Summary (per-syscall call counts for the traced run; each entry is `Name(>) count`, listed in ascending order of count):

NtCallbackReturn(>) 1 NtGdiCreateBitmap(>) 2 NtUserSelectPalette(>) 4 NtDeviceIoControlFile(>) 17
NtConnectPort(>) 1 NtGdiCreateSolidBrush(>) 2 NtWriteVirtualMemory(>) 4 NtFlushInstructionCache(>) 19
NtCreateMutant(>) 1 NtGdiGetDCObject(>) 2 NtGdiDeleteObjectApp(>) 5 NtUnmapViewOfSection(>) 20
NtCreateProcessEx(>) 1 NtGdiGetDCforBitmap(>) 2 NtGdiGetStockObject(>) 5 NtSetInformationThread(>) 22
NtCreateThread(>) 1 NtGdiHfontCreate(>) 2 NtUserBuildHwndList(>) 5 NtQueryInformationProcess(>) 23
NtDuplicateToken(>) 1 NtGdiRestoreDC(>) 2 NtUserGetProcessWindowStation(>) 5 NtSetInformationFile(>) 24
NtEnumerateValueKey(>) 1 NtGdiSaveDC(>) 2 NtUserRegisterWindowMessage(>) 5 NtRaiseException(>) 25
NtGdiBitBlt(>) 1 NtGdiSetDIBitsToDeviceInternal(>) 2 NtCreateSemaphore(>) 6 NtContinue(>) 26
NtGdiCreateCompatibleBitmap(>) 1 NtOpenDirectoryObject(>) 2 NtEnumerateKey(>) 6 NtReleaseMutant(>) 28
NtGdiCreateDIBitmapInternal(>) 1 NtOpenProcess(>) 2 NtOpenProcessToken(>) 6 NtCreateFile(>) 30
NtGdiCreatePatternBrushInternal(>) 1 NtQueryInstallUILanguage(>) 2 NtQueryVolumeInformationFile(>) 7 NtCreateSection(>) 30
NtGdiExtGetObjectW(>) 1 NtQueryVirtualMemory(>) 2 NtUserCallNoParam(>) 7 NtOpenProcessTokenEx(>) 32
NtGdiInit(>) 1 NtTerminateProcess(>) 2 NtQueryDefaultUILanguage(>) 8 NtOpenThreadTokenEx(>) 32
NtGdiQueryFontAssocInfo(>) 1 NtUserCloseDesktop(>) 2 NtSetInformationProcess(>) 8 NtProtectVirtualMemory(>) 39
NtNotifyChangeKey(>) 1 NtUserCreateWindowEx(>) 2 NtQueryDebugFilterState(>) 9 NtQueryInformationToken(>) 39
NtOpenKeyedEvent(>) 1 NtUserDestroyWindow(>) 2 NtQueryInformationFile(>) 9 NtWaitForSingleObject(>) 41
NtQueryInformationJobObject(>) 1 NtUserGetObjectInformation(>) 2 NtReleaseSemaphore(>) 10 NtAllocateVirtualMemory(>) 43
NtQueryObject(>) 1 NtUserMessageCall(>) 2 NtUserGetWindowDC(>) 10 NtUserUnregisterClass(>) 46
NtQueryPerformanceCounter(>) 1 NtAddAtom(>) 3 NtRequestWaitReplyPort(>) 11 NtMapViewOfSection(>) 48
NtQuerySystemTime(>) 1 NtDuplicateObject(>) 3 NtSetValueKey(>) 11 NtUserFindExistingCursorIcon(>) 49
NtRegisterThreadTerminatePort(>) 1 NtOpenEvent(>) 3 NtUserSystemParametersInfo(>) 11 NtOpenFile(>) 51
NtResumeThread(>) 1 NtOpenMutant(>) 3 NtCreateEvent(>) 12 NtOpenSection(>) 51
NtSecureConnectPort(>) 1 NtReadVirtualMemory(>) 3 NtCreateKey(>) 12 NtUserRegisterClassExWOW(>) 64
NtTestAlert(>) 1 NtUserGetDC(>) 3 NtQueryKey(>) 12 NtQueryAttributesFile(>) 68
NtUserBuildNameList(>) 1 NtUserOpenDesktop(>) 3 NtGdiSelectBitmap(>) 13 NtQuerySystemInformation(>) 76
NtUserGetAtomName(>) 1 NtUserRemoveProp(>) 3 NtQueryDirectoryFile(>) 13 NtUserGetClassInfo(>) 82
NtUserGetGUIThreadInfo(>) 1 NtFreeVirtualMemory(>) 4 NtUserCallOneParam(>) 14 NtReadFile(>) 87
NtUserGetThreadDesktop(>) 1 NtGdiCreateCompatibleDC(>) 4 NtWriteFile(>) 14 NtQueryValueKey(>) 97
NtUserSetCursorIconData(>) 1 NtOpenSymbolicLinkObject(>) 4 NtOpenThreadToken(>) 15 NtUserQueryWindow(>) 132
NtUserSetProp(>) 1 NtQuerySecurityObject(>) 4 NtQuerySection(>) 15 NtOpenKey(>) 157
NtAccessCheck(>) 2 NtQuerySymbolicLinkObject(>) 4 NtFsControlFile(>) 16 NtClose(>) 262
NtCreateIoCompletion(>) 2 NtSetInformationObject(>) 4 NtQueryDefaultLocale(>) 16

Trace (each record is `sequence-number  744  NtSyscall (arguments ... outputs) == NTSTATUS`; the second column is constant at 744 and matches the thread-id argument passed to NtUserGetThreadDesktop in record 00159, so it is presumably the calling thread's id. Note that some records are split around a nested call, e.g. 00149 is interrupted by 00150 and then completed, so a record's `==` result may appear after a later sequence number):

00001 744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 744 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 744 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 744 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 744 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 744 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 744 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 744 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 744 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 744 NtClose (12, ... 
) == 0x0 00014 744 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 744 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 744 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 744 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 744 NtClose (16, ... ) == 0x0 00021 744 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 744 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 744 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) == 0x0 00025 744 NtClose (16, ... ) == 0x0 00026 744 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 744 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 744 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 744 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 744 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 732, 744, 1523, 0} "X\257\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ) ... {28, 56, reply, 0, 732, 744, 1523, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 732, 744, 1523, 0} "X\257\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ) ) == 0x0 00032 744 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 744 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 744 NtClose (16, ... ) == 0x0 00036 744 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 744 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 744 NtClose (28, ... ) == 0x0 00041 744 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 744 NtClose (28, ... ) == 0x0 00045 744 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 744 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 744 NtClose (28, ... ) == 0x0 00049 744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 744 NtClose (28, ... ) == 0x0 00052 744 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... 
{28, 56, reply, 0, 732, 744, 1524, 0} "\200\324\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ) ... {28, 56, reply, 0, 732, 744, 1524, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... {28, 56, reply, 0, 732, 744, 1524, 0} "\200\324\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ) ) == 0x0 00056 744 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00057 744 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00058 744 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00059 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 744 NtClose (28, ... ) == 0x0 00062 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 744 NtClose (28, ... ) == 0x0 00065 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 744 NtClose (28, ... ) == 0x0 00068 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 744 NtClose (28, ... ) == 0x0 00071 744 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00072 744 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00073 744 NtFlushInstructionCache (-1, 4222976, 640, ... 
) == 0x0 00074 744 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00075 744 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00076 744 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00077 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00078 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00079 744 NtClose (28, ... ) == 0x0 00080 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00081 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00082 744 NtClose (28, ... ) == 0x0 00083 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00085 744 NtClose (28, ... ) == 0x0 00086 744 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00087 744 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00088 744 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00089 744 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00090 744 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00091 744 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00092 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00094 744 NtClose (28, ... ) == 0x0 00095 744 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00096 744 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... 
(0x407000), 4096, 4, ) == 0x0 00097 744 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00098 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00099 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00100 744 NtClose (28, ... ) == 0x0 00101 744 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00102 744 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00103 744 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00104 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 28, ) }, ... 28, ) == 0x0 00105 744 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 00106 744 NtClose (28, ... ) == 0x0 00107 744 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00108 744 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00109 744 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00110 744 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00111 744 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00112 744 NtClose (28, ... ) == 0x0 00113 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00114 744 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00115 744 NtClose (28, ... ) == 0x0 00116 744 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00117 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00118 744 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00119 744 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00120 744 NtClose (28, ... ) == 0x0 00121 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00122 744 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00123 744 NtClose (28, ... ) == 0x0 00124 744 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00125 744 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00126 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 744 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00128 744 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\36\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\36\1$\1\0\0" ... {28, 56, reply, 0, 732, 744, 1533, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\36\1$\1\0\0" ) ... {28, 56, reply, 0, 732, 744, 1533, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\36\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\36\1$\1\0\0" ... {28, 56, reply, 0, 732, 744, 1533, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\36\1$\1\0\0" ) ) == 0x0 00129 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 744 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0 00131 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00132 744 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00133 744 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147481996, ) == 0x0 00134 744 NtQueryInformationToken (-2147481996, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00135 744 NtQueryInformationToken (-2147481996, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00136 744 NtClose (-2147481996, ... ) == 0x0 00137 744 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00138 744 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00139 744 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 
48, ) == 0x0 00140 744 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147481996, ) }, ... -2147481996, ) == 0x0 00141 744 NtQueryValueKey (-2147481996, (-2147481996, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 744 NtClose (-2147481996, ... ) == 0x0 00143 744 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147481996, ) }, ... -2147481996, ) == 0x0 00144 744 NtQueryValueKey (-2147481996, (-2147481996, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 744 NtClose (-2147481996, ... ) == 0x0 00146 744 NtQueryDefaultLocale (0, -136050164, ... ) == 0x0 00147 744 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00148 744 NtUserCallNoParam (24, ... ) == 0x0 00149 744 NtGdiCreateCompatibleDC (0, ... 00150 744 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00149 744 NtGdiCreateCompatibleDC ... ) == 0x1c010427 00151 744 NtGdiGetStockObject (0, ... ) == 0x1900010 00152 744 NtGdiGetStockObject (4, ... ) == 0x1900011 00153 744 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x2d050434 00154 744 NtGdiCreateSolidBrush (0, 0, ... 00155 744 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0 00154 744 NtGdiCreateSolidBrush ... ) == 0x18100438 00156 744 NtGdiGetStockObject (13, ... ) == 0x18a0021 00157 744 NtGdiCreateCompatibleDC (0, ... ) == 0x6010428 00158 744 NtGdiSelectBitmap (100729896, 755303476, ... ) == 0x185000f 00159 744 NtUserGetThreadDesktop (744, 0, ... ) == 0x2c 00160 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 
52, ) == 0x0 00161 744 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00162 744 NtClose (52, ... ) == 0x0 00163 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00164 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00165 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00166 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00167 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00168 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00169 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00170 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00171 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00172 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00173 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00174 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00175 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00176 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00177 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00178 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026 00179 744 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00180 744 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... 
) == 0x810dc019 00181 744 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00182 744 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00183 744 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00184 744 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00185 744 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00186 744 NtCallbackReturn (0, 0, 0, ... 00187 744 NtGdiInit (... ) == 0x1 00188 744 NtGdiGetStockObject (18, ... ) == 0x290001c 00189 744 NtGdiGetStockObject (19, ... ) == 0x1b00019 00190 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00191 744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00192 744 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00193 744 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0 00194 744 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00195 744 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00196 744 NtClose (52, ... ) == 0x0 00197 744 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00198 744 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00199 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 
52, ) == 0x0 00200 744 NtQueryValueKey (52, (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00201 744 NtClose (52, ... ) == 0x0 00202 744 NtQueryDefaultUILanguage (1241756, ... 00203 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00204 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481996, ) == 0x0 00205 744 NtQueryInformationToken (-2147481996, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00206 744 NtClose (-2147481996, ... ) == 0x0 00207 744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481996, ) }, ... -2147481996, ) == 0x0 00208 744 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00209 744 NtOpenKey (0x80000000, {24, -2147481996, 0x640, 0, 0, (0x80000000, {24, -2147481996, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481980, ) }, ... -2147481980, ) == 0x0 00210 744 NtQueryValueKey (-2147481980, (-2147481980, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 744 NtClose (-2147481980, ... ) == 0x0 00212 744 NtClose (-2147481996, ... ) == 0x0 00202 744 NtQueryDefaultUILanguage ... ) == 0x0 00213 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00214 744 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00215 744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 
52, {status=0x0, info=1}, ) == 0x0 00216 744 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0 00217 744 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 8323072, ) == 0x0 00218 744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00219 744 NtQueryDefaultUILanguage (2013024600, ... 00220 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00221 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481996, ) == 0x0 00222 744 NtQueryInformationToken (-2147481996, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00223 744 NtClose (-2147481996, ... ) == 0x0 00224 744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481996, ) }, ... -2147481996, ) == 0x0 00225 744 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00226 744 NtOpenKey (0x80000000, {24, -2147481996, 0x640, 0, 0, (0x80000000, {24, -2147481996, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481980, ) }, ... -2147481980, ) == 0x0 00227 744 NtQueryValueKey (-2147481980, (-2147481980, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00228 744 NtClose (-2147481980, ... ) == 0x0 00229 744 NtClose (-2147481996, ... ) == 0x0 00219 744 NtQueryDefaultUILanguage ... ) == 0x0 00230 744 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00231 744 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00232 744 NtQueryDefaultLocale (1, 1239792, ... 
) == 0x0 00233 744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00234 744 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\36\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 732, 744, 1534, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 732, 744, 1534, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\36\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 732, 744, 1534, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ) == 0x0 00235 744 NtClose (52, ... ) == 0x0 00236 744 NtClose (56, ... ) == 0x0 00237 744 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00238 744 NtUnmapViewOfSection (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW 00239 744 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00240 744 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00241 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00242 744 NtQueryValueKey (56, (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00243 744 NtClose (56, ... ) == 0x0 00244 744 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00245 744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00246 744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00247 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00249 744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00250 744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00251 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00252 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0 00253 744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00254 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 
52, {status=0x0, info=1}, ) == 0x0 00255 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00256 744 NtClose (52, ... ) == 0x0 00257 744 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 921600, ) == 0x0 00258 744 NtClose (60, ... ) == 0x0 00259 744 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00260 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00261 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00262 744 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00263 744 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00264 744 NtQueryInformationToken (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00265 744 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00266 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0 00267 744 NtQueryValueKey (68, (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00268 744 NtClose (68, ... ) == 0x0 00269 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00270 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 68, ) == 0x0 00271 744 NtQueryInformationToken (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00272 744 NtClose (68, ... 
) == 0x0 00273 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00274 744 NtClose (64, ... ) == 0x0 00275 744 NtClose (60, ... ) == 0x0 00276 744 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00277 744 NtClose (52, ... ) == 0x0 00278 744 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00279 744 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00280 744 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00281 744 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00282 744 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00283 744 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00284 744 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00285 744 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00286 744 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00287 744 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00288 744 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00289 744 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00290 744 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00291 744 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00292 744 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00293 744 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00294 744 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00295 744 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00296 744 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00297 744 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00298 744 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00299 744 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0 00300 744 NtQueryDefaultUILanguage (1239368, ... 00301 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00302 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481996, ) == 0x0 00303 744 NtQueryInformationToken (-2147481996, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00304 744 NtClose (-2147481996, ... ) == 0x0 00305 744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481996, ) }, ... -2147481996, ) == 0x0 00306 744 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00307 744 NtOpenKey (0x80000000, {24, -2147481996, 0x640, 0, 0, (0x80000000, {24, -2147481996, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481980, ) }, ... -2147481980, ) == 0x0 00308 744 NtQueryValueKey (-2147481980, (-2147481980, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 744 NtClose (-2147481980, ... ) == 0x0 00310 744 NtClose (-2147481996, ... ) == 0x0 00300 744 NtQueryDefaultUILanguage ... ) == 0x0 00311 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00312 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0 00313 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00314 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00315 744 NtClose (52, ... ) == 0x0 00316 744 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 4096, ) == 0x0 00317 744 NtClose (60, ... ) == 0x0 00318 744 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00319 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0 00320 744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238560, (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00321 744 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0 00322 744 NtClose (60, ... ) == 0x0 00323 744 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x880000), {0, 0}, 4096, ) == 0x0 00324 744 NtClose (52, ... ) == 0x0 00325 744 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00326 744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00327 744 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0 00328 744 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 4096, ) == 0x0 00329 744 NtQueryInformationFile (52, 1238180, 56, NetworkOpen, ... 
{status=0x0, info=56}, ) == 0x0 00330 744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00331 744 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\36\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 732, 744, 1535, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 732, 744, 1535, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\36\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 732, 744, 1535, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ) == 0x0 00332 744 NtClose (52, ... ) == 0x0 00333 744 NtClose (60, ... ) == 0x0 00334 744 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00335 744 NtUnmapViewOfSection (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW 00336 744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00337 744 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... 
) == 0xc03a 00338 744 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00339 744 NtUserGetDC (0, ... ) == 0x1010051 00340 744 NtUserCallOneParam (16842833, 56, ... ) == 0x1 00341 744 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00342 744 NtUserSystemParametersInfo (66, 12, 1240672, 0, ... ) == 0x1 00343 744 NtOpenProcessToken (-1, 0x8, ... 60, ) == 0x0 00344 744 NtAccessCheck (1329160, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00345 744 NtClose (60, ... ) == 0x0 00346 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00347 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00348 744 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00349 744 NtClose (60, ... ) == 0x0 00350 744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00351 744 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00352 744 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00353 744 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00354 744 NtClose (52, ... ) == 0x0 00355 744 NtUserSystemParametersInfo (41, 500, 1240172, 0, ... ) == 0x1 00356 744 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0 00357 744 NtQueryValueKey (52, (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00358 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 
64, ) == 0x0 00359 744 NtQueryValueKey (64, (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00360 744 NtClose (64, ... ) == 0x0 00361 744 NtClose (52, ... ) == 0x0 00362 744 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00363 744 NtUserSystemParametersInfo (4130, 0, 1240696, 0, ... ) == 0x1 00364 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0 00365 744 NtEnumerateValueKey (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00366 744 NtClose (52, ... ) == 0x0 00367 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00368 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b 00369 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d 00370 744 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00371 744 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f 00372 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00373 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 00374 744 NtAllocateVirtualMemory (-1, 5677056, 0, 4096, 4096, 32, ... 5677056, 4096, ) == 0x0 00373 744 NtUserRegisterClassExWOW ... ) == 0x810dc041 00375 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00376 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043 00377 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045 00378 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00379 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047 00380 744 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... 
) == 0x10011 00381 744 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049 00382 744 NtUserGetClassInfo (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049 00383 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00384 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b 00385 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00386 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d 00387 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00388 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f 00389 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051 00390 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00391 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053 00392 744 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00393 744 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055 00394 744 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057 00395 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00396 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059 00397 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10013 00398 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b 00399 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00400 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d 00401 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... 
) == 0x10011 00402 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f 00403 744 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00404 744 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017 00405 744 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00406 744 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019 00407 744 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10013 00408 744 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018 00409 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00410 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a 00411 744 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00412 744 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c 00413 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00414 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e 00415 744 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00416 744 NtUserRegisterClassExWOW (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b 00417 744 NtUserFindExistingCursorIcon (1239972, 1239988, 1240556, ... ) == 0x10011 00418 744 NtUserRegisterClassExWOW (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068 00419 744 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00420 744 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a 00421 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00422 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... 
) == 0x10011 00423 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03b 00424 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00425 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03d 00426 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00427 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00428 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03f 00429 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00430 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00431 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc041 00432 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00433 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00434 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... 00435 744 NtAllocateVirtualMemory (-1, 5681152, 0, 4096, 4096, 32, ... 5681152, 4096, ) == 0x0 00434 744 NtUserRegisterClassExWOW ... ) == 0x810dc043 00436 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00437 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc045 00438 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00439 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00440 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc047 00441 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00442 744 NtUserFindExistingCursorIcon (1242872, 1242888, 1243456, ... ) == 0x10011 00443 744 NtUserRegisterClassExWOW (1243324, 1243404, 1243388, 1243420, 0, 384, 0, ... ) == 0x810dc049 00444 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... 
) == 0x0 00445 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00446 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04b 00447 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00448 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00449 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04d 00450 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00451 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00452 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04f 00453 744 NtUserGetClassInfo (0, 1243496, 1243448, 1243524, 0, ... ) == 0x0 00454 744 NtUserRegisterClassExWOW (1243332, 1243412, 1243396, 1243428, 0, 384, 0, ... ) == 0x810dc051 00455 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00456 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00457 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc053 00458 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00459 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00460 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc055 00461 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc057 00462 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00463 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00464 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc059 00465 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00466 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... 
) == 0x10013 00467 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05b 00468 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00469 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00470 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05d 00471 744 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00472 744 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00473 744 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05f 00474 744 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {732, 0}, ... 52, ) == 0x0 00475 744 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00476 744 NtClose (52, ... ) == 0x0 00477 744 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00478 744 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00479 744 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00480 744 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00481 744 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 744 NtClose (52, ... ) == 0x0 00483 744 NtUserSystemParametersInfo (41, 500, 1243132, 0, ... ) == 0x1 00484 744 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00485 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03b 00486 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03d 00487 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03f 00488 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc041 00489 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... 
) == 0xc043 00490 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc045 00491 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc047 00492 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc049 00493 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04b 00494 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04d 00495 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04f 00496 744 NtUserGetClassInfo (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0xc051 00497 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc053 00498 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc055 00499 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc059 00500 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05b 00501 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05d 00502 744 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05f 00503 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00504 744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00505 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00506 744 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00507 744 NtClose (52, ... ) == 0x0 00508 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00509 744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00510 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00511 744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00512 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00513 744 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00514 744 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 744 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00516 744 NtClose (52, ... ) == 0x0 00517 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00518 744 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00519 744 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00520 744 NtClose (52, ... ) == 0x0 00521 744 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00522 744 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00523 744 NtTestAlert (... ) == 0x0 00524 744 NtContinue (1244464, 1, ... 00525 744 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x403166,}, 4, ... ) == 0x0 00526 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242296, ... ) }, 1242296, ... ) == 0x0 00527 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00528 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 64, ... 68, ) == 0x0 00529 744 NtClose (64, ... ) == 0x0 00530 744 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 262144, ) == 0x0 00531 744 NtClose (68, ... ) == 0x0 00532 744 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 00533 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00534 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00535 744 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 
1331200, 4096, ) == 0x0 00536 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00537 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 68, {status=0x0, info=0}, ) }, 7, 16, ... 68, {status=0x0, info=0}, ) == 0x0 00538 744 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247]\353\346b\211\31\365L\365\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00539 744 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00540 744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00541 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00542 744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00543 744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00544 744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00545 744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
) == STATUS_INFO_LENGTH_MISMATCH 00546 744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481996, 2, ) }, 0, 0x0, 0, ... -2147481996, 2, ) == 0x0 00547 744 NtSetValueKey (-2147481996, (-2147481996, "Seed", 0, 3, "\21^\251k\31.\262\310DRW5\4-7\216\223\320C\1\377\362/\205\16h\3\355\275\270*\363i#\205\3626\306D\36Kb2\356\241\374\362\337a\213<\243\10\332\0\310h\302\307\373\275\350y\372\225\236\277,\376\312\377\215\26=5\215\345-\269", 80, ... ) , 0, 3, (-2147481996, "Seed", 0, 3, "\21^\251k\31.\262\310DRW5\4-7\216\223\320C\1\377\362/\205\16h\3\355\275\270*\363i#\205\3626\306D\36Kb2\356\241\374\362\337a\213<\243\10\332\0\310h\302\307\373\275\350y\372\225\236\277,\376\312\377\215\26=5\215\345-\269", 80, ... ) , 80, ... ) == 0x0 00548 744 NtClose (-2147481996, ... ) == 0x0 00538 744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "2\242@\242\24\260\363\211\220\254\357\276\6;\217M\300i\256\200L\31\205\307C\320\247\6g\20\236\343\36R\k\34\205\256y\202\366_\227\377h\255w\276\316\24\233l+>\267\301\213'\203"\26\37m\236\15\325^\266\267\322\224\330\\27\15\275\303g\12\326\13(KR_\307\237?\\367f\224\244\3\1\340\235\321\377o\24\317\351\1v\202\213\4?\327Y\360\202\33\375K\371_\314T,\24g~\302\217%<\270\264\200Z9\16j\375d\270\372\345#\363\302\3153#(\10_\20f\23\335\2226@\354\16\1{\267\306Sj\370l\233p\317\203\271\314\250^,\361=\322\313\60T\321\17\275\250\277\305\22c\265\14c\363\204.L\257\203\250\352\357d\361a\252\304\216\374`]U\326\271\4\315PH\250\302p\326\266z\367\333\221\307\217\377\215\214\247\316\373,4\32XG\351\177\224\221d\211\377{\217)\335!C\366", ) 
\26\37m\236\15\325^\266\267\322\224\330\\27\15\275\303g\12\326\13(KR_\307\237?\\367f\224\244\3\1\340\235\321\377o\24\317\351\1v\202\213\4?\327Y\360\202\33\375K\371_\314T,\24g~\302\217%<\270\264\200Z9\16j\375d\270\372\345#\363\302\3153#(\10_\20f\23\335\2226@\354\16\1{\267\306Sj\370l\233p\317\203\271\314\250^,\361=\322\313\60T\321\17\275\250\277\305\22c\265\14c\363\204.L\257\203\250\352\357d\361a\252\304\216\374`]U\326\271\4\315PH\250\302p\326\266z\367\333\221\307\217\377\215\214\247\316\373,4\32XG\351\177\224\221d\211\377{\217)\335!C\366", ) == 0x0 00549 744 NtAllocateVirtualMemory (-1, 1335296, 0, 16384, 4096, 4, ... 1335296, 16384, ) == 0x0 00550 744 NtUserRegisterClassExWOW (1244380, 1244460, 1244444, 1244476, 0, 384, 0, ... ) == 0x810dc038 00551 744 NtUserGetAtomName (49208, 1243144, ... ) == 0x15 00552 744 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 00553 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240668, ... ) }, 1240668, ... ) == 0x0 00554 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00555 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 64, ... 72, ) == 0x0 00556 744 NtClose (64, ... ) == 0x0 00557 744 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 204800, ) == 0x0 00558 744 NtClose (72, ... ) == 0x0 00559 744 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 00560 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240984, ... ) }, 1240984, ... 
) == 0x0 00561 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00562 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 72, ... 64, ) == 0x0 00563 744 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00564 744 NtClose (72, ... ) == 0x0 00565 744 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00566 744 NtClose (64, ... ) == 0x0 00567 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00568 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00569 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00570 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00571 744 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00572 744 NtClose (64, ... ) == 0x0 00573 744 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00574 744 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 72, ) }, ... 72, ) == 0x0 00575 744 NtQueryValueKey (72, (72, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00576 744 NtClose (72, ... ) == 0x0 00577 744 NtClose (64, ... ) == 0x0 00578 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00579 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00580 744 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00581 744 NtClose (64, ... ) == 0x0 00582 744 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 
64, ) == 0x0 00583 744 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0 00584 744 NtQueryValueKey (72, (72, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 744 NtClose (72, ... ) == 0x0 00586 744 NtClose (64, ... ) == 0x0 00587 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00588 744 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00589 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == 0x0 00590 744 NtUserGetProcessWindowStation (... ) == 0x28 00591 744 NtUserGetObjectInformation (40, 2, 0, 0, 1242780, ... ) == 0x0 00592 744 NtUserGetObjectInformation (40, 2, 1350040, 16, 1242780, ... ) == 0x1 00593 744 NtUserGetGUIThreadInfo (744, 1242736, ... ) == 0x1 00594 744 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1242556, 64, ... 64, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242556, 64, ... 64, 0x0, 0x0, 0x0, 64, ) == 0x0 00595 744 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 732, 744, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 732, 744, 1539, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{32, 56, reply, 0, 732, 744, 1539, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00596 744 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 732, 744, 1540, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 732, 744, 1540, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 732, 744, 1540, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00597 744 NtUserCallNoParam (29, ... 00598 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240028, ... ) }, 1240028, ... ) == 0x0 00597 744 NtUserCallNoParam ... ) == 0x0 00599 744 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 00600 744 NtGdiHfontCreate (1242108, 356, 0, 0, 1329232, ... ) == 0x2a0a0426 00601 744 NtGdiHfontCreate (1242108, 356, 0, 0, 1329224, ... ) == 0x50a0424 00602 744 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 732, 744, 1541, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 732, 744, 1541, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 732, 744, 1541, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00603 744 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8a0000), {0, 0}, 331776, ) == 0x0 00604 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00605 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00606 744 NtUserGetWindowDC (0, ... 
