347\253*9\230\4]E\254\247\324\313\241H~Ux9O\203>jc\313{\354x\246\331\321E\215s\234T\317\277\0\305\272\365\350\351\275\340\330:\335\224\322n\230\3268", ) \266\24\240\34@\36>\234\315?\274\361\343\314\263\347\347K0\217\224\204\227\12\211\316\22o\324\271\37Z\277t\236\227\217\310\13I\35\244\275\23zt\365\226\330\364\303\237\257\361\303\305\331 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\0&v\265\26\32'f\305D\16\6\200M\1\265\341\13\16\227\351\303\374\21\360r?\22\303\301\356\211\237m\322\6%\12\352\35\246q\227\210"\266\24\240\34@\36>\234\315?\274\361\343\314\263\347\347K0\217\224\204\227\12\211\316\22o\324\271\37Z\277t\236\227\217\310\13I\35\244\275\23zt\365\226\330\364\303\237\257\361\303\305\331"\321MM5\36A\316\13\336O \2008G\207&\277M\272\254\253)`\12\213\306\374\266`Kv\13\331G\336\373\201\234\316v\243\253Ji\246Lo1Q\221\375\214\263\265\247\2\234\215\11\32\22\306sB1\333\13{\243{\233\31XS\373\353\221\351_\350\245M\35t\25\217\254!\376\224\313{\5\317\6\5\202+H\377\273\340gN\360l\34\360\360j\253\364\203K+\266B\307\177\364F\7\233\240\264\235;\326\273\24\214Cj\200\344\0\255\235\267/\272\354\250\207\206\272\2678\215\277C\310\252\365\2678\277\354\255\2051*\304\210\221\26\260w\315\303\37\341\227\301+\346WP\213\233\236\267\215\243\215\317\245,S\12\335\272<\374\235z`\17\233\360\307@\31`\25\333\237\310r\221\31\2466~\304Xf&\227\30\312m a^~\233\35\245\4\337\17\1G\220\0\21!\223\1T\275R\224\303H^\251\314y\204\315J\240\271\3033\177\15#;\217\322\353;\316\376\341\233S\353\274\334\247\332\224\213w\26H\260\270:\252\260\200`\2\324\301\33\230W\343O\7\211\326\25\236\351\251\16\227\321\312\340\366Z\351\364\325G\231\20b\227-\266\220\304\344\21n='\0\216-\217U\270\304\242*\237\311,\26\236\235\347\253*9\230\4]E\254\247\324\313\241H~Ux9O\203>jc\313{\354x\246\331\321E\215s\234T\317\277\0\305\272\365\350\351\275\340\330:\335\224\322n\230\3268", ) , ) == 0x0
 00418  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (52, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00419  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\211\242I#\267\335K\11.\341Y\345\362\302"y\360\17\12\307\326\257\220\341\210\357\11|\227\305\11.\316\333\236&\265fc{\327\177H\270\230\3013%\327qZ\273\37\225\255w@@\373\30\201u:\263Q\307\2\34_\337\366\314\320w\200 \236\233\20\301\0eQ\233\373\300m{\32\315eYL\247\227\334J\345\214\361\343\30&\210\224\311L]\226s\252\264p%\232x\254\253\224a&\5\353\315b\320w\252\303_\241\262<\315\336\315\350Z\263\322\243\273\256_\342\322\334\307\230\306\211C\263\345\218}\314d\3054\356\345\5&\4\375Yz\240\206P\270\220g\271\341\201\363\353\253|1\370\206\271\202FJ\325\345\303\236k\254\25J\323\203D\351Uf\242\365\355>\347V\2152\14\245\214^\222\352\3145v\36\354\140"\3\373\302\217\4\302q\301\236\260\370%\222\237\237\343\204/;\323M\376>\362\240SC\302\273\277J\302\16\3=\226\307a\4&\367\253m\254\2440\303\360\4\343*\240\324^\241fB\243\30\243} \366\244\25\357$\10\244\206X\241\17\254h\32\376P\265\215Mg0\241\4\177\246\217\306\35, ) y\360\17\12\307\326\257\220\341\210\357\11|\227\305\11.\316\333\236&\265fc{\327\177H\270\230\3013%\327qZ\273\37\225\255w@@\373\30\201u:\263Q\307\2\34_\337\366\314\320w\200 \236\233\20\301\0eQ\233\373\300m{\32\315eYL\247\227\334J\345\214\361\343\30&\210\224\311L]\226s\252\264p%\232x\254\253\224a&\5\353\315b\320w\252\303_\241\262<\315\336\315\350Z\263\322\243\273\256_\342\322\334\307\230\306\211C\263\345\218}\314d\3054\356\345\5&\4\375Yz\240\206P\270\220g\271\341\201\363\353\253|1\370\206\271\202FJ\325\345\303\236k\254\25J\323\203D\351Uf\242\365\355>\347V\2152\14\245\214^\222\352\3145v\36\354\140 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\211\242I#\267\335K\11.\341Y\345\362\302"y\360\17\12\307\326\257\220\341\210\357\11|\227\305\11.\316\333\236&\265fc{\327\177H\270\230\3013%\327qZ\273\37\225\255w@@\373\30\201u:\263Q\307\2\34_\337\366\314\320w\200 \236\233\20\301\0eQ\233\373\300m{\32\315eYL\247\227\334J\345\214\361\343\30&\210\224\311L]\226s\252\264p%\232x\254\253\224a&\5\353\315b\320w\252\303_\241\262<\315\336\315\350Z\263\322\243\273\256_\342\322\334\307\230\306\211C\263\345\218}\314d\3054\356\345\5&\4\375Yz\240\206P\270\220g\271\341\201\363\353\253|1\370\206\271\202FJ\325\345\303\236k\254\25J\323\203D\351Uf\242\365\355>\347V\2152\14\245\214^\222\352\3145v\36\354\140"\3\373\302\217\4\302q\301\236\260\370%\222\237\237\343\204/;\323M\376>\362\240SC\302\273\277J\302\16\3=\226\307a\4&\367\253m\254\2440\303\360\4\343*\240\324^\241fB\243\30\243} \366\244\25\357$\10\244\206X\241\17\254h\32\376P\265\215Mg0\241\4\177\246\217\306\35, ) , ) == 0x0
 00420  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00421  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\244S\333\20Q\355\313\12$\205\267\350H\306\335\34\236\340\256\14\242\37\212\324]\352\177\377\26\2202A\264C\20\275I\205\200\250I\353y+Q\223\331 \212\6u\342\324x[R\12\323\0\373\6\242`\22\315\332\205\332\3602\235-\222\2526Ky\366`J\375W\240U\342\225\274W\240\355\354\22\225\351\256\21e\371\252%9Y\13\341\323\35\326N\14B\356\377r\352\362\336\204\277\5\252\23\334\377%\240\5\352\267t\212\15\312x\257{\330\334\313\347\25\225\346\333j\20\215fu\310z\21[\203\11\257\1\23TB\325\14k2t\2258A\21\273\203\344\11%k\342\237N)\307\223\257\241\356\206\337\245\220\3Y\315\333\13\365\335\253k\207\323\25\2120\355c\13\355\222\221\3\334\220\12x\202\11\321\357\270\365\365\23\303\353*'\332{\340'\341\251\337\317\304\313\233S\312\251\300c\35\320rJ\256\346\347\260A\\221\304\235\303Y \303\370\347\24\231\322%\32\202\263S;\305\351#\345Pl)]\223Z\310\30\30\11f\200c\201'#FD\251\306\325\312\16\373]\376b\1G\11\241e\226\214\17\12\300i\340\337\3502\230\211\222\13\313,\226\316\256@\373\371\211\324\5\341\355\210\13\245\357\242\222\34\360~\266-\232\360\351\361l:\314e\361\237`\210\377\371\232\26\306\21\215\327G-\242\35\365\4\371&\247\215\3226\215\205D\260\211\300\275\311\230\353]\233)j\303\320\225\14\342\303\217\217/\200\246\27\206\346I\263\243\272\374\4\350\313S\344^\346A\15\240\257\247>\35\302\326\20\342\320?\205\6\2141\0Ou\133\317"I\342h\232\312\36\242H\346\200M\366\342t\217=\207P\213\377\202'X\365B;\246M\327\310\226y\273\366\267m\3700%\302\3\4*\340\7\204\241\236\263\27\37\235\263\221\27g\32&$\316\237\275", ) I\342h\232\312\36\242H\346\200M\366\342t\217=\207P\213\377\202'X\365B;\246M\327\310\226y\273\366\267m\3700%\302\3\4*\340\7\204\241\236\263\27\37\235\263\221\27g\32&$\316\237\275", ) == 0x0
 00422  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (52, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00423  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\224>SH\343g!\277^\214\251\210KN\6\327\305\222;\337\201\15Cd\204\224\243`\300\310?a\215\3376\377\200\35h'.\227\262\212\332\314t\200\177\307\5\375L\2273\4\225R\301\215\260\251\277?\2218\6I\326\207\376\336\311\277 \14J\242\211\25\346\301yLu\304\361\4Q\263*\4\211\220\303\354\236/\311n\235\177\212\12|\4\205I\241\373H\3\224EB\26f\32336\312\35\2620\3529\275\213*\366\24\220\34\324\330\32\322\200v\37229\30\307\31\337\231D\204\200\250<\26\236\237C\227w\33j\6\252\30&\37\36\312"\350\336~C\236\255\207t\215\340t\257\222O\344\272\204L\310\4\34\235\314\351\337\343H\35}\274\204\270nJ\267\344\65sC\2225C\0\344\350s\370\363\15hMn\2772k\262\310\16\344\260]8<\341\301\1\343`uO\224\366\215JpMFJ \352\215O\30r\353Z7\262\364 \362\216V\1S\321J\205\16\226i\207\353\257?\236H\223~\211(\236N\331\362\223\317\254\350\212G\324R\327}2h\342\273C\246\24\14\3m\6t\343\214P\347\312\24\336\36\30Tf\10c0\375\317\213\311\205\4\254\357\224\345\204a\220\3356o\226\202\323a\307\34\351H\206\352 \360\246Y\357\24\252\315\315`U\345\303`\261\325\272\30", ) \211\220\303\354\236/\311n\235\177\212\12|\4\205I\241\373H\3\224EB\26f\32336\312\35\2620\3529\275\213*\366\24\220\34\324\330\32\322\200v\37229\30\307\31\337\231D\204\200\250<\26\236\237C\227w\33j\6\252\30&\37\36\312 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\224>SH\343g!\277^\214\251\210KN\6\327\305\222;\337\201\15Cd\204\224\243`\300\310?a\215\3376\377\200\35h'.\227\262\212\332\314t\200\177\307\5\375L\2273\4\225R\301\215\260\251\277?\2218\6I\326\207\376\336\311\277 \14J\242\211\25\346\301yLu\304\361\4Q\263*\4\211\220\303\354\236/\311n\235\177\212\12|\4\205I\241\373H\3\224EB\26f\32336\312\35\2620\3529\275\213*\366\24\220\34\324\330\32\322\200v\37229\30\307\31\337\231D\204\200\250<\26\236\237C\227w\33j\6\252\30&\37\36\312"\350\336~C\236\255\207t\215\340t\257\222O\344\272\204L\310\4\34\235\314\351\337\343H\35}\274\204\270nJ\267\344\65sC\2225C\0\344\350s\370\363\15hMn\2772k\262\310\16\344\260]8<\341\301\1\343`uO\224\366\215JpMFJ \352\215O\30r\353Z7\262\364 \362\216V\1S\321J\205\16\226i\207\353\257?\236H\223~\211(\236N\331\362\223\317\254\350\212G\324R\327}2h\342\273C\246\24\14\3m\6t\343\214P\347\312\24\336\36\30Tf\10c0\375\317\213\311\205\4\254\357\224\345\204a\220\3356o\226\202\323a\307\34\351H\206\352 \360\246Y\357\24\252\315\315`U\345\303`\261\325\272\30", ) , ) == 0x0
 00424  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (52, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (52, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (52, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00425  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\356\255\245\230\335\203\344\374\201?\244{\335\336\303S\346\241\342t\300aj,\267\222\306\4\377\235rb\351\224\14S\307\201\334a\276\256\217\205\26H\216\323"\352\211\366\206\200\213\227\222\312\277 \367vG\327\315\305\274\260\315:\20\0\241\257\240z\225\336\270\25$\351\274\12\15\200;\17\225\342\250\340\226\232\0\326\337\331\267\0\376\262\303S\337\211\212\340\233\265R\220\24/f\353\206\354@I,5\323\305\227/\350\262\245\305\22\260\244\261\310\214\202\17\325}\33\236\212\271\227\216\312\202\34\336\251|\343\315\260\200\217O\305`L\330\3\267\225-\203*\223l\202\12\256\310\262\327<\375\11\216\340\242\204\271\273\250\264\2424y\266\215\200D"(\206q\226 \5\314\37<#\314OuiM\237\6\203\360\13X\206*\262\242\303\363\211\201\212\315\354\307\264m\214\25t\303\243h_~'\221\231\234\200\5V\336\361r\371\326)\362b\366\363\4\2722\210\24\255\233\203I\302\336\1|]\312\227\325:\257>\252\222\31\7\325\223\327\377\364\6\342#\11\3516s\207\374\304\332-\216G\3;>\316\34\200\2\224\11'\322\242[\4\33\200s\346\26\255J\11~\354\203\313\265\302 \252\201\266\37q\16\306\251X\222\204\204\2445M\205\10\243\327\316\22\264\372=\24\302~\350\33\353$\237qZu\211\0\12\335\204\377Z\3356\2\250\200\303u\233\230\16"`0\3228}\3605\16R\3618 \226\11`&>\\224*\376\330~\205\222]\213|\323\272\241\12\374\317<\252!`)GJ3\376GQ\227\212\3\224\257\357\236\272\69l\223\301\207\20\206\3319,]\177\237\30\216\355\253\313$\341@$\262\345\243,\272\331\20\0\364\32z\202\306\214\7\355\302\315 S\2318\3f\307r\300\242\265\227\211\213G\316a\11Bn.v\366!\207\3", ) \352\211\366\206\200\213\227\222\312\277 \367vG\327\315\305\274\260\315:\20\0\241\257\240z\225\336\270\25$\351\274\12\15\200;\17\225\342\250\340\226\232\0\326\337\331\267\0\376\262\303S\337\211\212\340\233\265R\220\24/f\353\206\354@I,5\323\305\227/\350\262\245\305\22\260\244\261\310\214\202\17\325}\33\236\212\271\227\216\312\202\34\336\251|\343\315\260\200\217O\305`L\330\3\267\225-\203*\223l\202\12\256\310\262\327<\375\11\216\340\242\204\271\273\250\264\2424y\266\215\200D (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\356\255\245\230\335\203\344\374\201?\244{\335\336\303S\346\241\342t\300aj,\267\222\306\4\377\235rb\351\224\14S\307\201\334a\276\256\217\205\26H\216\323"\352\211\366\206\200\213\227\222\312\277 \367vG\327\315\305\274\260\315:\20\0\241\257\240z\225\336\270\25$\351\274\12\15\200;\17\225\342\250\340\226\232\0\326\337\331\267\0\376\262\303S\337\211\212\340\233\265R\220\24/f\353\206\354@I,5\323\305\227/\350\262\245\305\22\260\244\261\310\214\202\17\325}\33\236\212\271\227\216\312\202\34\336\251|\343\315\260\200\217O\305`L\330\3\267\225-\203*\223l\202\12\256\310\262\327<\375\11\216\340\242\204\271\273\250\264\2424y\266\215\200D"(\206q\226 \5\314\37<#\314OuiM\237\6\203\360\13X\206*\262\242\303\363\211\201\212\315\354\307\264m\214\25t\303\243h_~'\221\231\234\200\5V\336\361r\371\326)\362b\366\363\4\2722\210\24\255\233\203I\302\336\1|]\312\227\325:\257>\252\222\31\7\325\223\327\377\364\6\342#\11\3516s\207\374\304\332-\216G\3;>\316\34\200\2\224\11'\322\242[\4\33\200s\346\26\255J\11~\354\203\313\265\302 \252\201\266\37q\16\306\251X\222\204\204\2445M\205\10\243\327\316\22\264\372=\24\302~\350\33\353$\237qZu\211\0\12\335\204\377Z\3356\2\250\200\303u\233\230\16"`0\3228}\3605\16R\3618 \226\11`&>\\224*\376\330~\205\222]\213|\323\272\241\12\374\317<\252!`)GJ3\376GQ\227\212\3\224\257\357\236\272\69l\223\301\207\20\206\3319,]\177\237\30\216\355\253\313$\341@$\262\345\243,\272\331\20\0\364\32z\202\306\214\7\355\302\315 S\2318\3f\307r\300\242\265\227\211\213G\316a\11Bn.v\366!\207\3", ) `0\3228}\3605\16R\3618 \226\11`&>\\224*\376\330~\205\222]\213|\323\272\241\12\374\317<\252!`)GJ3\376GQ\227\212\3\224\257\357\236\272\69l\223\301\207\20\206\3319,]\177\237\30\216\355\253\313$\341@$\262\345\243,\272\331\20\0\364\32z\202\306\214\7\355\302\315 S\2318\3f\307r\300\242\265\227\211\213G\316a\11Bn.v\366!\207\3", ) == 0x0
 00426  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (52, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (52, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00427  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\203*Do\23\357\2321M&\213\314\212\231\230\32\371\273\352'E\340/P\212e{\354\271\267\337\36Y\225\322>\343\23\231\234t\304\347\1\222r\307  \231\207\360\247\312q\17\334\201!~\266\326\20l\317\265bP\335\321\205\212I\7\302\25jQ\261P\307\276\\16\207\314\211\216\31\204\236\45\356\363\203\203\315,\322\12\345\2100\265\256\200|\212K\2048X\312\233\213\323=\13\0\272S\3406\206\260_H\350\10\226 \303=Q\25\7\3771d\355\215\225\325\360\37\177Y\236\317\33C\230\364\210\4\223\206!`\344\376K\303\360!\220\311C\240;h2\301\236<\4\230U\222t\335\223IM\3\375\11\26\14\241\336\373o._&\325\253\206\232\205\317\3\36\4\200\211\300\364]\23\325\267\3311\6D\306\354]\265g\205F^\3\@\327\314`\322"\2121\215_\331\350\2\375gE\370\26\253\1\221\263\360\321\332\314\345z.\374o\27\347\257\317K\341\30\3L\217\311\273\37b\355\253\200j\317\\25\336\14i\262D\217\337\27\230\335\237h\303\344\313\0]\373~$\200c\0\1D=\177zW\326\200\200\321\311.9\204\305k%\273=o\200\342\334/\344A\321\2571\367@\240\364Q\277*\322&c\241{\217\314\332E\204\237\6H\307\341r\332N\306\260\203\303\316\360.\321.\374\24\0\305\223`I\252^#\237\265\1\206Q\22Z4\372\32S\22i\36\301\333\316\316\200\372\276\210q\2327\322$\300\267\2739\3\236\306\203$\270\201\363\24\341\327\222\177P\225\207\11U |\3360e\17\N\211$5\307\341\20\220d\330\2235\22\343Y\251,{E?\22\346\227E\353\334\311P{\213\374uc\312\260\271(\317\311\242\237g\13\200*\231d\2\227\245\234\13\277\227z=n\209\375\34\234\15\246\21X\23\14", ) \2121\215_\331\350\2\375gE\370\26\253\1\221\263\360\321\332\314\345z.\374o\27\347\257\317K\341\30\3L\217\311\273\37b\355\253\200j\317\\25\336\14i\262D\217\337\27\230\335\237h\303\344\313\0]\373~$\200c\0\1D=\177zW\326\200\200\321\311.9\204\305k%\273=o\200\342\334/\344A\321\2571\367@\240\364Q\277*\322&c\241{\217\314\332E\204\237\6H\307\341r\332N\306\260\203\303\316\360.\321.\374\24\0\305\223`I\252^#\237\265\1\206Q\22Z4\372\32S\22i\36\301\333\316\316\200\372\276\210q\2327\322$\300\267\2739\3\236\306\203$\270\201\363\24\341\327\222\177P\225\207\11U |\3360e\17\N\211$5\307\341\20\220d\330\2235\22\343Y\251,{E?\22\346\227E\353\334\311P{\213\374uc\312\260\271(\317\311\242\237g\13\200*\231d\2\227\245\234\13\277\227z=n\209\375\34\234\15\246\21X\23\14", ) == 0x0
 00428  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00429  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\227ltN2\30\203\22\311\320\357\262JI\240q\275\214\222\367\36\372\21644@\11:\31\2039C\370\241\322\205\350\355\270\31\263\207\247\13=\313\13\1\17\2155&\261\314\211\20\306\243\352\315R\276\3046\36J\203\370}\313\261\7-8\333\201\373\316j\367\254\317\20\315\302\274\376\32\377\177\31\254\304\227\227\254\327J\/\2\341\373x\27\20\234\367\304\320\245\14$\211?\254\332\313\270\204'\247\302\23^\3\320\251He\255\330xE\310\20`\365zE\346HD\300\3764\1\276 \314\241 \37\306\227F\225uv\11\341\215LF\322\323k?\12Q~mx\376\253&\236\310\323s\232\267\0\300\236\365\223*t\223\357V\15\323Z\352T\363\310\270\213\255`F\270\1\236\32\244\325\207\320\272M\307\204\267r\346\2zM\307\37\327\261'\360\215\306\300 \264\217\23\33\342\341\20[\256\240+ X\310\237\24v\210O\262\216\325\370K\261\6]\257\232\301\207\30\224\331\350\7}[\260u\234\305\6_\202*\235\212\33\270&\211\3611\314\327\321g}\276\366\372\357\353\201\7\230\30\210\325\11\220\13\271\207\301fI\21\20\203\204gO\326u\35\2529\330\0D\216G\321\31\316`\376\346\315\372C\213\327\301\205\33\234\261PY\345z\311\2\334\325\230\106\235, ) , ) == 0x0
 00430  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (52, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00431  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\374\311y\30\350#\10\332\327m_|\36\3028\237X\257\356\204~-H{\35\301\316\332\374U@0\20\34\262\35\207ZkD\205BG]\26\32\357D\276Z\365"6\266\376\15\344\314\365\34\300S\302\2170`s\226\203\340\14f\313\1O\353\346\327\22\14\206\304\200\25Z\310?8\211\14\357\333\330\25\364\360\230\317\337\5U@\244\370\273\32\210\11<\204\370\267<\0\337\23\211\353\310\271PM\321Qf\333\350\275\7\261\11\233\37)\261\234\332\277\177\236%\7\341\333O\33\343\2536\123\202\374\320\244_G\211\216(]\277\262\270E3\1TLpW\234\303\324\343\350\304L\20\236&X0\224\365\12m"\330m\216\270?\32\217\21\340\211~\223F\216\340 \221\32\311z[:\30\335\333\37\13j9\13\3\204\20\240\336\342\36\242\221\0\231\216D\2645\272!\26L\220\234\207\30\303\26\371\3110\235\27\303\32\35O\251\3K\0\261g\250\356\334\202E\7=\227\330m_\371\263J\256|\31\333\224\336\211j:\241*hg\252\3kQJL\202\254h|\231\311\217\373\6\5\204\267_\337\3!"/\270\5t\37\215\32\275\347\224b\211\321\320\30\237\230\326\364\37\275\366\254\34H\366\10\360LA\265T\226\13\16P\200\237\2434\345\275\25~\260\326d\262\257\301\365f\213\243D\355{\26\353\241J\8\256D\363\344r\7\375y\353\351\263\364\22\210\331\24"\3321\222\266M \4^\257\310`g\31u\0\310\307\317\211t]\276\375\222\353\3453\351\35\360\14\264\314\177\256\200b\202s\236\346|aU\23768\201\366E\302g\324\210\307g\231\237\217\326\341\212s\232\313+\350\267LHf\16\21\327\276k\304\377\14\3602B\4}\335\2P\235\314\215\3\306\347\312=\307\302\313S\336\354\14\214%^3D\227\352\252\353", ) 6\266\376\15\344\314\365\34\300S\302\2170`s\226\203\340\14f\313\1O\353\346\327\22\14\206\304\200\25Z\310?8\211\14\357\333\330\25\364\360\230\317\337\5U@\244\370\273\32\210\11<\204\370\267<\0\337\23\211\353\310\271PM\321Qf\333\350\275\7\261\11\233\37)\261\234\332\277\177\236%\7\341\333O\33\343\2536\123\202\374\320\244_G\211\216(]\277\262\270E3\1TLpW\234\303\324\343\350\304L\20\236&X0\224\365\12m (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\374\311y\30\350#\10\332\327m_|\36\3028\237X\257\356\204~-H{\35\301\316\332\374U@0\20\34\262\35\207ZkD\205BG]\26\32\357D\276Z\365"6\266\376\15\344\314\365\34\300S\302\2170`s\226\203\340\14f\313\1O\353\346\327\22\14\206\304\200\25Z\310?8\211\14\357\333\330\25\364\360\230\317\337\5U@\244\370\273\32\210\11<\204\370\267<\0\337\23\211\353\310\271PM\321Qf\333\350\275\7\261\11\233\37)\261\234\332\277\177\236%\7\341\333O\33\343\2536\123\202\374\320\244_G\211\216(]\277\262\270E3\1TLpW\234\303\324\343\350\304L\20\236&X0\224\365\12m"\330m\216\270?\32\217\21\340\211~\223F\216\340 \221\32\311z[:\30\335\333\37\13j9\13\3\204\20\240\336\342\36\242\221\0\231\216D\2645\272!\26L\220\234\207\30\303\26\371\3110\235\27\303\32\35O\251\3K\0\261g\250\356\334\202E\7=\227\330m_\371\263J\256|\31\333\224\336\211j:\241*hg\252\3kQJL\202\254h|\231\311\217\373\6\5\204\267_\337\3!"/\270\5t\37\215\32\275\347\224b\211\321\320\30\237\230\326\364\37\275\366\254\34H\366\10\360LA\265T\226\13\16P\200\237\2434\345\275\25~\260\326d\262\257\301\365f\213\243D\355{\26\353\241J\8\256D\363\344r\7\375y\353\351\263\364\22\210\331\24"\3321\222\266M \4^\257\310`g\31u\0\310\307\317\211t]\276\375\222\353\3453\351\35\360\14\264\314\177\256\200b\202s\236\346|aU\23768\201\366E\302g\324\210\307g\231\237\217\326\341\212s\232\313+\350\267LHf\16\21\327\276k\304\377\14\3602B\4}\335\2P\235\314\215\3\306\347\312=\307\302\313S\336\354\14\214%^3D\227\352\252\353", ) /\270\5t\37\215\32\275\347\224b\211\321\320\30\237\230\326\364\37\275\366\254\34H\366\10\360LA\265T\226\13\16P\200\237\2434\345\275\25~\260\326d\262\257\301\365f\213\243D\355{\26\353\241J\8\256D\363\344r\7\375y\353\351\263\364\22\210\331\24 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\374\311y\30\350#\10\332\327m_|\36\3028\237X\257\356\204~-H{\35\301\316\332\374U@0\20\34\262\35\207ZkD\205BG]\26\32\357D\276Z\365"6\266\376\15\344\314\365\34\300S\302\2170`s\226\203\340\14f\313\1O\353\346\327\22\14\206\304\200\25Z\310?8\211\14\357\333\330\25\364\360\230\317\337\5U@\244\370\273\32\210\11<\204\370\267<\0\337\23\211\353\310\271PM\321Qf\333\350\275\7\261\11\233\37)\261\234\332\277\177\236%\7\341\333O\33\343\2536\123\202\374\320\244_G\211\216(]\277\262\270E3\1TLpW\234\303\324\343\350\304L\20\236&X0\224\365\12m"\330m\216\270?\32\217\21\340\211~\223F\216\340 \221\32\311z[:\30\335\333\37\13j9\13\3\204\20\240\336\342\36\242\221\0\231\216D\2645\272!\26L\220\234\207\30\303\26\371\3110\235\27\303\32\35O\251\3K\0\261g\250\356\334\202E\7=\227\330m_\371\263J\256|\31\333\224\336\211j:\241*hg\252\3kQJL\202\254h|\231\311\217\373\6\5\204\267_\337\3!"/\270\5t\37\215\32\275\347\224b\211\321\320\30\237\230\326\364\37\275\366\254\34H\366\10\360LA\265T\226\13\16P\200\237\2434\345\275\25~\260\326d\262\257\301\365f\213\243D\355{\26\353\241J\8\256D\363\344r\7\375y\353\351\263\364\22\210\331\24"\3321\222\266M \4^\257\310`g\31u\0\310\307\317\211t]\276\375\222\353\3453\351\35\360\14\264\314\177\256\200b\202s\236\346|aU\23768\201\366E\302g\324\210\307g\231\237\217\326\341\212s\232\313+\350\267LHf\16\21\327\276k\304\377\14\3602B\4}\335\2P\235\314\215\3\306\347\312=\307\302\313S\336\354\14\214%^3D\227\352\252\353", ) , ) == 0x0
 00432  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (52, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00433  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\205\352\230\223\355\344\327\15l%\364\3\231\214.\240\373\240K+\257\351W?\337w\246\3358=\351\215\313\343I\10m\305\376\323\242\0\374\367[\352\250\363y\216X4\333\323\221$\266\236\253w`\16\315O4\31\327\273}\0=\306\2025\320\373\335\367\177\212\260Mw+\350\311\246uJ\377o\271\13{].>\214\3150\3074G\232#\256\332^\305G\375\214P\267\0-\315\333t[}E(\303i\263\3\12P\326\367\14\317\21tMN\263\340\245l\270}\353\2332\206\261U)\365\22}\214Yc\215[\243C\210\306\300\21v\263\272}$\323+\212"\306\340\271\220g\376\353\210P\201\27\267\226Q\25\306.\204\262^?\7M\374\335\336.(\305\270F?\231\303\322\214\5\255\303\300\236\220\371\272\241fO9g\215\343z\205\246\10 2\235\16\215h\256\364\224\360\215u\264\253|\240\\230LF\220S\232\35\342,\355\226\223\263\206\3\326\244MC(\341\373\267z$\316@M\3439?\377\15\233M\20F\211\336\223\14s\20\353$~\227~\340T\370O,A1\336\24w\333\273F\341\13Ik\373\330OVV\202\15\236y\350I\257\366A\342\304Q\273x5Tup@\360\3i \224\202\262V\1D\203(W\300~\311\13\344\231\253\216\360{zQ0\246,\352\353\244\15!\213r\316\366\10\357lm\340\313?\11;\353\301\260\4n\263p\27\354\337\370'\240\366\2105\344\350MD\220\315\304x\2333jni*\214\22\257\272f\353\211\253L\245\247\315\352\13\371}<^)_\257\31\266mz\333\255m\343\360\2155\355\301|\247\2\7\206-s\3\36\236\211\303\327\4\211\340;\317\262\310\235\7\366\201\315\\237\373\357\312\375\367NNQ\12\26`\273\12\360\306\306|n;\260z\222\261\224\277\230\214\246!", ) \306\340\271\220g\376\353\210P\201\27\267\226Q\25\306.\204\262^?\7M\374\335\336.(\305\270F?\231\303\322\214\5\255\303\300\236\220\371\272\241fO9g\215\343z\205\246\10 2\235\16\215h\256\364\224\360\215u\264\253|\240\\230LF\220S\232\35\342,\355\226\223\263\206\3\326\244MC(\341\373\267z$\316@M\3439?\377\15\233M\20F\211\336\223\14s\20\353$~\227~\340T\370O,A1\336\24w\333\273F\341\13Ik\373\330OVV\202\15\236y\350I\257\366A\342\304Q\273x5Tup@\360\3i \224\202\262V\1D\203(W\300~\311\13\344\231\253\216\360{zQ0\246,\352\353\244\15!\213r\316\366\10\357lm\340\313?\11;\353\301\260\4n\263p\27\354\337\370'\240\366\2105\344\350MD\220\315\304x\2333jni*\214\22\257\272f\353\211\253L\245\247\315\352\13\371}<^)_\257\31\266mz\333\255m\343\360\2155\355\301|\247\2\7\206-s\3\36\236\211\303\327\4\211\340;\317\262\310\235\7\366\201\315\\237\373\357\312\375\367NNQ\12\26`\273\12\360\306\306|n;\260z\222\261\224\277\230\214\246!", ) == 0x0
 00434  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00435  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\246\354\243\336\0\301`'\200\316\335\15\203\34\254\233\321\234\213I\366`uTX\235\13\274sN\237z\353\2777\234\224KZ\315\35p\213\3719\240\240\244V\371l\330\316\301\4\355\376\212\4\251\246Fw\310\3342\255\322\230\323\273\227\263S\31\326}\216).\211\357\20\347.\275\353\0\307\0\377\225\3\312\304\340\346\271\27\255\2v)\200\3152\266\13\353\237A,\270Z(4HE\213}M\335\24\204e_4\300\347\263\331\22&\207n\305\215;Fj\326\260\373\343H_\221?\233$Y\265\220\2\30\13\363V\236\220\344\12\306\242Lm<\257\315\221\1\246\322\223UW\337\332V\332,\334Q\2535\2;\201\363G\250\257\260\254Z\256\230$\26\364\210\350\226#*\272\336:p_\227S\5_\303%h`\374\273K\276'\311\304h\235\230\331u\211\265\216\315\260\212\217$\317\317g\24\341\273P0OM\251\243zE\203R\322\311\260\270wA\326\350x\316N\211cF\226T\201\327\365N}\234ys\31#\374\14J\340\247\200\225\273\260\31\341\366\260c>\267\23\333\20D\216\24\232\273\260b\25p\247t\300\277\16\12Q\30\352\234,\310\316\250\16\302T\251t\11$\252\316\270,Q\257\210\344kWh4\31\230\304\213\360\227\211\233\344\200\314\266\334\236\300%[)]+\10\315\35\0\352\27O\345[G(\213\376\225\301\12\302\243V\360\233\233Li\16P\364\317(z\255\324T\7\10\316\213\243\3\2\216\264\255\267\316\350q=\335\374\256p\217\340\307V;\355\3052/\231\332W\213\2232\375\36\301\335\240\373\301|\226v(\236KB3&\2026\263\304\1\317\230t7\210d\324\275&\275xx\241\27+B\20r\373\277\235}\316\304\310_\254VF`\346\215A\22\365]m\371\362\227$\345\316\0\4\255"\370\214", ) \370\214", ) == 0x0
 00436  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (52, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00437  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\205\340\0\274\25\367\265\334k\370\306\15\234D\212\241\220\21M\0\230\264\367\364\360\6\241\263)B\334\2A\310\36\32Q\304O\231\14\354\203\17\22^\254\353\275\210o\35\306\346\217\202oW\226\257\306$\366\217\236\235\2320\4\324\375\11\236C\37c\311\356\253 )\2\337p\16\177E\207\345[\357\177\0\261G-\36\221=;\22(\225\0W\205\336|=\365\217\270a\216\246\17\362\231\311\0\266\16dT\247\333\224\20B\336%\265\334\313,~\234\302\320\25\332\254\224t\253\244\334PV\333\354\34\331h \255\41'D\217\371\363\353\304\232\330\246\333\270\377_\301\315\237\360\216\3655\240\246@\373\30ai\330\300\326\214N\261L\275\206\211\234O`.\217_\300+*]#\222\237\364\301\320>\224\212d\362]#\33\12\364\2735\205\12\350\227\306\331K\3\15\226\336P\204\13\36\312u\312$\255\317\27i\330\345\257\343~\0\205\360\302\\363\360f\24\2\316;\222\357\10\377K$j]t\374dc\6wiF\366\14\2754\14\367\276=\306\21\372,\316\250\225\270\246\213K\233F\1\232\327C\1\226L\325\340!\0i\200", ) \204\13\36\312u\312$\255\317\27i\330\345\257\343~\0\205\360\302\\363\360f\24\2\316;\222\357\10\377K$j]t\374dc\6wiF\366\14\2754\14\367\276=\306\21\372,\316\250\225\270\246\213K\233F\1\232\327C\1\226L\325\340!\0i\200", ) == 0x0
 00438  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00439  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2658\236\205\360\213w\6\215\271\0\22\223\26\203s\271\26\25\242\370\371\261C\10\317i\6\207"\2132"\277e/;7\260\373\341o\366\31&\334\226\353m\273d\377\3722\214\16\266o\36\12\255\200s\177\6\316\263\0\226|\376\213"\237px_\225F0J\252\312`}"\366\334s\273\22\254\213,\36^\210\370\343\374y\243\313\235\332\351=\255H\202\205\251\263\213\w\223O\236\325\212\346\317\225\3372\26dE\370\302\177[\262\204uY\22\201\371\234(\201\346{\323r\224Kc\300\311\350\17\220\376\34DUy\200\260>K\323x\305\330\333\376M\314\12{\1@\227\224\323\312\212\1\353\333\26|\262\341c\0\342F\271]\374\321\315\354\2079\241\361M\216Lky\273\210\", ) \2132 (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2658\236\205\360\213w\6\215\271\0\22\223\26\203s\271\26\25\242\370\371\261C\10\317i\6\207"\2132"\277e/;7\260\373\341o\366\31&\334\226\353m\273d\377\3722\214\16\266o\36\12\255\200s\177\6\316\263\0\226|\376\213"\237px_\225F0J\252\312`}"\366\334s\273\22\254\213,\36^\210\370\343\374y\243\313\235\332\351=\255H\202\205\251\263\213\w\223O\236\325\212\346\317\225\3372\26dE\370\302\177[\262\204uY\22\201\371\234(\201\346{\323r\224Kc\300\311\350\17\220\376\34DUy\200\260>K\323x\305\330\333\376M\314\12{\1@\227\224\323\312\212\1\353\333\26|\262\341c\0\342F\271]\374\321\315\354\2079\241\361M\216Lky\273\210\", ) \237px_\225F0J\252\312`}5\236z\246\227rK\27\2313%[\16R\325=\375n\312c\13\342\345\222W\203\220 \200\201\211\6_\222\2031\24v\373\241\32\\230\223\24_\3243?\244\366\274||\242$\330qL\13\14N\335k\202\366\34\31\330m\247\215\304\232ymow\240\34\267\252fh\327\260\216\5.\227\215\15l\224.\32n$\231\17\35\376\325N\322O\22\350\317226\7M?\36&);\17\274M\374\30\205N\367\223Y\233\350\201\324\262bt\320\315\226\247\276M\12\215\30\200\14\355\340P\213\216\234\334\341\250\210\224\237\300\12X\364\251\374 w!\\334\3\2622\206~C\10\223_\245\346\337\224*\360\265\301\0\302\10%*\257\25\360\260I\312\13\227\207\22\3\204\315B6\2025\332n1e\32\12\334\242v\336\321~\211\316\205p\206\22\206\325\261\237(\340\250\367\343\6d\3633\207\344\370\336w\36\345\302zk\213o\232m\129\332\303\371\317\216\346\212\235\330a\331=\13n\3460\242\37644\233\1\\237\312\301h\1" (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2658\236\205\360\213w\6\215\271\0\22\223\26\203s\271\26\25\242\370\371\261C\10\317i\6\207"\2132"\277e/;7\260\373\341o\366\31&\334\226\353m\273d\377\3722\214\16\266o\36\12\255\200s\177\6\316\263\0\226|\376\213"\237px_\225F0J\252\312`}"\366\334s\273\22\254\213,\36^\210\370\343\374y\243\313\235\332\351=\255H\202\205\251\263\213\w\223O\236\325\212\346\317\225\3372\26dE\370\302\177[\262\204uY\22\201\371\234(\201\346{\323r\224Kc\300\311\350\17\220\376\34DUy\200\260>K\323x\305\330\333\376M\314\12{\1@\227\224\323\312\212\1\353\333\26|\262\341c\0\342F\271]\374\321\315\354\2079\241\361M\216Lky\273\210\", ) , ) == 0x0
