Summary:


NtAccessCheck(>)  1 
NtEnumerateKey(>)  2 
NtUserBuildHwndList(>)  4 
NtUserFindExistingCursorIcon(>)  25 

NtConnectPort(>)  1 
NtGdiCreateDIBSection(>)  2 
NtWriteVirtualMemory(>)  4 
NtOpenSection(>)  27 

NtCreateMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtCreateSemaphore(>)  5 
NtQueryInformationThread(>)  27 

NtCreateProcessEx(>)  1 
NtGdiHfontCreate(>)  2 
NtGdiGetStockObject(>)  5 
NtCreateThread(>)  28 

NtDuplicateObject(>)  1 
NtGdiSelectBitmap(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtOpenProcessTokenEx(>)  28 

NtDuplicateToken(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserRegisterWindowMessage(>)  5 
NtOpenThreadTokenEx(>)  28 

NtFsControlFile(>)  1 
NtOpenEvent(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtRegisterThreadTerminatePort(>)  28 

NtGdiCreateBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtUserFindWindowEx(>)  6 
NtResumeThread(>)  28 

NtGdiCreatePatternBrushInternal(>)  1 
NtOpenThreadToken(>)  2 
NtSetInformationProcess(>)  7 
NtTestAlert(>)  28 

NtGdiDoPalette(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserCallNoParam(>)  7 
NtUnmapViewOfSection(>)  28 

NtGdiInit(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtUserSystemParametersInfo(>)  7 
NtQueryAttributesFile(>)  31 

NtGdiQueryFontAssocInfo(>)  1 
NtReadVirtualMemory(>)  2 
NtQuerySection(>)  9 
NtQueryInformationToken(>)  34 

NtNotifyChangeKey(>)  1 
NtSetValueKey(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtUserRegisterClassExWOW(>)  35 

NtOpenKeyedEvent(>)  1 
NtUserCloseDesktop(>)  2 
NtQueryDirectoryFile(>)  10 
NtContinue(>)  37 

NtOpenProcess(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserCallOneParam(>)  10 
NtOpenFile(>)  39 

NtQueryInformationJobObject(>)  1 
NtUserGetObjectInformation(>)  2 
NtUserGetWindowDC(>)  10 
NtRequestWaitReplyPort(>)  39 

NtQueryObject(>)  1 
NtUserRemoveProp(>)  2 
NtCreateFile(>)  13 
NtSetInformationThread(>)  39 

NtQueryTimerResolution(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtQueryDefaultLocale(>)  14 
NtMapViewOfSection(>)  49 

NtRaiseException(>)  1 
NtOpenMutant(>)  3 
NtQueryInformationProcess(>)  14 
NtUserGetClassInfo(>)  54 

NtSecureConnectPort(>)  1 
NtQueryVirtualMemory(>)  3 
NtFlushInstructionCache(>)  16 
NtProtectVirtualMemory(>)  73 

NtUserBuildNameList(>)  1 
NtReleaseMutant(>)  3 
NtQueryInformationFile(>)  18 
NtQueryValueKey(>)  81 

NtUserGetForegroundWindow(>)  1 
NtSetInformationFile(>)  3 
NtUserUnregisterClass(>)  18 
NtSetEvent(>)  86 

NtUserGetGUIThreadInfo(>)  1 
NtSetInformationObject(>)  3 
NtWriteFile(>)  21 
NtOpenKey(>)  103 

NtUserGetMessage(>)  1 
NtTerminateProcess(>)  3 
NtCreateEvent(>)  22 
NtUserQueryWindow(>)  113 

NtUserGetThreadDesktop(>)  1 
NtUserGetDC(>)  3 
NtFreeVirtualMemory(>)  24 
NtWaitForSingleObject(>)  121 

NtUserGetThreadState(>)  1 
NtUserOpenDesktop(>)  3 
NtQuerySystemInformation(>)  24 
NtDelayExecution(>)  125 

NtUserShowWindow(>)  1 
NtCreateKey(>)  4 
NtCreateSection(>)  25 
NtAllocateVirtualMemory(>)  145 

NtAddAtom(>)  2 
NtGdiCreateCompatibleDC(>)  4 
NtQueryDebugFilterState(>)  25 
NtClose(>)  173 