) == 0x1010050 00607 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00608 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00609 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00610 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00611 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00612 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00613 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00614 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00615 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00616 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00617 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00618 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00619 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00620 744 NtUserGetWindowDC (0, ... ) == 0x1010050 00621 744 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x4100421 00622 744 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00623 744 NtUserCallNoParam (29, ... 00624 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239472, ... ) }, 1239472, ... ) == 0x0 00623 744 NtUserCallNoParam ... ) == 0x0 00625 744 NtUserCallNoParam (29, ... 00626 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00625 744 NtUserCallNoParam ... ) == 0x0 00627 744 NtUserMessageCall (0x100cc, WM_NCCREATE, 0x0, 0x12f7b4, 0, 670, 0, ... ) == 0x1 00628 744 NtUserMessageCall (0x100cc, WM_NCCALCSIZE, 0x0, 0x12f7dc, 0, 670, 0, ... ) == 0x0 00629 744 NtUserSetProp (65740, 43288, -1, ... ) == 0x1 00552 744 NtUserCreateWindowEx ... 
) == 0x100cc 00630 744 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247>+\355\341'38\11q\355\0`\2671X\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00631 744 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00632 744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00633 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00634 744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00635 744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00636 744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00637 744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00638 744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481996, 2, ) }, 0, 0x0, 0, ... -2147481996, 2, ) == 0x0 00639 744 NtSetValueKey (-2147481996, (-2147481996, "Seed", 0, 3, "\216B1\343(\33g\4\34\14\321\37V\321\240\242Qm\217\215Ml\16\361q7\344\357G\360\266\36\271pB\350\264\7\217\276\31\265okL7\366\305\36h^\364r\35g&\321\333a=\350\256\322\247O \202p\236\243\7\330\5\36\201\230\243\202$", 80, ... 
) , 0, 3, (-2147481996, "Seed", 0, 3, "\216B1\343(\33g\4\34\14\321\37V\321\240\242Qm\217\215Ml\16\361q7\344\357G\360\266\36\271pB\350\264\7\217\276\31\265okL7\366\305\36h^\364r\35g&\321\333a=\350\256\322\247O \202p\236\243\7\330\5\36\201\230\243\202$", 80, ... ) , 80, ... ) == 0x0 00640 744 NtClose (-2147481996, ... ) == 0x0 00630 744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\377\356\231\232;\227=\264wh\264\343\370v\10\266\220\205\257\321\270M\364\255\252s\353\2179]\26\350\230\234\21\203.!\214\263\367u\211\276\230\31Q\200\315\252\22;m\361^t%\14\207v\336w2\11\230{\1\375\331\33\10"9\316\14`0J\362-M\317P\207Q\23\360\370\346%O\35=I\257\365\\250\251,Pt\355\371\6-"*\234\374\21\2\320\222A\220c\301$C\323\257\221\276\235$\213br&\30\272\4`!2\221\230\353\37{C\275\242d&\217\335V\321:\231\226\13o\12\361\276p\262\16\346\0@0_\23\32.}\342;\333\10\242\150\277\357\36\7\226\314\313\30\331F\37\264\6", ) 9\316\14`0J\362-M\317P\207Q\23\360\370\346%O\35=I\257\365\\250\251,Pt\355\371\6- ... 
{status=0x0, info=256}, "\377\356\231\232;\227=\264wh\264\343\370v\10\266\220\205\257\321\270M\364\255\252s\353\2179]\26\350\230\234\21\203.!\214\263\367u\211\276\230\31Q\200\315\252\22;m\361^t%\14\207v\336w2\11\230{\1\375\331\33\10"9\316\14`0J\362-M\317P\207Q\23\360\370\346%O\35=I\257\365\\250\251,Pt\355\371\6-"*\234\374\21\2\320\222A\220c\301$C\323\257\221\276\235$\213br&\30\272\4`!2\221\230\353\37{C\275\242d&\217\335V\321:\231\226\13o\12\361\276p\262\16\346\0@0_\23\32.}\342;\333\10\242\150\277\357\36\7\226\314\313\30\331F\37\264\6", ) \357\36\7\226\314\313\30\331F\37\264\6", ) == 0x0 00641 744 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247>+\355\341'38j\261\346\203\316\235\374\35\16\355\0`\2671X\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00642 744 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00643 744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00644 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00645 744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00646 744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00647 744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00648 744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
) == STATUS_INFO_LENGTH_MISMATCH 00649 744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481996, 2, ) }, 0, 0x0, 0, ... -2147481996, 2, ) == 0x0 00650 744 NtSetValueKey (-2147481996, (-2147481996, "Seed", 0, 3, "\23\177\217)W\340\243\5\204$<\365\376\353\227\234\34 H\357\15\337\263Q\30\373\252\260\204\25EO\13\206\16@\223\31'\23\30W$5\234\304TYx\360\311\362AW.>\351|\177rL\221\310b|\334\253/\300\217 fm\177\231\206a*\247\244", 80, ... ) , 0, 3, (-2147481996, "Seed", 0, 3, "\23\177\217)W\340\243\5\204$<\365\376\353\227\234\34 H\357\15\337\263Q\30\373\252\260\204\25EO\13\206\16@\223\31'\23\30W$5\234\304TYx\360\311\362AW.>\351|\177rL\221\310b|\334\253/\300\217 fm\177\231\206a*\247\244", 80, ... ) , 80, ... ) == 0x0 00651 744 NtClose (-2147481996, ... ) == 0x0 00641 744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\16\354\36\355\216h4\372\305\5\253\321%N\224\14\16\267\37\341{\262\236\337\312\370P\3141\2305\240\214w'\32\333\241J\251k\257\223\260I\261_\33\313\236\312-,&\363\340k\266\306%\266t[rg\312q\22\204\342\207\271X\202f\304\23\371\17l-\311\235\25\273\336\3736\335L}\350\221sZ\10\333\17I<\30|3\231if;}>\270\207\31]\236\246"j6\275\236\210\211\252\212F\367\5\233\177\351\325z\361 \2218v\3244y\275-\325\307\206\351\365\377\323\0pwK\260BB+\1D\334\17\3469\327"\240\7\275{\26y\341f\26\272\17\316\230BV\377\304\230\341\3}\324u\337", ) j6\275\236\210\211\252\212F\367\5\233\177\351\325z\361 \2218v\3244y\275-\325\307\206\351\365\377\323\0pwK\260BB+\1D\334\17\3469\3270\3604\13w\13O,\37\350j\223\34\35\32p\337-\241\327z\231u\353\24\232b\321m\332p\?$\316as\20N.\317\2117\265v,\177\226`B+@\227\301]\205\234X!\225\31r._ ... 
{status=0x0, info=256}, "\16\354\36\355\216h4\372\305\5\253\321%N\224\14\16\267\37\341{\262\236\337\312\370P\3141\2305\240\214w'\32\333\241J\251k\257\223\260I\261_\33\313\236\312-,&\363\340k\266\306%\266t[rg\312q\22\204\342\207\271X\202f\304\23\371\17l-\311\235\25\273\336\3736\335L}\350\221sZ\10\333\17I<\30|3\231if;}>\270\207\31]\236\246"j6\275\236\210\211\252\212F\367\5\233\177\351\325z\361 \2218v\3244y\275-\325\307\206\351\365\377\323\0pwK\260BB+\1D\334\17\3469\327"\240\7\275{\26y\341f\26\272\17\316\230BV\377\304\230\341\3}\324u\337", ) , ) == 0x0 00652 744 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247>+\355\341'38j\261\346\203\316\235\374~\316\346\203\316\235\374\35\16\355\0`\2671X\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00653 744 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00654 744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00655 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00656 744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00657 744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00658 744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00659 744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
) == STATUS_INFO_LENGTH_MISMATCH 00660 744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481996, 2, ) }, 0, 0x0, 0, ... -2147481996, 2, ) == 0x0 00661 744 NtSetValueKey (-2147481996, (-2147481996, "Seed", 0, 3, ")\2707Jy\213\262\362\302]\11\342\5\353\234H\312\32\246\364\201A\354f\270\376\264\266C\367\242#\201\266\275\211d\314Up)\23\347\202\324*\210\371#1{w\355\35y\373\3609\205*+\232n\257=\347V\1N#U\36\311\245\201S\334\272\12\10", 80, ... ) , 0, 3, (-2147481996, "Seed", 0, 3, ")\2707Jy\213\262\362\302]\11\342\5\353\234H\312\32\246\364\201A\354f\270\376\264\266C\367\242#\201\266\275\211d\314Up)\23\347\202\324*\210\371#1{w\355\35y\373\3609\205*+\232n\257=\347V\1N#U\36\311\245\201S\334\272\12\10", 80, ... ) , 80, ... ) == 0x0 00662 744 NtClose (-2147481996, ... ) == 0x0 00652 744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\277\276\2637}\302\316\378\250\215\26\11\30|\323y\376h4\3716\27\360\275`\207I"\205\36rbYO_(\235=\325/\273\350\233\202~\367\365\231e1\301\323\17\373\330\6\10\221\316\344\325\247f\\271FR<\34F\341m\240\237\302O\217\341\370\214\4\321!\237Za+\253\2144\302g\220H\327x\200\256C,\326d\262\356Y\352\377\7{\247\351F\35\33^\227p\320J}\320\5\210\325\343/\240\233Z\221X\277\342\200u-\205\350\273Wjm\364\356\337\211\36D\363\304At\317\202/k\17']\374\341f\232\37543\32\25.205\36rbYO_(\235=\325/\273\350\233\202~\367\365\231e1\301\323\17\373\330\6\10\221\316\344\325\247f\\271FR<\34F\341m\240\237\302O\217\341\370\214\4\321!\237Za+\253\2144\302g\220H\327x\200\256C,\326d\262\356Y\352\377\7{\247\351F\35\33^\227p\320J}\320\5\210\325\343/\240\233Z\221X\277\342\200u-\205\350\273Wjm\364\356\337\211\36D\363\304At\317\202/k\17']\374\341f\232\37543\32\25.227\313\305/\227\224h\34\3T\310\262'X\204\302\375\212[\366\311\177\31\20E\267\6\3365\365c\365+\22n\227?K!V\350\252\272\30\306\352\251\230z\347\17k\260\235%*3\212\343\222#[\232\347\220\321'\272J\4\235.\13
\27/X\3007\23\5\204TV", ) == 0x0 00663 744 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247>+\355\341'38j\261\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374\35\16\355\0`\2671X\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00664 744 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00665 744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00666 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00667 744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00668 744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00669 744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00670 744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00671 744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481996, 2, ) }, 0, 0x0, 0, ... -2147481996, 2, ) == 0x0 00672 744 NtSetValueKey (-2147481996, (-2147481996, "Seed", 0, 3, "\327kf\274t\0K\14>\254P\304\322\246\237\302\347\240\337Y[\364[\217\256\306\304\325\343\26\243\205\267\303\206Z\246N\266\247\4\264T\M4\231Y\4\356\353k\214K\225R\}\274H\31#/\7\225\216lx:\24\272\367\210\337|e\350\350s\21", 80, ... 
) , 0, 3, (-2147481996, "Seed", 0, 3, "\327kf\274t\0K\14>\254P\304\322\246\237\302\347\240\337Y[\364[\217\256\306\304\325\343\26\243\205\267\303\206Z\246N\266\247\4\264T\M4\231Y\4\356\353k\214K\225R\}\274H\31#/\7\225\216lx:\24\272\367\210\337|e\350\350s\21", 80, ... ) , 80, ... ) == 0x0 00673 744 NtClose (-2147481996, ... ) == 0x0 00663 744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\323(\345\263b\324\322K\304\335\363\302m\6\217\265\210\353?\242\31?=\231\364\332\37\341\363S\315d\360\316\231\237\243B);\17\235\265\3664\377\300\2211\331\275\222\243\363\271L\311X\371\345\24\213\312\252}\243\313\207\236\11\231\210&\2624\253\262j \254\236\234k\304\33\271\270\251\25\247S\267\352\360\222pg\3041\251M\232\271\335R\300\304\275\320\307\315\13`dj\3\25\223\2618i\271\264]K\347\203,\260\251\4\325bhj\3\213m,`6\34Hii\10Bz\342\272S\260\344\201\353\2775A#\313\302\317\352_\376\305\212*\214\37\13\312Y\254\206\11K\221\225\217c\262\336,\177\3217\201\204\371\237\232\2631~Gb\250\300\231\265\272\36\226\365\305\315"\205\322\200\30\343\355\213\254\21B\360Eg\2dw\3201\337\261\347F\310\361\212\272\210\15\25o\232\14Hhgw\370\375\365+j}\214J0\264\232", ) \205\322\200\30\343\355\213\254\21B\360Eg\2dw\3201\337\261\347F\310\361\212\272\210\15\25o\232\14Hhgw\370\375\365+j}\214J0\264\232", ) == 0x0 00674 744 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247>+\355\341'38j\261\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374\35\16\355\0`\2671X\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... 
, 256, 256, ... 00675 744 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00676 744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00677 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00678 744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00679 744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00680 744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00681 744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00682 744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481996, 2, ) }, 0, 0x0, 0, ... -2147481996, 2, ) == 0x0 00683 744 NtSetValueKey (-2147481996, (-2147481996, "Seed", 0, 3, "\27\237\307Nf\1\245\213|$\375+\230\274\17R\4U\364X\354X\0`\310\315\2511\374z;l]\347+\211~s\30r\7"@I\301o\204\231`6P7\300\310\252\217-\306\374\274\364iS\236\346\324\267\266o\2225\236a\321v\245M\360n", 80, ... ) , 0, 3, (-2147481996, "Seed", 0, 3, "\27\237\307Nf\1\245\213|$\375+\230\274\17R\4U\364X\354X\0`\310\315\2511\374z;l]\347+\211~s\30r\7"@I\301o\204\231`6P7\300\310\252\217-\306\374\274\364iS\236\346\324\267\266o\2225\236a\321v\245M\360n", 80, ... ) @I\301o\204\231`6P7\300\310\252\217-\306\374\274\364iS\236\346\324\267\266o\2225\236a\321v\245M\360n", 80, ... ) == 0x0 00684 744 NtClose (-2147481996, ... ) == 0x0 00674 744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\302\34\252\320\223\330\303\244'\354!kl\235f\353Y\223tR\324\206\6\5\375\23I\323\2\311I\215Q\336\314\2405\233\7\231_\230\2552\310\316\320\377Cc;C\346V\252\352;\214\305_?"\25\241A0\215\220\2168ZHY\374\11\336\372\12F\377$\313\323\17\262\340E\3753\330\322\23$-x\361\250\372+\215]m\304\314\201\262\330\23\277\34\236N\355\332\12\245b\177\373\364\217\202E\243O\331I\232S\267\25\301\37\371\326\344\346\371\223=f\247~\237\232\212\375Dv\244\303\235\16y\230\373\227^\217\217\3458\357\307\233\335{\3217\260\237\243\3\353\247\247\4\225\320\220\243\204\316C\246{\270C\202\267\214\311\324v!\311\3\2277*\365\232\362\342|\351\313?\271\236\361b\257\371}\266q@6V\201@^8$\242\373\270\257\231\206b\331\33\244\325\372\260\356\206\204=\211\203~\254\30\203\254n\254\241X\314\313\2", ) \25\241A0\215\220\2168ZHY\374\11\336\372\12F\377$\313\323\17\262\340E\3753\330\322\23$-x\361\250\372+\215]m\304\314\201\262\330\23\277\34\236N\355\332\12\245b\177\373\364\217\202E\243O\331I\232S\267\25\301\37\371\326\344\346\371\223=f\247~\237\232\212\375Dv\244\303\235\16y\230\373\227^\217\217\3458\357\307\233\335{\3217\260\237\243\3\353\247\247\4\225\320\220\243\204\316C\246{\270C\202\267\214\311\324v!\311\3\2277*\365\232\362\342|\351\313?\271\236\361b\257\371}\266q@6V\201@^8$\242\373\270\257\231\206b\331\33\244\325\372\260\356\206\204=\211\203~\254\30\203\254n\254\241X\314\313\2", ) == 0x0 00685 744 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, 
"\220g\333\372v\252\247>+\355\341'38j\261\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374\35\16\355\0`\2671X\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00686 744 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00687 744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00688 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00689 744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00690 744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00691 744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00692 744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00693 744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481996, 2, ) }, 0, 0x0, 0, ... -2147481996, 2, ) == 0x0 00694 744 NtSetValueKey (-2147481996, (-2147481996, "Seed", 0, 3, "\21>5x\347F\301\224M\321\316\320\331GK?\252(X\373W\276\215[\227\226=\212a-)\22\207\365\34\271\263'\14T\275X\200\237\33\235f\372\302X\237\345\2234YN\3l^\370O\264\16\233\313\370&\203\16\2159\362\204\264\231\251\372nC", 80, ... 
) , 0, 3, (-2147481996, "Seed", 0, 3, "\21>5x\347F\301\224M\321\316\320\331GK?\252(X\373W\276\215[\227\226=\212a-)\22\207\365\34\271\263'\14T\275X\200\237\33\235f\372\302X\237\345\2234YN\3l^\370O\264\16\233\313\370&\203\16\2159\362\204\264\231\251\372nC", 80, ... ) , 80, ... ) == 0x0 00695 744 NtClose (-2147481996, ... ) == 0x0 00685 744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\225i'\344l:Gq\250!\269\30w\213\20\266\352\357r.UJz\254\344\324\361S`1\372\307+\224\316\37)\253\274\306\223\13\37\1\301\351#\357\272\2\300\305\234\17F\6\224\2124\335\377W~\250\205rQ\355\206\334\34T\273\24\200\355\326\376\357\275H\241nq\331\204\346\274\316\351\7$\215\0o\337\302\2*8\12\215\236\243\32;\37'\251\326\332\16\346\333\252\35\23\27]S\217\267\271\2635!\223PF\247]\326\252\240>\226\232@e\13\326\246(\243\266\4]_x7\17\323\364u\375\314\376k\265!W\24\216\275\271\200\33 i\310\217[\34\270z\330\302l&\215h\310S\32\310\360\2205I\5\320\372\200+\36\261-\235\245O\363\226M\241\251\2J\245\336\234\7N\241u\306R\320\334\215\262\235\242\357Q=\255p\265'\210\230\326\302\302\242\370A\212?v\206,\201\310\331V\376k\370\15\275\326Jr", ) , ) == 0x0 00696 744 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247>+\355\341'38j\261\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374~\316\346\203\316\235\374\35\16\355\0`\2671X\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00697 744 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 00698 744 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00699 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00700 744 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00701 744 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00702 744 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00703 744 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00704 744 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147481996, 2, ) }, 0, 0x0, 0, ... -2147481996, 2, ) == 0x0 00705 744 NtSetValueKey (-2147481996, (-2147481996, "Seed", 0, 3, "\212\302\212\261R\327\247\21#\337\275\332U\14\306\230\347\213mkI\15\343v\330u$I\235\260\3541=\366}z\6\177\333y\321#\343$)\340\363\234\251\23\252\366:\3\347 \360oC\37\220\207\352\217\212X\241\342\377=o=\337\345eN\345rg\314", 80, ... ) , 0, 3, (-2147481996, "Seed", 0, 3, "\212\302\212\261R\327\247\21#\337\275\332U\14\306\230\347\213mkI\15\343v\330u$I\235\260\3541=\366}z\6\177\333y\321#\343$)\340\363\234\251\23\252\366:\3\347 \360oC\37\220\207\352\217\212X\241\342\377=o=\337\345eN\345rg\314", 80, ... ) , 80, ... ) == 0x0 00706 744 NtClose (-2147481996, ... ) == 0x0 00696 744 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\204\250\330\357\27\263.\360-\17\2238\307\263\201\334+\364\261\353\216<\305=\2249\36s\20gW\261\223\262\327\11\27\270:.\266e\333\230:<\215\261\225Ti\202\304\275\216\343+]f\32\27`#4&,9\23\265\223Ak\14\334\263gx7\266\321\33\330\216F\243\264w\273*E\333bD\335i\227\6wC\313\233\22\3507\366\275f\256\243\234$I\364\272\336\341h\14\376\362\307\345\306#\217z\254\376\366\3233!z\223i\311W5\317\2302\271q\273b1\363A\25\235A\301/\317=_\273Y\374\336\216\367\226\372X\352\206R\221\366\22j\30J\344\344\335\210\376\261&\230X\375 \233F\10\245/\17uXv\34.Fg\202\3+\323z?\301\205U\311\375 "\34\336N\13\5h\31\236\234^\4\26:\260\246\302`o\12}\206\374h\363\32s\263\325\33\220\237\306\10\320D\211\\317\334@,\231\33 K", ) \34\336N\13\5h\31\236\234^\4\26:\260\246\302`o\12}\206\374h\363\32s\263\325\33\220\237\306\10\320D\211\\317\334@,\231\33 K", ) == 0x0 00707 744 NtUserRegisterWindowMessage ( ("ObjectLink", ... ) , ... ) == 0xc002 00708 744 NtAddAtom ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0I\0n\0t\0e\0r\0f\0a\0c\0e\0", 44, 1244632, ... ) , 44, 1244632, ... ) == 0x0 00709 744 NtAddAtom ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0M\0a\0r\0s\0h\0a\0l\0H\0w\0n\0d\0", 48, 1244632, ... ) , 48, 1244632, ... ) == 0x0 00710 744 NtUserRegisterWindowMessage ( ("OM_POST_WM_COMMAND", ... ) , ... ) == 0xc08e 00711 744 NtUserRegisterWindowMessage ( ("OLE_MESSAHE", ... ) , ... ) == 0xc08f 00712 744 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1350648, 0, (0x1f0003, {24, 52, 0x80, 1350648, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 76, ) }, 0, 2147483647, ... 76, ) == STATUS_OBJECT_NAME_EXISTS 00713 744 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00714 744 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00715 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00716 744 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00717 744 NtQueryValueKey (80, (80, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00718 744 NtClose (80, ... ) == 0x0 00719 744 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00720 744 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00721 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00722 744 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00723 744 NtQueryValueKey (80, (80, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00724 744 NtClose (80, ... ) == 0x0 00725 744 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00726 744 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00727 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00728 744 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00729 744 NtQueryValueKey (80, (80, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 744 NtClose (80, ... ) == 0x0 00731 744 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00732 744 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00733 744 NtWaitForSingleObject (76, 0, {0, 0}, ... 
) == 0x0 00734 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00735 744 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00736 744 NtQueryValueKey (80, (80, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00737 744 NtClose (80, ... ) == 0x0 00738 744 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00739 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00740 744 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00741 744 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00742 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00743 744 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00744 744 NtQueryValueKey (80, (80, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00745 744 NtClose (80, ... ) == 0x0 00746 744 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00747 744 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00748 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00749 744 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 
80, ) == 0x0 00750 744 NtQueryValueKey (80, (80, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00751 744 NtClose (80, ... ) == 0x0 00752 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00753 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00754 744 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00755 744 NtClose (80, ... ) == 0x0 00756 744 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 80, ) }, ... 80, ) == 0x0 00757 744 NtSetInformationObject (82, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00758 744 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00759 744 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 84, ) }, ... 84, ) == 0x0 00761 744 NtQueryKey (86, Name, 392, ... {Name= (86, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 00762 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00763 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 88, ) == 0x0 00764 744 NtQueryInformationToken (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00765 744 NtClose (88, ... ) == 0x0 00766 744 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00767 744 NtQueryValueKey (86, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (86, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00768 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1238300, ... ) }, 1238300, ... ) == 0x0 00769 744 NtClose (86, ... ) == 0x0 00770 744 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00771 744 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 84, {status=0x0, info=1}, ) }, 3, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00772 744 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 88, ) }, ... 88, ) == 0x0 00773 744 NtQuerySymbolicLinkObject (88, ... (88, ... "\Device\WinDfs\U:00000000000091f8", 66, ) , 66, ) == 0x0 00774 744 NtClose (88, ... ) == 0x0 00775 744 NtQueryVolumeInformationFile (84, 1241652, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00776 744 NtClose (84, ... ) == 0x0 00777 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 84, ) }, ... 84, ) == 0x0 00778 744 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00779 744 NtClose (84, ... ) == 0x0 00780 744 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 84, ) == 0x0 00781 744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0 00782 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 92, ) }, ... 92, ) == 0x0 00783 744 NtNotifyChangeKey (92, 88, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00784 744 NtQueryInformationProcess (-1, 28, 4, ... 
{process info, class 28, size 4}, 0x0, ) == 0x0 00785 744 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0 00786 744 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 100, ) == 0x0 00787 744 NtWaitForSingleObject (88, 0, {0, 0}, ... ) == 0x102 00788 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 104, ) }, ... 104, ) == 0x0 00789 744 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 108, ) }, ... 108, ) == 0x0 00790 744 NtQueryValueKey (108, (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 00791 744 NtQueryValueKey (108, (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 00792 744 NtClose (108, ... ) == 0x0 00793 744 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00794 744 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00795 744 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00796 744 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00797 744 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00798 744 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00799 744 NtClose (108, ... ) == 0x0 00800 744 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00801 744 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 00802 744 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 00803 744 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 744 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 00805 744 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 00806 744 NtClose (108, ... ) == 0x0 00807 744 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00808 744 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00809 744 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00810 744 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00811 744 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00812 744 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00813 744 NtClose (108, ... ) == 0x0 00814 744 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00815 744 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00816 744 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00817 744 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00818 744 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 00819 744 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 00820 744 NtClose (108, ... ) == 0x0 00821 744 NtClose (104, ... ) == 0x0 00822 744 NtQueryDefaultLocale (1, 1241204, ... ) == 0x0 00823 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00824 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00825 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 104, ... 108, ) == 0x0 00826 744 NtClose (104, ... 
) == 0x0 00827 744 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 12288, ) == 0x0 00828 744 NtClose (108, ... ) == 0x0 00829 744 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00830 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00831 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00832 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00833 744 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00834 744 NtClose (108, ... ) == 0x0 00835 744 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0 00836 744 NtClose (104, ... ) == 0x0 00837 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 104, ) }, ... 104, ) == 0x0 00838 744 NtQueryValueKey (104, (104, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00839 744 NtClose (104, ... ) == 0x0 00840 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00841 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00842 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 104, ... 
108, ) == 0x0 00843 744 NtClose (104, ... ) == 0x0 00844 744 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 40960, ) == 0x0 00845 744 NtClose (108, ... ) == 0x0 00846 744 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00847 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00848 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00849 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00850 744 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00851 744 NtClose (108, ... ) == 0x0 00852 744 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0 00853 744 NtClose (104, ... ) == 0x0 00854 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00855 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1238720, ... ) }, 1238720, ... ) == 0x0 00856 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00857 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00858 744 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00859 744 NtClose (104, ... ) == 0x0 00860 744 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0 00861 744 NtClose (108, ... ) == 0x0 00862 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00863 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1238720, ... ) }, 1238720, ... ) == 0x0 00864 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00865 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00866 744 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00867 744 NtClose (108, ... ) == 0x0 00868 744 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0 00869 744 NtClose (104, ... ) == 0x0 00870 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00871 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1237916, ... ) }, 1237916, ... ) == 0x0 00872 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00873 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00874 744 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00875 744 NtClose (104, ... ) == 0x0 00876 744 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00877 744 NtClose (108, ... ) == 0x0 00878 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00879 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1237916, ... ) }, 1237916, ... 
) == 0x0 00880 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00881 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00882 744 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00883 744 NtClose (108, ... ) == 0x0 00884 744 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0 00885 744 NtClose (104, ... ) == 0x0 00886 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00887 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1237916, ... ) }, 1237916, ... ) == 0x0 00888 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00889 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00890 744 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00891 744 NtClose (104, ... ) == 0x0 00892 744 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 00893 744 NtClose (108, ... ) == 0x0 00894 744 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00895 744 NtOpenKey (0x80000000, {24, 0, 0xc0, 0, 0, (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 108, ) }, ... 108, ) == 0x0 00896 744 NtQueryValueKey (108, (108, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 744 NtOpenProcessToken (-1, 0x8, ... 104, ) == 0x0 00898 744 NtQueryInformationToken (104, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 00899 744 NtClose (104, ... ) == 0x0 00900 744 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00901 744 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 104, ) == 0x0 00902 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00903 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00904 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0 00905 744 NtClose (112, ... ) == 0x0 00906 744 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 24576, ) == 0x0 00907 744 NtClose (116, ... ) == 0x0 00908 744 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00909 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00910 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00911 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0 00912 744 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00913 744 NtClose (116, ... ) == 0x0 00914 744 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0 00915 744 NtClose (112, ... ) == 0x0 00916 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 112, ) }, ... 112, ) == 0x0 00917 744 NtQueryValueKey (112, (112, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00918 744 NtClose (112, ... ) == 0x0 00919 744 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00920 744 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00921 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00922 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00923 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == 0x0 00924 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00925 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0 00926 744 NtClose (112, ... ) == 0x0 00927 744 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 122880, ) == 0x0 00928 744 NtClose (116, ... ) == 0x0 00929 744 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00930 744 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00931 744 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239524, ... 
) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00932 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00933 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00934 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == 0x0 00935 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00936 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0 00937 744 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00938 744 NtClose (116, ... ) == 0x0 00939 744 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0 00940 744 NtClose (112, ... ) == 0x0 00941 744 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00942 744 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00943 744 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00944 744 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00945 744 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00946 744 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00947 744 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00948 744 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00949 744 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00950 744 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... 
(0x10015000), 4096, 2, ) == 0x0 00951 744 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00952 744 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00953 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00954 744 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8912896, 65536, ) == 0x0 00955 744 NtAllocateVirtualMemory (-1, 8912896, 0, 4096, 4096, 4, ... 8912896, 4096, ) == 0x0 00956 744 NtAllocateVirtualMemory (-1, 8916992, 0, 8192, 4096, 4, ... 8916992, 8192, ) == 0x0 00957 744 NtAllocateVirtualMemory (-1, 8925184, 0, 4096, 4096, 4, ... 8925184, 4096, ) == 0x0 00958 744 NtQueryPerformanceCounter (... {129492797, 0}, {3579545, 0}, ) == 0x0 00959 744 NtRaiseException (1239016, 1238276, 1, ... 00960 744 NtContinue (1237072, 0, ... 00961 744 NtOpenMutant (0x120001, {24, 52, 0x2, 0, 0, (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 112, ) }, ... 112, ) == 0x0 00962 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00963 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 00965 744 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00966 744 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 00967 744 NtRaiseException (1228992, 1228252, 1, ... 00968 744 NtContinue (1227048, 0, ... 00969 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00970 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 744 NtReleaseMutant (112, ... 
0x0, ) == 0x0 00972 744 NtRaiseException (1230752, 1230012, 1, ... 00973 744 NtContinue (1228808, 0, ... 00974 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00975 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 00977 744 NtRaiseException (1230756, 1230016, 1, ... 00978 744 NtContinue (1228812, 0, ... 00979 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00980 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00981 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 00982 744 NtRaiseException (1230752, 1230012, 1, ... 00983 744 NtContinue (1228808, 0, ... 00984 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00985 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00986 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 00987 744 NtRaiseException (1230756, 1230016, 1, ... 00988 744 NtContinue (1228812, 0, ... 00989 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00990 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 00992 744 NtRaiseException (1230752, 1230012, 1, ... 00993 744 NtContinue (1228808, 0, ... 00994 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00995 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00996 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 00997 744 NtRaiseException (1230756, 1230016, 1, ... 00998 744 NtContinue (1228812, 0, ... 00999 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01000 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01001 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01002 744 NtRaiseException (1230752, 1230012, 1, ... 01003 744 NtContinue (1228808, 0, ... 01004 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01005 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01006 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01007 744 NtRaiseException (1230756, 1230016, 1, ... 01008 744 NtContinue (1228812, 0, ... 01009 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01010 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01011 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01012 744 NtRaiseException (1230752, 1230012, 1, ... 01013 744 NtContinue (1228808, 0, ... 01014 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01015 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01016 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01017 744 NtRaiseException (1230756, 1230016, 1, ... 01018 744 NtContinue (1228812, 0, ... 01019 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01020 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01021 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01022 744 NtRaiseException (1230752, 1230012, 1, ... 01023 744 NtContinue (1228808, 0, ... 01024 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01025 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01026 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01027 744 NtRaiseException (1230756, 1230016, 1, ... 01028 744 NtContinue (1228812, 0, ... 01029 744 NtWaitForSingleObject (112, 0, 0x0, ... 
) == 0x0 01030 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01031 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01032 744 NtRaiseException (1230752, 1230012, 1, ... 01033 744 NtContinue (1228808, 0, ... 01034 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01035 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01036 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01037 744 NtRaiseException (1230756, 1230016, 1, ... 01038 744 NtContinue (1228812, 0, ... 01039 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01040 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01041 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01042 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239184, ... ) }, 1239184, ... ) == 0x0 01043 744 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {732, 0}, ... 116, ) == 0x0 01044 744 NtQueryInformationProcess (116, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01045 744 NtClose (116, ... ) == 0x0 01046 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239184, ... ) }, 1239184, ... ) == 0x0 01047 744 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01048 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01049 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0 01050 744 NtQueryValueKey (116, (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01051 744 NtClose (116, ... ) == 0x0 01052 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01053 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 01054 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 01055 744 NtQuerySystemTime (... {-1569452192, 29873101}, ) == 0x0 01056 744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0 01057 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01058 744 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01059 744 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01060 744 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01061 744 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0 01062 744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0 01063 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0 01064 744 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0 01065 744 NtQueryValueKey (140, (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... 
TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01066 744 NtClose (140, ... ) == 0x0 01067 744 NtClose (136, ... ) == 0x0 01068 744 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 136, ) == 0x0 01069 744 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 140, ) == 0x0 01070 744 NtDuplicateObject (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0 01071 744 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01072 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01073 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 01074 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01075 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01076 744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238232, (0xc0100080, {24, 0, 0x40, 0, 1238232, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01077 744 NtSetInformationFile (152, 1238288, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01078 744 NtSetInformationFile (152, 1238280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01079 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01080 744 NtWriteFile (152, 129, 0, 0, (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01081 744 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01082 744 NtReadFile (152, 129, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\252$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01083 744 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\252$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\252$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01084 744 NtClose (148, ... ) == 0x0 01085 744 NtClose (152, ... ) == 0x0 01086 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01087 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01088 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01089 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01090 744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238232, (0xc0100080, {24, 0, 0x40, 0, 1238232, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 01091 744 NtSetInformationFile (148, 1238288, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01092 744 NtSetInformationFile (148, 1238280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01093 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01094 744 NtWriteFile (148, 129, 0, 0, (148, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01095 744 NtReadFile (148, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (148, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\253$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01096 744 NtFsControlFile (148, 129, 0x0, 0x0, 0x11c017, (148, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\253$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (148, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\253$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01097 744 NtClose (152, ... ) == 0x0 01098 744 NtClose (148, ... ) == 0x0 01099 744 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 148, ) }, ... 148, ) == 0x0 01100 744 NtQueryKey (148, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0 01101 744 NtQuerySecurityObject (148, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01102 744 NtQuerySecurityObject (148, 15, 0, ... ) == STATUS_ACCESS_DENIED 01103 744 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 
9437184, 524288, ) == 0x0 01104 744 NtAllocateVirtualMemory (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0 01105 744 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 01106 744 NtClose (148, ... ) == 0x0 01107 744 NtCreateFile (0x100000, {24, 0, 0x40, 0, 0, (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 01108 744 NtFsControlFile (148, 0, 0x0, 0x0, 0x600bc, (148, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... 
{status=0x0, info=1024}, (148, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01109 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01110 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01111 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01112 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01113 744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239672, (0xc0100080, {24, 0, 0x40, 0, 1239672, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0 01114 744 NtSetInformationFile (156, 1239728, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01115 744 NtSetInformationFile (156, 1239720, 8, Completion, ... 
{status=0x0, info=0}, ) == 0x0 01116 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01117 744 NtWriteFile (156, 129, 0, 0, (156, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01118 744 NtReadFile (156, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (156, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\254$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01119 744 NtFsControlFile (156, 129, 0x0, 0x0, 0x11c017, (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\340\360\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\254$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68}, (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\340\360\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\254$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01120 744 NtClose (152, ... ) == 0x0 01121 744 NtClose (156, ... ) == 0x0 01122 744 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01123 744 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01124 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239184, ... ) }, 1239184, ... 
) == 0x0 01125 744 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 156, ) }, ... 156, ) == 0x0 01126 744 NtWaitForSingleObject (156, 0, {-1800000000, -1}, ... ) == 0x0 01127 744 NtClose (156, ... ) == 0x0 01128 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01129 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0 01130 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01131 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01132 744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239708, (0xc0100080, {24, 0, 0x40, 0, 1239708, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01133 744 NtSetInformationFile (152, 1239764, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01134 744 NtSetInformationFile (152, 1239756, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01135 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01136 744 NtWriteFile (152, 129, 0, 0, (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01137 744 NtReadFile (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01138 744 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20-#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01139 744 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\220\7\244\335\300?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\220\7\244\335\300?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\220\7\244\335\300?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\220\7\244\335\300?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01140 744 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\221\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\221\7\244\335\300?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\221\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\221\7\244\335\300?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01141 744 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\220\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\220\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01142 744 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\221\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\221\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01143 744 NtClose (156, ... ) == 0x0 01144 744 NtClose (152, ... ) == 0x0 01145 744 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01146 744 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... 
) == STATUS_OBJECT_PATH_NOT_FOUND 01147 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01148 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01149 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == 0x0 01150 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 152, ) }, ... 152, ) == 0x0 01151 744 NtQueryValueKey (152, (152, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0 01152 744 NtClose (152, ... ) == 0x0 01153 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 152, ) }, ... 152, ) == 0x0 01154 744 NtQueryValueKey (152, (152, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0 01155 744 NtClose (152, ... ) == 0x0 01156 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 152, ) }, ... 152, ) == 0x0 01157 744 NtQueryValueKey (152, (152, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01158 744 NtClose (152, ... ) == 0x0 01159 744 NtRaiseException (1229676, 1228936, 1, ... 01160 744 NtContinue (1227732, 0, ... 01161 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01162 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01163 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01164 744 NtRaiseException (1229672, 1228932, 1, ... 01165 744 NtContinue (1227728, 0, ... 01166 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01167 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01169 744 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1240340, 0, (0x1f0001, {24, 52, 0x80, 1240340, 0, "HGFSMUTEX"}, 1, ... 152, ) }, 1, ... 152, ) == 0x0 01170 744 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 744 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == 0x0 01174 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0 01175 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 156, ... 160, ) == 0x0 01176 744 NtQuerySection (160, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 01177 744 NtClose (156, ... ) == 0x0 01178 744 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0 01179 744 NtClose (160, ... ) == 0x0 01180 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01181 744 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1350648, 0, (0x1f0003, {24, 52, 0x80, 1350648, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 160, ) }, 0, 2147483647, ... 160, ) == STATUS_OBJECT_NAME_EXISTS 01182 744 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 01183 744 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 01184 744 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0 01185 744 NtQueryValueKey (156, (156, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0 01186 744 NtClose (156, ... ) == 0x0 01187 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1237892, ... ) }, 1237892, ... ) == 0x0 01188 744 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 
156, 2, ) == 0x0 01189 744 NtSetValueKey (156, (156, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1, (156, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0 01190 744 NtClose (156, ... ) == 0x0 01191 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 156, {status=0x0, info=1}, ) }, 3, 16417, ... 156, {status=0x0, info=1}, ) == 0x0 01192 744 NtQueryDirectoryFile (156, 0, 0, 0, 1238032, 616, BothDirectory, 1, (156, 0, 0, 0, 1238032, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01193 744 NtUnmapViewOfSection (-1, 0x76780000, ... ) == 0x0 01194 744 NtRaiseException (1229312, 1228572, 1, ... 01195 744 NtContinue (1227368, 0, ... 01196 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01197 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01198 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01199 744 NtCreateFile (0xc0100080, {24, 0, 0x40, 1240340, 1239916, (0xc0100080, {24, 0, 0x40, 1240340, 1239916, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0 01200 744 NtRaiseException (1229312, 1228572, 1, ... 01201 744 NtContinue (1227368, 0, ... 01202 744 NtWaitForSingleObject (112, 0, 0x0, ... 
) == 0x0 01203 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01205 744 NtCreateSection (0xf0007, {24, 52, 0x80, 1240340, 0, (0xf0007, {24, 52, 0x80, 1240340, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 164, ... 168, ) }, {27876, 0}, 4, 134217728, 164, ... 168, ) == 0x0 01206 744 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x980000), {0, 0}, 28672, ) == 0x0 01207 744 NtReleaseMutant (152, ... 0x0, ) == 0x0 01208 744 NtRaiseException (1230728, 1229988, 1, ... 01209 744 NtContinue (1228784, 0, ... 01210 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01211 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01212 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01213 744 NtCreateFile (0xc0100080, {24, 0, 0x40, 1241384, 1240972, (0xc0100080, {24, 0, 0x40, 1241384, 1240972, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 172, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 172, {status=0x0, info=0}, ) == 0x0 01214 744 NtDeviceIoControlFile (172, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, (172, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0 01215 744 NtClose (172, ... ) == 0x0 01216 744 NtRaiseException (1230708, 1229968, 1, ... 01217 744 NtContinue (1228764, 0, ... 01218 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01219 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01220 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01221 744 NtRaiseException (1230728, 1229988, 1, ... 01222 744 NtContinue (1228784, 0, ... 01223 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01224 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01225 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01226 744 NtAllocateVirtualMemory (-1, 1368064, 0, 20480, 4096, 4, ... 1368064, 20480, ) == 0x0 01227 744 NtAllocateVirtualMemory (-1, 1388544, 0, 20480, 4096, 4, ... 1388544, 20480, ) == 0x0 01228 744 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01229 744 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01230 744 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 172, ) }, ... 172, ) == 0x0 01231 744 NtWaitForSingleObject (172, 0, {-1800000000, -1}, ... ) == 0x0 01232 744 NtClose (172, ... ) == 0x0 01233 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01234 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0 01235 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01236 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01237 744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239648, (0xc0100080, {24, 0, 0x40, 0, 1239648, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01238 744 NtSetInformationFile (176, 1239704, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01239 744 NtSetInformationFile (176, 1239696, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01240 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01241 744 NtWriteFile (176, 129, 0, 0, (176, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01242 744 NtReadFile (176, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (176, 129, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20.#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01243 744 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20.#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20.#\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01244 744 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\222\7\244\335\300?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\222\7\244\335\300?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\222\7\244\335\300?\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\222\7\244\335\300?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01245 744 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\223\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\223\7\244\335\300?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\223\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\223\7\244\335\300?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01246 744 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\222\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\222\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01247 744 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\223\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\223\7\244\335\300?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01248 744 NtClose (172, ... ) == 0x0 01249 744 NtClose (176, ... 
) == 0x0 01250 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01251 744 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0 01252 744 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01253 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01254 744 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239740, (0xc0100080, {24, 0, 0x40, 0, 1239740, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0 01255 744 NtSetInformationFile (172, 1239796, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01256 744 NtSetInformationFile (172, 1239788, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01257 744 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01258 744 NtWriteFile (172, 129, 0, 0, (172, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01259 744 NtReadFile (172, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (172, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\241)\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01260 744 NtFsControlFile (172, 129, 0x0, 0x0, 0x11c017, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\241)\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... 