 00440  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00441  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\365\203\223!\272\366\250\264\14\316\375B\327\231\200D\202\314\350t\326\203\357t\202\252\312\14^\250F\4\202\365\250\220:\206\34<\25\351\327\310\251\205b^\367Q\3\233\324\225\250\364\325\4\356(\352\204\207\240>\223\337\5\345\322C\3\227f\301D\223\216\223\316\221\4@H\227\316\356\30\226\363\257\3134\347S\7F\37\1A\274M\33\204\3227\217\231\26\6\202:\266\210\335\7O&\245M\272\272\217\306\235)\307\201\325\215\274\3`\5\321+\325A\200|\376\215\305\232\202\314\27\254\6ZzJ\221\202-\357\307\220]*\355\342\332\274eZ\210%&\241\213O)\202\252\233\366\22\317\24\322\371\203K\220!\356\13\322\335\2508%\332B\215\22\216\231\24\322)X\14\356\311\231S\323\3050\11\257X\27S\243\210\263\35T\235SS\212\242\3633\232Z\266\204\2\222@E>\222\337a*\5\375/\303\305xEN\242Z\267Z\271\336\303\31\302\277t\271\364\32_\3231\315\30\371Y\301\232\273\\250H.J\13\220\215\241\210wxw\306p\15\232\314\30\225\252\214\246\366\3552\1\24\352\212\271\376\316r o\315\2304\226\232\263\217k\313o\0\307-\211i$\235\371\3\303\251\355T\202\2\373T\226\355\11*.\24%\27\304\365\233\344\341\233B&\221\325\235P\207\272\335\1#\3\232\27m\276K\354:\307\266\347\251\236\353\20\206_\212E\246Y\333Tv3\264S^\334\344\351,!\17\346\235\231\331\2I\221@\30\266|\35\334M\316\5p\227\337`\2]\2127\367\2744\367\4\226\212SH\202\356\301.\325\20438\317\5\215\244\234\325\327\242\2226\207\2\333\270\233\257\336\316\357\24k\323h\375(\354p\215\324o\39\341B\360\257:\217\4\205]\211\3D\300\217\266\232\315\213\10\212\316A\226\242\316\313 \205p\16M", ) , ) == 0x0
 00442  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00443  1736   NtReadFile  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (44, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\14\215\233\214\224\321\233\205\35\234\220\27V\366\3078\307\354nR\373j\335\210fs\210|\\241\25\11\266\223\33\346\215\15Nh`\302\246\330\206\374;F}1\307\15\362\306\360\301\232\315S\17\252\307\315\21R\333\327kl\355\355A\213\314_k\336^\201\345u+\3a\371\25\200+\235\241=\214\264s\233\201\224o`\301)\314\355@*\24\240v\30\303S\262\266\215\204\21&\375\23\315\334\377\306\263z\350\20@\356\303\15\14_\0\231\226\276\205\205\13\262\215H@\206\210\1\261\317\326\12|\362\307\202\221\241V\216\201\334\330\360+\169\11\337\306\327BQ\316\225\357!\301M\217h\217\333\261\22\347\327\203\367\14\311\20\346\255\364\236O!\211\254|\347\262C\231\14\260\276\272\353\1\317\20\11\370\351\233sW\343\361\266\257\220\245Y\32\377\354\20M\271\333\5%\307\242\370$\304@\352\201yD:\232\351\220B\306\307\337\20\236\333\217M\220\234\247\2\222\11\364d\223\246\237\6\320i\33\11\200\306\11\242\375\353\225#\317\320\211=~\1\23\5wXh8\206\326\222\263\223\202\377\242|\337\35\260\205\344\276\26\255\325\215\234\300\250\260;R\257\307\20\32\336(\10\366~\263$:\352\232I\336U\340\4\230\375\373\232\273\266\232n\233%\353\300\25\254\273\211\271\341R\214O\275\237\2j\303\250\250\216\17\323\337\312\4\25-\231\270\351\236\323\233\332\21\222\323\204\22\324\301\315@\351\2379C\\3079\14Ks\203\322&o\330\344\373\311\347YUf\315\16\24\3248%\13\302)\336\245\271@FG\241\2036\232\255\24)\26401A\232\225K\340\367\361\312\315\272Z6\2\364\234\267s\202\311zNn\237}h\335W\323\237\207\364y\1\276\2576\11q\372\30\226[\21\207\224\237\220S\222W\177\357\20a\335\321x 7\235\4", ) , ) == 0x0
 00444  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (52, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00445  1736   NtReadFile  (44, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (44, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\326\206\213\0\306\206\213\0\362\226\213\0\342\226\213\0r\244\213\0b\244\213\0\222\247\213\0\232\247\213\0\202\247\213\0\212\247\213\0\262\247\213\0\272\247\213\0\242\247\213\0\252\247\213\0\322\247\213\0\332\247\213\06\247\213\0"\247\213\0N\247\213\0\212\246\213\0\306\246\213\0>\246\213\0F\246\213\0\206\241\213\0\6\241\213\0~\241\213\0\22\243\213\0f\242\213\0\246\275\213\0\202\274\213\06\274\213\0\342\276\213\0\352\270\213\0\322\272\213\0\276\265\213\0^\265\213\0\336\264\213\0\36\264\213\0\352\267\213\0\12\267\213\0V\267\213\0f\267\213\0\16\216\216\0v\216\216\0A\344\214\0}\344\214\0\224\347\214\0\214\347\214\0\242\347\214\0\330\347\214\0\377\347\214\0\22\347\214\06\347\214\0/\347\214\0B\347\214\0~\347\214\0h\347\214\0\204\346\214\0\276\346\214\0\327\346\214\0\306\346\214\0\353\346\214\0\0\346\214\0!\346\214\0G\346\214\0n\346\214\0\215\341\214\0\334\341\214\0\371\341\214\0\4\341\214\0W\341\214\0w\341\214\0\222\340\214\0\257\340\214\0\361\340\214\0\352\340\214\0\4\340\214\0<\340\214\0V\340\214\0@\340\214\0z\340\214\0\227\343\214\0\214\343\214\0\271\343\214\0\322\343\214\0\310\343\214\0\357\343\214\0\22\343\214\0\34\343\214\0\5\343\214\0\11\343\214\0\212\315\235\0\201\315\222\0\202\315\223\0\203\315\221\0\222\315\210\0\236\315\214\0\220\315\216\0\275\315\220\0\213\315\225\0\262\315\253\0\276\315\241\0\277\315\252\0\265\315\251\0\211\315\256\0\260\315\254\0\205\315\232\0\204\315\207\0\206\315\205\0\231\315\206\0\235\315\201\0\237\315\247\0\226\315\211\0\227\315\245\0\273\315\213\0\226\315\213\0\226\315\213\0\226\315\213@\262\265\373$\247\377\305m\343\251\373@\302\203\306U\322\235\213@\262\265\373$\247\370\305m", ) \247\213\0N\247\213\0\212\246\213\0\306\246\213\0>\246\213\0F\246\213\0\206\241\213\0\6\241\213\0~\241\213\0\22\243\213\0f\242\213\0\246\275\213\0\202\274\213\06\274\213\0\342\276\213\0\352\270\213\0\322\272\213\0\276\265\213\0^\265\213\0\336\264\213\0\36\264\213\0\352\267\213\0\12\267\213\0V\267\213\0f\267\213\0\16\216\216\0v\216\216\0A\344\214\0}\344\214\0\224\347\214\0\214\347\214\0\242\347\214\0\330\347\214\0\377\347\214\0\22\347\214\06\347\214\0/\347\214\0B\347\214\0~\347\214\0h\347\214\0\204\346\214\0\276\346\214\0\327\346\214\0\306\346\214\0\353\346\214\0\0\346\214\0!\346\214\0G\346\214\0n\346\214\0\215\341\214\0\334\341\214\0\371\341\214\0\4\341\214\0W\341\214\0w\341\214\0\222\340\214\0\257\340\214\0\361\340\214\0\352\340\214\0\4\340\214\0<\340\214\0V\340\214\0@\340\214\0z\340\214\0\227\343\214\0\214\343\214\0\271\343\214\0\322\343\214\0\310\343\214\0\357\343\214\0\22\343\214\0\34\343\214\0\5\343\214\0\11\343\214\0\212\315\235\0\201\315\222\0\202\315\223\0\203\315\221\0\222\315\210\0\236\315\214\0\220\315\216\0\275\315\220\0\213\315\225\0\262\315\253\0\276\315\241\0\277\315\252\0\265\315\251\0\211\315\256\0\260\315\254\0\205\315\232\0\204\315\207\0\206\315\205\0\231\315\206\0\235\315\201\0\237\315\247\0\226\315\211\0\227\315\245\0\273\315\213\0\226\315\213\0\226\315\213\0\226\315\213@\262\265\373$\247\377\305m\343\251\373@\302\203\306U\322\235\213@\262\265\373$\247\370\305m", ) == 0x0
 00446  1736   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00447  1736   NtClose  (52, ... ) == 0x0
 00448  1736   NtClose  (44, ... ) == 0x0
 00449  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.tmp"}, 1242360, ... ) }, 1242360, ... ) == 0x0
 00450  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.tmp"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00451  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 44, ... 52, ) == 0x0
 00452  1736   NtClose  (44, ... ) == 0x0
 00453  1736   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa50000), 0x0, 176128, ) == 0x0
 00454  1736   NtClose  (52, ... ) == 0x0
 00455  1736   NtUnmapViewOfSection  (-1, 0xa50000, ... ) == 0x0
 00456  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0
 00457  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0
 00458  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.tmp"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00459  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 44, ) == 0x0
 00460  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00461  1736   NtClose  (52, ... ) == 0x0
 00462  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xa50000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00463  1736   NtMapViewOfSection  (44, -1, (0xa50000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00464  1736   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00465  1736   NtClose  (44, ... ) == 0x0
 00466  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 8, ) == 0x0
 00467  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 8, ... (0xac2000), 4096, 4, ) == 0x0
 00468  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00469  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00470  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00471  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00472  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00473  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00474  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00475  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00476  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00477  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00478  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 44, ) }, ... 44, ) == 0x0
 00479  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0
 00480  1736   NtClose  (44, ... ) == 0x0
 00481  1736   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00482  1736   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 00483  1736   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 00484  1736   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00485  1736   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 00486  1736   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 00487  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00488  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00489  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00490  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 44, ) }, ... 44, ) == 0x0
 00491  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00492  1736   NtClose  (44, ... ) == 0x0
 00493  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00494  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00495  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00496  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00497  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00498  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00499  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00500  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00501  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00502  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00503  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00504  1736   NtClose  (44, ... ) == 0x0
 00505  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00506  1736   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00507  1736   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00508  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00509  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00510  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00511  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00512  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00513  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00514  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00515  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00516  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00517  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00518  1736   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00519  1736   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00520  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00521  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00522  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00523  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 44, ) }, ... 44, ) == 0x0
 00524  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00525  1736   NtClose  (44, ... ) == 0x0
 00526  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00527  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00528  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00529  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00530  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00531  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00532  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00533  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00534  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00535  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00536  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00537  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00538  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00539  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00540  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00541  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00542  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00543  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00544  1736   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00545  1736   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00546  1736   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00547  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00548  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00549  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00550  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00551  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00552  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00553  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241872, ... ) }, 1241872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00555  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WSOCK32.DLL"}, 1241872, ... ) }, 1241872, ... ) == 0x0
 00556  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WSOCK32.DLL"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00557  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 52, ) == 0x0
 00558  1736   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00559  1736   NtClose  (44, ... ) == 0x0
 00560  1736   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 36864, ) == 0x0
 00561  1736   NtClose  (52, ... ) == 0x0
 00562  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241056, ... ) }, 1241056, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00564  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1241056, ... ) }, 1241056, ... ) == 0x0
 00565  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00566  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 44, ) == 0x0
 00567  1736   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00568  1736   NtClose  (52, ... ) == 0x0
 00569  1736   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00570  1736   NtClose  (44, ... ) == 0x0
 00571  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00572  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00573  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00574  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240240, ... ) }, 1240240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1240240, ... ) }, 1240240, ... ) == 0x0
 00577  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00578  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 44, ... 52, ) == 0x0
 00579  1736   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00580  1736   NtClose  (44, ... ) == 0x0
 00581  1736   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00582  1736   NtClose  (52, ... ) == 0x0
 00583  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00584  1736   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00585  1736   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00586  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00587  1736   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00588  1736   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00589  1736   NtProtectVirtualMemory  (-1, (0x71ad1000), 52, 4, ... (0x71ad1000), 4096, 32, ) == 0x0
 00590  1736   NtProtectVirtualMemory  (-1, (0x71ad1000), 4096, 32, ... (0x71ad1000), 4096, 4, ) == 0x0
 00591  1736   NtFlushInstructionCache  (-1, 1907167232, 52, ... ) == 0x0
 00592  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00593  1736   NtProtectVirtualMemory  (-1, (0xac2000), 4096, 4, ... (0xac2000), 4096, 4, ) == 0x0
 00594  1736   NtFlushInstructionCache  (-1, 11280384, 4096, ... ) == 0x0
 00595  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00596  1736   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 52, ) == 0x0
 00597  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 44, ) == 0x0
 00598  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 56, ) }, ... 56, ) == 0x0
 00599  1736   NtNotifyChangeKey  (56, 44, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103
 00600  1736   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00601  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 60, ) == 0x0
 00602  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0
 00603  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00604  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00605  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11337728, 65536, ) == 0x0
 00606  1736   NtAllocateVirtualMemory  (-1, 11337728, 0, 4096, 4096, 4, ... 11337728, 4096, ) == 0x0
 00607  1736   NtAllocateVirtualMemory  (-1, 11341824, 0, 8192, 4096, 4, ... 11341824, 8192, ) == 0x0
 00608  1736   NtAllocateVirtualMemory  (-1, 11350016, 0, 4096, 4096, 4, ... 11350016, 4096, ) == 0x0
 00609  1736   NtAllocateVirtualMemory  (-1, 11354112, 0, 4096, 4096, 4, ... 11354112, 4096, ) == 0x0
 00610  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00611  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00612  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00613  1736   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00614  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLE32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00615  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 68, {status=0x0, info=0}, ) }, 7, 16, ... 68, {status=0x0, info=0}, ) == 0x0
 00616  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\266^\265\3\343\213\266\17\375\10\20~\305"|\376\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... |\376\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 00617  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00618  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00619  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00620  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00621  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00622  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00623  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00624  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 00625  1736   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\2125W;\356\224\201\343\256\203\363x7\272\342\\372B\327\343\345\350\0%\212k\343\15\270\1$\343]t\261\17g\300\357B\243\340\2106\23\203\30i05\275/(\313m\326\273w\4DI`z\210\13\33-%].J\255\234\311\267\304\313\23_2", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\2125W;\356\224\201\343\256\203\363x7\272\342\\372B\327\343\345\350\0%\212k\343\15\270\1$\343]t\261\17g\300\357B\243\340\2106\23\203\30i05\275/(\313m\326\273w\4DI`z\210\13\33-%].J\255\234\311\267\304\313\23_2", 80, ... ) , 80, ... ) == 0x0
 00626  1736   NtClose  (-2147482576, ... ) == 0x0
 00616  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\242y\275{/\270\371\356\306\341\201V\6M;w}4\35\327<\252R[\251\33\341ys\223\248\242\245)\264\13&B=,\356\275\305\1\226.\201\377\351s\336\13\304\33\377\203\3244\372lk\11o\344\225\13\256\325\2126\361\270\22\\204,\35\264\212\242;*\326\322=]\0\210\30E?u\32\35|C\262\215q\275a\37\353\373]\216\316\344\177\351\15zQc\266\N\377\324\223\330e\216\206\355#\233pr1&\204\334l\275\264\353\274\211d@\237\367\276\230\205\237\340\46b\313?\3052F\267\205q\320`\227kl7\11\215D\362\231hwM}\311\3\333PT\322\263\313\17\332u\315*\342t#oH1\336[\317\240]\5\275\211\225\307_\3532\344\316\221\244\16?\212\5\254l\217\256R\353\237E\7t\27*\326\11\13\357\245vR\270\317\273\341\34\253\335Ir\216\257tG\273\254L\36\15\177\17\15l", ) , ) == 0x0
 00627  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00628  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00629  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 72, ) }, ... 72, ) == 0x0
 00630  1736   NtQueryValueKey  (72,  (72, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00631  1736   NtClose  (72, ... ) == 0x0
 00632  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 72, ) }, ... 72, ) == 0x0
 00633  1736   NtQueryValueKey  (72,  (72, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634  1736   NtClose  (72, ... ) == 0x0
 00635  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00636  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00637  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00638  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00639  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 72, ) }, ... 72, ) == 0x0
 00640  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00642  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643  1736   NtClose  (72, ... ) == 0x0
 00644  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 72, ) }, ... 72, ) == 0x0
 00645  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00646  1736   NtQueryValueKey  (72,  (72, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00647  1736   NtClose  (72, ... ) == 0x0
 00648  1736   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 72, ) }, ... 72, ) == 0x0
 00649  1736   NtOpenEvent  (0x1f0003, {24, 72, 0x0, 0, 0,  (0x1f0003, {24, 72, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00651  1736   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00652  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00653  1736   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00654  1736   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00655  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00656  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00657  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00658  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00659  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00660  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00661  1736   NtQueryPerformanceCounter  (... {1106281419, 16}, {3579545, 0}, ) == 0x0
 00662  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqe3.tmp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663  1736   NtUserCallOneParam  (0, 41, ... ) == 0x4
 00664  1736   NtAllocateVirtualMemory  (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0
 00665  1736   NtQueryVirtualMemory  (-1, 0x12f630, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00666  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 11534336, 1048576, ) == 0x0
 00667  1736   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00668  1736   NtAllocateVirtualMemory  (-1, 11534336, 0, 16384, 4096, 4, ... 11534336, 16384, ) == 0x0
 00669  1736   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00670  1736   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00671  1736   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672  1736   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673  1736   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00674  1736   NtQueryInformationToken  (76, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00675  1736   NtClose  (76, ... ) == 0x0
 00676  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.ENU"}, 1241100, ... ) }, 1241100, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.ENU"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00678  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.ENU.DLL"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00679  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.EN"}, 1241100, ... ) }, 1241100, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00680  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.EN"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00681  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\sqe3.EN.DLL"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00682  1736   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 76, ) == 0x0
 00683  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00684  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00685  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00686  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00687  1736   NtGdiCreatePaletteInternal  (1241804, 16, ... ) == 0x71080651
 00688  1736   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00689  1736   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00690  1736   NtUserFindExistingCursorIcon  (1242168, 1242184, 1242232, ... ) == 0x10003
 00691  1736   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\06\06\04\0", 28, 1242732, ... ) , 28, 1242732, ... ) == 0x0
 00692  1736   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\0A\05\00\00\00\00\00\00\00\00\00\06\0C\08\0", 52, 1242732, ... ) , 52, 1242732, ... ) == 0x0
 00693  1736   NtUserSystemParametersInfo  (104, 0, 11542084, 0, ... ) == 0x1
 00694  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10011
 00695  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10023
 00696  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00697  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00698  1736   NtGdiCreateDIBitmapInternal  (16842835, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x540507cc
 00699  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00700  1736   NtGdiSelectBitmap  (-234813853, 1409615820, ... ) == 0x185000f
 00701  1736   NtGdiGetDCforBitmap  (1409615820, ... ) == 0xf2010663
 00702  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00703  1736   NtGdiSelectBitmap  (-234813853, 1409615820, ... ) == 0x540507cc
 00704  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00705  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00706  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11220492, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00707  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00708  1736   NtGdiSelectBitmap  (-234813853, 1409615820, ... ) == 0x540507cc
 00709  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00710  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x540507cc
 00711  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x46010482
 00712  1736   NtGdiExtGetObjectW  (1409615820, 24, 1241212, ... ) == 0x18
 00713  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x300503ba
 00714  1736   NtGdiSelectBitmap  (-234813853, 1409615820, ... ) == 0x185000f
 00715  1736   NtGdiSelectBitmap  (1174471810, 805635002, ... ) == 0x185000f
 00716  1736   NtGdiBitBlt  (1174471810, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00717  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x540507cc
 00718  1736   NtGdiSelectBitmap  (1174471810, 25493519, ... ) == 0x300503ba
 00719  1736   NtGdiDeleteObjectApp  (1409615820, ... ) == 0x1
 00720  1736   NtGdiDeleteObjectApp  (1174471810, ... ) == 0x1
 00721  1736   NtUserCallOneParam  (0, 33, ... ) == 0x9500d3
 00722  1736   NtUserSetCursorIconData  (9765075, 1241316, 1241332, 1241396, ... ) == 0x1
 00723  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10029
 00724  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10027
 00725  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10025
 00726  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00727  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00728  1736   NtGdiCreateDIBitmapInternal  (16842835, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x570504d6
 00729  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00730  1736   NtGdiSelectBitmap  (-234813853, 1459946710, ... ) == 0x185000f
 00731  1736   NtGdiGetDCforBitmap  (1459946710, ... ) == 0xf2010663
 00732  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00733  1736   NtGdiSelectBitmap  (-234813853, 1459946710, ... ) == 0x570504d6
 00734  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00735  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00736  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11220800, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00737  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00738  1736   NtGdiSelectBitmap  (-234813853, 1459946710, ... ) == 0x570504d6
 00739  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00740  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x570504d6
 00741  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x560107cc
 00742  1736   NtGdiExtGetObjectW  (1459946710, 24, 1241212, ... ) == 0x18
 00743  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xeb0504a8
 00744  1736   NtGdiSelectBitmap  (-234813853, 1459946710, ... ) == 0x185000f
 00745  1736   NtGdiSelectBitmap  (1442908108, -351992664, ... ) == 0x185000f
 00746  1736   NtGdiBitBlt  (1442908108, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00747  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x570504d6
 00748  1736   NtGdiSelectBitmap  (1442908108, 25493519, ... ) == 0xeb0504a8
 00749  1736   NtGdiDeleteObjectApp  (1459946710, ... ) == 0x1
 00750  1736   NtGdiDeleteObjectApp  (1442908108, ... ) == 0x1
 00751  1736   NtUserCallOneParam  (0, 33, ... ) == 0x2e020d
 00752  1736   NtUserSetCursorIconData  (3015181, 1241316, 1241332, 1241396, ... ) == 0x1
 00753  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00754  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00755  1736   NtGdiCreateDIBitmapInternal  (16842835, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x48050482
 00756  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00757  1736   NtGdiSelectBitmap  (-234813853, 1208288386, ... ) == 0x185000f
 00758  1736   NtGdiGetDCforBitmap  (1208288386, ... ) == 0xf2010663
 00759  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00760  1736   NtGdiSelectBitmap  (-234813853, 1208288386, ... ) == 0x48050482
 00761  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00762  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00763  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11221108, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00764  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00765  1736   NtGdiSelectBitmap  (-234813853, 1208288386, ... ) == 0x48050482
 00766  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00767  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x48050482
 00768  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x590104d6
 00769  1736   NtGdiExtGetObjectW  (1208288386, 24, 1241212, ... ) == 0x18
 00770  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x3505069c
 00771  1736   NtGdiSelectBitmap  (-234813853, 1208288386, ... ) == 0x185000f
 00772  1736   NtGdiSelectBitmap  (1493238998, 889521820, ... ) == 0x185000f