NtCallbackReturn(>)  2 
NtOpenProcessToken(>)  4 
NtReadFile(>)  25 

Trace:
 00001   460   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   460   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   460   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   460   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   460   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   460   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   460   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   460   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   460   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   460   NtClose  (12, ... ) == 0x0
 00014   460   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   460   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   460   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   460   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   460   NtClose  (16, ... ) == 0x0
 00021   460   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   460   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   460   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   460   NtClose  (16, ... ) == 0x0
 00026   460   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   460   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   460   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   460   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 456, 460, 1438, 0} "`\23\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 456, 460, 1438, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 456, 460, 1438, 0} "`\23\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   460   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   460   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   460   NtClose  (16, ... ) == 0x0
 00036   460   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   460   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   460   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   460   NtClose  (28, ... ) == 0x0
 00041   460   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   460   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   460   NtClose  (28, ... ) == 0x0
 00045   460   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   460   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   460   NtClose  (28, ... ) == 0x0
 00049   460   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   460   NtClose  (28, ... ) == 0x0
 00052   460   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   460   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   460   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 456, 460, 1440, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 456, 460, 1440, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 456, 460, 1440, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   460   NtProtectVirtualMemory  (-1, (0x449000), 4096, 4, ... (0x449000), 4096, 8, ) == 0x0
 00057   460   NtProtectVirtualMemory  (-1, (0x449000), 4096, 8, ... (0x449000), 4096, 4, ) == 0x0
 00058   460   NtFlushInstructionCache  (-1, 4493312, 4096, ... ) == 0x0
 00059   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00061   460   NtClose  (28, ... ) == 0x0
 00062   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   460   NtClose  (28, ... ) == 0x0
 00065   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00067   460   NtClose  (28, ... ) == 0x0
 00068   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00070   460   NtClose  (28, ... ) == 0x0
 00071   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00072   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00073   460   NtClose  (28, ... ) == 0x0
 00074   460   NtProtectVirtualMemory  (-1, (0x449000), 4096, 4, ... (0x449000), 4096, 4, ) == 0x0
 00075   460   NtProtectVirtualMemory  (-1, (0x449000), 4096, 4, ... (0x449000), 4096, 4, ) == 0x0
 00076   460   NtFlushInstructionCache  (-1, 4493312, 4096, ... ) == 0x0
 00077   460   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00078   460   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00079   460   NtClose  (28, ... ) == 0x0
 00080   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00081   460   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00082   460   NtClose  (28, ... ) == 0x0
 00083   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00084   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 456, 460, 1441, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 456, 460, 1441, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 456, 460, 1441, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00085   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086   460   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x6c0000), 0x0, 1060864, ) == 0x0
 00087   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00088   460   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00089   460   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00090   460   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00091   460   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00092   460   NtClose  (-2147482208, ... ) == 0x0
 00093   460   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00094   460   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00095   460   NtDuplicateObject  (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0
 00096   460   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00097   460   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   460   NtClose  (-2147482208, ... ) == 0x0
 00099   460   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00100   460   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00101   460   NtClose  (-2147482208, ... ) == 0x0
 00102   460   NtQueryDefaultLocale  (0, -133527028, ... ) == 0x0
 00103   460   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00104   460   NtUserCallNoParam  (24, ... ) == 0x0
 00105   460   NtGdiCreateCompatibleDC  (0, ...
 00106   460   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00105   460   NtGdiCreateCompatibleDC  ... ) == 0x5010414
 00107   460   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00108   460   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00109   460   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x2050417
 00110   460   NtGdiCreateSolidBrush  (0, 0, ...
 00111   460   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 11337728, 4096, ) == 0x0
 00110   460   NtGdiCreateSolidBrush  ... ) == 0x1100418
 00112   460   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00113   460   NtGdiCreateCompatibleDC  (0, ... ) == 0x1010419
 00114   460   NtGdiSelectBitmap  (16843801, 33883159, ... ) == 0x185000f
 00115   460   NtUserGetThreadDesktop  (460, 0, ... ) == 0x28
 00116   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0
 00117   460   NtQueryValueKey  (48,  (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00118   460   NtClose  (48, ... ) == 0x0
 00119   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00120   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00121   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00122   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00123   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00124   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00125   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00126   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00127   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00128   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00129   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00131   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00133   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00135   460   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00136   460   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00137   460   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00138   460   NtAllocateVirtualMemory  (-1, 8286208, 0, 4096, 4096, 32, ... 8286208, 4096, ) == 0x0
 00137   460   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00139   460   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00140   460   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00141   460   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00142   460   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00143   460   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00144   460   NtCallbackReturn  (0, 0, 0, ...
 00145   460   NtGdiInit  (... ) == 0x1
 00146   460   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00147   460   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00148   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0
 00149   460   NtQueryValueKey  (48,  (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00150   460   NtQueryValueKey  (48,  (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00151   460   NtClose  (48, ... ) == 0x0
 00152   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0
 00153   460   NtQueryValueKey  (48,  (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00154   460   NtClose  (48, ... ) == 0x0
 00155   460   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0
 00156   460   NtSetInformationObject  (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00157   460   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00158   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00159   460   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160   460   NtClose  (52, ... ) == 0x0
 00161   460   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {456, 0}, ... 52, ) == 0x0
 00162   460   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00163   460   NtClose  (52, ... ) == 0x0
 00164   460   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00165   460   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00166   460   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00167   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00168   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00169   460   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00170   460   NtClose  (52, ... ) == 0x0
 00171   460   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00172   460   NtSetInformationObject  (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00173   460   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00174   460   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175   460   NtClose  (56, ... ) == 0x0
 00176   460   NtUserSystemParametersInfo  (41, 500, 1243132, 0, ... ) == 0x1
 00177   460   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00178   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00179   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00180   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03b
 00181   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00182   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03d
 00183   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00184   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00185   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03f
 00186   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00187   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00188   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc041
 00189   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00190   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00191   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc043
 00192   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00193   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc045
 00194   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00195   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00196   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc047
 00197   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00198   460   NtUserFindExistingCursorIcon  (1242920, 1242936, 1243504, ... ) == 0x10011
 00199   460   NtUserRegisterClassExWOW  (1243372, 1243452, 1243436, 1243468, 0, 384, 0, ... ) == 0x810dc049
 00200   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00201   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00202   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04b
 00203   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00204   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00205   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04d
 00206   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00207   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00208   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04f
 00209   460   NtUserGetClassInfo  (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0x0
 00210   460   NtUserRegisterClassExWOW  (1243380, 1243460, 1243444, 1243476, 0, 384, 0, ... ) == 0x810dc051
 00211   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00212   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00213   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc053
 00214   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00215   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00216   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc055
 00217   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc057
 00218   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00219   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00220   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc059
 00221   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00222   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10013
 00223   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05b
 00224   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00225   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00226   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05d
 00227   460   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00228   460   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00229   460   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05f
 00230   460   NtTestAlert  (... ) == 0x0
 00231   460   NtContinue  (1244464, 1, ...
 00232   460   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x44a014,}, 4, ... ) == 0x0
 00233   460   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 64, ... 11403264, 8192, ) == 0x0
 00234   460   NtAllocateVirtualMemory  (-1, 0, 0, 252, 4096, 64, ... 11468800, 4096, ) == 0x0
 00235   460   NtAllocateVirtualMemory  (-1, 0, 0, 756, 4096, 64, ... 11534336, 4096, ) == 0x0
 00236   460   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 11599872, 4096, ) == 0x0
 00237   460   NtAllocateVirtualMemory  (-1, 0, 0, 1025519, 4096, 64, ... 11665408, 1028096, ) == 0x0
 00238   460   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 12713984, 4096, ) == 0x0
 00239   460   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   460   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SIWVID"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00241   460   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\NTICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00243   460   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00244   460   NtContinue  (1244368, 0, ...
 00245   460   NtContinue  (1244336, 0, ...
 00246   460   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\KERNEL32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0
 00247   460   NtQueryInformationFile  (56, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00248   460   NtAllocateVirtualMemory  (-1, 0, 0, 926720, 4096, 64, ... 12779520, 929792, ) == 0x0
 00249   460   NtReadFile  (56, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720},  (56, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\233\10S\206\337i=\325\337i=\325\337i=\325\337i<\325]h=\325%J$\325\334i=\325\337i=\325\335i=\325%J\2\325\336i=\325HJx\325\336i=\325%J}\325\334i=\325\5J!\325\16i=\325\5J \325\334i=\325%J\0\325\336i=\325Rich\337i=\325\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0H\7\0\0\336\6\0\0\0\0\0A\242\1\0\0\20\0\0\0\20\7\0\0\0\346w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\16\0\0\4\0\0\222\207\16\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0@!\2\0\210i\0\0\304-\7\0(\0\0\0\0\220\7\0\330^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\15\0\20S\0\0 V\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250f\7\0@\0\0\0\220\2\0\0\34\0\0\0\0\20\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) , ) == 0x0
 00250   460   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\USER32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00251   460   NtQueryInformationFile  (60, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00252   460   NtAllocateVirtualMemory  (-1, 0, 0, 561152, 4096, 64, ... 13762560, 561152, ) == 0x0
 00253   460   NtReadFile  (60, 0, 0, 0, 561152, 0x0, 0, ... {status=0x0, info=561152},  (60, 0, 0, 0, 561152, 0x0, 0, ... {status=0x0, info=561152}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0cf;e'\7U6'\7U6'\7U6'\7T6`\6U6\335$L6 \7U6'\7U6%\7U6\335$j6&\7U6\260$\206&\7U6\335$\256!\7U6\375$I6U\7U6\335$h6&\7U6Rich'\7U6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\262\5\0\0\340\2\0\0\0\0\0KQ\0\0\0\20\0\0\0P\5\0\0\0\324w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\320\10\0\0\4\0\0\35?\11\0\2\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0pk\1\0\251K\0\0\230\244\5\0P\0\0\0\0\360\5\0\210\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\10\0\270+\0\0\0\300\5\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\2\0\0L\0\0\0\0\20\0\0\324\4\0\0\300\241\5\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\08\260\5\0", ) , ) == 0x0
 00254   460   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244956,  (0x80100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\ADVAPI32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00255   460   NtQueryInformationFile  (64, 1245008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00256   460   NtAllocateVirtualMemory  (-1, 0, 0, 549888, 4096, 64, ... 14352384, 552960, ) == 0x0
 00257   460   NtReadFile  (64, 0, 0, 0, 549888, 0x0, 0, ... {status=0x0, info=549888},  (64, 0, 0, 0, 549888, 0x0, 0, ... {status=0x0, info=549888}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\375\343\244\227\271\202\312\304\271\202\312\304\271\202\312\304C\241\323\304\276\202\312\304\271\202\312\304\273\202\312\304C\241\212\304\275\202\312\304\364\241\326\304\262\202\312\304p\240\340\304\277\202\312\304\271\202\313\304\37\203\312\304C\241\365\304\270\202\312\304.\241\217\304\270\202\312\304c\241\327\304\255\202\312\304c\241\326\304:\202\312\304C\241\367\304\270\202\312\304Rich\271\202\312\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0B\6\0\02\2\0\0\0\0\0\373\34\0\0\0\20\0\0\0 \6\0\0\0\335w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\260\10\0\0\4\0\0\305\371\10\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\224\1\0YQ\0\0\204(\6\0P\0\0\0\0\260\6\0h\251\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\10\0\264D\0\0\330P\6\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\0L\0\0\0\0\20\0\0\\6\0\0\360&\6\0`\0\0\0\0\0\0\0", ) , ) == 0x0
 00258   460   NtClose  (64, ... ) == 0x0
 00259   460   NtClose  (60, ... ) == 0x0
 00260   460   NtClose  (56, ... ) == 0x0
 00261   460   NtRaiseException  (1244384, 1243644, 1, ...
 00262   460   NtContinue  (1242440, 0, ...
 00263   460   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 56, ) }, ... 56, ) == 0x0
 00264   460   NtOpenMutant  (0x120001, {24, 56, 0x2, 0, 0,  (0x120001, {24, 56, 0x2, 0, 0, "DBWinMutex"}, ... 60, ) }, ... 60, ) == 0x0
 00265   460   NtWaitForSingleObject  (60, 0, 0x0, ... ) == 0x0
 00266   460   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267   460   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 00268   460   NtAllocateVirtualMemory  (-1, 0, 0, 748, 4096, 4, ... 14942208, 4096, ) == 0x0
 00269   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00271   460   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == 0x0
 00273   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00274   460   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 68, ) == 0x0
 00275   460   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00276   460   NtOpenProcessToken  (-1, 0x8, ... 72, ) == 0x0
 00277   460   NtQueryInformationToken  (72, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00278   460   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 76, ) }, ... 76, ) == 0x0
 00280   460   NtQueryValueKey  (76,  (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (76, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00281   460   NtClose  (76, ... ) == 0x0
 00282   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00283   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 76, ) == 0x0
 00284   460   NtQueryInformationToken  (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00285   460   NtClose  (76, ... ) == 0x0
 00286   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00287   460   NtClose  (72, ... ) == 0x0
 00288   460   NtClose  (64, ... ) == 0x0
 00289   460   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0
 00290   460   NtClose  (68, ... ) == 0x0
 00291   460   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00292   460   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00293   460   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 64, ) == 0x0
 00294   460   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00295   460   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 76, ) }, ... 76, ) == 0x0
 00296   460   NtQueryValueKey  (76,  (76, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00297   460   NtQueryValueKey  (76,  (76, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   460   NtQueryValueKey  (76,  (76, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   460   NtQueryValueKey  (76,  (76, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00300   460   NtQueryValueKey  (76,  (76, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00301   460   NtQueryValueKey  (76,  (76, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00302   460   NtQueryValueKey  (76,  (76, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   460   NtQueryValueKey  (76,  (76, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   460   NtQueryValueKey  (76,  (76, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00305   460   NtQueryValueKey  (76,  (76, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00306   460   NtQueryValueKey  (76,  (76, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   460   NtQueryValueKey  (76,  (76, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308   460   NtQueryValueKey  (76,  (76, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   460   NtQueryValueKey  (76,  (76, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   460   NtQueryValueKey  (76,  (76, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   460   NtQueryValueKey  (76,  (76, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   460   NtQueryValueKey  (76,  (76, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00313   460   NtQueryValueKey  (76,  (76, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   460   NtQueryValueKey  (76,  (76, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00315   460   NtQueryValueKey  (76,  (76, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316   460   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 00317   460   NtQueryValueKey  (76,  (76, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00318   460   NtQueryValueKey  (76,  (76, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00319   460   NtQueryValueKey  (76,  (76, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00320   460   NtQueryValueKey  (76,  (76, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00321   460   NtQueryValueKey  (76,  (76, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00322   460   NtQueryValueKey  (76,  (76, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00323   460   NtQueryValueKey  (76,  (76, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   460   NtQueryValueKey  (76,  (76, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   460   NtQueryValueKey  (76,  (76, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00326   460   NtQueryValueKey  (76,  (76, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00327   460   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c
 00328   460   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 80, ) }, ... 80, ) == 0x0
 00329   460   NtQueryValueKey  (80,  (80, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00330   460   NtClose  (80, ... ) == 0x0
 00331   460   NtCreateEvent  (0x1f0003, {24, 56, 0x80, 0, 0,  (0x1f0003, {24, 56, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00332   460   NtQueryValueKey  (76,  (76, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00333   460   NtQueryValueKey  (76,  (76, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   460   NtQueryValueKey  (76,  (76, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335   460   NtQueryValueKey  (76,  (76, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00336   460   NtQueryValueKey  (76,  (76, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00337   460   NtQueryValueKey  (76,  (76, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00338   460   NtQueryValueKey  (76,  (76, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00339   460   NtQueryValueKey  (76,  (76, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   460   NtQueryValueKey  (76,  (76, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00341   460   NtQueryValueKey  (76,  (76, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00342   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15007744, 1048576, ) == 0x0
 00343   460   NtAllocateVirtualMemory  (-1, 16048128, 0, 8192, 4096, 4, ... 16048128, 8192, ) == 0x0
 00344   460   NtProtectVirtualMemory  (-1, (0xf4e000), 4096, 260, ... (0xf4e000), 4096, 4, ) == 0x0
 00345   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 80, {456, 384}, ) == 0x0
 00346   460   NtQueryInformationThread  (80, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=456,Tid=384,}, 0x0, ) == 0x0
 00347   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288}  (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} "\0\0\0\0\1\0\1\0-      (P\0\0\0\310\1\0\0\200\1\0\0" ... {28, 56, reply, 0, 456, 460, 1454, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (P\0\0\0\310\1\0\0\200\1\0\0" )  ... {28, 56, reply, 0, 456, 460, 1454, 0}  (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} "\0\0\0\0\1\0\1\0-      (P\0\0\0\310\1\0\0\200\1\0\0" ... {28, 56, reply, 0, 456, 460, 1454, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (P\0\0\0\310\1\0\0\200\1\0\0" )  ) == 0x0
 00348   460   NtResumeThread  (80, ... 1, ) == 0x0
 00349   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16056320, 1048576, ) == 0x0
 00350   460   NtAllocateVirtualMemory  (-1, 17096704, 0, 8192, 4096, 4, ... 17096704, 8192, ) == 0x0
 00351   460   NtProtectVirtualMemory  (-1, (0x104e000), 4096, 260, ...
 00352   384   NtTestAlert  (... ) == 0x0
 00353   384   NtContinue  (16055600, 1, ...
 00354   384   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00355   384   NtDelayExecution  (0, {-150000, -1}, ...
 00351   460   NtProtectVirtualMemory  ... (0x104e000), 4096, 4, ) == 0x0
 00356   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 84, {456, 380}, ) == 0x0
 00357   460   NtQueryInformationThread  (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=456,Tid=380,}, 0x0, ) == 0x0
 00358   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1454, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1454, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (T\0\0\0\310\1\0\0|\1\0\0" ... {28, 56, reply, 0, 456, 460, 1455, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (T\0\0\0\310\1\0\0|\1\0\0" )  ... {28, 56, reply, 0, 456, 460, 1455, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1454, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (T\0\0\0\310\1\0\0|\1\0\0" ... {28, 56, reply, 0, 456, 460, 1455, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (T\0\0\0\310\1\0\0|\1\0\0" )  ) == 0x0
 00359   460   NtResumeThread  (84, ... 1, ) == 0x0
 00360   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17104896, 1048576, ) == 0x0
 00361   380   NtTestAlert  (... ) == 0x0
 00362   380   NtContinue  (17104176, 1, ...
 00363   380   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00364   380   NtDelayExecution  (0, {-150000, -1}, ...
 00365   460   NtAllocateVirtualMemory  (-1, 18145280, 0, 8192, 4096, 4, ... 18145280, 8192, ) == 0x0
 00366   460   NtProtectVirtualMemory  (-1, (0x114e000), 4096, 260, ... (0x114e000), 4096, 4, ) == 0x0
 00367   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 88, {456, 568}, ) == 0x0
 00368   460   NtQueryInformationThread  (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=456,Tid=568,}, 0x0, ) == 0x0
 00369   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1455, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1455, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (X\0\0\0\310\1\0\08\2\0\0" ... {28, 56, reply, 0, 456, 460, 1456, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (X\0\0\0\310\1\0\08\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1456, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1455, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (X\0\0\0\310\1\0\08\2\0\0" ... {28, 56, reply, 0, 456, 460, 1456, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (X\0\0\0\310\1\0\08\2\0\0" )  ) == 0x0
 00370   460   NtResumeThread  (88, ... 1, ) == 0x0
 00371   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18153472, 1048576, ) == 0x0
 00372   460   NtAllocateVirtualMemory  (-1, 19193856, 0, 8192, 4096, 4, ... 19193856, 8192, ) == 0x0
 00373   460   NtProtectVirtualMemory  (-1, (0x124e000), 4096, 260, ...
 00374   568   NtTestAlert  (... ) == 0x0
 00375   568   NtContinue  (18152752, 1, ...
 00376   568   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00377   568   NtDelayExecution  (0, {-150000, -1}, ...
 00373   460   NtProtectVirtualMemory  ... (0x124e000), 4096, 4, ) == 0x0
 00378   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 92, {456, 572}, ) == 0x0
 00379   460   NtQueryInformationThread  (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=456,Tid=572,}, 0x0, ) == 0x0
 00380   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1456, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1456, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\\0\0\0\310\1\0\0<\2\0\0" ... {28, 56, reply, 0, 456, 460, 1457, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\\0\0\0\310\1\0\0<\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1457, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1456, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\\0\0\0\310\1\0\0<\2\0\0" ... {28, 56, reply, 0, 456, 460, 1457, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\\0\0\0\310\1\0\0<\2\0\0" )  ) == 0x0
 00381   460   NtResumeThread  (92, ... 1, ) == 0x0
 00382   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19202048, 1048576, ) == 0x0
 00383   572   NtTestAlert  (... ) == 0x0
 00384   572   NtContinue  (19201328, 1, ...
 00385   572   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00386   572   NtDelayExecution  (0, {-150000, -1}, ...
 00387   460   NtAllocateVirtualMemory  (-1, 20242432, 0, 8192, 4096, 4, ... 20242432, 8192, ) == 0x0
 00388   460   NtProtectVirtualMemory  (-1, (0x134e000), 4096, 260, ... (0x134e000), 4096, 4, ) == 0x0
 00389   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 96, {456, 588}, ) == 0x0
 00390   460   NtQueryInformationThread  (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=456,Tid=588,}, 0x0, ) == 0x0
 00391   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1457, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1457, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (`\0\0\0\310\1\0\0L\2\0\0" ... {28, 56, reply, 0, 456, 460, 1458, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (`\0\0\0\310\1\0\0L\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1458, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1457, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (`\0\0\0\310\1\0\0L\2\0\0" ... {28, 56, reply, 0, 456, 460, 1458, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (`\0\0\0\310\1\0\0L\2\0\0" )  ) == 0x0
 00392   460   NtResumeThread  (96, ... 1, ) == 0x0
 00393   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20250624, 1048576, ) == 0x0
 00394   460   NtAllocateVirtualMemory  (-1, 21291008, 0, 8192, 4096, 4, ... 21291008, 8192, ) == 0x0
 00395   460   NtProtectVirtualMemory  (-1, (0x144e000), 4096, 260, ...
 00396   588   NtTestAlert  (... ) == 0x0
 00397   588   NtContinue  (20249904, 1, ...
 00398   588   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00399   588   NtDelayExecution  (0, {-150000, -1}, ...
 00395   460   NtProtectVirtualMemory  ... (0x144e000), 4096, 4, ) == 0x0
 00400   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 100, {456, 580}, ) == 0x0
 00401   460   NtQueryInformationThread  (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=456,Tid=580,}, 0x0, ) == 0x0
 00402   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1458, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1458, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (d\0\0\0\310\1\0\0D\2\0\0" ... {28, 56, reply, 0, 456, 460, 1459, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (d\0\0\0\310\1\0\0D\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1459, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1458, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (d\0\0\0\310\1\0\0D\2\0\0" ... {28, 56, reply, 0, 456, 460, 1459, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (d\0\0\0\310\1\0\0D\2\0\0" )  ) == 0x0
 00403   460   NtResumeThread  (100, ... 1, ) == 0x0
 00404   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21299200, 1048576, ) == 0x0
 00405   580   NtTestAlert  (... ) == 0x0
 00406   580   NtContinue  (21298480, 1, ...
 00407   580   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00408   580   NtDelayExecution  (0, {-150000, -1}, ...
 00409   460   NtAllocateVirtualMemory  (-1, 22339584, 0, 8192, 4096, 4, ... 22339584, 8192, ) == 0x0
 00410   460   NtProtectVirtualMemory  (-1, (0x154e000), 4096, 260, ... (0x154e000), 4096, 4, ) == 0x0
 00411   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 104, {456, 584}, ) == 0x0
 00412   460   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=456,Tid=584,}, 0x0, ) == 0x0
 00413   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1459, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1459, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (h\0\0\0\310\1\0\0H\2\0\0" ... {28, 56, reply, 0, 456, 460, 1460, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (h\0\0\0\310\1\0\0H\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1460, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1459, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (h\0\0\0\310\1\0\0H\2\0\0" ... {28, 56, reply, 0, 456, 460, 1460, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (h\0\0\0\310\1\0\0H\2\0\0" )  ) == 0x0
 00414   460   NtResumeThread  (104, ... 1, ) == 0x0
 00415   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22347776, 1048576, ) == 0x0
 00416   460   NtAllocateVirtualMemory  (-1, 23388160, 0, 8192, 4096, 4, ... 23388160, 8192, ) == 0x0
 00417   460   NtProtectVirtualMemory  (-1, (0x164e000), 4096, 260, ...
 00418   584   NtTestAlert  (... ) == 0x0
 00419   584   NtContinue  (22347056, 1, ...
 00420   584   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00421   584   NtDelayExecution  (0, {-150000, -1}, ...
 00417   460   NtProtectVirtualMemory  ... (0x164e000), 4096, 4, ) == 0x0
 00422   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 108, {456, 576}, ) == 0x0
 00423   460   NtQueryInformationThread  (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=456,Tid=576,}, 0x0, ) == 0x0
 00424   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1460, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1460, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (l\0\0\0\310\1\0\0@\2\0\0" ... {28, 56, reply, 0, 456, 460, 1461, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (l\0\0\0\310\1\0\0@\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1461, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1460, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (l\0\0\0\310\1\0\0@\2\0\0" ... {28, 56, reply, 0, 456, 460, 1461, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (l\0\0\0\310\1\0\0@\2\0\0" )  ) == 0x0
 00425   460   NtResumeThread  (108, ... 1, ) == 0x0
 00426   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00427   576   NtTestAlert  (... ) == 0x0
 00428   576   NtContinue  (23395632, 1, ...
 00429   576   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00430   576   NtDelayExecution  (0, {-20010000, -1}, ...
 00431   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00432   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 00433   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00434   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 128, ) == 0x0
 00435   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 00436   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0
 00437   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00438   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00439   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 00440   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 00441   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 00442   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 00443   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 00444   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0
 00445   460   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0
 00446   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23396352, 1048576, ) == 0x0
 00447   460   NtAllocateVirtualMemory  (-1, 24436736, 0, 8192, 4096, 4, ... 24436736, 8192, ) == 0x0
 00448   460   NtProtectVirtualMemory  (-1, (0x174e000), 4096, 260, ... (0x174e000), 4096, 4, ) == 0x0
 00449   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 176, {456, 596}, ) == 0x0
 00450   460   NtQueryInformationThread  (176, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=456,Tid=596,}, 0x0, ) == 0x0
 00451   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 12886031, 6601017, 6567576, 6567576}  (24, {28, 56, new_msg, 0, 12886031, 6601017, 6567576, 6567576} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\260\0\0\0\310\1\0\0T\2\0\0" ... {28, 56, reply, 0, 456, 460, 1462, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\310\1\0\0T\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1462, 0}  (24, {28, 56, new_msg, 0, 12886031, 6601017, 6567576, 6567576} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\260\0\0\0\310\1\0\0T\2\0\0" ... {28, 56, reply, 0, 456, 460, 1462, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\260\0\0\0\310\1\0\0T\2\0\0" )  ) == 0x0
 00452   460   NtResumeThread  (176, ... 1, ) == 0x0
 00453   460   NtSetInformationThread  (176, BasePriority, {thread info, class 3, size 4}, 4, ...
 00454   596   NtTestAlert  (... ) == 0x0