{status=0x103, info=76}, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\241)\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01261 744 NtClose (176, ... ) == 0x0 01262 744 NtClose (172, ... ) == 0x0 01263 744 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0 01264 744 NtSetValueKey (172, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 01265 744 NtClose (172, ... ) == 0x0 01266 744 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 172, ) }, ... 172, ) == 0x0 01267 744 NtQueryValueKey (172, (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01268 744 NtClose (172, ... ) == 0x0 01269 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01270 744 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01271 744 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01272 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01273 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01274 744 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01275 744 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01276 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01277 744 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0 01278 744 NtSetValueKey (172, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 01279 744 NtClose (172, ... ) == 0x0 01280 744 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 172, ) }, ... 172, ) == 0x0 01281 744 NtQueryValueKey (172, (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01282 744 NtClose (172, ... 
) == 0x0 01283 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01284 744 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01285 744 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01286 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01287 744 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01288 744 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01289 744 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01290 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 744 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01292 744 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01293 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01294 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01295 744 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01296 744 NtClose (172, ... 
) == 0x0 01297 744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 172, ) }, ... 172, ) == 0x0 01298 744 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "Network"}, ... 176, ) }, ... 176, ) == 0x0 01299 744 NtClose (172, ... ) == 0x0 01300 744 NtQueryKey (176, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (176, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0 01301 744 NtQuerySecurityObject (176, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01302 744 NtQuerySecurityObject (176, 15, 0, ... ) == STATUS_ACCESS_DENIED 01303 744 NtWaitForSingleObject (88, 0, {0, 0}, ... ) == 0x102 01304 744 NtEnumerateKey (176, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (176, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0 01305 744 NtOpenKey (0x2001f, {24, 176, 0x40, 0, 0, (0x2001f, {24, 176, 0x40, 0, 0, "f"}, ... 172, ) }, ... 172, ) == 0x0 01306 744 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01307 744 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01308 744 NtQueryValueKey (172, (172, "UserName", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01309 744 NtQueryValueKey (172, (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 01310 744 NtQueryValueKey (172, (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01311 744 NtQueryValueKey (172, (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01312 744 NtQueryValueKey (172, (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01313 744 NtClose (172, ... ) == 0x0 01314 744 NtEnumerateKey (176, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (176, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0 01315 744 NtOpenKey (0x2001f, {24, 176, 0x40, 0, 0, (0x2001f, {24, 176, 0x40, 0, 0, "u"}, ... 172, ) }, ... 172, ) == 0x0 01316 744 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01317 744 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01318 744 NtQueryValueKey (172, (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01319 744 NtQueryValueKey (172, (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 01320 744 NtQueryValueKey (172, (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01321 744 NtQueryValueKey (172, (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01322 744 NtQueryValueKey (172, (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01323 744 NtClose (172, ... ) == 0x0 01324 744 NtClose (176, ... ) == 0x0 01325 744 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 01326 744 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01327 744 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01328 744 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01329 744 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01330 744 NtOpenKey (0x2000000, {24, 82, 0x40, 0, 0, (0x2000000, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01331 744 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 176, ) }, ... 176, ) == 0x0 01332 744 NtQueryKey (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 01333 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01334 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01335 744 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01336 744 NtClose (172, ... ) == 0x0 01337 744 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01338 744 NtEnumerateKey (178, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (178, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 01339 744 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01340 744 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01341 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 172, ) }, ... 172, ) == 0x0 01342 744 NtQueryKey (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 01343 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01344 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 180, ) == 0x0 01345 744 NtQueryInformationToken (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01346 744 NtClose (180, ... ) == 0x0 01347 744 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 744 NtQueryValueKey (174, (174, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (174, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01349 744 NtClose (174, ... ) == 0x0 01350 744 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01351 744 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 172, {status=0x0, info=1}, ) }, 3, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01352 744 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 180, ) }, ... 
180, ) == 0x0 01353 744 NtQuerySymbolicLinkObject (180, ... (180, ... "\Device\WinDfs\U:00000000000091f8", 66, ) , 66, ) == 0x0 01354 744 NtClose (180, ... ) == 0x0 01355 744 NtQueryVolumeInformationFile (172, 1241060, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01356 744 NtClose (172, ... ) == 0x0 01357 744 NtEnumerateKey (178, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 01358 744 NtClose (178, ... ) == 0x0 01359 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 176, {status=0x0, info=1}, ) }, 3, 16417, ... 176, {status=0x0, info=1}, ) == 0x0 01360 744 NtQueryDirectoryFile (176, 0, 0, 0, 1239848, 616, BothDirectory, 1, (176, 0, 0, 0, 1239848, 616, BothDirectory, 1, "startupscripts", 0, ... {status=0x0, info=128}, ) , 0, ... {status=0x0, info=128}, ) == 0x0 01361 744 NtClose (176, ... ) == 0x0 01362 744 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01363 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1244288, ... ) }, 1244288, ... ) == 0x0 01364 744 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 732, 744, 1543, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 732, 744, 1543, 0} (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 732, 744, 1543, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 01365 744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244296, (0x80100080, {24, 0, 0x40, 0, 1244296, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsk1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 
176, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 176, {status=0x0, info=2}, ) == 0x0 01366 744 NtClose (176, ... ) == 0x0 01367 744 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsk1.tmp"}, 7, 2113600, ... 176, {status=0x0, info=1}, ) }, 7, 2113600, ... 176, {status=0x0, info=1}, ) == 0x0 01368 744 NtQueryInformationFile (176, 1244668, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER 01369 744 NtSetInformationFile (176, 1244719, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0 01370 744 NtClose (176, ... ) == 0x0 01371 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1244540, ... ) }, 1244540, ... ) == 0x0 01372 744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244520, (0x80100080, {24, 0, 0x40, 0, 1244520, "\??\u:\work\packed.exe"}, 0x0, 32, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 32, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01373 744 NtQueryInformationFile (176, 1244588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01374 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\345lJ\250\241\15$\373\241\15$\373\241\15$\373/\5{\373\243\15$\373\241\15%\3739\15$\373"\5y\373\260\15$\373\365.\24\373\250\15$\373f\13"\373\240\15$\373Rich\241\15$\373\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\206\271\246D\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\\0\0\0\212\2\0\0\4\0\0f1\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0Pt\0\0\264\0\0\0\0\200\3\0\310\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\376[\0\0\0\20\0\0\0\\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) \5y\373\260\15$\373\365.\24\373\250\15$\373f\13 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\345lJ\250\241\15$\373\241\15$\373\241\15$\373/\5{\373\243\15$\373\241\15%\3739\15$\373"\5y\373\260\15$\373\365.\24\373\250\15$\373f\13"\373\240\15$\373Rich\241\15$\373\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\206\271\246D\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\\0\0\0\212\2\0\0\4\0\0f1\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0Pt\0\0\264\0\0\0\0\200\3\0\310\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\376[\0\0\0\20\0\0\0\\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01375 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\376\21\0\0\0p\0\0\0\22\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.data\0\0\0\324d\2\0\0\220\0\0\0\4\0\0\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ndata\0\0\0\200\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rsrc\0\0\0\310\6\0\0\0\200\3\0\0\10\0\0\0v\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01376 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "U\213\354\203\354\\203}\14\17t+\203}\14F\213E\24u\15\203H\30\20\213\15$\364B\0\211H\4P\377u\20\377u\14\377u\10\377\25@r@\0\351B\1\0\0SV\2135(\364B\0\215E\244WP\377u\10\377\25Dr@\0\203e\364\0\211E\14\215E\344P\377u\10\377\25Hr@\0\213}\360\203e\360\0\213\35Dp@\0\351\200\0\0\0\17\266FR\17\266VV\17\257U\350\213\317+M\350\17\257\301\3\302\211M\20\231\367\3773\322\212\360\17\266FQ\17\257\301\17\266NU\17\257M\350\3\301\213\312\231\367\377\17\266VT\17\257U\350\212\310\17\266FP\17\257E\20\3\302\231\367\377\301\341\10\17\266\300\13\310\215E\364P\211M\370\377\25Hp@\0\203E\360\4\211E\24P\215E\344P\377u\14\377\25Lr@\0\377u\24\377\323\203E\350\49}\350\17\214w\377\377\377\203~X\377te\377v4\377\25Lp@\0\205\300\211E\24tU\213}\14j\1W\307E\344\20\0\0\0\307E\350\10\0\0\0\377\25Pp@\0\377vXW\377\25Tp@\0\377u\24\2135Xp@\0W\377\326\211E\14\215E\344h \10\0\0Pj\377h \354B\0W\377\25Pr@\0\377u\14W\377\326\377u\24\377\323\215E\244P\377u\10\377\25Tr@\0_^3\300[\311\302\20\0\213L$\4\241H\364B\0\213\321Si\322\30\4\0\0VW\213T\2\10\366\302\2tO\215q\13\377;5L\364B\0sB\213\316i\311\30\4\0\0\215D\1\10\213\10\366\301\2t\3G\353\36\366\301\4t\11\213\317O\205\311t \353\20\366\301\20u\13\213\3313\332\203\343\13\331\211\30F\5\30\4\0\0;5L\364B\0r\312_^[\302\4\0U\213\354QQ", ) , ) == 0x0 01377 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\213\35H\364B\03\311\3\363W\211M\374\211M\370\213F\10\250\2t\139M\14t\6$\276B\211F\10;\25L\364B\0sD\213\302i\300\30\4\0\0\215|\30\10\215B\1\213\17\366\301\2t\12j\1R\350\245\377\377\377\213\17\366\301\4u(\366\301@t\3\377E\374\366\301\1t\5\377E\374\353\3\377E\370;\5L\364B\0\213\320r\2743\300_^[\311\302\10\0\203}\374\0t\363\203}\370\0t\6\203N\10@\353\347\213N\10\200\341\177\203\311\1\211N\10\353\331\213L$\4\241H\364B\0V3\366\203\371 s495L\364B\0v,\215P\10W\213\2\250\6u\223\377G\323\347\205z\374t\4\14\1\353\2$\376\211\2F\201\302\30\4\0\0;5L\364B\0r\331_^\302\4\0U\213\354\203\354\14\241(\364B\0\203e\374\0SV\5\224\0\0\0W\213=L\364B\0\211E\370\213E\3703\3339\30tK;\337sE\2135H\364B\0\203\306\10\213\26\366\302\6u(\213E\10\205\300t\6\203<\230\0t\33\213M\3743\300@\203\342\1\323\340\213N\374#\310\213\301\213M\374\323\342;\302u\13C\201\306\30\4\0\0;\337r\306;\337t\15\377E\374\203E\370\4\203}\374 r\237\213E\374_^[\311\302\4\0V\213t$\10\351\204\0\0\0\213\306\213\15P\364B\0k\300\34\3\301\2038\1tzP\350\252\0\0\0=\377\377\377\177ts\205\300}\23@\271\0\0C\0\301\340\12+\310Q\350\247E\0\0\205\300u\63\300@F\353\7H\213\316\213\360+\301\203|$\14\0t8\1\5\14\354B\0\241\364\353B\03\311j\0\205\300\17\224\301\3\310Qh0u\0\0\3775\14\354B\0\377\25,q@\0Ph\2\4\0\0\377t$", ) , ) == 0x0 01378 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\377\377\3773\300^\302\10\0\270\377\377\377\177\353\365\213D$\4\213\15(\364B\0j\0\377t\201l\350H\377\377\377\302\4\0h@\240@\0\377t$\10\350H9\0\0\302\4\0U\213\354\201\354\244\1\0\0\241$\364B\0SV\213u\10Wj\7Y\215}\330\211E\3703\333\363\245\213E\334\213}\340\213\360\271\0\0C\0\301\346\12\301\347\12\3\361\3\371\215M\334\211]\374\211\15<\224@\0\213M\330\203\301\376\203\371A\17\207\243\24\0\0\377$\215A)@\0SP\350\3448\0\0\351\364\15\0\0\377\5\354\353B\09]\370\17\204\345\15\0\0S\377\25\354q@\0\351\331\15\0\0;\303}\21@\271\0\0C\0\301\340\12+\310Q\350\203D\0\0HSP\350\226\376\377\377\351^\24\0\0\213M\340;\313t)\366\301\10t\17\241\14\220@\0\243\240\222@\0\3518\24\0\0\241\240\222@\0\211\15\240\222@\0\243\14\220@\0\351#\24\0\0SP\350k8\0\0\351\27\24\0\0S\350_\25\0\0\203\370\1\177\33\300@P\377\25\220p@\0\351\375\23\0\0\377u\370\377\25\360q@\0\351\357\23\0\0j\1\3506\25\0\0\213M\334\211\4\215\240\364B\0\351\331\23\0\0\213E\344\2154\205\240\364B\03\300\213\16;\313\17\224\300#M\350\213D\205\334\211\16\351\303\23\0\0\213E\340\3774\205\240\364B\0V\351P\23\0\0\213\15\360\353B\0\2135Xr@\0;\313t\11\377u\340Q\377\326\213E\334\213\15\4\354B\0;\313\17\204\201\23\0\0PQ\377\326\351x\23\0\0j\360\350\334\24\0\0\377u\340P\377\25\214p@\0\205\300\17\205_\23\0\0\351\5\21\0\0j\360\350\276\24\0\0\213\370W\350\227?\0\08\37\213\360tF;\363tBj\V\350\35?", ) , ) == 0x0 01379 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\13\377\25\210p@\0\205\300u\33\377\25\204p@\0=\267\0\0\0u\13W\377\25\200p@\0\250\20u\3\377E\374\212E\13\210\6F:\303u\2769]\340t\36j\346\350\354\375\377\377Wh\0XC\0\350\224C\0\0W\377\25|p@\0\351\334\22\0\0j\365\351\216\13\0\0S\350:\24\0\0P\350JF\0\0\351}\6\0\0j\320\350(\24\0\0j\337\211E\10\350\36\24\0\0\377u\10\276@\240@\0\211E\370V\350NC\0\0\377u\370\350\C\0\0\377u\10\213\370\350RC\0\0\3\370\201\377\375\3\0\0}\24h\34\220@\0V\350CC\0\0\377u\370V\350:C\0\0\377u\370\377u\10\377\25xp@\0\205\300t\7j\343\351\24\13\0\09]\344\17\204\375\17\0\0\377u\10\350\313E\0\0\205\300\17\204\355\17\0\0\377u\370\377u\10\350+@\0\0j\344\351\351\12\0\0S\350\225\23\0\0\213\360\215E\10PWh\0\4\0\0V\377\25tp@\0\205\300t#\213E\10;\306v%8\30t!V\350\203E\0\0;\303t\16\203\300,P\377u\10\350\236B\0\0\353\11\307E\374\1\0\0\0\210\379]\344\17\205\336\21\0\0h\0\4\0\0WW\377\25pp@\0\351\314\21\0\0j\377\3500\23\0\0\215M\10QVh\0\4\0\0SPS\377\25lp@\0\205\300\17\205\252\21\0\0\351$\17\0\0j\357\350\11\23\0\0PV\350C?\0\0\351+\376\377\377j1\350\366\22\0\0\213\360\213E\334\203\340\7V\211u\314\211E\10\350\234=\0\0V\276@\234@\0\205\300t\10V\350\23B\0\0\353\27h\0XC\0V\350\6B\0\0P\350\15=\0\0P\350\26B\0\0V\3500D\0\0\277@\244@\0\203}\10\3|1V\350", ) , ) == 0x0 01380 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\350\203\300\24QP\377\25hp@\0\213\310\213E\10\203\300\375\15\0\0\0\200#\301\367\330\33\300@\211E\109]\10u\21V\377\25\200p@\0$\376PV\377\25\214p@\03\300\203}\10\1\17\225\300@Ph\0\0\0@V\350]>\0\0\203\370\377\211E\370uv9]\10uSh\0\0C\0W\350tA\0\0Vh\0\0C\0\350iA\0\0\377u\360h@\240@\0\350~A\0\0Wh\0\0C\0\350QA\0\0\213E\334\301\370\3Ph@\240@\0\350@:\0\0\203\350\4\17\204H\377\377\377Ht\33Vj\372\351\346\373\377\377\377u\314j\342\350\3054\0\0\203}\10\2\351\10\375\377\377\377\5\250\364B\0\351k\20\0\0\377u\314j\352\350\2474\0\0\377\5\240\222@\0SS\377u\370\377u\344\350\323\25\0\0\377\15\240\222@\0\203}\350\377\213\370u\6\203}\354\377t\22\215E\350P\215E\350SP\377u\370\377\25dp@\0\377u\370\377\25`p@\0;\373\17\215\16\20\0\0\203\377\376u\23j\351V\350\317@\0\0\377u\314V\350\300@\0\0\353\10j\356V\350\274@\0\0h\20\0 \0V\351B\11\0\0S\3534j1\350D\21\0\0\377u\334P\350|9\0\0;\303\17\204s\15\0\0;E\344\17\204A\1\0\0;E\354\17\205\266\17\0\0\213E\360\351\271\17\0\0j\360\350\22\21\0\0\377u\340P\350\2149\0\0\351\231\17\0\0j\1\350\375\20\0\0P\350N@\0\0\351\216\13\0\0j\2\350\316\20\0\0j\3\211E\10\350\304\20\0\0j\1\213\370\350\330\20\0\09]\344\211E\324\210\36t\119]\10\17\204Z\17\0\0P\350\26@\0\0;\373}\10\3\370\17\210H\17\0\0;\370~\2\213\370\213E\324\3\307PV", ) , ) == 0x0 01381 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "+\17\0\0}\17V\350\345?\0\0\3\370y\5\211]\10\213\373\201\377\0\4\0\0\17\215\16\17\0\0\210\347\351\6\17\0\0j \350j\20\0\0j1\213\360\350a\20\0\09]\354PVu\22\377\25\244p@\0\205\300ug\213E\344\351\350\16\0\0\377\25\350p@\0\353\3543\377GW\3507\20\0\09]\344h\0\4\0\0VPt\10\377\25\354p@\0\353\6\377\25\360p@\0\205\300u\5\211}\374\210\36\210\236\377\3\0\0\351\236\16\0\0S\350\346\17\0\0j\1\213\360\350\335\17\0\09]\360u\10;\360|\10~\237\353\16;\360s\10\213E\350\351\201\16\0\0v\217\213E\354\351w\16\0\0j\1\350\263\17\0\0j\2\213\370\350\252\17\0\0\213\310\213E\350\203\370\14wm\377$\205I*@\0\3\371\353b+\371\353^\17\257\317\213\371\353W;\313tB\213\307\231\367\371\213\370\353J\13\371\353F#\371\353B3\371\353>3\300;\373\17\224\300\353\347;\373u\16\353\103\377\353+;\373t\370;\313t\3643\377G\353\36;\313t\11\213\307\231\367\371\213\372\353\213\377\307E\374\1\0\0\0\353\6\323\347\353\2\323\377W\3511\372\377\377j\1\350C\17\0\0j\2\213\370\350\35\17\0\0PWV\377\25\364q@\0\203\304\14\351\276\15\0\0\213E\344\213=@\260@\0;\303tDH;\373\17\204\371\6\0\0\213?;\303u\361;\373\17\204\353\6\0\0\203\307\4\276@\234@\0WV\3507>\0\0\241@\260@\0\203\300\4PW\350(>\0\0\241@\260@\0V\203\300\4P\351\223\14\0\09]\340t%;\373\17\204\13\13\0\0\215G\4PV\350\2>\0\0\213\7W\243@\260@\0\377\25\364p@\0\351C\15\0\0h\4\4\0\0j@\377", ) , ) == 0x0 01382 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\4P\350\366=\0\0\241@\260@\0\211\6\2115@\260@\0\351\26\15\0\0j3\350z\16\0\0jD\211E\370\350p\16\0\0\366E\360\1\211E\10u\13\377u\370\350\27=\0\0\211E\370\366E\360\2u\13\377u\10\350\6=\0\0\211E\10\203}\330!j\1uD\350!\16\0\0j\2\213\370\350\30\16\0\0\213M\360\301\371\2t\36\215U\314RQS\377u\10\377u\370PW\377\25\370q@\0\367\330\33\300@\211E\374\353?\377u\10\377u\370PW\377\25, ) , ) == 0x0 01383 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "p@\0\351.\7\0\0S\350o\14\0\0j\1\213\360\350f\14\0\09]\350PVu\13\377\25Xr@\0\351\6\13\0\0\377\254r@\0\351\373\12\0\0S\350`\14\0\0j1\213\360\350W\14\0\0j"\213\330\350N\14\0\0SVh\24\220@\0h@\240@\0\213\370\377\25\364q@\0\203\304\20j\354\350\276\365\377\377\212\7\377u\350\366\330\33\300h\0XC\0#\307P\212\6\366\330\33\300S#\306P\377u\370\377\25\q@\0\203\370!\17\215\230\12\0\0\351>\10\0\0S\350\370\13\0\0\213\360Vj\353\350\322.\0\0h\0XC\0V\350\2543\0\0;\303\211E\10\17\204\30\10\0\09]\344tF\2135\374p@\0\353\7j\17\350B>\0\0jd\377u\10\377\326=\2\1\0\0t\353\215E\314P\377u\10\377\25\0q@\09]\340|\13\377u\314W\350::\0\0\353\149]\314t\7\307E\374\1\0\0\0\377u\10\377\25`p@\0\351\24\12\0\0j\2\350x\13\0\0P\350\210=\0\0;\303\211E\10t\23\213\330\377s\24W\350\3779\0\0\377s\30\351?\366\377\377\210\36\210\37\351\217\7\0\0\215E\250j\356\211E\10\350B\13\0\0\215M\320\211E\324QP\350\223L\0\0\210\36;\303\211E\370\210\37\307E\374\1\0\0\0\17\204\264\11\0\0Pj@\377\25\370p@\0;\303\211E\314\17\204\240\11\0\0P\377u\370S\377u\324\350VL\0\0\205\300t4\215E\274P\215E\10Ph\20\220@\0\377u\314\3507L\0\0\205\300t\33\213E\10\377p\10V\350t9\0\0\213E\10\377p\14W\350h9\0\0\211]\374\377u\314\351\5\374\377\3773\377h\1\200\0\0G\211}\374\377\25\4q@\09\35\320\364B\0\17", ) 
\213\330\350N\14\0\0SVh\24\220@\0h@\240@\0\213\370\377\25\364q@\0\203\304\20j\354\350\276\365\377\377\212\7\377u\350\366\330\33\300h\0XC\0#\307P\212\6\366\330\33\300S#\306P\377u\370\377\25\q@\0\203\370!\17\215\230\12\0\0\351>\10\0\0S\350\370\13\0\0\213\360Vj\353\350\322.\0\0h\0XC\0V\350\2543\0\0;\303\211E\10\17\204\30\10\0\09]\344tF\2135\374p@\0\353\7j\17\350B>\0\0jd\377u\10\377\326=\2\1\0\0t\353\215E\314P\377u\10\377\25\0q@\09]\340|\13\377u\314W\350::\0\0\353\149]\314t\7\307E\374\1\0\0\0\377u\10\377\25`p@\0\351\24\12\0\0j\2\350x\13\0\0P\350\210=\0\0;\303\211E\10t\23\213\330\377s\24W\350\3779\0\0\377s\30\351?\366\377\377\210\36\210\37\351\217\7\0\0\215E\250j\356\211E\10\350B\13\0\0\215M\320\211E\324QP\350\223L\0\0\210\36;\303\211E\370\210\37\307E\374\1\0\0\0\17\204\264\11\0\0Pj@\377\25\370p@\0;\303\211E\314\17\204\240\11\0\0P\377u\370S\377u\324\350VL\0\0\205\300t4\215E\274P\215E\10Ph\20\220@\0\377u\314\3507L\0\0\205\300t\33\213E\10\377p\10V\350t9\0\0\213E\10\377p\14W\350h9\0\0\211]\374\377u\314\351\5\374\377\3773\377h\1\200\0\0G\211}\374\377\25\4q@\09\35\320\364B\0\17", ) == 0x0 01384 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "W\213\360\350\222\12\0\09]\354\211E\10t\15V\377\25\10q@\0\213\370;\373u\15V\377\25\14q@\0\213\370;\373te\377u\10W\377\25\20q@\0\213\360;\363t=9]\344\211]\374t\27\377u\344\350\336\363\377\377\377\326\205\300t1\307E\374\1\0\0\0\353(h\0\220@\0h@\260@\0h\0\0C\0h\0\4\0\0\377u\370\377\326\203\304\24\353\12\377u\10j\367\350\375,\0\09]\350u\24W\377\25\24q@\0\353\13j\366\353\2j\347\350\216\363\377\377S\377\25\4q@\0\351\211\10\0\0j\360\350\355\11\0\0j\337\211E\320\350\343\11\0\0j\2\213\360\350\332\11\0\0j\315\211E\324\350\320\11\0\0jE\211E\314\350\306\11\0\0V\211E\274\350w4\0\0\205\300u\7j!\350\262\11\0\0\215E\10Ph t@\0j\1Sh0t@\0\377\25xr@\0;\303\17\214\330\0\0\0\213E\10\215U\370Rh@t@\0\213\10P\377\21\213\370;\373\17\214\260\0\0\0\213E\10VP\213\10\377QP\213\370\213E\10h\0XC\0P\213\10\377Q$\213M\354\276\377\0\0\0\213\301\301\370\10#\306t\15\213M\10PQ\213\21\377R<\213M\354\213E\10\301\371\20\213\20QP\377R4\213E\3148\30t\22\213U\354\213E\10#\326\213\10R\377u\314P\377QD\213E\10\377u\324\213\10P\377Q,\213E\10\377u\274\213\10P\377Q\34;\373|-\276@\224@\0h\0\4\0\0Vj\377\377u\320f\211\35@\224@\0SS\377\25\30q@\0\213E\370j\1VP\213\10\377Q\30\213\370\213E\370P\213\10\377Q\10\213E\10P\213\10\377Q\10;\373}\23\307E\374\1\0\0\0j\360\350;\362\377\377\351=\7\0\0j\364", ) , ) == 0x0 01385 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\211}\10\350\222\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3247\0\0V\210\8\1\350\3127\0\0\277@\244@\0j\370W\210\0\1\350\3057\0\0VW\350\2707\0\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350$+\0\0\215E\234P\377\25`q@\0\205\300\17\204\303\6\0\0Sj\371\350\12+\0\0\351a\4\0\0=\15\360\255\13t\35h\20\0 \0j\350S\350p7\0\0P\350H0\0\0\270\377\377\377\177\351\235\6\0\0\377\5\264\364B\0\351\207\6\0\03\3663\377;\303t\10S\350\344\7\0\0\213\3609]\340t\11j\21\350\326\7\0\0\213\3709]\354t\11j"\350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j"\3509\7\0\0\213M\354\203\341\2QP\377u\340\350\360\7\0\0P\350c\7\0\0\213\370;\373\17\204\256\5\0\0\351T\3\0\0P\350\325\7\0\0\213u\354\213\370\213E\360j\2\211E\320\350\374\6\0\0j\21\211E\274\350\362\6\0\0\215M\10SQSj\2SSSPW\307E\374\1\0\0\0\377\25 p@\0\205\300\17\205e\5\0\0\203\376\1\277@\244@\0u\16j#\350\277\6\0\0W\350\206\0\0@\203\376\4u\16j\3\350\217\6\0\0V\243@\244@\0", ) \350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\211}\10\350\222\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3247\0\0V\210\8\1\350\3127\0\0\277@\244@\0j\370W\210\0\1\350\3057\0\0VW\350\2707\0\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350$+\0\0\215E\234P\377\25`q@\0\205\300\17\204\303\6\0\0Sj\371\350\12+\0\0\351a\4\0\0=\15\360\255\13t\35h\20\0 \0j\350S\350p7\0\0P\350H0\0\0\270\377\377\377\177\351\235\6\0\0\377\5\264\364B\0\351\207\6\0\03\3663\377;\303t\10S\350\344\7\0\0\213\3609]\340t\11j\21\350\326\7\0\0\213\3709]\354t\11j"\350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j"\3509\7\0\0\213M\354\203\341\2QP\377u\340\350\360\7\0\0P\350c\7\0\0\213\370;\373\17\204\256\5\0\0\351T\3\0\0P\350\325\7\0\0\213u\354\213\370\213E\360j\2\211E\320\350\374\6\0\0j\21\211E\274\350\362\6\0\0\215M\10SQSj\2SSSPW\307E\374\1\0\0\0\377\25 p@\0\205\300\17\205e\5\0\0\203\376\1\277@\244@\0u\16j#\350\277\6\0\0W\350\206\0\0@\203\376\4u\16j\3\350\217\6\0\0V\243@\244@\0", ) , ) == 0x0 01386 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "S\377u\350\350\264\12\0\0PW\377u\320S\377u\274\377u\10\377\25\4p@\0\205\300u\3\211]\374\377u\10\351\321\0\0\0h\31\0\2\0\350B\7\0\0j3\213\370\350]\6\0\0;\373\210\36\17\204\223\2\0\0\215M\314\307E\314\377\3\0\0Q\215M\10VQSPW\377\25\0p@\03\311A\205\300u7\203}\10\4t\339M\10t\6\203}\10\2u&9]\354t\3\211M\374\213E\314\210\340\353r9]\354u\7\307E\374\1\0\0\0\3776V\350\2354\0\0\353\\210\36\211M\374\353Uh\31\0\2\0\350\307\6\0\0j\3\213\370\350\305\5\0\0;\373\210\36\17\204\30\2\0\09]\354\271\377\3\0\0\211M\10t\14QVPW\377\25\10p@\0\353\31SSS\215M\10SQVPW\377\25\14p@\0\205\300\17\205\346\1\0\0\210\236\377\3\0\0W\377\25\34p@\0\351)\4\0\08\36\17\204!