 00773  1736   NtGdiBitBlt  (1493238998, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00774  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x48050482
 00775  1736   NtGdiSelectBitmap  (1493238998, 25493519, ... ) == 0x3505069c
 00776  1736   NtGdiDeleteObjectApp  (1208288386, ... ) == 0x1
 00777  1736   NtGdiDeleteObjectApp  (1493238998, ... ) == 0x1
 00778  1736   NtUserCallOneParam  (0, 33, ... ) == 0x1401e3
 00779  1736   NtUserSetCursorIconData  (1311203, 1241316, 1241332, 1241396, ... ) == 0x1
 00780  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00781  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00782  1736   NtGdiCreateDIBitmapInternal  (16842835, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x580507cc
 00783  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00784  1736   NtGdiSelectBitmap  (-234813853, 1476724684, ... ) == 0x185000f
 00785  1736   NtGdiGetDCforBitmap  (1476724684, ... ) == 0xf2010663
 00786  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00787  1736   NtGdiSelectBitmap  (-234813853, 1476724684, ... ) == 0x580507cc
 00788  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00789  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00790  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11221416, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00791  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00792  1736   NtGdiSelectBitmap  (-234813853, 1476724684, ... ) == 0x580507cc
 00793  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00794  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x580507cc
 00795  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x4a010482
 00796  1736   NtGdiExtGetObjectW  (1476724684, 24, 1241212, ... ) == 0x18
 00797  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x6e0507a9
 00798  1736   NtGdiSelectBitmap  (-234813853, 1476724684, ... ) == 0x185000f
 00799  1736   NtGdiSelectBitmap  (1241580674, 1845823401, ... ) == 0x185000f
 00800  1736   NtGdiBitBlt  (1241580674, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00801  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x580507cc
 00802  1736   NtGdiSelectBitmap  (1241580674, 25493519, ... ) == 0x6e0507a9
 00803  1736   NtGdiDeleteObjectApp  (1476724684, ... ) == 0x1
 00804  1736   NtGdiDeleteObjectApp  (1241580674, ... ) == 0x1
 00805  1736   NtUserCallOneParam  (0, 33, ... ) == 0x701bd
 00806  1736   NtUserSetCursorIconData  (459197, 1241316, 1241332, 1241396, ... ) == 0x1
 00807  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00808  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00809  1736   NtGdiCreateDIBitmapInternal  (16842835, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x5b0504d6
 00810  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00811  1736   NtGdiSelectBitmap  (-234813853, 1527055574, ... ) == 0x185000f
 00812  1736   NtGdiGetDCforBitmap  (1527055574, ... ) == 0xf2010663
 00813  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00814  1736   NtGdiSelectBitmap  (-234813853, 1527055574, ... ) == 0x5b0504d6
 00815  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00816  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00817  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11221724, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00818  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00819  1736   NtGdiSelectBitmap  (-234813853, 1527055574, ... ) == 0x5b0504d6
 00820  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00821  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x5b0504d6
 00822  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x5a0107cc
 00823  1736   NtGdiExtGetObjectW  (1527055574, 24, 1241212, ... ) == 0x18
 00824  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xe40505cb
 00825  1736   NtGdiSelectBitmap  (-234813853, 1527055574, ... ) == 0x185000f
 00826  1736   NtGdiSelectBitmap  (1510016972, -469432885, ... ) == 0x185000f
 00827  1736   NtGdiBitBlt  (1510016972, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00828  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x5b0504d6
 00829  1736   NtGdiSelectBitmap  (1510016972, 25493519, ... ) == 0xe40505cb
 00830  1736   NtGdiDeleteObjectApp  (1527055574, ... ) == 0x1
 00831  1736   NtGdiDeleteObjectApp  (1510016972, ... ) == 0x1
 00832  1736   NtUserCallOneParam  (0, 33, ... ) == 0x210297
 00833  1736   NtUserSetCursorIconData  (2163351, 1241316, 1241332, 1241396, ... ) == 0x1
 00834  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00835  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00836  1736   NtGdiCreateDIBitmapInternal  (16842835, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x4c050482
 00837  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00838  1736   NtGdiSelectBitmap  (-234813853, 1275397250, ... ) == 0x185000f
 00839  1736   NtGdiGetDCforBitmap  (1275397250, ... ) == 0xf2010663
 00840  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00841  1736   NtGdiSelectBitmap  (-234813853, 1275397250, ... ) == 0x4c050482
 00842  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00843  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00844  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11222340, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00845  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00846  1736   NtGdiSelectBitmap  (-234813853, 1275397250, ... ) == 0x4c050482
 00847  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00848  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x4c050482
 00849  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x5d0104d6
 00850  1736   NtGdiExtGetObjectW  (1275397250, 24, 1241212, ... ) == 0x18
 00851  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x4705066c
 00852  1736   NtGdiSelectBitmap  (-234813853, 1275397250, ... ) == 0x185000f
 00853  1736   NtGdiSelectBitmap  (1560347862, 1191511660, ... ) == 0x185000f
 00854  1736   NtGdiBitBlt  (1560347862, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00855  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x4c050482
 00856  1736   NtGdiSelectBitmap  (1560347862, 25493519, ... ) == 0x4705066c
 00857  1736   NtGdiDeleteObjectApp  (1275397250, ... ) == 0x1
 00858  1736   NtGdiDeleteObjectApp  (1560347862, ... ) == 0x1
 00859  1736   NtUserCallOneParam  (0, 33, ... ) == 0x420281
 00860  1736   NtUserSetCursorIconData  (4326017, 1241316, 1241332, 1241396, ... ) == 0x1
 00861  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 00862  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00863  1736   NtGdiCreateDIBitmapInternal  (16842835, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x5c0507cc
 00864  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00865  1736   NtGdiSelectBitmap  (-234813853, 1543833548, ... ) == 0x185000f
 00866  1736   NtGdiGetDCforBitmap  (1543833548, ... ) == 0xf2010663
 00867  1736   NtGdiSaveDC  (-234813853, ... ) == 0x1
 00868  1736   NtGdiSelectBitmap  (-234813853, 1543833548, ... ) == 0x5c0507cc
 00869  1736   NtGdiGetDCObject  (-234813853, 524288, ... ) == 0x188000b
 00870  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00871  1736   NtGdiSetDIBitsToDeviceInternal  (-234813853, 0, 0, 32, 64, 0, 0, 0, 64, 11222032, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00872  1736   NtUserSelectPalette  (-234813853, 25690123, 0, ... ) == 0x188000b
 00873  1736   NtGdiSelectBitmap  (-234813853, 1543833548, ... ) == 0x5c0507cc
 00874  1736   NtGdiRestoreDC  (-234813853, -1, ... ) == 0x1
 00875  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x5c0507cc
 00876  1736   NtGdiCreateCompatibleDC  (-234813853, ... ) == 0x4e010482
 00877  1736   NtGdiExtGetObjectW  (1543833548, 24, 1241212, ... ) == 0x18
 00878  1736   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xb8050697
 00879  1736   NtGdiSelectBitmap  (-234813853, 1543833548, ... ) == 0x185000f
 00880  1736   NtGdiSelectBitmap  (1308689538, -1207630185, ... ) == 0x185000f
 00881  1736   NtGdiBitBlt  (1308689538, 0, 0, 32, 64, -234813853, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00882  1736   NtGdiSelectBitmap  (-234813853, 25493519, ... ) == 0x5c0507cc
 00883  1736   NtGdiSelectBitmap  (1308689538, 25493519, ... ) == 0xb8050697
 00884  1736   NtGdiDeleteObjectApp  (1543833548, ... ) == 0x1
 00885  1736   NtGdiDeleteObjectApp  (1308689538, ... ) == 0x1
 00886  1736   NtUserCallOneParam  (0, 33, ... ) == 0x35026b
 00887  1736   NtUserSetCursorIconData  (3474027, 1241316, 1241332, 1241396, ... ) == 0x1
 00888  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10015
 00889  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10019
 00890  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001f
 00891  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001b
 00892  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10021
 00893  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001d
 00894  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10013
 00895  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10017
 00896  1736   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10011
 00897  1736   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00898  1736   NtUserGetDC  (0, ... ) == 0x1010053
 00899  1736   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00900  1736   NtUserEnumDisplayMonitors  (0, 0, 10945124, 11542664, ... ) == 0x1
 00901  1736   NtUserSystemParametersInfo  (31, 60, 1241032, 0, ... ) == 0x1
 00902  1736   NtGdiHfontCreate  (1241912, 356, 0, 0, 1329240, ... ) == 0x4f0a0482
 00903  1736   NtGdiExtGetObjectW  (1326056578, 420, 1241736, ... ) == 0x164
 00904  1736   NtUserSystemParametersInfo  (41, 0, 1241232, 0, ... ) == 0x1
 00905  1736   NtGdiHfontCreate  (1241912, 356, 0, 0, 1329232, ... ) == 0x5f0a04d6
 00906  1736   NtGdiExtGetObjectW  (1594492118, 420, 1241736, ... ) == 0x164
 00907  1736   NtGdiHfontCreate  (1241912, 356, 0, 0, 1329224, ... ) == 0x5d0a07cc
 00908  1736   NtGdiExtGetObjectW  (1560938444, 420, 1241736, ... ) == 0x164
 00909  1736   NtUserFindExistingCursorIcon  (1241812, 1241828, 1241876, ... ) == 0x0
 00910  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 11403264, 4096, ) == 0x0
 00911  1736   NtUserGetKeyboardLayoutList  (64, 1242400, ... ) == 0x1
 00912  1736   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc13a
 00913  1736   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc13b
 00914  1736   NtOpenMutant  (0x1f0001, {24, 72, 0x0, 0, 0,  (0x1f0001, {24, 72, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00915  1736   NtUserSetWindowsHookEx  (10813440, 1243784, 0, 4, 10821308, 2, ... ) == 0x5701d7
 00916  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SIWVID"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\NTICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00919  1736   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Wine"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00920  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00921  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00922  1736   NtQueryVirtualMemory  (-1, 0x5b0a20, Basic, 28, ... {BaseAddress=0x5b0000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x5e000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00923  1736   NtQueryInformationProcess  (-1, 34, 4, ... {process info, class 34, size 4}, 0x0, ) == 0x0
 00924  1736   NtContinue  (1244368, 0, ...
 00925  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00926  1736   NtQueryInformationFile  (80, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00927  1736   NtAllocateVirtualMemory  (-1, 0, 0, 984576, 4096, 64, ... 12582912, 987136, ) == 0x0
 00928  1736   NtReadFile  (80, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576},  (80, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\27\206 \244S\347N\367S\347N\367S\347N\367S\347O\367\332\346N\367\220\350\23\367P\347N\367\220\350\22\367R\347N\367\220\350\20\367R\347N\367\220\350A\367V\347N\367\220\350\21\367\216\347N\367\220\350.\367W\347N\367\220\350\24\367R\347N\367RichS\347N\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\325\233#F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0"\10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0"\10\0", ) \10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0 (80, 0, 0, 0, 984576, 0x0, 0, ... {status=0x0, info=984576}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\27\206 \244S\347N\367S\347N\367S\347N\367S\347O\367\332\346N\367\220\350\23\367P\347N\367\220\350\22\367R\347N\367\220\350\20\367R\347N\367\220\350A\367V\347N\367\220\350\21\367\216\347N\367\220\350.\367W\347N\367\220\350\24\367R\347N\367RichS\347N\367\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\325\233#F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0"\10\0\0\0\7\0\0\0\0\0\256\265\0\0\0\20\0\0\0\360\7\0\0\0\200|\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\17\0\0\4\0\0\223\222\17\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\34&\0\0{l\0\0\314\7\10\0(\0\0\0\0\220\10\0\350^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\16\0\354[\0\0\2600\10\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\343\4\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\21!\10\0\0\20\0\0\0"\10\0", ) , ) == 0x0
 00929  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\system32\USER32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) == 0x0
 00930  1736   NtQueryInformationFile  (84, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00931  1736   NtAllocateVirtualMemory  (-1, 0, 0, 577536, 4096, 64, ... 13631488, 577536, ) == 0x0
 00932  1736   NtReadFile  (84, 0, 0, 0, 577536, 0x0, 0, ... {status=0x0, info=577536},  (84, 0, 0, 0, 577536, 0x0, 0, ... {status=0x0, info=577536}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\376\7\341\342\272f\217\261\272f\217\261\272f\217\261\272f\216\261\361g\217\261yi\322\261\275f\217\261yi\323\261\273f\217\261yi\321\261\273f\217\261yi\200\261\262f\217\261yi\320\261\315f\217\261yi\325\261\273f\217\261Rich\272f\217\261\0\0\0\0\0\0\0\0PE\0\0L\1\4\0|-\360E\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\360\5\0\0\342\2\0\0\0\0\0f\351\1\0\0\20\0\0\0\260\5\0\0\0A~\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\0\11\0\0\4\0\0\341@\11\0\2\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\3708\0\0\251K\0\0\250\343\5\0P\0\0\0\0 \6\0\230\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\10\0\350-\0\0\210\377\5\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\355\3\0@\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\344\4\0\0\234\340\5\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\347\357\5\0\0\20\0\0\0\360\5\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00933  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244956,  (0x80100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\system32\ADVAPI32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) == 0x0
 00934  1736   NtQueryInformationFile  (88, 1245008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00935  1736   NtAllocateVirtualMemory  (-1, 0, 0, 616960, 4096, 64, ... 14221312, 618496, ) == 0x0
 00936  1736   NtReadFile  (88, 0, 0, 0, 616960, 0x0, 0, ... {status=0x0, info=616960},  (88, 0, 0, 0, 616960, 0x0, 0, ... {status=0x0, info=616960}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\250j\342h\354\13\214;\354\13\214;\354\13\214;/\4\321;\353\13\214;/\4\203;\341\13\214;=\7\323;\356\13\214;\354\13\215;T\12\214;/\4\320;\355\13\214;/\4\322;\355\13\214;/\4\354;\361\13\214;/\4\323;~\13\214;/\4\326;\355\13\214;Rich\354\13\214;\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\247\226\20A\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0D\7\0\0<\2\0\0\0\0\0\324p\0\0\0\20\0\0\0 \7\0\0\0\335w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\260\11\0\0\4\0\0\344\15\12\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\244\26\0\0\23R\0\04(\7\0P\0\0\0\0\260\7\0\200\251\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\11\08K\0\0xR\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0V\2\0H\0\0\0\210\2\0\0L\0\0\0\0\20\0\0\244\6\0\0\340&\7\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\331B\7\0", ) , ) == 0x0
 00937  1736   NtClose  (88, ... ) == 0x0
 00938  1736   NtClose  (84, ... ) == 0x0
 00939  1736   NtClose  (80, ... ) == 0x0
 00940  1736   NtRaiseException  (1244376, 1243636, 1, ...
 00941  1736   NtQueryVirtualMemory  (-1, 0x7c85a0a0, Basic, 28, ... {BaseAddress=0x7c85a000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x2a000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00942  1736   NtContinue  (1242596, 0, ...
 00943  1736   NtOpenMutant  (0x120001, {24, 72, 0x2, 0, 0,  (0x120001, {24, 72, 0x2, 0, 0, "DBWinMutex"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944  1736   NtCreateMutant  (0x1f0001, {24, 72, 0x82, 1244396, 0,  (0x1f0001, {24, 72, 0x82, 1244396, 0, "DBWinMutex"}, 0, ... 80, ) }, 0, ... 80, ) == 0x0
 00945  1736   NtWaitForSingleObject  (80, 0, 0x0, ... ) == 0x0
 00946  1736   NtOpenSection  (0x2, {24, 72, 0x0, 0, 0,  (0x2, {24, 72, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947  1736   NtReleaseMutant  (80, ... 0x0, ) == 0x0
 00948  1736   NtAllocateVirtualMemory  (-1, 0, 0, 748, 4096, 4, ... 14876672, 4096, ) == 0x0
 00949  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\winmm.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00951  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\winmm.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 00952  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\winmm.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 00953  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 84, ... 88, ) == 0x0
 00954  1736   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00955  1736   NtClose  (84, ... ) == 0x0
 00956  1736   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 184320, ) == 0x0
 00957  1736   NtClose  (88, ... ) == 0x0
 00958  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00959  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00960  1736   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00961  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00962  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00963  1736   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00964  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00965  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00966  1736   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00967  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 860, 4, ... (0x76b41000), 4096, 32, ) == 0x0
 00968  1736   NtProtectVirtualMemory  (-1, (0x76b41000), 4096, 32, ... (0x76b41000), 4096, 4, ) == 0x0
 00969  1736   NtFlushInstructionCache  (-1, 1991512064, 860, ... ) == 0x0
 00970  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0
 00972  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 84, ) == 0x0
 00973  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00974  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 96, ) }, ... 96, ) == 0x0
 00975  1736   NtQueryValueKey  (96,  (96, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00976  1736   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 14942208, 524288, ) == 0x0
 00977  1736   NtAllocateVirtualMemory  (-1, 14942208, 0, 4096, 4096, 4, ... 14942208, 4096, ) == 0x0
 00978  1736   NtQueryValueKey  (96,  (96, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "wave", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00979  1736   NtQueryValueKey  (96,  (96, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00980  1736   NtQueryValueKey  (96,  (96, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "wave1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00981  1736   NtQueryValueKey  (96,  (96, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00982  1736   NtQueryValueKey  (96,  (96, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983  1736   NtQueryValueKey  (96,  (96, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984  1736   NtQueryValueKey  (96,  (96, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985  1736   NtQueryValueKey  (96,  (96, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986  1736   NtQueryValueKey  (96,  (96, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987  1736   NtQueryValueKey  (96,  (96, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988  1736   NtQueryValueKey  (96,  (96, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00989  1736   NtQueryValueKey  (96,  (96, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00990  1736   NtQueryValueKey  (96,  (96, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "midi", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00991  1736   NtQueryValueKey  (96,  (96, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00992  1736   NtQueryValueKey  (96,  (96, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "midi1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 00993  1736   NtQueryValueKey  (96,  (96, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994  1736   NtQueryValueKey  (96,  (96, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00995  1736   NtQueryValueKey  (96,  (96, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00996  1736   NtQueryValueKey  (96,  (96, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00997  1736   NtQueryValueKey  (96,  (96, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00998  1736   NtQueryValueKey  (96,  (96, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00999  1736   NtQueryValueKey  (96,  (96, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01000  1736   NtQueryValueKey  (96,  (96, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001  1736   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 01002  1736   NtQueryValueKey  (96,  (96, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01003  1736   NtQueryValueKey  (96,  (96, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "aux", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01004  1736   NtQueryValueKey  (96,  (96, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01005  1736   NtQueryValueKey  (96,  (96, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "aux1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01006  1736   NtQueryValueKey  (96,  (96, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01007  1736   NtQueryValueKey  (96,  (96, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008  1736   NtQueryValueKey  (96,  (96, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009  1736   NtQueryValueKey  (96,  (96, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010  1736   NtQueryValueKey  (96,  (96, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01011  1736   NtQueryValueKey  (96,  (96, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012  1736   NtQueryValueKey  (96,  (96, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01013  1736   NtQueryValueKey  (96,  (96, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01014  1736   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc076
 01015  1736   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 100, ) }, ... 100, ) == 0x0
 01016  1736   NtQueryValueKey  (100,  (100, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01017  1736   NtClose  (100, ... ) == 0x0
 01018  1736   NtCreateEvent  (0x1f0003, {24, 72, 0x80, 0, 0,  (0x1f0003, {24, 72, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01019  1736   NtQueryValueKey  (96,  (96, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01020  1736   NtQueryValueKey  (96,  (96, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "mixer", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01021  1736   NtQueryValueKey  (96,  (96, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01022  1736   NtQueryValueKey  (96,  (96, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) , Partial, 536, ... TitleIdx=0, Type=1, Data= (96, "mixer1", Partial, 536, ... TitleIdx=0, Type=1, Data="w\0d\0m\0a\0u\0d\0.\0d\0r\0v\0\0\0"}, 34, ) }, 34, ) == 0x0
 01023  1736   NtQueryValueKey  (96,  (96, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024  1736   NtQueryValueKey  (96,  (96, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01025  1736   NtQueryValueKey  (96,  (96, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026  1736   NtQueryValueKey  (96,  (96, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027  1736   NtQueryValueKey  (96,  (96, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01028  1736   NtQueryValueKey  (96,  (96, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01029  1736   NtQueryValueKey  (96,  (96, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01030  1736   NtQueryValueKey  (96,  (96, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01031  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15466496, 1048576, ) == 0x0
 01032  1736   NtAllocateVirtualMemory  (-1, 16506880, 0, 8192, 4096, 4, ... 16506880, 8192, ) == 0x0
 01033  1736   NtProtectVirtualMemory  (-1, (0xfbe000), 4096, 260, ... (0xfbe000), 4096, 4, ) == 0x0
 01034  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 100, {1636, 1356}, ) == 0x0
 01035  1736   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1636,Tid=1356,}, 0x0, ) == 0x0
 01036  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 5997450, 5997478, 65535, 2147348480}  (24, {28, 56, new_msg, 0, 5997450, 5997478, 65535, 2147348480} "\0\0\0\0\1\0\1\0\\23\264v\334\343\200|d\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|d\0\0\0d\6\0\0L\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 5997450, 5997478, 65535, 2147348480} "\0\0\0\0\1\0\1\0\\23\264v\334\343\200|d\0\0\0d\6\0\0L\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|d\0\0\0d\6\0\0L\5\0\0" )  ) == 0x0
 01037  1736   NtResumeThread  (100, ... 1, ) == 0x0
 01038  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16515072, 1048576, ) == 0x0
 01039  1356   NtTestAlert  (... ) == 0x0
 01040  1356   NtContinue  (16514352, 1, ...
 01041  1356   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01042  1356   NtDelayExecution  (0, {-150000, -1}, ...
 01043  1736   NtAllocateVirtualMemory  (-1, 17555456, 0, 8192, 4096, 4, ... 17555456, 8192, ) == 0x0
 01044  1736   NtProtectVirtualMemory  (-1, (0x10be000), 4096, 260, ... (0x10be000), 4096, 4, ) == 0x0
 01045  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 104, {1636, 868}, ) == 0x0
 01046  1736   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=1636,Tid=868,}, 0x0, ) == 0x0
 01047  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|h\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|h\0\0\0d\6\0\0d\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|h\0\0\0d\6\0\0d\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|h\0\0\0d\6\0\0d\3\0\0" )  ) == 0x0
 01048  1736   NtResumeThread  (104, ... 1, ) == 0x0
 01049  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17563648, 1048576, ) == 0x0
 01050  1736   NtAllocateVirtualMemory  (-1, 18604032, 0, 8192, 4096, 4, ... 18604032, 8192, ) == 0x0
 01051  1736   NtProtectVirtualMemory  (-1, (0x11be000), 4096, 260, ...
 01052   868   NtTestAlert  (... ) == 0x0
 01053   868   NtContinue  (17562928, 1, ...
 01054   868   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01055   868   NtDelayExecution  (0, {-150000, -1}, ...
 01051  1736   NtProtectVirtualMemory  ... (0x11be000), 4096, 4, ) == 0x0
 01056  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 108, {1636, 808}, ) == 0x0
 01057  1736   NtQueryInformationThread  (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1636,Tid=808,}, 0x0, ) == 0x0
 01058  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|l\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|l\0\0\0d\6\0\0(\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|l\0\0\0d\6\0\0(\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|l\0\0\0d\6\0\0(\3\0\0" )  ) == 0x0
 01059  1736   NtResumeThread  (108, ... 1, ) == 0x0
 01060  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18612224, 1048576, ) == 0x0
 01061   808   NtTestAlert  (... ) == 0x0
 01062   808   NtContinue  (18611504, 1, ...
 01063   808   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01064   808   NtDelayExecution  (0, {-150000, -1}, ...
 01065  1736   NtAllocateVirtualMemory  (-1, 19652608, 0, 8192, 4096, 4, ... 19652608, 8192, ) == 0x0
 01066  1736   NtProtectVirtualMemory  (-1, (0x12be000), 4096, 260, ... (0x12be000), 4096, 4, ) == 0x0
 01067  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 112, {1636, 2020}, ) == 0x0
 01068  1736   NtQueryInformationThread  (112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1636,Tid=2020,}, 0x0, ) == 0x0
 01069  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|p\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|p\0\0\0d\6\0\0\344\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|p\0\0\0d\6\0\0\344\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|p\0\0\0d\6\0\0\344\7\0\0" )  ) == 0x0
 01070  1736   NtResumeThread  (112, ... 1, ) == 0x0
 01071  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19660800, 1048576, ) == 0x0
 01072  1736   NtAllocateVirtualMemory  (-1, 20701184, 0, 8192, 4096, 4, ... 20701184, 8192, ) == 0x0
 01073  1736   NtProtectVirtualMemory  (-1, (0x13be000), 4096, 260, ...
 01074  2020   NtTestAlert  (... ) == 0x0
 01075  2020   NtContinue  (19660080, 1, ...
 01076  2020   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01077  2020   NtDelayExecution  (0, {-150000, -1}, ...
 01073  1736   NtProtectVirtualMemory  ... (0x13be000), 4096, 4, ) == 0x0
 01078  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 116, {1636, 896}, ) == 0x0
 01079  1736   NtQueryInformationThread  (116, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1636,Tid=896,}, 0x0, ) == 0x0
 01080  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|t\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|t\0\0\0d\6\0\0\200\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|t\0\0\0d\6\0\0\200\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|t\0\0\0d\6\0\0\200\3\0\0" )  ) == 0x0
 01081  1736   NtResumeThread  (116, ... 1, ) == 0x0
 01082  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20709376, 1048576, ) == 0x0
 01083   896   NtTestAlert  (... ) == 0x0
 01084   896   NtContinue  (20708656, 1, ...
 01085   896   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01086   896   NtDelayExecution  (0, {-150000, -1}, ...