 00455   596   NtContinue  (24444208, 1, ...
 00456   596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00457   596   NtWaitForSingleObject  (112, 0, 0x0, ...
 00453   460   NtSetInformationThread  ... ) == 0x0
 00458   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24444928, 1048576, ) == 0x0
 00459   460   NtAllocateVirtualMemory  (-1, 25485312, 0, 8192, 4096, 4, ... 25485312, 8192, ) == 0x0
 00460   460   NtProtectVirtualMemory  (-1, (0x184e000), 4096, 260, ... (0x184e000), 4096, 4, ) == 0x0
 00461   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 180, {456, 636}, ) == 0x0
 00462   460   NtQueryInformationThread  (180, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=456,Tid=636,}, 0x0, ) == 0x0
 00463   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1462, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1462, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\310\1\0\0|\2\0\0" ... {28, 56, reply, 0, 456, 460, 1463, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\310\1\0\0|\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1463, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1462, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\310\1\0\0|\2\0\0" ... {28, 56, reply, 0, 456, 460, 1463, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\264\0\0\0\310\1\0\0|\2\0\0" )  ) == 0x0
 00464   460   NtResumeThread  (180, ... 1, ) == 0x0
 00465   460   NtSetInformationThread  (180, BasePriority, {thread info, class 3, size 4}, 4, ...
 00466   636   NtTestAlert  (... ) == 0x0
 00467   636   NtContinue  (25492784, 1, ...
 00468   636   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00469   636   NtWaitForSingleObject  (116, 0, 0x0, ...
 00465   460   NtSetInformationThread  ... ) == 0x0
 00470   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 25493504, 1048576, ) == 0x0
 00471   460   NtAllocateVirtualMemory  (-1, 26533888, 0, 8192, 4096, 4, ... 26533888, 8192, ) == 0x0
 00472   460   NtProtectVirtualMemory  (-1, (0x194e000), 4096, 260, ... (0x194e000), 4096, 4, ) == 0x0
 00473   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 184, {456, 732}, ) == 0x0
 00474   460   NtQueryInformationThread  (184, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=456,Tid=732,}, 0x0, ) == 0x0
 00475   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1463, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1463, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\310\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 456, 460, 1464, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\310\1\0\0\334\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1464, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1463, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\310\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 456, 460, 1464, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\270\0\0\0\310\1\0\0\334\2\0\0" )  ) == 0x0
 00476   460   NtResumeThread  (184, ... 1, ) == 0x0
 00477   460   NtSetInformationThread  (184, BasePriority, {thread info, class 3, size 4}, 4, ...
 00478   732   NtTestAlert  (... ) == 0x0
 00479   732   NtContinue  (26541360, 1, ...
 00480   732   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00481   732   NtWaitForSingleObject  (120, 0, 0x0, ...
 00477   460   NtSetInformationThread  ... ) == 0x0
 00482   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26542080, 1048576, ) == 0x0
 00483   460   NtAllocateVirtualMemory  (-1, 27582464, 0, 8192, 4096, 4, ... 27582464, 8192, ) == 0x0
 00484   460   NtProtectVirtualMemory  (-1, (0x1a4e000), 4096, 260, ... (0x1a4e000), 4096, 4, ) == 0x0
 00485   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 188, {456, 744}, ) == 0x0
 00486   460   NtQueryInformationThread  (188, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=456,Tid=744,}, 0x0, ) == 0x0
 00487   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1464, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1464, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\310\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 456, 460, 1465, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\310\1\0\0\350\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1465, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1464, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\310\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 456, 460, 1465, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\274\0\0\0\310\1\0\0\350\2\0\0" )  ) == 0x0
 00488   460   NtResumeThread  (188, ... 1, ) == 0x0
 00489   744   NtTestAlert  (... ) == 0x0
 00490   744   NtContinue  (27589936, 1, ...
 00491   744   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00492   744   NtWaitForSingleObject  (124, 0, 0x0, ...
 00493   460   NtSetInformationThread  (188, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00494   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27590656, 1048576, ) == 0x0
 00495   460   NtAllocateVirtualMemory  (-1, 28631040, 0, 8192, 4096, 4, ... 28631040, 8192, ) == 0x0
 00496   460   NtProtectVirtualMemory  (-1, (0x1b4e000), 4096, 260, ... (0x1b4e000), 4096, 4, ) == 0x0
 00497   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 192, {456, 676}, ) == 0x0
 00498   460   NtQueryInformationThread  (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=456,Tid=676,}, 0x0, ) == 0x0
 00499   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1465, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1465, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\310\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 456, 460, 1466, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\310\1\0\0\244\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1466, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1465, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\310\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 456, 460, 1466, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\300\0\0\0\310\1\0\0\244\2\0\0" )  ) == 0x0
 00500   460   NtResumeThread  (192, ... 1, ) == 0x0
 00501   460   NtSetInformationThread  (192, BasePriority, {thread info, class 3, size 4}, 4, ...
 00502   676   NtTestAlert  (... ) == 0x0
 00503   676   NtContinue  (28638512, 1, ...
 00504   676   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00505   676   NtWaitForSingleObject  (128, 0, 0x0, ...
 00501   460   NtSetInformationThread  ... ) == 0x0
 00506   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28639232, 1048576, ) == 0x0
 00507   460   NtAllocateVirtualMemory  (-1, 29679616, 0, 8192, 4096, 4, ... 29679616, 8192, ) == 0x0
 00508   460   NtProtectVirtualMemory  (-1, (0x1c4e000), 4096, 260, ... (0x1c4e000), 4096, 4, ) == 0x0
 00509   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 196, {456, 788}, ) == 0x0
 00510   460   NtQueryInformationThread  (196, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=456,Tid=788,}, 0x0, ) == 0x0
 00511   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1466, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1466, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\310\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 456, 460, 1467, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\310\1\0\0\24\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1467, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1466, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\310\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 456, 460, 1467, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\304\0\0\0\310\1\0\0\24\3\0\0" )  ) == 0x0
 00512   460   NtResumeThread  (196, ... 1, ) == 0x0
 00513   460   NtSetInformationThread  (196, BasePriority, {thread info, class 3, size 4}, 4, ...
 00514   788   NtTestAlert  (... ) == 0x0
 00515   788   NtContinue  (29687088, 1, ...
 00516   788   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00517   788   NtWaitForSingleObject  (132, 0, 0x0, ...
 00513   460   NtSetInformationThread  ... ) == 0x0
 00518   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29687808, 1048576, ) == 0x0
 00519   460   NtAllocateVirtualMemory  (-1, 30728192, 0, 8192, 4096, 4, ... 30728192, 8192, ) == 0x0
 00520   460   NtProtectVirtualMemory  (-1, (0x1d4e000), 4096, 260, ... (0x1d4e000), 4096, 4, ) == 0x0
 00521   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 200, {456, 784}, ) == 0x0
 00522   460   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=456,Tid=784,}, 0x0, ) == 0x0
 00523   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1467, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1467, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\310\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 456, 460, 1468, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\310\1\0\0\20\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1468, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1467, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\310\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 456, 460, 1468, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\310\1\0\0\20\3\0\0" )  ) == 0x0
 00524   460   NtResumeThread  (200, ... 1, ) == 0x0
 00525   460   NtSetInformationThread  (200, BasePriority, {thread info, class 3, size 4}, 4, ...
 00526   784   NtTestAlert  (... ) == 0x0
 00527   784   NtContinue  (30735664, 1, ...
 00528   784   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00529   784   NtWaitForSingleObject  (136, 0, 0x0, ...
 00525   460   NtSetInformationThread  ... ) == 0x0
 00530   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30736384, 1048576, ) == 0x0
 00531   460   NtAllocateVirtualMemory  (-1, 31776768, 0, 8192, 4096, 4, ... 31776768, 8192, ) == 0x0
 00532   460   NtProtectVirtualMemory  (-1, (0x1e4e000), 4096, 260, ... (0x1e4e000), 4096, 4, ) == 0x0
 00533   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 204, {456, 716}, ) == 0x0
 00534   460   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=456,Tid=716,}, 0x0, ) == 0x0
 00355   384   NtDelayExecution  ... ) == 0x0
 00364   380   NtDelayExecution  ... ) == 0x0
 00377   568   NtDelayExecution  ... ) == 0x0
 00386   572   NtDelayExecution  ... ) == 0x0
 00399   588   NtDelayExecution  ... ) == 0x0
 00408   580   NtDelayExecution  ... ) == 0x0
 00421   584   NtDelayExecution  ... ) == 0x0
 00535   384   NtDelayExecution  (0, {-20010000, -1}, ...
 00536   380   NtDelayExecution  (0, {-20010000, -1}, ...
 00537   568   NtContinue  (18152676, 0, ...
 00538   572   NtDelayExecution  (0, {-20010000, -1}, ...
 00539   588   NtDelayExecution  (0, {-20010000, -1}, ...
 00540   580   NtDelayExecution  (0, {-20010000, -1}, ...
 00541   584   NtDelayExecution  (0, {-20010000, -1}, ...
 00542   568   NtDelayExecution  (0, {-20010000, -1}, ...
 00543   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1468, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1468, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\310\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 456, 460, 1469, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\310\1\0\0\314\2\0\0" )  ... {28, 56, reply, 0, 456, 460, 1469, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1468, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\310\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 456, 460, 1469, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\310\1\0\0\314\2\0\0" )  ) == 0x0
 00544   460   NtResumeThread  (204, ... 1, ) == 0x0
 00545   460   NtSetInformationThread  (204, BasePriority, {thread info, class 3, size 4}, 4, ...
 00546   716   NtTestAlert  (... ) == 0x0
 00547   716   NtContinue  (31784240, 1, ...
 00548   716   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00549   716   NtWaitForSingleObject  (140, 0, 0x0, ...
 00545   460   NtSetInformationThread  ... ) == 0x0
 00550   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31784960, 1048576, ) == 0x0
 00551   460   NtAllocateVirtualMemory  (-1, 32825344, 0, 8192, 4096, 4, ... 32825344, 8192, ) == 0x0
 00552   460   NtProtectVirtualMemory  (-1, (0x1f4e000), 4096, 260, ... (0x1f4e000), 4096, 4, ) == 0x0
 00553   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 208, {456, 308}, ) == 0x0
 00554   460   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=456,Tid=308,}, 0x0, ) == 0x0
 00555   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1469, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1469, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\310\1\0\04\1\0\0" ... {28, 56, reply, 0, 456, 460, 1470, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\310\1\0\04\1\0\0" )  ... {28, 56, reply, 0, 456, 460, 1470, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1469, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\310\1\0\04\1\0\0" ... {28, 56, reply, 0, 456, 460, 1470, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\310\1\0\04\1\0\0" )  ) == 0x0
 00556   460   NtResumeThread  (208, ... 1, ) == 0x0
 00557   460   NtSetInformationThread  (208, BasePriority, {thread info, class 3, size 4}, 4, ...
 00558   308   NtTestAlert  (... ) == 0x0
 00559   308   NtContinue  (32832816, 1, ...
 00560   308   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00561   308   NtWaitForSingleObject  (144, 0, 0x0, ...
 00557   460   NtSetInformationThread  ... ) == 0x0
 00562   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32833536, 1048576, ) == 0x0
 00563   460   NtAllocateVirtualMemory  (-1, 33873920, 0, 8192, 4096, 4, ... 33873920, 8192, ) == 0x0
 00564   460   NtProtectVirtualMemory  (-1, (0x204e000), 4096, 260, ... (0x204e000), 4096, 4, ) == 0x0
 00565   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 212, {456, 840}, ) == 0x0
 00566   460   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=456,Tid=840,}, 0x0, ) == 0x0
 00567   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1470, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1470, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\310\1\0\0H\3\0\0" ... {28, 56, reply, 0, 456, 460, 1471, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\310\1\0\0H\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1471, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1470, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\310\1\0\0H\3\0\0" ... {28, 56, reply, 0, 456, 460, 1471, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\310\1\0\0H\3\0\0" )  ) == 0x0
 00568   460   NtResumeThread  (212, ... 1, ) == 0x0
 00569   460   NtSetInformationThread  (212, BasePriority, {thread info, class 3, size 4}, 4, ...
 00570   840   NtTestAlert  (... ) == 0x0
 00571   840   NtContinue  (33881392, 1, ...
 00572   840   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00573   840   NtWaitForSingleObject  (148, 0, 0x0, ...
 00569   460   NtSetInformationThread  ... ) == 0x0
 00574   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33882112, 1048576, ) == 0x0
 00575   460   NtAllocateVirtualMemory  (-1, 34922496, 0, 8192, 4096, 4, ... 34922496, 8192, ) == 0x0
 00576   460   NtProtectVirtualMemory  (-1, (0x214e000), 4096, 260, ... (0x214e000), 4096, 4, ) == 0x0
 00577   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 216, {456, 836}, ) == 0x0
 00578   460   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=456,Tid=836,}, 0x0, ) == 0x0
 00579   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1471, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1471, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\310\1\0\0D\3\0\0" ... {28, 56, reply, 0, 456, 460, 1472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\310\1\0\0D\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1472, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1471, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\310\1\0\0D\3\0\0" ... {28, 56, reply, 0, 456, 460, 1472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\310\1\0\0D\3\0\0" )  ) == 0x0
 00580   460   NtResumeThread  (216, ... 1, ) == 0x0
 00581   460   NtSetInformationThread  (216, BasePriority, {thread info, class 3, size 4}, 4, ...
 00582   836   NtTestAlert  (... ) == 0x0
 00583   836   NtContinue  (34929968, 1, ...
 00584   836   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00585   836   NtWaitForSingleObject  (152, 0, 0x0, ...
 00581   460   NtSetInformationThread  ... ) == 0x0
 00586   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34930688, 1048576, ) == 0x0
 00587   460   NtAllocateVirtualMemory  (-1, 35971072, 0, 8192, 4096, 4, ... 35971072, 8192, ) == 0x0
 00588   460   NtProtectVirtualMemory  (-1, (0x224e000), 4096, 260, ... (0x224e000), 4096, 4, ) == 0x0
 00589   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 220, {456, 844}, ) == 0x0
 00590   460   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=456,Tid=844,}, 0x0, ) == 0x0
 00591   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1472, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\310\1\0\0L\3\0\0" ... {28, 56, reply, 0, 456, 460, 1473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\310\1\0\0L\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1473, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\310\1\0\0L\3\0\0" ... {28, 56, reply, 0, 456, 460, 1473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\310\1\0\0L\3\0\0" )  ) == 0x0
 00592   460   NtResumeThread  (220, ... 1, ) == 0x0
 00593   460   NtSetInformationThread  (220, BasePriority, {thread info, class 3, size 4}, 4, ...
 00594   844   NtTestAlert  (... ) == 0x0
 00595   844   NtContinue  (35978544, 1, ...
 00596   844   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00597   844   NtWaitForSingleObject  (156, 0, 0x0, ...
 00593   460   NtSetInformationThread  ... ) == 0x0
 00598   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35979264, 1048576, ) == 0x0
 00599   460   NtAllocateVirtualMemory  (-1, 37019648, 0, 8192, 4096, 4, ... 37019648, 8192, ) == 0x0
 00600   460   NtProtectVirtualMemory  (-1, (0x234e000), 4096, 260, ... (0x234e000), 4096, 4, ) == 0x0
 00601   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 224, {456, 864}, ) == 0x0
 00602   460   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=456,Tid=864,}, 0x0, ) == 0x0
 00603   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1473, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\310\1\0\0`\3\0\0" ... {28, 56, reply, 0, 456, 460, 1474, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\310\1\0\0`\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1474, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\310\1\0\0`\3\0\0" ... {28, 56, reply, 0, 456, 460, 1474, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\310\1\0\0`\3\0\0" )  ) == 0x0
 00604   460   NtResumeThread  (224, ... 1, ) == 0x0
 00605   864   NtTestAlert  (... ) == 0x0
 00606   864   NtContinue  (37027120, 1, ...
 00607   864   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00608   864   NtWaitForSingleObject  (160, 0, 0x0, ...
 00609   460   NtSetInformationThread  (224, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00610   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37027840, 1048576, ) == 0x0
 00611   460   NtAllocateVirtualMemory  (-1, 38068224, 0, 8192, 4096, 4, ... 38068224, 8192, ) == 0x0
 00612   460   NtProtectVirtualMemory  (-1, (0x244e000), 4096, 260, ... (0x244e000), 4096, 4, ) == 0x0
 00613   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 228, {456, 868}, ) == 0x0
 00614   460   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=456,Tid=868,}, 0x0, ) == 0x0
 00615   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1474, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1474, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\310\1\0\0d\3\0\0" ... {28, 56, reply, 0, 456, 460, 1475, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\310\1\0\0d\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1475, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1474, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\310\1\0\0d\3\0\0" ... {28, 56, reply, 0, 456, 460, 1475, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\310\1\0\0d\3\0\0" )  ) == 0x0
 00616   460   NtResumeThread  (228, ... 1, ) == 0x0
 00617   460   NtSetInformationThread  (228, BasePriority, {thread info, class 3, size 4}, 4, ...
 00618   868   NtTestAlert  (... ) == 0x0
 00619   868   NtContinue  (38075696, 1, ...
 00620   868   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00621   868   NtWaitForSingleObject  (164, 0, 0x0, ...
 00617   460   NtSetInformationThread  ... ) == 0x0
 00622   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38076416, 1048576, ) == 0x0
 00623   460   NtAllocateVirtualMemory  (-1, 39116800, 0, 8192, 4096, 4, ... 39116800, 8192, ) == 0x0
 00624   460   NtProtectVirtualMemory  (-1, (0x254e000), 4096, 260, ... (0x254e000), 4096, 4, ) == 0x0
 00625   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 232, {456, 872}, ) == 0x0
 00626   460   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=456,Tid=872,}, 0x0, ) == 0x0
 00627   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1475, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1475, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\310\1\0\0h\3\0\0" ... {28, 56, reply, 0, 456, 460, 1476, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\310\1\0\0h\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1476, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1475, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\310\1\0\0h\3\0\0" ... {28, 56, reply, 0, 456, 460, 1476, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\310\1\0\0h\3\0\0" )  ) == 0x0
 00628   460   NtResumeThread  (232, ... 1, ) == 0x0
 00629   460   NtSetInformationThread  (232, BasePriority, {thread info, class 3, size 4}, 4, ...
 00630   872   NtTestAlert  (... ) == 0x0
 00631   872   NtContinue  (39124272, 1, ...
 00632   872   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00633   872   NtWaitForSingleObject  (168, 0, 0x0, ...
 00629   460   NtSetInformationThread  ... ) == 0x0
 00634   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 39124992, 1048576, ) == 0x0
 00635   460   NtAllocateVirtualMemory  (-1, 40165376, 0, 8192, 4096, 4, ... 40165376, 8192, ) == 0x0
 00636   460   NtProtectVirtualMemory  (-1, (0x264e000), 4096, 260, ... (0x264e000), 4096, 4, ) == 0x0
 00637   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 236, {456, 876}, ) == 0x0
 00638   460   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=456,Tid=876,}, 0x0, ) == 0x0
 00639   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 456, 460, 1476, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1476, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\310\1\0\0l\3\0\0" ... {28, 56, reply, 0, 456, 460, 1477, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\310\1\0\0l\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1477, 0}  (24, {28, 56, new_msg, 0, 456, 460, 1476, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\310\1\0\0l\3\0\0" ... {28, 56, reply, 0, 456, 460, 1477, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\310\1\0\0l\3\0\0" )  ) == 0x0
 00640   460   NtResumeThread  (236, ... 1, ) == 0x0
 00641   460   NtSetInformationThread  (236, BasePriority, {thread info, class 3, size 4}, 4, ...
 00642   876   NtTestAlert  (... ) == 0x0
 00643   876   NtContinue  (40172848, 1, ...
 00644   876   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00645   876   NtWaitForSingleObject  (172, 0, 0x0, ...
 00641   460   NtSetInformationThread  ... ) == 0x0
 00646   460   NtSetEvent  (152, ...
 00585   836   NtWaitForSingleObject  ... ) == 0x0
 00647   836   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00648   836   NtWaitForSingleObject  (152, 0, 0x0, ...
 00646   460   NtSetEvent  ... 0x0, ) == 0x0
 00649   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00650   460   NtSetEvent  (112, ...
 00457   596   NtWaitForSingleObject  ... ) == 0x0
 00651   596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00652   596   NtWaitForSingleObject  (112, 0, 0x0, ...
 00650   460   NtSetEvent  ... 0x0, ) == 0x0
 00653   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00654   460   NtSetEvent  (168, ...
 00633   872   NtWaitForSingleObject  ... ) == 0x0
 00655   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00656   872   NtWaitForSingleObject  (168, 0, 0x0, ...
 00654   460   NtSetEvent  ... 0x0, ) == 0x0
 00657   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00658   460   NtQueryVirtualMemory  (-1, 0x10000, Basic, 28, ... {BaseAddress=0x10000,AllocationBase=0x10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 00659   460   NtSetEvent  (140, ...
 00549   716   NtWaitForSingleObject  ... ) == 0x0
 00660   716   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00661   716   NtWaitForSingleObject  (140, 0, 0x0, ...
 00659   460   NtSetEvent  ... 0x0, ) == 0x0
 00662   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00663   460   NtSetEvent  (120, ...
 00481   732   NtWaitForSingleObject  ... ) == 0x0
 00664   732   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00665   732   NtWaitForSingleObject  (120, 0, 0x0, ...
 00663   460   NtSetEvent  ... 0x0, ) == 0x0
 00666   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00667   460   NtSetEvent  (168, ...
 00656   872   NtWaitForSingleObject  ... ) == 0x0
 00668   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00669   872   NtWaitForSingleObject  (168, 0, 0x0, ...
 00667   460   NtSetEvent  ... 0x0, ) == 0x0
 00670   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00671   460   NtUserGetForegroundWindow  (... ) == 0x20064
 00672   460   NtUserQueryWindow  (131172, 0, ... ) == 0xe4
 00673   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 40173568, 1048576, ) == 0x0
 00674   460   NtAllocateVirtualMemory  (-1, 41213952, 0, 8192, 4096, 4, ... 41213952, 8192, ) == 0x0
 00675   460   NtProtectVirtualMemory  (-1, (0x274e000), 4096, 260, ... (0x274e000), 4096, 4, ) == 0x0
 00676   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244208, 1244924, 1, ... 240, {456, 880}, ) == 0x0
 00677   460   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=456,Tid=880,}, 0x0, ) == 0x0
 00678   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 3670044, 2, 456, 460}  (24, {28, 56, new_msg, 0, 3670044, 2, 456, 460} "\0\0\0\0\1\0\1\0\0\0\0\0\1\0\1\0\360\0\0\0\310\1\0\0p\3\0\0" ... {28, 56, reply, 0, 456, 460, 1478, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\1\0\1\0\360\0\0\0\310\1\0\0p\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1478, 0}  (24, {28, 56, new_msg, 0, 3670044, 2, 456, 460} "\0\0\0\0\1\0\1\0\0\0\0\0\1\0\1\0\360\0\0\0\310\1\0\0p\3\0\0" ... {28, 56, reply, 0, 456, 460, 1478, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\1\0\1\0\360\0\0\0\310\1\0\0p\3\0\0" )  ) == 0x0
 00679   460   NtResumeThread  (240, ... 1, ) == 0x0
 00680   460   NtDelayExecution  (0, {-400000, -1}, ...
 00681   880   NtTestAlert  (... ) == 0x0
 00682   880   NtContinue  (41221424, 1, ...
 00683   880   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00684   880   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 244, ) == 0x0
 00685   880   NtCallbackReturn  (0, 0, 0, ...
 00686   880   NtUserGetThreadState  (18, ... ) == 0x1
 00687   880   NtUserFindExistingCursorIcon  (41221336, 41221352, 41221920, ... ) == 0x1002d
 00688   880   NtUserRegisterClassExWOW  (41221848, 41221924, 41221940, 41221912, 0, 386, 0, ... ) == 0x810bc0cc
 00689   880   NtUserCreateWindowEx  (-2147483640, 41221832, 41221644, "", -2147483648, -2147483648, -2147483648, 426, 225, 0, 0, 4194304, 0, 1073742848, 0, ...
 00690   880   NtAllocateVirtualMemory  (-1, 41209856, 0, 4096, 4096, 260, ... 41209856, 4096, ) == 0x0
 00691   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 41218028, ... ) }, 41218028, ... ) == 0x0
 00692   880   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 248, {status=0x0, info=1}, ) }, 5, 96, ... 248, {status=0x0, info=1}, ) == 0x0
 00693   880   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 248, ... 252, ) == 0x0
 00694   880   NtClose  (248, ... ) == 0x0
 00695   880   NtMapViewOfSection  (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2750000), 0x0, 204800, ) == 0x0
 00696   880   NtClose  (252, ... ) == 0x0
 00697   880   NtUnmapViewOfSection  (-1, 0x2750000, ... ) == 0x0
 00698   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 41218344, ... ) }, 41218344, ... ) == 0x0
 00699   880   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 252, {status=0x0, info=1}, ) == 0x0
 00700   880   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 252, ... 248, ) == 0x0
 00701   880   NtQuerySection  (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00702   880   NtClose  (252, ... ) == 0x0
 00703   880   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00704   880   NtClose  (248, ... ) == 0x0
 00705   880   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 248, ) }, ... 248, ) == 0x0
 00706   880   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00707   880   NtClose  (248, ... ) == 0x0
 00708   880   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00709   880   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 41222144, 65536, ) == 0x0
 00710   880   NtAllocateVirtualMemory  (-1, 41222144, 0, 4096, 4096, 4, ... 41222144, 4096, ) == 0x0
 00711   880   NtAllocateVirtualMemory  (-1, 41226240, 0, 8192, 4096, 4, ... 41226240, 8192, ) == 0x0
 00712   880   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 248, ) }, ... 248, ) == 0x0
 00713   880   NtMapViewOfSection  (248, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2760000), 0x0, 12288, ) == 0x0
 00714   880   NtClose  (248, ... ) == 0x0
 00715   880   NtAllocateVirtualMemory  (-1, 41234432, 0, 4096, 4096, 4, ... 41234432, 4096, ) == 0x0
 00716   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00717   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00718   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00719   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 248, ) == 0x0
 00720   880   NtQueryInformationToken  (248, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00721   880   NtClose  (248, ... ) == 0x0
 00722   880   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 248, ) }, ... 248, ) == 0x0
 00723   880   NtOpenKey  (0x1, {24, 248, 0x40, 0, 0,  (0x1, {24, 248, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 252, ) }, ... 252, ) == 0x0
 00724   880   NtQueryValueKey  (252,  (252, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00725   880   NtClose  (252, ... ) == 0x0
 00726   880   NtClose  (248, ... ) == 0x0
 00727   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00728   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 248, ) == 0x0
 00729   880   NtQueryInformationToken  (248, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00730   880   NtClose  (248, ... ) == 0x0
 00731   880   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 248, ) }, ... 248, ) == 0x0
 00732   880   NtOpenKey  (0x1, {24, 248, 0x40, 0, 0,  (0x1, {24, 248, 0x40, 0, 0, "Control Panel\Desktop"}, ... 252, ) }, ... 252, ) == 0x0
 00733   880   NtQueryValueKey  (252,  (252, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00734   880   NtClose  (252, ... ) == 0x0
 00735   880   NtClose  (248, ... ) == 0x0
 00736   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 41217844, ... ) }, 41217844, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00737   880   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 41217844, ... ) }, 41217844, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00738   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 41217844, ... ) }, 41217844, ... ) == 0x0
 00739   880   NtUserGetProcessWindowStation  (... ) == 0x24
 00740   880   NtUserGetObjectInformation  (36, 2, 0, 0, 41220140, ... ) == 0x0
 00741   880   NtUserGetObjectInformation  (36, 2, 1326392, 16, 41220140, ... ) == 0x1
 00742   880   NtUserGetGUIThreadInfo  (880, 41220096, ... ) == 0x1
 00743   880   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 41219916, 64, ... 248, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 41219916, 64, ... 248, 0x0, 0x0, 0x0, 64, ) == 0x0
 00744   880   NtRequestWaitReplyPort  (248, {32, 56, new_msg, 0, 0, 0, 0, 0}  (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 880, 1480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 456, 880, 1480, 0}  (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 880, 1480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00745   880   NtRequestWaitReplyPort  (248, {32, 56, new_msg, 0, 0, 0, 0, 0}  (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 880, 1481, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 456, 880, 1481, 0}  (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 880, 1481, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00746   880   NtUserCallNoParam  (29, ...
 00747   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 41217388, ... ) }, 41217388, ... ) == 0x0
 00746   880   NtUserCallNoParam  ... ) == 0x0
 00748   880   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00749   880   NtGdiHfontCreate  (41219468, 356, 0, 0, 1328752, ... ) == 0x50a03d7
 00750   880   NtGdiHfontCreate  (41219468, 356, 0, 0, 1328744, ... ) == 0x30a03db
 00751   880   NtRequestWaitReplyPort  (248, {32, 56, new_msg, 0, 0, 0, 0, 0}  (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 880, 1482, 0} "\0\0\0\0\0\0\0\0\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 456, 880, 1482, 0}  (248, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 880, 1482, 0} "\0\0\0\0\0\0\0\0\374\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00752   880   NtMapViewOfSection  (252, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2770000), {0, 0}, 331776, ) == 0x0
 00753   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00754   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00755   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00756   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00757   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00758   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00759   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00760   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00761   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00762   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00763   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00764   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00765   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00766   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00767   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00768   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00769   880   NtUserGetWindowDC  (0, ... ) == 0x1010050
 00770   880   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0xa10041e
 00771   880   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00772   880   NtUserCallNoParam  (29, ...
 00773   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 41216832, ... ) }, 41216832, ... ) == 0x0
 00772   880   NtUserCallNoParam  ... ) == 0x0
 00774   880   NtUserCallNoParam  (29, ...
 00775   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 41216828, ... ) }, 41216828, ... ) == 0x0
 00774   880   NtUserCallNoParam  ... ) == 0x0
 00776   880   NtUserRemoveProp  (131252, 43282, ... ) == 0x0
 00777   880   NtUserRemoveProp  (131252, 43287, ... ) == 0x0
 00689   880   NtUserCreateWindowEx  ... ) == 0x0
 00778   880   NtUserGetDC  (0, ... ) == 0x1010052
 00779   880   NtGdiCreateDIBSection  (16842834, 0, 0, 6695016, 0, 1064, 0, 0, 41221832, ...
 00780   880   NtAllocateVirtualMemory  (-1, 0, 0, 96300, 12288, 4, ... 41746432, 98304, ) == 0x0
 00779   880   NtGdiCreateDIBSection  ... ) == 0x405041d
 00781   880   NtGdiCreateCompatibleDC  (16842834, ... ) == 0x801041a
 00782   880   NtGdiSelectBitmap  (134284314, 67437597, ... ) == 0x185000f
 00783   880   NtGdiDoPalette  (134284314, 0, 255, 6690920, 5, 1, ... ) == 0xff
 00784   880   NtUserShowWindow  (0, 1, ... ) == 0x0
 00785   880   NtUserGetMessage  (0, 0, 0, ...
 00680   460   NtDelayExecution  ... ) == 0x0
 00786   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 41877504, 1048576, ) == 0x0
 00787   460   NtAllocateVirtualMemory  (-1, 42917888, 0, 8192, 4096, 4, ... 42917888, 8192, ) == 0x0
 00788   460   NtProtectVirtualMemory  (-1, (0x28ee000), 4096, 260, ... (0x28ee000), 4096, 4, ) == 0x0
 00789   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244212, 1244928, 1, ... 256, {456, 888}, ) == 0x0
 00790   460   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=456,Tid=888,}, 0x0, ) == 0x0
 00791   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 460, 1478, 0, 0}  (24, {28, 56, new_msg, 0, 460, 1478, 0, 0} "\0\0\0\0\1\0\1\0\1\0\1\0\360\0\0\0\0\1\0\0\310\1\0\0x\3\0\0" ... {28, 56, reply, 0, 456, 460, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\360\0\0\0\0\1\0\0\310\1\0\0x\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1519, 0}  (24, {28, 56, new_msg, 0, 460, 1478, 0, 0} "\0\0\0\0\1\0\1\0\1\0\1\0\360\0\0\0\0\1\0\0\310\1\0\0x\3\0\0" ... {28, 56, reply, 0, 456, 460, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\360\0\0\0\0\1\0\0\310\1\0\0x\3\0\0" )  ) == 0x0
 00792   460   NtResumeThread  (256, ... 1, ) == 0x0
 00793   460   NtSetEvent  (116, ...
 00469   636   NtWaitForSingleObject  ... ) == 0x0
 00794   636   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00795   636   NtWaitForSingleObject  (116, 0, 0x0, ...
 00793   460   NtSetEvent  ... 0x0, ) == 0x0
 00796   460   NtDelayExecution  (0, {0, 0}, ...
 00797   888   NtTestAlert  (... ) == 0x0
 00798   888   NtContinue  (42925360, 1, ...
 00799   888   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00800   888   NtDelayExecution  (0, {-600000000, -1}, ...
 00796   460   NtDelayExecution  ... ) == 0x0
 00801   460   NtSetEvent  (140, ...
 00661   716   NtWaitForSingleObject  ... ) == 0x0
 00802   716   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00803   716   NtWaitForSingleObject  (140, 0, 0x0, ...
 00801   460   NtSetEvent  ... 0x0, ) == 0x0
 00804   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00805   460   NtSetEvent  (112, ...
 00652   596   NtWaitForSingleObject  ... ) == 0x0
 00806   596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00807   596   NtWaitForSingleObject  (112, 0, 0x0, ...
 00805   460   NtSetEvent  ... 0x0, ) == 0x0
 00808   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00809   460   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 42926080, 65536, ) == 0x0
 00810   460   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00811   460   NtFreeVirtualMemory  (-1, (0x28f0000), 0, 32768, ... (0x28f0000), 65536, ) == 0x0
 00812   460   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 42926080, 65536, ) == 0x0
 00813   460   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00814   460   NtFreeVirtualMemory  (-1, (0x28f0000), 0, 32768, ... (0x28f0000), 65536, ) == 0x0
 00815   460   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00816   460   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 42926080, 65536, ) == 0x0
 00817   460   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00818   460   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 260, ) == 0x0
 00819   460   NtMapViewOfSection  (260, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2900000), 0x0, 4194304, ) == 0x0