\4\0\0V\350>4\0\0P\351\366\371\377\377j\355\350y\5\0\0\377u\344\377u\340P\350\1771\0\0\203\370\377\17\204\242\1\0\0P\351E\360\377\3779]\344t\21j\1\3505\5\0\0\242@\240@\03\300@\353\15j\21\350A\5\0\0P\350\2224\0\08\36\17\204s\1\0\0\215M\10SQPh@\240@\0V\350\3323\0\0P\377\25$q@\0\351D\360\377\377j\2\211]\324\350\357\4\0\0\203\370\1\211E\370\17\214\225\3\0\0\271\377\3\0\0;\301~\3\211M\3708\36\17\204\216\0\0\0V\210]\13\350\2333\0\09]\370\211E\314~}\213u\324\215E\320SP\215E\367j\1P\377u\314\377\25(q@\0\205\300te\203}\320\1u_9]\350u!\200}\13\15t+\200}\13\12t%\212E\367", ) , ) == 0x0 01387 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "u\370|\276\3539\17\266E\367PW\350(3\0\0\351"\3\0\0\212E\3678E\13t\16<\15t\4<\12u\6\210\4>F\353\23j\1Sj\377\377u\314\377\250q@\0\353\3\213u\324\210\34>;\363\351\201\357\377\3778\36\17\204\336\2\0\0\377u\350Sj\2\350!\4\0\0PV\350\3572\0\0P\377\250q@\09]\340\17\214\274\2\0\0\351]\2\0\08\36\17\204\257\2\0\0V\350\3142\0\0P\377\254q@\0\351\235\2\0\08\37t\30\215\205\\376\377\377PW\350\2572\0\0P\377\258q@\0\205\300u?\307E\374\1\0\0\0\210\36\351s\2\0\0j\2\350\327\3\0\0\215\215\\376\377\377QP\377\253\0\0\212E\3678E\13t\16<\15t\4<\12u\6\210\4>F\353\23j\1Sj\377\377u\314\377\250q@\0\353\3\213u\324\210\34>;\363\351\201\357\377\3778\36\17\204\336\2\0\0\377u\350Sj\2\350!\4\0\0PV\350\3572\0\0P\377\250q@\09]\340\17\214\274\2\0\0\351]\2\0\08\36\17\204\257\2\0\0V\350\3142\0\0P\377\254q@\0\351\235\2\0\08\37t\30\215\205\\376\377\377PW\350\2572\0\0P\377\258q@\0\205\300u?\307E\374\1\0\0\0\210\36\351s\2\0\0j\2\350\327\3\0\0\215\215\\376\377\377QP\377\250\203\370\377u\20\210\37\210\36\307E\374\1\0\0\0\351I\2\0\0PW\350L2\0\0\215\205\210\376\377\377PV\351[\1\0\0S\307E\314f\375\377\377\350\223\3\0\0\213\360V\350E.\0\0\205\300Vt\15\276@\240@\0V\350\2742\0\0\353 h\0TC\0h@\240@\0\350\2532\0\0P\350\262-\0\0P\350\2732\0\0\276@\240@\0V\350\3204\0\0j\2h\0\0\0@V\350X/\0\0\203\370\377\211E\10\17\204\242\0\0\0\241,\364B\0\2135\370p@\0Pj@\211E\324\377\326\213\370;\373t{S\350\234\11\0\0\377u\324W\350a\11\0\0\377u\344j@\377\326\213\360;\363\211u\320t4\377u\344VS\377u\340\350\30\7\0\0\353\30\213\16\213F\4\203\306\10Q\3\307VP\211M\310\350\320.\0\0\3u\3108\36u\344\377u\320\377\25\364p@\0\215E\274SP\377u\324W\377u\10\377\25$q@\0W\377\25\364p@\0SS\377u\10j\377\350\314\6\0\0\211E\314", ) == 0x0 01388 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\09]\314j\363_}\21j\357_V\377\25@q@\0\307E\374\1\0\0\0W\351\307\371\377\377S\350V\2\0\0;\5L\364B\0\211E\10\17\203\244\376\377\377\213\360\213E\344i\366\30\4\0\0\35H\364B\0;\303|\27\213\14\206u\17\203\306\30VW\350\2011\0\0\351\320\0\0\0Q\353t\203\311\377+\310\211M\344t\14j\1\350\12\2\0\0\211E\340\353\20\377u\354\215F\30P\350y1\0\0\200N\11\1\213E\344\213M\340\211\14\2069]\350\17\204\225\0\0\0\377u\10\350\333\350\377\377\351\210\0\0\0S\350\320\1\0\0\203\370 \17\203$\376\377\3779]\350t#9]\344t\17P\350\323\351\377\377SS\350"\351\377\377\353`S\350\15\352\377\377PW\350]0\0\0\353Q9]\344t\22\213\25(\364B\0\213M\340\211\214\202\224\0\0\0\353:\213\15(\364B\0\377\264\201\224\0\0\0W\350\3650\0\0\353%\213\15\240\270B\0S#\310Qj\13\377u\370\377\25351\377\377\353`S\350\15\352\377\377PW\350]0\0\0\353Q9]\344t\22\213\25(\364B\0\213M\340\211\214\202\224\0\0\0\353:\213\15(\364B\0\377\264\201\224\0\0\0W\350\3650\0\0\353%\213\15\240\270B\0S#\310Qj\13\377u\370\377\2509]\334t\13SS\377u\370\377\258r@\0\213E\374\1\5\250\364B\03\300_^[\311\302\4\0:)@\0\223\24@\0\237\24@\0\272\24@\0\334\24@\0\30\25@\02\25@\0\207\25@\0\267\25@\0\325\25@\0Z\26@\0@\25@\0V\25@\0w\25@\0k\26@\0\377\26@\0c\27@\0\212\27@\0\235\27@\0L\31@\0O\31@\0\201\31@\0\226\31@\0\250\31@\0)\32@\0Z\32@\0\221\32@\0\303\32@\0P\33@\0q\33@\0\31\34@\0\31\34@\0\333\34@\0\370\34@\0\23\35@\02\35@\0\216\35@\0\10\36@\04\36@\0\234\36@\0\33\37@\0K\37@\0\334\37@\0\246 @\0\366!@", ) == 0x0 01389 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0*#@\0\206#@\0*$@\0\245$@\0\6%@\0\32%@\0<%@\0\204%@\0I&@\0x&@\0\222&@\0\274&@\0\372&@\0!(@\0\247(@\0/)@\0/)@\0\12)@\0\344\32@\0\350\32@\0\354\32@\0\363\32@\0\0\33@\0\4\33@\0\10\33@\0\14\33@\0\25\33@\0\37\33@\0,\33@\0D\33@\0H\33@\0\213D$\4\213\15<\224@\0\3774\201j\0\350l/\0\0P\350\273.\0\0\302\4\0V\213t$\10\205\366W\213\306}\2\367\330\213\25<\224@\0\213\310\203\341\17\301\370\4\3774\212\301\340\12\5@\234@\0P\3506/\0\0\205\366\213\370}\6W\350D1\0\0\213\307_^\302\4\0U\213\354\201\354\14\1\0\0SV\215E\374WP3\333j\10S\377u\14\377u\10\377\25\20p@\0;\303uM\2135\10p@\0\277\5\1\0\0\353\319]\20uB\215\205\364\376\377\377SP\377u\374\350\271\377\377\377\205\300u\22\215\205\364\376\377\377WPS\377u\374\377\326\205\300t\325\377u\374\377\25\34p@\0\377u\14\377u\10\377\25\24p@\0_^[\311\302\14\0\377u\374\377\25\34p@\03\300@\353\353\213D$\4\205\300u\12\241\244\364B\0\5\1\0\0\200\302\4\0U\213\354\215E\10P\377u\10j\0j"\350\21\377\377\377P\241<\224@\0\377p\4\350\312\377\377\377P\377\25\20p@\0\367\330\33\300\367\320#E\10]\302\4\0U\213\354\201}\14\20\1\0\0VW\213}\10\276\23\1\0\0u\33j\0h\372\0\0\0j\1W\377\25\344q@\0\213E\24\211u\14\243H\260@\09u\14uN\213\15PLA\0\241X\214B\0;\310|\2\213\310Pj", ) \350\21\377\377\377P\241<\224@\0\377p\4\350\312\377\377\377P\377\25\20p@\0\367\330\33\300\367\320#E\10]\302\4\0U\213\354\201}\14\20\1\0\0VW\213}\10\276\23\1\0\0u\33j\0h\372\0\0\0j\1W\377\25\344q@\0\213E\24\211u\14\243H\260@\09u\14uN\213\15PLA\0\241X\214B\0;\310|\2\213\310Pj", ) == 0x0 01390 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "A\0\3775H\260@\0V\377\25\364q@\0\203\304\14VW\377\25\350q@\0Vh\6\4\0\0W\350\223&\0\0j\5W\377\25Xr@\0_3\300^]\302\20\0U\213\354\203\354,SV3\366W\211u\374\377\25\234p@\0\211u\364\211u\370\276\0\C\0h\0\4\0\0V\213\370\3775 \364B\0\201\307\350\3\0\0\377\25\230p@\0j\3h\0\0\0\200V\350/*\0\0\213\330\203\373\377\211]\360\211\35 \220@\0u\12\270x\221@\0\351\37\2\0\0V\350\222(\0\0j\0S\377\25\224p@\0\205\300\243X\214B\0\213\360\17\216)\1\0\0\241,\364B\0\213\336\367\330\33\300%\0~\0\0\5\0\2\0\0;\360|\2\213\330ShX\14B\0\350\16\4\0\0\205\300\17\204f\1\0\03\3009\5,\364B\0u\177j\34\215E\324hX\14B\0P\350\217)\0\0\213M\324\367\301\360\377\377\377\17\205\232\0\0\0\201}\330\357\276\255\336\17\205\215\0\0\0\201}\344Inst\17\205\200\0\0\0\201}\340softuw\201}\334Nullun\213E\354;\306\17\217\377\0\0\0\11M\10\213\25PLA\0\366E\10\10\211\25,\364B\0u\6\366E\10\4uq\377E\370\215p\374;\336v>\213\336\353:\366E\10\2u49E\374t\10P\350\233/\0\0\353'\377\25\234p@\0;\307v\35h\\221@\0h\253+@\0j\0jo\3775 \364B\0\377\25\334q@\0\211E\374;5X\214B\0}\21ShX\14B\0\377u\364\350\217/\0\0\211E\364\1\35PLA\0+\363\205\366\17\217\346\376\377\377\203}\374\0t\11\377u\374\377\25\340q@\03\3779=,\364B\0tZ9}\370t"\3775PLA\0\350", ) \3775PLA\0\350", ) == 0x0 01391 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\2\0\0\205\300t;\213E\364;E\370u3\377u\350j@\377\25\370p@\0\213\360\241,\364B\0\203\300\34P\350\361\2\0\0\377u\350VWj\377\350\207\0\0\0;E\350t\37V\377\25\364p@\0\270(\220@\0\353m\203}\374\0t\363\377u\374\377\25\340q@\0\353\350\366E\10\2\2115(\364B\0t\3\203\16\10\213\6\203\340\30\366E\324\1\243\300\364B\0\213\6\2430\364B\0t\6\377\54\364B\0j\10\215FDY\203\350\10\10Iu\370j\1WW\377u\360\377\250q@\0\211F<\203\306\4j@Vh@\364B\0\350\330'\0\03\300_^[\311\302\4\0U\213\354\203\354XSV\213u\24W\213}\20\211u\370\205\377u\7\307E\370\0\200\0\0\203e\374\0\211}\364\205\377u\7\307E\364X\214A\0\213E\10\205\300|\16\213\15x\364B\0\3\310Q\350\32\2\0\0\215E\24j\4P\350\335\1\0\0\205\300\17\204\200\1\0\0\366E\27\200\17\204_\1\0\0\213\35\234p@\0\377\323\203%|\265@\0\0\203%x\265@\0\0\201e\24\377\377\377\177\211E\360\270\0\314@\0\307\5`\260@\0\10\0\0\0\243\10LA\0\243\4LA\0\213E\24\307\5\0LA\0\0LA\0\211E\10\17\216r\1\0\0\276\0@\0\09u\24}\3\213u\24\277XLA\0VW\350c\1\0\0\205\300\17\204\6\1\0\0)u\24\211=P\260@\0\2115T\260@\0\213}\364\213E\370hP\260@\0\211=X\260@\0\243\\260@\0\350\1.\0\0\205\300\211E\350\17\214\262\0\0\0\2135X\260@\0+\367\377\323\366\5\240\222@\0\1\213\370tC+E\360=\310\0\0\0w\6\203}\24\0u3\213E\10\377u\10+E\24jdP", ) , ) == 0x0 01392 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\221@\0P\377\25\364q@\0\203\304\14\215E\250Pj\0\350f\35\0\0\211}\3603\300;\360tI9E\20u P\215E\354PV\377u\364\377u\14\377\25$q@\0\205\300t=9u\354u8\1u\374\353\30)u\370\1u\374\241X\260@\0\203}\370\1\211E\364\17\214\201\0\0\0\203}\350\1\17\2055\377\377\377\353u9E\24\17\217\372\376\377\377\353jj\374\353\35j\376\353\31\205\377tS9u\24}\3\213u\24VW\350Y\0\0\0\205\300uHj\375X\353I\213u\3709u\24}\3\213u\24\277XLA\0VW\3509\0\0\0\205\300t\340\215E\20j\0PVW\377u\14\377\25$q@\0\205\300t\260;u\20u\253\1u\374)u\24\203}\24\0\177\277\353\3\211u\374\213E\374_^[\311\302\20\0U\213\354V\213u\14\215E\14j\0PV\377u\10\3775 \220@\0\377\25(q@\0\205\300t\129u\14u\53\300@\353\23\300^]\302\10\0j\0j\0\377t$\14\3775 \220@\0\377\250q@\0\302\4\0V\276\0dC\0V\350\331*\0\0V\350\20$\0\0\205\300u\2^\303V\350\230#\0\0j\0V\377\25\210p@\0Vh\0PC\0\350w%\0\0^\303\201\354|\1\0\0SUV3\366W\211t$\30\275@\222@\0\306D$\20 \377\250p@\0V\377\25pr@\0\243\320\364B\0V\215D$0h`\1\0\0PVh`\230B\0\377\25Xq@\0h0\222@\0h \354B\0\350#(\0\0\273\0dC\0Sh\0\4\0\0\377\25\264p@\0\350d\377\377\377\205\300u$h\373\3\0\0S\377\25\260p@\0h(\222@\0S\350\16(\0\0\350D\377\377\377\205\300\17\204<\1", ) , ) == 0x0 01393 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \243 \364B\0\213\307u\12\306D$\20 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) , ) == 0x0 01394 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0W\350\324%\0\0\353\6W\350 !\0\0h\30\222@\0V\350\335%\0\0\377t$\24V\350\323%\0\0h\20\222@\0V\350\310%\0\0WV\350\301%\0\0V\350\254 \0\0SV\350 \36\0\0\205\300t\11P\377\25`p@\03\355\376\5\240\221@\0\377D$\20\203|$\20\32\17\214\26\377\377\377\351\310\376\377\377\203=\264\364B\0\0\17\204\216\0\0\0\276\0\222@\0h\354\221@\0V\350g(\0\0h\324\221@\0V\213\350\350Z(\0\0h\274\221@\0V\213\370\350M(\0\03\366\213\330;\356tH;\376tD;\336t@\215D$\24Pj(\377\25\240p@\0P\377\325\205\300t,\215D$ Ph\250\221@\0V\377\327VV\215D$$VPV\377t$(\307D$4\1\0\0\0\307D$@\2\0\0\0\377\323Vj\2\377\25\34r@\0\205\300u\7j\11\350\13\337\377\377\241\314\364B\0\203\370\377t\4\211D$\30\377t$\30\377\25\250p@\0\241 \220@\0\203\370\377t\16P\377\25`p@\0\203\15 \220@\0\377j\7h\0hC\0\350\334\35\0\0\303\203\354\24SUV\2135(\364B\0Wh\364r@\0h\310\222@\0\350\220'\0\03\333;\303t\22\377\320\17\267\300Ph\0`C\0\350\305#\0\0\353H\277\240\250B\0\307\5\0`C\00x\0\0WSh\314r@\0h\1\0\0\200\3509#\0\08\35\240\250B\0u\25Wh\304r@\0h\234r@\0h\3\0\0\200\350\34#\0\0Wh\0`C\0\3509$\0\0\350K\2\0\0\2410\364B\0\275\0TC\0\203\340 U\243\240\364B\0\350\355\37\0\0\205\300\17\205\200\0\0\0\213NH;\313ty\213VL\241X\364B\0\277\300", ) , ) == 0x0 01395 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "D\350\311"\0\0\240\300\343B\0:\303tT<"u\17\277\301\343B\0j"W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) \0\0\240\300\343B\0:\303tT< (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "D\350\311"\0\0\240\300\343B\0:\303tT<"u\17\277\301\343B\0j"W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ 
SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) == 0x0 01396 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\14\334\377\3773\300_^][\203\304\24\303SUVW\277\0`C\0\273\377\377\0\0W\3500!\0\0\2135d\364B\0\205\366tE\213\15(\364B\0\213Id\213\321\17\257\316\367\332\3\15`\364B\0\3\312Nf\213)f3\350#\353f\205\355t\6\205\366u\354\353\31\213Q\2\211\25\0\354B\0\213Q\6\211\25\310\364B\0\215Q\12\205\322u\22f\201\373\377\377u\7\273\377\3\0\0\353\2433\333\353\237\211\25\374\353B\0\17\267\1PW\350\246 \0\0j\376h \354B\0\350^!\0\0P\3775\200\250B\0\377\25\350q@\0\241L\364B\0\2135H\364B\0\205\300t\33\213\370\213\6\205\300t\12P\215F\30P\3500!\0\0\201\306\30\4\0\0Ou\347_^][\303\203\354\20\271\20\1\0\0SU\213l$ V;\351W\17\204s\1\0\0\201\375\10\4\0\0\17\204g\1\0\0\213\$$\203\375Gu\253\300j\23PPPPS\3775\200\250B\0\377\25|q@\0\203\375\5u\30\213D$,H\367\330\33\300#\305P\3775\200\250B\0\377\25Xr@\0\201\375\15\4\0\0u\32\3775\370\353B\0\377\25\340q@\0\213D$,\243\370\353B\0\351\17\4\0\0\203\375\21u\23j\0j\0S\377\25(r@\03\300@\351\36\4\0\0\203\375\20u3\241D\364B\0H9\5\204\222@\0\17\205\310\0\0\0\3775h\230B\0\377\25xq@\0\205\300\17\205\264\0\0\0\275\21\1\0\0\307D$,\1\0\0\0\201\375\21\1\0\0\17\205\233\0\0\0\17\267t$,VS\377\25$r@\0\213\35, ) , ) == 0x0 01397 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\0~:j\377\353\34\203\376\2u1\203=\254\364B\0\0t\25V\350\364\331\377\377\2115p\234B\0jx\350s\3\0\0\353(j\3\350\336\331\377\377\205\300u\35\211=p\234B\0\353\344\377t$0\377t$0h\21\1\0\0\3775\370\353B\0\377\323\377t$0\377t$0U\350\311\3\0\0\351,\3\0\0\213D$,\213\$$;\351\243\214\250B\0uM\2135$r@\0j\1S\211\35$\364B\0\377\326j\2S\243\234\250B\0\377\326j\377j\34S\243h\230B\0\350"\3\0\0\3775\10\354B\0j\362S\377\25tq@\0j\4\350Y\331\377\377\243\354\353B\03\300@\243\214\250B\0\213\15\204\222@\03\377\213\361\301\346\6\35@\364B\0;\317|>\203\370\1u1W\377v\20\350\204\330\377\377\205\300t$j\1Wh\17\4\0\0\3775\370\353B\0\377\25\17\204w\2\0\0h\13\4\0\0\350\354\2\0\0\241\214\250B\0\1\5\204\222@\0\301\340\6\3\360\241\204\222@\0;\5D\364B\0u\7j\1\350\311\330\377\377\203=\354\353B\0\0\17\205\367\1\0\0\241D\364B\09\5\204\222@\0\17\203\346\1\0\0\377v$\213~\24h\0pC\0\350\210\36\0\0\377v h\31\374\377\377S\350@\2\0\0\377v\34h\33\374\377\377S\3502\2\0\0\377v(h\32\374\377\377S\350$\2\0\0j\3S\377\25$r@\0\203=\254\364B\0\0\213\350t\10f\201\347\375\376\203\317\4\213\307\203\340\10PU\377\25Xr@\0\213\307%\0\1\0\0PU\377\254r@\0\213\307\203\340\2P\350\3\2\0\0\203\347\4W\3775h\230B\0\377\254r@\03\377", ) \3\0\0\3775\10\354B\0j\362S\377\25tq@\0j\4\350Y\331\377\377\243\354\353B\03\300@\243\214\250B\0\213\15\204\222@\03\377\213\361\301\346\6\35@\364B\0;\317|>\203\370\1u1W\377v\20\350\204\330\377\377\205\300t$j\1Wh\17\4\0\0\3775\370\353B\0\377\2503\3009=\354\353B\0\17\224\300\351\201\2\0\09>\17\204w\2\0\0h\13\4\0\0\350\354\2\0\0\241\214\250B\0\1\5\204\222@\0\301\340\6\3\360\241\204\222@\0;\5D\364B\0u\7j\1\350\311\330\377\377\203=\354\353B\0\0\17\205\367\1\0\0\241D\364B\09\5\204\222@\0\17\203\346\1\0\0\377v$\213~\24h\0pC\0\350\210\36\0\0\377v 
h\31\374\377\377S\350@\2\0\0\377v\34h\33\374\377\377S\3502\2\0\0\377v(h\32\374\377\377S\350$\2\0\0j\3S\377\25$r@\0\203=\254\364B\0\0\213\350t\10f\201\347\375\376\203\317\4\213\307\203\340\10PU\377\25Xr@\0\213\307%\0\1\0\0PU\377\254r@\0\213\307\203\340\2P\350\3\2\0\0\203\347\4W\3775h\230B\0\377\254r@\03\377", ) == 0x0 01398 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "r@\0\377\3259=\254\364B\0t\23Wj\2h\1\4\0\0S\377\325\3775h\230B\0\353\6\3775\234\250B\0\350\315\1\0\0\275\240\250B\0h \354B\0U\350\240\35\0\0\377v\30U\350\255\35\0\0\3\305P\350\261\35\0\0US\377\25\350q@\0W\377v\10\350\20\327\377\377\205\300\17\205\276\376\377\3779\6\17\204\266\376\377\377\203~\4\5u\359\5\254\364B\0\17\205\21\1\0\09\5\240\364B\0\17\205\230\376\377\377\351\0\1\0\0\3775\370\353B\0\377\25\340q@\0\2115x\240B\0\203>\0\17\216\300\0\0\0\213F\4V\3774\205\210\222@\0f\213\6f\3\5\0\354B\0S\17\267\300P\3775 \364B\0\377\25\334q@\0\205\300\243\370\353B\0\17\204\215\0\0\0\377v,j\6P\350\332\0\0\0\215D$\20Ph\372\3\0\0S\377\25$r@\0P\377\25pq@\0\215D$\20PS\377\25lq@\03\377j\25WW\377t$ \377t$ W\3775\370\353B\0\377\25|q@\0W\377v\14\350<\326\377\377j\10\3775\370\353B\0\377\25Xr@\0h\5\4\0\0\350\306\0\0\0\353 \3775\370\353B\0\377\25\340q@\0\3775p\234B\0\203%$\364B\0\0S\377\25\264q@\0\203=\240\270B\0\0u\34\203=\370\353B\0\0t\23j\12S\377\25Xr@\0\307\5\240\270B\0\1\0\0\03\300_^][\203\304\20\302\20\0\203|$\4xu\6\377\5\354\353B\0j\0\377t$\10h\10\4\0\0\3775$\364B\0\377\25, ) , ) == 0x0 01399 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\3775$\364B\0\377\25\17\276\7\211E\24\213C\24\377u\10\203e\370\0\213\360G\367\326\301\356\5\203\346\1\203\340\1\211}\364\307E\374\327>@\0\13\360\350L\376\377\377\377s8j#\377u\10\350?\376\377\3773\300j\1\205\366\17\224\300\5\12\4\0\0P\377u\10\377\25\220q@\0V\350C\376\377\377h\350\3\0\0\377u\10\377\25$r@\0\213\330S\350@\376\377\377\213517\276\7\211E\24\213C\24\377u\10\203e\370\0\213\360G\367\326\301\356\5\203\346\1\203\340\1\211}\364\307E\374\327>@\0\13\360\350L\376\377\377\377s8j#\377u\10\350?\376\377\3773\300j\1\205\366\17\224\300\5\12\4\0\0P\377u\10\377\25\220q@\0V\350C\376\377\377h\350\3\0\0\377u\10\377\25$r@\0\213\330S\350@\376\377\377\21354\0\0S\377\326\241(\364B\0\213@h\205\300}\11\367\330P\377\25\200q@\0Pj\0hC\4\0\0S\377\326h\0\0\1\4j\0hE\4", ) == 0x0 01400 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "W\350\353\31\0\0Pj\0h5\4\0\0S\377\326\215E\364P\377u\24hI\4\0\0S\377\326\203%\210\250B\0\03\300\351a\1\0\0\201}\14\21\1\0\0\213\35$r@\0\2135, ) , ) == 0x0 01401 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0U\213\354\203\354H\241x\240B\0SV\211E\340\213p<\213@8\301\346\12\201\306\0\0C\0\201}\14\13\4\0\0W\211E\370\273\373\3\0\0u\15VS\350\206\20\0\0V\350\330\31\0\0\201}\14\20\1\0\0uxS\377u\10\377\25$r@\0V\213\370\350\372\22\0\0\205\300t\20V\350\27\23\0\0\205\300u\6V\350z\22\0\0\213E\10VW\243\370\353B\0\377\25\350q@\0\213E\24\377p4j\1\377u\10\3505\373\377\377\213E\24\377p0j\24\377u\10\350%\373\377\377W\350T\373\377\377h\214r@\0h\200r@\0\350;\32\0\0\205\300\17\204+\2\0\0j\1W\377\320\201}\14\21\1\0\0\17\205\306\0\0\0\17\267E\20;\303u\30\213M\20\301\351\20f\201\371\0\3\17\205\0\2\0\0\307E\14\17\4\0\0=\351\3\0\0\17\205\233\0\0\0j\73\300Y\215}\274\377u\370\363\253\213E\10\277\240\250B\0hx\234B\0\211E\270\211}\300\307E\314\373D@\0\211u\320\350\326\26\0\0\211E\304\215E\270P\307E\310A\0\0\0\377\25Tq@\0\205\300tMP\350\363\16\0\0V\350\235\21\0\0\241(\364B\0\213\200\34\1\0\0\205\300t Pj\0\350\233\26\0\0W\277\300\343B\0W\377\25\244p@\0\205\300t\7WV\350}\26\0\0\377\5\220\250B\0VS\377u\10\350/\17\0\0\353\7\307E\14\17\4\0\0\201}\14\17\4\0\0t\15\201}\14\5\4\0\0\17\205=\1\0\0\203e\374\0\203e\370\0VS\203\317\377\350\4\17\0\0V\350\7\22\0\0\205\300u\7\307E\374\1\0\0\0V\276p\230B\0V\350\3\26\0\0V\350\235\21\0\0\205\300t\3\200 \0h\340\222@\0h\310\222@\0\350\372\30\0\0", ) , ) == 0x0 01402 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "Q\215M\354Q\215M\330QV\377\320\205\300t\17\213}\330\213E\334\17\254\307\12\301\350\12\353/\215E\334P\215E\364P\215E\350P\215E\360PV\377\25\274p@\0\205\300t\33\213E\360S\17\257E\350\377u\364P\377\25,q@\0\213\370\307E\370\1\0\0\0j\5\350\272\1\0\0;\370s\7\307E\374\2\0\0\0\213\15\374\353B\03\3669q\20t+Pj\373h\377\3\0\0\350\340\0\0\09u\370t\13Wj\374S\350\322\0\0\0\353\16h`\230B\0S\377u\10\350\32\16\0\0\213E\374;\306\243\304\364B\0u\12j\7\350^\317\377\377\211E\374\213E\340\205X\24t\3\211u\3743\3009u\374\17\224\300P\350\27\371\377\3779u\374u\1595\220\250B\0u\5\350\266\374\377\377\2115\220\250B\0\377u\24\377u\20\377u\14\3506\371\377\377_^[\311\302\20\0U\213\354\203}\14\1V\2135, ) , ) == 0x0 01403 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "V\377u\10\3775\370\353B\0\350\252\14\0\0_^[\311\302\14\0\213\25L\364B\0\213\15H\364B\03\300\205\322t\30V\366A\10\1t\7\213t$\10\3\4\261\201\301\30\4\0\0Ju\352^\302\4\0U\213\354\203\3548V\2135, ) , ) == 0x0 01404 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\2370j\25\377u\10\350\267\365\377\377\377t\2374j\26\377u\10\350\251\365\377\3773\3773\3339=L\364B\0\17\216\304\0\0\0\213E\344\215P\10\211U\354\215B\20\2008\0\17\204\220\0\0\0\211E\310\213\2j \213\320Y\211]\260#\321\307E\264\2\0\377\377\250\2\307E\270\15\0\0\0\211M\304\211}\334\211U\300t8\215E\260\307E\270M\0\0\0Pj\0h\0\21\0\0\307E\330\1\0\0\0\377u\374\377\326\213\15\230\250B\0\307E\350\1\0\0\0\211\4\271\241\230\250B\0\213\34\270\353.\250\4t\21Sj\3h\12\21\0\0\377u\374\377\326\213\330\353\31\215E\260Pj\0h\0\21\0\0\377u\374\377\326\213\15\230\250B\0\211\4\271\213U\354G\201\302\30\4\0\0;=L\364B\0\211U\354\17\214K\377\377\377\203}\350\0u\31j\360\377u\374\377\25\204q@\0$\373Pj\360\377u\374\377\25(r@\0\203}\364\0u\30j\5\377u\370\377\25Xr@\0\377u\370\350\330\364\377\377\351\203\3\0\0\377u\374\350\313\364\377\377\213]\3443\377\201}\14\5\4\0\0u\223\311\211}\20A\307E\14\17\4\0\0\211M\24\353\3\213M\24\203}\14N\270\23\4\0\0t\119E\14\17\205\347\0\0\09E\14\211M\364t\15\201y\4\10\4\0\0\17\205\322\0\0\0\366\51\364B\0\2uv9E\14t\11\213M\24\203y\10\376uh3\3119E\14\17\225\301Q\377u\374\350\242\374\377\377;\307|S\213\310i\311\30\4\0\0\215T\31\10\213\12\366\301\20u@\366\301@t\24\201\361\200\0\0\0\204\311y\5\203\311\1\353\10\203\341\376\353\3\203\361\1P\211\12\350\241\307\377\377\2410\364B\03\311\367\320A\307E\14\17\4\0\0\301\350\10#\301\211M", ) , ) == 0x0 01405 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\201x\10n\376\377\377u\16\377p\Wh\31\4\0\0\377u\374\377\326\213E\364\201x\10j\376\377\377u(\203x\14\2u\22\213@\i\300\30\4\0\0\215D\30\10\203\10 \353\20\213@\i\300\30\4\0\0\215\\30\10\203#\337\201}\14\21\1\0\0urf\201}\20\371\3\17\205H\2\0\0\213E\20\301\350\20f=\1\0\17\2058\2\0\0WWhG\1\0\0\377u\370\377\326\203\370\377\17\204#\2\0\0WPhP\1\0\0\377u\370\377\326\213\330\203\373\377t\10\213E\3609<\230u\3j [S\350\360\307\377\377SWh \4\0\0\377u\10\377\326\307E\20\1\0\0\0\211}\24\307E\14\17\4\0\0\201}\14\0\2\0\0u\14WWh\0\2\0\0\377u\374\377\326\201}\14\13\4\0\0u2\241\204\250B\0;\307t\7P\377\25,p@\0\241\230\250B\0;\307t\7P\377\25\364p@\0\211=\204\250B\0\211=\230\250B\0\211=\200\364B\0\201}\14\17\4\0\0\17\205G\1\0\0WW\350\305\306\377\3779}\20t\7j\10\350\332\310\377\3779}\24t?\3775\230\250B\0\350\234\307\377\377\213\330S\350K\307\377\3773\3003\311;\337~\16\213U\3609<\202t\1A@;\303|\362WQhN\1\0\0\377u\370\377\326\211]\24\307E\14 \4\0\0WW\350n\306\377\377\241\230\250B\09=L\364B\0\211E\344\241H\364B\0\307E\3100\360\0\0\211}\364\17\216\234\0\0\0\215X\10\213E\344\213M\364\213\4\210;\307tt\213\13\211E\300\366\305\1\307E\274\10\0\0\0t\21\215C\20\307E\274\11\0\0\0\211E\314\200c\1\376\366\301@t\5j\3X\353\16\213\301\203\340\1@\366\301\20t\3\203\300\3\213\321\377u\300\301", ) , ) == 0x0 01406 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\3\300\203\342 \203\341\1\13\302A\211E\304Qh\2\21\0\0\377u\374\377\326\215E\274PWh\15\21\0\0\377u\374\377\326\377E\364\201\303\30\4\0\0\213E\364;\5L\364B\0\17\214g\377\377\377j\1W\377u\374\377\258r@\0\241\374\353B\09x\20t\24j\5\350\271\371\377\377Pj\373h\377\3\0\0\350\367\370\377\377\201}\14 \4\0\0u5\366\51\364B\0\1t,3\300\203}\24 \2135Xr@\0\17\224\300\301\340\3\213\370W\377u\374\377\326Wh\376\3\0\0\377u\10\377\25$r@\0P\377\326\377u\24\377u\20\377u\14\350t\361\377\377_^[\311\302\20\0U\213\354\201}\14\2\1\0\0SVu\33\203}\20 \17\205\212\0\0\0h\23\4\0\0\3500\361\377\3773\300\351\222\0\0\0\203}\14\2u\7\203\15\234\222@\0\377\201}\14\0\2\0\0\276\31\4\0\0u\36\377u\10\377\25\240q@\0\205\300tQj\1\377u\10\350+\371\377\377\213\330\211u\14\353\3\213]\249u\14u;9\35\234\222@\0t3W\276\0\0C\0\277\240\250B\0VW\211\35\234\222@\0\350\224\14\0\0SV\350\353\13\0\0j\6\350\273\306\377\377WV\350\177\14\0\0_\353\3\213]\24S\377u\20\377u\14\377u\10\3775\224\250B\0\377\25\234q@\0^[]\302\20\0U\213\354\203\3540\241\4\354B\0S3\333V;\303W\211E\374\17\204\260\0\0\0\241\240\222@\0\276\200\240B\0\213\370\211E\370\203\347\1u\11\377u\10V\350G\14\0\0V\3505\14\0\09]\14\211E\10t\33\377u\14\350%\14\0\0\3E\10=\0\10\0\0ss\377u\14V\350\30\14\0\0\366E\370\4t\15V\3775\350\353B\0\377\25\350q@\0\366E", ) , ) == 0x0 01407 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "u\344\377u\374\2135, ) , ) == 0x0 01408 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\364B\0\2u\15j\10\377u\374\377\25Xr@\0\353\6\211\35\360\353B\0h\354\3\0\0\377u\10\377\327h\0\00u\213\370Sh\1\4\0\0W\377\326\366\50\364B\0\4\17\204\361\1\0\0\377u\20Sh\11\4\0\0W\377\326\377u\14Sh\1 \0\0W\377\326\351\324\1\0\0\201}\14\5\4\0\0u(\215E\10PSh\354\3\0\0\377u\10\377\25$r@\0PhPN@\0SS\377\25\310p@\0P\377\25`p@\0\201}\14\21\1\0\0\2135Xr@\0u\33f\201}\20\3\4u5S\3775\360\353B\0\377\326j\10W\377\326\350\336\360\377\377\201}\14\4\4\0\0uU9\35\354\353B\0t&jx\307\5p\234B\0\2\0\0\0\350\302\354\377\377\377u\24\377u\20\377u\14\350B\355\377\377_^[\311\302\20\0j\10\3775$\364B\0\377\3269\35\254\364B\0u\16\241x\240B\0S\377p4\350o\374\377\377j\1\350\206\354\377\377\203}\14{u\2769}\20u\271SSh\4\20\0\0W\377\25, ) , ) == 0x0 01409 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0V\350\351\7\0\0\3\360f\307\6\15\12FFC;]\14|\331\377u\10\377\25\300p@\0\377u\10j\1\377\25\250q@\0\377\25\244q@\03\300\351\260\376\377\377U\213\354Q\215E\374P\377\25Lq@\0\213E\374\205\300t\22\377u\10\213\10P\377Q\24\213E\374P\213\10\377Q\10\311\302\4\0U\213\354\203\354\20\377u\14\307\5\250\310B\0D\0\0\0\377\25\200p@\03\311\203\370\377t\4\250\20u\3\211M\14\215E\360Ph\250\310B\0\377u\14QQQQQ\377u\10Q\377\25\314p@\0\205\300t\14\377u\364\377\25`p@\0\213E\360\311\302\10\0\377%\304q@\0h\0\4\0\0\377t$\14\377t$\14\3775\370\353B\0\377\25\310q@\0\302\10\0\213D$\10\213\310\201\341\377\377\37\0\203=\300\364B\0\0t\5\301\350\25u%\203=\310\364B\0\0t\6\201\361\0\0\30\0Qh 