 01087  1736   NtAllocateVirtualMemory  (-1, 21749760, 0, 8192, 4096, 4, ... 21749760, 8192, ) == 0x0
 01088  1736   NtProtectVirtualMemory  (-1, (0x14be000), 4096, 260, ... (0x14be000), 4096, 4, ) == 0x0
 01089  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 120, {1636, 1252}, ) == 0x0
 01090  1736   NtQueryInformationThread  (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1636,Tid=1252,}, 0x0, ) == 0x0
 01091  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|x\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|x\0\0\0d\6\0\0\344\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|x\0\0\0d\6\0\0\344\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|x\0\0\0d\6\0\0\344\4\0\0" )  ) == 0x0
 01092  1736   NtResumeThread  (120, ... 1, ) == 0x0
 01093  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21757952, 1048576, ) == 0x0
 01094  1736   NtAllocateVirtualMemory  (-1, 22798336, 0, 8192, 4096, 4, ... 22798336, 8192, ) == 0x0
 01095  1736   NtProtectVirtualMemory  (-1, (0x15be000), 4096, 260, ...
 01096  1252   NtTestAlert  (... ) == 0x0
 01097  1252   NtContinue  (21757232, 1, ...
 01098  1252   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01099  1252   NtDelayExecution  (0, {-150000, -1}, ...
 01095  1736   NtProtectVirtualMemory  ... (0x15be000), 4096, 4, ) == 0x0
 01100  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 124, {1636, 2016}, ) == 0x0
 01101  1736   NtQueryInformationThread  (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1636,Tid=2016,}, 0x0, ) == 0x0
 01102  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200||\0\0\0d\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200||\0\0\0d\6\0\0\340\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200||\0\0\0d\6\0\0\340\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200||\0\0\0d\6\0\0\340\7\0\0" )  ) == 0x0
 01103  1736   NtResumeThread  (124, ... 1, ) == 0x0
 01104  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22806528, 1048576, ) == 0x0
 01105  2016   NtTestAlert  (... ) == 0x0
 01106  2016   NtContinue  (22805808, 1, ...
 01107  2016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01108  2016   NtDelayExecution  (0, {-150000, -1}, ...
 01109  1736   NtAllocateVirtualMemory  (-1, 23846912, 0, 8192, 4096, 4, ... 23846912, 8192, ) == 0x0
 01110  1736   NtProtectVirtualMemory  (-1, (0x16be000), 4096, 260, ... (0x16be000), 4096, 4, ) == 0x0
 01111  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244080, 1244024, 1, ... 128, {1636, 2012}, ) == 0x0
 01112  1736   NtQueryInformationThread  (128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1636,Tid=2012,}, 0x0, ) == 0x0
 01113  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\200\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\200\0\0\0d\6\0\0\334\7\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75497, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\200\0\0\0d\6\0\0\334\7\0\0" ... {28, 56, reply, 0, 1636, 1736, 75497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\343\200|\200\0\0\0d\6\0\0\334\7\0\0" )  ) == 0x0
 01114  1736   NtResumeThread  (128, ... 1, ) == 0x0
 01115  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01116  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0
 01117  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 01118  2012   NtTestAlert  (... ) == 0x0
 01119  2012   NtContinue  (23854384, 1, ...
 01120  2012   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01121  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 01117  1736   NtCreateEvent  ... 140, ) == 0x0
 01122  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01123  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01124  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01125  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 01126  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01127  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 01128  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0
 01129  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0
 01130  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0
 01131  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0
 01132  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0
 01133  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0
 01134  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01135  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23855104, 1048576, ) == 0x0
 01136  1736   NtAllocateVirtualMemory  (-1, 24895488, 0, 8192, 4096, 4, ... 24895488, 8192, ) == 0x0
 01137  1736   NtProtectVirtualMemory  (-1, (0x17be000), 4096, 260, ... (0x17be000), 4096, 4, ) == 0x0
 01138  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 196, {1636, 1028}, ) == 0x0
 01139  1736   NtQueryInformationThread  (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1636,Tid=1028,}, 0x0, ) == 0x0
 01140  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872}  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\304\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0d\6\0\0\4\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1991507968, 1244878, 1244872, 1244872} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\304\0\0\0d\6\0\0\4\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0d\6\0\0\4\4\0\0" )  ) == 0x0
 01141  1736   NtResumeThread  (196, ... 1, ) == 0x0
 01142  1028   NtTestAlert  (... ) == 0x0
 01143  1028   NtContinue  (24902960, 1, ...
 01144  1028   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01145  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 01146  1736   NtSetInformationThread  (196, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01147  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24903680, 1048576, ) == 0x0
 01148  1736   NtAllocateVirtualMemory  (-1, 25944064, 0, 8192, 4096, 4, ... 25944064, 8192, ) == 0x0
 01149  1736   NtProtectVirtualMemory  (-1, (0x18be000), 4096, 260, ... (0x18be000), 4096, 4, ) == 0x0
 01150  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 200, {1636, 384}, ) == 0x0
 01151  1736   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1636,Tid=384,}, 0x0, ) == 0x0
 01152  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0d\6\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0d\6\0\0\200\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0d\6\0\0\200\1\0\0" )  ) == 0x0
 01153  1736   NtResumeThread  (200, ... 1, ) == 0x0
 01154  1736   NtSetInformationThread  (200, BasePriority, {thread info, class 3, size 4}, 4, ...
 01155   384   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01156   384   NtTestAlert  (... ) == 0x0
 01157   384   NtContinue  (25951536, 1, ...
 01158   384   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01159   384   NtWaitForSingleObject  (136, 0, 0x0, ...
 01154  1736   NtSetInformationThread  ... ) == 0x0
 01160  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25952256, 1048576, ) == 0x0
 01161  1736   NtAllocateVirtualMemory  (-1, 26992640, 0, 8192, 4096, 4, ... 26992640, 8192, ) == 0x0
 01162  1736   NtProtectVirtualMemory  (-1, (0x19be000), 4096, 260, ... (0x19be000), 4096, 4, ) == 0x0
 01163  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 204, {1636, 1180}, ) == 0x0
 01164  1736   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1636,Tid=1180,}, 0x0, ) == 0x0
 01165  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0d\6\0\0\234\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0d\6\0\0\234\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0d\6\0\0\234\4\0\0" )  ) == 0x0
 01166  1736   NtResumeThread  (204, ... 1, ) == 0x0
 01167  1736   NtSetInformationThread  (204, BasePriority, {thread info, class 3, size 4}, 4, ...
 01168  1180   NtTestAlert  (... ) == 0x0
 01169  1180   NtContinue  (27000112, 1, ...
 01170  1180   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01171  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 01167  1736   NtSetInformationThread  ... ) == 0x0
 01172  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27000832, 1048576, ) == 0x0
 01173  1736   NtAllocateVirtualMemory  (-1, 28041216, 0, 8192, 4096, 4, ... 28041216, 8192, ) == 0x0
 01174  1736   NtProtectVirtualMemory  (-1, (0x1abe000), 4096, 260, ... (0x1abe000), 4096, 4, ) == 0x0
 01175  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 208, {1636, 420}, ) == 0x0
 01176  1736   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1636,Tid=420,}, 0x0, ) == 0x0
 01177  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0d\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0d\6\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0d\6\0\0\244\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0d\6\0\0\244\1\0\0" )  ) == 0x0
 01178  1736   NtResumeThread  (208, ... 1, ) == 0x0
 01179  1736   NtSetInformationThread  (208, BasePriority, {thread info, class 3, size 4}, 4, ...
 01180   420   NtTestAlert  (... ) == 0x0
 01181   420   NtContinue  (28048688, 1, ...
 01182   420   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01183   420   NtWaitForSingleObject  (144, 0, 0x0, ...
 01179  1736   NtSetInformationThread  ... ) == 0x0
 01184  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28049408, 1048576, ) == 0x0
 01185  1736   NtAllocateVirtualMemory  (-1, 29089792, 0, 8192, 4096, 4, ... 29089792, 8192, ) == 0x0
 01186  1736   NtProtectVirtualMemory  (-1, (0x1bbe000), 4096, 260, ... (0x1bbe000), 4096, 4, ) == 0x0
 01187  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 212, {1636, 596}, ) == 0x0
 01188  1736   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1636,Tid=596,}, 0x0, ) == 0x0
 01189  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0d\6\0\0T\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0d\6\0\0T\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0d\6\0\0T\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0d\6\0\0T\2\0\0" )  ) == 0x0
 01190  1736   NtResumeThread  (212, ... 1, ) == 0x0
 01191  1736   NtSetInformationThread  (212, BasePriority, {thread info, class 3, size 4}, 4, ...
 01192   596   NtTestAlert  (... ) == 0x0
 01193   596   NtContinue  (29097264, 1, ...
 01194   596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01195   596   NtWaitForSingleObject  (148, 0, 0x0, ...
 01191  1736   NtSetInformationThread  ... ) == 0x0
 01196  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29097984, 1048576, ) == 0x0
 01197  1736   NtAllocateVirtualMemory  (-1, 30138368, 0, 8192, 4096, 4, ... 30138368, 8192, ) == 0x0
 01198  1736   NtProtectVirtualMemory  (-1, (0x1cbe000), 4096, 260, ... (0x1cbe000), 4096, 4, ) == 0x0
 01199  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 216, {1636, 376}, ) == 0x0
 01200  1736   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1636,Tid=376,}, 0x0, ) == 0x0
 01201  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0d\6\0\0x\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0d\6\0\0x\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0d\6\0\0x\1\0\0" )  ) == 0x0
 01202  1736   NtResumeThread  (216, ... 1, ) == 0x0
 01203  1736   NtSetInformationThread  (216, BasePriority, {thread info, class 3, size 4}, 4, ...
 01204   376   NtTestAlert  (... ) == 0x0
 01205   376   NtContinue  (30145840, 1, ...
 01206   376   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01207   376   NtWaitForSingleObject  (152, 0, 0x0, ...
 01203  1736   NtSetInformationThread  ... ) == 0x0
 01208  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30146560, 1048576, ) == 0x0
 01209  1736   NtAllocateVirtualMemory  (-1, 31186944, 0, 8192, 4096, 4, ... 31186944, 8192, ) == 0x0
 01210  1736   NtProtectVirtualMemory  (-1, (0x1dbe000), 4096, 260, ... (0x1dbe000), 4096, 4, ) == 0x0
 01211  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 220, {1636, 1168}, ) == 0x0
 01212  1736   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1636,Tid=1168,}, 0x0, ) == 0x0
 01213  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0d\6\0\0\220\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0d\6\0\0\220\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0d\6\0\0\220\4\0\0" )  ) == 0x0
 01214  1736   NtResumeThread  (220, ... 1, ) == 0x0
 01215  1168   NtTestAlert  (... ) == 0x0
 01216  1168   NtContinue  (31194416, 1, ...
 01217  1168   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01218  1168   NtWaitForSingleObject  (156, 0, 0x0, ...
 01219  1736   NtSetInformationThread  (220, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01220  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31195136, 1048576, ) == 0x0
 01221  1736   NtAllocateVirtualMemory  (-1, 32235520, 0, 8192, 4096, 4, ... 32235520, 8192, ) == 0x0
 01222  1736   NtProtectVirtualMemory  (-1, (0x1ebe000), 4096, 260, ... (0x1ebe000), 4096, 4, ) == 0x0
 01223  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 224, {1636, 120}, ) == 0x0
 01224  1736   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1636,Tid=120,}, 0x0, ) == 0x0
 01225  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0d\6\0\0x\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0d\6\0\0x\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0d\6\0\0x\0\0\0" )  ) == 0x0
 01226  1736   NtResumeThread  (224, ... 1, ) == 0x0
 01227  1736   NtSetInformationThread  (224, BasePriority, {thread info, class 3, size 4}, 4, ...
 01228   120   NtTestAlert  (... ) == 0x0
 01229   120   NtContinue  (32242992, 1, ...
 01230   120   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01231   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 01227  1736   NtSetInformationThread  ... ) == 0x0
 01232  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32243712, 1048576, ) == 0x0
 01233  1736   NtAllocateVirtualMemory  (-1, 33284096, 0, 8192, 4096, 4, ... 33284096, 8192, ) == 0x0
 01234  1736   NtProtectVirtualMemory  (-1, (0x1fbe000), 4096, 260, ... (0x1fbe000), 4096, 4, ) == 0x0
 01235  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 228, {1636, 928}, ) == 0x0
 01236  1736   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1636,Tid=928,}, 0x0, ) == 0x0
 01237  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0d\6\0\0\240\3\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0d\6\0\0\240\3\0\0" ... {28, 56, reply, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0d\6\0\0\240\3\0\0" )  ) == 0x0
 01238  1736   NtResumeThread  (228, ... 1, ) == 0x0
 01239  1736   NtSetInformationThread  (228, BasePriority, {thread info, class 3, size 4}, 4, ...
 01240   928   NtTestAlert  (... ) == 0x0
 01241   928   NtContinue  (33291568, 1, ...
 01242   928   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01243   928   NtWaitForSingleObject  (164, 0, 0x0, ...
 01239  1736   NtSetInformationThread  ... ) == 0x0
 01244  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33292288, 1048576, ) == 0x0
 01245  1736   NtAllocateVirtualMemory  (-1, 34332672, 0, 8192, 4096, 4, ... 34332672, 8192, ) == 0x0
 01246  1736   NtProtectVirtualMemory  (-1, (0x20be000), 4096, 260, ... (0x20be000), 4096, 4, ) == 0x0
 01247  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 232, {1636, 1732}, ) == 0x0
 01248  1736   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1636,Tid=1732,}, 0x0, ) == 0x0
 01249  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0d\6\0\0\304\6\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0d\6\0\0\304\6\0\0" ... {28, 56, reply, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0d\6\0\0\304\6\0\0" )  ) == 0x0
 01250  1736   NtResumeThread  (232, ... 1, ) == 0x0
 01251  1736   NtSetInformationThread  (232, BasePriority, {thread info, class 3, size 4}, 4, ...
 01252  1732   NtTestAlert  (... ) == 0x0
 01253  1732   NtContinue  (34340144, 1, ...
 01254  1732   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01255  1732   NtWaitForSingleObject  (168, 0, 0x0, ...
 01251  1736   NtSetInformationThread  ... ) == 0x0
 01256  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34340864, 1048576, ) == 0x0
 01257  1736   NtAllocateVirtualMemory  (-1, 35381248, 0, 8192, 4096, 4, ... 35381248, 8192, ) == 0x0
 01258  1736   NtProtectVirtualMemory  (-1, (0x21be000), 4096, 260, ... (0x21be000), 4096, 4, ) == 0x0
 01259  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 236, {1636, 428}, ) == 0x0
 01260  1736   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1636,Tid=428,}, 0x0, ) == 0x0
 01261  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0d\6\0\0\254\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0d\6\0\0\254\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0d\6\0\0\254\1\0\0" )  ) == 0x0
 01262  1736   NtResumeThread  (236, ... 1, ) == 0x0
 01263  1736   NtSetInformationThread  (236, BasePriority, {thread info, class 3, size 4}, 4, ...
 01264   428   NtTestAlert  (... ) == 0x0
 01265   428   NtContinue  (35388720, 1, ...
 01266   428   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01267   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 01263  1736   NtSetInformationThread  ... ) == 0x0
 01268  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35389440, 1048576, ) == 0x0
 01269  1736   NtAllocateVirtualMemory  (-1, 36429824, 0, 8192, 4096, 4, ... 36429824, 8192, ) == 0x0
 01270  1736   NtProtectVirtualMemory  (-1, (0x22be000), 4096, 260, ... (0x22be000), 4096, 4, ) == 0x0
 01271  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 240, {1636, 748}, ) == 0x0
 01272  1736   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1636,Tid=748,}, 0x0, ) == 0x0
 01273  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0d\6\0\0\354\2\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0d\6\0\0\354\2\0\0" ... {28, 56, reply, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0d\6\0\0\354\2\0\0" )  ) == 0x0
 01274  1736   NtResumeThread  (240, ...
 01042  1356   NtDelayExecution  ... ) == 0x0
 01055   868   NtDelayExecution  ... ) == 0x0
 01064   808   NtDelayExecution  ... ) == 0x0
 01077  2020   NtDelayExecution  ... ) == 0x0
 01086   896   NtDelayExecution  ... ) == 0x0
 01099  1252   NtDelayExecution  ... ) == 0x0
 01108  2016   NtDelayExecution  ... ) == 0x0
 01275  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 01276   868   NtDelayExecution  (0, {-20010000, -1}, ...
 01277   808   NtDelayExecution  (0, {-20010000, -1}, ...
 01278  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 01279   896   NtDelayExecution  (0, {-20010000, -1}, ...
 01280  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 01281  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 01274  1736   NtResumeThread  ... 1, ) == 0x0
 01282  1736   NtSetInformationThread  (240, BasePriority, {thread info, class 3, size 4}, 4, ...
 01283   748   NtTestAlert  (... ) == 0x0
 01284   748   NtContinue  (36437296, 1, ...
 01285   748   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01286   748   NtWaitForSingleObject  (176, 0, 0x0, ...
 01282  1736   NtSetInformationThread  ... ) == 0x0
 01287  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36438016, 1048576, ) == 0x0
 01288  1736   NtAllocateVirtualMemory  (-1, 37478400, 0, 8192, 4096, 4, ... 37478400, 8192, ) == 0x0
 01289  1736   NtProtectVirtualMemory  (-1, (0x23be000), 4096, 260, ... (0x23be000), 4096, 4, ) == 0x0
 01290  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 244, {1636, 1300}, ) == 0x0
 01291  1736   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1636,Tid=1300,}, 0x0, ) == 0x0
 01292  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0d\6\0\0\24\5\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0d\6\0\0\24\5\0\0" ... {28, 56, reply, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0d\6\0\0\24\5\0\0" )  ) == 0x0
 01293  1736   NtResumeThread  (244, ... 1, ) == 0x0
 01294  1300   NtTestAlert  (... ) == 0x0
 01295  1300   NtContinue  (37485872, 1, ...
 01296  1300   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01297  1300   NtWaitForSingleObject  (180, 0, 0x0, ...
 01298  1736   NtSetInformationThread  (244, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01299  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37486592, 1048576, ) == 0x0
 01300  1736   NtAllocateVirtualMemory  (-1, 38526976, 0, 8192, 4096, 4, ... 38526976, 8192, ) == 0x0
 01301  1736   NtProtectVirtualMemory  (-1, (0x24be000), 4096, 260, ... (0x24be000), 4096, 4, ) == 0x0
 01302  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 248, {1636, 1096}, ) == 0x0
 01303  1736   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1636,Tid=1096,}, 0x0, ) == 0x0
 01304  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0d\6\0\0H\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0d\6\0\0H\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0d\6\0\0H\4\0\0" )  ) == 0x0
 01305  1736   NtResumeThread  (248, ... 1, ) == 0x0
 01306  1736   NtSetInformationThread  (248, BasePriority, {thread info, class 3, size 4}, 4, ...
 01307  1096   NtTestAlert  (... ) == 0x0
 01308  1096   NtContinue  (38534448, 1, ...
 01309  1096   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01310  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 01306  1736   NtSetInformationThread  ... ) == 0x0
 01311  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38535168, 1048576, ) == 0x0
 01312  1736   NtAllocateVirtualMemory  (-1, 39575552, 0, 8192, 4096, 4, ... 39575552, 8192, ) == 0x0
 01313  1736   NtProtectVirtualMemory  (-1, (0x25be000), 4096, 260, ... (0x25be000), 4096, 4, ) == 0x0
 01314  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 252, {1636, 252}, ) == 0x0
 01315  1736   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1636,Tid=252,}, 0x0, ) == 0x0
 01316  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0d\6\0\0\374\0\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0d\6\0\0\374\0\0\0" ... {28, 56, reply, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0d\6\0\0\374\0\0\0" )  ) == 0x0
 01317  1736   NtResumeThread  (252, ... 1, ) == 0x0
 01318  1736   NtSetInformationThread  (252, BasePriority, {thread info, class 3, size 4}, 4, ...
 01319   252   NtTestAlert  (... ) == 0x0
 01320   252   NtContinue  (39583024, 1, ...
 01321   252   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01322   252   NtWaitForSingleObject  (188, 0, 0x0, ...
 01318  1736   NtSetInformationThread  ... ) == 0x0
 01323  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 39583744, 1048576, ) == 0x0
 01324  1736   NtAllocateVirtualMemory  (-1, 40624128, 0, 8192, 4096, 4, ... 40624128, 8192, ) == 0x0
 01325  1736   NtProtectVirtualMemory  (-1, (0x26be000), 4096, 260, ... (0x26be000), 4096, 4, ) == 0x0
 01326  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244048, 1243992, 1, ... 256, {1636, 500}, ) == 0x0
 01327  1736   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1636,Tid=500,}, 0x0, ) == 0x0
 01328  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0d\6\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75513, 0}  (24, {28, 56, new_msg, 0, 1636, 1736, 75512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0d\6\0\0\364\1\0\0" ... {28, 56, reply, 0, 1636, 1736, 75513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0d\6\0\0\364\1\0\0" )  ) == 0x0
 01329  1736   NtResumeThread  (256, ... 1, ) == 0x0
 01330  1736   NtSetInformationThread  (256, BasePriority, {thread info, class 3, size 4}, 4, ...
 01331   500   NtTestAlert  (... ) == 0x0
 01332   500   NtContinue  (40631600, 1, ...
 01333   500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01334   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 01330  1736   NtSetInformationThread  ... ) == 0x0
 01335  1736   NtSetEvent  (192, ...
 01334   500   NtWaitForSingleObject  ... ) == 0x0
 01336   500   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01337   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 01335  1736   NtSetEvent  ... 0x0, ) == 0x0
 01338  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01339  1736   NtSetEvent  (168, ...
 01255  1732   NtWaitForSingleObject  ... ) == 0x0
 01340  1732   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01341  1732   NtWaitForSingleObject  (168, 0, 0x0, ...
 01339  1736   NtSetEvent  ... 0x0, ) == 0x0
 01342  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01343  1736   NtSetEvent  (160, ...
 01231   120   NtWaitForSingleObject  ... ) == 0x0
 01344   120   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01345   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 01343  1736   NtSetEvent  ... 0x0, ) == 0x0
 01346  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01347  1736   NtSetEvent  (184, ...
 01310  1096   NtWaitForSingleObject  ... ) == 0x0
 01348  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01349  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 01347  1736   NtSetEvent  ... 0x0, ) == 0x0
 01350  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01351  1736   NtQueryVirtualMemory  (-1, 0x10000, Basic, 28, ... {BaseAddress=0x10000,AllocationBase=0x10000,AllocationProtect=0x4,RegionSize=0x2000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01352  1736   NtUserGetForegroundWindow  (... ) == 0x13010c
 01353  1736   NtUserValidateHandleSecure  (1245452, ... ) == 0x1
 01354  1736   NtUserQueryWindow  (1245452, 0, ... ) == 0x5e8
 01355  1736   NtSetEvent  (164, ...
 01243   928   NtWaitForSingleObject  ... ) == 0x0
 01356   928   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01357   928   NtWaitForSingleObject  (164, 0, 0x0, ...
 01355  1736   NtSetEvent  ... 0x0, ) == 0x0
 01358  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01359  1736   NtSetEvent  (152, ...
 01207   376   NtWaitForSingleObject  ... ) == 0x0
 01360   376   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01361   376   NtWaitForSingleObject  (152, 0, 0x0, ...
 01359  1736   NtSetEvent  ... 0x0, ) == 0x0
 01362  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01363  1736   NtSetEvent  (172, ...
 01267   428   NtWaitForSingleObject  ... ) == 0x0
 01364   428   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01365   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 01363  1736   NtSetEvent  ... 0x0, ) == 0x0
 01366  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01367  1736   NtSetEvent  (192, ...
 01337   500   NtWaitForSingleObject  ... ) == 0x0
 01368   500   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01369   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 01367  1736   NtSetEvent  ... 0x0, ) == 0x0
 01370  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01371  1736   NtSetEvent  (132, ...
 01145  1028   NtWaitForSingleObject  ... ) == 0x0
 01372  1028   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01373  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 01371  1736   NtSetEvent  ... 0x0, ) == 0x0
 01374  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01375  1736   NtSetEvent  (144, ...
 01183   420   NtWaitForSingleObject  ... ) == 0x0
 01376   420   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01377   420   NtWaitForSingleObject  (144, 0, 0x0, ...
 01375  1736   NtSetEvent  ... 0x0, ) == 0x0
 01378  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01379  1736   NtSetEvent  (164, ...
 01357   928   NtWaitForSingleObject  ... ) == 0x0
 01380   928   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01381   928   NtWaitForSingleObject  (164, 0, 0x0, ...
 01379  1736   NtSetEvent  ... 0x0, ) == 0x0
 01382  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01383  1736   NtQueryVirtualMemory  (-1, 0x7c809e68, Basic, 28, ... {BaseAddress=0x7c809000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x7b000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01384  1736   NtContinue  (1243208, 0, ...
 01385  1736   NtSetEvent  (148, ...
 01195   596   NtWaitForSingleObject  ... ) == 0x0
 01386   596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01387   596   NtWaitForSingleObject  (148, 0, 0x0, ...
 01385  1736   NtSetEvent  ... 0x0, ) == 0x0
 01388  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01389  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01390  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01391  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01392  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01393  1736   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 01394  1736   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 260, ) == 0x0
 01395  1736   NtMapViewOfSection  (260, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x26d0000), 0x0, 4194304, ) == 0x0
 01396  1736   NtAllocateVirtualMemory  (-1, 40697856, 0, 1, 4096, 4, ... 40697856, 4096, ) == 0x0
 01397  1736   NtAllocateVirtualMemory  (-1, 40701952, 0, 1116, 4096, 4, ... 40701952, 4096, ) == 0x0
 01398  1736   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 264, ) == 0x0
 01399  1736   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2ad0000), 0x0, 4194304, ) == 0x0
 01400  1736   NtAllocateVirtualMemory  (-1, 44892160, 0, 1, 4096, 4, ... 44892160, 4096, ) == 0x0
 01401  1736   NtCreateSection  (0xf0007, 0x0, {46508, 0}, 4, 134217728, 0, ... 268, ) == 0x0
 01402  1736   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2ed0000), {0, 0}, 49152, ) == 0x0
 01403  1736   NtUnmapViewOfSection  (-1, 0x2ed0000, ... ) == 0x0
 01404  1736   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2ed0000), {0, 0}, 49152, ) == 0x0
 01405  1736   NtClose  (264, ... ) == 0x0
 01406  1736   NtUnmapViewOfSection  (-1, 0x2ad0000, ... ) == 0x0
 01407  1736   NtClose  (260, ... ) == 0x0
 01408  1736   NtUnmapViewOfSection  (-1, 0x26d0000, ... ) == 0x0
 01409  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01410  1736   NtUnmapViewOfSection  (-1, 0x2ed0000, ... ) == 0x0
 01411  1736   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x26c0000), {0, 0}, 49152, ) == 0x0
 01412  1736   NtUnmapViewOfSection  (-1, 0x26c0000, ... ) == 0x0
 01413  1736   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x26c0000), {0, 0}, 49152, ) == 0x0
 01414  1736   NtUnmapViewOfSection  (-1, 0x26c0000, ... ) == 0x0
 01415  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01416  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01417  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01418  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01419  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01420  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01421  1736   NtSetEvent  (176, ...
 01286   748   NtWaitForSingleObject  ... ) == 0x0
 01422   748   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01423   748   NtWaitForSingleObject  (176, 0, 0x0, ...
 01421  1736   NtSetEvent  ... 0x0, ) == 0x0
 01424  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01425  1736   NtSetEvent  (180, ...
 01297  1300   NtWaitForSingleObject  ... ) == 0x0
 01426  1300   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01427  1300   NtWaitForSingleObject  (180, 0, 0x0, ...
 01425  1736   NtSetEvent  ... 0x0, ) == 0x0
 01428  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01429  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1000, 4096, 4, ... 40632320, 4096, ) == 0x0
 01430  1736   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01431  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 4096, ) == 0x0
 01432  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01433  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01434  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01435  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01436  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01437  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01438  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01439  1736   NtSetEvent  (160, ...
 01345   120   NtWaitForSingleObject  ... ) == 0x0
 01440   120   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01441   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 01439  1736   NtSetEvent  ... 0x0, ) == 0x0
 01442  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01443  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "RegmonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01444  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Registry Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01445  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01446  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01447  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01448  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01449  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01450  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01451  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01452  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01453  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01454  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01455  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40632320, 65536, ) == 0x0
 01456  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01457  1736   NtFreeVirtualMemory  (-1, (0x26c0000), 0, 32768, ... (0x26c0000), 65536, ) == 0x0
 01458  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "SOFTWARE\NuMega\DriverStudio"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459  1736   NtSetEvent  (148, ...
 01387   596   NtWaitForSingleObject  ... ) == 0x0
 01460   596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01461   596   NtWaitForSingleObject  (148, 0, 0x0, ...
 01459  1736   NtSetEvent  ... 0x0, ) == 0x0
 01462  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01463  1736   NtSetEvent  (172, ...