 00820   460   NtAllocateVirtualMemory  (-1, 42991616, 0, 1, 4096, 4, ... 42991616, 4096, ) == 0x0
 00821   460   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 264, ) == 0x0
 00822   460   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2d00000), 0x0, 4194304, ) == 0x0
 00823   460   NtAllocateVirtualMemory  (-1, 47185920, 0, 1, 4096, 4, ... 47185920, 4096, ) == 0x0
 00824   460   NtCreateSection  (0xf0007, 0x0, {31616, 0}, 4, 134217728, 0, ... 268, ) == 0x0
 00825   460   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3100000), {0, 0}, 32768, ) == 0x0
 00826   460   NtUnmapViewOfSection  (-1, 0x3100000, ... ) == 0x0
 00827   460   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3100000), {0, 0}, 32768, ) == 0x0
 00828   460   NtClose  (264, ... ) == 0x0
 00829   460   NtUnmapViewOfSection  (-1, 0x2d00000, ... ) == 0x0
 00830   460   NtClose  (260, ... ) == 0x0
 00831   460   NtUnmapViewOfSection  (-1, 0x2900000, ... ) == 0x0
 00832   460   NtFreeVirtualMemory  (-1, (0x28f0000), 0, 32768, ... (0x28f0000), 65536, ) == 0x0
 00833   460   NtUnmapViewOfSection  (-1, 0x3100000, ... ) == 0x0
 00834   460   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x28f0000), {0, 0}, 32768, ) == 0x0
 00835   460   NtUnmapViewOfSection  (-1, 0x28f0000, ... ) == 0x0
 00836   460   NtMapViewOfSection  (268, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x28f0000), {0, 0}, 32768, ) == 0x0
 00837   460   NtUnmapViewOfSection  (-1, 0x28f0000, ... ) == 0x0
 00838   460   NtSetEvent  (144, ...
 00561   308   NtWaitForSingleObject  ... ) == 0x0
 00839   308   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00840   308   NtWaitForSingleObject  (144, 0, 0x0, ...
 00838   460   NtSetEvent  ... 0x0, ) == 0x0
 00841   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00842   460   NtContinue  (1244316, 0, ...
 00843   460   NtSetEvent  (116, ...
 00795   636   NtWaitForSingleObject  ... ) == 0x0
 00844   636   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00845   636   NtWaitForSingleObject  (116, 0, 0x0, ...
 00843   460   NtSetEvent  ... 0x0, ) == 0x0
 00846   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00847   460   NtSetEvent  (112, ...
 00807   596   NtWaitForSingleObject  ... ) == 0x0
 00848   596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00849   596   NtWaitForSingleObject  (112, 0, 0x0, ...
 00847   460   NtSetEvent  ... 0x0, ) == 0x0
 00850   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00851   460   NtSetEvent  (132, ...
 00517   788   NtWaitForSingleObject  ... ) == 0x0
 00852   788   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00853   788   NtWaitForSingleObject  (132, 0, 0x0, ...
 00851   460   NtSetEvent  ... 0x0, ) == 0x0
 00854   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00855   460   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00856   460   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 00857   460   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 42926080, 65536, ) == 0x0
 00858   460   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00859   460   NtFreeVirtualMemory  (-1, (0x28f0000), 0, 32768, ... (0x28f0000), 65536, ) == 0x0
 00860   460   NtAllocateVirtualMemory  (-1, 0, 0, 1000, 4096, 4, ... 42926080, 4096, ) == 0x0
 00861   460   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 00862   460   NtFreeVirtualMemory  (-1, (0x28f0000), 0, 32768, ... (0x28f0000), 4096, ) == 0x0
 00863   460   NtSetEvent  (124, ...
 00492   744   NtWaitForSingleObject  ... ) == 0x0
 00864   744   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00865   744   NtWaitForSingleObject  (124, 0, 0x0, ...
 00863   460   NtSetEvent  ... 0x0, ) == 0x0
 00866   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00867   460   NtUserFindWindowEx  (0, 0,  (0, 0, "RegmonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00868   460   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Registry Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 00869   460   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00870   460   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 42926080, 65536, ) == 0x0
 00871   460   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00872   460   NtFreeVirtualMemory  (-1, (0x28f0000), 0, 32768, ... (0x28f0000), 65536, ) == 0x0
 00873   460   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 42926080, 65536, ) == 0x0
 00874   460   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 00875   460   NtFreeVirtualMemory  (-1, (0x28f0000), 0, 32768, ... (0x28f0000), 65536, ) == 0x0
 00876   460   NtSetEvent  (136, ...
 00529   784   NtWaitForSingleObject  ... ) == 0x0
 00877   784   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00878   784   NtWaitForSingleObject  (136, 0, 0x0, ...
 00876   460   NtSetEvent  ... 0x0, ) == 0x0
 00879   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00880   460   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "SOFTWARE\NuMega\DriverStudio"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00881   460   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 42926080, 4096, ) == 0x0
 00882   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 260, ) }, ... 260, ) == 0x0
 00883   460   NtMapViewOfSection  (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00884   460   NtClose  (260, ... ) == 0x0
 00885   460   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00886   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00887   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00888   460   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243000, ... ) }, 1243000, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00889   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243000, ... ) }, 1243000, ... ) == 0x0
 00890   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 00891   460   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 260, ... 264, ) == 0x0
 00892   460   NtQuerySection  (264, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00893   460   NtClose  (260, ... ) == 0x0
 00894   460   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00895   460   NtClose  (264, ... ) == 0x0
 00896   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242196, ... ) }, 1242196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00898   460   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242196, ... ) }, 1242196, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242196, ... ) }, 1242196, ... ) == 0x0
 00900   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0
 00901   460   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 264, ... 260, ) == 0x0
 00902   460   NtQuerySection  (260, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00903   460   NtClose  (264, ... ) == 0x0
 00904   460   NtMapViewOfSection  (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00905   460   NtClose  (260, ... ) == 0x0
 00906   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00907   460   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00908   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 260, ) }, ... 260, ) == 0x0
 00909   460   NtMapViewOfSection  (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00910   460   NtClose  (260, ... ) == 0x0
 00911   460   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 260, ) }, ... 260, ) == 0x0
 00912   460   NtQueryValueKey  (260,  (260, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00913   460   NtClose  (260, ... ) == 0x0
 00914   460   NtQueryDefaultUILanguage  (1241356, ...
 00915   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00916   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482188, ) == 0x0
 00917   460   NtQueryInformationToken  (-2147482188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00918   460   NtClose  (-2147482188, ... ) == 0x0
 00919   460   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482188, ) }, ... -2147482188, ) == 0x0
 00920   460   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921   460   NtOpenKey  (0x80000000, {24, -2147482188, 0x640, 0, 0,  (0x80000000, {24, -2147482188, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00922   460   NtQueryValueKey  (-2147482208,  (-2147482208, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   460   NtClose  (-2147482208, ... ) == 0x0
 00924   460   NtClose  (-2147482188, ... ) == 0x0
 00914   460   NtQueryDefaultUILanguage  ... ) == 0x0
 00925   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00926   460   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00927   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 260, {status=0x0, info=1}, ) }, 1, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 00928   460   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 260, ... 264, ) == 0x0
 00929   460   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2900000), 0x0, 8323072, ) == 0x0
 00930   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   460   NtQueryDefaultUILanguage  (2013024600, ...
 00932   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00933   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00934   460   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00935   460   NtClose  (-2147482208, ... ) == 0x0
 00936   460   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00937   460   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   460   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00939   460   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00940   460   NtClose  (-2147482196, ... ) == 0x0
 00941   460   NtClose  (-2147482208, ... ) == 0x0
 00931   460   NtQueryDefaultUILanguage  ... ) == 0x0
 00942   460   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00943   460   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00944   460   NtQueryDefaultLocale  (1, 1239392, ... ) == 0x0
 00945   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   460   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240248, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240248, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\4\1\0\0\377\377\377\377\0\0\0\0\20\311\307\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\270\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1537, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\4\1\0\0\377\377\377\377\0\0\0\0\20\311\307\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\270\363\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 456, 460, 1537, 0}  (24, {128, 156, new_msg, 0, 1240248, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\4\1\0\0\377\377\377\377\0\0\0\0\20\311\307\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\270\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1537, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\4\1\0\0\377\377\377\377\0\0\0\0\20\311\307\2\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\270\363\22\0\0\0\0\0" )  ) == 0x0
 00947   460   NtClose  (260, ... ) == 0x0
 00948   460   NtClose  (264, ... ) == 0x0
 00949   460   NtUnmapViewOfSection  (-1, 0x2900000, ... ) == 0x0
 00950   460   NtUnmapViewOfSection  (-1, 0x12f3b8, ... ) == STATUS_NOT_MAPPED_VIEW
 00951   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00952   460   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00953   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00954   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00955   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238476, ... ) }, 1238476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00956   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00957   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00958   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00959   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239068, ... ) }, 1239068, ... ) == 0x0
 00960   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 264, {status=0x0, info=1}, ) }, 3, 33, ... 264, {status=0x0, info=1}, ) == 0x0
 00961   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00962   460   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00963   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 00964   460   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 260, ... 272, ) == 0x0
 00965   460   NtClose  (260, ... ) == 0x0
 00966   460   NtMapViewOfSection  (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2900000), 0x0, 921600, ) == 0x0
 00967   460   NtClose  (272, ... ) == 0x0
 00968   460   NtUnmapViewOfSection  (-1, 0x2900000, ... ) == 0x0
 00969   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 272, {status=0x0, info=1}, ) }, 5, 96, ... 272, {status=0x0, info=1}, ) == 0x0
 00970   460   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 272, ... 260, ) == 0x0
 00971   460   NtQuerySection  (260, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00972   460   NtClose  (272, ... ) == 0x0
 00973   460   NtMapViewOfSection  (260, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00974   460   NtClose  (260, ... ) == 0x0
 00975   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00976   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00977   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00978   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00979   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00980   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00981   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00982   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00983   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00984   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00985   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00986   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00987   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00988   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00989   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00990   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00991   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00992   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00993   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00994   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00995   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00996   460   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240252, ... ) , 42, 1240252, ... ) == 0x0
 00997   460   NtQueryDefaultUILanguage  (1238968, ...
 00998   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00999   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482188, ) == 0x0
 01000   460   NtQueryInformationToken  (-2147482188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01001   460   NtClose  (-2147482188, ... ) == 0x0
 01002   460   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482188, ) }, ... -2147482188, ) == 0x0
 01003   460   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01004   460   NtOpenKey  (0x80000000, {24, -2147482188, 0x640, 0, 0,  (0x80000000, {24, -2147482188, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 01005   460   NtQueryValueKey  (-2147482208,  (-2147482208, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01006   460   NtClose  (-2147482208, ... ) == 0x0
 01007   460   NtClose  (-2147482188, ... ) == 0x0
 00997   460   NtQueryDefaultUILanguage  ... ) == 0x0
 01008   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237820, ... ) }, 1237820, ... ) == 0x0
 01010   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 01011   460   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 260, ... 272, ) == 0x0
 01012   460   NtClose  (260, ... ) == 0x0
 01013   460   NtMapViewOfSection  (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2900000), 0x0, 4096, ) == 0x0
 01014   460   NtClose  (272, ... ) == 0x0
 01015   460   NtUnmapViewOfSection  (-1, 0x2900000, ... ) == 0x0
 01016   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237460, ... ) }, 1237460, ... ) == 0x0
 01017   460   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238160,  (0x80100080, {24, 0, 0x40, 0, 1238160, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 272, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 272, {status=0x0, info=1}, ) == 0x0
 01018   460   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 272, ... 260, ) == 0x0
 01019   460   NtClose  (272, ... ) == 0x0
 01020   460   NtMapViewOfSection  (260, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2900000), {0, 0}, 4096, ) == 0x0
 01021   460   NtClose  (260, ... ) == 0x0
 01022   460   NtUnmapViewOfSection  (-1, 0x2900000, ... ) == 0x0
 01023   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 260, {status=0x0, info=1}, ) }, 1, 96, ... 260, {status=0x0, info=1}, ) == 0x0
 01024   460   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 260, ... 272, ) == 0x0
 01025   460   NtMapViewOfSection  (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2900000), 0x0, 4096, ) == 0x0
 01026   460   NtQueryInformationFile  (260, 1237780, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 01027   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01028   460   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237860, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237860, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\4\1\0\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0d\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1542, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\4\1\0\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0d\352\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 456, 460, 1542, 0}  (24, {128, 156, new_msg, 0, 1237860, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\4\1\0\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0d\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1542, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\4\1\0\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0d\352\22\0\0\0\0\0" )  ) == 0x0
 01029   460   NtClose  (260, ... ) == 0x0
 01030   460   NtClose  (272, ... ) == 0x0
 01031   460   NtUnmapViewOfSection  (-1, 0x2900000, ... ) == 0x0
 01032   460   NtUnmapViewOfSection  (-1, 0x12ea64, ... ) == STATUS_NOT_MAPPED_VIEW
 01033   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01034   460   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01035   460   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 01036   460   NtUserGetDC  (0, ... ) == 0x1010051
 01037   460   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01038   460   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01039   460   NtContinue  (1237816, 0, ...
 01040   460   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01041   460   NtUnmapViewOfSection  (-1, 0x71950000, ... ) == 0x0
 01042   460   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01043   460   NtUnmapViewOfSection  (-1, 0x30f0000, ... ) == 0x0
 01044   460   NtClose  (264, ... ) == 0x0
 01045   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc03b
 01046   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc03d
 01047   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc03f
 01048   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc041
 01049   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc043
 01050   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc045
 01051   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc047
 01052   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc049
 01053   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc04b
 01054   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc04d
 01055   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc04f
 01056   460   NtUserGetClassInfo  (1999896576, 1243096, 1243048, 1243124, 0, ... ) == 0xc051
 01057   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc053
 01058   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc055
 01059   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc059
 01060   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc05b
 01061   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc05d
 01062   460   NtUserGetClassInfo  (1999896576, 1243092, 1243044, 1243120, 0, ... ) == 0xc05f
 01063   460   NtSetEvent  (172, ...
 00645   876   NtWaitForSingleObject  ... ) == 0x0
 01064   876   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01065   876   NtWaitForSingleObject  (172, 0, 0x0, ...
 01063   460   NtSetEvent  ... 0x0, ) == 0x0
 01066   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01067   460   NtSetEvent  (140, ...
 00803   716   NtWaitForSingleObject  ... ) == 0x0
 01068   716   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01069   716   NtWaitForSingleObject  (140, 0, 0x0, ...
 01067   460   NtSetEvent  ... 0x0, ) == 0x0
 01070   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01071   460   NtSetEvent  (152, ...
 00648   836   NtWaitForSingleObject  ... ) == 0x0
 01072   836   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01073   836   NtWaitForSingleObject  (152, 0, 0x0, ...
 01071   460   NtSetEvent  ... 0x0, ) == 0x0
 01074   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01075   460   NtAllocateVirtualMemory  (-1, 0, 0, 200000, 4096, 4, ... 43122688, 200704, ) == 0x0
 01076   460   NtAllocateVirtualMemory  (-1, 0, 0, 1024, 4096, 4, ... 42991616, 4096, ) == 0x0
 01077   460   NtSetEvent  (116, ...
 00845   636   NtWaitForSingleObject  ... ) == 0x0
 01078   636   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01079   636   NtWaitForSingleObject  (116, 0, 0x0, ...
 01077   460   NtSetEvent  ... 0x0, ) == 0x0
 01080   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01081   460   NtSetEvent  (116, ...
 01079   636   NtWaitForSingleObject  ... ) == 0x0
 01082   636   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01083   636   NtWaitForSingleObject  (116, 0, 0x0, ...
 01081   460   NtSetEvent  ... 0x0, ) == 0x0
 01084   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01085   460   NtSetEvent  (124, ...
 00865   744   NtWaitForSingleObject  ... ) == 0x0
 01086   744   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01087   744   NtWaitForSingleObject  (124, 0, 0x0, ...
 01085   460   NtSetEvent  ... 0x0, ) == 0x0
 01088   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01089   460   NtSetEvent  (160, ...
 00608   864   NtWaitForSingleObject  ... ) == 0x0
 01090   864   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01091   864   NtWaitForSingleObject  (160, 0, 0x0, ...
 01089   460   NtSetEvent  ... 0x0, ) == 0x0
 01092   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01093   460   NtSetEvent  (144, ...
 00840   308   NtWaitForSingleObject  ... ) == 0x0
 01094   308   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01095   308   NtWaitForSingleObject  (144, 0, 0x0, ...
 01093   460   NtSetEvent  ... 0x0, ) == 0x0
 01096   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01097   460   NtSetEvent  (156, ...
 00597   844   NtWaitForSingleObject  ... ) == 0x0
 01098   844   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01099   844   NtWaitForSingleObject  (156, 0, 0x0, ...
 01097   460   NtSetEvent  ... 0x0, ) == 0x0
 01100   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01101   460   NtSetEvent  (112, ...
 00849   596   NtWaitForSingleObject  ... ) == 0x0
 01102   596   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01103   596   NtWaitForSingleObject  (112, 0, 0x0, ...
 01101   460   NtSetEvent  ... 0x0, ) == 0x0
 01104   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01105   460   NtSetEvent  (168, ...
 00669   872   NtWaitForSingleObject  ... ) == 0x0
 01106   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01107   872   NtWaitForSingleObject  (168, 0, 0x0, ...
 01105   460   NtSetEvent  ... 0x0, ) == 0x0
 01108   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01109   460   NtSetEvent  (124, ...
 01087   744   NtWaitForSingleObject  ... ) == 0x0
 01110   744   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01111   744   NtWaitForSingleObject  (124, 0, 0x0, ...
 01109   460   NtSetEvent  ... 0x0, ) == 0x0
 01112   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01113   460   NtSetEvent  (172, ...
 01065   876   NtWaitForSingleObject  ... ) == 0x0
 01114   876   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01115   876   NtWaitForSingleObject  (172, 0, 0x0, ...
 01113   460   NtSetEvent  ... 0x0, ) == 0x0
 01116   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01117   460   NtSetEvent  (140, ...
 01069   716   NtWaitForSingleObject  ... ) == 0x0
 01118   716   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01119   716   NtWaitForSingleObject  (140, 0, 0x0, ...
 01117   460   NtSetEvent  ... 0x0, ) == 0x0
 01120   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01121   460   NtSetEvent  (156, ...
 01099   844   NtWaitForSingleObject  ... ) == 0x0
 01122   844   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01123   844   NtWaitForSingleObject  (156, 0, 0x0, ...
 01121   460   NtSetEvent  ... 0x0, ) == 0x0
 01124   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01125   460   NtSetEvent  (132, ...
 00853   788   NtWaitForSingleObject  ... ) == 0x0
 01126   788   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01127   788   NtWaitForSingleObject  (132, 0, 0x0, ...
 01125   460   NtSetEvent  ... 0x0, ) == 0x0
 01128   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01129   460   NtSetEvent  (156, ...
 01123   844   NtWaitForSingleObject  ... ) == 0x0
 01130   844   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01131   844   NtWaitForSingleObject  (156, 0, 0x0, ...
 01129   460   NtSetEvent  ... 0x0, ) == 0x0
 01132   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01133   460   NtProtectVirtualMemory  (-1, (0x401000), 13746, 64, ... (0x401000), 16384, 8, ) == 0x0
 01134   460   NtSetEvent  (172, ...
 01115   876   NtWaitForSingleObject  ... ) == 0x0
 01135   876   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01136   876   NtWaitForSingleObject  (172, 0, 0x0, ...
 01134   460   NtSetEvent  ... 0x0, ) == 0x0
 01137   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01138   460   NtSetEvent  (140, ...
 01119   716   NtWaitForSingleObject  ... ) == 0x0
 01139   716   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01140   716   NtWaitForSingleObject  (140, 0, 0x0, ...
 01138   460   NtSetEvent  ... 0x0, ) == 0x0
 01141   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01142   460   NtAllocateVirtualMemory  (-1, 0, 0, 290816, 4096, 4, ... 43384832, 290816, ) == 0x0
 01143   460   NtFreeVirtualMemory  (-1, (0x2960000), 0, 32768, ... (0x2960000), 290816, ) == 0x0
 01144   460   NtSetEvent  (156, ...
 01131   844   NtWaitForSingleObject  ... ) == 0x0
 01145   844   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01146   844   NtWaitForSingleObject  (156, 0, 0x0, ...
 01144   460   NtSetEvent  ... 0x0, ) == 0x0
 01147   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01148   460   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 43384832, 1048576, ) == 0x0
 01149   460   NtAllocateVirtualMemory  (-1, 44425216, 0, 8192, 4096, 4, ... 44425216, 8192, ) == 0x0
 01150   460   NtProtectVirtualMemory  (-1, (0x2a5e000), 4096, 260, ... (0x2a5e000), 4096, 4, ) == 0x0
 01151   460   NtCreateThread  (0x1f03ff, 0x0, -1, 1244188, 1244904, 1, ... 264, {456, 920}, ) == 0x0
 01152   460   NtQueryInformationThread  (264, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=456,Tid=920,}, 0x0, ) == 0x0
 01153   460   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 6697952, 6567576, 1, 16}  (24, {28, 56, new_msg, 0, 6697952, 6567576, 1, 16} "\0\0\0\0\1\0\1\0\0\0\0\0d\373\22\0\10\1\0\0\310\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 456, 460, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0d\373\22\0\10\1\0\0\310\1\0\0\230\3\0\0" )  ... {28, 56, reply, 0, 456, 460, 1543, 0}  (24, {28, 56, new_msg, 0, 6697952, 6567576, 1, 16} "\0\0\0\0\1\0\1\0\0\0\0\0d\373\22\0\10\1\0\0\310\1\0\0\230\3\0\0" ... {28, 56, reply, 0, 456, 460, 1543, 0} "\0\0\0\0\1\0\1\0\0\0\0\0d\373\22\0\10\1\0\0\310\1\0\0\230\3\0\0" )  ) == 0x0
 01154   460   NtResumeThread  (264, ... 1, ) == 0x0
 01155   460   NtSetEvent  (168, ...
 01107   872   NtWaitForSingleObject  ... ) == 0x0
 01156   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01157   872   NtWaitForSingleObject  (168, 0, 0x0, ...
 01155   460   NtSetEvent  ... 0x0, ) == 0x0
 01158   460   NtDelayExecution  (0, {0, 0}, ...
 01159   920   NtTestAlert  (... ) == 0x0
 01160   920   NtContinue  (44432688, 1, ...
 01161   920   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01162   920   NtDelayExecution  (0, {-40000000, -1}, ...
 01158   460   NtDelayExecution  ... ) == 0x0
 01163   460   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 01164   460   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ...
 01165   460   NtContinue  (-133529812, 0, ...
 01164   460   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 01166   460   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 44433408, 4096, ) == 0x0
 01167   460   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 4, ... 44498944, 8192, ) == 0x0
 01168   460   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 64, ... 44564480, 65536, ) == 0x0
 01169   460   NtAllocateVirtualMemory  (-1, 0, 0, 1184, 4096, 4, ... 44630016, 4096, ) == 0x0
 01170   460   NtFreeVirtualMemory  (-1, (0x2a90000), 0, 32768, ... (0x2a90000), 4096, ) == 0x0
 01171   460   NtAllocateVirtualMemory  (-1, 0, 0, 456, 4096, 4, ... 44630016, 4096, ) == 0x0
 01172   460   NtFreeVirtualMemory  (-1, (0x2a90000), 0, 32768, ... (0x2a90000), 4096, ) == 0x0
 01173   460   NtAllocateVirtualMemory  (-1, 0, 0, 3712, 4096, 4, ... 44630016, 4096, ) == 0x0
 01174   460   NtAllocateVirtualMemory  (-1, 0, 0, 757, 4096, 64, ... 44695552, 4096, ) == 0x0
 01175   460   NtAllocateVirtualMemory  (-1, 0, 0, 2584, 4096, 64, ... 44761088, 4096, ) == 0x0
 01176   460   NtAllocateVirtualMemory  (-1, 0, 0, 2999, 4096, 64, ... 44826624, 4096, ) == 0x0
 01177   460   NtAllocateVirtualMemory  (-1, 0, 0, 1462, 4096, 64, ... 44892160, 4096, ) == 0x0
 01178   460   NtAllocateVirtualMemory  (-1, 0, 0, 1228, 4096, 64, ... 44957696, 4096, ) == 0x0
 01179   460   NtAllocateVirtualMemory  (-1, 0, 0, 1809, 4096, 64, ... 45023232, 4096, ) == 0x0
 01180   460   NtAllocateVirtualMemory  (-1, 0, 0, 758, 4096, 64, ... 45088768, 4096, ) == 0x0
 01181   460   NtAllocateVirtualMemory  (-1, 0, 0, 816, 4096, 64, ... 45154304, 4096, ) == 0x0
 01182   460   NtAllocateVirtualMemory  (-1, 0, 0, 3107, 4096, 64, ... 45219840, 4096, ) == 0x0
 01183   460   NtAllocateVirtualMemory  (-1, 0, 0, 2158, 4096, 64, ... 45285376, 4096, ) == 0x0
 01184   460   NtAllocateVirtualMemory  (-1, 0, 0, 2473, 4096, 64, ... 45350912, 4096, ) == 0x0
 01185   460   NtAllocateVirtualMemory  (-1, 0, 0, 3847, 4096, 64, ... 45416448, 4096, ) == 0x0
 01186   460   NtAllocateVirtualMemory  (-1, 0, 0, 275, 4096, 64, ... 45481984, 4096, ) == 0x0
 01187   460   NtAllocateVirtualMemory  (-1, 0, 0, 870, 4096, 64, ... 45547520, 4096, ) == 0x0
 01188   460   NtAllocateVirtualMemory  (-1, 0, 0, 1288, 4096, 64, ... 45613056, 4096, ) == 0x0
 01189   460   NtAllocateVirtualMemory  (-1, 0, 0, 3237, 4096, 64, ... 45678592, 4096, ) == 0x0
 01190   460   NtAllocateVirtualMemory  (-1, 0, 0, 2315, 4096, 64, ... 45744128, 4096, ) == 0x0
 01191   460   NtAllocateVirtualMemory  (-1, 0, 0, 2360, 4096, 64, ... 45809664, 4096, ) == 0x0
 01192   460   NtAllocateVirtualMemory  (-1, 0, 0, 2952, 4096, 64, ... 45875200, 4096, ) == 0x0
 01193   460   NtAllocateVirtualMemory  (-1, 0, 0, 2483, 4096, 64, ... 45940736, 4096, ) == 0x0
 01194   460   NtFreeVirtualMemory  (-1, (0x2a90000), 0, 32768, ... (0x2a90000), 4096, ) == 0x0
 01195   460   NtAllocateVirtualMemory  (-1, 0, 0, 2928, 4096, 4, ... 44630016, 4096, ) == 0x0
 01196   460   NtFreeVirtualMemory  (-1, (0x2a90000), 0, 32768, ... (0x2a90000), 4096, ) == 0x0
 01197   460   NtAllocateVirtualMemory  (-1, 0, 0, 2676, 4096, 4, ... 44630016, 4096, ) == 0x0
 01198   460   NtAllocateVirtualMemory  (-1, 0, 0, 2479, 4096, 64, ... 46006272, 4096, ) == 0x0
 01199   460   NtFreeVirtualMemory  (-1, (0x2a90000), 0, 32768, ... (0x2a90000), 4096, ) == 0x0
 01200   460   NtAllocateVirtualMemory  (-1, 0, 0, 760, 4096, 4, ... 44630016, 4096, ) == 0x0
 01201   460   NtFreeVirtualMemory  (-1, (0x2a90000), 0, 32768, ... (0x2a90000), 4096, ) == 0x0
 01202   460   NtFreeVirtualMemory  (-1, (0x2920000), 0, 32768, ... (0x2920000), 200704, ) == 0x0
 01203   460   NtFreeVirtualMemory  (-1, (0x2900000), 0, 32768, ... (0x2900000), 4096, ) == 0x0
 01204   460   NtFreeVirtualMemory  (-1, (0x2a70000), 0, 32768, ... (0x2a70000), 8192, ) == 0x0
 01205   460   NtFreeVirtualMemory  (-1, (0x2a80000), 0, 32768, ... (0x2a80000), 65536, ) == 0x0
 01206   460   NtFreeVirtualMemory  (-1, (0x2a60000), 0, 32768, ... (0x2a60000), 4096, ) == 0x0
 01207   460   NtSetEvent  (160, ...
 01091   864   NtWaitForSingleObject  ... ) == 0x0
 01208   864   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01209   864   NtWaitForSingleObject  (160, 0, 0x0, ...
 01207   460   NtSetEvent  ... 0x0, ) == 0x0
 01210   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01211   460   NtSetEvent  (164, ...
 00621   868   NtWaitForSingleObject  ... ) == 0x0
 01212   868   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01213   868   NtWaitForSingleObject  (164, 0, 0x0, ...
 01211   460   NtSetEvent  ... 0x0, ) == 0x0
 01214   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01215   460   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 4, ) == 0x0
 01216   460   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ...
 01217   460   NtContinue  (-133529812, 0, ...
 01216   460   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 01218   460   NtDelayExecution  (0, {-400000, -1}, ... ) == 0x0
 01219   460   NtSetEvent  (152, ...
 01073   836   NtWaitForSingleObject  ... ) == 0x0
 01220   836   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01221   836   NtWaitForSingleObject  (152, 0, 0x0, ...
 01219   460   NtSetEvent  ... 0x0, ) == 0x0
 01222   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01223   460   NtSetEvent  (116, ...
 01083   636   NtWaitForSingleObject  ... ) == 0x0
 01224   636   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01225   636   NtWaitForSingleObject  (116, 0, 0x0, ...
 01223   460   NtSetEvent  ... 0x0, ) == 0x0
 01226   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01227   460   NtSetEvent  (160, ...
 01209   864   NtWaitForSingleObject  ... ) == 0x0
 01228   864   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01229   864   NtWaitForSingleObject  (160, 0, 0x0, ...
 01227   460   NtSetEvent  ... 0x0, ) == 0x0
 01230   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01231   460   NtSetEvent  (148, ...
 00573   840   NtWaitForSingleObject  ... ) == 0x0
 01232   840   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01233   840   NtWaitForSingleObject  (148, 0, 0x0, ...
 01231   460   NtSetEvent  ... 0x0, ) == 0x0
 01234   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01235   460   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 4, ) == 0x0
 01236   460   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 4, ) == 0x0
 01237   460   NtSetEvent  (144, ...
 01095   308   NtWaitForSingleObject  ... ) == 0x0
 01238   308   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01239   308   NtWaitForSingleObject  (144, 0, 0x0, ...
 01237   460   NtSetEvent  ... 0x0, ) == 0x0
 01240   460   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01241   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 272, ) }, ... 272, ) == 0x0
 01242   460   NtMapViewOfSection  (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 01243   460   NtClose  (272, ... ) == 0x0
 01244   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 272, ) }, ... 272, ) == 0x0
 01245   460   NtMapViewOfSection  (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 01246   460   NtClose  (272, ... ) == 0x0
 01247   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 272, ) }, ... 272, ) == 0x0
 01248   460   NtMapViewOfSection  (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 01249   460   NtClose  (272, ... ) == 0x0
 01250   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 272, ) }, ... 272, ) == 0x0
 01251   460   NtMapViewOfSection  (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 01252   460   NtClose  (272, ... ) == 0x0
 01253   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 272, ) }, ... 272, ) == 0x0
 01254   460   NtMapViewOfSection  (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 01255   460   NtClose  (272, ... ) == 0x0
 01256   460   NtAllocateVirtualMemory  (-1, 41238528, 0, 4096, 4096, 4, ... 41238528, 4096, ) == 0x0
 01257   460   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   460   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 01259   460   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 01260   460   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01261   460   NtCreateEvent  (0x1f0003, {24, 56, 0x80, 1240640, 0,  (0x1f0003, {24, 56, 0x80, 1240640, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01262   460   NtOpenEvent  (0x100000, {24, 56, 0x0, 0, 0,  (0x100000, {24, 56, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 272, ) }, ... 272, ) == 0x0
 01263   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01264   460   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01265   460   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 260, ) }, ... 260, ) == 0x0
 01266   460   NtQueryValueKey  (260,  (260, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (260, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 01267   460   NtClose  (260, ... ) == 0x0
 01268   460   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01269   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01270   460   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01271   460   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01272   460   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01273   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 260, ) }, ... 260, ) == 0x0
 01274   460   NtQueryValueKey  (260,  (260, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01275   460   NtQueryValueKey  (260,  (260, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01276   460   NtQueryValueKey  (260,  (260, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01277   460   NtClose  (260, ... ) == 0x0
 01278   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 260, ) }, ... 260, ) == 0x0
 01279   460   NtQueryValueKey  (260,  (260, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01280   460   NtQueryValueKey  (260,  (260, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281   460   NtClose  (260, ... ) == 0x0
 01282   460   NtOpenEvent  (0x1f0003, {24, 56, 0x0, 0, 0,  (0x1f0003, {24, 56, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01283   460   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 01284   460   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01285   460   NtOpenKey  (0x9, {24, 48, 0x40, 0, 0,  (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01286   460   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01287   460   NtAllocateVirtualMemory  (-1, 1351680, 0, 8192, 4096, 4, ... 1351680, 8192, ) == 0x0
 01288   460   NtCreateKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 260, 2, ) }, 0, 0x0, 0, ... 260, 2, ) == 0x0