\354B\0\377t$\14\3775$\364B\0\377\25\314q@\0\302\10\0U\213\354\201\354H\1\0\0VW\213}\10W\350\227\2\0\0\366E\14\10\211E\370t\27W\377\25@q@\0\367\330\33\300@\1\5\250\364B\0\351\221\1\0\0S\213]\14\203\343\1\211]\374t\22\205\300\17\204"\1\0\0\366E\14\2\17\204\30\1\0\0\276\250\270B\0WV\350`\6\0\0\205\333t\15h\0\223@\0V\350m\6\0\0\353\6W\350\235\1\0\0h\20\220@\0W\350Z\6\0\0W\350N\6\0\0\213\330\215\205\270\376\377\377PV\3\337\377\25\1\0\0\2008\0t\11\200}\350\0t\3\215u\350\200>.u\21\212F\1\204\300tm<.u\6\200", ) \1\0\0\366E\14\2\17\204\30\1\0\0\276\250\270B\0WV\350`\6\0\0\205\333t\15h\0\223@\0V\350m\6\0\0\353\6W\350\235\1\0\0h\20\220@\0W\350Z\6\0\0W\350N\6\0\0\213\330\215\205\270\376\377\377PV\3\337\377\250\203\370\377\211E\10\17\204\274\0\0\0\215\205\344\376\377\377j?P\215\265\344\376\377\377\350>\1\0\0\2008\0t\11\200}\350\0t\3\215u\350\200>.u\21\212F\1\204\300tm<.u\6\200", ) == 0x0 01410 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213\205\270\376\377\377\250\20t\25\213E\14\203\340\3<\3uH\377u\14W\350\0\377\377\377\353=$\376PW\377\25\214p@\0W\377\25@q@\0\205\300u 
\366E\14\4t\22Wj\361\350<\371\377\377j\0W\350\331\2\0\0\353\20\377\5\250\364B\0\353\10Wj\362\350"\371\377\377\215\205\270\376\377\377P\377u\10\377\258q@\0\205\300\17\205M\377\377\377\377u\10\377\254q@\0\203}\374\0t\4\200c\377\03\366[9u\374tS9u\370u\10\377\5\250\364B\0\353FW\350\16\10\0\0\205\300t371\377\377\215\205\270\376\377\377P\377u\10\377\258q@\0\205\300\17\205M\377\377\377\377u\10\377\254q@\0\203}\374\0t\4\200c\377\03\366[9u\374tS9u\370u\10\377\5\250\364B\0\353FW\350\16\10\0\0\205\300t350<\0\0\0h\200\0\0\0W\377\25\214p@\0W\377\25\320p@\0\205\300u\27\366E\14\4t\313Wj\361\350\255\370\377\377VW\350K\2\0\0\353\10Wj\345\350\234\370\377\377_^\311\302\10\0V\213t$\10V\350\376\4\0\0\3\306PV\377\25\320q@\0\2008\t\13h\20\220@\0V\350\352\4\0\0\213\306^\302\4\0\213D$\4\353\15:L$\10t\15P\377\25\24r@\0\212\10\204\311u\355\302\10\0V\213t$\10V\350\267\4\0\0\3\306\2008\t\14PV\377\25\320q@\0;\306w\357\200 \0^\302\4\0\213L$\4\212\1\14 f\2019\\t\2212177\6\200y\1:t\43\300\353\33\300@\302\4\0SV\2135\24r@\0W\213|$\20W\377\326\213\330S\377\326\200?\0t\14f\201;:\u\5P\377\326\353!f\201?\\u\30j\2^j\PN\350_\377\377\377\2008\0t\7@\205\366u\355\353\23\300_^[\302\4\0VW\377t$\14\276\250\274B\0V\350\2\4\0\0V\350\234\377\377\377\213\370\205\377u\43\300\353RW\350(\6\0\0\366\50\364B", ) == 0x0 01411 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "t\343+\376\353\24\350\245\6\0\0\205\300t\5\366\0\20t\321V\350\25\377\377\377V\350\321\3\0\0;\307V\177\341\350\276\376\377\377V\377\25\200p@\03\311\203\370\377\17\225\301\213\301_^\302\4\0SVW\377t$\24\350\245\3\0\0\213\370\213t$\20\353"\377t$\24\212\347\200$7\0V\377\25\244p@\0\205\300\210\347t\33V\377\25\24r@\0\213\360V\350u\3\0\0;\307}\3243\300_^[\302\10\0\213\306\353\366\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25\200p@\0\213\310j\0A\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\324p@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\234p@\0j\323\322Y\367\361V\215E\10j\0P\377u\14\0U\12\377\25\330p@\0\205\300u\15\205\377u\320\200&\0_^]\302\10\0\213\306\353\366SUVWh0\223@\0h\310\222@\0\350\270\5\0\0\205\300\213t$\30t\21j\5V\377t$\34\377\320\205\300\17\205F\1\0\0\213\35pp@\0\307\50\312B\0NUL\0\205\366\277\0\4\0\0\2750\312B\0t&j\1j\0V\3505\377\377\377P\377\25`p@\0WUV\377\323\205\300\17\204\20\1\0\0;\307\17\217\10\1\0\0\276\250\304B\0WV\377t$\34\377\323\205\300\17\204\363\0\0\0;\307\17\217\353\0\0\0VUh(\223@\0h\250\300B\0\377\25\364q@\0\203\304\20\213\330h\360\3\0\0V\377\25\260p@\0h\30\223@\0V\350\31\2\0\03\300Ph\200\0\0\10j\4PPh\0\0\0\300V\377\25\324p", ) 
\377t$\24\212\347\200$7\0V\377\25\244p@\0\205\300\210\347t\33V\377\25\24r@\0\213\360V\350u\3\0\0;\307}\3243\300_^[\302\10\0\213\306\353\366\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25\200p@\0\213\310j\0A\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\324p@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\234p@\0j\323\322Y\367\361V\215E\10j\0P\377u\14\0U\12\377\25\330p@\0\205\300u\15\205\377u\320\200&\0_^]\302\10\0\213\306\353\366SUVWh0\223@\0h\310\222@\0\350\270\5\0\0\205\300\213t$\30t\21j\5V\377t$\34\377\320\205\300\17\205F\1\0\0\213\35pp@\0\307\50\312B\0NUL\0\205\366\277\0\4\0\0\2750\312B\0t&j\1j\0V\3505\377\377\377P\377\25`p@\0WUV\377\323\205\300\17\204\20\1\0\0;\307\17\217\10\1\0\0\276\250\304B\0WV\377t$\34\377\323\205\300\17\204\363\0\0\0;\307\17\217\353\0\0\0VUh(\223@\0h\250\300B\0\377\25\364q@\0\203\304\20\213\330h\360\3\0\0V\377\25\260p@\0h\30\223@\0V\350\31\2\0\03\300Ph\200\0\0\10j\4PPh\0\0\0\300V\377\25\324p", ) == 0x0 01412 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0j\0U\377\25\224p@\0\213\370\215D\37\12Pj@\377\25\370p@\0\213\360\205\366to\215D$\30j\0PWVU\377\25(q@\0\205\300t[;|$\30uUh\14\223@\0V\350\374\375\377\377\205\300uZ\215\4>h\14\223@\0P\350\205\1\0\0\203\307\12\213\307S\3\306h\250\300B\0P\350#\376\377\3773\300PPPU\377\250q@\0\215D$\30j\0\3\373PWVU\377\25$q@\0V\377\25\364p@\0U\377\25`p@\0\377\5\260\364B\0_^][\302\10\0\203\300\12h\10\223@\0P\350\220\375\377\377\205\300t\245@\215\24>;\302\213\310s\15\212\21\210\24\31A\215\24>;\312r\363+\306\353\214U\213\354S\215E\14V\213u\243\333Ph\31\0\2\0S\377u\14\210\36\377u\10\377\25\20p@\0\205\300u>\215E\10\307E\10\0\4\0\0P\215E\24VPS\377u\20\377u\14\377\25\0p@\0\205\300u\14\203}\24\1t\10\203}\24\2t\2\210\36\377u\14\210\236\377\3\0\0\377\25\34p@\0^[]\302\20\0\377t$\10h\20s@\0\377t$\14\377\25\364q@\0\203\304\14\302\10\0U\213\354Q\213M\10SVW3\377\2009-\307E\374\1\0\0\0\260\12\2639u\5A\203M\374\377\20090u\34A\212\21\200\3720|\11\200\3727\177\4\260\10\2637\200\342\337\200\372Xu\3\260\20A\17\276\21A\203\3720|\14\17\276\363;\326\177\5\203\3520\353\31<\20u!\213\362\203\346\337\203\376A|\27\203\376F\177\22\203\342\7\203\302\11\17\276\360\17\257\367\3\362\213\376\353\306\213E\374\17\257\307_^[\311\302\4\0h\0\4\0\0\377t$\14\377t$\14\377\25\270p@\0\302\10\0\377%\334", ) , ) == 0x0 01413 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\203\354\30S\213]\14VW\205\333}\21\213\15\374\353B\0\215\4\235\4\0\0\0+\310\213\31\241X\364B\0\213M\10\3\330\270\300\343B\0+\310\213\370\201\371\0\10\0\0\17\203\264\1\0\0\213}\10\203e\10\0\351\250\1\0\0\213\327+\320\201\372\0\4\0\0\17\215\245\1\0\0C\200\371\374\17\206\201\1\0\0\17\276C\1\17\276\13\213\360\213\321\203\346\177\203\342\177\301\346\7\13\362\272\0\200\0\0\211M\350\211E\360\13\312\13\302C\211M\354C\200}\17\376\211E\364\17\205\365\0\0\0\203e\14\0\200'\0j\4^9u\360u\11\307E\14\234\223@\0\353x\213E\350\203\370+u\27Wh\214\223@\0h`\223@\0h\2\0\0\200\350\0\376\377\377\353T\203\370&u+WhP\223@\0h`\223@\0h\2\0\0\200\350\344\375\377\377\200?\0\17\205\223\0\0\0h<\223@\0W\350\334\376\377\377\353$\203\370%u\16h\0\4\0\0W\377\25\344p@\0\353\21\203\370$u\21h\0\4\0\0W\377\25\260p@\0\200?\0u]\203=\244\364B\0\0u\3j\2^\215E\374NP\377t\265\350\3775$\364B\0\377\25dq@\0\205\300u\35W\377u\374\377\25Pq@\0\377u\374\211E\370\350\324\366\377\377\203}\370\0u\11\353\3\200'\0\205\366u\303\200?\0t\17\203}\14\0t\11\377u\14W\350p\376\377\377W\350\212\0\0\0\353F\200}\17\375u.\203\376\33u\16\3775$\364B\0W\350\223\375\377\377\353\21\213\306\301\340\12\5\0\0C\0PW\350"\376\377\377\203\306\353\203\376\6s\24\353\304\200}\17\377u\14\203\310\377+\306PW\350(\376\377\377W\350\26\376\377\377\3\370\270\300\343B\0\353\15u\10\212\13\210\17GC\353\3\210\17G\212\13\204", ) \376\377\377\203\306\353\203\376\6s\24\353\304\200}\17\377u\14\203\310\377+\306PW\350(\376\377\377W\350\26\376\377\377\3\370\270\300\343B\0\353\15u\10\212\13\210\17GC\353\3\210\17G\212\13\204", ) == 0x0 01414 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\203}\10\0_^[t\11P\377u\10\350\310\375\377\377\311\302\10\0SV\213t$\14W\200>\u\25\200~\1\u\17\200~\2?u\11\200~\3\u\3\203\306\4\200>\0t\14V\350\21\371\377\377\205\300t\2FF\212\6\213\336\204\300\213\376t9U\213-\24r@\0<\37v"Ph\310\223@\0\350\252\370\377\377\2008\0u\22V\377\325+\306PVW\350\21\372\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317]\200'\0WS\377\25\320q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^[\302\4\0SV\2135\4q@\0Wh\1\200\0\0\377\326\277\360\310B\0W\377t$\24\377\25310\223@\0\350\252\370\377\377\2008\0u\22V\377\325+\306PVW\350\21\372\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317]\200'\0WS\377\25\320q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^[\302\4\0SV\2135\4q@\0Wh\1\200\0\0\377\326\277\360\310B\0W\377t$\24\377\250\213\330\377\326\203\373\377t\13S\377\254q@\0\213\307\353\23\300_^[\302\4\0\377t$\4\377\25\10q@\0\205\300u\16\377t$\4\377\25\14q@\0\205\300t\13\377t$\10P\377\25\20q@\0\302\10\0U\213\354\203\354\34V\213u\10W\213=\330q@\0\353\12\215E\344P\377\25\324q@\0j\1VV\215E\344j\0P\377\327\205\300u\346_^\311\302\4\0\203=4\316B\0\0Vu-3\311j\10\213\301^\213\320\200\342\1\366\332\33\322\201\342 \203\270\355\321\3503\302Nu\352\211\4\2150\316B\0A\201\371\0\1\0\0|\325\213T$\20\213D$\10\205\322\367\320v#\213L$\14W\17\2669\213\360\201\346\377\0\0\03\367\301\350\10\2134\2650\316B\03\306AJu\343_\367\320^\302\14\0U\213\354\203\354D\213E\10SVW\213\10\215p\20\213@\4\211M\310\213\216\250\233\0\0\213\236\30\5\0\0\211E\314\213\206\34\5\0\0\211E\300\213\206\244\233\0\0;\310\211M\320s", ) == 0x0 01415 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "+\301\211E\324\351\303\11\0\0\377$\205\10h@\0\203}\314\0\17\204\302\11\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213E\300\203\353\3\301m\300\3\203\340\7\213\310\200\341\1\366\331\33\311\203\341\7\321\350\203\301\10\203\350\0\211\216\24\5\0\0\17\204.\1\0\0HtVHtHH\17\205]\11\0\0\203\317\377\307\6\21\0\0\0\213E\300\213M\10\211\206\34\5\0\0\213E\314\211\236\30\5\0\0\211A\4\213E\10\213M\310P\211\10\213M\320\211\216\250\233\0\0\350\240\11\0\0\213\307_^[\311\302\4\0\307\6\13\0\0\0\351\21\11\0\0\200=\270\343B\0\0\17\205\240\0\0\0\203e\370\0\2708\322B\0=t\324B\0\261\10~\24=8\326B\0}\4\376\301\353\11=\230\326B\0}\2\261\7\17\276\311\211\10\203\300\4=\270\326B\0|\324\215E\370\2778\322B\0Ph8\333B\0h\370\223@\0h4\322B\0hhs@\0h(s@\0h\1\1\0\0h \1\0\0W\350\200\11\0\0j\36Yj\5X\363\253\215E\370Ph8\333B\0h\374\223@\0h0\322B\0h\344s@\0h\250s@\0j\0j\36h8\322B\0\350M\11\0\0\376\5\270\343B\0\240\370\223@\0\210F\20\240\374\223@\0\210F\21\2414\322B\0\211F\24\2410\322B\0\211F\30\203&\0\351<\10\0\0\213\313\307\6\11\0\0\0\203\341\7\323m\300+\331\351'\10\0\0\203}\314\0\17\204-\10\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\20r\333\213E\3003\333%\377\377\0\0\211]\300;\303\211F\4\17\204\351\0\0\0j\12X\351\347\0\0\0\203}\314\0\17\204\350\7\0", ) , ) == 0x0 01416 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\213\216\240\233\0\0\213U\320;\321u)\213\206\244\233\0\0\215\276\240\33\0\0;\307t\31\213\327;\320\211U\320s\5+\302H\353\4+\312\213\301\205\300\211E\324ub\377u\10\211\226\250\233\0\0\350\4\10\0\0\213\226\250\233\0\0\213\216\244\233\0\0;\321\211U\320s\7\213\301+\302H\353\10\213\206\240\233\0\0+\302\213\276\240\233\0\0\211E\324;\327u\35\215\226\240\33\0\0;\321t\23\211U\320s\7+\312I\213\301\353\4+\372\213\307\211E\324\205\300\17\204a\7\0\0;E\314r\3\213E\314\213N\4;\310\213\371r\2\213\370W\377u\310\377u\320\350\325\365\377\377\1}\310)}\314\1}\320)}\324)~\4\17\205\1\7\0\0\213\206\24\5\0\0\211\6\351\364\6\0\0\203}\314\0\17\204\372\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\16r\333\213E\300%\377?\0\0\213\310\211F\4\203\341\37\200\371\35\17\207Y\375\377\377%\340\3\0\0=\240\3\0\0\17\207I\375\377\377\301m\300\16\203\353\16\203f\10\0\307\6\14\0\0\0\213F\4\301\350\12\203\300\49F\10si\353 \203}\314\0\17\204\213\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213N\10\213E\300\203\340\7\203\353\3\17\276\211\24s@\0\301m\300\3\211D\216\14\213N\4\377F\10\213F\10\301\351\12\203\301\4;\301r\315\353\22\213F\10\17\276\200\24s@\0\203d\206\14\0\377F\10\203~\10\23r\350\215M\370\215\276\14\5\0\0Q\215\216 \5\0\0Q\215\216\20\5\0\03\300WQP\211E\370Pj\23\215F\14j\23P\307\7\7\0\0\0\350\310\6\0\0\205\300u\229\7t\16!F\10\307", ) , ) == 0x0 01417 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\21\0\0\0\351\304\5\0\0\213\206\14\5\0\0\353 \203}\314\0\17\204\302\5\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213\216\20\5\0\0\215\4\201\17\266P\1\17\267@\2\203\370\20\211E\354s\26\213\312+\332\323m\300\213N\10\211D\216\14\377F\10\351\254\0\0\0\203\370\22u\14j\7\307E\370\13\0\0\0X\353,\203\300\362\307E\370\3\0\0\0\353 \203}\314\0\17\204G\5\0\0\213M\310\377M\314\17\2669\213\313\323\347\11}\300\377E\310\203\303\10\215\14\20;\331r\331\213\312+\332\323m\300\17\267\14E\324\223@\0#M\300\213U\370+\330\3\321\213\310\213F\4\323m\300\213N\10\213\370\301\357\5\203\347\37\203\340\37\215\204\7\2\1\0\0\215<\12;\370\17\207|\373\377\377\203}\354\20u\17\203\371\1\17\202m\373\377\377\213|\216\10\353\23\377\215D\216\14\2118A\203\300\4Ju\367\211N\10\213F\4\213N\10\213\320\203\340\37\301\352\5\203\342\37\215\204\2\2\1\0\0;\310\17\202\316\376\377\377\213F\4\203\246\20\5\0\0\0\203e\364\0\213\370\301\350\5\203\347\37\271\1\1\0\0\203\340\37\3\371@\215U\364\211E\354\215\206 \5\0\0RP\215E\374\307E\374\11\0\0\0P\215E\350Phhs@\0h(s@\0Q\215F\14WP\307E\360\6\0\0\0\350\33\5\0\0\203}\374\0u\3\203\310\377\205\300\17\205\312\372\377\377\215E\364P\215\206 \5\0\0P\215E\360P\215E\344Ph\344s@\0h\250s@\0j\0\377u\354\215D\276\14P\350\336\4\0\0\205\300\17\205\226\372\377\377\213E\360\205\300u\14\201\377\1\1\0\0\17\217\203\372\377\377\212M\374\203&\0\210", ) , ) == 0x0 01418 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "N\20\211F\30\17\266F\20\211F\14\213F\24\211F\10\307\6\1\0\0\0\213F\14\353 \203}\314\0\17\204\266\3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\205\311u\22\17\267@\2\211F\10\307\6\6\0\0\0\351Y\3\0\0\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\4\307\6\2\0\0\0\351<\3\0\0\366\301@\17\204\321\0\0\0\366\301 \17\204\315\371\377\377\307\6\7\0\0\0\351\37\3\0\0\213F\10\353 \203}\314\0\17\204 \3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\324\223@\0#M\300\1N\4\213\310\323m\300+\330\17\266F\21\211F\14\213F\30\211F\10\307\6\3\0\0\0\213F\14\353 \203}\314\0\17\204\317\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\14\307\6\4\0\0\0\351k\2\0\0\366\301@\17\205\5\371\377\377\211N\14\17\267H\2\215\4\210\211F\10\351P\2\0\0\213F\10\353 \203}\314\0\17\204Q\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\324\223@\0#M\300\1N\14\213\310\323m\300+\330\307\6\5\0\0\0\213E\320\213V\14\213\310+\316\201\351\240\33\0\0;\312s\23\213\216\240\233\0\0+\312+\316\215\214\1`\344\377\377\353\4\213\310+\312\203~\4\0\211M\340\17", ) , ) == 0x0 01419 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\221\0\0\0\213\276\240\233\0\0;\307u#\213\216\244\233\0\0\215\226\240\33\0\0;\312t\23\213\302;\301s\7+\310I\213\371\353\2+\370\205\377ud\377u\10\211\206\250\233\0\0\350\11\2\0\0\213\206\250\233\0\0\213\216\244\233\0\0;\301\211E\320s\7\213\371+\370O\353\10\213\276\240\233\0\0+\370\213\226\240\233\0\0;\302\211U\370u\37\215\226\240\33\0\0;\312t\25\213\302;\301\211E\320s\7+\310I\213\371\353\5\213}\370+\370\205\377\17\204d\1\0\0\213M\340\212\21\210\20@AO;\216\240\233\0\0\211E\320\211M\340\211}\324u\11\215\216\240\33\0\0\211M\340\377N\4\17\205:\377\377\377\351\302\370\377\377\213E\324\213}\320\205\300\17\205\221\0\0\0\213\216\240\233\0\0;\371u#\213\206\244\233\0\0\215\226\240\33\0\0;\302t\23\213\372;\370s\5+\307H\353\4+\317\213\301\205\300ud\377u\10\211\276\250\233\0\0\3508\1\0\0\213\276\250\233\0\0\213\216\244\233\0\0;\371\211}\320s\7\213\301+\307H\353\10\213\206\240\233\0\0+\307\213\226\240\233\0\0;\372\211U\370u\37\215\226\240\33\0\0;\312t\25\213\372;\371\211}\320s\7+\317I\213\301\353\5\213E\370+\307\205\300\17\204\223\0\0\0\212N\10\210\17GH\211}\320\211E\324\351\21\370\377\377\203\373\7v\11\203\353\10\377E\314\377M\310\213E\320\377u\10\211\206\250\233\0\0\350\261\0\0\0\213\216\250\233\0\0\213\226\244\233\0\0;\312\211M\320s\7\213\302+\301H\353\10\213\206\240\233\0\0+\301;\312\211E\324u9\213\206\24\5\0\0\203\370\10\211\6u3\213\6\203\370\17\17\2062\366\377\377\351\223\366\377\377\213E\3003\377\211\206\34\5\0\0\213E\10\211\236\30\5\0\0\211x\4", ) , ) == 0x0 01420 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "3\377G\351q\366\377\377\5d@\0\30d@\0\256d@\0\377d@\0}e@\0\301e@\0\307f@\0xg@\01^@\0\306_@\0\353_@\0\371`@\08a@\0\33c@\0p^@\0\206g@\0SV\213t$\14W\213\276\264\233\0\0\213\236\270\233\0\0;\373v\6\213\236\260\233\0\0\213F\14+\337;\330r\2\213\330SW\377v\10+\303\211F\14\350\15\356\377\377\1^\10\213\206\260\233\0\0\3\373;\370u\269\206\270\233\0\0\215\276\260\33\0\0u\271\211\276\270\233\0\0\353\261\211\276\264\233\0\0_^[\302\4\0U\213\354\201\354\354\0\0\0SV\213u\14Wj\203\300Y\215}\220\363\253\213M\10\213\326\213\1\203\301\4\215D\205\220\377\0Ju\3629u\220u\23\213E\34\203 \0\213E \203 \03\300\351\360\2\0\0\213u 3\333Cj\17\213>\213\313\211} Z3\3009D\215\220u\5A;\312v\363;\371\211M\374s\3\211M 9D\225\220u\3Ju\3679U \211U\350v\3\211U \213} \211>\323\343\353\15+\\215\220\17\210\237\2\0\0A\3\333;\312r\357\213\362\301\346\2\215L5\220\2139+\337\211]\320\17\210\202\2\0\0\3\373\211\205T\377\377\377\21193\311Jt\233\377\3L=\224\203\307\4J\211\214=T\377\377\377u\357\213]\103\377\213\13\203\303\4;\310t\23\215\214\215P\377\377\377\213\21\211<\225\270\326B\0B\211\21G;}\14r\336\213\2145P\377\377\377\213] \203M\364\377\203e\334\0\211M\14\213M\374\367\333;M\350\211E\370\211\205P\377\377\377\307E\340\270\326B\0\211\205\24\377\377\377\17\217\363\1\0\0\215Q\377\215L\215\220\211U\330\211M\344\213M\344\2131\205", ) , ) == 0x0 01421 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\213M N\3\313\211u\3249M\374\211M\354\17\216\314\0\0\0F\211u\360\213u\350\377E\364+u\354;u v\3\213u \213M\3743\322+M\354B\323\342;U\360v#\213}\344\203\310\377+E\324\3\320;\316s\24\353\15\203\307\4\3\322\213\7;\320v\7+\320A;\316r\356\213U(3\300@\213\22\323\340\211E\334\215<\2\201\377\240\5\0\0\17\207h\1\0\0\213E$\215\4\220\213U\364\215\264\225\24\377\377\377\213U(\211:\213U\364\205\322\211\6t1\213}\370\213v\374\211\274\225P\377\377\377\212U \210U\11\210M\10\213\327\213\313\323\352\213\310+\316\301\371\2+\312f\211M\12\213M\10\211\14\226\353\5\213M\34\211\1\213M\354\213\331\3M 9M\374\211M\354\17\2178\377\377\377\212M\374\213u\340*\313\210M\11\213M\14\215\14\215\270\326B\0;\361r\6\306E\10\300\353C\213\16;M\20s\34\201\371\0\1\0\0\17\222\301\376\311\203\341`\210M\10f\213\16\203\306\4\211u\340\353\34+M\20\213U\30\3\311\212\24\21\200\302P\203E\340\4\210U\10\213U\24f\213\14\21f\211M\12\213M\374\213U\3703\377+\313G\213\367\323\346\213\313\323\352\353\10\213M\10\211\14\220\3\326;U\334r\363\213M\330\213u\370\213\327\323\342\353\43\362\321\352\205\326u\370\213\3173\362\211M\360\213\313\213\327\211u\370\323\342J#\326\213\312\213U\364;\214\225P\377\377\377t\32+] \213\367J\213\313\323\346N#u\370;\264\225P\377\377\377u\351\211U\364\203}\324\0\17\205?\376\377\377\377E\374\203E\344\4\213M\374\377E\330;M\350\17\216\32\376\377\3773\3009E\320t\11\203}\350\1t\3\203\310\377_^[\311\302$\0\314\377%hr@\0\377%", ) , ) == 0x0 01422 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\236\200\0\0\262\200\0\0\220\200\0\0\200\200\0\0\6\201\0\0\366\200\0\0\344\200\0\0\326\200\0\0\304\200\0\0\0\0\0\08\201\0\0$\201\0\0\21\0\0\200N\201\0\0\0\0\0\0\314\177\0\0\274\177\0\0\254\177\0\0\226\177\0\0\200\177\0\0t\177\0\0d\177\0\0T\177\0\0\0\0\0\0.y\0\0y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0\340x\0\0\322x\0\0\304x\0\0\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0", ) y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0\340x\0\0\322x\0\0\304x\0\0\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0", ) == 0x0 01423 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "X}\0\0@}\0\0.}\0\0\36}\0\0\14}\0\0\0}\0\0\240~\0\0\360|\0\08|\0\0*|\0\0\30|\0\0\12|\0\0\2|\0\0\362{\0\0\340{\0\0\320{\0\0\276{\0\0\260{\0\0\240{\0\0\224{\0\0\210{\0\0|{\0\0v|\0\0\0\0\0\0\330\201\0\0\302\201\0\0\260\201\0\0\0\0\0\0\226\201\0\0\204\201\0\0p\201\0\0\0\0\0\0shlwapi.dll\0SHAutoComplete\0\0.DEFAULT\Control Panel\International\0\0\0\0Locale\0\0Control Panel\Desktop\ResourceLocale\0\0\0\0GetUserDefaultUILanguage\0\0\0\0%d\0\0\20\21\22\0\10\7\11\6\12\5\13\4\14\3\15\2\16\1\17\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\15\0\17\0\21\0\23\0\27\0\33\0\37\0#\0+\03\0;\0C\0S\0c\0s\0\203\0\243\0\303\0\343\0\2\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\1\0\1\0\2\0\2\0\2\0\2\0\3\0\3\0\3\0\3\0\4\0\4\0\4\0\4\0\5\0\5\0\5\0\5\0\0\0p\0p\0\0\0\1\0\2\0\3\0\4\0\5\0\7\0\11\0\15\0\21\0\31\0!\01\0A\0a\0\201\0\301\0\1\1\201\1\1\2\1\3\1\4\1\6\1\10\1\14\1\20\1\30\1 \10\1@\1`\0\0\0\0\0\0\0\0\1\0\1\0\2\0\2\0", ) , ) == 0x0 01424 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\6\0\6\0\7\0\7\0\10\0\10\0\11\0\11\0\12\0\12\0\13\0\13\0\14\0\14\0\15\0\15\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\13\1\0\0\0\0\0\0\300\0\0\0\0\0\0Fdu\0\0\0\0\0\0\0\0\0\0n{\0\0`p\0\0pv\0\0\0\0\0\0\0\0\0\0H\177\0\0lq\0\0@u\0\0\0\0\0\0\0\0\0\0\332\177\0\0y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0", ) y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0", ) == 0x0 01425 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0j|\0\0T|\0\0D|\0\0X}\0\0@}\0\0.}\0\0\36}\0\0\14}\0\0\0}\0\0\240~\0\0\360|\0\08|\0\0*|\0\0\30|\0\0\12|\0\0\2|\0\0\362{\0\0\340{\0\0\320{\0\0\276{\0\0\260{\0\0\240{\0\0\224{\0\0\210{\0\0|{\0\0v|\0\0\0\0\0\0\330\201\0\0\302\201\0\0\260\201\0\0\0\0\0\0\226\201\0\0\204\201\0\0p\201\0\0\0\0\0\0j\2MulDiv\0\0|\0DeleteFileA\0\311\0FindFirstFileA\0\0\323\0FindNextFileA\0\305\0FindClose\0\20\3SetFilePointer\0\0\253\2ReadFile\0\0\227\3WriteFile\0", ) , ) == 0x0 01426 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ProfileStringA\0\0\234\3WritePrivateProfileStringA\0\0k\2MultiByteToWideChar\0\357\0FreeLibrary\0\230\1GetProcAddress\0\0H\2LoadLibraryA\0\0w\1GetModuleHandleA\0\0\12\3SetErrorMode\0\0R\1GetExitCodeProcess\0\0\205\3WaitForSingleObject\0\356\1GlobalAlloc\0\365\1GlobalFree\0\0\262\0ExpandEnvironmentStringsA\0P\1GetEnvironmentVariableA\0\263\3lstrcmpA\0\0\266\3lstrcmpiA\0.\0CloseHandle\0\24\3SetFileTime\03\0CompareFileTime\0\320\2SearchPathA\0\255\1GetShortPathNameA\0a\1GetFullPathNameA\0\0d\2MoveFileA\0\377\2SetCurrentDirectoryA\0\0V\1GetFileAttributesA\0\0i\1GetLastError\0\0E\0CreateDirectoryA\0\0\16\3Se", ) , ) == 0x0 01427 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "tesA\0\0I\3Sleep\0[\1GetFileSize\0u\1GetModuleFileNameA\0\0\325\1GetTickCount\0\0:\1GetCurrentProcess\0=\0CopyFileA\0\257\0ExitProcess\0\10\1GetCommandLineA\0\351\1GetWindowsDirectoryA\0\0\313\1GetTempPathA\0\0\274\3lstrcpynA\0E\1GetDiskFreeSpaceA\0\0\2GlobalUnlock\0\0\371\1GlobalLock\0\0i\0CreateThread\0\0`\0CreateProcessA\0\0\272\2RemoveDirectoryA\0\0M\0CreateFileA\0\311\1GetTempFileNameA\0\0\277\3lstrlenA\0\0\260\3lstrcatA\0\0\271\1GetSystemDirectoryA\0KERNEL32.dll\0\0\310\0EndPaint\0\0\274\0DrawTextA\0\342\0FillRect\0\0\377\0GetClientRect\0\15\0BeginPaint\0\0\216\0DefWindowProcA\0\0:\2SendMessageA\0\0\223\1InvalidateRect\0\0\304\0", ) , ) == 0x0 01428 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\14\1GetDC\0\277\1LoadImageA\0\0\177\2SetWindowLongA\0\0\21\1GetDlgItem\0\0\255\1IsWindow\0\0\344\0FindWindowExA\0=\2SendMessageTimeoutA\0\325\2wsprintfA\0\221\2ShowWindow\0\0V\2SetForegroundWindow\0\3\2PostQuitMessage\0\205\2SetWindowTextA\0\0y\2SetTimer\0\0\231\0DestroyWindow\0U\0CreateDialogParamA\0\0\341\0ExitWindowsEx\0*\0CharNextA\0\236\0DialogBoxParamA\0\366\0GetClassInfoA\0`\0CreateWindowExA\0\230\2SystemParametersInfoA\0\25\2RegisterClassA\0\0\306\0EndDialog\00\2ScreenToClient\0\0t\1GetWindowRect\0F\2SetClassLongA\0\256\1IsWindowEnabled\0\202\2SetWindowPos\0\0Z\1GetSysColor\0n\1GetWindowLongA\0\0L\2SetCurso", ) , ) == 0x0 01429 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "orA\08\0CheckDlgButton\0\0<\1GetMessagePos\0\267\1LoadBitmapA\0\33\0CallWindowProcA\0\261\1IsWindowVisible\0B\0CloseClipboard\0\0I\2SetClipboardData\0\0\301\0EmptyClipboard\0\0\365\1OpenClipboard\0\243\2TrackPopupMenu\0\0\10\0AppendMenuA\0^\0CreatePopupMenu\0]\1GetSystemMetrics\0\0R\2SetDlgItemTextA\0\23\1GetDlgItemTextA\0\336\1MessageBoxA\0-\0CharPrevA\0\241\0DispatchMessageA\0\0\377\1PeekMessageA\0\0USER32.dll\0\0\16\2SelectObject\0\0<\2SetTextColor\0\0\26\2SetBkMode\0:\0CreateFontIndirectA\0)\0CreateBrushIndirect\0\217\0DeleteObject\0\0k\1GetDeviceCaps\0\25\2SetBkColor\0\0GDI32.dll\0\232\0SHFileOperatio", ) , ) == 0x0 01430 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "xecuteA\0\254\0SHGetFileInfoA\0\0y\0SHBrowseForFolderA\0\0\274\0SHGetPathFromIDListA\0\0\267\0SHGetMalloc\0\303\0SHGetSpecialFolderLocation\0\0SHELL32.dll\0\331\1RegEnumValueA\0\325\1RegEnumKeyA\0\354\1RegQueryValueExA\0\0\371\1RegSetValueExA\0\0\315\1RegCreateKeyExA\0\311\1RegCloseKey\0\322\1RegDeleteValueA\0\320\1RegDeleteKeyA\0\342\1RegOpenKeyExA\0ADVAPI32.dll\0\08\0ImageList_Destroy\04\0ImageList_AddMasked\07\0ImageList_Create\0\0COMCTL32.dll\0\0\20\0CoCreateInstance\0\0\4\1OleUninitialize\0\355\0OleInitialize\0ole32.dll\0\12\0VerQueryValueA\0\0\0\0GetFileVersionInfoA\0\1\0GetFileVersionInfoSizeA\0VE", ) , ) == 0x0 01431 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\240\364B\0m\23@\0\27\@\0\6\0\0\0\\0\0\0%s %s\0\0\0->\0\0\377\377\377\377\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC command line switch\12(NOT RECOMMENDED).\0verifying installer: %d%%\0\0\0Error launching installer\0\0\0... %d%%\0\0\0\0Au_.exe\0SeShutdownPrivilege\0AdjustTokenPrivileges\0\0\0LookupPrivilegeValueA\0\0\0OpenProc", ) , ) == 0x0 01432 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":\0\0\0\0\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177", ) \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. 
Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/ (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":\0\0\0\0\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177", ) , ) == 0x0 01433 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\3\0\0\0(\0\0\200\5\0\0\0@\0\0\200\16\0\0\0h\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\200\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0i\0\0\0\230\0\0\200j\0\0\0\260\0\0\200o\0\0\0\310\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0g\0\0\0\340\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\370\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0(\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\08\1\0\0H\201\3\0\350\2\0\0\0\0\0\0\0\0\0\00\204\3\0\0\1\0\0\0\0\0\0\0\0\0\00\205\3\0\34\1\0\0\0\0\0\0\0\0\0\0P\206\3\0`\0\0\0\0\0\0\0\0\0\0\0\260\206\3\0\24\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \0\0\0@\0\0\0\1\0\4\0\0\0\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\200\0\0\0\200\200\0\0\0\0\200\0\0\200\200\0\200\0\200\0\200\200\200\0\300\300\300\0\0\377\0\0\377\0\0\0\377\377\0\0\0\0\377\0\0\377\377\0\377\0\377\0\377\377\377\0\0\0\0\0\0\0\0\7w\0\0\0\0\0\0\0\0\0\0\0\0\0\7x\215\335\220\0\0\0\0\0\0x\370\360\0\0\177\217\210\335\231\220\0\0\0\0\0\177\217\200p\7\207\370\375\331\231\210\0\0\0\0\0x\370\360", ) , ) == 0x0 01434 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\177\217\200xw\207\207\370\331\210\213\260\0\0\0\0x\370\360\207xxxp\11\213\273\260\0\0\0\0\177\217\200xw\207\207\0\0\273\270\200\0\0\0\0x\370\360\207x\210\273\0\0xxp\0\0\0\0\177\217\200xx\273\211\260\7\207\207\200\0\0\0\0\177\377\360\207{\270\233\275\377xxp\0\0\0\0\177\377\360xw\211\273\275\370\367\207\0\0\0\0\0\177\377\360\207\207\233\273\335\217\217x\10\210\210\0\0\177\377\360\210\210{\275\335\210\370\360\0\0\210p\0\177\377\360\210\210\7}\335\210\200\7ww\210p\0\177\377\360\210\210\17\367ww\177\377\377\377\377p\0wwp\210\210\7wwwwwwwxp\0wwp\210\210\0\0\0\0\0\0\0\0\0\200\7\377\377\367\10\210\7\210\210\210\210\210\210\210\207\0wwwwp\210\7\377\377\377\377\377\377\377\207\0\0\0\7ww\10\7\360\0\0\0\0\0\17\207\0\0\0\0wwp\7\360\0\0\0\0\0\17\207\0\0\0\0\7\377\377\7\360\0\0\360\17\0\17\207\0\0\0\0\0wwp\360\0\0\360\17\0\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\17\377\360\0\0\17\207\0\0\0\0\0\0\0\7\360\0\377\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\377\377\377\377\377\377\377\207\0\0\0\0\0\0\0\0wwwwwwww\0\377\376\7\377\300\370\1\377\300p\0\377\300 \0\177\300\0\0\177\300\0\0?\300\0\0?\300\0`?\300\0`?\300\0\0?\300\0\0?\300\0\0\3\300\0\0\1\300\0\0\0\300\0\0\0\300\0\0\0\300\0\0\0", ) , ) == 0x0 01435 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\370\0\0\1\374\0\0\1\376\0\0\1\377\0\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\374\0\3\1\0\377\377\0\0\0\0\0\0\0\0H\10\312\200\6\0\0\0\0\0\30\1\242\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\3@\253\0\216\02\0\16\0\3\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\337\0\216\02\0\16\0\1\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\7\0\216\02\0\16\0\2\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\2P\7\0\212\0\13\1\1\0\377\377\377\377\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\2@\7\0\6\0\12\1\202\0\372\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\2X;\0\221\0l\0\10\0\4\4\0\0\377\377\202\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0H\4\0@\5\0\0\0\0\0\12\1\202\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\200P\30\0\12\0\361\0\13\0\354\3\0\0m\0s\0c\0t\0l\0s\0_\0p\0r\0o\0g\0r\0e\0s\0s\03\02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\0\0P\30\0\0\0\361\0\10\0\356\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\5@\201@\0\0\31\0\11\1h\0\370\3\0\0S\0y\0s\0L\0i\0s\0", ) , ) == 0x0 01436 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0P\0\0\0\0\26\0\24\0\7\4\0\0\377\377\202\0\377\377g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\0\0\34\0<\0\16\0\3\4\0\0\377\377\200\0\0\0\0\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0\310\10\0\200\1\0\0\0\0\0\242\0\26\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\1\0\2P\7\0\7\0\224\0\10\0\6\4\0\0\377\377\202\0\0\0\0\0\0\0\1\0\1\0 \20\0\1\0\4\0\350\2\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01437 744 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\360\10\0\0\370-\1\0C\2\0\200\355T1\213\23Q\20\236\23\357\270\313\31T\320\306\352\35x\210r\204;\5\11i$\354\255\30\3416\301DTH\341Kv\222[nw\337\343\355[\223t\301F+Q\301\306F\260\260\25+\261\260\272\342j\253\3m\374\11j#\26g\234\315f\2755\230\323\316\302|0\373\315\233\331\371fv\31\336}\0`30D\304\221\233\237\5\310\20W\346\342\2705\37\307?\315\303\371H!\16\0<'\372<\370{\300?\306{\232a\364K`v\304\311y\201\354\25L1\305\24\3773\26\311\216\247\356\205\361\334\311\11uG\310\226 \276_\17\217\345N\220=\246+'\237\4n\337x\350=};\363\201\356\243$g\20\227\17\321\343u\361\353\366\275\235_r\26q\347\34=>\276{p\372Y\\27\315rk\302\234I\35\22_Y\2447^\34\335\355l\307\232g)\26N\370\206\231\203~\314\367\345e\330(\226\254\252i\324Je\13\366\236\364\301(\324k\350\311zC\251\264_\257p\245=\231sE\336\252%\313\254\345\326\315J\342\212&O\334\262q3\322\2557V/^\266\257#\214xm5\177!\207]L\347\352\3439+t\335@\2644+\371\201\346\256\313\252\275@\243\307\356\234\317\255\345ap\267\317\252\250C\11\6\367\317h\326Q\216\306\2\3C!\327\310Z\302\265Q\321\331TJ(fcSxRa\208~\233\331\\363%f\10\245B\251\321fN\334\0\325%0\273\330\14\207BfW+\336\324i\17\207ZQ\247HE\13\326r\dP\16\265\14\365~\313\352\226#%\332\3210B\366\330:j\356\270\1\253\11f\270\216l\10\256\354\321XB\242\37I\15uZ\373\332\5\226", ) , ) == 0x0 01438 744 NtReadFile (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, (176, 0, 0, 0, 32768, 0x0, 0, ... 
{status=0x0, info=32768}, "\206P:\352\31h!\231\336\304dj\256\35\341\257d3\327P\253^\364BD\274\315\35\177\205\11\225\315\224\332\276P8\254\244\271\250\322\11\206\375r`\204\244\345\201\305=\204\205\237+\375\210\354%\331\267\324\262\274\371\315\272\354\34\260J\273)\177\216t\216\221\235J\351\25\306\26\361*\235k\23\226\323\247\370\27\262\37K\2\0\200\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325\214\224\276\247S.vFJ%7\7\332\224\320\327)%\370", ) \233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 
\304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2 (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "\206P:\352\31h!\231\336\304dj\256\35\341\257d3\327P\253^\364BD\274\315\35\177\205\11\225\315\224\332\276P8\254\244\271\250\322\11\206\375r`\204\244\345\201\305=\204\205\237+\375\210\354%\331\267\324\262\274\371\315\272\354\34\260J\273)\177\216t\216\221\235J\351\25\306\26\361*\235k\23\226\323\247\370\27\262\37K\2\0\200\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325\214\224\276\247S.vFJ%7\7\332\224\320\327)%\370", ) , ) == 0x0 01439 744 NtReadFile (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, (176, 0, 0, 0, 32768, 0x0, 0, ... 
{status=0x0, info=32768}, "O\27\347\321<\201\220\265\230P\233\7\360\36\204\247\323\342\361\236\27\31\352cZF\266\345g\361\214r{^\220v\206qy\2661\314K\342\202\304\256g;{\374N\367(\360\274\302\36\353Lr\226\24*\241\277\22m6\313n{\341U\355\25\236\201\224\257\260\307\4\213\205\237\13\303\205\244\203\341\13\305\253u\230\230Ep\316i0\34G\253\26\246'\304\251)\271\25\205X\337\210\224\240\352\226\320\314\337%r\11\375R\321\1\207G\0m\14\230\333\371\236\10P"\1d"\21M\331\271E\4|\241\350\1\37q\300D\221\364\215"i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! \232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346\11\346OD*\206\2130\14\222\12\376$&\234\212\231\265\27", ) \1d (176, 0, 0, 0, 32768, 0x0, 0, ... 
{status=0x0, info=32768}, "O\27\347\321<\201\220\265\230P\233\7\360\36\204\247\323\342\361\236\27\31\352cZF\266\345g\361\214r{^\220v\206qy\2661\314K\342\202\304\256g;{\374N\367(\360\274\302\36\353Lr\226\24*\241\277\22m6\313n{\341U\355\25\236\201\224\257\260\307\4\213\205\237\13\303\205\244\203\341\13\305\253u\230\230Ep\316i0\34G\253\26\246'\304\251)\271\25\205X\337\210\224\240\352\226\320\314\337%r\11\375R\321\1\207G\0m\14\230\333\371\236\10P"\1d"\21M\331\271E\4|\241\350\1\37q\300D\221\364\215"i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! \232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346\11\346OD*\206\2130\14\222\12\376$&\234\212\231\265\27", ) i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! 
\232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346\11\346OD*\206\2130\14\222\12\376$&\234\212\231\265\27", ) == 0x0 01440 744 NtReadFile (176, 0, 0, 0, 11252, 0x0, 0, ... {status=0x0, info=11252}, (176, 0, 0, 0, 11252, 0x0, 0, ... {status=0x0, info=11252}, "\331;h{\244\255\207\333\0\275w@\213\201\331E\306d\343\210|H_\245d\11\204<\234\220%e\24\332\22i\256\24\360\11hb.\20\242d\203\12EC\220\36\332\215N\326\232\2202\317\0yD\362\12\225\364$J\242!#\244@K*((A\11\4\323J?\37\237`\210\213\15\357\35\33\27\2332\310\20\36\21\21\225\230\22\25\31b\10\316\354\316\322\6\373>\220v-\33\2634B\242\30B\3\306"\203\341#\213b8j\372\370\337?\201\262\25\2662\327\3019.e\257\202\334g\273\226\225\271\234\115\334\311\231\24\3223\264,\350C\217\217\326\371lo\326\370\205K\311\27\307\=\212\367\370\350\354o^/\22\367~\250x\344\345[\363\325s\203w\236\370\376\267Y\37.\257~\245\313\217\223S\375\212G\216\377|t\363\207\237\245\376\326}c\352\320E\372\207=3\232\245\226\5\35\33\275\340\\307\324^\347\216\7\272O\247v-x\257\252_\337\37~\342;n\36\270dJ\207e\2713\253\373\366ykd\325Z\352\\275W\3173U\354RW\320;]\3\225p\203qq\315\226\315p\227N\377P\372\347\304s\33\356o\232P\357^\277P\34\335i\303\363\301\337\314\13\310\236\375(\344\25\335\353\203\337\3168\326l]\351\375\355{\3\267\1771p\311(\317\214\250\317V\275{\211\234\352\336\361\353\242\236\372\231\356\353&y\265\230\37\30q\347\367\26\375\3167zm\251_n\352#o\362\255c\263W|\243/\\326cr\372k\373n\370\214~{\375\341\341\31\275\305\205\13:b\213;\316\236\363 \313\263\363\257\247\37\200\376\236\200\277\224ks\227O\232\275})\342v\207?\243S\247\317>\26=\253\242\313O\201\303\376\367)\361&\264\33\322Ek\270\335\323\207a\236\251\317\23g\372\37\15\321", ) 
\203\341#\213b8j\372\370\337?\201\262\25\2662\327\3019.e\257\202\334g\273\226\225\271\234\115\334\311\231\24\3223\264,\350C\217\217\326\371lo\326\370\205K\311\27\307\=\212\367\370\350\354o^/\22\367~\250x\344\345[\363\325s\203w\236\370\376\267Y\37.\257~\245\313\217\223S\375\212G\216\377|t\363\207\237\245\376\326}c\352\320E\372\207=3\232\245\226\5\35\33\275\340\\307\324^\347\216\7\272O\247v-x\257\252_\337\37~\342;n\36\270dJ\207e\2713\253\373\366ykd\325Z\352\\275W\3173U\354RW\320;]\3\225p\203qq\315\226\315p\227N\377P\372\347\304s\33\356o\232P\357^\277P\34\335i\303\363\301\337\314\13\310\236\375(\344\25\335\353\203\337\3168\326l]\351\375\355{\3\267\1771p\311(\317\214\250\317V\275{\211\234\352\336\361\353\242\236\372\231\356\353&y\265\230\37\30q\347\367\26\375\3167zm\251_n\352#o\362\255c\263W|\243/\\326cr\372k\373n\370\214~{\375\341\341\31\275\305\205\13:b\213;\316\236\363 \313\263\363\257\247\37\200\376\236\200\277\224ks\227O\232\275})\342v\207?\243S\247\317>\26=\253\242\313O\201\303\376\367)\361&\264\33\322Ek\270\335\323\207a\236\251\317\23g\372\37\15\321", ) == 0x0 01441 744 NtSetInformationFile (176, 1244620, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01442 744 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\340\337D\376", ) , ) == 0x0 01443 744 NtSetInformationFile (176, 1244620, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01444 744 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "C\2\0\200", ) , ) == 0x0 01445 744 NtReadFile (176, 0, 0, 0, 579, 0x0, 0, ... {status=0x0, info=579}, (176, 0, 0, 0, 579, 0x0, 0, ... 
{status=0x0, info=579}, "\355T1\213\23Q\20\236\23\357\270\313\31T\320\306\352\35x\210r\204;\5\11i$\354\255\30\3416\301DTH\341Kv\222[nw\337\343\355[\223t\301F+Q\301\306F\260\260\25+\261\260\272\342j\253\3m\374\11j#\26g\234\315f\2755\230\323\316\302|0\373\315\233\331\371fv\31\336}\0`30D\304\221\233\237\5\310\20W\346\342\2705\37\307?\315\303\371H!\16\0<'\372<\370{\300?\306{\232a\364K`v\304\311y\201\354\25L1\305\24\3773\26\311\216\247\356\205\361\334\311\11uG\310\226 \276_\17\217\345N\220=\246+'\237\4n\337x\350=};\363\201\356\243$g\20\227\17\321\343u\361\353\366\275\235_r\26q\347\34=>\276{p\372Y\\27\315rk\302\234I\35\22_Y\2447^\34\335\355l\307\232g)\26N\370\206\231\203~\314\367\345e\330(\226\254\252i\324Je\13\366\236\364\301(\324k\350\311zC\251\264_\257p\245=\231sE\336\252%\313\254\345\326\315J\342\212&O\334\262q3\322\2557V/^\266\257#\214xm5\177!\207]L\347\352\3439+t\335@\2644+\371\201\346\256\313\252\275@\243\307\356\234\317\255\345ap\267\317\252\250C\11\6\367\317h\326Q\216\306\2\3C!\327\310Z\302\265Q\321\331TJ(fcSxRa\208~\233\331\\363%f\10\245B\251\321fN\334\0\325%0\273\330\14\207BfW+\336\324i\17\207ZQ\247HE\13\326r\dP\16\265\14\365~\313\352\226#%\332\3210B\366\330:j\356\270\1\253\11f\270\216l\10\256\354\321XB\242\37I\15uZ\373\332\5\226\315d3{\375~DT\324\334b\305\206P:\352\31h!\231\336\304dj\256\35\341\257d3\327P", ) , ) == 0x0 01446 744 NtQueryInformationFile (176, 1244628, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01447 744 NtSetInformationFile (176, 1244628, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01448 744 NtQueryDefaultUILanguage (1244676, ... 01449 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01450 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147481996, ) == 0x0 01451 744 NtQueryInformationToken (-2147481996, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01452 744 NtClose (-2147481996, ... 
) == 0x0 01453 744 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147481996, ) }, ... -2147481996, ) == 0x0 01454 744 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 744 NtOpenKey (0x80000000, {24, -2147481996, 0x640, 0, 0, (0x80000000, {24, -2147481996, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481980, ) }, ... -2147481980, ) == 0x0 01456 744 NtQueryValueKey (-2147481980, (-2147481980, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 744 NtClose (-2147481980, ... ) == 0x0 01458 744 NtClose (-2147481996, ... ) == 0x0 01448 744 NtQueryDefaultUILanguage ... ) == 0x0 01459 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01460 744 NtUserFindExistingCursorIcon (1244008, 1244024, 1244592, ... ) == 0x0 01461 744 NtQueryDefaultLocale (1, 1243692, ... ) == 0x0 01462 744 NtQueryDefaultLocale (1, 1243708, ... ) == 0x0 01463 744 NtUserGetDC (0, ... ) == 0x1010052 01464 744 NtGdiCreateCompatibleBitmap (16842834, 32, 32, ... ) == 0x5050455 01465 744 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01466 744 NtGdiSelectBitmap (469828647, 84214869, ... ) == 0x185000f 01467 744 NtGdiGetDCforBitmap (84214869, ... ) == 0x1c010427 01468 744 NtGdiSaveDC (469828647, ... ) == 0x1 01469 744 NtGdiSelectBitmap (469828647, 84214869, ... ) == 0x5050455 01470 744 NtGdiGetDCObject (469828647, 524288, ... ) == 0x188000b 01471 744 NtUserSelectPalette (469828647, 25690123, 0, ... ) == 0x188000b 01472 744 NtGdiSetDIBitsToDeviceInternal (469828647, 0, 0, 32, 32, 0, 0, 0, 32, 4424112, 1406624, 0, 512, 104, 1, 0, ... 
) == 0x20 01473 744 NtUserSelectPalette (469828647, 25690123, 0, ... ) == 0x188000b 01474 744 NtGdiSelectBitmap (469828647, 84214869, ... ) == 0x5050455 01475 744 NtGdiRestoreDC (469828647, -1, ... ) == 0x1 01476 744 NtGdiSelectBitmap (469828647, 25493519, ... ) == 0x5050455 01477 744 NtUserGetDC (0, ... ) == 0x1010052 01478 744 NtGdiCreateDIBitmapInternal (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x12050458 01479 744 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01480 744 NtGdiSelectBitmap (469828647, 302318680, ... ) == 0x185000f 01481 744 NtGdiGetDCforBitmap (302318680, ... ) == 0x1c010427 01482 744 NtGdiSaveDC (469828647, ... ) == 0x1 01483 744 NtGdiSelectBitmap (469828647, 302318680, ... ) == 0x12050458 01484 744 NtGdiGetDCObject (469828647, 524288, ... ) == 0x188000b 01485 744 NtUserSelectPalette (469828647, 25690123, 0, ... ) == 0x188000b 01486 744 NtGdiSetDIBitsToDeviceInternal (469828647, 0, 0, 32, 64, 0, 0, 0, 64, 4424496, 1406624, 0, 256, 48, 1, 0, ... ) == 0x40 01487 744 NtUserSelectPalette (469828647, 25690123, 0, ... ) == 0x188000b 01488 744 NtGdiSelectBitmap (469828647, 302318680, ... ) == 0x12050458 01489 744 NtGdiRestoreDC (469828647, -1, ... ) == 0x1 01490 744 NtGdiSelectBitmap (469828647, 25493519, ... ) == 0x12050458 01491 744 NtGdiCreateCompatibleDC (469828647, ... ) == 0xe010445 01492 744 NtGdiExtGetObjectW (302318680, 24, 1243236, ... ) == 0x18 01493 744 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xe050450 01494 744 NtGdiSelectBitmap (469828647, 302318680, ... ) == 0x185000f 01495 744 NtGdiSelectBitmap (234947653, 235209808, ... ) == 0x185000f 01496 744 NtGdiBitBlt (234947653, 0, 0, 32, 64, 469828647, 0, 0, 13369376, -1, 0, ... ) == 0x1 01497 744 NtGdiSelectBitmap (469828647, 25493519, ... ) == 0x12050458 01498 744 NtGdiSelectBitmap (234947653, 25493519, ... ) == 0xe050450 01499 744 NtGdiDeleteObjectApp (302318680, ... ) == 0x1 01500 744 NtGdiDeleteObjectApp (234947653, ... 
) == 0x1 01501 744 NtUserCallOneParam (0, 33, ... ) == 0x100ab 01502 744 NtUserSetCursorIconData (65707, 1243288, 1243304, 1243884, ... ) == 0x1 01503 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242240, ... ) }, 1242240, ... ) == 0x0 01504 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01505 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 172, ... 180, ) == 0x0 01506 744 NtClose (172, ... ) == 0x0 01507 744 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x990000), 0x0, 262144, ) == 0x0 01508 744 NtClose (180, ... ) == 0x0 01509 744 NtUnmapViewOfSection (-1, 0x990000, ... ) == 0x0 01510 744 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01511 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01512 744 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01513 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01514 744 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\WINDOWS\System32"}, 3, 33, ... 180, {status=0x0, info=1}, ) }, 3, 33, ... 180, {status=0x0, info=1}, ) == 0x0 01515 744 NtQueryVolumeInformationFile (180, 1244076, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01516 744 NtClose (12, ... 
) == 0x0 01517 744 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01518 744 NtClose (12, ... ) == 0x0 01519 744 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp\brr"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01520 744 NtClose (12, ... ) == 0x0 01521 744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01522 744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01523 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp\brr\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0 01524 744 NtQueryDirectoryFile (12, 0, 0, 0, 1242836, 616, BothDirectory, 1, (12, 0, 0, 0, 1242836, 616, BothDirectory, 1, "Partmp.log", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 01525 744 NtClose (12, ... ) == 0x0 01526 744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01527 744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01528 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.DEP"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01529 744 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.DEP"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01530 744 NtClose (-2147481996, ... ) == 0x0 01529 744 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01531 744 NtSetInformationFile (176, 1244048, 8, Position, ... 
{status=0x0, info=0}, ) == 0x0 01532 744 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "K\2\0\200", ) , ) == 0x0 01533 744 NtReadFile (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, "\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325\214\224\276\247S.vFJ%7\7\332\224\320\327)%\370\325)\243#\316)\207U\316"m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) 
\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2 (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, "\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": 
g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325\214\224\276\247S.vFJ%7\7\332\224\320\327)%\370\325)\243#\316)\207U\316"m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) == 0x0 01534 744 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\15\12; Dependency file for setup wizards.\15\12\15\12[Version]\15\12Version=6.0.81.69\15\12\15\12; Default Dependencies ----------------------------------------------\15\12\15\12[MSInet.ocx]\15\12Dest=$(WinSysPath)\15\12Register=$(DLLSelfRegister)\15\12Version=6.0.81.69\15\12Uses1=ComCat.dll\15\12Uses2=\15\12CABFileName=MSInet.cab\15\12CABDefaultURL=http://activex.microsoft.com/controls/vb6\15\12CABINFFile=MSInet.inf\15\12\15\12[ComCat.dll]\15\12Dest=$(WinSysPathSysFile)\15\12Register=$(DLLSelfRegister)\15\12Uses1=\15\12\15\12; Localized Dependencies ----------------------------------", 2407, 0x0, 0, ... {status=0x0, info=2407}, ) , 2407, 0x0, 0, ... {status=0x0, info=2407}, ) == 0x0 01535 744 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01536 744 NtClose (12, ... ) == 0x0 01537 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.oca"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01538 744 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.oca"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01539 744 NtClose (-2147481996, ... ) == 0x0 01538 744 NtCreateFile ... 