 01365   428   NtWaitForSingleObject  ... ) == 0x0
 01464   428   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01465   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 01463  1736   NtSetEvent  ... 0x0, ) == 0x0
 01466  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01467  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work"}, 3, 33, ... 260, {status=0x0, info=1}, ) }, 3, 33, ... 260, {status=0x0, info=1}, ) == 0x0
 01468  1736   NtQueryVolumeInformationFile  (260, 1244936, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01469  1736   NtClose  (12, ... ) == 0x0
 01470  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 40632320, 4096, ) == 0x0
 01471  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVCP60.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01474  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0
 01475  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 12, ... 264, ) == 0x0
 01476  1736   NtQuerySection  (264, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01477  1736   NtClose  (12, ... ) == 0x0
 01478  1736   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76080000), 0x0, 413696, ) == 0x0
 01479  1736   NtClose  (264, ... ) == 0x0
 01480  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 01481  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 01482  1736   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 01483  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 01484  1736   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 01485  1736   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 01486  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487  1736   NtAllocateVirtualMemory  (-1, 11358208, 0, 4096, 4096, 4, ... 11358208, 4096, ) == 0x0
 01488  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01491  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0
 01492  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 264, ... 12, ) == 0x0
 01493  1736   NtQuerySection  (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01494  1736   NtClose  (264, ... ) == 0x0
 01495  1736   NtMapViewOfSection  (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 01496  1736   NtClose  (12, ... ) == 0x0
 01497  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01498  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01499  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01500  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01501  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01502  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01503  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01504  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01505  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01506  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01507  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01508  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01509  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01510  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01511  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01512  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 01513  1736   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 01514  1736   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 01515  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01516  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01517  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40697856, 65536, ) == 0x0
 01518  1736   NtAllocateVirtualMemory  (-1, 40697856, 0, 4096, 4096, 4, ... 40697856, 4096, ) == 0x0
 01519  1736   NtAllocateVirtualMemory  (-1, 40701952, 0, 8192, 4096, 4, ... 40701952, 8192, ) == 0x0
 01520  1736   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 12, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 12, {status=0x0, info=0}, ) == 0x0
 01521  1736   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 264, {status=0x0, info=0}, ) == 0x0
 01522  1736   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 272, {status=0x0, info=0}, ) == 0x0
 01523  1736   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 276, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 276, {status=0x0, info=0}, ) == 0x0
 01524  1736   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 1242884,  (0x20100080, {24, 0, 0x40, 0, 1242884, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 280, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 280, {status=0x0, info=0}, ) == 0x0
 01525  1736   NtAllocateVirtualMemory  (-1, 40710144, 0, 36864, 4096, 4, ... 40710144, 36864, ) == 0x0
 01526  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01527  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (12, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01528  1736   NtClose  (284, ... ) == 0x0
 01529  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01530  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (12, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 01531  1736   NtClose  (284, ... ) == 0x0
 01532  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01533  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363{\201\1\0\0\0\5\0\0\0\232A\250\2581N\3\33\305\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\256s+\0\262J\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (12, 284, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363{\201\1\0\0\0\5\0\0\0\232A\250\2581N\3\33\305\0\0\200\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\256s+\0\262J\0\0\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 01534  1736   NtClose  (284, ... ) == 0x0
 01535  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01536  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (12, 284, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 01537  1736   NtClose  (284, ... ) == 0x0
 01538  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01539  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (12, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 01540  1736   NtClose  (284, ... ) == 0x0
 01541  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0
 01542  1736   NtDeviceIoControlFile  (12, 284, 0x0, 0x0, 0x120003,  (12, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (12, 284, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 01543  1736   NtClose  (284, ... ) == 0x0
 01544  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 284, ) == 0x0
 01545  1736   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 288, ) == 0x0
 01546  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01547  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01548  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01549  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01550  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01551  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01552  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01553  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01554  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01555  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01556  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01557  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01558  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01559  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01560  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01561  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01562  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01563  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01564  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01565  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01566  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01567  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01568  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01569  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01570  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01571  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01572  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01573  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01574  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01575  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01576  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01577  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01578  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01579  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01580  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01581  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01582  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01583  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01584  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01585  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01586  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01587  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01588  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01589  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01590  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01591  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01592  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01593  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01594  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01595  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01596  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01597  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01598  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01599  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01600  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01601  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01602  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01603  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01604  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01605  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01606  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01607  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01608  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01609  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01610  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01611  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01612  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01613  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01614  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01615  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01616  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01617  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01618  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01619  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01620  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01621  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01622  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01623  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01624  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01625  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01626  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01627  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01628  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01629  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01630  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01631  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01632  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01633  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01634  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01635  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01636  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01637  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01638  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01639  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01640  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01641  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01642  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01643  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01644  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01645  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01646  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01647  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01648  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01649  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01650  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01651  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01652  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01653  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01654  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01655  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01656  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01657  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01658  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01659  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01660  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01661  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01662  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01663  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01664  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01665  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01666  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 40763392, 65536, ) == 0x0
 01667  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 01668  1736   NtAllocateVirtualMemory  (-1, 40763392, 0, 1, 4096, 4, ... 40763392, 4096, ) == 0x0
 01669  1736   NtQueryVirtualMemory  (-1, 0x26e0000, Basic, 28, ... {BaseAddress=0x26e0000,AllocationBase=0x26e0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01670  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 65536, ) == 0x0
 01671  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 292, ) }, ... 292, ) == 0x0
 01672  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 296, ) }, ... 296, ) == 0x0
 01673  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 300, ) }, ... 300, ) == 0x0
 01674  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 304, ) }, ... 304, ) == 0x0
 01675  1736   NtQueryDefaultLocale  (1, 1242864, ... ) == 0x0
 01676  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 308, ) }, ... 308, ) == 0x0
 01677  1736   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 01678  1736   NtClose  (308, ... ) == 0x0
 01679  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01680  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01681  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01682  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01683  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01684  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01685  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01686  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01687  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01688  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01689  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01690  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01691  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01692  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01693  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01694  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01695  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01696  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01697  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 308, ) }, ... 308, ) == 0x0
 01698  1736   NtMapViewOfSection  (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 01699  1736   NtClose  (308, ... ) == 0x0
 01700  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01701  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01702  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01703  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01704  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01705  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01706  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01707  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01708  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01709  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01710  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01711  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01712  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 01713  1736   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 01714  1736   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 01715  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01716  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01717  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01718  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 01719  1736   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 01720  1736   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 01721  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01722  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01723  1736   NtCreateSemaphore  (0x1f0003, {24, 72, 0x80, 1355512, 0,  (0x1f0003, {24, 72, 0x80, 1355512, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 308, ) }, 0, 2147483647, ... 308, ) == STATUS_OBJECT_NAME_EXISTS
 01724  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01725  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 312, ) }, ... 312, ) == 0x0
 01726  1736   NtQueryValueKey  (312,  (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01727  1736   NtClose  (312, ... ) == 0x0
 01728  1736   NtQueryDefaultUILanguage  (1241288, ...
 01729  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01730  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 01731  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01732  1736   NtClose  (-2147482576, ... ) == 0x0
 01733  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 01734  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01735  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 01736  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01737  1736   NtClose  (-2147481400, ... ) == 0x0
 01738  1736   NtClose  (-2147482576, ... ) == 0x0
 01728  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 01739  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 312, {status=0x0, info=1}, ) }, 1, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01740  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 312, ... 316, ) == 0x0
 01741  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x26e0000), 0x0, 8462336, ) == 0x0
 01742  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01743  1736   NtQueryDefaultLocale  (1, 1239384, ... ) == 0x0
 01744  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01745  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144}  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\1\0\0\377\377\377\377\0\0\0\0@ \221\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75514, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\1\0\0\377\377\377\377\0\0\0\0@ \221\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75514, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240420, 1179817, 1240144} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\1\0\0\377\377\377\377\0\0\0\0@ \221\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75514, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\1\0\0\377\377\377\377\0\0\0\0@ \221\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0X\361\22\0\0\0\0\0" )  ) == 0x0
 01746  1736   NtClose  (312, ... ) == 0x0
 01747  1736   NtClose  (316, ... ) == 0x0
 01748  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01749  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01750  1736   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01751  1736   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01752  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01753  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01754  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238576, ... ) }, 1238576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01755  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01756  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01757  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01758  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1238640, ... ) }, 1238640, ... ) == 0x0
 01759  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 316, {status=0x0, info=1}, ) }, 3, 33, ... 316, {status=0x0, info=1}, ) == 0x0
 01760  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01761  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01762  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 312, ... 320, ) == 0x0
 01763  1736   NtClose  (312, ... ) == 0x0
 01764  1736   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x26e0000), 0x0, 1056768, ) == 0x0
 01765  1736   NtClose  (320, ... ) == 0x0
 01766  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01767  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 01768  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 312, ) == 0x0
 01769  1736   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01770  1736   NtClose  (320, ... ) == 0x0
 01771  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 01772  1736   NtClose  (312, ... ) == 0x0
 01773  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01774  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01775  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01776  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01777  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01778  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01779  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01780  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01781  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01782  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01783  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01784  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01785  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01786  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01787  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01788  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01789  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01790  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01791  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 01792  1736   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 01793  1736   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 01794  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01795  1736   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 01796  1736   NtQueryDefaultUILanguage  (1238804, ...
 01797  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01798  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 01799  1736   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01800  1736   NtClose  (-2147482576, ... ) == 0x0
 01801  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 01802  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01803  1736   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 01804  1736   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01805  1736   NtClose  (-2147481400, ... ) == 0x0
 01806  1736   NtClose  (-2147482576, ... ) == 0x0
 01796  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 01807  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237644, ... ) }, 1237644, ... ) == 0x0
 01808  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01809  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 312, ... 320, ) == 0x0
 01810  1736   NtClose  (312, ... ) == 0x0
 01811  1736   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x26e0000), 0x0, 4096, ) == 0x0
 01812  1736   NtClose  (320, ... ) == 0x0
 01813  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01814  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237240, ... ) }, 1237240, ... ) == 0x0
 01815  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237984,  (0x80100080, {24, 0, 0x40, 0, 1237984, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0
 01816  1736   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 320, ... 312, ) == 0x0
 01817  1736   NtClose  (320, ... ) == 0x0
 01818  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x26e0000), {0, 0}, 4096, ) == 0x0
 01819  1736   NtClose  (312, ... ) == 0x0
 01820  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01821  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 312, {status=0x0, info=1}, ) }, 1, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01822  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 312, ... 320, ) == 0x0
 01823  1736   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x26e0000), 0x0, 4096, ) == 0x0
 01824  1736   NtQueryInformationFile  (312, 1237636, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01825  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01826  1736   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660}  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\1\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75517, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\1\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1636, 1736, 75517, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1237936, 1179817, 1237660} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\1\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" ... {128, 156, reply, 0, 1636, 1736, 75517, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\1\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\0\244\347\22\0\0\0\0\0" )  ) == 0x0
 01827  1736   NtClose  (312, ... ) == 0x0
 01828  1736   NtClose  (320, ... ) == 0x0
 01829  1736   NtUnmapViewOfSection  (-1, 0x26e0000, ... ) == 0x0
 01830  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01831  1736   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01832  1736   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 01833  1736   NtUserGetDC  (0, ... ) == 0x1010053
 01834  1736   NtQueryVirtualMemory  (-1, 0x7c91ca50, Basic, 28, ... {BaseAddress=0x7c91c000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x60000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01835  1736   NtQueryVirtualMemory  (-1, 0x7c9163a8, Basic, 28, ... {BaseAddress=0x7c916000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01836  1736   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01837  1736   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01838  1736   NtContinue  (1237844, 0, ...
 01839  1736   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01840  1736   NtUnmapViewOfSection  (-1, 0x773d0000, ... ) == 0x0
 01841  1736   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01842  1736   NtUnmapViewOfSection  (-1, 0x2f00000, ... ) == 0x0
 01843  1736   NtClose  (316, ... ) == 0x0
 01844  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "PSAPI.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01845  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\PSAPI.DLL"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01846  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\PSAPI.DLL"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01847  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\PSAPI.DLL"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 01848  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 320, ) == 0x0
 01849  1736   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01850  1736   NtClose  (316, ... ) == 0x0
 01851  1736   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76bf0000), 0x0, 45056, ) == 0x0
 01852  1736   NtClose  (320, ... ) == 0x0
 01853  1736   NtProtectVirtualMemory  (-1, (0x76bf1000), 236, 4, ... (0x76bf1000), 4096, 32, ) == 0x0
 01854  1736   NtProtectVirtualMemory  (-1, (0x76bf1000), 4096, 32, ... (0x76bf1000), 4096, 4, ) == 0x0
 01855  1736   NtFlushInstructionCache  (-1, 1992232960, 236, ... ) == 0x0
 01856  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01857  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01858  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1242956, ... ) }, 1242956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01859  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 1242956, ... ) }, 1242956, ... ) == 0x0
 01860  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 01861  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 316, ) == 0x0
 01862  1736   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01863  1736   NtClose  (320, ... ) == 0x0
 01864  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 159744, ) == 0x0
 01865  1736   NtClose  (316, ... ) == 0x0
 01866  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01867  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01868  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01869  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01870  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01871  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01872  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01873  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01874  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01875  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01876  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01877  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01878  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01879  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01880  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01881  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0
 01882  1736   NtProtectVirtualMemory  (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0
 01883  1736   NtFlushInstructionCache  (-1, 1995575296, 616, ... ) == 0x0
 01884  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885  1736   NtCreateKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 316, 2, ) }, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 316, 2, ) , 0, ... 316, 2, ) == 0x0
 01886  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 320, ) }, ... 320, ) == 0x0
 01887  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01888  1736   NtQueryValueKey  (320,  (320, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01889  1736   NtQueryValueKey  (316,  (316, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01890  1736   NtQueryValueKey  (320,  (320, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01891  1736   NtQueryValueKey  (316,  (316, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01892  1736   NtQueryValueKey  (320,  (320, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01893  1736   NtQueryValueKey  (316,  (316, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01894  1736   NtQueryValueKey  (320,  (320, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01895  1736   NtQueryValueKey  (316,  (316, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01896  1736   NtQueryValueKey  (320,  (320, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01897  1736   NtQueryValueKey  (320,  (320, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01898  1736   NtQueryValueKey  (320,  (320, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01899  1736   NtQueryValueKey  (320,  (320, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01900  1736   NtQueryValueKey  (320,  (320, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01901  1736   NtQueryValueKey  (320,  (320, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01902  1736   NtQueryValueKey  (320,  (320, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01903  1736   NtQueryValueKey  (320,  (320, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01904  1736   NtQueryValueKey  (320,  (320, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01905  1736   NtQueryValueKey  (316,  (316, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01906  1736   NtQueryValueKey  (320,  (320, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01907  1736   NtQueryValueKey  (320,  (320, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01908  1736   NtQueryValueKey  (316,  (316, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01909  1736   NtQueryValueKey  (320,  (320, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01910  1736   NtQueryValueKey  (316,  (316, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01911  1736   NtQueryValueKey  (320,  (320, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01912  1736   NtQueryValueKey  (316,  (316, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01913  1736   NtQueryValueKey  (320,  (320, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01914  1736   NtQueryValueKey  (316,  (316, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01915  1736   NtQueryValueKey  (320,  (320, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01916  1736   NtQueryValueKey  (316,  (316, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01917  1736   NtQueryValueKey  (320,  (320, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01918  1736   NtQueryValueKey  (316,  (316, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01919  1736   NtQueryValueKey  (320,  (320, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01920  1736   NtQueryValueKey  (316,  (316, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01921  1736   NtQueryValueKey  (320,  (320, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01922  1736   NtQueryValueKey  (320,  (320, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01923  1736   NtQueryValueKey  (320,  (320, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01924  1736   NtQueryValueKey  (320,  (320, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01925  1736   NtQueryValueKey  (320,  (320, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01926  1736   NtQueryValueKey  (320,  (320, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01927  1736   NtQueryValueKey  (320,  (320, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01928  1736   NtQueryValueKey  (320,  (320, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01929  1736   NtQueryValueKey  (320,  (320, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01930  1736   NtQueryValueKey  (320,  (320, "MulticastListenLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01931  1736   NtQueryValueKey  (320,  (320, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01932  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 312, ) }, ... 312, ) == 0x0
 01933  1736   NtQueryValueKey  (312,  (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01934  1736   NtClose  (312, ... ) == 0x0
 01935  1736   NtClose  (316, ... ) == 0x0
 01936  1736   NtClose  (320, ... ) == 0x0
 01937  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 320, ) }, ... 320, ) == 0x0
 01938  1736   NtQueryValueKey  (320,  (320, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01939  1736   NtQueryValueKey  (320,  (320, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01940  1736   NtQueryValueKey  (320,  (320, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01941  1736   NtClose  (320, ... ) == 0x0
 01942  1736   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts"}, 3, 33, ... 320, {status=0x0, info=1}, ) }, 3, 33, ... 320, {status=0x0, info=1}, ) == 0x0
 01943  1736   NtQueryVolumeInformationFile  (320, 1244940, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01944  1736   NtClose  (260, ... ) == 0x0
 01945  1736   NtSetEvent  (188, ...
 01322   252   NtWaitForSingleObject  ... ) == 0x0
 01946   252   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01947   252   NtWaitForSingleObject  (188, 0, 0x0, ...
 01945  1736   NtSetEvent  ... 0x0, ) == 0x0
 01948  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01949  1736   NtAllocateVirtualMemory  (-1, 0, 0, 200000, 4096, 4, ... 40894464, 200704, ) == 0x0
 01950  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1024, 4096, 4, ... 40763392, 4096, ) == 0x0
 01951  1736   NtSetEvent  (164, ...
 01381   928   NtWaitForSingleObject  ... ) == 0x0
 01952   928   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01953   928   NtWaitForSingleObject  (164, 0, 0x0, ...
 01951  1736   NtSetEvent  ... 0x0, ) == 0x0
 01954  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01955  1736   NtSetEvent  (168, ...
 01341  1732   NtWaitForSingleObject  ... ) == 0x0
 01956  1732   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01957  1732   NtWaitForSingleObject  (168, 0, 0x0, ...
 01955  1736   NtSetEvent  ... 0x0, ) == 0x0
 01958  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01959  1736   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01960  1736   NtSetEvent  (140, ...
 01171  1180   NtWaitForSingleObject  ... ) == 0x0
 01961  1180   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01962  1180   NtWaitForSingleObject  (140, 0, 0x0, ...
 01960  1736   NtSetEvent  ... 0x0, ) == 0x0
 01963  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01964  1736   NtSetEvent  (176, ...
 01423   748   NtWaitForSingleObject  ... ) == 0x0
 01965   748   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01966   748   NtWaitForSingleObject  (176, 0, 0x0, ...
 01964  1736   NtSetEvent  ... 0x0, ) == 0x0
 01967  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01968  1736   NtSetEvent  (148, ...
 01461   596   NtWaitForSingleObject  ... ) == 0x0
 01969   596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01970   596   NtWaitForSingleObject  (148, 0, 0x0, ...
 01968  1736   NtSetEvent  ... 0x0, ) == 0x0
 01971  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01972  1736   NtSetEvent  (160, ...
 01441   120   NtWaitForSingleObject  ... ) == 0x0
 01973   120   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01974   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 01972  1736   NtSetEvent  ... 0x0, ) == 0x0
 01975  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01976  1736   NtSetEvent  (184, ...
 01349  1096   NtWaitForSingleObject  ... ) == 0x0
 01977  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01978  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 01976  1736   NtSetEvent  ... 0x0, ) == 0x0
 01979  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01980  1736   NtSetEvent  (184, ...
 01978  1096   NtWaitForSingleObject  ... ) == 0x0
 01981  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01982  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 01980  1736   NtSetEvent  ... 0x0, ) == 0x0
 01983  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01984  1736   NtSetEvent  (184, ...
 01982  1096   NtWaitForSingleObject  ... ) == 0x0
 01985  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01986  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 01984  1736   NtSetEvent  ... 0x0, ) == 0x0
 01987  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01988  1736   NtSetEvent  (152, ...
 01361   376   NtWaitForSingleObject  ... ) == 0x0
 01989   376   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01990   376   NtWaitForSingleObject  (152, 0, 0x0, ...
 01988  1736   NtSetEvent  ... 0x0, ) == 0x0
 01991  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01992  1736   NtSetEvent  (176, ...
 01966   748   NtWaitForSingleObject  ... ) == 0x0
 01993   748   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01994   748   NtWaitForSingleObject  (176, 0, 0x0, ...
 01992  1736   NtSetEvent  ... 0x0, ) == 0x0
 01995  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01996  1736   NtSetEvent  (184, ...
 01986  1096   NtWaitForSingleObject  ... ) == 0x0
 01997  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01998  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 01996  1736   NtSetEvent  ... 0x0, ) == 0x0
 01999  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02000  1736   NtSetEvent  (192, ...
 01369   500   NtWaitForSingleObject  ... ) == 0x0
 02001   500   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02002   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 02000  1736   NtSetEvent  ... 0x0, ) == 0x0
 02003  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02004  1736   NtSetEvent  (176, ...
 01994   748   NtWaitForSingleObject  ... ) == 0x0
 02005   748   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02006   748   NtWaitForSingleObject  (176, 0, 0x0, ...
 02004  1736   NtSetEvent  ... 0x0, ) == 0x0
 02007  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02008  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02009  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 02010  1736   NtUserFindWindowEx  (0, 0,  (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02011  1736   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 02012  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 41156608, 65536, ) == 0x0
 02013  1736   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 02014  1736   NtFreeVirtualMemory  (-1, (0x2740000), 0, 32768, ... (0x2740000), 65536, ) == 0x0
 02015  1736   NtProtectVirtualMemory  (-1, (0x401000), 93046, 64, ... (0x401000), 94208, 128, ) == 0x0
 02016  1736   NtSetEvent  (184, ...
 01998  1096   NtWaitForSingleObject  ... ) == 0x0
 02017  1096   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02018  1096   NtWaitForSingleObject  (184, 0, 0x0, ...
 02016  1736   NtSetEvent  ... 0x0, ) == 0x0
 02019  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02020  1736   NtSetEvent  (172, ...
 01465   428   NtWaitForSingleObject  ... ) == 0x0
 02021   428   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02022   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 02020  1736   NtSetEvent  ... 0x0, ) == 0x0
 02023  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02024  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1114112, 4096, 4, ... 41156608, 1114112, ) == 0x0
 02025  1736   NtFreeVirtualMemory  (-1, (0x2740000), 0, 32768, ... (0x2740000), 1114112, ) == 0x0
 02026  1736   NtSetEvent  (160, ...
 01974   120   NtWaitForSingleObject  ... ) == 0x0
 02027   120   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02028   120   NtWaitForSingleObject  (160, 0, 0x0, ...
 02026  1736   NtSetEvent  ... 0x0, ) == 0x0
 02029  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02030  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 41156608, 1048576, ) == 0x0
 02031  1736   NtAllocateVirtualMemory  (-1, 42196992, 0, 8192, 4096, 4, ... 42196992, 8192, ) == 0x0
 02032  1736   NtProtectVirtualMemory  (-1, (0x283e000), 4096, 260, ... (0x283e000), 4096, 4, ) == 0x0
 02033  1736   NtCreateThread  (0x1f03ff, 0x0, -1, 1244044, 1243988, 1, ... 260, {1636, 1064}, ) == 0x0
 02034  1736   NtQueryInformationThread  (260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1636,Tid=1064,}, 0x0, ) == 0x0
 02035  1736   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2090320088, 2089917163, 6025663, 6025663}  (24, {28, 56, new_msg, 0, 2090320088, 2089917163, 6025663, 6025663} "\0\0\0\0\1\0\1\0\10.$\0\10\374\22\0\4\1\0\0d\6\0\0(\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\374\22\0\4\1\0\0d\6\0\0(\4\0\0" )  ... {28, 56, reply, 0, 1636, 1736, 75520, 0}  (24, {28, 56, new_msg, 0, 2090320088, 2089917163, 6025663, 6025663} "\0\0\0\0\1\0\1\0\10.$\0\10\374\22\0\4\1\0\0d\6\0\0(\4\0\0" ... {28, 56, reply, 0, 1636, 1736, 75520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\10\374\22\0\4\1\0\0d\6\0\0(\4\0\0" )  ) == 0x0
 02036  1736   NtResumeThread  (260, ... 1, ) == 0x0
 02037  1736   NtSetEvent  (192, ...
 02002   500   NtWaitForSingleObject  ... ) == 0x0
 02038   500   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02039   500   NtWaitForSingleObject  (192, 0, 0x0, ...
 02037  1736   NtSetEvent  ... 0x0, ) == 0x0
 02040  1064   NtTestAlert  (... ) == 0x0
 02041  1064   NtContinue  (42204464, 1, ...
 02042  1064   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 02043  1064   NtDelayExecution  (0, {-40000000, -1}, ...
 02044  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02045  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 02046  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 02047  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 42205184, 4096, ) == 0x0
 02048  1736   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 4, ... 42270720, 8192, ) == 0x0
 02049  1736   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 64, ... 42336256, 65536, ) == 0x0
 02050  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3320, 4096, 4, ... 42401792, 4096, ) == 0x0
 02051  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02052  1736   NtAllocateVirtualMemory  (-1, 0, 0, 9152, 4096, 4, ... 42401792, 12288, ) == 0x0
 02053  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 12288, ) == 0x0
 02054  1736   NtAllocateVirtualMemory  (-1, 0, 0, 620, 4096, 4, ... 42401792, 4096, ) == 0x0
 02055  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02056  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3796, 4096, 4, ... 42401792, 4096, ) == 0x0
 02057  1736   NtAllocateVirtualMemory  (-1, 0, 0, 386, 4096, 64, ... 42467328, 4096, ) == 0x0
 02058  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1494, 4096, 64, ... 42532864, 4096, ) == 0x0
 02059  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2147, 4096, 64, ... 42598400, 4096, ) == 0x0
 02060  1736   NtAllocateVirtualMemory  (-1, 0, 0, 793, 4096, 64, ... 42663936, 4096, ) == 0x0
 02061  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1191, 4096, 64, ... 42729472, 4096, ) == 0x0
 02062  1736   NtAllocateVirtualMemory  (-1, 0, 0, 394, 4096, 64, ... 42795008, 4096, ) == 0x0
 02063  1736   NtAllocateVirtualMemory  (-1, 0, 0, 876, 4096, 64, ... 42860544, 4096, ) == 0x0
 02064  1736   NtAllocateVirtualMemory  (-1, 0, 0, 497, 4096, 64, ... 42926080, 4096, ) == 0x0
 02065  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1575, 4096, 64, ... 42991616, 4096, ) == 0x0
 02066  1736   NtAllocateVirtualMemory  (-1, 0, 0, 975, 4096, 64, ... 43057152, 4096, ) == 0x0
 02067  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3662, 4096, 64, ... 43122688, 4096, ) == 0x0
 02068  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2248, 4096, 64, ... 43188224, 4096, ) == 0x0
 02069  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3055, 4096, 64, ... 43253760, 4096, ) == 0x0
 02070  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2089, 4096, 64, ... 43319296, 4096, ) == 0x0
 02071  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1903, 4096, 64, ... 43384832, 4096, ) == 0x0
 02072  1736   NtAllocateVirtualMemory  (-1, 0, 0, 724, 4096, 64, ... 43450368, 4096, ) == 0x0
 02073  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4254, 4096, 64, ... 43515904, 8192, ) == 0x0
 02074  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2954, 4096, 64, ... 43581440, 4096, ) == 0x0
 02075  1736   NtAllocateVirtualMemory  (-1, 0, 0, 5467, 4096, 64, ... 43646976, 8192, ) == 0x0
 02076  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2004, 4096, 64, ... 43712512, 4096, ) == 0x0
 02077  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2942, 4096, 64, ... 43778048, 4096, ) == 0x0
 02078  1736   NtAllocateVirtualMemory  (-1, 0, 0, 773, 4096, 64, ... 43843584, 4096, ) == 0x0
 02079  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3291, 4096, 64, ... 43909120, 4096, ) == 0x0
 02080  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4287, 4096, 64, ... 43974656, 8192, ) == 0x0
 02081  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2082, 4096, 64, ... 44040192, 4096, ) == 0x0
 02082  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1073, 4096, 64, ... 44105728, 4096, ) == 0x0
 02083  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02084  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2928, 4096, 4, ... 42401792, 4096, ) == 0x0
 02085  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02086  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2700, 4096, 4, ... 42401792, 4096, ) == 0x0
 02087  1736   NtAllocateVirtualMemory  (-1, 0, 0, 5264, 4096, 64, ... 44171264, 8192, ) == 0x0
 02088  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4964, 4096, 64, ... 44236800, 8192, ) == 0x0
 02089  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2760, 4096, 64, ... 44302336, 4096, ) == 0x0
 02090  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3435, 4096, 64, ... 44367872, 4096, ) == 0x0
 02091  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1078, 4096, 64, ... 44433408, 4096, ) == 0x0
 02092  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1416, 4096, 64, ... 44498944, 4096, ) == 0x0
 02093  1736   NtAllocateVirtualMemory  (-1, 0, 0, 837, 4096, 64, ... 44564480, 4096, ) == 0x0
 02094  1736   NtAllocateVirtualMemory  (-1, 0, 0, 3626, 4096, 64, ... 44630016, 4096, ) == 0x0
 02095  1736   NtAllocateVirtualMemory  (-1, 0, 0, 508, 4096, 64, ... 44695552, 4096, ) == 0x0
 02096  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4518, 4096, 64, ... 44761088, 8192, ) == 0x0
 02097  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02098  1736   NtAllocateVirtualMemory  (-1, 0, 0, 1236, 4096, 4, ... 42401792, 4096, ) == 0x0
 02099  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02100  1736   NtAllocateVirtualMemory  (-1, 0, 0, 468, 4096, 4, ... 42401792, 4096, ) == 0x0
 02101  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02102  1736   NtAllocateVirtualMemory  (-1, 0, 0, 312, 4096, 4, ... 42401792, 4096, ) == 0x0
 02103  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02104  1736   NtAllocateVirtualMemory  (-1, 0, 0, 96, 4096, 4, ... 42401792, 4096, ) == 0x0
 02105  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02106  1736   NtAllocateVirtualMemory  (-1, 0, 0, 640, 4096, 4, ... 42401792, 4096, ) == 0x0
 02107  1736   NtFreeVirtualMemory  (-1, (0x2870000), 0, 32768, ... (0x2870000), 4096, ) == 0x0
 02108  1736   NtFreeVirtualMemory  (-1, (0x2700000), 0, 32768, ... (0x2700000), 200704, ) == 0x0
 02109  1736   NtFreeVirtualMemory  (-1, (0x26e0000), 0, 32768, ... (0x26e0000), 4096, ) == 0x0
 02110  1736   NtFreeVirtualMemory  (-1, (0x2850000), 0, 32768, ... (0x2850000), 8192, ) == 0x0
 02111  1736   NtFreeVirtualMemory  (-1, (0x2860000), 0, 32768, ... (0x2860000), 65536, ) == 0x0
 02112  1736   NtFreeVirtualMemory  (-1, (0x2840000), 0, 32768, ... (0x2840000), 4096, ) == 0x0
 02113  1736   NtSetEvent  (172, ...