 01289   460   NtQueryDefaultUILanguage  (1238876, ...
 01290   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01291   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482188, ) == 0x0
 01292   460   NtQueryInformationToken  (-2147482188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01293   460   NtClose  (-2147482188, ... ) == 0x0
 01294   460   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482188, ) }, ... -2147482188, ) == 0x0
 01295   460   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01296   460   NtOpenKey  (0x80000000, {24, -2147482188, 0x640, 0, 0,  (0x80000000, {24, -2147482188, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 01297   460   NtQueryValueKey  (-2147482208,  (-2147482208, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01298   460   NtClose  (-2147482208, ... ) == 0x0
 01299   460   NtClose  (-2147482188, ... ) == 0x0
 01289   460   NtQueryDefaultUILanguage  ... ) == 0x0
 01300   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 276, {status=0x0, info=1}, ) }, 1, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01302   460   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 276, ... 280, ) == 0x0
 01303   460   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2bf0000), 0x0, 593920, ) == 0x0
 01304   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01305   460   NtQueryDefaultLocale  (1, 1236912, ... ) == 0x0
 01306   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01307   460   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237768, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237768, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0P\275\306\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1554, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0P\275\306\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\352\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 456, 460, 1554, 0}  (24, {128, 156, new_msg, 0, 1237768, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0P\275\306\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1554, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\24\1\0\0\377\377\377\377\0\0\0\0P\275\306\2\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\10\352\22\0\0\0\0\0" )  ) == 0x0
 01308   460   NtClose  (276, ... ) == 0x0
 01309   460   NtClose  (280, ... ) == 0x0
 01310   460   NtUnmapViewOfSection  (-1, 0x2bf0000, ... ) == 0x0
 01311   460   NtUnmapViewOfSection  (-1, 0x12ea08, ... ) == STATUS_NOT_MAPPED_VIEW
 01312   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01313   460   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01314   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01315   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01316   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235452, ... ) }, 1235452, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01317   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01318   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01319   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01320   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1236044, ... ) }, 1236044, ... ) == 0x0
 01321   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 280, {status=0x0, info=1}, ) }, 3, 33, ... 280, {status=0x0, info=1}, ) == 0x0
 01322   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01323   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01324   460   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 284, ) == 0x0
 01325   460   NtClose  (276, ... ) == 0x0
 01326   460   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2bf0000), 0x0, 921600, ) == 0x0
 01327   460   NtClose  (284, ... ) == 0x0
 01328   460   NtUnmapViewOfSection  (-1, 0x2bf0000, ... ) == 0x0
 01329   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0
 01330   460   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 284, ... 276, ) == 0x0
 01331   460   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01332   460   NtClose  (284, ... ) == 0x0
 01333   460   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 01334   460   NtClose  (276, ... ) == 0x0
 01335   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01336   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01337   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01338   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01339   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01340   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01341   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01342   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01343   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01344   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01345   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01346   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01347   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01348   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01349   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01350   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01351   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01352   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01353   460   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 01354   460   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 01355   460   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 01356   460   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1237228, ... ) , 42, 1237228, ... ) == 0x0
 01357   460   NtQueryDefaultUILanguage  (1235944, ...
 01358   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01359   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482188, ) == 0x0
 01360   460   NtQueryInformationToken  (-2147482188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01361   460   NtClose  (-2147482188, ... ) == 0x0
 01362   460   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482188, ) }, ... -2147482188, ) == 0x0
 01363   460   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01364   460   NtOpenKey  (0x80000000, {24, -2147482188, 0x640, 0, 0,  (0x80000000, {24, -2147482188, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 01365   460   NtQueryValueKey  (-2147482208,  (-2147482208, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01366   460   NtClose  (-2147482208, ... ) == 0x0
 01367   460   NtClose  (-2147482188, ... ) == 0x0
 01357   460   NtQueryDefaultUILanguage  ... ) == 0x0
 01368   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01369   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234796, ... ) }, 1234796, ... ) == 0x0
 01370   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01371   460   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 284, ) == 0x0
 01372   460   NtClose  (276, ... ) == 0x0
 01373   460   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2920000), 0x0, 4096, ) == 0x0
 01374   460   NtClose  (284, ... ) == 0x0
 01375   460   NtUnmapViewOfSection  (-1, 0x2920000, ... ) == 0x0
 01376   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234436, ... ) }, 1234436, ... ) == 0x0
 01377   460   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1235136,  (0x80100080, {24, 0, 0x40, 0, 1235136, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 284, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 284, {status=0x0, info=1}, ) == 0x0
 01378   460   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 284, ... 276, ) == 0x0
 01379   460   NtClose  (284, ... ) == 0x0
 01380   460   NtMapViewOfSection  (276, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2920000), {0, 0}, 4096, ) == 0x0
 01381   460   NtClose  (276, ... ) == 0x0
 01382   460   NtUnmapViewOfSection  (-1, 0x2920000, ... ) == 0x0
 01383   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 276, {status=0x0, info=1}, ) }, 1, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01384   460   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 276, ... 284, ) == 0x0
 01385   460   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x2920000), 0x0, 4096, ) == 0x0
 01386   460   NtQueryInformationFile  (276, 1234756, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 01387   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01388   460   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1234836, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1234836, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\24\1\0\0\34\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\224\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1555, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\24\1\0\0\34\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\224\336\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 456, 460, 1555, 0}  (24, {128, 156, new_msg, 0, 1234836, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\24\1\0\0\34\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\224\336\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1555, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1\24\1\0\0\34\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\224\336\22\0\0\0\0\0" )  ) == 0x0
 01389   460   NtClose  (276, ... ) == 0x0
 01390   460   NtClose  (284, ... ) == 0x0
 01391   460   NtUnmapViewOfSection  (-1, 0x2920000, ... ) == 0x0
 01392   460   NtUnmapViewOfSection  (-1, 0x12de94, ... ) == STATUS_NOT_MAPPED_VIEW
 01393   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01394   460   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 01395   460   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 01396   460   NtUserGetDC  (0, ... ) == 0x1010050
 01397   460   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01398   460   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01399   460   NtContinue  (1234800, 0, ...
 01400   460   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01401   460   NtUnmapViewOfSection  (-1, 0x71950000, ... ) == 0x0
 01402   460   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 01403   460   NtUnmapViewOfSection  (-1, 0x2900000, ... ) == 0x0
 01404   460   NtClose  (280, ... ) == 0x0
 01405   460   NtCreateKey  (0x2001f, {24, 52, 0x40, 0, 0,  (0x2001f, {24, 52, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 280, 2, ) }, 0, 0x0, 0, ... 280, 2, ) == 0x0
 01406   460   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 284, ) }, ... 284, ) == 0x0
 01407   460   NtMapViewOfSection  (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 01408   460   NtClose  (284, ... ) == 0x0
 01409   460   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 284, ) == 0x0
 01410   460   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0
 01411   460   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 288, ) }, ... 288, ) == 0x0
 01412   460   NtNotifyChangeKey  (288, 276, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 01413   460   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 01414   460   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 292, ) == 0x0
 01415   460   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 296, ) == 0x0
 01416   460   NtCreateMutant  (0x1f0001, {24, 56, 0x80, 0, 0,  (0x1f0001, {24, 56, 0x80, 0, 0, "rxRizzo_v2.5"}, 0, ... 300, ) }, 0, ... 300, ) == 0x0
 01417   460   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01418   460   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01419   460   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1242816,  (0x80100080, {24, 0, 0x40, 0, 1242816, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 304, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 304, {status=0x0, info=1}, ) == 0x0
 01420   460   NtQueryInformationFile  (304, 1243752, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01421   460   NtQueryInformationFile  (304, 1243724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01422   460   NtQueryInformationFile  (304, 1243676, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01423   460   NtAllocateVirtualMemory  (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0
 01424   460   NtQueryInformationFile  (304, 1356296, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01425   460   NtQueryInformationFile  (304, 1242220, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01426   460   NtQueryInformationFile  (304, 1242064, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01427   460   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242072,  (0x40110080, {24, 0, 0x40, 0, 1242072, "\??\C:\WINDOWS\System32\nex.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01428   460   NtClose  (-2147482188, ... ) == 0x0
 01427   460   NtCreateFile  ... 308, {status=0x0, info=2}, ) == 0x0
 01429   460   NtQueryVolumeInformationFile  (308, 1241444, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01430   460   NtQueryInformationFile  (308, 1241404, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01431   460   NtQueryVolumeInformationFile  (304, 1241444, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01432   460   NtQueryVolumeInformationFile  (304, 1241128, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01433   460   NtSetInformationFile  (308, 1241232, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01434   460   NtAllocateVirtualMemory  (-1, 1368064, 0, 65536, 4096, 4, ... 1368064, 65536, ) == 0x0
 01435   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343\355\216\341\247\214\340\262\247\214\340\262\247\214\340\262\264\204\275\262\245\214\340\262$\204\275\262\241\214\340\262]\257\371\262\242\214\340\262\247\214\341\262\354\214\340\262\242\200\200\262\250\214\340\262\242\200\272\262\246\214\340\262Rich\247\214\340\262\0\0\0\0\0\0\0\0PE\0\0L\1\4\0UnPacKcN\0\0\0\0\340\0\17\1\13\1\7\12\0L\0\0\0\22\4\0\0\0\0\0\24\240\4\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`+\0\0\4\0\0hn\23\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\220\4\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0   \0    \0p\4\0\0\20\0\0\06\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsr", ) , ) == 0x0
 01436   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343\355\216\341\247\214\340\262\247\214\340\262\247\214\340\262\264\204\275\262\245\214\340\262$\204\275\262\241\214\340\262]\257\371\262\242\214\340\262\247\214\341\262\354\214\340\262\242\200\200\262\250\214\340\262\242\200\272\262\246\214\340\262Rich\247\214\340\262\0\0\0\0\0\0\0\0PE\0\0L\1\4\0UnPacKcN\0\0\0\0\340\0\17\1\13\1\7\12\0L\0\0\0\22\4\0\0\0\0\0\24\240\4\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`+\0\0\4\0\0hn\23\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\220\4\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0   \0    \0p\4\0\0\20\0\0\06\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsr", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01437   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\364<\351\252\200\221\213Yp_\316\32\06\270\2463xd\23\5\7j\363O\2\346\240\302\213\30\\3\252-\257:\250Z\200\203\305H\3X \373\225s\212\360\330\246Nx\13\5\360\353\312p\223\200\361\260U\275\01\27d\263B\341\17`\0\326\331\302Xh:\37\311X\30\365$\14[\17\350\273\0\3764\244\355|X\307`\0\25\364O\324Z%\370yW\1N\203\337\3\305\375\270\314\16\326\0s\1\31$\20P.)\2\370\211\2\23\210\324`\344\237\213X\247\204>}\200`\202{\301G_\241\17z\12\210\363 \34135\212(\0f/\277\364\263\23\340\350\0\276\22\365U\12WZ\272\0\257\205Q3\277d\225\305\27\206\23\303\0@T\273\350X\323\270L\0t\275b\236\270\262\32J\22.\374\267\0F\330q\273\20\311\09*L\231\26(\341\11\0c\340|\256\27\361\16\235\0\321\274\302Y+\350Zw\7\347@2\220\371`\346A\230l\0'.\15\354J\363\356|\\0\343\27\271]dy\331\30\37\223_\313\303\266\201Q>\200\16V \0\357\351FP\7\14\340\23\36\2\271\366R8\0\4D E=w\6I\30\3407\2638\3(8\320\276\313\304\320\13\252f\0x* gmOZ\361\0\226\370\363\210\354\213\306\305\1\315K \5\261_h\320C\215$fo\11\0\277F\36\12\376\351\0+\14\2462\266\324\301\2pA\17\263\33F\22\357\344\224\223>B\200P\213\367t?Ka\36G\372\354\300\203\26\365\364ZA\347p\2432\0\300\255\302j\223\205J,\36\354\252\326O\377\314\204\221x\2002\334\260\231\0\301\313\336\207\367"p(\372U\16\314\254\27\275\240\10\252*\3644\3\240)\244\261\371\227\220z\213w\7n\330A\370\212\360\14\207k\210\0\351S\306\13\211\340\366", ) p(\372U\16\314\254\27\275\240\10\252*\3644\3\240)\244\261\371\227\220z\213w\7n\330A\370\212\360\14\207k\210\0\351S\306\13\211\340\366", ) == 0x0
 01438   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\364<\351\252\200\221\213Yp_\316\32\06\270\2463xd\23\5\7j\363O\2\346\240\302\213\30\\3\252-\257:\250Z\200\203\305H\3X \373\225s\212\360\330\246Nx\13\5\360\353\312p\223\200\361\260U\275\01\27d\263B\341\17`\0\326\331\302Xh:\37\311X\30\365$\14[\17\350\273\0\3764\244\355|X\307`\0\25\364O\324Z%\370yW\1N\203\337\3\305\375\270\314\16\326\0s\1\31$\20P.)\2\370\211\2\23\210\324`\344\237\213X\247\204>}\200`\202{\301G_\241\17z\12\210\363 \34135\212(\0f/\277\364\263\23\340\350\0\276\22\365U\12WZ\272\0\257\205Q3\277d\225\305\27\206\23\303\0@T\273\350X\323\270L\0t\275b\236\270\262\32J\22.\374\267\0F\330q\273\20\311\09*L\231\26(\341\11\0c\340|\256\27\361\16\235\0\321\274\302Y+\350Zw\7\347@2\220\371`\346A\230l\0'.\15\354J\363\356|\\0\343\27\271]dy\331\30\37\223_\313\303\266\201Q>\200\16V \0\357\351FP\7\14\340\23\36\2\271\366R8\0\4D E=w\6I\30\3407\2638\3(8\320\276\313\304\320\13\252f\0x* gmOZ\361\0\226\370\363\210\354\213\306\305\1\315K \5\261_h\320C\215$fo\11\0\277F\36\12\376\351\0+\14\2462\266\324\301\2pA\17\263\33F\22\357\344\224\223>B\200P\213\367t?Ka\36G\372\354\300\203\26\365\364ZA\347p\2432\0\300\255\302j\223\205J,\36\354\252\326O\377\314\204\221x\2002\334\260\231\0\301\313\336\207\367"p(\372U\16\314\254\27\275\240\10\252*\3644\3\240)\244\261\371\227\220z\213w\7n\330A\370\212\360\14\207k\210\0\351S\306\13\211\340\366", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) p(\372U\16\314\254\27\275\240\10\252*\3644\3\240)\244\261\371\227\220z\213w\7n\330A\370\212\360\14\207k\210\0\351S\306\13\211\340\366", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01439   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\312+\336?\0\320J1\313\211\22\3470\0\304\243\36)\210\10\254\355\0\32=\364_v&V/\16\213\33}\20\200\351\302P\221\333\34\10-\337\217l\263\300*\277t\240\224\0\16:\32\341\264\3161'\3Sp\213\326\267\244\350\20\200i\2\376A\14\3148\360\300q_\361\7\243\7\W\5\363\312\265\360\200#\277\0\206\302>1\321\211\236e\0\6}\224\15\272\242\364\366~\201>{\331\201>\250\12\22\177\3\300\251#\0\322\221\367\321\346(t\302\16\15\350\5\305\200\327\324F\11\266\16\20\1\312X`\336 \313:\326t\263\0\200p\346`K\202\203G-\310\33\300\341PA\0\4\200\356\324\253\240\277\5\352\251\0\246*"\204&G\237\22\0\222\20\266\233 \21\23A\34\316\13\362\200\16\234_\3770\343\17\203O\35\230\240x\301\27\351\21w\31\0/\215g\335\322n\355\350\2\302\3\2\324\300&\340\223\17}\7\351k\314\334*\200\277\211SY:\374\22\6Gm\274\24\316\3b\3051\205h\1\330\322\3657\17\375\331+\225\300\242\63\3325\13\231\17\2\267\0\345V\243\14\177\0\345\236\4z\366\3*_\3I\224\321\26\217\365\317\207\32\227\351\260\13u\5\246\3\375\352\260\354\303\214\240\373a~q\361\0\32q\302F\372\16\371\2750\304\22<\334}\27\0E\201\375\262\230=\377\35\0\352\213\227\10\364m Z\35\346\357x\200\351['\300Nh|1>\246\242,f\233\1\202>\360}!\304\301s\1\370\12B\6P\266\212\341\351\324u\264\0\13[\323\34\306>\316\342\0~\200)\303h\312\37\237\0f5\22\251M\11\254\235\0\3502#&\2\32'\23v\365\0\236\26\20\227|\346\353\325x!\230+ya\36D\23[G\373\220\20p\254\377\261C\0\4 \366\203\27\262\21\211\4\230\362\246", ) \204&G\237\22\0\222\20\266\233 \21\23A\34\316\13\362\200\16\234_\3770\343\17\203O\35\230\240x\301\27\351\21w\31\0/\215g\335\322n\355\350\2\302\3\2\324\300&\340\223\17}\7\351k\314\334*\200\277\211SY:\374\22\6Gm\274\24\316\3b\3051\205h\1\330\322\3657\17\375\331+\225\300\242\63\3325\13\231\17\2\267\0\345V\243\14\177\0\345\236\4z\366\3*_\3I\224\321\26\217\365\317\207\32\227\351\260\13u\5\246\3\375\352\260\354\303\214\240\373a~q\361\0\32q\302F\372\16\371\2750\304\22<\334}\27\0E\201\375\262\230=\377\35\0\352\213\227\10\364m Z\35\346\357x\200\351['\300Nh|1>\246\242,f\233\1\202>\360}!\304\301s\1\370\12B\6P\266\212\341\351\324u\264\0\13[\323\34\306>\316\342\0~\200)\303h\312\37\237\0f5\22\251M\11\254\235\0\3502#&\2\32'\23v\365\0\236\26\20\227|\346\353\325x!\230+ya\36D\23[G\373\220\20p\254\377\261C\0\4 \366\203\27\262\21\211\4\230\362\246", ) == 0x0
 01440   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\312+\336?\0\320J1\313\211\22\3470\0\304\243\36)\210\10\254\355\0\32=\364_v&V/\16\213\33}\20\200\351\302P\221\333\34\10-\337\217l\263\300*\277t\240\224\0\16:\32\341\264\3161'\3Sp\213\326\267\244\350\20\200i\2\376A\14\3148\360\300q_\361\7\243\7\W\5\363\312\265\360\200#\277\0\206\302>1\321\211\236e\0\6}\224\15\272\242\364\366~\201>{\331\201>\250\12\22\177\3\300\251#\0\322\221\367\321\346(t\302\16\15\350\5\305\200\327\324F\11\266\16\20\1\312X`\336 \313:\326t\263\0\200p\346`K\202\203G-\310\33\300\341PA\0\4\200\356\324\253\240\277\5\352\251\0\246*"\204&G\237\22\0\222\20\266\233 \21\23A\34\316\13\362\200\16\234_\3770\343\17\203O\35\230\240x\301\27\351\21w\31\0/\215g\335\322n\355\350\2\302\3\2\324\300&\340\223\17}\7\351k\314\334*\200\277\211SY:\374\22\6Gm\274\24\316\3b\3051\205h\1\330\322\3657\17\375\331+\225\300\242\63\3325\13\231\17\2\267\0\345V\243\14\177\0\345\236\4z\366\3*_\3I\224\321\26\217\365\317\207\32\227\351\260\13u\5\246\3\375\352\260\354\303\214\240\373a~q\361\0\32q\302F\372\16\371\2750\304\22<\334}\27\0E\201\375\262\230=\377\35\0\352\213\227\10\364m Z\35\346\357x\200\351['\300Nh|1>\246\242,f\233\1\202>\360}!\304\301s\1\370\12B\6P\266\212\341\351\324u\264\0\13[\323\34\306>\316\342\0~\200)\303h\312\37\237\0f5\22\251M\11\254\235\0\3502#&\2\32'\23v\365\0\236\26\20\227|\346\353\325x!\230+ya\36D\23[G\373\220\20p\254\377\261C\0\4 \366\203\27\262\21\211\4\230\362\246", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \204&G\237\22\0\222\20\266\233 \21\23A\34\316\13\362\200\16\234_\3770\343\17\203O\35\230\240x\301\27\351\21w\31\0/\215g\335\322n\355\350\2\302\3\2\324\300&\340\223\17}\7\351k\314\334*\200\277\211SY:\374\22\6Gm\274\24\316\3b\3051\205h\1\330\322\3657\17\375\331+\225\300\242\63\3325\13\231\17\2\267\0\345V\243\14\177\0\345\236\4z\366\3*_\3I\224\321\26\217\365\317\207\32\227\351\260\13u\5\246\3\375\352\260\354\303\214\240\373a~q\361\0\32q\302F\372\16\371\2750\304\22<\334}\27\0E\201\375\262\230=\377\35\0\352\213\227\10\364m Z\35\346\357x\200\351['\300Nh|1>\246\242,f\233\1\202>\360}!\304\301s\1\370\12B\6P\266\212\341\351\324u\264\0\13[\323\34\306>\316\342\0~\200)\303h\312\37\237\0f5\22\251M\11\254\235\0\3502#&\2\32'\23v\365\0\236\26\20\227|\346\353\325x!\230+ya\36D\23[G\373\220\20p\254\377\261C\0\4 \366\203\27\262\21\211\4\230\362\246", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01441   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, " D\235\227\325\20\365\27\200\274\277\17#Y\0\326\224\250d\205\73\202\347\236U\11\200\270!\331\277\240\34w\12\346\0\1\3731\351_\201\0\311\5\235!\366\203\310\32\260\300\12\36\372b{U\206\374%R~\323t\253\0\322\264\24\273P\1G\320\177Y=*@\0\2040D\246V\351\30\0\223\353i\34\23(\354\357\0,\323\3737\355\232\244\344\0\316\260/\360\160\363Q\0\200k\335\272\266_\7\366\0\215\31@\271\315\3A\241\0cK\2\1\313Y\260\301\0^i\6 \3103p`w1^\266\274Q8d\200\346\253\273\367\256\23V~_\3\3Y\13[\260\345\260\341{\355\5\207\370t!\32\200n\266u\365P\230\216\234:\301\23\200\332\265\200(H\3\210\0\353Y \326\223\331\202\316\0\325\306\211\20Fh\5\213\0\270\340\311\351=A\364\202\0:\320[\266\334`?\3\16\356;0\31\300\315\27\351l\321\356\377\3)@\212SPh\260\325a\333\1\213"\365D\323\364\330\200\214\302[\377\11{\305p_\0n\267\266W\210J\323\372\0@\356\200\317\327\351\221/\0b\6q\277\340\347~\376$\377\205\3219\270\324\0\207\372\235\261\313>R\0\27215a\367\325\311\322\364\221\0HYP\4\305K\251\347\11% [q\0\305D\33\342\237|b\0\10\331Z\3610\224\262 \0\213\13\210Y\336\30\37P\7T\212\266#\345\0\211\360\203\343\0U^\2\12\374!\305\265\0Pr\261%\301G\260u\220#\0$E\255C/\1\216\200.\302~\342\3a?\322\345\351\210S\354\342\177\378\303\351\276\3!\241\337\235\376\371\205\201\3745\321\0$0\365E\222\353\301p\0\3\322/\243:J\2~\0\203\311\245\365\305\313\103\0\317\202\351\24\36\1W#'\2512p\244\3 K\3\312\354", ) \365D\323\364\330\200\214\302[\377\11{\305p_\0n\267\266W\210J\323\372\0@\356\200\317\327\351\221/\0b\6q\277\340\347~\376$\377\205\3219\270\324\0\207\372\235\261\313>R\0\27215a\367\325\311\322\364\221\0HYP\4\305K\251\347\11% [q\0\305D\33\342\237|b\0\10\331Z\3610\224\262 \0\213\13\210Y\336\30\37P\7T\212\266#\345\0\211\360\203\343\0U^\2\12\374!\305\265\0Pr\261%\301G\260u\220#\0$E\255C/\1\216\200.\302~\342\3a?\322\345\351\210S\354\342\177\378\303\351\276\3!\241\337\235\376\371\205\201\3745\321\0$0\365E\222\353\301p\0\3\322/\243:J\2~\0\203\311\245\365\305\313\103\0\317\202\351\24\36\1W#'\2512p\244\3 K\3\312\354", ) == 0x0
 01442   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, " D\235\227\325\20\365\27\200\274\277\17#Y\0\326\224\250d\205\73\202\347\236U\11\200\270!\331\277\240\34w\12\346\0\1\3731\351_\201\0\311\5\235!\366\203\310\32\260\300\12\36\372b{U\206\374%R~\323t\253\0\322\264\24\273P\1G\320\177Y=*@\0\2040D\246V\351\30\0\223\353i\34\23(\354\357\0,\323\3737\355\232\244\344\0\316\260/\360\160\363Q\0\200k\335\272\266_\7\366\0\215\31@\271\315\3A\241\0cK\2\1\313Y\260\301\0^i\6 \3103p`w1^\266\274Q8d\200\346\253\273\367\256\23V~_\3\3Y\13[\260\345\260\341{\355\5\207\370t!\32\200n\266u\365P\230\216\234:\301\23\200\332\265\200(H\3\210\0\353Y \326\223\331\202\316\0\325\306\211\20Fh\5\213\0\270\340\311\351=A\364\202\0:\320[\266\334`?\3\16\356;0\31\300\315\27\351l\321\356\377\3)@\212SPh\260\325a\333\1\213"\365D\323\364\330\200\214\302[\377\11{\305p_\0n\267\266W\210J\323\372\0@\356\200\317\327\351\221/\0b\6q\277\340\347~\376$\377\205\3219\270\324\0\207\372\235\261\313>R\0\27215a\367\325\311\322\364\221\0HYP\4\305K\251\347\11% [q\0\305D\33\342\237|b\0\10\331Z\3610\224\262 \0\213\13\210Y\336\30\37P\7T\212\266#\345\0\211\360\203\343\0U^\2\12\374!\305\265\0Pr\261%\301G\260u\220#\0$E\255C/\1\216\200.\302~\342\3a?\322\345\351\210S\354\342\177\378\303\351\276\3!\241\337\235\376\371\205\201\3745\321\0$0\365E\222\353\301p\0\3\322/\243:J\2~\0\203\311\245\365\305\313\103\0\317\202\351\24\36\1W#'\2512p\244\3 K\3\312\354", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \365D\323\364\330\200\214\302[\377\11{\305p_\0n\267\266W\210J\323\372\0@\356\200\317\327\351\221/\0b\6q\277\340\347~\376$\377\205\3219\270\324\0\207\372\235\261\313>R\0\27215a\367\325\311\322\364\221\0HYP\4\305K\251\347\11% [q\0\305D\33\342\237|b\0\10\331Z\3610\224\262 \0\213\13\210Y\336\30\37P\7T\212\266#\345\0\211\360\203\343\0U^\2\12\374!\305\265\0Pr\261%\301G\260u\220#\0$E\255C/\1\216\200.\302~\342\3a?\322\345\351\210S\354\342\177\378\303\351\276\3!\241\337\235\376\371\205\201\3745\321\0$0\365E\222\353\301p\0\3\322/\243:J\2~\0\203\311\245\365\305\313\103\0\317\202\351\24\36\1W#'\2512p\244\3 K\3\312\354", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01443   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\324uI\311\366[C\0\253xP4\313\353@+\0\11\267\341\346\15\237\300\335\0\273%\224^\201\213\365b\1|\35\226\320\5\246e\370\357"\1>_\13\325\211\250U\360\351\10\12(\276\217,\256>\17*2\346\200\312Jr\257\225\0\252\201\135<@\207\37\37RW\311\300\365\376\231k(\272\0\234\15<|\276{@\332\01\305V\260U\232\16\23\34\355\13\366\300N\304\1\376\202^\0r\213\323\3368Y\2101\354n\0\375\232\13\212\261\4{&\0\213"@\366\372\7\12\346\0Q\361\300\224\347\244\36\334\0\21\5Lb~%\360c\3006[\220\11!\320XR\373\0Z\331\256,|\k\1u\242]\277<\211C\334\261\376\2+\250\21\20\11\335\375c\334\261\367\3\310\27\331\353\353\257@\227\356!\335\204]\0\273'.\7\247\23Q\374\0x\205\266:\220Y\264\356O0\260\23\322\16\200\302P\10`\235\11\241\255T\0\376;\353`\37S\351\330\17P\257\233\367X\360\325\223\220\24\1\23\201\363\374pa\2770~\332\366 \0\355f\351\337\376\10\235\365\0\24\200\230\233\227\202@\301\36\22WQ\2\223\354\340\204`'H\325KX\300`\242\366l\0-)+\333\102.\377\7\344\323\177\2\240P;9\277\262\0\1\\21KY\252f\365\136$.\202\0\222\327<\304\27\0\212V\12\262a\13:\351\1\215\364\276%^BT\320u\323\0ACm\327\254R(\234\0\332\214\220/ kv$\0\275\244\301\204\351B\12\355\0\270\201\211\332+\356 m?\315-\0\11\342\207U\3746|\270,\7\322\333\327\33@\360h\13E\334\0\346z\240{X\244)\241\37\267\357\376\201\6\305\323\15\362\323\270\351\237\316\23\4\373\315\0V!\360R\330\361\346\262\16@'\272\20\347\204\255\240\355\15\371\304", ) \1>_\13\325\211\250U\360\351\10\12(\276\217,\256>\17*2\346\200\312Jr\257\225\0\252\201\135<@\207\37\37RW\311\300\365\376\231k(\272\0\234\15<|\276{@\332\01\305V\260U\232\16\23\34\355\13\366\300N\304\1\376\202^\0r\213\323\3368Y\2101\354n\0\375\232\13\212\261\4{&\0\213 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\324uI\311\366[C\0\253xP4\313\353@+\0\11\267\341\346\15\237\300\335\0\273%\224^\201\213\365b\1|\35\226\320\5\246e\370\357"\1>_\13\325\211\250U\360\351\10\12(\276\217,\256>\17*2\346\200\312Jr\257\225\0\252\201\135<@\207\37\37RW\311\300\365\376\231k(\272\0\234\15<|\276{@\332\01\305V\260U\232\16\23\34\355\13\366\300N\304\1\376\202^\0r\213\323\3368Y\2101\354n\0\375\232\13\212\261\4{&\0\213"@\366\372\7\12\346\0Q\361\300\224\347\244\36\334\0\21\5Lb~%\360c\3006[\220\11!\320XR\373\0Z\331\256,|\k\1u\242]\277<\211C\334\261\376\2+\250\21\20\11\335\375c\334\261\367\3\310\27\331\353\353\257@\227\356!\335\204]\0\273'.\7\247\23Q\374\0x\205\266:\220Y\264\356O0\260\23\322\16\200\302P\10`\235\11\241\255T\0\376;\353`\37S\351\330\17P\257\233\367X\360\325\223\220\24\1\23\201\363\374pa\2770~\332\366 \0\355f\351\337\376\10\235\365\0\24\200\230\233\227\202@\301\36\22WQ\2\223\354\340\204`'H\325KX\300`\242\366l\0-)+\333\102.\377\7\344\323\177\2\240P;9\277\262\0\1\\21KY\252f\365\136$.\202\0\222\327<\304\27\0\212V\12\262a\13:\351\1\215\364\276%^BT\320u\323\0ACm\327\254R(\234\0\332\214\220/ kv$\0\275\244\301\204\351B\12\355\0\270\201\211\332+\356 m?\315-\0\11\342\207U\3746|\270,\7\322\333\327\33@\360h\13E\334\0\346z\240{X\244)\241\37\267\357\376\201\6\305\323\15\362\323\270\351\237\316\23\4\373\315\0V!\360R\330\361\346\262\16@'\272\20\347\204\255\240\355\15\371\304", ) , ) == 0x0
 01444   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\324uI\311\366[C\0\253xP4\313\353@+\0\11\267\341\346\15\237\300\335\0\273%\224^\201\213\365b\1|\35\226\320\5\246e\370\357"\1>_\13\325\211\250U\360\351\10\12(\276\217,\256>\17*2\346\200\312Jr\257\225\0\252\201\135<@\207\37\37RW\311\300\365\376\231k(\272\0\234\15<|\276{@\332\01\305V\260U\232\16\23\34\355\13\366\300N\304\1\376\202^\0r\213\323\3368Y\2101\354n\0\375\232\13\212\261\4{&\0\213"@\366\372\7\12\346\0Q\361\300\224\347\244\36\334\0\21\5Lb~%\360c\3006[\220\11!\320XR\373\0Z\331\256,|\k\1u\242]\277<\211C\334\261\376\2+\250\21\20\11\335\375c\334\261\367\3\310\27\331\353\353\257@\227\356!\335\204]\0\273'.\7\247\23Q\374\0x\205\266:\220Y\264\356O0\260\23\322\16\200\302P\10`\235\11\241\255T\0\376;\353`\37S\351\330\17P\257\233\367X\360\325\223\220\24\1\23\201\363\374pa\2770~\332\366 \0\355f\351\337\376\10\235\365\0\24\200\230\233\227\202@\301\36\22WQ\2\223\354\340\204`'H\325KX\300`\242\366l\0-)+\333\102.\377\7\344\323\177\2\240P;9\277\262\0\1\\21KY\252f\365\136$.\202\0\222\327<\304\27\0\212V\12\262a\13:\351\1\215\364\276%^BT\320u\323\0ACm\327\254R(\234\0\332\214\220/ kv$\0\275\244\301\204\351B\12\355\0\270\201\211\332+\356 m?\315-\0\11\342\207U\3746|\270,\7\322\333\327\33@\360h\13E\334\0\346z\240{X\244)\241\37\267\357\376\201\6\305\323\15\362\323\270\351\237\316\23\4\373\315\0V!\360R\330\361\346\262\16@'\272\20\347\204\255\240\355\15\371\304", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \1>_\13\325\211\250U\360\351\10\12(\276\217,\256>\17*2\346\200\312Jr\257\225\0\252\201\135<@\207\37\37RW\311\300\365\376\231k(\272\0\234\15<|\276{@\332\01\305V\260U\232\16\23\34\355\13\366\300N\304\1\376\202^\0r\213\323\3368Y\2101\354n\0\375\232\13\212\261\4{&\0\213 (308, 0, 0, 0, "\324uI\311\366[C\0\253xP4\313\353@+\0\11\267\341\346\15\237\300\335\0\273%\224^\201\213\365b\1|\35\226\320\5\246e\370\357"\1>_\13\325\211\250U\360\351\10\12(\276\217,\256>\17*2\346\200\312Jr\257\225\0\252\201\135<@\207\37\37RW\311\300\365\376\231k(\272\0\234\15<|\276{@\332\01\305V\260U\232\16\23\34\355\13\366\300N\304\1\376\202^\0r\213\323\3368Y\2101\354n\0\375\232\13\212\261\4{&\0\213"@\366\372\7\12\346\0Q\361\300\224\347\244\36\334\0\21\5Lb~%\360c\3006[\220\11!\320XR\373\0Z\331\256,|\k\1u\242]\277<\211C\334\261\376\2+\250\21\20\11\335\375c\334\261\367\3\310\27\331\353\353\257@\227\356!\335\204]\0\273'.\7\247\23Q\374\0x\205\266:\220Y\264\356O0\260\23\322\16\200\302P\10`\235\11\241\255T\0\376;\353`\37S\351\330\17P\257\233\367X\360\325\223\220\24\1\23\201\363\374pa\2770~\332\366 \0\355f\351\337\376\10\235\365\0\24\200\230\233\227\202@\301\36\22WQ\2\223\354\340\204`'H\325KX\300`\242\366l\0-)+\333\102.\377\7\344\323\177\2\240P;9\277\262\0\1\\21KY\252f\365\136$.\202\0\222\327<\304\27\0\212V\12\262a\13:\351\1\215\364\276%^BT\320u\323\0ACm\327\254R(\234\0\332\214\220/ kv$\0\275\244\301\204\351B\12\355\0\270\201\211\332+\356 m?\315-\0\11\342\207U\3746|\270,\7\322\333\327\33@\360h\13E\334\0\346z\240{X\244)\241\37\267\357\376\201\6\305\323\15\362\323\270\351\237\316\23\4\373\315\0V!\360R\330\361\346\262\16@'\272\20\347\204\255\240\355\15\371\304", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01445   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\371\205\240\242\273\245\4\372@l\6\203\207\374\233\0\374[\375\242\13\77]\21\326C`R\215\300\17\0\27\266\376\323\356\263Z\224\0r}\235\331\236Q\34\206\2)\351o\324\254\17\377\340\332\260\22\13\4\276\23\210\0F\365\304X\34\354\352\0\35\333\355\260\372#\327L\0N-\10\371t\304K\26\7\305\340\324\230$@\331\271&E&\370 \250\22.\11R\364\200jS\261\230\231\0AB0\346_\32J\326\0\354%\334z\357\353\370\340\0\347\333\345P\10F+K\0\327\356\212\302y\26\346\341\36[\257`\200X\13\6\232u\362\1\351(s\30\234\225S\371\245\3013:\09!K\355\246\327\5&R\250\16\261\300\372\240\200\356\26\21\225Q\0\10\234\267\337P\374?\226x\200\306+\346\5\2621<8\315\1\1\351TA\265^,\330\2m\7U\213w\305\201\37\17\304`\303\371 \252\270\0)S%\317\27\335\1\221\11X\201\351!\211\301\4%W\300Y\354\356\364r\240p\302\0\261\22\213\32\200\345\346Z\2^X\212W\26\260\200\204o\14\351\17\2\333\264\13/\326]a\3\346\370N\31\0\322\365\325w.\246)\226\0\327\20\244U2X\306\37\0\242fb\274d"!)\0\330\10\324\213:\257\374\1\344\301\1\313\4k+s_\201\310\305|\0\211$0\21\3002\303X\7\353\365\24-q0\264:\265\324\30\234K\270$#\316\37\351\336;\0\344\262\1)\355CX\201\36\0\310o\224L\26\372\234\350#\0x\353\231\326\272\227lM\0\351k\27\260F\255B\305\0\1\303\372\5\234\275\365\222\0\212X\337\320>\341k\230\\312\263\0<\30\351\340iV\1\0\336p[H\305&\226\352\26`!\373\0\267eE\21\330\251\350\23\276\245\250\0\314+\307\2{\300\0\341\3Lu}"\220\345\0", ) !)\0\330\10\324\213:\257\374\1\344\301\1\313\4k+s_\201\310\305|\0\211$0\21\3002\303X\7\353\365\24-q0\264:\265\324\30\234K\270$#\316\37\351\336;\0\344\262\1)\355CX\201\36\0\310o\224L\26\372\234\350#\0x\353\231\326\272\227lM\0\351k\27\260F\255B\305\0\1\303\372\5\234\275\365\222\0\212X\337\320>\341k\230\\312\263\0<\30\351\340iV\1\0\336p[H\305&\226\352\26`!\373\0\267eE\21\330\251\350\23\276\245\250\0\314+\307\2{\300\0\341\3Lu} (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\371\205\240\242\273\245\4\372@l\6\203\207\374\233\0\374[\375\242\13\77]\21\326C`R\215\300\17\0\27\266\376\323\356\263Z\224\0r}\235\331\236Q\34\206\2)\351o\324\254\17\377\340\332\260\22\13\4\276\23\210\0F\365\304X\34\354\352\0\35\333\355\260\372#\327L\0N-\10\371t\304K\26\7\305\340\324\230$@\331\271&E&\370 \250\22.\11R\364\200jS\261\230\231\0AB0\346_\32J\326\0\354%\334z\357\353\370\340\0\347\333\345P\10F+K\0\327\356\212\302y\26\346\341\36[\257`\200X\13\6\232u\362\1\351(s\30\234\225S\371\245\3013:\09!K\355\246\327\5&R\250\16\261\300\372\240\200\356\26\21\225Q\0\10\234\267\337P\374?\226x\200\306+\346\5\2621<8\315\1\1\351TA\265^,\330\2m\7U\213w\305\201\37\17\304`\303\371 \252\270\0)S%\317\27\335\1\221\11X\201\351!\211\301\4%W\300Y\354\356\364r\240p\302\0\261\22\213\32\200\345\346Z\2^X\212W\26\260\200\204o\14\351\17\2\333\264\13/\326]a\3\346\370N\31\0\322\365\325w.\246)\226\0\327\20\244U2X\306\37\0\242fb\274d"!)\0\330\10\324\213:\257\374\1\344\301\1\313\4k+s_\201\310\305|\0\211$0\21\3002\303X\7\353\365\24-q0\264:\265\324\30\234K\270$#\316\37\351\336;\0\344\262\1)\355CX\201\36\0\310o\224L\26\372\234\350#\0x\353\231\326\272\227lM\0\351k\27\260F\255B\305\0\1\303\372\5\234\275\365\222\0\212X\337\320>\341k\230\\312\263\0<\30\351\340iV\1\0\336p[H\305&\226\352\26`!\373\0\267eE\21\330\251\350\23\276\245\250\0\314+\307\2{\300\0\341\3Lu}"\220\345\0", ) , ) == 0x0
 01446   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\371\205\240\242\273\245\4\372@l\6\203\207\374\233\0\374[\375\242\13\77]\21\326C`R\215\300\17\0\27\266\376\323\356\263Z\224\0r}\235\331\236Q\34\206\2)\351o\324\254\17\377\340\332\260\22\13\4\276\23\210\0F\365\304X\34\354\352\0\35\333\355\260\372#\327L\0N-\10\371t\304K\26\7\305\340\324\230$@\331\271&E&\370 \250\22.\11R\364\200jS\261\230\231\0AB0\346_\32J\326\0\354%\334z\357\353\370\340\0\347\333\345P\10F+K\0\327\356\212\302y\26\346\341\36[\257`\200X\13\6\232u\362\1\351(s\30\234\225S\371\245\3013:\09!K\355\246\327\5&R\250\16\261\300\372\240\200\356\26\21\225Q\0\10\234\267\337P\374?\226x\200\306+\346\5\2621<8\315\1\1\351TA\265^,\330\2m\7U\213w\305\201\37\17\304`\303\371 \252\270\0)S%\317\27\335\1\221\11X\201\351!\211\301\4%W\300Y\354\356\364r\240p\302\0\261\22\213\32\200\345\346Z\2^X\212W\26\260\200\204o\14\351\17\2\333\264\13/\326]a\3\346\370N\31\0\322\365\325w.\246)\226\0\327\20\244U2X\306\37\0\242fb\274d"!)\0\330\10\324\213:\257\374\1\344\301\1\313\4k+s_\201\310\305|\0\211$0\21\3002\303X\7\353\365\24-q0\264:\265\324\30\234K\270$#\316\37\351\336;\0\344\262\1)\355CX\201\36\0\310o\224L\26\372\234\350#\0x\353\231\326\272\227lM\0\351k\27\260F\255B\305\0\1\303\372\5\234\275\365\222\0\212X\337\320>\341k\230\\312\263\0<\30\351\340iV\1\0\336p[H\305&\226\352\26`!\373\0\267eE\21\330\251\350\23\276\245\250\0\314+\307\2{\300\0\341\3Lu}"\220\345\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) !)\0\330\10\324\213:\257\374\1\344\301\1\313\4k+s_\201\310\305|\0\211$0\21\3002\303X\7\353\365\24-q0\264:\265\324\30\234K\270$#\316\37\351\336;\0\344\262\1)\355CX\201\36\0\310o\224L\26\372\234\350#\0x\353\231\326\272\227lM\0\351k\27\260F\255B\305\0\1\303\372\5\234\275\365\222\0\212X\337\320>\341k\230\\312\263\0<\30\351\340iV\1\0\336p[H\305&\226\352\26`!\373\0\267eE\21\330\251\350\23\276\245\250\0\314+\307\2{\300\0\341\3Lu} (308, 0, 0, 0, "\371\205\240\242\273\245\4\372@l\6\203\207\374\233\0\374[\375\242\13\77]\21\326C`R\215\300\17\0\27\266\376\323\356\263Z\224\0r}\235\331\236Q\34\206\2)\351o\324\254\17\377\340\332\260\22\13\4\276\23\210\0F\365\304X\34\354\352\0\35\333\355\260\372#\327L\0N-\10\371t\304K\26\7\305\340\324\230$@\331\271&E&\370 \250\22.\11R\364\200jS\261\230\231\0AB0\346_\32J\326\0\354%\334z\357\353\370\340\0\347\333\345P\10F+K\0\327\356\212\302y\26\346\341\36[\257`\200X\13\6\232u\362\1\351(s\30\234\225S\371\245\3013:\09!K\355\246\327\5&R\250\16\261\300\372\240\200\356\26\21\225Q\0\10\234\267\337P\374?\226x\200\306+\346\5\2621<8\315\1\1\351TA\265^,\330\2m\7U\213w\305\201\37\17\304`\303\371 \252\270\0)S%\317\27\335\1\221\11X\201\351!\211\301\4%W\300Y\354\356\364r\240p\302\0\261\22\213\32\200\345\346Z\2^X\212W\26\260\200\204o\14\351\17\2\333\264\13/\326]a\3\346\370N\31\0\322\365\325w.\246)\226\0\327\20\244U2X\306\37\0\242fb\274d"!)\0\330\10\324\213:\257\374\1\344\301\1\313\4k+s_\201\310\305|\0\211$0\21\3002\303X\7\353\365\24-q0\264:\265\324\30\234K\270$#\316\37\351\336;\0\344\262\1)\355CX\201\36\0\310o\224L\26\372\234\350#\0x\353\231\326\272\227lM\0\351k\27\260F\255B\305\0\1\303\372\5\234\275\365\222\0\212X\337\320>\341k\230\\312\263\0<\30\351\340iV\1\0\336p[H\305&\226\352\26`!\373\0\267eE\21\330\251\350\23\276\245\250\0\314+\307\2{\300\0\341\3Lu}"\220\345\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01447   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\4\201R\1\351\330\231\10z\355\13 bs\0\365.\225\321~B\211\236\17\366;\343V\300\364\356K?\346\0%\377\315\262<\110\305p\1\230\27\26X\272\10\3\231\227=\353\347\340S\11\335P\00\324\270N<\350.\326\0\36\334`\7^\1\370)\0\353\337\23\322%!\375\11\0\326\32\14\360\273\225Te\17\311\2\354]\216!\240\37\6>\270\357\0\240WV\7\267\\200A\0\250\31\2z'\312\225\237\374\11:\253\5\200\264G\3606\221\322\35\0\256\310~\375\225A\276_\7%\300/\350+\236\\35\@\322\351xC\377\343.*\312_\0\275\236\260\30Z\305\36\375\263\256{\0w[\314\4l\361\233z\221\0\210\310\340\366\251*Y \0\2464G\36\370\273,\305\364\300\364\3\1QU\262\2523\275\263\360\203\340\0\33\351\215%\375\3\337\1\7Ih\235A\302p\305\362/\370\16\256\277l\12\300\261\252\375\204\313\0L\360i\300\270\336K]\0\356\212\352\20!\301\211\362\0U\202.(\343x,\224\230Z\1"/\267\364wt\241\350\30m\23*\370\274\0\262\316\252\377!.\0WY%\205(\5B\243\0\26\15\17\356\210\352\247o\2\226\360\255\234\130\300\262\265r\0\241^\372\376\20\377\3365\0\235{\201/i1\247\14\13V\300\16\371\0\373\354B\330\0q\314\216\274\275\334)@uU\16+f\3268\17\310@\350\351\331\242\220\0\230}Q\235^5a\275\17\363:\222\353\340I\322\212\2\324H\22\323\36\7\327@\334\4!\370Zh\0\207\3534\223\276\350A\310\0\213\27(\2\254\351\206\30\0x\315\363z0\2521\303zQ\7\271Y\7\357\361\320`.I\354;\351\3\0K\375\352\212\316];\0\305\376\234\5\270\261\211\301\0\2453Om\353&\13\215\1\10\220H\6\351\325", ) /\267\364wt\241\350\30m\23*\370\274\0\262\316\252\377!.\0WY%\205(\5B\243\0\26\15\17\356\210\352\247o\2\226\360\255\234\130\300\262\265r\0\241^\372\376\20\377\3365\0\235{\201/i1\247\14\13V\300\16\371\0\373\354B\330\0q\314\216\274\275\334)@uU\16+f\3268\17\310@\350\351\331\242\220\0\230}Q\235^5a\275\17\363:\222\353\340I\322\212\2\324H\22\323\36\7\327@\334\4!\370Zh\0\207\3534\223\276\350A\310\0\213\27(\2\254\351\206\30\0x\315\363z0\2521\303zQ\7\271Y\7\357\361\320`.I\354;\351\3\0K\375\352\212\316];\0\305\376\234\5\270\261\211\301\0\2453Om\353&\13\215\1\10\220H\6\351\325", ) == 0x0