 02022   428   NtWaitForSingleObject  ... ) == 0x0
 02114   428   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02115   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 02113  1736   NtSetEvent  ... 0x0, ) == 0x0
 02116  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02117  1736   NtSetEvent  (172, ...
 02115   428   NtWaitForSingleObject  ... ) == 0x0
 02118   428   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02119   428   NtWaitForSingleObject  (172, 0, 0x0, ...
 02117  1736   NtSetEvent  ... 0x0, ) == 0x0
 02120  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02121  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 02122  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 02123  1736   NtSetEvent  (180, ...
 01427  1300   NtWaitForSingleObject  ... ) == 0x0
 02124  1300   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02125  1300   NtWaitForSingleObject  (180, 0, 0x0, ...
 02123  1736   NtSetEvent  ... 0x0, ) == 0x0
 02126  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02127  1736   NtSetEvent  (188, ...
 01947   252   NtWaitForSingleObject  ... ) == 0x0
 02128   252   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02129   252   NtWaitForSingleObject  (188, 0, 0x0, ...
 02127  1736   NtSetEvent  ... 0x0, ) == 0x0
 02130  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02131  1736   NtSetEvent  (132, ...
 01373  1028   NtWaitForSingleObject  ... ) == 0x0
 02132  1028   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02133  1028   NtWaitForSingleObject  (132, 0, 0x0, ...
 02131  1736   NtSetEvent  ... 0x0, ) == 0x0
 02134  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02135  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 02136  1736   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 02137  1736   NtSetEvent  (144, ...
 01377   420   NtWaitForSingleObject  ... ) == 0x0
 02138   420   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02139   420   NtWaitForSingleObject  (144, 0, 0x0, ...
 02137  1736   NtSetEvent  ... 0x0, ) == 0x0
 02140  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02141  1736   NtSetEvent  (188, ...
 02129   252   NtWaitForSingleObject  ... ) == 0x0
 02142   252   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02143   252   NtWaitForSingleObject  (188, 0, 0x0, ...
 02141  1736   NtSetEvent  ... 0x0, ) == 0x0
 02144  1736   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 02145  1736   NtQueryVirtualMemory  (-1, 0x436c1e, Basic, 28, ... {BaseAddress=0x436000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xdb000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 02146  1736   NtQueryVirtualMemory  (-1, 0x43e1d8, Basic, 28, ... {BaseAddress=0x43e000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xd3000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 02147  1736   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 02148  1736   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02149  1736   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02150  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02151  1736   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 02152  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 316, ) }, ... 316, ) == 0x0
 02153  1736   NtQueryValueKey  (316,  (316, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) , Partial, 526, ... TitleIdx=0, Type=1, Data= (316, "Auto", Partial, 526, ... TitleIdx=0, Type=1, Data="0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02154  1736   NtQueryValueKey  (316,  (316, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) , Partial, 526, ... TitleIdx=0, Type=1, Data=" (316, "Debugger", Partial, 526, ... TitleIdx=0, Type=1, Data=""\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0V\0i\0s\0u\0a\0l\0 \0S\0t\0u\0d\0i\0o\0\\0C\0o\0m\0m\0o\0n\0\\0M\0S\0D\0e\0v\09\08\0\\0B\0i\0n\0\\0m\0s\0d\0e\0v\0.\0e\0x\0e\0"\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) \0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0\0\0"}, 184, ) == 0x0
 02155  1736   NtClose  (316, ... ) == 0x0
 02156  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1239748, ... ) }, 1239748, ... ) == 0x0
 02157  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02158  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0
 02159  1736   NtClose  (316, ... ) == 0x0
 02160  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2700000), 0x0, 81920, ) == 0x0
 02161  1736   NtClose  (312, ... ) == 0x0
 02162  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02163  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 1240056, ... ) }, 1240056, ... ) == 0x0
 02164  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\faultrep.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02165  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 02166  1736   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02167  1736   NtClose  (312, ... ) == 0x0
 02168  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 90112, ) == 0x0
 02169  1736   NtClose  (316, ... ) == 0x0
 02170  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 316, ) }, ... 316, ) == 0x0
 02171  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 02172  1736   NtClose  (316, ... ) == 0x0
 02173  1736   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 02174  1736   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 02175  1736   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 02176  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 316, ) }, ... 316, ) == 0x0
 02177  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x769c0000), 0x0, 733184, ) == 0x0
 02178  1736   NtClose  (316, ... ) == 0x0
 02179  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 02180  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 02181  1736   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 02182  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 02183  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 02184  1736   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 02185  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 02186  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 02187  1736   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 02188  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 1244, 4, ... (0x769c1000), 4096, 32, ) == 0x0
 02189  1736   NtProtectVirtualMemory  (-1, (0x769c1000), 4096, 32, ... (0x769c1000), 4096, 4, ) == 0x0
 02190  1736   NtFlushInstructionCache  (-1, 1989939200, 1244, ... ) == 0x0
 02191  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02193  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 02194  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WINSTA.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02195  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 312, ) == 0x0
 02196  1736   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02197  1736   NtClose  (316, ... ) == 0x0
 02198  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 65536, ) == 0x0
 02199  1736   NtClose  (312, ... ) == 0x0
 02200  1736   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 02201  1736   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 02202  1736   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 02203  1736   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 02204  1736   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 02205  1736   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 02206  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... 312, ) }, ... 312, ) == 0x0
 02207  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5b860000), 0x0, 344064, ) == 0x0
 02208  1736   NtClose  (312, ... ) == 0x0
 02209  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02210  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02211  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02212  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02213  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02214  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02215  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02216  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02217  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02218  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02219  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02220  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02221  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 1168, 4, ... (0x5b861000), 4096, 32, ) == 0x0
 02222  1736   NtProtectVirtualMemory  (-1, (0x5b861000), 4096, 32, ... (0x5b861000), 4096, 4, ) == 0x0
 02223  1736   NtFlushInstructionCache  (-1, 1535512576, 1168, ... ) == 0x0
 02224  1736   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 02225  1736   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 02226  1736   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 02227  1736   NtProtectVirtualMemory  (-1, (0x76361000), 212, 4, ... (0x76361000), 4096, 32, ) == 0x0
 02228  1736   NtProtectVirtualMemory  (-1, (0x76361000), 4096, 32, ... (0x76361000), 4096, 4, ) == 0x0
 02229  1736   NtFlushInstructionCache  (-1, 1983254528, 212, ... ) == 0x0
 02230  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02231  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02232  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 02233  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WTSAPI32.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 02234  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 02235  1736   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02236  1736   NtClose  (312, ... ) == 0x0
 02237  1736   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 02238  1736   NtClose  (316, ... ) == 0x0
 02239  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 02240  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 02241  1736   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 02242  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 02243  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 02244  1736   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 02245  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 02246  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 02247  1736   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 02248  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 332, 4, ... (0x76f51000), 4096, 32, ) == 0x0
 02249  1736   NtProtectVirtualMemory  (-1, (0x76f51000), 4096, 32, ... (0x76f51000), 4096, 4, ) == 0x0
 02250  1736   NtFlushInstructionCache  (-1, 1995771904, 332, ... ) == 0x0
 02251  1736   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02252  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1239232, ... ) }, 1239232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02253  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1239232, ... ) }, 1239232, ... ) == 0x0
 02254  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 02255  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 316, ... 312, ) == 0x0
 02256  1736   NtQuerySection  (312, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02257  1736   NtClose  (316, ... ) == 0x0
 02258  1736   NtMapViewOfSection  (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 02259  1736   NtClose  (312, ... ) == 0x0
 02260  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02261  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02262  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02263  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02264  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02265  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02266  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02267  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02268  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02269  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02270  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02271  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02272  1736   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 02273  1736   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 02274  1736   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 02275  1736   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 02276  1736   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 02277  1736   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 02278  1736   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 02279  1736   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 02280  1736   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 02281  1736   NtProtectVirtualMemory  (-1, (0x69451000), 736, 4, ... (0x69451000), 4096, 32, ) == 0x0
 02282  1736   NtProtectVirtualMemory  (-1, (0x69451000), 4096, 32, ... (0x69451000), 4096, 4, ) == 0x0
 02283  1736   NtFlushInstructionCache  (-1, 1766133760, 736, ... ) == 0x0
 02284  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02285  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USERENV.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02286  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 312, ) }, ... 312, ) == 0x0
 02287  1736   NtQueryValueKey  (312,  (312, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02288  1736   NtClose  (312, ... ) == 0x0
 02289  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 312, ) }, ... 312, ) == 0x0
 02290  1736   NtQueryValueKey  (312,  (312, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02291  1736   NtClose  (312, ... ) == 0x0
 02292  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 312, ) }, ... 312, ) == 0x0
 02293  1736   NtQueryValueKey  (312,  (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 02294  1736   NtClose  (312, ... ) == 0x0
 02295  1736   NtCreateEvent  (0x1f0003, {24, 72, 0x80, 1237824, 0,  (0x1f0003, {24, 72, 0x80, 1237824, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 312, ) }, 0, 1, ... 312, ) == STATUS_OBJECT_NAME_EXISTS
 02296  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02297  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02298  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02299  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02300  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02301  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02302  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02303  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02304  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02305  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02306  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02307  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02308  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02309  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02310  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02311  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02312  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02313  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02314  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02315  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02316  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02317  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02318  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02319  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02320  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02321  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02322  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02323  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 316, ) == 0x0
 02324  1736   NtQueryInformationToken  (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02325  1736   NtClose  (316, ... ) == 0x0
 02326  1736   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 316, ) }, ... 316, ) == 0x0
 02327  1736   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 324, ) }, ... 324, ) == 0x0
 02328  1736   NtQueryValueKey  (324,  (324, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 02329  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02330  1736   NtQueryValueKey  (324,  (324, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 02331  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02332  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02333  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02334  1736   NtQueryDefaultLocale  (1, 1237576, ... ) == 0x0
 02335  1736   NtClose  (324, ... ) == 0x0
 02336  1736   NtClose  (316, ... ) == 0x0
 02337  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0
 02338  1736   NtQueryValueKey  (316,  (316, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02339  1736   NtClose  (316, ... ) == 0x0
 02340  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0
 02341  1736   NtQueryValueKey  (316,  (316, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02342  1736   NtQueryValueKey  (316,  (316, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02343  1736   NtClose  (316, ... ) == 0x0
 02344  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02345  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0
 02346  1736   NtQueryValueKey  (316,  (316, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02347  1736   NtClose  (316, ... ) == 0x0
 02348  1736   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02349  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02350  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02351  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02352  1736   NtQueryPerformanceCounter  (... {1110673997, 16}, {3579545, 0}, ) == 0x0
 02353  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02354  1736   NtQueryDefaultLocale  (1, 1239952, ... ) == 0x0
 02355  1736   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02356  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02357  1736   NtQueryValueKey  (316,  (316, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02358  1736   NtClose  (316, ... ) == 0x0
 02359  1736   NtUserGetProcessWindowStation  (... ) == 0x1c
 02360  1736   NtUserGetObjectInformation  (28, 1, 1239548, 12, 1239560, ... ) == 0x1
 02361  1736   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02362  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\WPA\PnP"}, ... 316, ) }, ... 316, ) == 0x0
 02363  1736   NtQueryValueKey  (316,  (316, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 02364  1736   NtClose  (316, ... ) == 0x0
 02365  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02366  1736   NtQueryValueKey  (316,  (316, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02367  1736   NtQueryValueKey  (316,  (316, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 02368  1736   NtClose  (316, ... ) == 0x0
 02369  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02370  1736   NtQueryValueKey  (316,  (316, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02371  1736   NtQueryValueKey  (316,  (316, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 02372  1736   NtClose  (316, ... ) == 0x0
 02373  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02374  1736   NtQueryValueKey  (316,  (316, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02375  1736   NtQueryValueKey  (316,  (316, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02376  1736   NtClose  (316, ... ) == 0x0
 02377  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02378  1736   NtQueryValueKey  (316,  (316, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02379  1736   NtQueryValueKey  (316,  (316, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 02380  1736   NtClose  (316, ... ) == 0x0
 02381  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02382  1736   NtQueryValueKey  (316,  (316, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02383  1736   NtQueryValueKey  (316,  (316, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 02384  1736   NtClose  (316, ... ) == 0x0
 02385  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 316, ) }, ... 316, ) == 0x0
 02386  1736   NtQueryValueKey  (316,  (316, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02387  1736   NtQueryValueKey  (316,  (316, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 02388  1736   NtClose  (316, ... ) == 0x0
 02389  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 316, ) }, ... 316, ) == 0x0
 02390  1736   NtQueryValueKey  (316,  (316, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02391  1736   NtQueryValueKey  (316,  (316, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (316, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 02392  1736   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 02393  1736   NtClose  (316, ... ) == 0x0
 02394  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 316, ) == 0x0
 02395  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 324, ) == 0x0
 02396  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0
 02397  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 332, ) == 0x0
 02398  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 336, ) == 0x0
 02399  1736   NtCreateMutant  (0x1f0001, 0x0, 0, ... 340, ) == 0x0
 02400  1736   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 344, ) }, ... 344, ) == 0x0
 02401  1736   NtQueryValueKey  (344,  (344, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02402  1736   NtQueryValueKey  (344,  (344, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02403  1736   NtQueryValueKey  (344,  (344, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02404  1736   NtOpenKey  (0x1, {24, 344, 0x40, 0, 0,  (0x1, {24, 344, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405  1736   NtClose  (344, ... ) == 0x0
 02406  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1239464, ... ) }, 1239464, ... ) == 0x0
 02407  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 344, ) }, ... 344, ) == 0x0
 02408  1736   NtQueryValueKey  (344,  (344, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (344, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (344, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02409  1736   NtClose  (344, ... ) == 0x0
 02410  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 344, ) }, ... 344, ) == 0x0
 02411  1736   NtQueryValueKey  (344,  (344, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (344, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (344, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 02412  1736   NtClose  (344, ... ) == 0x0
 02413  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02414  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 344, ) }, ... 344, ) == 0x0
 02415  1736   NtQueryValueKey  (344,  (344, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (344, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (344, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 02416  1736   NtClose  (344, ... ) == 0x0
 02417  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\faultrep.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02418  1736   NtOpenKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02419  1736   NtCreateKey  (0x20119, {24, 16, 0x40, 0, 0,  (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 344, 2, ) }, 0, 0x0, 0, ... 344, 2, ) == 0x0
 02420  1736   NtOpenKey  (0x10000, {24, 344, 0x40, 0, 0,  (0x10000, {24, 344, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02421  1736   NtQueryValueKey  (344,  (344, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02422  1736   NtQueryValueKey  (344,  (344, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02423  1736   NtQueryValueKey  (344,  (344, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02424  1736   NtQueryValueKey  (344,  (344, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02425  1736   NtQueryValueKey  (344,  (344, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02426  1736   NtQueryValueKey  (344,  (344, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02427  1736   NtQueryValueKey  (344,  (344, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02428  1736   NtQueryValueKey  (344,  (344, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02429  1736   NtQueryValueKey  (344,  (344, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02430  1736   NtQueryValueKey  (344,  (344, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02431  1736   NtQueryValueKey  (344,  (344, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02432  1736   NtQueryValueKey  (344,  (344, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02433  1736   NtCreateKey  (0x20119, {24, 344, 0x40, 0, 0,  (0x20119, {24, 344, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 02434  1736   NtCreateKey  (0x20119, {24, 344, 0x40, 0, 0,  (0x20119, {24, 344, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 352, 2, ) }, 0, 0x0, 0, ... 352, 2, ) == 0x0
 02435  1736   NtClose  (344, ... ) == 0x0
 02436  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 344, ) }, ... 344, ) == 0x0
 02437  1736   NtQueryValueKey  (344,  (344, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02438  1736   NtClose  (344, ... ) == 0x0
 02439  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02440  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02441  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236992, ... ) }, 1236992, ... ) == 0x0
 02442  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0
 02443  1736   NtQueryDirectoryFile  (344, 0, 0, 0, 1236420, 616, BothDirectory, 1,  (344, 0, 0, 0, 1236420, 616, BothDirectory, 1, "work", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02444  1736   NtClose  (344, ... ) == 0x0
 02445  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 344, {status=0x0, info=1}, ) }, 3, 16417, ... 344, {status=0x0, info=1}, ) == 0x0
 02446  1736   NtQueryDirectoryFile  (344, 0, 0, 0, 1236420, 616, BothDirectory, 1,  (344, 0, 0, 0, 1236420, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02447  1736   NtClose  (344, ... ) == 0x0
 02448  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02449  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02450  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02451  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02452  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235640, ... ) }, 1235640, ... ) == 0x0
 02453  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234412, ... ) }, 1234412, ... ) == 0x0
 02454  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02455  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02456  1736   NtQueryValueKey  (348,  (348, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02457  1736   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 02458  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02459  1736   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02460  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02461  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 344, ) }, ... 344, ) == 0x0
 02462  1736   NtQueryValueKey  (344,  (344, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02463  1736   NtClose  (344, ... ) == 0x0
 02464  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02465  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 344, ) == 0x0
 02466  1736   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 02467  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 356, ) == 0x0
 02468  1736   NtQuerySystemTime  (... {1557626862, 29928128}, ) == 0x0
 02469  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 360, ) == 0x0
 02470  1736   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02471  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 02472  1736   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 02473  1736   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 02474  1736   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 364, ) == 0x0
 02475  1736   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 368, ) == 0x0
 02476  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\266^\265\3\343\213\266\362\301\216]x^G\345dL\257\360\227|\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02477  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02478  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02479  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02480  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02481  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02482  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02483  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02484  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481380, 2, ) }, 0, 0x0, 0, ... -2147481380, 2, ) == 0x0
 02485  1736   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "\33v\364\277\265g[b\235\361\233\7\264\322\252~El\254\371i\23\325\24 .\337r\342$4\316w\344D\7\301B\306\204\266\205\327\373\365\317\270\220,y\367\232NP\226@\344\205G\247\342\10x\322P#\274oc!l\263.\331+\214\22\362\317~", 80, ... ) , 0, 3,  (-2147481380, "Seed", 0, 3, "\33v\364\277\265g[b\235\361\233\7\264\322\252~El\254\371i\23\325\24 .\337r\342$4\316w\344D\7\301B\306\204\266\205\327\373\365\317\270\220,y\367\232NP\226@\344\205G\247\342\10x\322P#\274oc!l\263.\331+\214\22\362\317~", 80, ... ) , 80, ... ) == 0x0
 02486  1736   NtClose  (-2147481380, ... ) == 0x0
 02476  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\372_\235\246{\223\241\376\300\243\311\201\322k\306uT\333%I\252\326\302(\33k\302\265\205\257K\212\364\227\272v\13\203d\2\355\341\1\33\260\2422\13d\6\224\323\270\212\303]\177\3}\367\2127\362\300]\236\337h\267\235\2\24\350\177\316\377\217\247=Y\273\3775pS\35\215:\241\315\226t\316W\251\376i\266\0\222\325\326\253\6\320\275\235\37\255\222`\3360\2325'W\2337~,\326A\320p?3\244\334\13\21\207Z\212\376"\313\226\267\361\215\302\257\335\322xh\214\214\21_\263\332\242\2565\260\34\327\341\351\217,\317\207z \7\242\225\352\321B\11I\157\360M\2019\2153p\213%\303\216{\21\4e5#\15hm\17\376\247S\244\267\312\5\223\326\2529eW\340dQd\260\34\244AS/\204'\323\264\206o\328\37\246c`;\342\247\27\372N\35F\220\11#\352m\2\300<\10)j\357Y\221\1", ) \313\226\267\361\215\302\257\335\322xh\214\214\21_\263\332\242\2565\260\34\327\341\351\217,\317\207z \7\242\225\352\321B\11I\157\360M\2019\2153p\213%\303\216{\21\4e5#\15hm\17\376\247S\244\267\312\5\223\326\2529eW\340dQd\260\34\244AS/\204'\323\264\206o\328\37\246c`;\342\247\27\372N\35F\220\11#\352m\2\300<\10)j\357Y\221\1", ) == 0x0
 02487  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\266^\265\3\343\213\266\362\301\216]x^G\30X\312\342\30\253\362\345\214L\257\360\227|\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02488  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02489  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02490  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02491  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02492  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02493  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02494  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02495  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481380, 2, ) }, 0, 0x0, 0, ... -2147481380, 2, ) == 0x0
 02496  1736   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "\201m\314\206\373\16\314:3\3579f\310\304\363\2014i\376\221\332\14\27\365T\304fk\232\260%Od\316\20380Z{\327\234<\343\375\263\356\340\234\351\361\266\340\262\15\27\212]\364\243_\257f\225+\216AT\262rl\357\35\16\201\3474\330\246B\347", 80, ... ) , 0, 3,  (-2147481380, "Seed", 0, 3, "\201m\314\206\373\16\314:3\3579f\310\304\363\2014i\376\221\332\14\27\365T\304fk\232\260%Od\316\20380Z{\327\234<\343\375\263\356\340\234\351\361\266\340\262\15\27\212]\364\243_\257f\225+\216AT\262rl\357\35\16\201\3474\330\246B\347", 80, ... ) , 80, ... ) == 0x0
 02497  1736   NtClose  (-2147481380, ... ) == 0x0
 02487  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\210\252\242\2602OIZ\322\257H}\233*\303B\172\376\251\360\223U]4\14\266\307\177\360\277&;<\217\230\203\254\346\257\246~\14\245\13\246\224$\233\2319\1\223(\351\5w\271\3\3\313e\3\303\250\303\5hM\7\317\213\25i\2179J\7+\303\214s\374\213\307\354\345\223\232\20S\256\237`:\345\352\3704\366\33\166\232\12W\12\343\226\270\177+\323\235r\3G\16\363\306\37\344 y\231\340\26\227\4\337<\214\2209\232>\23\33N-\317\205\251T\256M\204\246\323\363\205\15\252){\33\312\254\14O\266\373\21\276`\211L\3F\261\256yu\331\37j.\31*\215\3258\312\267\303\[IQ]\332(\363>\314\200\21\271\312~\37\215Q\204Y\266H\222, ) , ) == 0x0
 02498  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\266^\265\3\343\213\266\362\301\216]x^G\30X\312\342\30\253\362\30\260\312\342\30\253\362\345\214L\257\360\227|\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02499  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02500  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02501  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02502  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02503  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02504  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02505  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02506  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481380, 2, ) }, 0, 0x0, 0, ... -2147481380, 2, ) == 0x0
 02507  1736   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "\256\214Ay\344P\253q\355\374\6\12\217{\351-\240\2064\215\331Xw\320\303\2375}\240\273\306\303\14E\25\343\353\352\376%\203\233&\334L\364o|\21\221\11\4\324I\14\370\210\266kW\210\203\26#3\14<~\11\247\257\235\13\333\270lw\206\315", 80, ... ) , 0, 3,  (-2147481380, "Seed", 0, 3, "\256\214Ay\344P\253q\355\374\6\12\217{\351-\240\2064\215\331Xw\320\303\2375}\240\273\306\303\14E\25\343\353\352\376%\203\233&\334L\364o|\21\221\11\4\324I\14\370\210\266kW\210\203\26#3\14<~\11\247\257\235\13\333\270lw\206\315", 80, ... ) , 80, ... ) == 0x0
 02508  1736   NtClose  (-2147481380, ... ) == 0x0
 02498  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\351\243\322\236V\321$G\54\261K\234\261\236\270\340\226\366\2\327\273\234\317\15\226~b\336\376\363\27i\247\234\11al\331V\354\303\372x\16\364Z\232\215\373N\337\33\235\335SUK8\236\237\300\214\254k:\373\337\6z\376\306\315b'\24\250\325.\239`\235M*,k\231Cv=\254\372z\341\302\23\370\247\20c;\216\342\10\377\357Se\337IJ\222\366cN!\354\215\347\32\244h(#7I\306~o\27\316\376 xd\362(\314\16~T\212\4\316}xB\252\311\206\361\264\342\325\22\233AB\7\202\12!\206\15\230h\27\324\301\24~[\263\351\222\12a1\32\334N\341\303*7q\202\364\261R\376\337\316\27\3\321N;\321\217\277\316\316\276\367"H_\230\243\364\254\17\317\215\325\300\370\263I9\223\305\k\331Y\356\314\377d\305/\377&\232T\207\323\374\226)\15\332\4h\302|Q\305aRC", ) H_\230\243\364\254\17\317\215\325\300\370\263I9\223\305\k\331Y\356\314\377d\305/\377&\232T\207\323\374\226)\15\332\4h\302|Q\305aRC", ) == 0x0
 02509  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\266^\265\3\343\213\266\362\301\216]x^G\30X\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\345\214L\257\360\227|\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02510  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02511  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02512  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02513  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02514  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02515  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02516  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02517  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481380, 2, ) }, 0, 0x0, 0, ... -2147481380, 2, ) == 0x0
 02518  1736   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "\201\226S\27\347\226\213NI\204\311\3713]\313+\265\10N\375\265\322\340\21N\216f\17\\213\221/)\256|\13o\245\260f\0+\158\207&\13\350\246\315\242\261\343\302h\235\3308\225\366\23398\334\37\25X\240ep\204\334\177\1\265SVs\203s", 80, ... ) , 0, 3,  (-2147481380, "Seed", 0, 3, "\201\226S\27\347\226\213NI\204\311\3713]\313+\265\10N\375\265\322\340\21N\216f\17\\213\221/)\256|\13o\245\260f\0+\158\207&\13\350\246\315\242\261\343\302h\235\3308\225\366\23398\334\37\25X\240ep\204\334\177\1\265SVs\203s", 80, ... ) , 80, ... ) == 0x0
 02519  1736   NtClose  (-2147481380, ... ) == 0x0