 01448   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\4\201R\1\351\330\231\10z\355\13 bs\0\365.\225\321~B\211\236\17\366;\343V\300\364\356K?\346\0%\377\315\262<\110\305p\1\230\27\26X\272\10\3\231\227=\353\347\340S\11\335P\00\324\270N<\350.\326\0\36\334`\7^\1\370)\0\353\337\23\322%!\375\11\0\326\32\14\360\273\225Te\17\311\2\354]\216!\240\37\6>\270\357\0\240WV\7\267\\200A\0\250\31\2z'\312\225\237\374\11:\253\5\200\264G\3606\221\322\35\0\256\310~\375\225A\276_\7%\300/\350+\236\\35\@\322\351xC\377\343.*\312_\0\275\236\260\30Z\305\36\375\263\256{\0w[\314\4l\361\233z\221\0\210\310\340\366\251*Y \0\2464G\36\370\273,\305\364\300\364\3\1QU\262\2523\275\263\360\203\340\0\33\351\215%\375\3\337\1\7Ih\235A\302p\305\362/\370\16\256\277l\12\300\261\252\375\204\313\0L\360i\300\270\336K]\0\356\212\352\20!\301\211\362\0U\202.(\343x,\224\230Z\1"/\267\364wt\241\350\30m\23*\370\274\0\262\316\252\377!.\0WY%\205(\5B\243\0\26\15\17\356\210\352\247o\2\226\360\255\234\130\300\262\265r\0\241^\372\376\20\377\3365\0\235{\201/i1\247\14\13V\300\16\371\0\373\354B\330\0q\314\216\274\275\334)@uU\16+f\3268\17\310@\350\351\331\242\220\0\230}Q\235^5a\275\17\363:\222\353\340I\322\212\2\324H\22\323\36\7\327@\334\4!\370Zh\0\207\3534\223\276\350A\310\0\213\27(\2\254\351\206\30\0x\315\363z0\2521\303zQ\7\271Y\7\357\361\320`.I\354;\351\3\0K\375\352\212\316];\0\305\376\234\5\270\261\211\301\0\2453Om\353&\13\215\1\10\220H\6\351\325", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) /\267\364wt\241\350\30m\23*\370\274\0\262\316\252\377!.\0WY%\205(\5B\243\0\26\15\17\356\210\352\247o\2\226\360\255\234\130\300\262\265r\0\241^\372\376\20\377\3365\0\235{\201/i1\247\14\13V\300\16\371\0\373\354B\330\0q\314\216\274\275\334)@uU\16+f\3268\17\310@\350\351\331\242\220\0\230}Q\235^5a\275\17\363:\222\353\340I\322\212\2\324H\22\323\36\7\327@\334\4!\370Zh\0\207\3534\223\276\350A\310\0\213\27(\2\254\351\206\30\0x\315\363z0\2521\303zQ\7\271Y\7\357\361\320`.I\354;\351\3\0K\375\352\212\316];\0\305\376\234\5\270\261\211\301\0\2453Om\353&\13\215\1\10\220H\6\351\325", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01449   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\32>\2538\3:\27\272\0\315Q!x\245(\314\0\242K\311\321P\341\1w>\374\37\7\371\316\3\351\340\207_lL\0\26\2754\2\364S\10\5\0\210\307h\2567\220\7\347\177\211\0\266\343K\4R\207\274\243\0N\352aj2\302p\226r\32\1\312\350\344"d\265X\374\13\370\13h=z\304_\200\177x\243\32\10\0P\330m\322\12\357\367\363\270\265\0\305#"\313\275\373~\221\0\26\212\352\220\11\351\303\360\0\302\206\203\345\36F#\201\0\370\375n\200\33\30X\351\131\330$\320\0\240o(\333\267\5Y\232v\37\300\276\300H\1\25V\0\351\205s*\373,\303h\37\3638\261A\260m\315^\340p\227 \0\365\6\304.h\346\356\242\0\314\302\275[\363\336ZC\16N!Pl`\233^\231\331\362\0`\334\326\227\345C\276\275y:\0\33\313R\203\365^e1\3\14\37\325A\271\213\271o\254\344\247\321\0\346\210\365?\230\362\344P\0\305\232U\371\334_\367\277\02~\330a\206\32&*|0\0\5\200\373 \217T\37<\0\313\362%!\7/\231\327\23\306x\371\305\255\11\254\243_\213\211\0uW\270\26\320\22\345\(\360X\372\0\374\223\11\273\14\347/\23\3\200\353\4\214\331\211\330\201\240\275\0\6\272^\22;\\311\206=\361\312\2169\330L\340\212\247-qp\0\200\210\376\276\31'\332\374\0\177P\365oE\243M\25\0\320n\\250\370\277Y\362\0A[\325\3\134O\30\230~\7!_(\361\313\253\3Q3B\270\260&Y\0W\321\365\14\11_\306\263\0\343\247\212uE\21\351\324\37h\301\250\300\3/\314\266d\340\0\375\201J\245\13v;|\375\362E@\35:mw\226Q\1\24\200\363\207\11\202\273`-}\0\22\232]k\270\256\346&\171\177z\35G\204\267\300", ) d\265X\374\13\370\13h=z\304_\200\177x\243\32\10\0P\330m\322\12\357\367\363\270\265\0\305# (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\32>\2538\3:\27\272\0\315Q!x\245(\314\0\242K\311\321P\341\1w>\374\37\7\371\316\3\351\340\207_lL\0\26\2754\2\364S\10\5\0\210\307h\2567\220\7\347\177\211\0\266\343K\4R\207\274\243\0N\352aj2\302p\226r\32\1\312\350\344"d\265X\374\13\370\13h=z\304_\200\177x\243\32\10\0P\330m\322\12\357\367\363\270\265\0\305#"\313\275\373~\221\0\26\212\352\220\11\351\303\360\0\302\206\203\345\36F#\201\0\370\375n\200\33\30X\351\131\330$\320\0\240o(\333\267\5Y\232v\37\300\276\300H\1\25V\0\351\205s*\373,\303h\37\3638\261A\260m\315^\340p\227 \0\365\6\304.h\346\356\242\0\314\302\275[\363\336ZC\16N!Pl`\233^\231\331\362\0`\334\326\227\345C\276\275y:\0\33\313R\203\365^e1\3\14\37\325A\271\213\271o\254\344\247\321\0\346\210\365?\230\362\344P\0\305\232U\371\334_\367\277\02~\330a\206\32&*|0\0\5\200\373 \217T\37<\0\313\362%!\7/\231\327\23\306x\371\305\255\11\254\243_\213\211\0uW\270\26\320\22\345\(\360X\372\0\374\223\11\273\14\347/\23\3\200\353\4\214\331\211\330\201\240\275\0\6\272^\22;\\311\206=\361\312\2169\330L\340\212\247-qp\0\200\210\376\276\31'\332\374\0\177P\365oE\243M\25\0\320n\\250\370\277Y\362\0A[\325\3\134O\30\230~\7!_(\361\313\253\3Q3B\270\260&Y\0W\321\365\14\11_\306\263\0\343\247\212uE\21\351\324\37h\301\250\300\3/\314\266d\340\0\375\201J\245\13v;|\375\362E@\35:mw\226Q\1\24\200\363\207\11\202\273`-}\0\22\232]k\270\256\346&\171\177z\35G\204\267\300", ) , ) == 0x0
 01450   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\32>\2538\3:\27\272\0\315Q!x\245(\314\0\242K\311\321P\341\1w>\374\37\7\371\316\3\351\340\207_lL\0\26\2754\2\364S\10\5\0\210\307h\2567\220\7\347\177\211\0\266\343K\4R\207\274\243\0N\352aj2\302p\226r\32\1\312\350\344"d\265X\374\13\370\13h=z\304_\200\177x\243\32\10\0P\330m\322\12\357\367\363\270\265\0\305#"\313\275\373~\221\0\26\212\352\220\11\351\303\360\0\302\206\203\345\36F#\201\0\370\375n\200\33\30X\351\131\330$\320\0\240o(\333\267\5Y\232v\37\300\276\300H\1\25V\0\351\205s*\373,\303h\37\3638\261A\260m\315^\340p\227 \0\365\6\304.h\346\356\242\0\314\302\275[\363\336ZC\16N!Pl`\233^\231\331\362\0`\334\326\227\345C\276\275y:\0\33\313R\203\365^e1\3\14\37\325A\271\213\271o\254\344\247\321\0\346\210\365?\230\362\344P\0\305\232U\371\334_\367\277\02~\330a\206\32&*|0\0\5\200\373 \217T\37<\0\313\362%!\7/\231\327\23\306x\371\305\255\11\254\243_\213\211\0uW\270\26\320\22\345\(\360X\372\0\374\223\11\273\14\347/\23\3\200\353\4\214\331\211\330\201\240\275\0\6\272^\22;\\311\206=\361\312\2169\330L\340\212\247-qp\0\200\210\376\276\31'\332\374\0\177P\365oE\243M\25\0\320n\\250\370\277Y\362\0A[\325\3\134O\30\230~\7!_(\361\313\253\3Q3B\270\260&Y\0W\321\365\14\11_\306\263\0\343\247\212uE\21\351\324\37h\301\250\300\3/\314\266d\340\0\375\201J\245\13v;|\375\362E@\35:mw\226Q\1\24\200\363\207\11\202\273`-}\0\22\232]k\270\256\346&\171\177z\35G\204\267\300", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) d\265X\374\13\370\13h=z\304_\200\177x\243\32\10\0P\330m\322\12\357\367\363\270\265\0\305# (308, 0, 0, 0, "\32>\2538\3:\27\272\0\315Q!x\245(\314\0\242K\311\321P\341\1w>\374\37\7\371\316\3\351\340\207_lL\0\26\2754\2\364S\10\5\0\210\307h\2567\220\7\347\177\211\0\266\343K\4R\207\274\243\0N\352aj2\302p\226r\32\1\312\350\344"d\265X\374\13\370\13h=z\304_\200\177x\243\32\10\0P\330m\322\12\357\367\363\270\265\0\305#"\313\275\373~\221\0\26\212\352\220\11\351\303\360\0\302\206\203\345\36F#\201\0\370\375n\200\33\30X\351\131\330$\320\0\240o(\333\267\5Y\232v\37\300\276\300H\1\25V\0\351\205s*\373,\303h\37\3638\261A\260m\315^\340p\227 \0\365\6\304.h\346\356\242\0\314\302\275[\363\336ZC\16N!Pl`\233^\231\331\362\0`\334\326\227\345C\276\275y:\0\33\313R\203\365^e1\3\14\37\325A\271\213\271o\254\344\247\321\0\346\210\365?\230\362\344P\0\305\232U\371\334_\367\277\02~\330a\206\32&*|0\0\5\200\373 \217T\37<\0\313\362%!\7/\231\327\23\306x\371\305\255\11\254\243_\213\211\0uW\270\26\320\22\345\(\360X\372\0\374\223\11\273\14\347/\23\3\200\353\4\214\331\211\330\201\240\275\0\6\272^\22;\\311\206=\361\312\2169\330L\340\212\247-qp\0\200\210\376\276\31'\332\374\0\177P\365oE\243M\25\0\320n\\250\370\277Y\362\0A[\325\3\134O\30\230~\7!_(\361\313\253\3Q3B\270\260&Y\0W\321\365\14\11_\306\263\0\343\247\212uE\21\351\324\37h\301\250\300\3/\314\266d\340\0\375\201J\245\13v;|\375\362E@\35:mw\226Q\1\24\200\363\207\11\202\273`-}\0\22\232]k\270\256\346&\171\177z\35G\204\267\300", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01451   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\0X\5:^q"\267\321\0\343b\201\23\200 )[q\346\0X\336\250\337\11\341Y\232\0t\327xTL\332\15Z\370\277\346\\13B\355P`S\323\16\352\300.\301\336\251\34\226\0a\275\360\11\222\337\0\371\273\23Q\250o\313\13s\1\0MF\6H7\211I\317\0L/Y\376\327A\351o\0\252\246*\374\240\215%!\22\335\I\0\356\5\230;\276E\0\33+\321\324O\354\350M\7\271\27\275\200\374\221\204\177b\317\342\376a\256[\354\6\240\0-\363\373C\377%\23b\37\247\337\344Ma\12\340\3745ot(\0"-\356\1U89F\1\273\220\23'0\320\325\320\340\5\0\307\202\277\2172\227\352\11\0\247V\213d\321R\26"\16\252\1o\351\3402\375\362\345\333\376\\0\304\337\300\211\203\341kJ\0Zb\331n\334\233\205U$&\3D\35#\200\201\27(\313X.\0\356a\241\234\215\213f\267\0#weV\11\31\375\2\27?(\371\4\272\37Q\200\13\373\260w\220\222q\334\37\7\340\29\207\313\212|\221\220\247`\6\12X\345e\0\356\321u\226\365\360f\2^%\260P|\223\340\242\246\\0\266\129\301\362x\324\4\1F\377-hp\353\206\354T_\0\11\16\201V\21\351H\244=\13\2\11\370Yu\0\314\340D1\31\0\230\360I[\324\13\32"\0\342\325\26\353Z)\254\206\0\240\11\27\375\200Q\333u\0\370\221\356\311\365\314\35\234\0\1\351\12h\236/\300\225\16\203_\367\302`T+\320Q\224\2\265\326A,\3419\200\200\200\312\12\336\0\5\332\2710\302\310#\327\2_Y\366\213\22\256\300\230\314+\0\307\212QJ\350\16F\344\0H\205-3@(\2271&\302\12\330\0.\202\340\210\373}\0\307\244\205 \367\\347\316\0", ) \267\321\0\343b\201\23\200 )[q\346\0X\336\250\337\11\341Y\232\0t\327xTL\332\15Z\370\277\346\\133\316\200*\141\253:\17>B\355P`S\323\16\352\300.\301\336\251\34\226\0a\275\360\11\222\337\0\371\273\23Q\250o\313\13s\1\0MF\6H7\211I\317\0L/Y\376\327A\351o\0\252\246*\374\240\215%!\22\335\I\0\356\5\230;\276E\0\33+\321\324O\354\350M\7\271\27\275\200\374\221\204\177b\317\342\376a\256[\354\6\240\0-\363\373C\377%\23b\37\247\337\344Ma\12\340\3745ot(\0 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\0X\5:^q"\267\321\0\343b\201\23\200 )[q\346\0X\336\250\337\11\341Y\232\0t\327xTL\332\15Z\370\277\346\\13B\355P`S\323\16\352\300.\301\336\251\34\226\0a\275\360\11\222\337\0\371\273\23Q\250o\313\13s\1\0MF\6H7\211I\317\0L/Y\376\327A\351o\0\252\246*\374\240\215%!\22\335\I\0\356\5\230;\276E\0\33+\321\324O\354\350M\7\271\27\275\200\374\221\204\177b\317\342\376a\256[\354\6\240\0-\363\373C\377%\23b\37\247\337\344Ma\12\340\3745ot(\0"-\356\1U89F\1\273\220\23'0\320\325\320\340\5\0\307\202\277\2172\227\352\11\0\247V\213d\321R\26"\16\252\1o\351\3402\375\362\345\333\376\\0\304\337\300\211\203\341kJ\0Zb\331n\334\233\205U$&\3D\35#\200\201\27(\313X.\0\356a\241\234\215\213f\267\0#weV\11\31\375\2\27?(\371\4\272\37Q\200\13\373\260w\220\222q\334\37\7\340\29\207\313\212|\221\220\247`\6\12X\345e\0\356\321u\226\365\360f\2^%\260P|\223\340\242\246\\0\266\129\301\362x\324\4\1F\377-hp\353\206\354T_\0\11\16\201V\21\351H\244=\13\2\11\370Yu\0\314\340D1\31\0\230\360I[\324\13\32"\0\342\325\26\353Z)\254\206\0\240\11\27\375\200Q\333u\0\370\221\356\311\365\314\35\234\0\1\351\12h\236/\300\225\16\203_\367\302`T+\320Q\224\2\265\326A,\3419\200\200\200\312\12\336\0\5\332\2710\302\310#\327\2_Y\366\213\22\256\300\230\314+\0\307\212QJ\350\16F\344\0H\205-3@(\2271&\302\12\330\0.\202\340\210\373}\0\307\244\205 \367\\347\316\0", ) \16\252\1o\351\3402\375\362\345\333\376\\0\304\337\300\211\203\341kJ\0Zb\331n\334\233\205U$&\3D\35#\200\201\27(\313X.\0\356a\241\234\215\213f\267\0#weV\11\31\375\2\27?(\371\4\272\37Q\200\13\373\260w\220\222q\334\37\7\340\29\207\313\212|\221\220\247`\6\12X\345e\0\356\321u\226\365\360f\2^%\260P|\223\340\242\246\\0\266\129\301\362x\324\4\1F\377-hp\353\206\354T_\0\11\16\201V\21\351H\244=\13\2\11\370Yu\0\314\340D1\31\0\230\360I[\324\13\32 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\0X\5:^q"\267\321\0\343b\201\23\200 )[q\346\0X\336\250\337\11\341Y\232\0t\327xTL\332\15Z\370\277\346\\13B\355P`S\323\16\352\300.\301\336\251\34\226\0a\275\360\11\222\337\0\371\273\23Q\250o\313\13s\1\0MF\6H7\211I\317\0L/Y\376\327A\351o\0\252\246*\374\240\215%!\22\335\I\0\356\5\230;\276E\0\33+\321\324O\354\350M\7\271\27\275\200\374\221\204\177b\317\342\376a\256[\354\6\240\0-\363\373C\377%\23b\37\247\337\344Ma\12\340\3745ot(\0"-\356\1U89F\1\273\220\23'0\320\325\320\340\5\0\307\202\277\2172\227\352\11\0\247V\213d\321R\26"\16\252\1o\351\3402\375\362\345\333\376\\0\304\337\300\211\203\341kJ\0Zb\331n\334\233\205U$&\3D\35#\200\201\27(\313X.\0\356a\241\234\215\213f\267\0#weV\11\31\375\2\27?(\371\4\272\37Q\200\13\373\260w\220\222q\334\37\7\340\29\207\313\212|\221\220\247`\6\12X\345e\0\356\321u\226\365\360f\2^%\260P|\223\340\242\246\\0\266\129\301\362x\324\4\1F\377-hp\353\206\354T_\0\11\16\201V\21\351H\244=\13\2\11\370Yu\0\314\340D1\31\0\230\360I[\324\13\32"\0\342\325\26\353Z)\254\206\0\240\11\27\375\200Q\333u\0\370\221\356\311\365\314\35\234\0\1\351\12h\236/\300\225\16\203_\367\302`T+\320Q\224\2\265\326A,\3419\200\200\200\312\12\336\0\5\332\2710\302\310#\327\2_Y\366\213\22\256\300\230\314+\0\307\212QJ\350\16F\344\0H\205-3@(\2271&\302\12\330\0.\202\340\210\373}\0\307\244\205 \367\\347\316\0", ) , ) == 0x0
 01452   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\0X\5:^q"\267\321\0\343b\201\23\200 )[q\346\0X\336\250\337\11\341Y\232\0t\327xTL\332\15Z\370\277\346\\13B\355P`S\323\16\352\300.\301\336\251\34\226\0a\275\360\11\222\337\0\371\273\23Q\250o\313\13s\1\0MF\6H7\211I\317\0L/Y\376\327A\351o\0\252\246*\374\240\215%!\22\335\I\0\356\5\230;\276E\0\33+\321\324O\354\350M\7\271\27\275\200\374\221\204\177b\317\342\376a\256[\354\6\240\0-\363\373C\377%\23b\37\247\337\344Ma\12\340\3745ot(\0"-\356\1U89F\1\273\220\23'0\320\325\320\340\5\0\307\202\277\2172\227\352\11\0\247V\213d\321R\26"\16\252\1o\351\3402\375\362\345\333\376\\0\304\337\300\211\203\341kJ\0Zb\331n\334\233\205U$&\3D\35#\200\201\27(\313X.\0\356a\241\234\215\213f\267\0#weV\11\31\375\2\27?(\371\4\272\37Q\200\13\373\260w\220\222q\334\37\7\340\29\207\313\212|\221\220\247`\6\12X\345e\0\356\321u\226\365\360f\2^%\260P|\223\340\242\246\\0\266\129\301\362x\324\4\1F\377-hp\353\206\354T_\0\11\16\201V\21\351H\244=\13\2\11\370Yu\0\314\340D1\31\0\230\360I[\324\13\32"\0\342\325\26\353Z)\254\206\0\240\11\27\375\200Q\333u\0\370\221\356\311\365\314\35\234\0\1\351\12h\236/\300\225\16\203_\367\302`T+\320Q\224\2\265\326A,\3419\200\200\200\312\12\336\0\5\332\2710\302\310#\327\2_Y\366\213\22\256\300\230\314+\0\307\212QJ\350\16F\344\0H\205-3@(\2271&\302\12\330\0.\202\340\210\373}\0\307\244\205 \367\\347\316\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \267\321\0\343b\201\23\200 )[q\346\0X\336\250\337\11\341Y\232\0t\327xTL\332\15Z\370\277\346\\133\316\200*\141\253:\17>B\355P`S\323\16\352\300.\301\336\251\34\226\0a\275\360\11\222\337\0\371\273\23Q\250o\313\13s\1\0MF\6H7\211I\317\0L/Y\376\327A\351o\0\252\246*\374\240\215%!\22\335\I\0\356\5\230;\276E\0\33+\321\324O\354\350M\7\271\27\275\200\374\221\204\177b\317\342\376a\256[\354\6\240\0-\363\373C\377%\23b\37\247\337\344Ma\12\340\3745ot(\0 (308, 0, 0, 0, "\0X\5:^q"\267\321\0\343b\201\23\200 )[q\346\0X\336\250\337\11\341Y\232\0t\327xTL\332\15Z\370\277\346\\13B\355P`S\323\16\352\300.\301\336\251\34\226\0a\275\360\11\222\337\0\371\273\23Q\250o\313\13s\1\0MF\6H7\211I\317\0L/Y\376\327A\351o\0\252\246*\374\240\215%!\22\335\I\0\356\5\230;\276E\0\33+\321\324O\354\350M\7\271\27\275\200\374\221\204\177b\317\342\376a\256[\354\6\240\0-\363\373C\377%\23b\37\247\337\344Ma\12\340\3745ot(\0"-\356\1U89F\1\273\220\23'0\320\325\320\340\5\0\307\202\277\2172\227\352\11\0\247V\213d\321R\26"\16\252\1o\351\3402\375\362\345\333\376\\0\304\337\300\211\203\341kJ\0Zb\331n\334\233\205U$&\3D\35#\200\201\27(\313X.\0\356a\241\234\215\213f\267\0#weV\11\31\375\2\27?(\371\4\272\37Q\200\13\373\260w\220\222q\334\37\7\340\29\207\313\212|\221\220\247`\6\12X\345e\0\356\321u\226\365\360f\2^%\260P|\223\340\242\246\\0\266\129\301\362x\324\4\1F\377-hp\353\206\354T_\0\11\16\201V\21\351H\244=\13\2\11\370Yu\0\314\340D1\31\0\230\360I[\324\13\32"\0\342\325\26\353Z)\254\206\0\240\11\27\375\200Q\333u\0\370\221\356\311\365\314\35\234\0\1\351\12h\236/\300\225\16\203_\367\302`T+\320Q\224\2\265\326A,\3419\200\200\200\312\12\336\0\5\332\2710\302\310#\327\2_Y\366\213\22\256\300\230\314+\0\307\212QJ\350\16F\344\0H\205-3@(\2271&\302\12\330\0.\202\340\210\373}\0\307\244\205 \367\\347\316\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \16\252\1o\351\3402\375\362\345\333\376\\0\304\337\300\211\203\341kJ\0Zb\331n\334\233\205U$&\3D\35#\200\201\27(\313X.\0\356a\241\234\215\213f\267\0#weV\11\31\375\2\27?(\371\4\272\37Q\200\13\373\260w\220\222q\334\37\7\340\29\207\313\212|\221\220\247`\6\12X\345e\0\356\321u\226\365\360f\2^%\260P|\223\340\242\246\\0\266\129\301\362x\324\4\1F\377-hp\353\206\354T_\0\11\16\201V\21\351H\244=\13\2\11\370Yu\0\314\340D1\31\0\230\360I[\324\13\32 (308, 0, 0, 0, "\0X\5:^q"\267\321\0\343b\201\23\200 )[q\346\0X\336\250\337\11\341Y\232\0t\327xTL\332\15Z\370\277\346\\13B\355P`S\323\16\352\300.\301\336\251\34\226\0a\275\360\11\222\337\0\371\273\23Q\250o\313\13s\1\0MF\6H7\211I\317\0L/Y\376\327A\351o\0\252\246*\374\240\215%!\22\335\I\0\356\5\230;\276E\0\33+\321\324O\354\350M\7\271\27\275\200\374\221\204\177b\317\342\376a\256[\354\6\240\0-\363\373C\377%\23b\37\247\337\344Ma\12\340\3745ot(\0"-\356\1U89F\1\273\220\23'0\320\325\320\340\5\0\307\202\277\2172\227\352\11\0\247V\213d\321R\26"\16\252\1o\351\3402\375\362\345\333\376\\0\304\337\300\211\203\341kJ\0Zb\331n\334\233\205U$&\3D\35#\200\201\27(\313X.\0\356a\241\234\215\213f\267\0#weV\11\31\375\2\27?(\371\4\272\37Q\200\13\373\260w\220\222q\334\37\7\340\29\207\313\212|\221\220\247`\6\12X\345e\0\356\321u\226\365\360f\2^%\260P|\223\340\242\246\\0\266\129\301\362x\324\4\1F\377-hp\353\206\354T_\0\11\16\201V\21\351H\244=\13\2\11\370Yu\0\314\340D1\31\0\230\360I[\324\13\32"\0\342\325\26\353Z)\254\206\0\240\11\27\375\200Q\333u\0\370\221\356\311\365\314\35\234\0\1\351\12h\236/\300\225\16\203_\367\302`T+\320Q\224\2\265\326A,\3419\200\200\200\312\12\336\0\5\332\2710\302\310#\327\2_Y\366\213\22\256\300\230\314+\0\307\212QJ\350\16F\344\0H\205-3@(\2271&\302\12\330\0.\202\340\210\373}\0\307\244\205 \367\\347\316\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01453   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\315~\370\1c\347r\351=^P\323\260\326\372\312\0\25Z\354\O\262\341y\0X\325\2508\351\223\224\34{\206\0;YS\367Ne\302\4\1y\361j\26\254a\6pU\247\352\239\230\37\0\214 \206\3%\351):vq\200\365efI}\321?s@\374\20\0\17\225y\363\320\201\342%\0Je^\364C\203\303\372\0Q\367\242\307\265\371un=\216\235\34R\210K\303\4\7\3541 \321c\300\357wa\37.\374\21\217\341\351\222\0\374x\356B\203\200\1\352\320Wvi\221\312\364h\3749\353\214\200S\267\341$^\336\12\14\274\22\35\255\2443\0L\11X\1\316\6\363\355K\321\303\37\325\340\245\3\342\3\7\365k\320\202X\340\335\203\347\0\323\322\1\262\251\351R\259k\304\277\205\371\7\343 \342\227\31P2\337\14\373\36\272VX\200\371-\313\375U\270\372\275\0\204Y\314\3P\15\325\22\0\273\336F@\312\345\377\3678\333\301\0\353\16+\350K\351#\0\25\322L\374\7'SH\0\30R\271[Y\364z\342\1\315\343l\311\313%\327\320\354|\260\364\352\7Y\235\341\11\262\320iE"\257\0\7GZRV\336U'.\3312 \13\250E\0\33\266\325S\273\0^\32\17\301C\342\303\373\0z\241\324\313\34l\21I\2'\366\370\6\260\263\342\4\0\306Ox\265\277\00\230\360I\35\330\31\365\13r\366Y\217\1\12[KV\360\363}q\2\0P\200\353\216\270*\310\355:\10\357\200-\371\302w\5R\13\\323@@\360xr\20\0\316p]N\364\240,3\0J\303\360\3"\5\363\\0\351\322\256\273\311\205:\377\22hJ\360\0\226\323`\362\261\210\177\330\0\373\320\307\351'\205\230_\354\247\3%W:\21\\314\230-\11\302\22\335\322\240\6\2612\320\7`{\321]pp", ) \257\0\7GZRV\336U'.\3312 \13\250E\0\33\266\325S\273\0^\32\17\301C\342\303\373\0z\241\324\313\34l\21I\2'\366\370\6\260\263\342\4\0\306Ox\265\277\00\230\360I\35\330\31\365\13r\366Y\217\1\12[KV\360\363}q\2\0P\200\353\216\270*\310\355:\10\357\200-\371\302w\5R\13\\323@@\360xr\20\0\316p]N\364\240,3\0J\303\360\3 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\315~\370\1c\347r\351=^P\323\260\326\372\312\0\25Z\354\O\262\341y\0X\325\2508\351\223\224\34{\206\0;YS\367Ne\302\4\1y\361j\26\254a\6pU\247\352\239\230\37\0\214 \206\3%\351):vq\200\365efI}\321?s@\374\20\0\17\225y\363\320\201\342%\0Je^\364C\203\303\372\0Q\367\242\307\265\371un=\216\235\34R\210K\303\4\7\3541 \321c\300\357wa\37.\374\21\217\341\351\222\0\374x\356B\203\200\1\352\320Wvi\221\312\364h\3749\353\214\200S\267\341$^\336\12\14\274\22\35\255\2443\0L\11X\1\316\6\363\355K\321\303\37\325\340\245\3\342\3\7\365k\320\202X\340\335\203\347\0\323\322\1\262\251\351R\259k\304\277\205\371\7\343 \342\227\31P2\337\14\373\36\272VX\200\371-\313\375U\270\372\275\0\204Y\314\3P\15\325\22\0\273\336F@\312\345\377\3678\333\301\0\353\16+\350K\351#\0\25\322L\374\7'SH\0\30R\271[Y\364z\342\1\315\343l\311\313%\327\320\354|\260\364\352\7Y\235\341\11\262\320iE"\257\0\7GZRV\336U'.\3312 \13\250E\0\33\266\325S\273\0^\32\17\301C\342\303\373\0z\241\324\313\34l\21I\2'\366\370\6\260\263\342\4\0\306Ox\265\277\00\230\360I\35\330\31\365\13r\366Y\217\1\12[KV\360\363}q\2\0P\200\353\216\270*\310\355:\10\357\200-\371\302w\5R\13\\323@@\360xr\20\0\316p]N\364\240,3\0J\303\360\3"\5\363\\0\351\322\256\273\311\205:\377\22hJ\360\0\226\323`\362\261\210\177\330\0\373\320\307\351'\205\230_\354\247\3%W:\21\\314\230-\11\302\22\335\322\240\6\2612\320\7`{\321]pp", ) , ) == 0x0
 01454   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\315~\370\1c\347r\351=^P\323\260\326\372\312\0\25Z\354\O\262\341y\0X\325\2508\351\223\224\34{\206\0;YS\367Ne\302\4\1y\361j\26\254a\6pU\247\352\239\230\37\0\214 \206\3%\351):vq\200\365efI}\321?s@\374\20\0\17\225y\363\320\201\342%\0Je^\364C\203\303\372\0Q\367\242\307\265\371un=\216\235\34R\210K\303\4\7\3541 \321c\300\357wa\37.\374\21\217\341\351\222\0\374x\356B\203\200\1\352\320Wvi\221\312\364h\3749\353\214\200S\267\341$^\336\12\14\274\22\35\255\2443\0L\11X\1\316\6\363\355K\321\303\37\325\340\245\3\342\3\7\365k\320\202X\340\335\203\347\0\323\322\1\262\251\351R\259k\304\277\205\371\7\343 \342\227\31P2\337\14\373\36\272VX\200\371-\313\375U\270\372\275\0\204Y\314\3P\15\325\22\0\273\336F@\312\345\377\3678\333\301\0\353\16+\350K\351#\0\25\322L\374\7'SH\0\30R\271[Y\364z\342\1\315\343l\311\313%\327\320\354|\260\364\352\7Y\235\341\11\262\320iE"\257\0\7GZRV\336U'.\3312 \13\250E\0\33\266\325S\273\0^\32\17\301C\342\303\373\0z\241\324\313\34l\21I\2'\366\370\6\260\263\342\4\0\306Ox\265\277\00\230\360I\35\330\31\365\13r\366Y\217\1\12[KV\360\363}q\2\0P\200\353\216\270*\310\355:\10\357\200-\371\302w\5R\13\\323@@\360xr\20\0\316p]N\364\240,3\0J\303\360\3"\5\363\\0\351\322\256\273\311\205:\377\22hJ\360\0\226\323`\362\261\210\177\330\0\373\320\307\351'\205\230_\354\247\3%W:\21\\314\230-\11\302\22\335\322\240\6\2612\320\7`{\321]pp", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \257\0\7GZRV\336U'.\3312 \13\250E\0\33\266\325S\273\0^\32\17\301C\342\303\373\0z\241\324\313\34l\21I\2'\366\370\6\260\263\342\4\0\306Ox\265\277\00\230\360I\35\330\31\365\13r\366Y\217\1\12[KV\360\363}q\2\0P\200\353\216\270*\310\355:\10\357\200-\371\302w\5R\13\\323@@\360xr\20\0\316p]N\364\240,3\0J\303\360\3 (308, 0, 0, 0, "\315~\370\1c\347r\351=^P\323\260\326\372\312\0\25Z\354\O\262\341y\0X\325\2508\351\223\224\34{\206\0;YS\367Ne\302\4\1y\361j\26\254a\6pU\247\352\239\230\37\0\214 \206\3%\351):vq\200\365efI}\321?s@\374\20\0\17\225y\363\320\201\342%\0Je^\364C\203\303\372\0Q\367\242\307\265\371un=\216\235\34R\210K\303\4\7\3541 \321c\300\357wa\37.\374\21\217\341\351\222\0\374x\356B\203\200\1\352\320Wvi\221\312\364h\3749\353\214\200S\267\341$^\336\12\14\274\22\35\255\2443\0L\11X\1\316\6\363\355K\321\303\37\325\340\245\3\342\3\7\365k\320\202X\340\335\203\347\0\323\322\1\262\251\351R\259k\304\277\205\371\7\343 \342\227\31P2\337\14\373\36\272VX\200\371-\313\375U\270\372\275\0\204Y\314\3P\15\325\22\0\273\336F@\312\345\377\3678\333\301\0\353\16+\350K\351#\0\25\322L\374\7'SH\0\30R\271[Y\364z\342\1\315\343l\311\313%\327\320\354|\260\364\352\7Y\235\341\11\262\320iE"\257\0\7GZRV\336U'.\3312 \13\250E\0\33\266\325S\273\0^\32\17\301C\342\303\373\0z\241\324\313\34l\21I\2'\366\370\6\260\263\342\4\0\306Ox\265\277\00\230\360I\35\330\31\365\13r\366Y\217\1\12[KV\360\363}q\2\0P\200\353\216\270*\310\355:\10\357\200-\371\302w\5R\13\\323@@\360xr\20\0\316p]N\364\240,3\0J\303\360\3"\5\363\\0\351\322\256\273\311\205:\377\22hJ\360\0\226\323`\362\261\210\177\330\0\373\320\307\351'\205\230_\354\247\3%W:\21\\314\230-\11\302\22\335\322\240\6\2612\320\7`{\321]pp", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01455   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\237\211\6TxB\261\1N\365Kj\14\351\271\370\330\34\1V'+\312`\222\331\360\22\241\34\371\376\343"\240\310\344\311\313\0zZ]\354SNP4\0\262\372\320h\310Y\351 \37$\261K@L\4\340\272\302\324\344d\0N\363\364\6\330\275\316\366\0\16$[-\200b\177\236>\202\314\377\17\310\312\14\364\240,\374"r\261\0\30\327\242S\360N\7\15\0\2263\321<\352\2570pZ\21\340\311\235\0a\4\350\240\230\231\3V\0Q\10\326\271\204I{\374{N\0\377\351\247\223Jd\344\360\5(K\346\256\11\0\236\337hy\275l\0a\274i\264]\366.!\0F\273\10,\2\206T\221\374\2279X\373\203\306>\235\16y\320\11\336\214=\12\272;\333\200\211\317\257oe!\373\267\217J\300&6\230\277\215\0\2\364\264o\261Ca\263\3>\212\225\210\372\324\220\335\267p\0\271\323\301\317r_\243\5\0\23)\361\274\203\264\2771\0\325g\312E\234\366\307_\0\204\177\2\207\177\372x\0\36421\300Q3\375H\7S\3\316\247F\3\13\352\300\351\168\0\277Q\177%\330\37\30\273\0g\23\315,ax\15\26\363\207\0v\360\354\260\350\267\1t}\14(\356E1\324\371\273\0Y\3i\327$\321\353\21\341\360\200\355\0\210C0\4\325\367\333\351\37\\261$\200\370R%\3\355l\0\26K\335\340\345\11w\365\1\240\306\213F\326\314B \30\353\0\7\331(@\205\312U\366\364P\0\335\225\221\263V/\370\231\0\3040\320\353\242\10\11\275\0\226D\23\360\271t\352)w\204\7\13\377\376\210P\202e\325aWC \303(\0\337\3I\261\34h\204S\0\13?\221\342\370\336\232\275\0\222 \365\272\210\263\335L\0[\206O\250\221\264\257\321\0\251=z`X\210>\325:ft\12\345", ) \240\310\344\311\313\0zZ]\354SNP4\0\262\372\320h\310Y\351 \37$\261K@L\4\340\272\302\324\344d\0N\363\364\6\330\275\316\366\0\16$[-\200b\177\236>\202\314\377\17\310\312\14\364\240,\374 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\237\211\6TxB\261\1N\365Kj\14\351\271\370\330\34\1V'+\312`\222\331\360\22\241\34\371\376\343"\240\310\344\311\313\0zZ]\354SNP4\0\262\372\320h\310Y\351 \37$\261K@L\4\340\272\302\324\344d\0N\363\364\6\330\275\316\366\0\16$[-\200b\177\236>\202\314\377\17\310\312\14\364\240,\374"r\261\0\30\327\242S\360N\7\15\0\2263\321<\352\2570pZ\21\340\311\235\0a\4\350\240\230\231\3V\0Q\10\326\271\204I{\374{N\0\377\351\247\223Jd\344\360\5(K\346\256\11\0\236\337hy\275l\0a\274i\264]\366.!\0F\273\10,\2\206T\221\374\2279X\373\203\306>\235\16y\320\11\336\214=\12\272;\333\200\211\317\257oe!\373\267\217J\300&6\230\277\215\0\2\364\264o\261Ca\263\3>\212\225\210\372\324\220\335\267p\0\271\323\301\317r_\243\5\0\23)\361\274\203\264\2771\0\325g\312E\234\366\307_\0\204\177\2\207\177\372x\0\36421\300Q3\375H\7S\3\316\247F\3\13\352\300\351\168\0\277Q\177%\330\37\30\273\0g\23\315,ax\15\26\363\207\0v\360\354\260\350\267\1t}\14(\356E1\324\371\273\0Y\3i\327$\321\353\21\341\360\200\355\0\210C0\4\325\367\333\351\37\\261$\200\370R%\3\355l\0\26K\335\340\345\11w\365\1\240\306\213F\326\314B \30\353\0\7\331(@\205\312U\366\364P\0\335\225\221\263V/\370\231\0\3040\320\353\242\10\11\275\0\226D\23\360\271t\352)w\204\7\13\377\376\210P\202e\325aWC \303(\0\337\3I\261\34h\204S\0\13?\221\342\370\336\232\275\0\222 \365\272\210\263\335L\0[\206O\250\221\264\257\321\0\251=z`X\210>\325:ft\12\345", ) , ) == 0x0
 01456   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\237\211\6TxB\261\1N\365Kj\14\351\271\370\330\34\1V'+\312`\222\331\360\22\241\34\371\376\343"\240\310\344\311\313\0zZ]\354SNP4\0\262\372\320h\310Y\351 \37$\261K@L\4\340\272\302\324\344d\0N\363\364\6\330\275\316\366\0\16$[-\200b\177\236>\202\314\377\17\310\312\14\364\240,\374"r\261\0\30\327\242S\360N\7\15\0\2263\321<\352\2570pZ\21\340\311\235\0a\4\350\240\230\231\3V\0Q\10\326\271\204I{\374{N\0\377\351\247\223Jd\344\360\5(K\346\256\11\0\236\337hy\275l\0a\274i\264]\366.!\0F\273\10,\2\206T\221\374\2279X\373\203\306>\235\16y\320\11\336\214=\12\272;\333\200\211\317\257oe!\373\267\217J\300&6\230\277\215\0\2\364\264o\261Ca\263\3>\212\225\210\372\324\220\335\267p\0\271\323\301\317r_\243\5\0\23)\361\274\203\264\2771\0\325g\312E\234\366\307_\0\204\177\2\207\177\372x\0\36421\300Q3\375H\7S\3\316\247F\3\13\352\300\351\168\0\277Q\177%\330\37\30\273\0g\23\315,ax\15\26\363\207\0v\360\354\260\350\267\1t}\14(\356E1\324\371\273\0Y\3i\327$\321\353\21\341\360\200\355\0\210C0\4\325\367\333\351\37\\261$\200\370R%\3\355l\0\26K\335\340\345\11w\365\1\240\306\213F\326\314B \30\353\0\7\331(@\205\312U\366\364P\0\335\225\221\263V/\370\231\0\3040\320\353\242\10\11\275\0\226D\23\360\271t\352)w\204\7\13\377\376\210P\202e\325aWC \303(\0\337\3I\261\34h\204S\0\13?\221\342\370\336\232\275\0\222 \365\272\210\263\335L\0[\206O\250\221\264\257\321\0\251=z`X\210>\325:ft\12\345", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \240\310\344\311\313\0zZ]\354SNP4\0\262\372\320h\310Y\351 \37$\261K@L\4\340\272\302\324\344d\0N\363\364\6\330\275\316\366\0\16$[-\200b\177\236>\202\314\377\17\310\312\14\364\240,\374 (308, 0, 0, 0, "\237\211\6TxB\261\1N\365Kj\14\351\271\370\330\34\1V'+\312`\222\331\360\22\241\34\371\376\343"\240\310\344\311\313\0zZ]\354SNP4\0\262\372\320h\310Y\351 \37$\261K@L\4\340\272\302\324\344d\0N\363\364\6\330\275\316\366\0\16$[-\200b\177\236>\202\314\377\17\310\312\14\364\240,\374"r\261\0\30\327\242S\360N\7\15\0\2263\321<\352\2570pZ\21\340\311\235\0a\4\350\240\230\231\3V\0Q\10\326\271\204I{\374{N\0\377\351\247\223Jd\344\360\5(K\346\256\11\0\236\337hy\275l\0a\274i\264]\366.!\0F\273\10,\2\206T\221\374\2279X\373\203\306>\235\16y\320\11\336\214=\12\272;\333\200\211\317\257oe!\373\267\217J\300&6\230\277\215\0\2\364\264o\261Ca\263\3>\212\225\210\372\324\220\335\267p\0\271\323\301\317r_\243\5\0\23)\361\274\203\264\2771\0\325g\312E\234\366\307_\0\204\177\2\207\177\372x\0\36421\300Q3\375H\7S\3\316\247F\3\13\352\300\351\168\0\277Q\177%\330\37\30\273\0g\23\315,ax\15\26\363\207\0v\360\354\260\350\267\1t}\14(\356E1\324\371\273\0Y\3i\327$\321\353\21\341\360\200\355\0\210C0\4\325\367\333\351\37\\261$\200\370R%\3\355l\0\26K\335\340\345\11w\365\1\240\306\213F\326\314B \30\353\0\7\331(@\205\312U\366\364P\0\335\225\221\263V/\370\231\0\3040\320\353\242\10\11\275\0\226D\23\360\271t\352)w\204\7\13\377\376\210P\202e\325aWC \303(\0\337\3I\261\34h\204S\0\13?\221\342\370\336\232\275\0\222 \365\272\210\263\335L\0[\206O\250\221\264\257\321\0\251=z`X\210>\325:ft\12\345", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01457   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "k\304R\0h\272\252K\311\371H\203vW\0\201" \251Yb\224\300\0+\356\325\330\376/\315P\0\354ZX\310\233\10\305\373\1\365\36\1E\351M"\246x\327\41\363U6\330\250\241\0\231\322\160\357Pk\177\373q\31\0\360N\1y\300E\335o\16\204)1\333N\322\340\343\21_O\270}\351\7 \1\364\260\262\300lB\241\2722\221\356\326\207`\316\202\301\0\25+\2\204{R\203\6\0mS>\221\365\226\371Z\17\357\235\315n\307\373X\260\372\265\334;\240\210\14\261\7\247R\24\351C\360\230Z\3734\7\270\11\207Y\375@\326]\224,\2\317z\266\260@\212cr\340\211p[\0\376\254\201\34\347\351\213\321?\375\221\0\210\324X)\3\352P\0\203\342iS\322\316]\331\7\356\257\212>j $\271\241\36\23\262dP\1\377F\3\201\311\354g\34\0\15\341/`^A\304c\3\12\226\26\250\245\327\310\334\3130wd\4J\366\253a[\200\200~\202\221\3\36\7\237\210'{\230\232\216\31<\334\370\201\37=\13\11\362"\200v\306L\317\220\236 \7^\;\210\303\321\3200\275\320\256Y\0v\245[\306\234\262Q\25H\350\260\5", )  \251Yb\224\300\0+\356\325\330\376/\315P\0\354ZX\310\233\10\305\373\1\365\36\1E\351M5\0\304h\210\343\303\15\363\26\0\22\353d\244\277yzr\0\367j9\+\6\257\32\3\215;O\2V\356\210\317\312\37\0\300\347%\204\273+\252\301\0Oj\2318C\177J\306\0\360g\332\227V\261\300\13\230\204\0U\355\245\366\335\272\331}\1\324\303x\326\265\260$ \12\254\0\217`\13L\331\266\304\351\0J\335\5Y\3\353\366z:Z\250\200He\2\341Q\351\325\0_\207\237\267\273p7T\372\31\0\211-W\30%r\241\372\0\7G\276\6\120\2!s\360\366Y\3\@\321\350\275 \270\240n\27.h\254~\0)\316\34\351 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "k\304R\0h\272\252K\311\371H\203vW\0\201" \251Yb\224\300\0+\356\325\330\376/\315P\0\354ZX\310\233\10\305\373\1\365\36\1E\351M"\246x\327\41\363U6\330\250\241\0\231\322\160\357Pk\177\373q\31\0\360N\1y\300E\335o\16\204)1\333N\322\340\343\21_O\270}\351\7 \1\364\260\262\300lB\241\2722\221\356\326\207`\316\202\301\0\25+\2\204{R\203\6\0mS>\221\365\226\371Z\17\357\235\315n\307\373X\260\372\265\334;\240\210\14\261\7\247R\24\351C\360\230Z\3734\7\270\11\207Y\375@\326]\224,\2\317z\266\260@\212cr\340\211p[\0\376\254\201\34\347\351\213\321?\375\221\0\210\324X)\3\352P\0\203\342iS\322\316]\331\7\356\257\212>j $\271\241\36\23\262dP\1\377F\3\201\311\354g\34\0\15\341/`^A\304c\3\12\226\26\250\245\327\310\334\3130wd\4J\366\253a[\200\200~\202\221\3\36\7\237\210'{\230\232\216\31<\334\370\201\37=\13\11\362"\200v\306L\317\220\236 \7^\;\210\303\321\3200\275\320\256Y\0v\245[\306\234\262Q\25H\350\260\5", ) \200v\306L\317\220\236 \7^\;\210\303\321\3200\275\320\256Y\0v\245[\306\234\262Q\25H\350\260\5", ) == 0x0
 01458   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "k\304R\0h\272\252K\311\371H\203vW\0\201" \251Yb\224\300\0+\356\325\330\376/\315P\0\354ZX\310\233\10\305\373\1\365\36\1E\351M"\246x\327\41\363U6\330\250\241\0\231\322\160\357Pk\177\373q\31\0\360N\1y\300E\335o\16\204)1\333N\322\340\343\21_O\270}\351\7 \1\364\260\262\300lB\241\2722\221\356\326\207`\316\202\301\0\25+\2\204{R\203\6\0mS>\221\365\226\371Z\17\357\235\315n\307\373X\260\372\265\334;\240\210\14\261\7\247R\24\351C\360\230Z\3734\7\270\11\207Y\375@\326]\224,\2\317z\266\260@\212cr\340\211p[\0\376\254\201\34\347\351\213\321?\375\221\0\210\324X)\3\352P\0\203\342iS\322\316]\331\7\356\257\212>j $\271\241\36\23\262dP\1\377F\3\201\311\354g\34\0\15\341/`^A\304c\3\12\226\26\250\245\327\310\334\3130wd\4J\366\253a[\200\200~\202\221\3\36\7\237\210'{\230\232\216\31<\334\370\201\37=\13\11\362"\200v\306L\317\220\236 \7^\;\210\303\321\3200\275\320\256Y\0v\245[\306\234\262Q\25H\350\260\5", 61440, 0x0, 0, ... {status=0x0, info=61440}, )  \251Yb\224\300\0+\356\325\330\376/\315P\0\354ZX\310\233\10\305\373\1\365\36\1E\351M5\0\304h\210\343\303\15\363\26\0\22\353d\244\277yzr\0\367j9\+\6\257\32\3\215;O\2V\356\210\317\312\37\0\300\347%\204\273+\252\301\0Oj\2318C\177J\306\0\360g\332\227V\261\300\13\230\204\0U\355\245\366\335\272\331}\1\324\303x\326\265\260$ \12\254\0\217`\13L\331\266\304\351\0J\335\5Y\3\353\366z:Z\250\200He\2\341Q\351\325\0_\207\237\267\273p7T\372\31\0\211-W\30%r\241\372\0\7G\276\6\120\2!s\360\366Y\3\@\321\350\275 \270\240n\27.h\254~\0)\316\34\351 (308, 0, 0, 0, "k\304R\0h\272\252K\311\371H\203vW\0\201" \251Yb\224\300\0+\356\325\330\376/\315P\0\354ZX\310\233\10\305\373\1\365\36\1E\351M"\246x\327\41\363U6\330\250\241\0\231\322\160\357Pk\177\373q\31\0\360N\1y\300E\335o\16\204)1\333N\322\340\343\21_O\270}\351\7 \1\364\260\262\300lB\241\2722\221\356\326\207`\316\202\301\0\25+\2\204{R\203\6\0mS>\221\365\226\371Z\17\357\235\315n\307\373X\260\372\265\334;\240\210\14\261\7\247R\24\351C\360\230Z\3734\7\270\11\207Y\375@\326]\224,\2\317z\266\260@\212cr\340\211p[\0\376\254\201\34\347\351\213\321?\375\221\0\210\324X)\3\352P\0\203\342iS\322\316]\331\7\356\257\212>j $\271\241\36\23\262dP\1\377F\3\201\311\354g\34\0\15\341/`^A\304c\3\12\226\26\250\245\327\310\334\3130wd\4J\366\253a[\200\200~\202\221\3\36\7\237\210'{\230\232\216\31<\334\370\201\37=\13\11\362"\200v\306L\317\220\236 \7^\;\210\303\321\3200\275\320\256Y\0v\245[\306\234\262Q\25H\350\260\5", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \200v\306L\317\220\236 \7^\;\210\303\321\3200\275\320\256Y\0v\245[\306\234\262Q\25H\350\260\5", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01459   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\364l`\11\201\313c\31\0\220S\307}\37B\3411\0\22Y\26\33\277\3nh<\276"\0A\332\257\377!\3633\3\335+\270u\242\344\360\265\320\240\1\275\321\22\4\351Gz0E\273\35\3537-B\11\5P\304\300\15\375_\7l\7L\262\226\260g\335'\365\7\374}\224\360\336\362e\304\300\276(\350\235x\374\0\202O\16"\330-\314\0m\333\263_t#g\265\0\264\257\210(!/\303\10\370Iy\213\0\306}\260{=<\202\207\2\225\15\356\262\255\361@\240*\311\0\277\374\364A\351Y+!?\2(\200\17\331\2131B2\347\22[@C\3 \1Q\266\7\350,\2\370\226 \306\245\213j\0\201\10\316\327?\264V\372\16\30\351\217M\303\275\271U\347\360>\240\1\200{\350\0\220\265\226=\210\311<\23=X\160QX\261\200@\23K"\346\374\323\0D\270-1T\273=\0\211\3453\31\326~\221_\220\326\7\262i\224z^\201&\347\313\324\177=\0\200\3033+[\272\236\237\0\317\32X\330\376h]N\0o\243\336/\326\340;(\0\301\221\302\367\15\251\363\\14\376\0?\30^\16(\325\220\\273\251\0\331H\277\225T\375\34\362f\346\360\7\324S\241\230\337 \372\7\2540\16\343\272\211'`\317P\252\261\6\1l69\224\334\302B\354\202\311\1\210\323\203\341fZ\1\370\3050\0\331\351\24\255?^\321\371\0\337\367d\322\276\246\257B\352\26\0\224\312\262\340N\1\3\315\34\272Q\10\02\311\3514\7\363\0n\276\233\303\32\264'\262\0\365h\312\334>\361\342\21,\324\215\330\0\307\12;\256qN\3\312Vz\274M\207\350(<*\0^\227\2\303\367\333\206\203>\331\334\200\234\36\263\35\351S\264\0g\326\260P\360\203^\373\23\255<7\377\7V\344\13\0\1\336\12", ) \0A\332\257\377!\3633\3\335+\270u\242\344\360\265\320\240\1\275\321\22\4\351Gz0E\273\35\3537-B\11\5P\304\300\15\375_\7l\7L\262\226\260g\335'\365\7\374}\224\360\336\362e\304\300\276(\350\235x\374\0\202O\16 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\364l`\11\201\313c\31\0\220S\307}\37B\3411\0\22Y\26\33\277\3nh<\276"\0A\332\257\377!\3633\3\335+\270u\242\344\360\265\320\240\1\275\321\22\4\351Gz0E\273\35\3537-B\11\5P\304\300\15\375_\7l\7L\262\226\260g\335'\365\7\374}\224\360\336\362e\304\300\276(\350\235x\374\0\202O\16"\330-\314\0m\333\263_t#g\265\0\264\257\210(!/\303\10\370Iy\213\0\306}\260{=<\202\207\2\225\15\356\262\255\361@\240*\311\0\277\374\364A\351Y+!?\2(\200\17\331\2131B2\347\22[@C\3 \1Q\266\7\350,\2\370\226 \306\245\213j\0\201\10\316\327?\264V\372\16\30\351\217M\303\275\271U\347\360>\240\1\200{\350\0\220\265\226=\210\311<\23=X\160QX\261\200@\23K"\346\374\323\0D\270-1T\273=\0\211\3453\31\326~\221_\220\326\7\262i\224z^\201&\347\313\324\177=\0\200\3033+[\272\236\237\0\317\32X\330\376h]N\0o\243\336/\326\340;(\0\301\221\302\367\15\251\363\\14\376\0?\30^\16(\325\220\\273\251\0\331H\277\225T\375\34\362f\346\360\7\324S\241\230\337 \372\7\2540\16\343\272\211'`\317P\252\261\6\1l69\224\334\302B\354\202\311\1\210\323\203\341fZ\1\370\3050\0\331\351\24\255?^\321\371\0\337\367d\322\276\246\257B\352\26\0\224\312\262\340N\1\3\315\34\272Q\10\02\311\3514\7\363\0n\276\233\303\32\264'\262\0\365h\312\334>\361\342\21,\324\215\330\0\307\12;\256qN\3\312Vz\274M\207\350(<*\0^\227\2\303\367\333\206\203>\331\334\200\234\36\263\35\351S\264\0g\326\260P\360\203^\373\23\255<7\377\7V\344\13\0\1\336\12", ) \346\374\323\0D\270-1T\273=\0\211\3453\31\326~\221_\220\326\7\262i\224z^\201&\347\313\324\177=\0\200\3033+[\272\236\237\0\317\32X\330\376h]N\0o\243\336/\326\340;(\0\301\221\302\367\15\251\363\\14\376\0?\30^\16(\325\220\\273\251\0\331H\277\225T\375\34\362f\346\360\7\324S\241\230\337 \372\7\2540\16\343\272\211'`\317P\252\261\6\1l69\224\334\302B\354\202\311\1\210\323\203\341fZ\1\370\3050\0\331\351\24\255?^\321\371\0\337\367d\322\276\246\257B\352\26\0\224\312\262\340N\1\3\315\34\272Q\10\02\311\3514\7\363\0n\276\233\303\32\264'\262\0\365h\312\334>\361\342\21,\324\215\330\0\307\12;\256qN\3\312Vz\274M\207\350(<*\0^\227\2\303\367\333\206\203>\331\334\200\234\36\263\35\351S\264\0g\326\260P\360\203^\373\23\255<7\377\7V\344\13\0\1\336\12", ) == 0x0
 01460   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\364l`\11\201\313c\31\0\220S\307}\37B\3411\0\22Y\26\33\277\3nh<\276"\0A\332\257\377!\3633\3\335+\270u\242\344\360\265\320\240\1\275\321\22\4\351Gz0E\273\35\3537-B\11\5P\304\300\15\375_\7l\7L\262\226\260g\335'\365\7\374}\224\360\336\362e\304\300\276(\350\235x\374\0\202O\16"\330-\314\0m\333\263_t#g\265\0\264\257\210(!/\303\10\370Iy\213\0\306}\260{=<\202\207\2\225\15\356\262\255\361@\240*\311\0\277\374\364A\351Y+!?\2(\200\17\331\2131B2\347\22[@C\3 \1Q\266\7\350,\2\370\226 \306\245\213j\0\201\10\316\327?\264V\372\16\30\351\217M\303\275\271U\347\360>\240\1\200{\350\0\220\265\226=\210\311<\23=X\160QX\261\200@\23K"\346\374\323\0D\270-1T\273=\0\211\3453\31\326~\221_\220\326\7\262i\224z^\201&\347\313\324\177=\0\200\3033+[\272\236\237\0\317\32X\330\376h]N\0o\243\336/\326\340;(\0\301\221\302\367\15\251\363\\14\376\0?\30^\16(\325\220\\273\251\0\331H\277\225T\375\34\362f\346\360\7\324S\241\230\337 \372\7\2540\16\343\272\211'`\317P\252\261\6\1l69\224\334\302B\354\202\311\1\210\323\203\341fZ\1\370\3050\0\331\351\24\255?^\321\371\0\337\367d\322\276\246\257B\352\26\0\224\312\262\340N\1\3\315\34\272Q\10\02\311\3514\7\363\0n\276\233\303\32\264'\262\0\365h\312\334>\361\342\21,\324\215\330\0\307\12;\256qN\3\312Vz\274M\207\350(<*\0^\227\2\303\367\333\206\203>\331\334\200\234\36\263\35\351S\264\0g\326\260P\360\203^\373\23\255<7\377\7V\344\13\0\1\336\12", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \0A\332\257\377!\3633\3\335+\270u\242\344\360\265\320\240\1\275\321\22\4\351Gz0E\273\35\3537-B\11\5P\304\300\15\375_\7l\7L\262\226\260g\335'\365\7\374}\224\360\336\362e\304\300\276(\350\235x\374\0\202O\16 (308, 0, 0, 0, "\364l`\11\201\313c\31\0\220S\307}\37B\3411\0\22Y\26\33\277\3nh<\276"\0A\332\257\377!\3633\3\335+\270u\242\344\360\265\320\240\1\275\321\22\4\351Gz0E\273\35\3537-B\11\5P\304\300\15\375_\7l\7L\262\226\260g\335'\365\7\374}\224\360\336\362e\304\300\276(\350\235x\374\0\202O\16"\330-\314\0m\333\263_t#g\265\0\264\257\210(!/\303\10\370Iy\213\0\306}\260{=<\202\207\2\225\15\356\262\255\361@\240*\311\0\277\374\364A\351Y+!?\2(\200\17\331\2131B2\347\22[@C\3 \1Q\266\7\350,\2\370\226 \306\245\213j\0\201\10\316\327?\264V\372\16\30\351\217M\303\275\271U\347\360>\240\1\200{\350\0\220\265\226=\210\311<\23=X\160QX\261\200@\23K"\346\374\323\0D\270-1T\273=\0\211\3453\31\326~\221_\220\326\7\262i\224z^\201&\347\313\324\177=\0\200\3033+[\272\236\237\0\317\32X\330\376h]N\0o\243\336/\326\340;(\0\301\221\302\367\15\251\363\\14\376\0?\30^\16(\325\220\\273\251\0\331H\277\225T\375\34\362f\346\360\7\324S\241\230\337 \372\7\2540\16\343\272\211'`\317P\252\261\6\1l69\224\334\302B\354\202\311\1\210\323\203\341fZ\1\370\3050\0\331\351\24\255?^\321\371\0\337\367d\322\276\246\257B\352\26\0\224\312\262\340N\1\3\315\34\272Q\10\02\311\3514\7\363\0n\276\233\303\32\264'\262\0\365h\312\334>\361\342\21,\324\215\330\0\307\12;\256qN\3\312Vz\274M\207\350(<*\0^\227\2\303\367\333\206\203>\331\334\200\234\36\263\35\351S\264\0g\326\260P\360\203^\373\23\255<7\377\7V\344\13\0\1\336\12", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \346\374\323\0D\270-1T\273=\0\211\3453\31\326~\221_\220\326\7\262i\224z^\201&\347\313\324\177=\0\200\3033+[\272\236\237\0\317\32X\330\376h]N\0o\243\336/\326\340;(\0\301\221\302\367\15\251\363\\14\376\0?\30^\16(\325\220\\273\251\0\331H\277\225T\375\34\362f\346\360\7\324S\241\230\337 \372\7\2540\16\343\272\211'`\317P\252\261\6\1l69\224\334\302B\354\202\311\1\210\323\203\341fZ\1\370\3050\0\331\351\24\255?^\321\371\0\337\367d\322\276\246\257B\352\26\0\224\312\262\340N\1\3\315\34\272Q\10\02\311\3514\7\363\0n\276\233\303\32\264'\262\0\365h\312\334>\361\342\21,\324\215\330\0\307\12;\256qN\3\312Vz\274M\207\350(<*\0^\227\2\303\367\333\206\203>\331\334\200\234\36\263\35\351S\264\0g\326\260P\360\203^\373\23\255<7\377\7V\344\13\0\1\336\12", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01461   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\330\3\267\0X\305=\353\231T\354\2\374\318'*\200\356\220? \360W\22\0Z0\355\330\16\370\265\366HF+\0\33-\200\3421\301_\00\332S\11\266\274\273\12\0\2334\334\277\23*\30\250\0\340\275>\251\264S\177\331\7\160\26\360\13N_\202\233X\11\5\300\206\351g\0\366\246\361\10\303\232\362\33:i\32\02w\3055\226Z\342\1\360\207\261o\5\310\252\375\223`\342\243\7\367\301\200\311k9\200\6&\267\202\300\0dwH\337\253\230P\254\220\371|\11\340\2X\201\360e\374\1\363\376`\245\264\213\12\5-1\242\274\0\25\212\20XT\302\270\337=\221\352\0\310\317\204\350'\210\375\0W\306\342\12\267<\272\346\0\303\246\5 \323\20\312\15Ls\342\16\352\332r\340\302?gBa\1\303\272\376-[9\203`h\7\2\366_\20\370\340\13c\254\251 \270p\200n,0wq\2ZP\260\275@\4_\371\16\322\36U\241a\351Xd\356\374\225%\1\213\12\334\10\4Z+\354\353\227\16NvS^\200\320\256\210u\351\364z\0\23\33\365Z)\377%#\0\326V\2R\11\360\272F\376\23\2\372(\334\273\310\316\200\341\314\351J"\364a\34P\275\366\204\245\250\32\353\3n\371\337\25\250\205\364\217\0\326\341\36+\245\206\212$\0\315\362\344\213hY\340\20\240\337X\325\177q\0p\36\245\3101\265\225\313\0![Z\377$\270\30\27\0\205\316\2\320\277\343\203v\0\304\224\225t\11\353\10\0\356\244O\7\23\361\2629\356G\17\316\351\242\306 \332\267\233\203\362\17\323\375\2z\240\235\334\15\5\270\0t\250\210\376\37\220 \14r\256\11p,<\11\0\276\350\305\336\13\0\315\22\244\257\310\212U\32\7\351\17!P\20\200\220i\200)\0G\22\10XV\24\\263\0\11\346 \305\213\337", ) \364a\34P\275\366\204\245\250\32\353\3n\371\337\25\250\205\364\217\0\326\341\36+\245\206\212$\0\315\362\344\213hY\340\20\240\337X\325\177q\0p\36\245\3101\265\225\313\0![Z\377$\270\30\27\0\205\316\2\320\277\343\203v\0\304\224\225t\11\353\10\0\356\244O\7\23\361\2629\356G\17\316\351\242\306 \332\267\233\203\362\17\323\375\2z\240\235\334\15\5\270\0t\250\210\376\37\220 \14r\256\11p,<\11\0\276\350\305\336\13\0\315\22\244\257\310\212U\32\7\351\17!P\20\200\220i\200)\0G\22\10XV\24\\263\0\11\346 \305\213\337", ) == 0x0
 01462   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\330\3\267\0X\305=\353\231T\354\2\374\318'*\200\356\220? \360W\22\0Z0\355\330\16\370\265\366HF+\0\33-\200\3421\301_\00\332S\11\266\274\273\12\0\2334\334\277\23*\30\250\0\340\275>\251\264S\177\331\7\160\26\360\13N_\202\233X\11\5\300\206\351g\0\366\246\361\10\303\232\362\33:i\32\02w\3055\226Z\342\1\360\207\261o\5\310\252\375\223`\342\243\7\367\301\200\311k9\200\6&\267\202\300\0dwH\337\253\230P\254\220\371|\11\340\2X\201\360e\374\1\363\376`\245\264\213\12\5-1\242\274\0\25\212\20XT\302\270\337=\221\352\0\310\317\204\350'\210\375\0W\306\342\12\267<\272\346\0\303\246\5 \323\20\312\15Ls\342\16\352\332r\340\302?gBa\1\303\272\376-[9\203`h\7\2\366_\20\370\340\13c\254\251 \270p\200n,0wq\2ZP\260\275@\4_\371\16\322\36U\241a\351Xd\356\374\225%\1\213\12\334\10\4Z+\354\353\227\16NvS^\200\320\256\210u\351\364z\0\23\33\365Z)\377%#\0\326V\2R\11\360\272F\376\23\2\372(\334\273\310\316\200\341\314\351J"\364a\34P\275\366\204\245\250\32\353\3n\371\337\25\250\205\364\217\0\326\341\36+\245\206\212$\0\315\362\344\213hY\340\20\240\337X\325\177q\0p\36\245\3101\265\225\313\0![Z\377$\270\30\27\0\205\316\2\320\277\343\203v\0\304\224\225t\11\353\10\0\356\244O\7\23\361\2629\356G\17\316\351\242\306 \332\267\233\203\362\17\323\375\2z\240\235\334\15\5\270\0t\250\210\376\37\220 \14r\256\11p,<\11\0\276\350\305\336\13\0\315\22\244\257\310\212U\32\7\351\17!P\20\200\220i\200)\0G\22\10XV\24\\263\0\11\346 \305\213\337", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \364a\34P\275\366\204\245\250\32\353\3n\371\337\25\250\205\364\217\0\326\341\36+\245\206\212$\0\315\362\344\213hY\340\20\240\337X\325\177q\0p\36\245\3101\265\225\313\0![Z\377$\270\30\27\0\205\316\2\320\277\343\203v\0\304\224\225t\11\353\10\0\356\244O\7\23\361\2629\356G\17\316\351\242\306 \332\267\233\203\362\17\323\375\2z\240\235\334\15\5\270\0t\250\210\376\37\220 \14r\256\11p,<\11\0\276\350\305\336\13\0\315\22\244\257\310\212U\32\7\351\17!P\20\200\220i\200)\0G\22\10XV\24\\263\0\11\346 \305\213\337", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01463   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\247\212\224\334\372\15\255\257\21hA\315IZ\220\14\253\310\247d\2632\257\31\243\14\237\212\204\12\233\230\34\321\244\7\20I\35\232P\6\11`,\325\304$j@\312$\273\31Z[\360\274%\1\230\205\213\3010\350\24\337FDJ>2\201\200\237-H\345b\357\210\0O\274\3G\222\267~\201\1\343v\261An_P#!\0tk7\220\270\273J9\317\234\0^\323Y\225\32Z\201*\307\240\247\260\210D\31\351\240B\237|sk\0x9(\202\310\243-D\0\253\14\303\335H5\356\210h\333?\200\354UO^\2304\362\34\374dl\237\213CV`\351\16\0\37K^7\15\344\11\1\1\341PZ?\264\246\26s\301\0\337=\16\360\317b\1\177\204\237\0\203aX\201\361\1WD\277\177Q\263F\201\24\351\301\37\24  \2349\30`n!\30\231E9\273\31\1\375\343\235\\211\17: \326\222Df\11\237M\325_A\356w\316\340\305\357\2\226\325@\376%N\307:\245\177\096\324\22\347XO\342\200\11\3233\203\356am)J\260\0g\3@\27[\326\221\0\330N\342\252\306"\305\0\354\235\202\257\22"\215\377\0\205\373\362\224\374\237\337\214\17\17\222u\344`\10>\15!p\0\352$\330\22,\374\2216\34rH\331\200\354\212f>0\243\0/p\3214\2543\320!\0\273jF\231:\240\362\2628a7\261\11P\275\210\350V\254\364\266", ) \305\0\354\235\202\257\22 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\247\212\224\334\372\15\255\257\21hA\315IZ\220\14\253\310\247d\2632\257\31\243\14\237\212\204\12\233\230\34\321\244\7\20I\35\232P\6\11`,\325\304$j@\312$\273\31Z[\360\274%\1\230\205\213\3010\350\24\337FDJ>2\201\200\237-H\345b\357\210\0O\274\3G\222\267~\201\1\343v\261An_P#!\0tk7\220\270\273J9\317\234\0^\323Y\225\32Z\201*\307\240\247\260\210D\31\351\240B\237|sk\0x9(\202\310\243-D\0\253\14\303\335H5\356\210h\333?\200\354UO^\2304\362\34\374dl\237\213CV`\351\16\0\37K^7\15\344\11\1\1\341PZ?\264\246\26s\301\0\337=\16\360\317b\1\177\204\237\0\203aX\201\361\1WD\277\177Q\263F\201\24\351\301\37\24  \2349\30`n!\30\231E9\273\31\1\375\343\235\\211\17: \326\222Df\11\237M\325_A\356w\316\340\305\357\2\226\325@\376%N\307:\245\177\096\324\22\347XO\342\200\11\3233\203\356am)J\260\0g\3@\27[\326\221\0\330N\342\252\306"\305\0\354\235\202\257\22"\215\377\0\205\373\362\224\374\237\337\214\17\17\222u\344`\10>\15!p\0\352$\330\22,\374\2216\34rH\331\200\354\212f>0\243\0/p\3214\2543\320!\0\273jF\231:\240\362\2628a7\261\11P\275\210\350V\254\364\266", ) , ) == 0x0
 01464   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\247\212\224\334\372\15\255\257\21hA\315IZ\220\14\253\310\247d\2632\257\31\243\14\237\212\204\12\233\230\34\321\244\7\20I\35\232P\6\11`,\325\304$j@\312$\273\31Z[\360\274%\1\230\205\213\3010\350\24\337FDJ>2\201\200\237-H\345b\357\210\0O\274\3G\222\267~\201\1\343v\261An_P#!\0tk7\220\270\273J9\317\234\0^\323Y\225\32Z\201*\307\240\247\260\210D\31\351\240B\237|sk\0x9(\202\310\243-D\0\253\14\303\335H5\356\210h\333?\200\354UO^\2304\362\34\374dl\237\213CV`\351\16\0\37K^7\15\344\11\1\1\341PZ?\264\246\26s\301\0\337=\16\360\317b\1\177\204\237\0\203aX\201\361\1WD\277\177Q\263F\201\24\351\301\37\24  \2349\30`n!\30\231E9\273\31\1\375\343\235\\211\17: \326\222Df\11\237M\325_A\356w\316\340\305\357\2\226\325@\376%N\307:\245\177\096\324\22\347XO\342\200\11\3233\203\356am)J\260\0g\3@\27[\326\221\0\330N\342\252\306"\305\0\354\235\202\257\22"\215\377\0\205\373\362\224\374\237\337\214\17\17\222u\344`\10>\15!p\0\352$\330\22,\374\2216\34rH\331\200\354\212f>0\243\0/p\3214\2543\320!\0\273jF\231:\240\362\2628a7\261\11P\275\210\350V\254\364\266", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \305\0\354\235\202\257\22 (308, 0, 0, 0, "\247\212\224\334\372\15\255\257\21hA\315IZ\220\14\253\310\247d\2632\257\31\243\14\237\212\204\12\233\230\34\321\244\7\20I\35\232P\6\11`,\325\304$j@\312$\273\31Z[\360\274%\1\230\205\213\3010\350\24\337FDJ>2\201\200\237-H\345b\357\210\0O\274\3G\222\267~\201\1\343v\261An_P#!\0tk7\220\270\273J9\317\234\0^\323Y\225\32Z\201*\307\240\247\260\210D\31\351\240B\237|sk\0x9(\202\310\243-D\0\253\14\303\335H5\356\210h\333?\200\354UO^\2304\362\34\374dl\237\213CV`\351\16\0\37K^7\15\344\11\1\1\341PZ?\264\246\26s\301\0\337=\16\360\317b\1\177\204\237\0\203aX\201\361\1WD\277\177Q\263F\201\24\351\301\37\24  \2349\30`n!\30\231E9\273\31\1\375\343\235\\211\17: \326\222Df\11\237M\325_A\356w\316\340\305\357\2\226\325@\376%N\307:\245\177\096\324\22\347XO\342\200\11\3233\203\356am)J\260\0g\3@\27[\326\221\0\330N\342\252\306"\305\0\354\235\202\257\22"\215\377\0\205\373\362\224\374\237\337\214\17\17\222u\344`\10>\15!p\0\352$\330\22,\374\2216\34rH\331\200\354\212f>0\243\0/p\3214\2543\320!\0\273jF\231:\240\362\2628a7\261\11P\275\210\350V\254\364\266", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01465   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\2\351\246]\326\324vF\30\2\367)7\356\203`\337\232[\12\316\\307\205>7\267\11\7\353]\262\353\2F]\0-~m\312\237\201\351\23\0\344\307\353N\355Kr\277>j\256\200\356~\365\37\13^\351iM\2637\356\201\343H\313\351\13\20q\33S\7\2679\335\266\247\362\37.\301z\371\315\214rnY\26D\256\307C\205@\20\215I}\215u\246\344\3\201\357\337E\342\35\260#\377\376\345\317\343\347\310GA\17\34f\214\333\375\16\366\373\242e\303\4\15\332^\355.\357k\215|8\350Q\204\370\335\17\267\222\270%*\307\10\365/?\254\200\370\302\362\220a7Z{\3\265x\2757\277\265\351\310pr\0[\243\226!\244\312\240\252\0\201N\253\276:J\250\217$\365U2\10.\4:\267\11=\240\330\266t7qS\34\257z\260&\315tF\35\0\343\3\34p[)\263\22\346\362\373\4\2231\13\2\1\215=K\371\372p\267\246\205\257n\265\302+E\200\336\324\336\5R<\344q\3\306U\30\246\\20n%\11\12\17\266\330\275\11\366\272\22\26\315\1\340\216\350K/\376\326\5\12t\17\25#\302\311(\3\213\303\20\366\35'\11\301\350\4u\373\217Z@\214N\265$\247\l\10\241\26>\24\367\342\240\350\30\214\4\376R\341C\363\214!\207\07\14/L.|h\306\0^\4\13B\262\267\236\342\12I8X+\243\222\377\10\17\7\235\206\214\363l\226\333\305\200\34$\302O}\304Q"\205Q\224fo\202\275\301,[l\252}\200\243\261\21\201\260\302]\\360\326\4\366\347\21-Z\273\270\331\214Pd\361H^E\22\213\363\12 `\271\3\367\312a<\220\17\203\224\272\327L\350U\200\316\221\340\223\303\1\32\11\257\320kc_%3L0)%\265M%\202\303:\330#\34\37\352\300\204\263S", ) \205Q\224fo\202\275\301,[l\252}\200\243\261\21\201\260\302]\\360\326\4\366\347\21-Z\273\270\331\214Pd\361H^E\22\213\363\12 `\271\3\367\312a<\220\17\203\224\272\327L\350U\200\316\221\340\223\303\1\32\11\257\320kc_%3L0)%\265M%\202\303:\330#\34\37\352\300\204\263S", ) == 0x0
 01466   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\2\351\246]\326\324vF\30\2\367)7\356\203`\337\232[\12\316\\307\205>7\267\11\7\353]\262\353\2F]\0-~m\312\237\201\351\23\0\344\307\353N\355Kr\277>j\256\200\356~\365\37\13^\351iM\2637\356\201\343H\313\351\13\20q\33S\7\2679\335\266\247\362\37.\301z\371\315\214rnY\26D\256\307C\205@\20\215I}\215u\246\344\3\201\357\337E\342\35\260#\377\376\345\317\343\347\310GA\17\34f\214\333\375\16\366\373\242e\303\4\15\332^\355.\357k\215|8\350Q\204\370\335\17\267\222\270%*\307\10\365/?\254\200\370\302\362\220a7Z{\3\265x\2757\277\265\351\310pr\0[\243\226!\244\312\240\252\0\201N\253\276:J\250\217$\365U2\10.\4:\267\11=\240\330\266t7qS\34\257z\260&\315tF\35\0\343\3\34p[)\263\22\346\362\373\4\2231\13\2\1\215=K\371\372p\267\246\205\257n\265\302+E\200\336\324\336\5R<\344q\3\306U\30\246\\20n%\11\12\17\266\330\275\11\366\272\22\26\315\1\340\216\350K/\376\326\5\12t\17\25#\302\311(\3\213\303\20\366\35'\11\301\350\4u\373\217Z@\214N\265$\247\l\10\241\26>\24\367\342\240\350\30\214\4\376R\341C\363\214!\207\07\14/L.|h\306\0^\4\13B\262\267\236\342\12I8X+\243\222\377\10\17\7\235\206\214\363l\226\333\305\200\34$\302O}\304Q"\205Q\224fo\202\275\301,[l\252}\200\243\261\21\201\260\302]\\360\326\4\366\347\21-Z\273\270\331\214Pd\361H^E\22\213\363\12 `\271\3\367\312a<\220\17\203\224\272\327L\350U\200\316\221\340\223\303\1\32\11\257\320kc_%3L0)%\265M%\202\303:\330#\34\37\352\300\204\263S", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \205Q\224fo\202\275\301,[l\252}\200\243\261\21\201\260\302]\\360\326\4\366\347\21-Z\273\270\331\214Pd\361H^E\22\213\363\12 `\271\3\367\312a<\220\17\203\224\272\327L\350U\200\316\221\340\223\303\1\32\11\257\320kc_%3L0)%\265M%\202\303:\330#\34\37\352\300\204\263S", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01467   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "x\3 \264\301\351\250X8\244\243\315\237\20\341S\221\250f\210}h\204\24\312Q\217\24\30\341\200\205\353<\346;B$\16t`:\217\327\237HWh\331PI\340\16\306\320\240\204o9\262\34\244\373RLl\270\231\346\314(0H\360\252\200\4\244\3\215\364\28\263\223\3242@\344P\316\210\230\24\36\315$\240S\305T\4\260\244\0(B^,\206\354\260VH\215\244t\0\266\30\333\5\216\321\235J\7\206\346\252\3\207\207\304J,\17\27\4`\20\325\34418\220\200\251T\342\342I\214\310 \200\11\6\222\20\265\354\357\241\240|\320\34\330H\341\20\27x\6\344x\220`I:\254\231\301\354\353\302\316A\2545\212X\357\337\350:\340`\344\34\3\261\222\334\22\273P\320\14\240\347\200\266S\31\210P\270+\300\261\11\320~\265\14<\3506:\7\15\20\2\345\250!\0\272 m\230@A\3448x\321\317\362@\354\325\26<\273\374H\340\300\263T\227P\6L\16x\202\306{ I\244#\321<&\254|D\210\346\30}y\3378\314\331&\223B\204\31\237\30\333\342C\250d\30\20\336\227\254M\21\361\251%x\250\20\200\370C\220, ) , ) == 0x0
 01468   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "x\3 \264\301\351\250X8\244\243\315\237\20\341S\221\250f\210}h\204\24\312Q\217\24\30\341\200\205\353<\346;B$\16t`:\217\327\237HWh\331PI\340\16\306\320\240\204o9\262\34\244\373RLl\270\231\346\314(0H\360\252\200\4\244\3\215\364\28\263\223\3242@\344P\316\210\230\24\36\315$\240S\305T\4\260\244\0(B^,\206\354\260VH\215\244t\0\266\30\333\5\216\321\235J\7\206\346\252\3\207\207\304J,\17\27\4`\20\325\34418\220\200\251T\342\342I\214\310 \200\11\6\222\20\265\354\357\241\240|\320\34\330H\341\20\27x\6\344x\220`I:\254\231\301\354\353\302\316A\2545\212X\357\337\350:\340`\344\34\3\261\222\334\22\273P\320\14\240\347\200\266S\31\210P\270+\300\261\11\320~\265\14<\3506:\7\15\20\2\345\250!\0\272 m\230@A\3448x\321\317\362@\354\325\26<\273\374H\340\300\263T\227P\6L\16x\202\306{ I\244#\321<&\254|D\210\346\30}y\3378\314\331&\223B\204\31\237\30\333\342C\250d\30\20\336\227\254M\21\361\251%x\250\20\200\370C\220, 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01469   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, ">\346\277yc;b\231\376\0F\322\217\323#\206\264q\7\216\2601\241"\247\336P\3676\274b\260/\0D\:$A0s\322\0Od\360\3113k\303\302\11\310n\255\342\200\330\213El\236\0*\3238\334y\21\301XL0L\7\206\2579\30@\122,\321\35\255\213\363\200\3034\20c\325\242\230\320\250\3341\234\300\250\361>F;\25\0qj\316]3\323S0\17\27\301,\1o%@\233\231\211\343X\243\374\300B\303C\74a\323r\206`\255Zp1\1\341\220\345{\36\20~0\300q\0\316\367\221\322Dg\310\327\26VXcL\31\212\204P\11.\237d<\353p49\225\200\344`e0\311\0-\373\227WQ\25JX\0\2311\343A\36\33\2557t\224H\374\365|sE=H\277\0\221=AW\316\362b\36831\253\353\230psR\29\237/\322!\345a0H\354\374\246\270\25\340\1$\33\366P\36\263\5\200\211\237\200=\32$Q\11\304\312-l\0\30\216v\302\260\0(i\323\262BF\255\37\240\214\22\223H\326\354\1?Y\307\256\260\207\342@\14\237Q\366h,\346L\162{\17@\2001\215RC\345\262\270\3\223\204\374M\376\320\0p\340\3553)\34On\37,\17b9\30\326ys9\240\262$\341\17\255\276\212,\203\322\201\35\230'6\21*\303\362\270\0\270P0\360\344\257\334\331\0r\254\221M\3431\2119\17\322(37\340mw\361\37\341\0\3\267\227\2661\324<,\1\250#/\336q6\210\355j`\270r\372\15\0\242J\232\205S\7-\341\0\316\3341\246q +\257\37"j\365R}\20b\343\3594\301k\3667\305X \321\244\13\325\162\374"\324\327\3012\0\200\205\360E\3\7.\347xr\314EK\320\23\306\325\346", ) \247\336P\3676\274b\260/\0D\:$A0s\322\0Od\360\3113k\303\302\11\310n\255\342\200\330\213El\236\0*\3238\334y\21\301XL0L\7\206\2579\30@\122,\321\35\255\213\363\200\3034\20c\325\242\230\320\250\3341\234\300\250\361>F;\25\0qj\316]3\323S0\17\27\301,\1o%@\233\231\211\343X\243\374\300B\303C\74a\323r\206`\255Zp1\1\341\220\345{\36\20~0\300q\0\316\367\221\322Dg\310\327\26VXcL\31\212\204P\11.\237d<\353p49\225\200\344`e0\311\0-\373\227WQ\25JX\0\2311\343A\36\33\2557t\224H\374\365|sE=H\277\0\221=AW\316\362b\36831\253\353\230psR\29\237/\322!\345a0H\354\374\246\270\25\340\1$\33\366P\36\263\5\200\211\237\200=\32$Q\11\304\312-l\0\30\216v\302\260\0(i\323\262BF\255\37\240\214\22\223H\326\354\1?Y\307\256\260\207\342@\14\237Q\366h,\346L\162{\17@\2001\215RC\345\262\270\3\223\204\374M\376\320\0p\340\3553)\34On\37,\17b9\30\326ys9\240\262$\341\17\255\276\212,\203\322\201\35\230'6\21*\303\362\270\0\270P0\360\344\257\334\331\0r\254\221M\3431\2119\17\322(37\340mw\361\37\341\0\3\267\227\2661\324<,\1\250#/\336q6\210\355j`\270r\372\15\0\242J\232\205S\7-\341\0\316\3341\246q +\257\37 (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, ">\346\277yc;b\231\376\0F\322\217\323#\206\264q\7\216\2601\241"\247\336P\3676\274b\260/\0D\:$A0s\322\0Od\360\3113k\303\302\11\310n\255\342\200\330\213El\236\0*\3238\334y\21\301XL0L\7\206\2579\30@\122,\321\35\255\213\363\200\3034\20c\325\242\230\320\250\3341\234\300\250\361>F;\25\0qj\316]3\323S0\17\27\301,\1o%@\233\231\211\343X\243\374\300B\303C\74a\323r\206`\255Zp1\1\341\220\345{\36\20~0\300q\0\316\367\221\322Dg\310\327\26VXcL\31\212\204P\11.\237d<\353p49\225\200\344`e0\311\0-\373\227WQ\25JX\0\2311\343A\36\33\2557t\224H\374\365|sE=H\277\0\221=AW\316\362b\36831\253\353\230psR\29\237/\322!\345a0H\354\374\246\270\25\340\1$\33\366P\36\263\5\200\211\237\200=\32$Q\11\304\312-l\0\30\216v\302\260\0(i\323\262BF\255\37\240\214\22\223H\326\354\1?Y\307\256\260\207\342@\14\237Q\366h,\346L\162{\17@\2001\215RC\345\262\270\3\223\204\374M\376\320\0p\340\3553)\34On\37,\17b9\30\326ys9\240\262$\341\17\255\276\212,\203\322\201\35\230'6\21*\303\362\270\0\270P0\360\344\257\334\331\0r\254\221M\3431\2119\17\322(37\340mw\361\37\341\0\3\267\227\2661\324<,\1\250#/\336q6\210\355j`\270r\372\15\0\242J\232\205S\7-\341\0\316\3341\246q +\257\37"j\365R}\20b\343\3594\301k\3667\305X \321\244\13\325\162\374"\324\327\3012\0\200\205\360E\3\7.\347xr\314EK\320\23\306\325\346", ) \324\327\3012\0\200\205\360E\3\7.\347xr\314EK\320\23\306\325\346", ) == 0x0
 01470   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, ">\346\277yc;b\231\376\0F\322\217\323#\206\264q\7\216\2601\241"\247\336P\3676\274b\260/\0D\:$A0s\322\0Od\360\3113k\303\302\11\310n\255\342\200\330\213El\236\0*\3238\334y\21\301XL0L\7\206\2579\30@\122,\321\35\255\213\363\200\3034\20c\325\242\230\320\250\3341\234\300\250\361>F;\25\0qj\316]3\323S0\17\27\301,\1o%@\233\231\211\343X\243\374\300B\303C\74a\323r\206`\255Zp1\1\341\220\345{\36\20~0\300q\0\316\367\221\322Dg\310\327\26VXcL\31\212\204P\11.\237d<\353p49\225\200\344`e0\311\0-\373\227WQ\25JX\0\2311\343A\36\33\2557t\224H\374\365|sE=H\277\0\221=AW\316\362b\36831\253\353\230psR\29\237/\322!\345a0H\354\374\246\270\25\340\1$\33\366P\36\263\5\200\211\237\200=\32$Q\11\304\312-l\0\30\216v\302\260\0(i\323\262BF\255\37\240\214\22\223H\326\354\1?Y\307\256\260\207\342@\14\237Q\366h,\346L\162{\17@\2001\215RC\345\262\270\3\223\204\374M\376\320\0p\340\3553)\34On\37,\17b9\30\326ys9\240\262$\341\17\255\276\212,\203\322\201\35\230'6\21*\303\362\270\0\270P0\360\344\257\334\331\0r\254\221M\3431\2119\17\322(37\340mw\361\37\341\0\3\267\227\2661\324<,\1\250#/\336q6\210\355j`\270r\372\15\0\242J\232\205S\7-\341\0\316\3341\246q +\257\37"j\365R}\20b\343\3594\301k\3667\305X \321\244\13\325\162\374"\324\327\3012\0\200\205\360E\3\7.\347xr\314EK\320\23\306\325\346", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \247\336P\3676\274b\260/\0D\:$A0s\322\0Od\360\3113k\303\302\11\310n\255\342\200\330\213El\236\0*\3238\334y\21\301XL0L\7\206\2579\30@\122,\321\35\255\213\363\200\3034\20c\325\242\230\320\250\3341\234\300\250\361>F;\25\0qj\316]3\323S0\17\27\301,\1o%@\233\231\211\343X\243\374\300B\303C\74a\323r\206`\255Zp1\1\341\220\345{\36\20~0\300q\0\316\367\221\322Dg\310\327\26VXcL\31\212\204P\11.\237d<\353p49\225\200\344`e0\311\0-\373\227WQ\25JX\0\2311\343A\36\33\2557t\224H\374\365|sE=H\277\0\221=AW\316\362b\36831\253\353\230psR\29\237/\322!\345a0H\354\374\246\270\25\340\1$\33\366P\36\263\5\200\211\237\200=\32$Q\11\304\312-l\0\30\216v\302\260\0(i\323\262BF\255\37\240\214\22\223H\326\354\1?Y\307\256\260\207\342@\14\237Q\366h,\346L\162{\17@\2001\215RC\345\262\270\3\223\204\374M\376\320\0p\340\3553)\34On\37,\17b9\30\326ys9\240\262$\341\17\255\276\212,\203\322\201\35\230'6\21*\303\362\270\0\270P0\360\344\257\334\331\0r\254\221M\3431\2119\17\322(37\340mw\361\37\341\0\3\267\227\2661\324<,\1\250#/\336q6\210\355j`\270r\372\15\0\242J\232\205S\7-\341\0\316\3341\246q +\257\37 (308, 0, 0, 0, ">\346\277yc;b\231\376\0F\322\217\323#\206\264q\7\216\2601\241"\247\336P\3676\274b\260/\0D\:$A0s\322\0Od\360\3113k\303\302\11\310n\255\342\200\330\213El\236\0*\3238\334y\21\301XL0L\7\206\2579\30@\122,\321\35\255\213\363\200\3034\20c\325\242\230\320\250\3341\234\300\250\361>F;\25\0qj\316]3\323S0\17\27\301,\1o%@\233\231\211\343X\243\374\300B\303C\74a\323r\206`\255Zp1\1\341\220\345{\36\20~0\300q\0\316\367\221\322Dg\310\327\26VXcL\31\212\204P\11.\237d<\353p49\225\200\344`e0\311\0-\373\227WQ\25JX\0\2311\343A\36\33\2557t\224H\374\365|sE=H\277\0\221=AW\316\362b\36831\253\353\230psR\29\237/\322!\345a0H\354\374\246\270\25\340\1$\33\366P\36\263\5\200\211\237\200=\32$Q\11\304\312-l\0\30\216v\302\260\0(i\323\262BF\255\37\240\214\22\223H\326\354\1?Y\307\256\260\207\342@\14\237Q\366h,\346L\162{\17@\2001\215RC\345\262\270\3\223\204\374M\376\320\0p\340\3553)\34On\37,\17b9\30\326ys9\240\262$\341\17\255\276\212,\203\322\201\35\230'6\21*\303\362\270\0\270P0\360\344\257\334\331\0r\254\221M\3431\2119\17\322(37\340mw\361\37\341\0\3\267\227\2661\324<,\1\250#/\336q6\210\355j`\270r\372\15\0\242J\232\205S\7-\341\0\316\3341\246q +\257\37"j\365R}\20b\343\3594\301k\3667\305X \321\244\13\325\162\374"\324\327\3012\0\200\205\360E\3\7.\347xr\314EK\320\23\306\325\346", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \324\327\3012\0\200\205\360E\3\7.\347xr\314EK\320\23\306\325\346", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01471   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "g%\320\24\215\374u\140m\222\374\310\234\11: \206\312\202\0\356z\334LB\314g`\330$n\5ST\255\310\243\200\200\230\4\220\26\336\11N\7\20\225\177\300\27\13]\205\114\334\317\242\0\327Se\32w\0l1\377\221\3530\243\276\0~r\272\275\34>Uh\1\337=\301\363`\365\244{\7\320\305\3739\2000w\141B \302_\34x\222\203@l\3632\332g\326\372\353\240\270Tp\0\264\254\261R\206\2570=xO'\277\273l\14\20K\204\307Q4=L\211\215\21\30/;,|\277\240\214oS\0K*\360\2441\314nj\3\216\3050_u\272\301\372\6\300h\3\3O\326g\347\376\273\304\206l4\0\215=\321\230\254}\226gHo\264\0\344^\233\257\6(V\234\34\21\17\0}\273\15\236\34\346\272\3\213X\221\322R\256\270\207f\327-\332\302\350,\277\330\0O\266\A\245\10\270I\0\232\215\121@.\352T\260\200\0:m\262\203\375\213\212\33\13`1\305\231\201\354\255\330\230pX\363\2\206\276w\204I\320cL\220\212\247o\35\300\352\327^\203\356\354\237V\236\240\200\221[\377\261o\13\6\333\21\272\200DQg\232\\23\264\22\204\361\254B\30\207@\300\354\307\1\316g\340\201\327\240B\340\302\344\230\200\225f\250>\242\303\35V\z\0D!\200\334x\223\4\17\351g_4\200\232u\233Gn}\345\0|\201]\6S\341\N\0\315\347\230\15\273C\260\275Jp@\\262<,B\205\0\3341\251\165z\245\237O\\217$H0\24\276\373\374\2mg\356\327'|$\1\4]I\245\216\300\237\342\3\355z\27\240\335\227\200\273mVJ\22\300\304\321\323\203\24\7\223H\214\4\251Z4\240\340\340\357\0\16\302\20_\6\273\316G=\256\226\200'7\222m]", ) , ) == 0x0
 01472   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "g%\320\24\215\374u\140m\222\374\310\234\11: \206\312\202\0\356z\334LB\314g`\330$n\5ST\255\310\243\200\200\230\4\220\26\336\11N\7\20\225\177\300\27\13]\205\114\334\317\242\0\327Se\32w\0l1\377\221\3530\243\276\0~r\272\275\34>Uh\1\337=\301\363`\365\244{\7\320\305\3739\2000w\141B \302_\34x\222\203@l\3632\332g\326\372\353\240\270Tp\0\264\254\261R\206\2570=xO'\277\273l\14\20K\204\307Q4=L\211\215\21\30/;,|\277\240\214oS\0K*\360\2441\314nj\3\216\3050_u\272\301\372\6\300h\3\3O\326g\347\376\273\304\206l4\0\215=\321\230\254}\226gHo\264\0\344^\233\257\6(V\234\34\21\17\0}\273\15\236\34\346\272\3\213X\221\322R\256\270\207f\327-\332\302\350,\277\330\0O\266\A\245\10\270I\0\232\215\121@.\352T\260\200\0:m\262\203\375\213\212\33\13`1\305\231\201\354\255\330\230pX\363\2\206\276w\204I\320cL\220\212\247o\35\300\352\327^\203\356\354\237V\236\240\200\221[\377\261o\13\6\333\21\272\200DQg\232\\23\264\22\204\361\254B\30\207@\300\354\307\1\316g\340\201\327\240B\340\302\344\230\200\225f\250>\242\303\35V\z\0D!\200\334x\223\4\17\351g_4\200\232u\233Gn}\345\0|\201]\6S\341\N\0\315\347\230\15\273C\260\275Jp@\\262<,B\205\0\3341\251\165z\245\237O\\217$H0\24\276\373\374\2mg\356\327'|$\1\4]I\245\216\300\237\342\3\355z\27\240\335\227\200\273mVJ\22\300\304\321\323\203\24\7\223H\214\4\251Z4\240\340\340\357\0\16\302\20_\6\273\316G=\256\226\200'7\222m]", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01473   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=61440}, "\177\361&\257rC\314\313\250\270\321\306(\234\27\334\17\223\373\220#!^ \277\363\30D\12\7\3339O\330!\334\21\276\04\362\11(\374S^\0\251\213\255\302CMd\5H\204\274\354=!\4\204\0q\212\213C{\272\26\336\2454A\270\301\16\375\223\204Yb\263\7 \354\240\340\10MZ\352\266B\257\3\0\244\274\213b\0\276\304\342\337\37\333\23\33H\2259\0@\231\343\235\277z\20\17]\335N\357L\270\350\331\35\10I\362\246<\2\307\354\33\11\307\360B\217\253\30\3505\4\216g\341N1\210\254\301J\177\2\\346\303\336@F\345s\0\323Q\232\376\215\236\224p\2\305N\325\15d?\342\314\200\310S*\310\250$|\334\220\200\217\20\245\312\224-\0\10\210KNU|\335\27\6\342P\1\35\216qX-\360\25\17\272d}\2tr9\320\3521E0\7S\300~@\313\214\15\221\0\304\212,G\361\303b\11\356z\26*\314\2r+\225\335U{A\250\342)\304\08\255\14}\324"v\0V+\2601\271\256|H\26hM\307\0\2404\305\272\223\253$\251e<\202\353\344\257\24@\3404*`g\31\3a\347\213\37\27\361\234\0;\260\327\310\4\324\169\335\377\325 8_n\347{\22\34\370\316\200l0\244\206\0LP\330\7\344\224\5\334\1\347\25O\220K\325`\20v*\17t\227\346\201\0\304\211 D\270\321\357\277J\2243h;\367\12\347\246\14\276\210\377\237?\311\310\0&\304\320\34KS\242\365@\350H\265k\26\324\11h5x\12<4\330\300\363Y\337OF\330\30\265\221 V\342\0\200\225Y\15@*|\275\3p\3222601\271\256|H\26hM\307\0\2404\305\272\223\253$\251e<\202\353\344\257\24@\3404*`g\31\3a\347\213\37\27\361\234\0;\260\327\310\4\324\169\335\377\325 8_n\347{\22\34\370\316\200l0\244\206\0LP\330\7\344\224\5\334\1\347\25O\220K\325`\20v*\17t\227\346\201\0\304\211 D\270\321\357\277J\2243h;\367\12\347\246\14\276\210\377\237?\311\310\0&\304\320\34KS\242\365@\350H\265k\26\324\11h5x\12<4\330\300\363Y\337OF\330\30\265\221 V\342\0\200\225Y\15@*|\275\3p\32224\364\201\330\5\367\11K\254\223T\224\254\216\207`\237\326*\344\2\360\334\2r\31\375x\243\324@\334bT\30108:\15\274 \10\242", ) == 0x0
 01474   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "\177\361&\257rC\314\313\250\270\321\306(\234\27\334\17\223\373\220#!^ \277\363\30D\12\7\3339O\330!\334\21\276\04\362\11(\374S^\0\251\213\255\302CMd\5H\204\274\354=!\4\204\0q\212\213C{\272\26\336\2454A\270\301\16\375\223\204Yb\263\7 \354\240\340\10MZ\352\266B\257\3\0\244\274\213b\0\276\304\342\337\37\333\23\33H\2259\0@\231\343\235\277z\20\17]\335N\357L\270\350\331\35\10I\362\246<\2\307\354\33\11\307\360B\217\253\30\3505\4\216g\341N1\210\254\301J\177\2\\346\303\336@F\345s\0\323Q\232\376\215\236\224p\2\305N\325\15d?\342\314\200\310S*\310\250$|\334\220\200\217\20\245\312\224-\0\10\210KNU|\335\27\6\342P\1\35\216qX-\360\25\17\272d}\2tr9\320\3521E0\7S\300~@\313\214\15\221\0\304\212,G\361\303b\11\356z\26*\314\2r+\225\335U{A\250\342)\304\08\255\14}\324"v\0V+\2601\271\256|H\26hM\307\0\2404\305\272\223\253$\251e<\202\353\344\257\24@\3404*`g\31\3a\347\213\37\27\361\234\0;\260\327\310\4\324\169\335\377\325 8_n\347{\22\34\370\316\200l0\244\206\0LP\330\7\344\224\5\334\1\347\25O\220K\325`\20v*\17t\227\346\201\0\304\211 D\270\321\357\277J\2243h;\367\12\347\246\14\276\210\377\237?\311\310\0&\304\320\34KS\242\365@\350H\265k\26\324\11h5x\12<4\330\300\363Y\337OF\330\30\265\221 V\342\0\200\225Y\15@*|\275\3p\3222601\271\256|H\26hM\307\0\2404\305\272\223\253$\251e<\202\353\344\257\24@\3404*`g\31\3a\347\213\37\27\361\234\0;\260\327\310\4\324\169\335\377\325 8_n\347{\22\34\370\316\200l0\244\206\0LP\330\7\344\224\5\334\1\347\25O\220K\325`\20v*\17t\227\346\201\0\304\211 D\270\321\357\277J\2243h;\367\12\347\246\14\276\210\377\237?\311\310\0&\304\320\34KS\242\365@\350H\265k\26\324\11h5x\12<4\330\300\363Y\337OF\330\30\265\221 V\342\0\200\225Y\15@*|\275\3p\32224\364\201\330\5\367\11K\254\223T\224\254\216\207`\237\326*\344\2\360\334\2r\31\375x\243\324@\334bT\30108:\15\274 \10\242", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01475   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=8704},  (304, 0, 0, 0, 61440, 0x0, 0, ... {status=0x0, info=8704}, "9\240\204\15m\353\364\0MNV\361X\26\221\354}x\1}F\376y\119\4\310N\234\30\202\244\210@>\\5\310\236[\260u\300\23\251\33\277\30\241\366\244\250\232\201R\202\204~\3\243\7\302\25\320\1\330@>%\0\313\6\351;\366\374\347\231t \0\344\204\337\11\223\242`\335\0\332\325w\244\1\14g\276\303QH\231e\250\2\334\316\14\206\3323p\330\211\34%\356Y\0wIA.\365D\0\\367\255|\7\325)\220\34CF@\332\215\351\4\27\340(\323\16\26\223\255I!\304}\376\226\217q8C\7AO\340\206\36<~ \24\246\0|\32\27\355\14\371@\177\1\242K`\255\244\377e\320\251\277\37\235\357E\300+Q}9L\10\3:A\375\4\24\227\241lr\200\301K\324\322@\22\215\3t'\\362\244\10\375O\360\361\300\11\234\23\203\3450lt9f\312\276\1h\223\313\204P\361o\207`\351\14\14\255\200\3347{\331\240\2504.\16\16\344\236w^\244\14\200\232\265Ro\322\264\0\1y\377\213\216q\241\371\16\237\344\11>\3004M(\322\323\6\2\247\221\21\214A\25\332\360}\214P\34\234\0\373\224\24\35\276\6\237u\300)b\363\326y\220\0a\33\215_d<\236\3327\245\200A`\366\306F\14\25W0G\200s$\214\300\373\12\220\26\320\276$\313X\1w\254\255\221;"\220(<\270\25\2500s\224\0\2\350\311B63g\4\224H\324\10\344\257\200\201\352\206\377Lvt\0\376\300\136h\12\373\3@\220,;\23\243\0\241\233z\364\35\20\374W\220\324\3m\10\27\324\366+\230,\\267\300\300e\374\242\377Q\11\331=4\261\0hU \356p>9\\30\376\245Yg\235\300\331\272\356~\2\203q\343\17\332\375\366\352\311\21\23\344\3021w\14[\21$\0", ) \220(<\270\25\2500s\224\0\2\350\311B63g\4\224H\324\10\344\257\200\201\352\206\377Lvt\0\376\300\136h\12\373\3@\220,;\23\243\0\241\233z\364\35\20\374W\220\324\3m\10\27\324\366+\230,\\267\300\300e\374\242\377Q\11\331=4\261\0hU \356p>9\\30\376\245Yg\235\300\331\272\356~\2\203q\343\17\332\375\366\352\311\21\23\344\3021w\14[\21$\0", ) == 0x0
 01476   460   NtWriteFile  (308, 0, 0, 0,  (308, 0, 0, 0, "9\240\204\15m\353\364\0MNV\361X\26\221\354}x\1}F\376y\119\4\310N\234\30\202\244\210@>\\5\310\236[\260u\300\23\251\33\277\30\241\366\244\250\232\201R\202\204~\3\243\7\302\25\320\1\330@>%\0\313\6\351;\366\374\347\231t \0\344\204\337\11\223\242`\335\0\332\325w\244\1\14g\276\303QH\231e\250\2\334\316\14\206\3323p\330\211\34%\356Y\0wIA.\365D\0\\367\255|\7\325)\220\34CF@\332\215\351\4\27\340(\323\16\26\223\255I!\304}\376\226\217q8C\7AO\340\206\36<~ \24\246\0|\32\27\355\14\371@\177\1\242K`\255\244\377e\320\251\277\37\235\357E\300+Q}9L\10\3:A\375\4\24\227\241lr\200\301K\324\322@\22\215\3t'\\362\244\10\375O\360\361\300\11\234\23\203\3450lt9f\312\276\1h\223\313\204P\361o\207`\351\14\14\255\200\3347{\331\240\2504.\16\16\344\236w^\244\14\200\232\265Ro\322\264\0\1y\377\213\216q\241\371\16\237\344\11>\3004M(\322\323\6\2\247\221\21\214A\25\332\360}\214P\34\234\0\373\224\24\35\276\6\237u\300)b\363\326y\220\0a\33\215_d<\236\3327\245\200A`\366\306F\14\25W0G\200s$\214\300\373\12\220\26\320\276$\313X\1w\254\255\221;"\220(<\270\25\2500s\224\0\2\350\311B63g\4\224H\324\10\344\257\200\201\352\206\377Lvt\0\376\300\136h\12\373\3@\220,;\23\243\0\241\233z\364\35\20\374W\220\324\3m\10\27\324\366+\230,\\267\300\300e\374\242\377Q\11\331=4\261\0hU \356p>9\\30\376\245Yg\235\300\331\272\356~\2\203q\343\17\332\375\366\352\311\21\23\344\3021w\14[\21$\0", 8704, 0x0, 0, ... {status=0x0, info=8704}, ) \220(<\270\25\2500s\224\0\2\350\311B63g\4\224H\324\10\344\257\200\201\352\206\377Lvt\0\376\300\136h\12\373\3@\220,;\23\243\0\241\233z\364\35\20\374W\220\324\3m\10\27\324\366+\230,\\267\300\300e\374\242\377Q\11\331=4\261\0hU \356p>9\\30\376\245Yg\235\300\331\272\356~\2\203q\343\17\332\375\366\352\311\21\23\344\3021w\14[\21$\0", 8704, 0x0, 0, ... {status=0x0, info=8704}, ) == 0x0
 01477   460   NtReadFile  (304, 0, 0, 0, 61440, 0x0, 0, ... ) == STATUS_END_OF_FILE
 01478   460   NtFreeVirtualMemory  (-1, (0x14d000), 69632, 16384, ... (0x14d000), 69632, ) == 0x0
 01479   460   NtSetInformationFile  (308, 1243676, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01480   460   NtClose  (304, ... ) == 0x0
 01481   460   NtClose  (308, ... ) == 0x0
 01482   460   NtClose  (300, ... ) == 0x0
 01483   460   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01484   460   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\nex.exe"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0
 01485   460   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 300, ... 308, ) == 0x0
 01486   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 304, ) }, ... 304, ) == 0x0
 01488   460   NtQueryValueKey  (304,  (304, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01489   460   NtClose  (304, ... ) == 0x0
 01490   460   NtQueryVolumeInformationFile  (300, 1240372, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01491   460   NtOpenMutant  (0x120001, {24, 56, 0x0, 0, 0,  (0x120001, {24, 56, 0x0, 0, 0, "ShimCacheMutex"}, ... 304, ) }, ... 304, ) == 0x0
 01492   460   NtWaitForSingleObject  (304, 0, {-1000000, -1}, ... ) == 0x0
 01493   460   NtOpenSection  (0x2, {24, 56, 0x0, 0, 0,  (0x2, {24, 56, 0x0, 0, 0, "ShimSharedMemory"}, ... 312, ) }, ... 312, ) == 0x0
 01494   460   NtMapViewOfSection  (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2900000), {0, 0}, 57344, ) == 0x0
 01495   460   NtReleaseMutant  (304, ... 0x0, ) == 0x0
 01496   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238356, ... ) }, 1238356, ... ) == 0x0
 01497   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0
 01498   460   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 316, ... 320, ) == 0x0
 01499   460   NtClose  (316, ... ) == 0x0
 01500   460   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2940000), 0x0, 106496, ) == 0x0
 01501   460   NtClose  (320, ... ) == 0x0
 01502   460   NtUnmapViewOfSection  (-1, 0x2940000, ... ) == 0x0
 01503   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238672, ... ) }, 1238672, ... ) == 0x0