 02509  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\326\341\225\354\342\250\276\230\210\272\277\310\204wp\216\236\244PT\16\226\266\363\330@\230\361\240\15^\226\13\25\215\1\316\367\216.\305\243\374P\257\244\202\216\257\236i"\254g+\225t\243\257\314\231\11\3\337\36\234#\21\266\221\373\261o\210\235K\360\350l\251\337q\177\347S<(\277\15,\247dcA\346_\372s\326\306\324LK%\245\2\13\243T\230\33L\320n\7\14R\216\6H4\1Bl\211ld1LQ!\26\220\236\205C\237A\17\246l\10\262\14\245W\236\275\1\323\217\305]\264\212\277Qz_?gkkN\273\7b1\14\351\320\177\232t1\317\301x\255\205a{S\253Pnr>\316h\17\217 \20\252\354\273D\224\214#m\345\320\26\1:-\347\340\364\24k\3022\326z\275\211\345\271'e\17\4\33{\227\231\363\213\27\324\262\245dT\324F7\253\306\234\25K0\277g\177\342\234\373\201\325\205", ) \254g+\225t\243\257\314\231\11\3\337\36\234#\21\266\221\373\261o\210\235K\360\350l\251\337q\177\347S<(\277\15,\247dcA\346_\372s\326\306\324LK%\245\2\13\243T\230\33L\320n\7\14R\216\6H4\1Bl\211ld1LQ!\26\220\236\205C\237A\17\246l\10\262\14\245W\236\275\1\323\217\305]\264\212\277Qz_?gkkN\273\7b1\14\351\320\177\232t1\317\301x\255\205a{S\253Pnr>\316h\17\217 \20\252\354\273D\224\214#m\345\320\26\1:-\347\340\364\24k\3022\326z\275\211\345\271'e\17\4\33{\227\231\363\213\27\324\262\245dT\324F7\253\306\234\25K0\277g\177\342\234\373\201\325\205", ) == 0x0
 02520  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\266^\265\3\343\213\266\362\301\216]x^G\30X\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\345\214L\257\360\227|\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02521  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02522  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02523  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02524  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02525  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02526  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02527  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02528  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481380, 2, ) }, 0, 0x0, 0, ... -2147481380, 2, ) == 0x0
 02529  1736   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "}\213\341\370\333\336\264\317\377\323\37\25\2464\321\375\336\304\33\3703\332~wl\373P\353b-\11(_\360\275;\212\221\335\24\17\3476\332\22\350"P\205\301\16\250!K_\260`\220\356\13\241v\337\310\346:,\305\261l\334s\204\307\302$\236\204z\12", 80, ... ) , 0, 3,  (-2147481380, "Seed", 0, 3, "}\213\341\370\333\336\264\317\377\323\37\25\2464\321\375\336\304\33\3703\332~wl\373P\353b-\11(_\360\275;\212\221\335\24\17\3476\332\22\350"P\205\301\16\250!K_\260`\220\356\13\241v\337\310\346:,\305\261l\334s\204\307\302$\236\204z\12", 80, ... ) P\205\301\16\250!K_\260`\220\356\13\241v\337\310\346:,\305\261l\334s\204\307\302$\236\204z\12", 80, ... ) == 0x0
 02530  1736   NtClose  (-2147481380, ... ) == 0x0
 02520  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "(J\366\237&\246T\361\16N.#\274m\370C\230\276\273b\260\54zVSs\233H\277\377\320[\312\205\3346k@J\324\306fF\20\357\375\334Hd\24x\311\303\265\216a\343\362\277\224F\14\21\353\253\342Z\253\276\252`\276\13\3553\214\277Qm\375U=BnIr]\247K\266\351TO\35\276\237\215\241Q$V\341\277\356\24\321\313\361\3\32>\267K;\2119\357DL\23\234\237[\37\15\231}W5\370\245-Q\213\324\267o{OLfg`\311\351\246\224\337\217I\320\367\235\20\362u'qm\275S\322\5\365\31\251\276Vy\322\347B\351\4\20273\364in+\33\322I\225d]\256\201q[d\230\2547=_\313\350sM\354)\247|\307\4_\257"\300~<\30T\277pB\360\16x.\256gY\0\24\270$'\227?ml[\315wwo%\24(>\201\252\231NS\345,\216\307\243S_", ) \300~<\30T\277pB\360\16x.\256gY\0\24\270$'\227?ml[\315wwo%\24(>\201\252\231NS\345,\216\307\243S_", ) == 0x0
 02531  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\266^\265\3\343\213\266\362\301\216]x^G\30X\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\345\214L\257\360\227|\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02532  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02533  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02534  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02535  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02536  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02537  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02538  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02539  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481380, 2, ) }, 0, 0x0, 0, ... -2147481380, 2, ) == 0x0
 02540  1736   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "\12\335\307\231\337\203\351l\15\247\330\272\306\275\203T\347O\231B\257\0\267\327\211=\310U\263\264R/\311\372\352\202\253\276\276\303\20F\263q\210e S(\325'\332\11=\256\236\10o\342\262,V&7 _G\226\252\25ZYj\312\212\30\322\272\364=", 80, ... ) , 0, 3,  (-2147481380, "Seed", 0, 3, "\12\335\307\231\337\203\351l\15\247\330\272\306\275\203T\347O\231B\257\0\267\327\211=\310U\263\264R/\311\372\352\202\253\276\276\303\20F\263q\210e S(\325'\332\11=\256\236\10o\342\262,V&7 _G\226\252\25ZYj\312\212\30\322\272\364=", 80, ... ) , 80, ... ) == 0x0
 02541  1736   NtClose  (-2147481380, ... ) == 0x0
 02531  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\303Y\242\321\215m\306\30\312e\367\305B\2256\225[\326pho\214\337\217\305n=\354\206\265\301\203\26\372\274\7;C\33B\11Q\320w\240\326d\234<\366\24D+\262:\310%Pa\12?\3\215\326LUg\200\210\353K\16\177`\34\34\35\4\241\337\360J\314\220\2209\237\374\4y\275\330\232\330F\34EZU\356\3152\12\376\1\231y\225\277\11\265!\377\277Z\2\345\250\357\315t\372t\331\255>\20\25\262\217>\202Cr\30\376\225\37qU\323-u\33\333L@\232\355H\322\34m\3\302L\262L\225I\352\343\341\344\w\365\27\376\30\34rfHJ[[\211\211<\3674 \22<\23\262\31|+\256n\347\367fG*y\370\11\301\202\202\321\227\275\307\312 \311\337@\204\301\303\37\375\275s~.\350\326\31=T\241 \330\360yu\311\12\214\331\34\346\317\36V13e \372\13e\251[\350\202\311\263\46", ) , ) == 0x0
 02542  1736   NtDeviceIoControlFile  (68, 0, 0x0, 0x0, 0x390008,  (68, 0, 0x0, 0x0, 0x390008, "\266^\265\3\343\213\266\362\301\216]x^G\30X\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\30\260\312\342\30\253\362\345\214L\257\360\227|\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 02543  1736   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 02544  1736   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 02545  1736   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 02546  1736   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 02547  1736   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 02548  1736   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 02549  1736   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 02550  1736   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481380, 2, ) }, 0, 0x0, 0, ... -2147481380, 2, ) == 0x0
 02551  1736   NtSetValueKey  (-2147481380,  (-2147481380, "Seed", 0, 3, "t@\361\255)uYS\202,\324:7\221T\35\206mS\250jS\222#\244\315\373\232y\350\314u\253y\277z1\264M\367\206#e\227q\312/\17\201\326\11n\\346\277\10\5}\215\360\3\335\214\2606m\276\260$f8\354/~\35\237\232C\330`", 80, ... ) , 0, 3,  (-2147481380, "Seed", 0, 3, "t@\361\255)uYS\202,\324:7\221T\35\206mS\250jS\222#\244\315\373\232y\350\314u\253y\277z1\264M\367\206#e\227q\312/\17\201\326\11n\\346\277\10\5}\215\360\3\335\214\2606m\276\260$f8\354/~\35\237\232C\330`", 80, ... ) , 80, ... ) == 0x0
 02552  1736   NtClose  (-2147481380, ... ) == 0x0
 02542  1736   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\235\373`\202gq\235U\312\25\234\247\316;\222#\307\306\23;P\332Q\346\233\363\352\33G.\31\230qP\24W>\321\254\374< o\276Y\362~\206\262|J5\23\265\202\36\207\212S\36p\357'\356\3522!\250bWVf\334\245\10\3349&,\14\377\366\242\10\336%\34\12\27\222\7\307\352u\202|i,\272\265\0\251^\221\273\313\307\337\254\212\211\371g\31Uz2\251SR\344\10\306V\324\366\370I\213\311\1\236\4\202\366a\375\\207T\267\367P\244k\204\213p>\274r\254\7\344\217\345\203\365\353S\15\316>\244\\345\15HHrU\341\303\347W\321\253\223\331\246\372\340:c\311\213%\350K~\33^\201\233h\37\16\257\244\274GX\314\215\333VL\322\375\27@\352M3X\251IN\205\16C$\275m}1s\236\34\251\204\213\13y\22\374\250}c\2457\335[\177\321\253\6\334]`\361\34D\32\177\177", ) , ) == 0x0
 02553  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 372, ) == 0x0
 02554  1736   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1234784, 188, ... 376, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 0}, 0x0, 0x0, 1234784, 188, ... 376, 0x0, 0x0, 0x0, 188, ) == 0x0
 02555  1736   NtRequestWaitReplyPort  (376, {200, 224, new_msg, 0, 2621478, 1366728, 12, 2}  (376, {200, 224, new_msg, 0, 2621478, 1366728, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\260/\24\0\240\332\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\304\325\345;L\267)\327\230\332\24\0h\1\24\0\12\0\0\0\0\0\0\0\230\332\24\0(\0\0\0\240\332\24\0\335\16v\243x\1\24\0(\0\0\0\254\254\0\0\0\0\24\0\274\325\22\0\255\0\0\0\0\0\0\0\370_\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1636, 1736, 75619, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260/\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\304\325\345;L\267)\327\230\332\24\0h\1\24\0\12\0\0\0\0\0\0\0\230\332\24\0(\0\0\0\240\332\24\0\335\16v\243x\1\24\0(\0\0\0\254\254\0\0\0\0\24\0\274\325\22\0\255\0\0\0\0\0\0\0\370_\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ... {200, 224, reply, 0, 1636, 1736, 75619, 0}  (376, {200, 224, new_msg, 0, 2621478, 1366728, 12, 2} "\0\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\2\0\4\0\0\0\260/\24\0\240\332\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\304\325\345;L\267)\327\230\332\24\0h\1\24\0\12\0\0\0\0\0\0\0\230\332\24\0(\0\0\0\240\332\24\0\335\16v\243x\1\24\0(\0\0\0\254\254\0\0\0\0\24\0\274\325\22\0\255\0\0\0\0\0\0\0\370_\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... {200, 224, reply, 0, 1636, 1736, 75619, 0} "\7\0\24\0\10\0\0\0\274\0\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\260/\24\0\377\377\377\377\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\24\0\2\0\0\0\304\325\345;L\267)\327\230\332\24\0h\1\24\0\12\0\0\0\0\0\0\0\230\332\24\0(\0\0\0\240\332\24\0\335\16v\243x\1\24\0(\0\0\0\254\254\0\0\0\0\24\0\274\325\22\0\255\0\0\0\0\0\0\0\370_\24\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\340\325\22\0\372\31\221|t\335\22\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" )  ) == 0x0
 02556  1736   NtRequestWaitReplyPort  (376, {32, 56, new_msg, 0, 0, 0, 0, 0}  (376, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1636, 1736, 75620, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0\313\10\267\300jhJK\246\276<_\2017\216R\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ... {124, 148, reply, 0, 1636, 1736, 75620, 0}  (376, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 1636, 1736, 75620, 0} "\2\31\221|\1\0\221|\200\300\227|p\31\221|\250$\12\0\330\0\0\0d\365\11\0\0\300\372\177\0\0\0\0\0\0\0\0\313\10\267\300jhJK\246\276<_\2017\216R\1\0\0\0\0\0\0\0\4\0\0\0\1\365\11\0\1\0\0\0d\365\11\0\0\0\0\0\0\0\0\0\1\0\0\0\10\376\257\0\0\0\0\0\334\377\257\0\30\356\220|p\5\221|\377\377\377\377m\5\221|\344f\347w" )  ) == 0x0
 02557  1736   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 02558  1736   NtRequestWaitReplyPort  (376, {44, 68, new_msg, 56, 1636, 1736, 75620, 0}  (376, {44, 68, new_msg, 56, 1636, 1736, 75620, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0H\335\24\0\10\5\0\0" ... {40, 64, reply, 0, 1636, 1736, 75621, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\30h\15\0" )  ... {40, 64, reply, 0, 1636, 1736, 75621, 0}  (376, {44, 68, new_msg, 56, 1636, 1736, 75620, 0} "\1\31\0\0B\2\5\0\200\300\227|p\31\221|\250$\12\0\330\0\0\0\377\377\377\377\0\300\372\177\1\0\0\0H\335\24\0\10\5\0\0" ... {40, 64, reply, 0, 1636, 1736, 75621, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\30h\15\0" )  ) == 0x0
 02559  1736   NtRequestWaitReplyPort  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0}  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1636, 1736, 75622, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1636, 1736, 75622, 0}  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1636, 1736, 75622, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02560  1736   NtRequestWaitReplyPort  (376, {44, 68, new_msg, 56, 1636, 1736, 75621, 0}  (376, {44, 68, new_msg, 56, 1636, 1736, 75621, 0} "\1\0\0\0B\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0H\335\24\0\10\5\0\0" ... {40, 64, reply, 0, 1636, 1736, 75623, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\30h\15\0" )  ... {40, 64, reply, 0, 1636, 1736, 75623, 0}  (376, {44, 68, new_msg, 56, 1636, 1736, 75621, 0} "\1\0\0\0B\2\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0H\335\24\0\10\5\0\0" ... {40, 64, reply, 0, 1636, 1736, 75623, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\5\0\0\30h\15\0" )  ) == 0x0
 02561  1736   NtRequestWaitReplyPort  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0}  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1636, 1736, 75624, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ... {64, 88, reply, 56, 1636, 1736, 75624, 0}  (376, {64, 88, new_msg, 56, 1367088, 1235360, 1367360, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" ... {64, 88, reply, 56, 1636, 1736, 75624, 0} "\10\0\0\0@\0\1\1X\2\0\0\230\330\22\0H\335\24\0\264\335\22\0\30\356\220|p\5\221|\1\0\0\0H\335\24\0\14\5\0\0\14\5\0\0\30h\15\0\0\0\0\0\0\0\0\0\273f\347w" )  ) == 0x0
 02562  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 380, ) }, ... 380, ) == 0x0
 02563  1736   NtOpenKey  (0x20019, {24, 380, 0x40, 0, 0,  (0x20019, {24, 380, 0x40, 0, 0, "ActiveComputerName"}, ... 384, ) }, ... 384, ) == 0x0
 02564  1736   NtQueryValueKey  (384,  (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 02565  1736   NtClose  (384, ... ) == 0x0
 02566  1736   NtClose  (380, ... ) == 0x0
 02567  1736   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 380, ) == 0x0
 02568  1736   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 384, ) == 0x0
 02569  1736   NtDuplicateObject  (-1, 380, -1, 0x0, 0, 2, ... 388, ) == 0x0
 02570  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02571  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 392, ) == 0x0
 02572  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02573  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02574  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234820,  (0xc0100080, {24, 0, 0x40, 0, 1234820, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0
 02575  1736   NtSetInformationFile  (396, 1234876, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02576  1736   NtSetInformationFile  (396, 1234864, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02577  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02578  1736   NtWriteFile  (396, 365, 0, 0,  (396, 365, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02579  1736   NtReadFile  (396, 365, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (396, 365, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20R+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02580  1736   NtFsControlFile  (396, 365, 0x0, 0x0, 0x11c017,  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20R+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20R+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02581  1736   NtFsControlFile  (396, 365, 0x0, 0x0, 0x11c017,  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\34-\262\3274[\30F\205\266\361yT\263\265\15\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\34-\262\3274[\30F\205\266\361yT\263\265\15\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\34-\262\3274[\30F\205\266\361yT\263\265\15\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\34-\262\3274[\30F\205\266\361yT\263\265\15\0\0\0\0", ) , ) == 0x103
 02582  1736   NtFsControlFile  (396, 365, 0x0, 0x0, 0x11c017,  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\34-\262\3274[\30F\205\266\361yT\263\265\15", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\350\24\0\1\0\0\0t\350\24\0 \0\0\0\1\0\0\0\16\0\20\0\200\350\24\0\220\350\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\320\350\24\0\1\0\0\0\1\0\0\0\340\350\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (396, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\34-\262\3274[\30F\205\266\361yT\263\265\15", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\350\24\0\1\0\0\0t\350\24\0 \0\0\0\1\0\0\0\16\0\20\0\200\350\24\0\220\350\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\320\350\24\0\1\0\0\0\1\0\0\0\340\350\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02583  1736   NtClose  (392, ... ) == 0x0
 02584  1736   NtClose  (396, ... ) == 0x0
 02585  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02586  1736   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0
 02587  1736   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02588  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02589  1736   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234792,  (0xc0100080, {24, 0, 0x40, 0, 1234792, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) == 0x0
 02590  1736   NtSetInformationFile  (392, 1234848, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02591  1736   NtSetInformationFile  (392, 1234836, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02592  1736   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02593  1736   NtWriteFile  (392, 365, 0, 0,  (392, 365, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02594  1736   NtReadFile  (392, 365, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (392, 365, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20S+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02595  1736   NtFsControlFile  (392, 365, 0x0, 0x0, 0x11c017,  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20S+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\336\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20S+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02596  1736   NtFsControlFile  (392, 365, 0x0, 0x0, 0x11c017,  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\10-^\252\353\262\335D\245@\225\241v\342*\251\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\10-^\252\353\262\335D\245@\225\241v\342*\251\0\0\0\0", ) , 140, 1024, ... {status=0x103, info=48},  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\214\0\0\0\2\0\0\0t\0\0\0\0\0D\0\0\0\0\0\10-^\252\353\262\335D\245@\225\241v\342*\251\1\0\0\0\1\0\0\0,\0.\0\0\341\22\0\27\0\0\0\0\0\0\0\26\0\0\0V\0I\0R\0T\0U\0A\0L\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 140, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\10-^\252\353\262\335D\245@\225\241v\342*\251\0\0\0\0", ) , ) == 0x103
 02597  1736   NtFsControlFile  (392, 365, 0x0, 0x0, 0x11c017,  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\10-^\252\353\262\335D\245@\225\241v\342*\251", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\350\24\0\1\0\0\0t\350\24\0 \0\0\0\1\0\0\0\16\0\20\0\200\350\24\0\220\350\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\320\350\24\0\1\0\0\0\1\0\0\0\340\350\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (392, 365, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\10-^\252\353\262\335D\245@\225\241v\342*\251", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\350\24\0\1\0\0\0t\350\24\0 \0\0\0\1\0\0\0\16\0\20\0\200\350\24\0\220\350\24\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\1\0\0\0\320\350\24\0\1\0\0\0\1\0\0\0\340\350\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02598  1736   NtClose  (396, ... ) == 0x0
 02599  1736   NtClose  (392, ... ) == 0x0
 02600  1736   NtOpenProcessToken  (-1, 0x20008, ... 392, ) == 0x0
 02601  1736   NtQueryInformationToken  (392, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02602  1736   NtQueryInformationToken  (392, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 02603  1736   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 396, ) }, ... 396, ) == 0x0
 02604  1736   NtUserOpenWindowStation  ({24, 396, 0x40, 0, 0,  ({24, 396, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x190
 02605  1736   NtClose  (396, ... ) == 0x0
 02606  1736   NtUserCloseWindowStation  (400, ...
 02607  1736   NtClose  (400, ... ) == 0x0
 02606  1736   NtUserCloseWindowStation  ... ) == 0x1
 02608  1736   NtClose  (392, ... ) == 0x0
 02609  1736   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 392, ) == 0x0
 02610  1736   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 400, ) == 0x0
 02611  1736   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 396, ) == 0x0
 02612  1736   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 404, ) == 0x0
 02613  1736   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 408, ) == 0x0
 02614  1736   NtMapViewOfSection  (408, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x26e0000), {0, 0}, 8192, ) == 0x0
 02615  1736   NtQueryDefaultUILanguage  (1235484, ...
 02616  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02617  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481380, ) == 0x0
 02618  1736   NtQueryInformationToken  (-2147481380, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02619  1736   NtClose  (-2147481380, ... ) == 0x0
 02620  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481380, ) }, ... -2147481380, ) == 0x0
 02621  1736   NtOpenKey  (0x80000000, {24, -2147481380, 0x240, 0, 0,  (0x80000000, {24, -2147481380, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02622  1736   NtOpenKey  (0x80000000, {24, -2147481380, 0x640, 0, 0,  (0x80000000, {24, -2147481380, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482128, ) }, ... -2147482128, ) == 0x0
 02623  1736   NtQueryValueKey  (-2147482128,  (-2147482128, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02624  1736   NtClose  (-2147482128, ... ) == 0x0
 02625  1736   NtClose  (-2147481380, ... ) == 0x0
 02615  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 02626  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02627  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02628  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233728, ... ) }, 1233728, ... ) == 0x0
 02629  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232500, ... ) }, 1232500, ... ) == 0x0
 02630  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02631  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02632  1736   NtCreateFile  (0x10100080, {24, 0, 0x40, 0, 1234836,  (0x10100080, {24, 0, 0x40, 0, 1234836, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ab8a_appcompat.txt"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 02633  1736   NtQueryDirectoryFile  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1,  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02634  1736   NtClose  (-2147481380, ... ) == 0x0
 02635  1736   NtQueryDirectoryFile  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1,  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02636  1736   NtClose  (-2147481380, ... ) == 0x0
 02637  1736   NtQueryDirectoryFile  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1,  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02638  1736   NtClose  (-2147481380, ... ) == 0x0
 02632  1736   NtCreateFile  ... 412, {status=0x0, info=2}, ) == 0x0
 02639  1736   NtClose  (412, ... ) == 0x0
 02640  1736   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 412, ) == 0x0
 02641  1736   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2ac0000), 0x0, 4194304, ) == 0x0
 02642  1736   NtAllocateVirtualMemory  (-1, 44826624, 0, 1, 4096, 4, ... 44826624, 4096, ) == 0x0
 02643  1736   NtAllocateVirtualMemory  (-1, 44830720, 0, 4808, 4096, 4, ... 44830720, 8192, ) == 0x0
 02644  1736   NtCreateSection  (0xf0007, 0x0, {33036, 0}, 4, 134217728, 0, ... 416, ) == 0x0
 02645  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02646  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02647  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02648  1736   NtClose  (412, ... ) == 0x0
 02649  1736   NtUnmapViewOfSection  (-1, 0x2ac0000, ... ) == 0x0
 02650  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02651  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02652  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02653  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02654  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02655  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02656  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02657  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02658  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02659  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02660  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02661  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02662  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02663  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02664  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02665  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02666  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02667  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02668  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02669  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02670  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02671  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02672  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02673  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02674  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02675  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02676  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02677  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02678  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02679  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02680  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02681  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02682  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02683  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02684  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02685  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02686  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02687  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02688  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02689  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02690  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02691  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02692  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02693  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02694  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02695  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02696  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02697  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02698  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02699  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02700  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02701  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02702  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02703  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02704  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02705  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02706  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02707  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02708  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02709  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02710  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02711  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02712  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02713  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 36864, ) == 0x0
 02714  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02715  1736   NtClose  (416, ... ) == 0x0
 02716  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02717  1736   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 416, {status=0x0, info=1}, ) }, 3, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 02718  1736   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 412, ) }, ... 412, ) == 0x0
 02719  1736   NtQuerySymbolicLinkObject  (412, ...  (412, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 02720  1736   NtClose  (412, ... ) == 0x0
 02721  1736   NtQueryVolumeInformationFile  (416, 1234052, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02722  1736   NtClose  (416, ... ) == 0x0
 02723  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1232848, ... ) }, 1232848, ... ) == 0x0
 02724  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 02725  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 416, ... 412, ) == 0x0
 02726  1736   NtClose  (416, ... ) == 0x0
 02727  1736   NtMapViewOfSection  (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2700000), 0x0, 126976, ) == 0x0
 02728  1736   NtClose  (412, ... ) == 0x0
 02729  1736   NtUnmapViewOfSection  (-1, 0x2700000, ... ) == 0x0
 02730  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 1233156, ... ) }, 1233156, ... ) == 0x0
 02731  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\apphelp.dll"}, 5, 96, ... 412, {status=0x0, info=1}, ) }, 5, 96, ... 412, {status=0x0, info=1}, ) == 0x0
 02732  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 412, ... 416, ) == 0x0
 02733  1736   NtQuerySection  (416, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02734  1736   NtClose  (412, ... ) == 0x0
 02735  1736   NtMapViewOfSection  (416, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02736  1736   NtClose  (416, ... ) == 0x0
 02737  1736   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02738  1736   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02739  1736   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02740  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02741  1736   NtAllocateVirtualMemory  (-1, 1372160, 0, 12288, 4096, 4, ... 1372160, 12288, ) == 0x0
 02742  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234544, ... ) }, 1234544, ... ) == 0x0
 02743  1736   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234552,  (0x40100080, {24, 0, 0x40, 0, 1234552, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ab8a_appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 02744  1736   NtClose  (-2147481380, ... ) == 0x0
 02745  1736   NtQueryDirectoryFile  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1,  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 02746  1736   NtClose  (-2147481380, ... ) == 0x0
 02747  1736   NtQueryDirectoryFile  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1,  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02748  1736   NtClose  (-2147481380, ... ) == 0x0
 02749  1736   NtQueryDirectoryFile  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1,  (-2147481380, 0, 0, 0, -519454720, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 02750  1736   NtClose  (-2147481380, ... ) == 0x0
 02743  1736   NtCreateFile  ... 416, {status=0x0, info=3}, ) == 0x0
 02751  1736   NtAllocateVirtualMemory  (-1, 1384448, 0, 12288, 4096, 4, ... 1384448, 12288, ) == 0x0
 02752  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 412, {status=0x0, info=1}, ) }, 3, 16417, ... 412, {status=0x0, info=1}, ) == 0x0
 02753  1736   NtQueryDirectoryFile  (412, 0, 0, 0, 1233256, 616, BothDirectory, 1,  (412, 0, 0, 0, 1233256, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 02754  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 02755  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (416, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (416, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 02756  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 02757  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233636, ... ) }, 1233636, ... ) == 0x0
 02758  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0
 02759  1736   NtQueryDirectoryFile  (420, 0, 0, 0, 1233248, 592, Directory, 1,  (420, 0, 0, 0, 1233248, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 02760  1736   NtClose  (420, ... ) == 0x0
 02761  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02762  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02763  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232168, ... ) }, 1232168, ... ) == 0x0
 02764  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1230940, ... ) }, 1230940, ... ) == 0x0
 02765  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02766  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02767  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 02768  1736   NtQueryInformationFile  (420, 1233724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02769  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 420, ... 424, ) == 0x0
 02770  1736   NtMapViewOfSection  (424, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2ac0000), 0x0, 720896, ) == 0x0
 02771  1736   NtUnmapViewOfSection  (-1, 0x2ac0000, ... ) == 0x0
 02772  1736   NtClose  (424, ... ) == 0x0
 02773  1736   NtClose  (420, ... ) == 0x0
 02774  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \07\01\08\02\09\08\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\0E\04\02\07\08\0F\0F\09\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \0W\0I\0N\03\02\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\08\07\03\0C\02\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \00\0x\00\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... \01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\01\08\02\09\08\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0E\04\02\07\08\0F\0F\09\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\07\03\0C\02\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\01\01\0/\02\04\0/\02\00\00\07\0 \01\03\0:\00\05\0:\01\04\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... , 418, 0x0, 0, ...
 02775  1736   NtContinue  (-139350572, 0, ...
 02774  1736   NtWriteFile  ... {status=0x0, info=418}, ) == 0x0
 02776  1736   NtQueryDirectoryFile  (412, 0, 0, 0, 1387312, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02777  1736   NtClose  (412, ... ) == 0x0
 02778  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 02779  1736   NtClose  (416, ... ) == 0x0
 02780  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1234544, ... ) }, 1234544, ... ) == 0x0
 02781  1736   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1234552,  (0x40100080, {24, 0, 0x40, 0, 1234552, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ab8a_appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0
 02782  1736   NtQueryInformationFile  (416, 1234576, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02783  1736   NtSetInformationFile  (416, 1234608, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 02784  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 412, {status=0x0, info=1}, ) }, 3, 16417, ... 412, {status=0x0, info=1}, ) == 0x0
 02785  1736   NtQueryDirectoryFile  (412, 0, 0, 0, 1233256, 616, BothDirectory, 1,  (412, 0, 0, 0, 1233256, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 02786  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (416, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 02787  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1233608, ... ) }, 1233608, ... ) == 0x0
 02788  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0
 02789  1736   NtQueryDirectoryFile  (420, 0, 0, 0, 1233248, 592, Directory, 1,  (420, 0, 0, 0, 1233248, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 02790  1736   NtClose  (420, ... ) == 0x0
 02791  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02792  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02793  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232168, ... ) }, 1232168, ... ) == 0x0
 02794  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230940, ... ) }, 1230940, ... ) == 0x0
 02795  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02796  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02797  1736   NtQueryDefaultLocale  (1, 1233128, ... ) == 0x0
 02798  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02799  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02800  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1232160, ... ) }, 1232160, ... ) == 0x0
 02801  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 1230932, ... ) }, 1230932, ... ) == 0x0
 02802  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02803  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02804  1736   NtQueryDefaultLocale  (1, 1233120, ... ) == 0x0
 02805  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0
 02806  1736   NtQueryInformationFile  (420, 1233724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02807  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 420, ... 424, ) == 0x0
 02808  1736   NtMapViewOfSection  (424, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2ac0000), 0x0, 987136, ) == 0x0
 02809  1736   NtUnmapViewOfSection  (-1, 0x2ac0000, ... ) == 0x0
 02810  1736   NtClose  (424, ... ) == 0x0
 02811  1736   NtClose  (420, ... ) == 0x0
 02812  1736   NtQueryDefaultUILanguage  (1233080, ...
 02813  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02814  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147481380, ) == 0x0
 02815  1736   NtQueryInformationToken  (-2147481380, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02816  1736   NtClose  (-2147481380, ... ) == 0x0
 02817  1736   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147481380, ) }, ... -2147481380, ) == 0x0
 02818  1736   NtOpenKey  (0x80000000, {24, -2147481380, 0x240, 0, 0,  (0x80000000, {24, -2147481380, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02819  1736   NtOpenKey  (0x80000000, {24, -2147481380, 0x640, 0, 0,  (0x80000000, {24, -2147481380, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482128, ) }, ... -2147482128, ) == 0x0
 02820  1736   NtQueryValueKey  (-2147482128,  (-2147482128, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02821  1736   NtClose  (-2147482128, ... ) == 0x0
 02822  1736   NtClose  (-2147481380, ... ) == 0x0
 02812  1736   NtQueryDefaultUILanguage  ... ) == 0x0
 02823  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \09\08\04\05\07\06\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \00\0x\0F\00\0B\03\03\01\0F\06\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (416, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\08\04\05\07\06\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\0F\00\0B\03\03\01\0F\06\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\03\01\01\09\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0", 1666, 0x0, 0, ... {status=0x0, info=1666}, ) == 0x0
 02824  1736   NtQueryDirectoryFile  (412, 0, 0, 0, 1378608, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 02825  1736   NtClose  (412, ... ) == 0x0
 02826  1736   NtWriteFile  (416, 0, 0, 0,  (416, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 02827  1736   NtClose  (416, ... ) == 0x0
 02828  1736   NtUnmapViewOfSection  (-1, 0x77b40000, ... ) == 0x0
 02829  1736   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02830  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1231816, ... ) }, 1231816, ... ) == 0x0
 02831  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1232552, ... ) }, 1232552, ... ) == 0x0
 02832  1736   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 416, {status=0x0, info=1}, ) }, 5, 96, ... 416, {status=0x0, info=1}, ) == 0x0
 02833  1736   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 416, ... 412, ) == 0x0
 02834  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02835  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 420, ) }, ... 420, ) == 0x0
 02836  1736   NtQueryValueKey  (420,  (420, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02837  1736   NtClose  (420, ... ) == 0x0
 02838  1736   NtQueryVolumeInformationFile  (416, 1231828, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02839  1736   NtOpenMutant  (0x120001, {24, 72, 0x0, 0, 0,  (0x120001, {24, 72, 0x0, 0, 0, "ShimCacheMutex"}, ... 420, ) }, ... 420, ) == 0x0
 02840  1736   NtWaitForSingleObject  (420, 0, {-1000000, -1}, ... ) == 0x0
 02841  1736   NtOpenSection  (0x2, {24, 72, 0x0, 0, 0,  (0x2, {24, 72, 0x0, 0, 0, "ShimSharedMemory"}, ... 424, ) }, ... 424, ) == 0x0
 02842  1736   NtMapViewOfSection  (424, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2700000), {0, 0}, 57344, ) == 0x0
 02843  1736   NtReleaseMutant  (420, ... 0x0, ) == 0x0
 02844  1736   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 02845  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229760, ... ) }, 1229760, ... ) == 0x0
 02846  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 428, {status=0x0, info=1}, ) }, 5, 96, ... 428, {status=0x0, info=1}, ) == 0x0
 02847  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 428, ... 432, ) == 0x0
 02848  1736   NtClose  (428, ... ) == 0x0
 02849  1736   NtMapViewOfSection  (432, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2710000), 0x0, 126976, ) == 0x0
 02850  1736   NtClose  (432, ... ) == 0x0
 02851  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02852  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230068, ... ) }, 1230068, ... ) == 0x0
 02853  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 432, {status=0x0, info=1}, ) }, 5, 96, ... 432, {status=0x0, info=1}, ) == 0x0
 02854  1736   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 432, ... 428, ) == 0x0
 02855  1736   NtQuerySection  (428, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02856  1736   NtClose  (432, ... ) == 0x0
 02857  1736   NtMapViewOfSection  (428, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02858  1736   NtClose  (428, ... ) == 0x0
 02859  1736   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02860  1736   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02861  1736   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02862  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02863  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0
 02864  1736   NtQueryInformationFile  (428, 1230084, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02865  1736   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 428, ... 432, ) == 0x0
 02866  1736   NtMapViewOfSection  (432, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2ac0000), 0x0, 1191936, ) == 0x0
 02867  1736   NtQueryInformationFile  (428, 1230184, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02868  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02869  1736   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02870  1736   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02871  1736   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02872  1736   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 436, ) }, ... 436, ) == 0x0
 02873  1736   NtQueryValueKey  (436,  (436, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (436, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02874  1736   NtClose  (436, ... ) == 0x0
 02875  1736   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02876  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02877  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1227780, 616, BothDirectory, 1,  (436, 0, 0, 0, 1227780, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02878  1736   NtClose  (436, ... ) == 0x0
 02879  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02880  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02881  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228156, ... ) }, 1228156, ... ) == 0x0
 02882  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02883  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02884  1736   NtClose  (436, ... ) == 0x0
 02885  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02886  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02887  1736   NtClose  (436, ... ) == 0x0
 02888  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02889  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1,  (436, 0, 0, 0, 1227584, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02890  1736   NtClose  (436, ... ) == 0x0
 02891  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02892  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02893  1736   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02894  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02895  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02896  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 02897  1736   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02898  1736   NtClose  (436, ... ) == 0x0
 02899  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02900  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02901  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228988, ... ) }, 1228988, ... ) == 0x0
 02902  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02903  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02904  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227856, ... ) }, 1227856, ... ) == 0x0
 02905  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 436, {status=0x0, info=1}, ) }, 5, 96, ... 436, {status=0x0, info=1}, ) == 0x0
 02906  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 436, ... 440, ) == 0x0
 02907  1736   NtClose  (436, ... ) == 0x0
 02908  1736   NtMapViewOfSection  (440, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2710000), 0x0, 180224, ) == 0x0
 02909  1736   NtClose  (440, ... ) == 0x0
 02910  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02911  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227452, ... ) }, 1227452, ... ) == 0x0
 02912  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228196,  (0x80100080, {24, 0, 0x40, 0, 1228196, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 440, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 440, {status=0x0, info=1}, ) == 0x0
 02913  1736   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 440, ... 436, ) == 0x0
 02914  1736   NtClose  (440, ... ) == 0x0
 02915  1736   NtMapViewOfSection  (436, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2710000), {0, 0}, 180224, ) == 0x0
 02916  1736   NtClose  (436, ... ) == 0x0
 02917  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02918  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02919  1736   NtQueryDefaultLocale  (1, 1228816, ... ) == 0x0
 02920  1736   NtQueryVirtualMemory  (-1, 0x2710000, Basic, 28, ... {BaseAddress=0x2710000,AllocationBase=0x2710000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02921  1736   NtQueryVirtualMemory  (-1, 0x2710000, Basic, 28, ... {BaseAddress=0x2710000,AllocationBase=0x2710000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02922  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02923  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02924  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02925  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227848, ... ) }, 1227848, ... ) == 0x0
 02926  1736   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 5, 96, ... 436, {status=0x0, info=1}, ) }, 5, 96, ... 436, {status=0x0, info=1}, ) == 0x0
 02927  1736   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 436, ... 440, ) == 0x0
 02928  1736   NtClose  (436, ... ) == 0x0
 02929  1736   NtMapViewOfSection  (440, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2710000), 0x0, 180224, ) == 0x0
 02930  1736   NtClose  (440, ... ) == 0x0
 02931  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02932  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1227444, ... ) }, 1227444, ... ) == 0x0
 02933  1736   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1228188,  (0x80100080, {24, 0, 0x40, 0, 1228188, "\??\C:\WINDOWS\system32\dwwin.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 440, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 440, {status=0x0, info=1}, ) == 0x0
 02934  1736   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 440, ... 436, ) == 0x0
 02935  1736   NtClose  (440, ... ) == 0x0
 02936  1736   NtMapViewOfSection  (436, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2710000), {0, 0}, 180224, ) == 0x0
 02937  1736   NtClose  (436, ... ) == 0x0
 02938  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02939  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02940  1736   NtQueryDefaultLocale  (1, 1228808, ... ) == 0x0
 02941  1736   NtQueryVirtualMemory  (-1, 0x2710000, Basic, 28, ... {BaseAddress=0x2710000,AllocationBase=0x2710000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 02942  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 02943  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02944  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02945  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 02946  1736   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02947  1736   NtClose  (436, ... ) == 0x0
 02948  1736   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02949  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02950  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02951  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1229408, ... ) }, 1229408, ... ) == 0x0
 02952  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02953  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02954  1736   NtClose  (436, ... ) == 0x0
 02955  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02956  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02957  1736   NtClose  (436, ... ) == 0x0
 02958  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 02959  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228836, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02960  1736   NtClose  (436, ... ) == 0x0
 02961  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02962  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02963  1736   NtWaitForSingleObject  (420, 0, {-1000000, -1}, ... ) == 0x0
 02964  1736   NtReleaseMutant  (420, ... 0x0, ) == 0x0
 02965  1736   NtUnmapViewOfSection  (-1, 0x2ac0000, ... ) == 0x0
 02966  1736   NtClose  (432, ... ) == 0x0
 02967  1736   NtClose  (428, ... ) == 0x0
 02968  1736   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02969  1736   NtOpenProcessToken  (-1, 0xa, ... 428, ) == 0x0
 02970  1736   NtQueryInformationToken  (428, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02971  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02972  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 02973  1736   NtQueryValueKey  (432,  (432, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (432, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02974  1736   NtQueryValueKey  (432,  (432, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (432, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02975  1736   NtClose  (432, ... ) == 0x0
 02976  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02977  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 02978  1736   NtQueryValueKey  (432,  (432, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02979  1736   NtClose  (432, ... ) == 0x0
 02980  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02981  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02982  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02983  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02984  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02985  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02986  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02987  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02988  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02989  1736   NtQueryDefaultLocale  (1, 1231256, ... ) == 0x0
 02990  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 432, ) }, ... 432, ) == 0x0
 02991  1736   NtEnumerateKey  (432, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (432, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02992  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 436, ) }, ... 436, ) == 0x0
 02993  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02994  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02995  1736   NtClose  (436, ... ) == 0x0
 02996  1736   NtEnumerateKey  (432, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02997  1736   NtClose  (432, ... ) == 0x0
 02998  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 432, ) }, ... 432, ) == 0x0
 02999  1736   NtEnumerateKey  (432, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 03000  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 436, ) }, ... 436, ) == 0x0
 03001  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 03002  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03003  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03004  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03005  1736   NtClose  (436, ... ) == 0x0
 03006  1736   NtEnumerateKey  (432, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 03007  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 436, ) }, ... 436, ) == 0x0
 03008  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 03009  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03010  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03011  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03012  1736   NtClose  (436, ... ) == 0x0
 03013  1736   NtEnumerateKey  (432, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 03014  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 436, ) }, ... 436, ) == 0x0
 03015  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 03016  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03017  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03018  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03019  1736   NtClose  (436, ... ) == 0x0
 03020  1736   NtEnumerateKey  (432, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 03021  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 436, ) }, ... 436, ) == 0x0
 03022  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 03023  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03024  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03025  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03026  1736   NtClose  (436, ... ) == 0x0
 03027  1736   NtEnumerateKey  (432, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (432, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 03028  1736   NtOpenKey  (0x20019, {24, 432, 0x40, 0, 0,  (0x20019, {24, 432, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 436, ) }, ... 436, ) == 0x0
 03029  1736   NtQueryValueKey  (436,  (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (436, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 03030  1736   NtQueryValueKey  (436,  (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 03031  1736   NtQueryValueKey  (436,  (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (436, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 03032  1736   NtQueryValueKey  (436,  (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (436, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03033  1736   NtClose  (436, ... ) == 0x0
 03034  1736   NtEnumerateKey  (432, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 03035  1736   NtClose  (432, ... ) == 0x0
 03036  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03037  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03038  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03039  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03040  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03041  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03042  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03043  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03044  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03045  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03046  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03047  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03048  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03049  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03050  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03051  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03052  1736   NtClose  (432, ... ) == 0x0
 03053  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03054  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03055  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03056  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03057  1736   NtClose  (432, ... ) == 0x0
 03058  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03059  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03060  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03061  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03062  1736   NtClose  (432, ... ) == 0x0
 03063  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03064  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03065  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03066  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03067  1736   NtClose  (432, ... ) == 0x0
 03068  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03069  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03070  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03071  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03072  1736   NtClose  (432, ... ) == 0x0
 03073  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03074  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03075  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03076  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03077  1736   NtClose  (432, ... ) == 0x0
 03078  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03079  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03080  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03081  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03082  1736   NtClose  (432, ... ) == 0x0
 03083  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03084  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03085  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03086  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03087  1736   NtClose  (432, ... ) == 0x0
 03088  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03089  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03090  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03091  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03092  1736   NtClose  (432, ... ) == 0x0
 03093  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03094  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03095  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03096  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03097  1736   NtClose  (432, ... ) == 0x0
 03098  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03099  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03100  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03101  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03102  1736   NtClose  (432, ... ) == 0x0
 03103  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03104  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03105  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03106  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03107  1736   NtClose  (432, ... ) == 0x0
 03108  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03109  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03110  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03111  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03112  1736   NtClose  (432, ... ) == 0x0
 03113  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03114  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03115  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03116  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03117  1736   NtClose  (432, ... ) == 0x0
 03118  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03119  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03120  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03121  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03122  1736   NtClose  (432, ... ) == 0x0
 03123  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03124  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 03125  1736   NtQueryValueKey  (432,  (432, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (432, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (432, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 03126  1736   NtClose  (432, ... ) == 0x0
 03127  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03128  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 432, ) == 0x0
 03129  1736   NtQueryInformationToken  (432, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03130  1736   NtClose  (432, ... ) == 0x0
 03131  1736   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03132  1736   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 03133  1736   NtOpenProcessToken  (-1, 0xa, ... 432, ) == 0x0
 03134  1736   NtDuplicateToken  (432, 0xc, {24, 0, 0x0, 0, 1231688, 0x0}, 0, 2, ... 436, ) == 0x0
 03135  1736   NtClose  (432, ... ) == 0x0
 03136  1736   NtAccessCheck  (1396048, 436, 0x1, 1231764, 1231816, 56, 1231796, ... (0x1), ) == 0x0
 03137  1736   NtClose  (436, ... ) == 0x0
 03138  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 436, ) }, ... 436, ) == 0x0
 03139  1736   NtQueryValueKey  (436,  (436, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (436, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 03140  1736   NtClose  (436, ... ) == 0x0
 03141  1736   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 436, ) }, ... 436, ) == 0x0
 03142  1736   NtQuerySymbolicLinkObject  (436, ...  (436, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 03143  1736   NtClose  (436, ... ) == 0x0
 03144  1736   NtQueryVolumeInformationFile  (416, 1229520, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 03145  1736   NtQueryInformationFile  (416, 1229636, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 03146  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03147  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03148  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe"}, 1228808, ... ) }, 1228808, ... ) == 0x0
 03149  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 03150  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 03151  1736   NtClose  (436, ... ) == 0x0
 03152  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 03153  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 03154  1736   NtClose  (436, ... ) == 0x0
 03155  1736   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 436, {status=0x0, info=1}, ) }, 3, 16417, ... 436, {status=0x0, info=1}, ) == 0x0
 03156  1736   NtQueryDirectoryFile  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1,  (436, 0, 0, 0, 1228236, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 03157  1736   NtClose  (436, ... ) == 0x0
 03158  1736   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03159  1736   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03160  1736   NtQueryInformationFile  (416, 1231676, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03161  1736   NtCreateSection  (0xf0005, 0x0, {180224, 0}, 2, 134217728, 416, ... 436, ) == 0x0
 03162  1736   NtMapViewOfSection  (436, -1, (0x0), 0, 0, {0, 0}, 180224, 1, 0, 2, ... (0x2710000), {0, 0}, 180224, ) == 0x0
 03163  1736   NtClose  (436, ... ) == 0x0
 03164  1736   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 03165  1736   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 436, ) == 0x0
 03166  1736   NtQueryInformationToken  (436, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 03167  1736   NtClose  (436, ... ) == 0x0
 03168  1736   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 436, ) }, ... 436, ) == 0x0
 03169  1736   NtOpenKey  (0x20019, {24, 436, 0x40, 0, 0,  (0x20019, {24, 436, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 432, ) }, ... 432, ) == 0x0
 03170  1736   NtClose  (436, ... ) == 0x0
 03171  1736   NtQueryValueKey  (432,  (432, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 03172  1736   NtQueryValueKey  (432,  (432, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (432, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 03173  1736   NtClose  (432, ... ) == 0x0
 03174  1736   NtUnmapViewOfSection  (-1, 0x2710000, ... ) == 0x0
 03175  1736   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 40960000, 4096, ) == 0x0
 03176  1736   NtAllocateVirtualMemory  (-1, 40960000, 0, 4096, 4096, 4, ... 40960000, 4096, ) == 0x0
 03177  1736   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 432, ) }, ... 432, ) == 0x0
 03178  1736   NtQueryValueKey  (432,  (432, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03179  1736   NtClose  (432, ... ) == 0x0
 03180  1736   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03181  1736   NtQueryInformationToken  (428, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 03182  1736   NtQueryInformationToken  (428, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 03183  1736   NtClose  (428, ... ) == 0x0
 03184  1736   NtQuerySection  (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 03185  1736   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03186  1736   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 03187  1736   NtCreateProcessEx  (1233600, 2035711, 0, -1, 4, 412, 0, 0, 0, ... ) == 0x0
 03188  1736   NtSetInformationProcess  (428, PriorityClass, {process info, class 18, size 2}, 512, ... ) == 0x0
 03189  1736   NtSetInformationProcess  (428, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03190  1736   NtQueryInformationProcess  (428, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd7000,AffinityMask=0x1,BasePriority=8,Pid=1740,ParentPid=1636,}, 0x0, ) == 0x0
 03191  1736   NtReadVirtualMemory  (428, 0x7ffd7008, 4, ...  (428, 0x7ffd7008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 03192  1736   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03193  1736   NtReadVirtualMemory  (428, 0x30000000, 4096, ...  (428, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0$\206\244\23`\347\312@`\347\312@`\347\312@9\304\331@b\347\312@`\347\313@d\347\312@\210\370\301@a\347\312@\343\373\304@j\347\312@\210\370\300@I\347\312@6\370\331@h\347\312@\272\304\326@i\347\312@\220\370\301@p\347\312@`\347\312@H\346\312@Rich`\347\312@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0N\23\216?\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\0\220\2\0\0\240\0\0\0\0\0\0\232t\0\0\0\20\0\0\0\320\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\3\0\0\20\0\0\237*\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\327\211\2\0z\1\0\0\00\3\0\244\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Z\236\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0\370\0\0\0\0\20\0\0\270\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222\216\2\0", 4096, ) , 4096, ) == 0x0
 03194  1736   NtReadVirtualMemory  (428, 0x30033000, 256, ...  (428, 0x30033000, 256, ... "\0\0\0\0J\23\216?\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0J\23\216?\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\3600\3\0\26\3\0\0\0\0\0\0\0\0\0\0\104\3\0\254\1\0\0\0\0\0\0\0\0\0\0\2645\3\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 03195  1736   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 03196  1736   NtQueryInformationProcess  (428, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd7000,AffinityMask=0x1,BasePriority=8,Pid=1740,ParentPid=1636,}, 0x0, ) == 0x0
 03197  1736   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32"}, 1232552, ... ) }, 1232552, ... ) == 0x0
 03198  1736   NtAllocateVirtualMemory  (-1, 0, 0, 2428, 4096, 4, ... 41025536, 4096, ) == 0x0
 03199  1736   NtAllocateVirtualMemory  (428, 0, 0, 6464, 4096, 4, ... 65536, 8192, ) == 0x0
 03200  1736   NtWriteVirtualMemory  (428, 0x10000,  (428, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6464, ... 0x0, ) , 6464, ... 0x0, ) == 0x0
 03201  1736   NtAllocateVirtualMemory  (428, 0, 0, 2428, 4096, 4, ... 131072, 4096, ) == 0x0
 03202  1736   NtWriteVirtualMemory  (428, 0x20000,  (428, 0x20000, "\0\20\0\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0B\1\0\0\364\3\366\3\230\4\0\0:\0<\0\220\10\0\0N\0P\0\314\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0\34\11\0\0\36\0 \0X\11\0\0\0\0\2\0x\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2428, ... 0x0, ) , 2428, ... 0x0, ) == 0x0
 03203  1736   NtWriteVirtualMemory  (428, 0x7ffd7010,  (428, 0x7ffd7010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03204  1736   NtAllocateVirtualMemory  (428, 0, 0, 388, 4096, 4, ... 196608, 4096, ) == 0x0
 03205  1736   NtWriteVirtualMemory  (428, 0x30000,  (428, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\1\0\0\253\355\15\254\210\255\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 388, ... 0x0, ) , 388, ... 0x0, ) == 0x0
 03206  1736   NtWriteVirtualMemory  (428, 0x7ffd71e8,  (428, 0x7ffd71e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 03207  1736   NtFreeVirtualMemory  (-1, (0x2720000), 0, 32768, ... (0x2720000), 4096, ) == 0x0
 03208  1736   NtAllocateVirtualMemory  (428, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 03209  1736   NtAllocateVirtualMemory  (428, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 03210  1736   NtProtectVirtualMemory  (428, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 03211  1736   NtCreateThread  (0x1f03ff, 0x0, 428, 1233608, 1233272, 1, ... 432, {1740, 1852}, ) == 0x0
 03212  1736   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\257\1\0\0\260\1\0\0\314\6\0\0<\7\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1636, 1736, 75628, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\254\1\0\0\260\1\0\0\314\6\0\0<\7\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ... {168, 196, reply, 0, 1636, 1736, 75628, 0}  (24, {168, 196, new_msg, 0, 0, 2147348480, 2008285840, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\257\1\0\0\260\1\0\0\314\6\0\0<\7\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\375\177\0\0\0\0\0\0\24\0\10 \0\0" ... {168, 196, reply, 0, 1636, 1736, 75628, 0} "\0\0\0\0\0\0\1\0\0\0\0\0x\2\264w\254\1\0\0\260\1\0\0\314\6\0\0<\7\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\260\326\22\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\375\177\0\0\0\0\0\0\24\0\10 \0\0" )  ) == 0x0
 03213  1736   NtResumeThread  (432, ... 1, ) == 0x0
 03214  1736   NtClose  (416, ... ) == 0x0
 03215  1736   NtClose  (412, ... ) == 0x0
 03216  1736   NtClose  (432, ... ) == 0x0
 03217  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 03218  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03219  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ... ) == 0x0
 03220  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03221  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ...
 01121  2012   NtDelayExecution  ... ) == 0x0
 03222  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 01275  1356   NtDelayExecution  ... ) == 0x0
 03223  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 01276   868   NtDelayExecution  ... ) == 0x0
 03224   868   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0
 03225   868   NtCallbackReturn  (0, 0, 0, ...
 03226   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01277   808   NtDelayExecution  ... ) == 0x0
 01278  2020   NtDelayExecution  ... ) == 0x0
 01279   896   NtDelayExecution  ... ) == 0x0
 01280  1252   NtDelayExecution  ... ) == 0x0
 01281  2016   NtDelayExecution  ... ) == 0x0
 03227   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03228  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03229   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03230  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03231  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03232   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03233   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03234   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03227   808   NtDelayExecution  ... ) == 0x0
 03235   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03228  2020   NtDelayExecution  ... ) == 0x0
 03236  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03229   896   NtDelayExecution  ... ) == 0x0
 03237   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03230  1252   NtDelayExecution  ... ) == 0x0
 03238  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03231  2016   NtDelayExecution  ... ) == 0x0
 03239  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03222  2012   NtDelayExecution  ... ) == 0x0
 03240  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03223  1356   NtDelayExecution  ... ) == 0x0
 03241  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03234   868   NtDelayExecution  ... ) == 0x0
 03242   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03243   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03244   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03245   868   NtDelayExecution  (0, {-20010000, -1}, ...
 02043  1064   NtDelayExecution  ... ) == 0x0
 03246  1064   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 412, ) == 0x0
 03247  1064   NtCallbackReturn  (0, 0, 0, ...
 03248  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03249  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03250  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03251  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03252  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03253  1064   NtDelayExecution  (0, {-40000000, -1}, ...
 03235   808   NtDelayExecution  ... ) == 0x0
 03254   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03236  2020   NtDelayExecution  ... ) == 0x0
 03255  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03237   896   NtDelayExecution  ... ) == 0x0
 03256   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03238  1252   NtDelayExecution  ... ) == 0x0
 03257  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03239  2016   NtDelayExecution  ... ) == 0x0
 03258  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03240  2012   NtDelayExecution  ... ) == 0x0
 03259  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03241  1356   NtDelayExecution  ... ) == 0x0
 03260  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03245   868   NtDelayExecution  ... ) == 0x0
 03261   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03262   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03263   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03264   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03254   808   NtDelayExecution  ... ) == 0x0
 03265   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03255  2020   NtDelayExecution  ... ) == 0x0
 03266  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03256   896   NtDelayExecution  ... ) == 0x0
 03267   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03257  1252   NtDelayExecution  ... ) == 0x0
 03268  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03258  2016   NtDelayExecution  ... ) == 0x0
 03269  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03259  2012   NtDelayExecution  ... ) == 0x0
 03270  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03260  1356   NtDelayExecution  ... ) == 0x0
 03271  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03264   868   NtDelayExecution  ... ) == 0x0
 03272   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03273   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03274   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03275   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03221  1736   NtWaitForMultipleObjects  ... ) == 0x0
 03276  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03277  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ...
 03253  1064   NtDelayExecution  ... ) == 0x0
 03278  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03279  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03280  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03281  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03282  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03283  1064   NtDelayExecution  (0, {-40000000, -1}, ...
 03265   808   NtDelayExecution  ... ) == 0x0
 03284   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03266  2020   NtDelayExecution  ... ) == 0x0
 03285  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03267   896   NtDelayExecution  ... ) == 0x0
 03286   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03268  1252   NtDelayExecution  ... ) == 0x0
 03287  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03269  2016   NtDelayExecution  ... ) == 0x0
 03288  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03270  2012   NtDelayExecution  ... ) == 0x0
 03289  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03271  1356   NtDelayExecution  ... ) == 0x0
 03290  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03275   868   NtDelayExecution  ... ) == 0x0
 03291   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03292   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03293   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03294   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03284   808   NtDelayExecution  ... ) == 0x0
 03295   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03285  2020   NtDelayExecution  ... ) == 0x0
 03296  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03286   896   NtDelayExecution  ... ) == 0x0
 03297   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03287  1252   NtDelayExecution  ... ) == 0x0
 03298  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03288  2016   NtDelayExecution  ... ) == 0x0
 03299  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03289  2012   NtDelayExecution  ... ) == 0x0
 03300  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03290  1356   NtDelayExecution  ... ) == 0x0
 03301  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03294   868   NtDelayExecution  ... ) == 0x0
 03302   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03303   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03304   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03305   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03283  1064   NtDelayExecution  ... ) == 0x0
 03306  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03307  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03308  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03309  1064   NtDelayExecution  (0, {-3000000, -1}, ...
 03295   808   NtDelayExecution  ... ) == 0x0
 03310   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03296  2020   NtDelayExecution  ... ) == 0x0
 03311  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03297   896   NtDelayExecution  ... ) == 0x0
 03312   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03298  1252   NtDelayExecution  ... ) == 0x0
 03313  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03299  2016   NtDelayExecution  ... ) == 0x0
 03314  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03300  2012   NtDelayExecution  ... ) == 0x0
 03315  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03301  1356   NtDelayExecution  ... ) == 0x0
 03316  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03305   868   NtDelayExecution  ... ) == 0x0
 03317   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03318   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03319   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03320   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03309  1064   NtDelayExecution  ... ) == 0x0
 03321  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03322  1064   NtDelayExecution  (0, {-40000000, -1}, ...
 03277  1736   NtWaitForMultipleObjects  ... ) == 0x0
 03323  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03324  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ...
 03310   808   NtDelayExecution  ... ) == 0x0
 03325   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03311  2020   NtDelayExecution  ... ) == 0x0
 03326  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03312   896   NtDelayExecution  ... ) == 0x0
 03327   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03313  1252   NtDelayExecution  ... ) == 0x0
 03328  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03314  2016   NtDelayExecution  ... ) == 0x0
 03329  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03315  2012   NtDelayExecution  ... ) == 0x0
 03330  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03316  1356   NtDelayExecution  ... ) == 0x0
 03331  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03320   868   NtDelayExecution  ... ) == 0x0
 03332   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03333   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03334   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03335   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03325   808   NtDelayExecution  ... ) == 0x0
 03336   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03326  2020   NtDelayExecution  ... ) == 0x0
 03337  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03327   896   NtDelayExecution  ... ) == 0x0
 03338   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03328  1252   NtDelayExecution  ... ) == 0x0
 03339  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03329  2016   NtDelayExecution  ... ) == 0x0
 03340  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03330  2012   NtDelayExecution  ... ) == 0x0
 03341  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03331  1356   NtDelayExecution  ... ) == 0x0
 03342  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03335   868   NtDelayExecution  ... ) == 0x0
 03343   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03344   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03345   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03346   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03322  1064   NtDelayExecution  ... ) == 0x0
 03347  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03348  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03349  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03350  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03351  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03352  1064   NtDelayExecution  (0, {-40000000, -1}, ...
 03336   808   NtDelayExecution  ... ) == 0x0
 03353   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03337  2020   NtDelayExecution  ... ) == 0x0
 03354  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03338   896   NtDelayExecution  ... ) == 0x0
 03355   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03339  1252   NtDelayExecution  ... ) == 0x0
 03356  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03340  2016   NtDelayExecution  ... ) == 0x0
 03357  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03341  2012   NtDelayExecution  ... ) == 0x0
 03358  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03342  1356   NtDelayExecution  ... ) == 0x0
 03359  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03346   868   NtDelayExecution  ... ) == 0x0
 03360   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03361   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03362   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03363   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03324  1736   NtWaitForMultipleObjects  ... ) == 0x0
 03364  1736   NtWaitForSingleObject  (392, 0, {0, 0}, ... ) == 0x102
 03365  1736   NtWaitForMultipleObjects  (2, (400, 428, ), 1, 0, {1294967296, -1}, ...
 03353   808   NtDelayExecution  ... ) == 0x0
 03366   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03354  2020   NtDelayExecution  ... ) == 0x0
 03367  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03355   896   NtDelayExecution  ... ) == 0x0
 03368   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03356  1252   NtDelayExecution  ... ) == 0x0
 03369  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03357  2016   NtDelayExecution  ... ) == 0x0
 03370  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03358  2012   NtDelayExecution  ... ) == 0x0
 03371  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03359  1356   NtDelayExecution  ... ) == 0x0
 03372  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03363   868   NtDelayExecution  ... ) == 0x0
 03373   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03374   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03375   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03376   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03352  1064   NtDelayExecution  ... ) == 0x0
 03377  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03378  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03379  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03380  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03381  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03382  1064   NtDelayExecution  (0, {-40000000, -1}, ...
 03366   808   NtDelayExecution  ... ) == 0x0
 03383   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03367  2020   NtDelayExecution  ... ) == 0x0
 03384  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03368   896   NtDelayExecution  ... ) == 0x0
 03385   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03369  1252   NtDelayExecution  ... ) == 0x0
 03386  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03370  2016   NtDelayExecution  ... ) == 0x0
 03387  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03371  2012   NtDelayExecution  ... ) == 0x0
 03388  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03372  1356   NtDelayExecution  ... ) == 0x0
 03389  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03376   868   NtDelayExecution  ... ) == 0x0
 03390   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03391   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03392   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03393   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03383   808   NtDelayExecution  ... ) == 0x0
 03394   808   NtDelayExecution  (0, {-20010000, -1}, ...
 03384  2020   NtDelayExecution  ... ) == 0x0
 03395  2020   NtDelayExecution  (0, {-20010000, -1}, ...
 03385   896   NtDelayExecution  ... ) == 0x0
 03396   896   NtDelayExecution  (0, {-20010000, -1}, ...
 03386  1252   NtDelayExecution  ... ) == 0x0
 03397  1252   NtDelayExecution  (0, {-20010000, -1}, ...
 03387  2016   NtDelayExecution  ... ) == 0x0
 03398  2016   NtDelayExecution  (0, {-20010000, -1}, ...
 03388  2012   NtDelayExecution  ... ) == 0x0
 03399  2012   NtDelayExecution  (0, {-20010000, -1}, ...
 03389  1356   NtDelayExecution  ... ) == 0x0
 03400  1356   NtDelayExecution  (0, {-20010000, -1}, ...
 03393   868   NtDelayExecution  ... ) == 0x0
 03401   868   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03402   868   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03403   868   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03404   868   NtDelayExecution  (0, {-20010000, -1}, ...
 03382  1064   NtDelayExecution  ... ) == 0x0
 03405  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03406  1064   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 03407  1064   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 03408  1064   NtDelayExecution  (0, {-3000000, -1}, ...