 01504   460   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 01505   460   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 320, ... 316, ) == 0x0
 01506   460   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01507   460   NtClose  (320, ... ) == 0x0
 01508   460   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01509   460   NtClose  (316, ... ) == 0x0
 01510   460   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0
 01511   460   NtQueryInformationFile  (316, 1238960, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01512   460   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 316, ... 320, ) == 0x0
 01513   460   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2bf0000), 0x0, 1028096, ) == 0x0
 01514   460   NtQueryInformationFile  (316, 1239056, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01515   460   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01516   460   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01517   460   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01518   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01519   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1236620, 616, BothDirectory, 1,  (324, 0, 0, 0, 1236620, 616, BothDirectory, 1, "nex.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01520   460   NtClose  (324, ... ) == 0x0
 01521   460   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01522   460   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01523   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\nex.exe"}, 1236008, ... ) }, 1236008, ... ) == 0x0
 01524   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01525   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1235368, 616, BothDirectory, 1,  (324, 0, 0, 0, 1235368, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01526   460   NtClose  (324, ... ) == 0x0
 01527   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01528   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1235368, 616, BothDirectory, 1,  (324, 0, 0, 0, 1235368, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01529   460   NtClose  (324, ... ) == 0x0
 01530   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01531   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1235368, 616, BothDirectory, 1,  (324, 0, 0, 0, 1235368, 616, BothDirectory, 1, "nex.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01532   460   NtClose  (324, ... ) == 0x0
 01533   460   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01534   460   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01535   460   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01536   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01537   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 01538   460   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01539   460   NtClose  (324, ... ) == 0x0
 01540   460   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01541   460   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\nex.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01542   460   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01543   460   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01544   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\nex.exe"}, 1238288, ... ) }, 1238288, ... ) == 0x0
 01545   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01546   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1237648, 616, BothDirectory, 1,  (324, 0, 0, 0, 1237648, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01547   460   NtClose  (324, ... ) == 0x0
 01548   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01549   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1237648, 616, BothDirectory, 1,  (324, 0, 0, 0, 1237648, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01550   460   NtClose  (324, ... ) == 0x0
 01551   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01552   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1237648, 616, BothDirectory, 1,  (324, 0, 0, 0, 1237648, 616, BothDirectory, 1, "nex.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01553   460   NtClose  (324, ... ) == 0x0
 01554   460   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01555   460   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01556   460   NtWaitForSingleObject  (304, 0, {-1000000, -1}, ... ) == 0x0
 01557   460   NtQueryVolumeInformationFile  (300, 1238932, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01558   460   NtQueryInformationFile  (300, 1238912, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01559   460   NtQueryInformationFile  (300, 1238952, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01560   460   NtReleaseMutant  (304, ... 0x0, ) == 0x0
 01561   460   NtUnmapViewOfSection  (-1, 0x2bf0000, ... ) == 0x0
 01562   460   NtClose  (320, ... ) == 0x0
 01563   460   NtClose  (316, ... ) == 0x0
 01564   460   NtQuerySection  (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01565   460   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nex.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01566   460   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01567   460   NtOpenProcessToken  (-1, 0xa, ... 316, ) == 0x0
 01568   460   NtQueryInformationToken  (316, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01569   460   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0
 01571   460   NtQueryValueKey  (320,  (320, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (320, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01572   460   NtQueryValueKey  (320,  (320, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (320, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01573   460   NtClose  (320, ... ) == 0x0
 01574   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0
 01575   460   NtQueryValueKey  (320,  (320, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01576   460   NtQueryValueKey  (320,  (320, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (320, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01577   460   NtClose  (320, ... ) == 0x0
 01578   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0
 01580   460   NtQueryValueKey  (320,  (320, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   460   NtClose  (320, ... ) == 0x0
 01582   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01583   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01584   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01585   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01586   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01587   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01588   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01589   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01590   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01591   460   NtQueryDefaultLocale  (1, 1239744, ... ) == 0x0
 01592   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 320, ) }, ... 320, ) == 0x0
 01593   460   NtEnumerateKey  (320, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (320, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01594   460   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 324, ) }, ... 324, ) == 0x0
 01595   460   NtQueryValueKey  (324,  (324, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (324, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01596   460   NtQueryValueKey  (324,  (324, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (324, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01597   460   NtClose  (324, ... ) == 0x0
 01598   460   NtEnumerateKey  (320, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01599   460   NtClose  (320, ... ) == 0x0
 01600   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01601   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01602   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01603   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01604   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01605   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01607   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01608   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01609   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01610   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01611   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01612   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01613   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01614   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01615   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01616   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01617   460   NtClose  (320, ... ) == 0x0
 01618   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01619   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01620   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01621   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01622   460   NtClose  (320, ... ) == 0x0
 01623   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01624   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01625   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01626   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01627   460   NtClose  (320, ... ) == 0x0
 01628   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01629   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01630   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01631   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01632   460   NtClose  (320, ... ) == 0x0
 01633   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01634   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01635   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01636   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01637   460   NtClose  (320, ... ) == 0x0
 01638   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01639   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01640   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01641   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01642   460   NtClose  (320, ... ) == 0x0
 01643   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01644   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01645   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01646   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01647   460   NtClose  (320, ... ) == 0x0
 01648   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01649   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01650   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01651   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01652   460   NtClose  (320, ... ) == 0x0
 01653   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01654   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01655   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01656   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01657   460   NtClose  (320, ... ) == 0x0
 01658   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01659   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01660   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01661   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01662   460   NtClose  (320, ... ) == 0x0
 01663   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01664   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01665   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01666   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01667   460   NtClose  (320, ... ) == 0x0
 01668   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01669   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01670   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01671   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01672   460   NtClose  (320, ... ) == 0x0
 01673   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01674   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01675   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01676   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01677   460   NtClose  (320, ... ) == 0x0
 01678   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01679   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01680   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01681   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01682   460   NtClose  (320, ... ) == 0x0
 01683   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01684   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01685   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01686   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01687   460   NtClose  (320, ... ) == 0x0
 01688   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01689   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0
 01690   460   NtQueryValueKey  (320,  (320, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (320, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (320, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01691   460   NtClose  (320, ... ) == 0x0
 01692   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01693   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 320, ) == 0x0
 01694   460   NtQueryInformationToken  (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01695   460   NtClose  (320, ... ) == 0x0
 01696   460   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01697   460   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01698   460   NtOpenProcessToken  (-1, 0xa, ... 320, ) == 0x0
 01699   460   NtDuplicateToken  (320, 0xc, {24, 0, 0x0, 0, 1240264, 0x0}, 0, 2, ... 324, ) == 0x0
 01700   460   NtClose  (320, ... ) == 0x0
 01701   460   NtAccessCheck  (1363184, 324, 0x1, 1240392, 1240336, 56, 1240420, ... (0x1), ) == 0x0
 01702   460   NtClose  (324, ... ) == 0x0
 01703   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 324, ) }, ... 324, ) == 0x0
 01704   460   NtQueryValueKey  (324,  (324, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (324, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01705   460   NtClose  (324, ... ) == 0x0
 01706   460   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 324, ) }, ... 324, ) == 0x0
 01707   460   NtQuerySymbolicLinkObject  (324, ...  (324, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01708   460   NtClose  (324, ... ) == 0x0
 01709   460   NtQueryInformationFile  (300, 1238724, 528, Name, ... {status=0x0, info=54}, ) == 0x0
 01710   460   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01711   460   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01712   460   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\nex.exe"}, 1237404, ... ) }, 1237404, ... ) == 0x0
 01713   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01714   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1236764, 616, BothDirectory, 1,  (324, 0, 0, 0, 1236764, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01715   460   NtClose  (324, ... ) == 0x0
 01716   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01717   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1236764, 616, BothDirectory, 1,  (324, 0, 0, 0, 1236764, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01718   460   NtClose  (324, ... ) == 0x0
 01719   460   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 324, {status=0x0, info=1}, ) }, 3, 16417, ... 324, {status=0x0, info=1}, ) == 0x0
 01720   460   NtQueryDirectoryFile  (324, 0, 0, 0, 1236764, 616, BothDirectory, 1,  (324, 0, 0, 0, 1236764, 616, BothDirectory, 1, "nex.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01721   460   NtClose  (324, ... ) == 0x0
 01722   460   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01723   460   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01724   460   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01725   460   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 324, ) == 0x0
 01726   460   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01727   460   NtClose  (324, ... ) == 0x0
 01728   460   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 324, ) }, ... 324, ) == 0x0
 01729   460   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 320, ) }, ... 320, ) == 0x0
 01730   460   NtClose  (324, ... ) == 0x0
 01731   460   NtQueryValueKey  (320,  (320, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01732   460   NtQueryValueKey  (320,  (320, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (320, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01733   460   NtClose  (320, ... ) == 0x0
 01734   460   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 43122688, 4096, ) == 0x0
 01735   460   NtAllocateVirtualMemory  (-1, 43122688, 0, 4096, 4096, 4, ... 43122688, 4096, ) == 0x0
 01736   460   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 320, ) }, ... 320, ) == 0x0
 01737   460   NtQueryValueKey  (320,  (320, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01738   460   NtClose  (320, ... ) == 0x0
 01739   460   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01740   460   NtQueryInformationToken  (316, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01741   460   NtQueryInformationToken  (316, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01742   460   NtClose  (316, ... ) == 0x0
 01743   460   NtCreateProcessEx  (1243000, 2035711, 0, -1, 0, 308, 0, 0, 0, ... ) == 0x0
 01744   460   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01745   460   NtQueryInformationProcess  (316, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=936,ParentPid=456,}, 0x0, ) == 0x0
 01746   460   NtReadVirtualMemory  (316, 0x7ffdf008, 4, ...  (316, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 01747   460   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\nex.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01748   460   NtAllocateVirtualMemory  (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0
 01749   460   NtReadVirtualMemory  (316, 0x400000, 4096, ...  (316, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343\355\216\341\247\214\340\262\247\214\340\262\247\214\340\262\264\204\275\262\245\214\340\262$\204\275\262\241\214\340\262]\257\371\262\242\214\340\262\247\214\341\262\354\214\340\262\242\200\200\262\250\214\340\262\242\200\272\262\246\214\340\262Rich\247\214\340\262\0\0\0\0\0\0\0\0PE\0\0L\1\4\0UnPacKcN\0\0\0\0\340\0\17\1\13\1\7\12\0L\0\0\0\22\4\0\0\0\0\0\24\240\4\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`+\0\0\4\0\0hn\23\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\24\220\4\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0   \0    \0p\4\0\0\20\0\0\06\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsr", 4096, ) , 4096, ) == 0x0
 01750   460   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01751   460   NtQueryInformationProcess  (316, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=936,ParentPid=456,}, 0x0, ) == 0x0
 01752   460   NtAllocateVirtualMemory  (-1, 0, 0, 1640, 4096, 4, ... 43253760, 4096, ) == 0x0
 01753   460   NtAllocateVirtualMemory  (316, 0, 0, 1942, 4096, 4, ... 65536, 4096, ) == 0x0
 01754   460   NtWriteVirtualMemory  (316, 0x10000,  (316, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1942, ... 0x0, ) , 1942, ... 0x0, ) == 0x0
 01755   460   NtAllocateVirtualMemory  (316, 0, 0, 1640, 4096, 4, ... 131072, 4096, ) == 0x0
 01756   460   NtWriteVirtualMemory  (316, 0x20000,  (316, 0x20000, "\0\20\0\0h\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0:\0<\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\06\08\0\14\6\0\0\36\0 \0D\6\0\0\0\0\2\0d\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1640, ... 0x0, ) , 1640, ... 0x0, ) == 0x0
 01757   460   NtWriteVirtualMemory  (316, 0x7ffdf010,  (316, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01758   460   NtWriteVirtualMemory  (316, 0x7ffdf1e8,  (316, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01759   460   NtFreeVirtualMemory  (-1, (0x2940000), 0, 32768, ... (0x2940000), 4096, ) == 0x0
 01760   460   NtAllocateVirtualMemory  (316, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01761   460   NtAllocateVirtualMemory  (316, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01762   460   NtProtectVirtualMemory  (316, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01763   460   NtCreateThread  (0x1f03ff, 0x0, 316, 1241264, 1241984, 1, ... 320, {936, 940}, ) == 0x0
 01764   460   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312776, 1310720, 1348536, 1243084}  (24, {168, 196, new_msg, 0, 1312776, 1310720, 1348536, 1243084} "\0\0\0\0\0\0\1\0\2$\370w U\367w?\1\0\0@\1\0\0\250\3\0\0\254\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0ntoh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 456, 460, 1556, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w<\1\0\0@\1\0\0\250\3\0\0\254\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0ntoh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 456, 460, 1556, 0}  (24, {168, 196, new_msg, 0, 1312776, 1310720, 1348536, 1243084} "\0\0\0\0\0\0\1\0\2$\370w U\367w?\1\0\0@\1\0\0\250\3\0\0\254\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0ntoh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 456, 460, 1556, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w<\1\0\0@\1\0\0\250\3\0\0\254\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0ntoh\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01765   460   NtResumeThread  (320, ... 1, ) == 0x0
 01766   460   NtClose  (300, ... ) == 0x0
 01767   460   NtClose  (308, ... ) == 0x0
 01768   460   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 308, {status=0x0, info=1}, ) }, 7, 2113568, ... 308, {status=0x0, info=1}, ) == 0x0
 01769   460   NtQueryInformationFile  (308, 1243768, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01770   460   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 300, 0x0, ) }, 0, 0x0, 0, ... 300, 0x0, ) == 0x0
 01771   460   NtQueryValueKey  (300,  (300, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01772   460   NtClose  (300, ... ) == 0x0
 01773   460   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 300, 0x0, ) }, 0, 0x0, 0, ... 300, 0x0, ) == 0x0
 01774   460   NtQueryValueKey  (300,  (300, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01775   460   NtSetValueKey  (300,  (300, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 0, 7,  (300, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 50, ...
 01776   460   NtSetInformationFile  (-2147482844, -133527756, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01775   460   NtSetValueKey  ... ) == 0x0
 01777   460   NtClose  (300, ... ) == 0x0
 01778   460   NtClose  (308, ... ) == 0x0
 01779   460   NtTerminateProcess  (0, 0, ...
 00535   384   NtDelayExecution  ... ) == 0xc0
 00536   380   NtDelayExecution  ... ) == 0xc0
 00542   568   NtDelayExecution  ... ) == 0xc0
 00538   572   NtDelayExecution  ... ) == 0xc0
 00539   588   NtDelayExecution  ... ) == 0xc0
 00540   580   NtDelayExecution  ... ) == 0xc0
 00541   584   NtDelayExecution  ... ) == 0xc0
 00430   576   NtDelayExecution  ... ) == 0xc0
 01103   596   NtWaitForSingleObject  ... ) == 0xc0
 01225   636   NtWaitForSingleObject  ... ) == 0xc0
 00665   732   NtWaitForSingleObject  ... ) == 0xc0
 01111   744   NtWaitForSingleObject  ... ) == 0xc0
 00505   676   NtWaitForSingleObject  ... ) == 0xc0
 01127   788   NtWaitForSingleObject  ... ) == 0xc0
 00878   784   NtWaitForSingleObject  ... ) == 0xc0
 01140   716   NtWaitForSingleObject  ... ) == 0xc0
 01239   308   NtWaitForSingleObject  ... ) == 0xc0
 01233   840   NtWaitForSingleObject  ... ) == 0xc0
 01221   836   NtWaitForSingleObject  ... ) == 0xc0
 01146   844   NtWaitForSingleObject  ... ) == 0xc0
 01229   864   NtWaitForSingleObject  ... ) == 0xc0
 01213   868   NtWaitForSingleObject  ... ) == 0xc0
 01157   872   NtWaitForSingleObject  ... ) == 0xc0
 01136   876   NtWaitForSingleObject  ... ) == 0xc0
 00800   888   NtDelayExecution  ... ) == 0xc0
 01162   920   NtDelayExecution  ... ) == 0xc0
 01779   460   NtTerminateProcess  ... ) == 0x0
 01780   460   NtClose  (280, ... ) == 0x0
 01781   460   NtClose  (260, ... ) == 0x0
 01782   460   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01783   460   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01784   460   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01785   460   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01786   460   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 01787   460   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01788   460   NtUnmapViewOfSection  (-1, 0x2770000, ... ) == 0x0
 01789   460   NtClose  (252, ... ) == 0x0
 01790   460   NtGdiDeleteObjectApp  (168821790, ... ) == 0x1
 01791   460   NtUserGetProcessWindowStation  (... ) == 0x24
 01792   460   NtUserBuildNameList  (36, 256, 1326520, 1243424, ... ) == 0x0
 01793   460   NtUserGetProcessWindowStation  (... ) == 0x24
 01794   460   NtUserOpenDesktop  ({24, 36, 0x40, 0, 0,  ({24, 36, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0xfc
 01795   460   NtUserBuildHwndList  (252, 0, 0, 0, 64, ... (0x100ac, 0x100aa, 0x100a8, 0x20060, 0x100a2, 0x10082, 0x10076, 0x1006a, 0x3004c, 0x10068, 0x10066, 0x3003e, 0x1009a, 0x1008e, 0x1007e, 0x10026, 0x100c2, 0x100c0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b2, 0x100b0, 0x20064, 0x100ae, 0x20062, 0x1006e, 0x50050, 0x40054, 0x5004e, 0x10080, 0x10078, 0x1, ), 34, ) == 0x0
 01796   460   NtUserQueryWindow  (65708, 0, ... ) == 0xd8
 01797   460   NtUserQueryWindow  (65708, 1, ... ) == 0xdc
 01798   460   NtUserQueryWindow  (65706, 0, ... ) == 0xd8
 01799   460   NtUserQueryWindow  (65706, 1, ... ) == 0xdc
 01800   460   NtUserQueryWindow  (65704, 0, ... ) == 0xd8
 01801   460   NtUserQueryWindow  (65704, 1, ... ) == 0xdc
 01802   460   NtUserQueryWindow  (131168, 0, ... ) == 0xd8
 01803   460   NtUserQueryWindow  (131168, 1, ... ) == 0xdc
 01804   460   NtUserQueryWindow  (65698, 0, ... ) == 0x7d4
 01805   460   NtUserQueryWindow  (65698, 1, ... ) == 0x7e4
 01806   460   NtUserQueryWindow  (65666, 0, ... ) == 0x7d4
 01807   460   NtUserQueryWindow  (65666, 1, ... ) == 0x7e4
 01808   460   NtUserBuildHwndList  (0, 65666, 1, 0, 64, ... (0x10084, 0x10088, 0x1008a, 0x1008c, 0x10090, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009c, 0x1009e, 0x100a0, 0x1, ), 13, ) == 0x0
 01809   460   NtUserQueryWindow  (65668, 0, ... ) == 0x7d4
 01810   460   NtUserQueryWindow  (65668, 1, ... ) == 0x7e4
 01811   460   NtUserQueryWindow  (65672, 0, ... ) == 0x7d4
 01812   460   NtUserQueryWindow  (65672, 1, ... ) == 0x7e4
 01813   460   NtUserQueryWindow  (65674, 0, ... ) == 0x7d4
 01814   460   NtUserQueryWindow  (65674, 1, ... ) == 0x7e4
 01815   460   NtUserQueryWindow  (65676, 0, ... ) == 0x7d4
 01816   460   NtUserQueryWindow  (65676, 1, ... ) == 0x7e4
 01817   460   NtUserQueryWindow  (65680, 0, ... ) == 0x7d4
 01818   460   NtUserQueryWindow  (65680, 1, ... ) == 0x7e4
 01819   460   NtUserQueryWindow  (65682, 0, ... ) == 0x7d4
 01820   460   NtUserQueryWindow  (65682, 1, ... ) == 0x7e4
 01821   460   NtUserQueryWindow  (65684, 0, ... ) == 0x7d4
 01822   460   NtUserQueryWindow  (65684, 1, ... ) == 0x7e4
 01823   460   NtUserQueryWindow  (65686, 0, ... ) == 0x7d4
 01824   460   NtUserQueryWindow  (65686, 1, ... ) == 0x7e4
 01825   460   NtUserQueryWindow  (65688, 0, ... ) == 0x7d4
 01826   460   NtUserQueryWindow  (65688, 1, ... ) == 0x7e4
 01827   460   NtUserQueryWindow  (65692, 0, ... ) == 0x7d4
 01828   460   NtUserQueryWindow  (65692, 1, ... ) == 0x7e4
 01829   460   NtUserQueryWindow  (65694, 0, ... ) == 0x7d4
 01830   460   NtUserQueryWindow  (65694, 1, ... ) == 0x7e4
 01831   460   NtUserQueryWindow  (65696, 0, ... ) == 0x7d4
 01832   460   NtUserQueryWindow  (65696, 1, ... ) == 0x7e4
 01833   460   NtUserQueryWindow  (65654, 0, ... ) == 0x7d4
 01834   460   NtUserQueryWindow  (65654, 1, ... ) == 0x7e4
 01835   460   NtUserQueryWindow  (65642, 0, ... ) == 0x7d4
 01836   460   NtUserQueryWindow  (65642, 1, ... ) == 0x7e4
 01837   460   NtUserQueryWindow  (196684, 0, ... ) == 0x7d4
 01838   460   NtUserQueryWindow  (196684, 1, ... ) == 0x7e4
 01839   460   NtUserQueryWindow  (65640, 0, ... ) == 0x7d4
 01840   460   NtUserQueryWindow  (65640, 1, ... ) == 0x7e4
 01841   460   NtUserQueryWindow  (65638, 0, ... ) == 0x7d4
 01842   460   NtUserQueryWindow  (65638, 1, ... ) == 0x7e4
 01843   460   NtUserQueryWindow  (196670, 0, ... ) == 0x7d4
 01844   460   NtUserQueryWindow  (196670, 1, ... ) == 0x7e4
 01845   460   NtUserBuildHwndList  (0, 196670, 1, 0, 64, ... (0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x3004a, 0x1006c, 0x10070, 0x10074, 0x1, ), 10, ) == 0x0
 01846   460   NtUserQueryWindow  (196674, 0, ... ) == 0x7d4
 01847   460   NtUserQueryWindow  (196674, 1, ... ) == 0x7e4
 01848   460   NtUserQueryWindow  (196672, 0, ... ) == 0x7d4
 01849   460   NtUserQueryWindow  (196672, 1, ... ) == 0x7e4
 01850   460   NtUserQueryWindow  (196676, 0, ... ) == 0x7d4
 01851   460   NtUserQueryWindow  (196676, 1, ... ) == 0x7e4
 01852   460   NtUserQueryWindow  (196678, 0, ... ) == 0x7d4
 01853   460   NtUserQueryWindow  (196678, 1, ... ) == 0x7e4
 01854   460   NtUserQueryWindow  (196680, 0, ... ) == 0x7d4
 01855   460   NtUserQueryWindow  (196680, 1, ... ) == 0x7e4
 01856   460   NtUserQueryWindow  (196682, 0, ... ) == 0x7d4
 01857   460   NtUserQueryWindow  (196682, 1, ... ) == 0x7e4
 01858   460   NtUserQueryWindow  (65644, 0, ... ) == 0x7d4
 01859   460   NtUserQueryWindow  (65644, 1, ... ) == 0x7e4
 01860   460   NtUserQueryWindow  (65648, 0, ... ) == 0x7d4
 01861   460   NtUserQueryWindow  (65648, 1, ... ) == 0x7e4
 01862   460   NtUserQueryWindow  (65652, 0, ... ) == 0x7d4
 01863   460   NtUserQueryWindow  (65652, 1, ... ) == 0x7e4
 01864   460   NtUserQueryWindow  (65690, 0, ... ) == 0x7d4
 01865   460   NtUserQueryWindow  (65690, 1, ... ) == 0x7e4
 01866   460   NtUserQueryWindow  (65678, 0, ... ) == 0x7d4
 01867   460   NtUserQueryWindow  (65678, 1, ... ) == 0x7e4
 01868   460   NtUserQueryWindow  (65662, 0, ... ) == 0x7d4
 01869   460   NtUserQueryWindow  (65662, 1, ... ) == 0x7d8
 01870   460   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 01871   460   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 01872   460   NtUserQueryWindow  (65730, 0, ... ) == 0xe0
 01873   460   NtUserQueryWindow  (65730, 1, ... ) == 0xbc
 01874   460   NtUserQueryWindow  (65728, 0, ... ) == 0xe0
 01875   460   NtUserQueryWindow  (65728, 1, ... ) == 0xbc
 01876   460   NtUserQueryWindow  (65726, 0, ... ) == 0xe0
 01877   460   NtUserQueryWindow  (65726, 1, ... ) == 0xbc
 01878   460   NtUserQueryWindow  (65724, 0, ... ) == 0xe0
 01879   460   NtUserQueryWindow  (65724, 1, ... ) == 0xbc
 01880   460   NtUserQueryWindow  (65722, 0, ... ) == 0xe0
 01881   460   NtUserQueryWindow  (65722, 1, ... ) == 0xbc
 01882   460   NtUserQueryWindow  (65720, 0, ... ) == 0xe0
 01883   460   NtUserQueryWindow  (65720, 1, ... ) == 0xbc
 01884   460   NtUserQueryWindow  (65714, 0, ... ) == 0xe0
 01885   460   NtUserQueryWindow  (65714, 1, ... ) == 0xbc
 01886   460   NtUserQueryWindow  (65712, 0, ... ) == 0xe0
 01887   460   NtUserQueryWindow  (65712, 1, ... ) == 0xbc
 01888   460   NtUserQueryWindow  (131172, 0, ... ) == 0xe4
 01889   460   NtUserQueryWindow  (131172, 1, ... ) == 0xe8
 01890   460   NtUserQueryWindow  (65710, 0, ... ) == 0xd8
 01891   460   NtUserQueryWindow  (65710, 1, ... ) == 0xdc
 01892   460   NtUserQueryWindow  (131170, 0, ... ) == 0xd0
 01893   460   NtUserQueryWindow  (131170, 1, ... ) == 0xd4
 01894   460   NtUserQueryWindow  (65646, 0, ... ) == 0x7d4
 01895   460   NtUserQueryWindow  (65646, 1, ... ) == 0x94
 01896   460   NtUserQueryWindow  (327760, 0, ... ) == 0x7d4
 01897   460   NtUserQueryWindow  (327760, 1, ... ) == 0x7d8
 01898   460   NtUserQueryWindow  (262228, 0, ... ) == 0x7d4
 01899   460   NtUserQueryWindow  (262228, 1, ... ) == 0x7d8
 01900   460   NtUserQueryWindow  (327758, 0, ... ) == 0x7d4
 01901   460   NtUserQueryWindow  (327758, 1, ... ) == 0x7d8
 01902   460   NtUserQueryWindow  (65664, 0, ... ) == 0x7d4
 01903   460   NtUserQueryWindow  (65664, 1, ... ) == 0x7d8
 01904   460   NtUserQueryWindow  (65656, 0, ... ) == 0x7d4
 01905   460   NtUserQueryWindow  (65656, 1, ... ) == 0x7d8
 01906   460   NtUserBuildHwndList  (0, 65656, 1, 0, 64, ... (0x1007a, 0x1007c, 0x1, ), 3, ) == 0x0
 01907   460   NtUserQueryWindow  (65658, 0, ... ) == 0x7d4
 01908   460   NtUserQueryWindow  (65658, 1, ... ) == 0x7d8
 01909   460   NtUserQueryWindow  (65660, 0, ... ) == 0x7d4
 01910   460   NtUserQueryWindow  (65660, 1, ... ) == 0x7d8
 01911   460   NtUserCloseDesktop  (252, ...
 01912   460   NtClose  (252, ... ) == 0x0
 01911   460   NtUserCloseDesktop  ... ) == 0x1
 01913   460   NtUserGetProcessWindowStation  (... ) == 0x24
 01914   460   NtUserOpenDesktop  ({24, 36, 0x40, 0, 0,  ({24, 36, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01915   460   NtUserGetProcessWindowStation  (... ) == 0x24
 01916   460   NtUserOpenDesktop  ({24, 36, 0x40, 0, 0,  ({24, 36, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01917   460   NtGdiDeleteObjectApp  (84542423, ... ) == 0x1
 01918   460   NtGdiDeleteObjectApp  (50987995, ... ) == 0x1
 01919   460   NtClose  (248, ... ) == 0x0
 01920   460   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01921   460   NtClose  (76, ... ) == 0x0
 01922   460   NtClose  (68, ... ) == 0x0
 01923   460   NtClose  (64, ... ) == 0x0
 01924   460   NtClose  (72, ... ) == 0x0
 01925   460   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x0,}, 4, ... ) == 0x0
 01926   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc03b
 01927   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01928   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc03d
 01929   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01930   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc03f
 01931   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01932   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc041
 01933   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01934   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc043
 01935   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01936   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc045
 01937   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01938   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc047
 01939   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01940   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc049
 01941   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01942   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc04b
 01943   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01944   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc04d
 01945   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01946   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc04f
 01947   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01948   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc051
 01949   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01950   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc053
 01951   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01952   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc057
 01953   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01954   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc059
 01955   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01956   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc05b
 01957   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01958   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc05d
 01959   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01960   460   NtUserGetClassInfo  (1999896576, 1243472, 1243424, 1243500, 0, ... ) == 0xc05f
 01961   460   NtUserUnregisterClass  (1243476, 1999896576, 1243464, ... ) == 0x1
 01962   460   NtFreeVirtualMemory  (-1, (0x2920000), 4096, 32768, ... (0x2920000), 4096, ) == 0x0
 01963   460   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1311096, 0, 32, 0}  (24, {20, 48, new_msg, 0, 1311096, 0, 32, 0} "\0\0\0\0\3\0\1\0\10\0\0\0 @\0\0\0\0\0\0" ... {20, 48, reply, 0, 456, 460, 1618, 0} "\0\0\0\0\3\0\1\0\0\0\0\0 @\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 456, 460, 1618, 0}  (24, {20, 48, new_msg, 0, 1311096, 0, 32, 0} "\0\0\0\0\3\0\1\0\10\0\0\0 @\0\0\0\0\0\0" ... {20, 48, reply, 0, 456, 460, 1618, 0} "\0\0\0\0\3\0\1\0\0\0\0\0 @\0\0\0\0\0\0" )  ) == 0x0
 01964   460   NtTerminateProcess  (-1, 0, ...
 01965   460   NtClose  (40, ... ) == 0x0
 01966   460   NtFreeVirtualMemory  (-1, (0x27d0000), 0, 32768, ... (0x27d0000), 98304, ) == 0x0
NtAccessCheck(>)	1	NtEnumerateKey(>)	2	NtUserBuildHwndList(>)	4	NtUserFindExistingCursorIcon(>)	25
NtConnectPort(>)	1	NtGdiCreateDIBSection(>)	2	NtWriteVirtualMemory(>)	4	NtOpenSection(>)	27
NtCreateMutant(>)	1	NtGdiCreateSolidBrush(>)	2	NtCreateSemaphore(>)	5	NtQueryInformationThread(>)	27
NtCreateProcessEx(>)	1	NtGdiHfontCreate(>)	2	NtGdiGetStockObject(>)	5	NtCreateThread(>)	28
NtDuplicateObject(>)	1	NtGdiSelectBitmap(>)	2	NtUserGetProcessWindowStation(>)	5	NtOpenProcessTokenEx(>)	28
NtDuplicateToken(>)	1	NtOpenDirectoryObject(>)	2	NtUserRegisterWindowMessage(>)	5	NtOpenThreadTokenEx(>)	28
NtFsControlFile(>)	1	NtOpenEvent(>)	2	NtQueryVolumeInformationFile(>)	6	NtRegisterThreadTerminatePort(>)	28
NtGdiCreateBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtUserFindWindowEx(>)	6	NtResumeThread(>)	28
NtGdiCreatePatternBrushInternal(>)	1	NtOpenThreadToken(>)	2	NtSetInformationProcess(>)	7	NtTestAlert(>)	28
NtGdiDoPalette(>)	1	NtQueryInstallUILanguage(>)	2	NtUserCallNoParam(>)	7	NtUnmapViewOfSection(>)	28
NtGdiInit(>)	1	NtQuerySymbolicLinkObject(>)	2	NtUserSystemParametersInfo(>)	7	NtQueryAttributesFile(>)	31
NtGdiQueryFontAssocInfo(>)	1	NtReadVirtualMemory(>)	2	NtQuerySection(>)	9	NtQueryInformationToken(>)	34
NtNotifyChangeKey(>)	1	NtSetValueKey(>)	2	NtQueryDefaultUILanguage(>)	10	NtUserRegisterClassExWOW(>)	35
NtOpenKeyedEvent(>)	1	NtUserCloseDesktop(>)	2	NtQueryDirectoryFile(>)	10	NtContinue(>)	37
NtOpenProcess(>)	1	NtUserCreateWindowEx(>)	2	NtUserCallOneParam(>)	10	NtOpenFile(>)	39
NtQueryInformationJobObject(>)	1	NtUserGetObjectInformation(>)	2	NtUserGetWindowDC(>)	10	NtRequestWaitReplyPort(>)	39
NtQueryObject(>)	1	NtUserRemoveProp(>)	2	NtCreateFile(>)	13	NtSetInformationThread(>)	39
NtQueryTimerResolution(>)	1	NtGdiDeleteObjectApp(>)	3	NtQueryDefaultLocale(>)	14	NtMapViewOfSection(>)	49
NtRaiseException(>)	1	NtOpenMutant(>)	3	NtQueryInformationProcess(>)	14	NtUserGetClassInfo(>)	54
NtSecureConnectPort(>)	1	NtQueryVirtualMemory(>)	3	NtFlushInstructionCache(>)	16	NtProtectVirtualMemory(>)	73
NtUserBuildNameList(>)	1	NtReleaseMutant(>)	3	NtQueryInformationFile(>)	18	NtQueryValueKey(>)	81
NtUserGetForegroundWindow(>)	1	NtSetInformationFile(>)	3	NtUserUnregisterClass(>)	18	NtSetEvent(>)	86
NtUserGetGUIThreadInfo(>)	1	NtSetInformationObject(>)	3	NtWriteFile(>)	21	NtOpenKey(>)	103
NtUserGetMessage(>)	1	NtTerminateProcess(>)	3	NtCreateEvent(>)	22	NtUserQueryWindow(>)	113
NtUserGetThreadDesktop(>)	1	NtUserGetDC(>)	3	NtFreeVirtualMemory(>)	24	NtWaitForSingleObject(>)	121
NtUserGetThreadState(>)	1	NtUserOpenDesktop(>)	3	NtQuerySystemInformation(>)	24	NtDelayExecution(>)	125
NtUserShowWindow(>)	1	NtCreateKey(>)	4	NtCreateSection(>)	25	NtAllocateVirtualMemory(>)	145
NtAddAtom(>)	2	NtGdiCreateCompatibleDC(>)	4	NtQueryDebugFilterState(>)	25	NtClose(>)	173
NtCallbackReturn(>)	2	NtOpenProcessToken(>)	4	NtReadFile(>)	25