12, {status=0x0, info=2}, ) == 0x0 01540 744 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01541 744 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "$(\0\200", ) , ) == 0x0 01542 744 NtReadFile (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, "\355}\17x\224\325\231\357\231$\344\377_\22\371\243Q>\4\5\225\304\17\11\22\220\352\4\2\6\15\20Ip\20Q2\314|IF'3\343\314\204\4\313n\323>leo\322J\325\333\313\355\372\334u}\274\312*\325\264\245\327X\331\26\25-UT\254\330e\273T\321EE\253-ui\27[\252\367\367\276\347|\337w\276I\202n\367\336\347\331\336\313\350\313\314w\316\357\234\367\374y\317{\336\363~\347\234,_\273Md\13!r@\237~*\304\260\220\37\277\370\354O?\250t\312\17J\305\256\202\27\247\16\373\232_\234\332\326\25I\31\211d\2743\31\3546B\301X,\23666XF\262'fDbF\343\312V\243;\36\266jKJ\12\247\253\37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132:"Q\353L\363\374\177\361!\335\353c=\352#\225\320_\17*\224\352\246_\217\227\10\350\3111\302\373F\11\247\17\251\325!\350\244&L4C9#\371\332\270m\240\223s\204X\23vqy\242M\334\0\216KD\263X\6us\3317\244\312\272\262\342\325k~t\354\353+\36K\233\217O|\334\34jz\312'\366l\3326\227\322\34\3\325+\276;\24\257/\326\325/\231;\377\262\371f\315\374\372z\263f\366\354", ) 
\37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132: (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, "\355}\17x\224\325\231\357\231$\344\377_\22\371\243Q>\4\5\225\304\17\11\22\220\352\4\2\6\15\20Ip\20Q2\314|IF'3\343\314\204\4\313n\323>leo\322J\325\333\313\355\372\334u}\274\312*\325\264\245\327X\331\26\25-UT\254\330e\273T\321EE\253-ui\27[\252\367\367\276\347|\337w\276I\202n\367\336\347\331\336\313\350\313\314w\316\357\234\367\374y\317{\336\363~\347\234,_\273Md\13!r@\237~*\304\260\220\37\277\370\354O?\250t\312\17J\305\256\202\27\247\16\373\232_\234\332\326\25I\31\211d\2743\31\3546B\301X,\23666XF\262'fDbF\343\312V\243;\36\266jKJ\12\247\253\37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132:"Q\353L\363\374\177\361!\335\353c=\352#\225\320_\17*\224\352\246_\217\227\10\350\3111\302\373F\11\247\17\251\325!\350\244&L4C9#\371\332\270m\240\223s\204X\23vqy\242M\334\0\216KD\263X\6us\3317\244\312\272\262\342\325k~t\354\353+\36K\233\217O|\334\34jz\312'\366l\3326\227\322\34\3\325+\276;\24\257/\326\325/\231;\377\262\371f\315\374\372z\263f\366\354", ) , ) == 0x0 01543 744 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program 
cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\5\0\34780F\0\0\0\0\0\0\0\0\340\0\216\241\13\1\4\0\0\20\0\0\0\0\0\0\0\20\0\0\0\20\0\0\0\20\0\0\0 \0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\24\0\0\0\00\0\0Ph\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\20\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.bss\0\0\0\0\0\20\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rsrc\0\0\0\0p\0\0\00\0\0\0j\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.ida", 29184, 0x0, 0, ... {status=0x0, info=29184}, ) , 29184, 0x0, 0, ... {status=0x0, info=29184}, ) == 0x0 01544 744 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01545 744 NtClose (12, ... ) == 0x0 01546 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.OCX"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 744 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.OCX"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01548 744 NtClose (-2147481996, ... ) == 0x0 01547 744 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01549 744 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01550 744 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\315\340\0\200", ) , ) == 0x0 01551 744 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... 
{status=0x0, info=16384}, "\354\375\13xTE\2667\214\357N:I\3\15\335@\202A\202\266&(G@[\3\232\30\320\6\222\30$\301N\2\11\214\334b.tbLb\262\33P\1\303t\202\264\233Vtt\2069G\35/\3500\243\343\340\210\212\312@\20\206\213\242\342\35\7T\234A\3556\214F\315@\320H\177\277\265\252v\367\356\0\316\234\363\275\357\373\377?\317\367\6\252\367\336U\253\356U\253V\255ZkU\321\317\326*\361\212\242\230\341\302aE\331\254\210?\227\362\257\377Z\341\6\235\373\322 eS\277\327\317\333l*|\375\274\231\236\332\26GSs\343\242\346\212\233\34\225\25\15\15\215\252\343\206jG\263\267\301Q\333\340\310\275\256\324qScU\365\305\3\7\366\317\220i\270\363\24\245\320dV\322K\375\23\350{\276EQ\16+q\351\3L\11q\212\305\244(\17\11\270\336!\370\261\223\203\237R\230\316\357q\242\334\212\22}*\373M\374\261{C\34\5\213Hv\343S\334L\270\33\340\32\340\332\340\326\3029\3406\301\355\203\373\30\356(\\17\\177\340\267ap\27\300]\16W\107\33\256\12\256", ) \334L\270\33\340\32\340\332\340\326\3029\3406\301\355\203\373\30\356(\\17\\177\340\267ap\27\300]\16W\107\33\256\12\256", ) == 0x0 01552 744 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\4\0#S\2115\0\0\0\0^\10\0\0\340\0\2#\13\1\5\2\0\10\1\0\0\236\0\0\0\0\0\0\374\22\0\0\0\20\0\0\0\20\1\0\0\0L#\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\1\0\0\4\0\0\307\250\2\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\200d\0\0\301\0\0\0@\7\1\0\366\0\0\0\00\1\0\314\177\0\0\0\0\0\0\0\0\0\0\20\255\1\08\24\0\0\0\260\1\0`\23\0\0@\6\1\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\374\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\16\6\1\0\0\20\0\0\0\10\1\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\274\10\0\0\0 
\1\0\0\12\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\0\334\177\0\0\00\1\0\0\200\0\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rel", 30545, 0x0, 0, ... {status=0x0, info=30545}, ) , 30545, 0x0, 0, ... {status=0x0, info=30545}, ) == 0x0 01553 744 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\201mP\325x-X\372\4J\347c\23\272\317\322/\253g\331\3351\335\350\277J\363\275\313\20\357rw\332\332\272\342X2,\6&t\20\236\223hrA\264\235\230\265<\301\16\323\4;L\23,\310\342\227\250XZ\35\266(\226\5\376\227i\260\253\27\23\322>\7Q\307\235\304\25\16@\323\361dM\237\3614c\351R]@\331\22\232\36&\301\362\345i\26!\214Cc\203Z\306\326\366\211\240\304\245f[\33\335\257\213\2661\`\25p\262xF\323\375De\273Q\362\347\234b2\303V\207[\237\311\344\225y\14\253\16\350\2759\350\2322\331\263\262\4\331\34\7\201\20*?I\242\27O\201\240\330\314\254\34\12\210Y\234B\17\223RQ^\6\32`#5\300Fj\200\315\241\242pDjD\353\11\cr\7\377\372\13t\237\326\5T\201\265\256L\210\331\266f\\11c\355\215\266\16\365\334\211\16u\304\304\212eC&\336z\373 \333\326\16_\320\261\332t\347d\323\344\316\277\341\13\206\351\377LY+\352\331T\325YV+\346\314\277f\345\362\261\26\214\336\343\3142\33\217\22\355\247\22\355\247\22\35@\340D\12d\355\245\274\\4v`\17\211\220=\230\14\300d`\257\5xp\200A=@\237\203\30^\367l\320G\223m\315s\264\317\361\2\264+\300\243\344'@\357$P\37\241n\37\311\255\354\341\2278\265\321\327\23\277\242\37\320\234\355\256\347\250 4\2\24\317\357h\4\374\16# t\202l\2223\306\217+\367:\202O\334\313m\206\6\363\324\13:\207[\255&^\11\331P\375\340\252h\270\7\341\235\37\7\274c\31\365\7\362&\206.\244\347\263\264u\223g\35 \325\265x\271r\240\247\205\375\347\262\345\3\4q\25\372\200(Fadly/l\362\23\7^\273\33\31\370\36c\356\0I", ) , ) == 0x0 01554 744 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\203\243\330\23\0\0\277j\4\213\313\350S\246\377\377\213\203\320\23\0\0\215\263\320\23\0\03\377;\307t\20PW\37750 
M#\377\25l\20L#\211>\213\203\324\23\0\0\215\263\324\23\0\0;\307\17\204\360\2\0\0PW\37750 M#\377\25l\20L#\211>\351\333\2\0\0=\10@\0\0\17\205A\4\0\0\213E\24f\307E\340\10\0\215u\340\213\0\211E\350\3514\377\377\377\17\267E\34j\4\203\350\10_\211\2734\1\0\0t.HH\17\204\36\2\0\0-\376?\0\0t\37\213\3j\0j\1h\260\213\0\0h\260\213\12\200S\377\220\240\0\0\0\211E\10\351K\377\377\377f\203}\34\10\17\205\240\0\0\0\215u\34\213F\10\205\300\17\204\337\1\0\0P\377\25\214\22L#\205\300\17\204\320\1\0\0\377v\10\377\25t\20L#\215|\0\2\215\2150\377\377\377W\350p\225\377\3773\300PPW\377\2650\377\377\377j\377\377v\10PP\377\25p\20L#\213\2050\377\377\3773\366;\306\211E\10uY\213\3VVj\7h\7\0\12\200S\377\220\240\0\0\09\2650\377\377\377\211E\10\17\204\302\376\377\377\366E\254\1\17\204\270\376\377\377\377\2650\377\377\377V\37750 M#\377\25l\20L#\351\240\376\377\377\213E$f\307E\260\10\0\215u\260\213\0\211E\270\351M\377\377\377P\377\25\254\20L#\213\370\215G\1P\350\332\223\377\377Y\213\360\377u\10\211u\374V\377\25\250\20L#\200$7\0\212\6\213\316\204\300t\37< t\33, 29641, 0x0, 0, ... {status=0x0, info=29641}, ) , 29641, 0x0, 0, ... {status=0x0, info=29641}, ) == 0x0 01555 744 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... 
{status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K"\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=", ) \376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267 (176, 0, 0, 0, 16384, 0x0, 0, ... 
{status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K"\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=", ) \3\302e\2465\35\23v,\6K216\36\340]\223\263bl\363\227\341\305\31\261\324\224\257&\3K\370X\230}\234#\264\15 (176, 0, 0, 0, 16384, 0x0, 0, ... 
{status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K"\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=", ) , ) == 0x0 01556 744 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, 
"\0\0\0\203\304\14\205\300t\25\213F\4\205\300t\16\213\10WP\377Q\30\213\330\367\333\33\333C\205\333u4\201\177\4\4\1\0\0\213/u\33U\377v\10\377\25\240\21L#\205\300u\15j\5\377v\10\377\25`\21L#\211\7W\377v\10\377\25\220\21L#\213\330\211/3\300\205\333\17\224\300\351\354\376\377\377j\20\377\3253\311f\205\300\17\234\301Qj\0\377v\10\377\25\224\21L#\205\300t\240j\1Pj(\377v\10\377\25(\21L#\213\330\353\216U\213\354VWj\0j\0h\207\0\0\0\377u\10\377\25(\21L#\250\6uJ\213E\14;E\10t\14P\211E\14\377\25\304\21L#\353\357\377u\20\2135`\21L#\377u\14\377\326\213\370\205\377t\33j\360W\377\25T\21L#%\0\0\1\30=\0\0\1\20t\15\377u\20W\353\335j\1X_^]\3033\300\353\370U\213\354Q\215E\374\307E\374\1@\0\200P\213E\10\377u\14hf\4\0\0\377p\10\377\25(\21L#\213E\374\311\302\10\0SV\213\361W\203~\34\0\17\205\235\0\0\0\213F j\5\213\4\305\14!M#\17\267@\30P\350\340\1\0\0P\377\25\4\21L#\205\300t`P\213\316\350\315\1\0\0P\377\25\0\21L#\205\300tMP\377\25\374\20L#\213\330\205\333t@\277\30 M#W\377\25\200\20L#j\0hS\367L#\2115\264(M#\350\274\4\0\0PS\3775\10 M#\377\25\250\21L#\203%\264(M#\0W\377\25`\20L#\203~\34\0u\34\2135\234\20L#\377\326\205\300t\20\377\326%\377\377\0\0\15\0\0\7\200_^[\3033\300\353\370QV\213\361W\366F(\1t\32\213F\34\205\300t\23\215L$\10Qj\0hg\4\0\0P\377", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... 
{status=0x0, info=32768}, ) == 0x0 01557 744 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\0\200@\0\0\0\220\04\0\11\4\35\0\0\0\0\0$\0\36\0\31\0\31\200@\0\0\0\224\0L\0\21D\37\0\1\0\0\0\20\0\0\0\254\20\0\0\12\0\0\0$\0\37\0\31\0\31\200@\0\0\0\230\0D\0!\4\36\0\1\0\0\0\10\0\10\200\377\377\377\377\1\0\0\0\23\0\0\0\23\0\0\0\1\0\0\0\1\0\0\0\2\0\0\0\2\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\10\0\0\0\11\0\0\0\11\0\0\0\30\0\0\0\30\0\0\0\12\0\0\0\12\0\0\0\16\0\0\0\16\0\0\0\24\0\0\0\24\0\0\0\25\0\0\0\25\0\0\0\32\0\0\0\32\0\0\0\26\0\0\0\21\0\0\0\22\0\0\0\27\0\0\0\31\0\0\0\330\375\377\377\0\0\0\0\0\0\0\0\270\17\0\0\270\17\0\0\314\17\0\0\314\17\0\0\344\17\0\0\344\17\0\0\374\17\0\0(\20\0\0P\20\0\0|\20\0\0\254\20\0\0\254\20\0\0\274\20\0\0\274\20\0\0\340\20\0\0\340\20\0\0\364\20\0\0\364\20\0\0\34\21\0\0\34\21\0\00\21\0\00\21\0\0D\21\0\0D\21\0\0t\21\0\0\260\21\0\0\14\22\0\0 \22\0\0D\22\0\0p\22\0\0\204\22\0\0\204\22\0\0\0\0\0\0<\0\0\0x\0\0\0\264\0\0\0\360\0\0\0,\1\0\0h\1\0\0\244\1\0\0\340\1\0\0\34\2\0\0X\2\0\0\224\2\0\0\320\2\0\0\14\3\0\0H\3\0\0\204\3\0\0\300\3\0\0\374\3\0\08\4\0\0t\4\0\0\260\4\0\0\354\4\0\0(\5\0\0d\5\0\0\240\5\0\0\364\5\0\0T\6\0\0\204\6\0\0\330\6\0\0 \7\0\08\7\0\0\\7\0\0<\0\0\0<\0\0\0\30\0\0\200\0\0\0\0\0\0D\0\14\4\0\0\1\0", 7540, 0x0, 0, ... {status=0x0, info=7540}, ) , 7540, 0x0, 0, ... {status=0x0, info=7540}, ) == 0x0 01558 744 NtReadFile (176, 0, 0, 0, 8397, 0x0, 0, ... {status=0x0, info=8397}, (176, 0, 0, 0, 8397, 0x0, 0, ... 
{status=0x0, info=8397}, "f\12\276\215\260A\264 \325\366\214&,\261\225\275Y\202\271*\32\2278\254\35\234\31e\303F\314hd4a\2066\27\333\321XQ[\31\207\255t\33r\26e\317\331\336\352m-\260X\315\346e\273\227\335\304&so\226%\2522\243\177\23\207=0\333\273>\16R\323,7@\325\227"\23\316\215\200\367F\227\227Mm\27\253\270\222\255\216\240\231e_\306:\353\206Q\267\377Sl}\270:\7e\334M\234\256\237\355\316\206\362=to\25\353\355\357\31T\271(\253\245\340A\200\352\355\254\367\254\250\242\350z\211\305\6\340\354+(\255\310/\313\304N\2\324\21d\252r)\262\240\306\30\7\257\356\357\264\a\3\257\15gd\251\222\323bM\263\325h|\243\3313\350j\200\311k\333\353\257-O\323l\260\271\323\321\330G1fKl\361\14e\255{.>v6ie\350\255\354\366\255\212\32dss\266\266-,\353V\344PS\343\34\351&23\316\215\200\367F\227\227Mm\27\253\270\222\255\216\240\231e_\306:\353\206Q\267\377Sl}\270:\7e\334M\234\256\237\355\316\206\362=to\25\353\355\357\31T\271(\253\245\340A\200\352\355\254\367\254\250\242\350z\211\305\6\340\354+(\255\310/\313\304N\2\324\21d\252r)\262\240\306\30\7\257\356\357\264\a\3\257\15gd\251\222\323bM\263\325h|\243\3313\350j\200\311k\333\353\257-O\323l\260\271\323\321\330G1fKl\361\14e\255{.>v6ie\350\255\354\366\255\212\32dss\266\266-,\353V\344PS\343\34\351&346\353g\302\342,(g\35\245-\217\3606\2250G\1\331\252\376\373X\256j\326\230\241\326\31e\343\373\232: Q\241\311j4k\367s*\37\333\330X\321\322\22U\367\235\353\260#\36Z\255\333\337a\367\311\214I\316\270\346\367\204R\232Ue\253\363\214V\313g\332\341\376\4\223&8f\335\323\330\232=z\301Ib\352\250sM\21c\256j\233\243@kc\354\264A\221\254\266Z\305\260\257b\345\314F\323\16a\246%O\340p\13\3\265\372\21\363~\206uL\235\376F\33\366\314\313\276\235\326\26\306n\366e\346\317\311\226\35\21m\17\334\252C\255\355\312\330\327zR\235&j47\336\202|\366com\267\233\245\355\324\24\233\342L\263\37\310W\2624\331\304\32\12\32\376u)8\5M\235\2519n5s\375\2\265\357\227\33`\302\223\344\227\255", ) == 0x0 01559 744 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "o\0p\0e\0r\0a\0t\0i\0o\0n\0 
\0a\0r\0g\0u\0m\0e\0n\0t\0\34\0S\0t\0i\0l\0l\0 \0e\0x\0e\0c\0u\0t\0i\0n\0g\0 \0l\0a\0s\0t\0 \0r\0e\0q\0u\0e\0s\0t\0,\0T\0h\0i\0s\0 \0c\0a\0l\0l\0 \0i\0s\0 \0n\0o\0t\0 \0v\0a\0l\0i\0d\0 \0f\0o\0r\0 \0a\0n\0 \0F\0T\0P\0 \0c\0o\0n\0n\0e\0c\0t\0i\0o\0n\0\0\0\16\0O\0u\0t\0 \0o\0f\0 \0h\0a\0n\0d\0l\0e\0s\0\7\0T\0i\0m\0e\0o\0u\0t\0\16\0E\0x\0t\0e\0n\0d\0e\0d\0 \0e\0r\0r\0o\0r\0\16\0I\0n\0t\0e\0r\0n\0a\0l\0 \0e\0r\0r\0o\0r\0\13\0I\0n\0v\0a\0l\0i\0d\0 \0U\0R\0L\0\23\0U\0n\0r\0e\0c\0o\0g\0n\0i\0z\0e\0d\0 \0s\0c\0h\0e\0m\0e\0\21\0N\0a\0m\0e\0 \0n\0o\0t\0 \0r\0e\0s\0o\0l\0v\0e\0d\0\22\0P\0r\0o\0t\0o\0c\0o\0l\0 \0n\0o\0t\0 \0f\0o\0u\0n\0d\0\16\0I\0n\0v\0a\0l\0i\0d\0 \0o\0p\0t\0i\0o\0n\0\0\0\0\0\0\0\21\0B\0a\0d\0 \0o\0p\0t\0i\0o\0n\0 \0l\0e\0n\0g\0t\0", 14522, 0x0, 0, ... {status=0x0, info=14522}, ) , 14522, 0x0, 0, ... {status=0x0, info=14522}, ) == 0x0 01560 744 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01561 744 NtClose (12, ... ) == 0x0 01562 744 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01563 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01564 744 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01565 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01566 744 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01567 744 NtClose (12, ... 
) == 0x0 01568 744 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 01569 744 NtQueryVolumeInformationFile (12, 1244076, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01570 744 NtClose (180, ... ) == 0x0 01571 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01572 744 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01573 744 NtClose (-2147481996, ... ) == 0x0 01572 744 NtCreateFile ... 180, {status=0x0, info=2}, ) == 0x0 01574 744 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01575 744 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "E \0\200", ) , ) == 0x0 01576 744 NtReadFile (176, 0, 0, 0, 8261, 0x0, 0, ... {status=0x0, info=8261}, (176, 0, 0, 0, 8261, 0x0, 0, ... 
{status=0x0, info=8261}, "\355}\17xT\307u\357\254\220A`\31\11#\3318\6#b\22\313\377\204\4\100\6kAZ,\31-\354\12\255\2041X\10\355\225V\262\220\326{W \307\310(\37\340\350\346z]lC\252\270N\342\344\343%j\342\266|-\256U"7r \25\315S\236\225g\12z\265\372\312ki*?\250\303\367\3123J-{\337\357\234\271\367\356\335\225\20~/\177\332\367};\3139wf\356\231\2313g\316\234\371sG\203{\333a1M\10\221\12\210F\205\350\25\3229\305\215\35\321\316^xr\26681\363g\213z\35\345?[T\31hTs\202\241\326\206P\355\356\234\272\332\226\226\326p\316.%'\324\326\222\323\330\222S\262yK\316\356V\277\222w\313-\263\26\33y\374\336W\177\365\376\177\276\364\373]&\224^\373z\327O\361\374\316\325o\362\363\363W_\345gEc]\200\336\233e{\B\224;\246\211Ov\35\331`\306]\20\31\216\233\35\323\361\22\201\34\31\367\372\\240L\300N\243V\2312L\365u\30\365f\327)\343\273_\27"\205#2%\255\365\264\36\354.\226\13\221K\236\240\20o\244\211_\333\345\246\30,\243\220\305\216\353\323\345\205\225\3660\236\345\353\15\206<\11\214\311\252\357\314\363\327\206k\341O\237e\324\335\222A\314A\32\375y!5T'\214:\4\15\272\340\4:g\352\315\347]\366b\334[\252\326W\271W\344\347\225\224\227\213\244K\272\244K\272\244K\272\244K\272\244K\272\244K\272\244\373\17\357\246w\325\253\317|\252\250yO5\250\345\377\263^\365\277S\247\276\177\213\242\326\324(\352wB\15\352\352k\212\372\316'\212\272\32\341\313\257\371\325\17?R\324\37\375\271_m|\325\257\356zDQ\237\307\373\347\307\24u\274\327\257\266h\365\352\277\372\25\265\251\272", ) 7r 
\25\315S\236\225g\12z\265\372\312ki*?\250\303\367\3123J-{\337\357\234\271\367\356\335\225\20~/\177\332\367};\3139wf\356\231\2313g\316\234\371sG\203{\333a1M\10\221\12\210F\205\350\25\3229\305\215\35\321\316^xr\26681\363g\213z\35\345?[T\31hTs\202\241\326\206P\355\356\234\272\332\226\226\326p\316.%'\324\326\222\323\330\222S\262yK\316\356V\277\222w\313-\263\26\33y\374\336W\177\365\376\177\276\364\373]&\224^\373z\327O\361\374\316\325o\362\363\363W_\345gEc]\200\336\233e{\B\224;\246\211Ov\35\331`\306]\20\31\216\233\35\323\361\22\201\34\31\367\372\\240L\300N\243V\2312L\365u\30\365f\327)\343\273_\27 (176, 0, 0, 0, 8261, 0x0, 0, ... {status=0x0, info=8261}, "\355}\17xT\307u\357\254\220A`\31\11#\3318\6#b\22\313\377\204\4\100\6kAZ,\31-\354\12\255\2041X\10\355\225V\262\220\326{W \307\310(\37\340\350\346z]lC\252\270N\342\344\343%j\342\266|-\256U"7r \25\315S\236\225g\12z\265\372\312ki*?\250\303\367\3123J-{\337\357\234\271\367\356\335\225\20~/\177\332\367};\3139wf\356\231\2313g\316\234\371sG\203{\333a1M\10\221\12\210F\205\350\25\3229\305\215\35\321\316^xr\26681\363g\213z\35\345?[T\31hTs\202\241\326\206P\355\356\234\272\332\226\226\326p\316.%'\324\326\222\323\330\222S\262yK\316\356V\277\222w\313-\263\26\33y\374\336W\177\365\376\177\276\364\373]&\224^\373z\327O\361\374\316\325o\362\363\363W_\345gEc]\200\336\233e{\B\224;\246\211Ov\35\331`\306]\20\31\216\233\35\323\361\22\201\34\31\367\372\\240L\300N\243V\2312L\365u\30\365f\327)\343\273_\27"\205#2%\255\365\264\36\354.\226\13\221K\236\240\20o\244\211_\333\345\246\30,\243\220\305\216\353\323\345\205\225\3660\236\345\353\15\206<\11\214\311\252\357\314\363\327\206k\341O\237e\324\335\222A\314A\32\375y!5T'\214:\4\15\272\340\4:g\352\315\347]\366b\334[\252\326W\271W\344\347\225\224\227\213\244K\272\244K\272\244K\272\244K\272\244K\272\244K\272\244\373\17\357\246w\325\253\317|\252\250yO5\250\345\377\263^\365\277S\247\276\177\213\242\326\324(\352wB\15\352\352k\212\372\316'\212\272\32\341\313\257\371\325\17?R\324\37\375\271_m|\325\257\356zDQ\237\3
07\373\347\307\24u\274\327\257\266h\365\352\277\372\25\265\251\272", ) , ) == 0x0 01577 744 NtWriteFile (180, 0, 0, 0, (180, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\217\212\371\333\313\353\227\210\313\353\227\210\313\353\227\210H\367\231\210\312\353\227\210\242\364\236\210\312\353\227\210"\364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\375b\224F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\230\240\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\344L\0\0(\0\0\0\0p\0\0\254\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0LB\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\375b\224F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\230\240\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\344L\0\0(\0\0\0\0p\0\0\254\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0LB\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 32768, 0x0, 0, ... 
{status=0x0, info=32768}, ) == 0x0 01578 744 NtSetInformationFile (180, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01579 744 NtClose (180, ... ) == 0x0 01580 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe"}, 1244076, ... ) }, 1244076, ... ) == 0x0 01581 744 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01582 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe"}, 1240548, ... ) }, 1240548, ... ) == 0x0 01583 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe"}, 1241240, ... ) }, 1241240, ... ) == 0x0 01584 744 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01585 744 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 180, ... 172, ) == 0x0 01586 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01587 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 184, ) }, ... 184, ) == 0x0 01588 744 NtQueryValueKey (184, (184, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 744 NtClose (184, ... ) == 0x0 01590 744 NtQueryVolumeInformationFile (180, 1240548, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01591 744 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 184, ) }, ... 184, ) == 0x0 01592 744 NtWaitForSingleObject (184, 0, {-1000000, -1}, ... 
) == 0x0 01593 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 188, ) }, ... 188, ) == 0x0 01594 744 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 57344, ) == 0x0 01595 744 NtReleaseMutant (184, ... 0x0, ) == 0x0 01596 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238532, ... ) }, 1238532, ... ) == 0x0 01597 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01598 744 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 192, ... 196, ) == 0x0 01599 744 NtClose (192, ... ) == 0x0 01600 744 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 106496, ) == 0x0 01601 744 NtClose (196, ... ) == 0x0 01602 744 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 01603 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238848, ... ) }, 1238848, ... ) == 0x0 01604 744 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 196, {status=0x0, info=1}, ) }, 5, 96, ... 196, {status=0x0, info=1}, ) == 0x0 01605 744 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 196, ... 192, ) == 0x0 01606 744 NtQuerySection (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01607 744 NtClose (196, ... ) == 0x0 01608 744 NtMapViewOfSection (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01609 744 NtClose (192, ... ) == 0x0 01610 744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
192, {status=0x0, info=1}, ) == 0x0 01611 744 NtQueryInformationFile (192, 1239136, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01612 744 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0 01613 744 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x9a0000), 0x0, 1028096, ) == 0x0 01614 744 NtQueryInformationFile (192, 1239232, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01615 744 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01616 744 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01617 744 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01618 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01619 744 NtQueryDirectoryFile (200, 0, 0, 0, 1236796, 616, BothDirectory, 1, (200, 0, 0, 0, 1236796, 616, BothDirectory, 1, "b06FdUe1083.exe", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0 01620 744 NtClose (200, ... ) == 0x0 01621 744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01622 744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01623 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe"}, 1236184, ... ) }, 1236184, ... ) == 0x0 01624 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 
200, {status=0x0, info=1}, ) == 0x0 01625 744 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01626 744 NtClose (200, ... ) == 0x0 01627 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01628 744 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01629 744 NtClose (200, ... ) == 0x0 01630 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01631 744 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "b06FdUe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01632 744 NtClose (200, ... ) == 0x0 01633 744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01634 744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01635 744 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01636 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01637 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01638 744 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01639 744 NtClose (200, ... 
) == 0x0 01640 744 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01641 744 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\b06FdUe1083.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01642 744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01643 744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01644 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe"}, 1238464, ... ) }, 1238464, ... ) == 0x0 01645 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01646 744 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01647 744 NtClose (200, ... ) == 0x0 01648 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01649 744 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01650 744 NtClose (200, ... ) == 0x0 01651 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 
200, {status=0x0, info=1}, ) == 0x0 01652 744 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "b06FdUe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01653 744 NtClose (200, ... ) == 0x0 01654 744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01655 744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01656 744 NtWaitForSingleObject (184, 0, {-1000000, -1}, ... ) == 0x0 01657 744 NtQueryVolumeInformationFile (180, 1239108, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01658 744 NtQueryInformationFile (180, 1239088, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01659 744 NtQueryInformationFile (180, 1239128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01660 744 NtReleaseMutant (184, ... 0x0, ) == 0x0 01661 744 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 01662 744 NtClose (196, ... ) == 0x0 01663 744 NtClose (192, ... ) == 0x0 01664 744 NtQuerySection (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01665 744 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\b06FdUe1083.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01666 744 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01667 744 NtOpenProcessToken (-1, 0xa, ... 192, ) == 0x0 01668 744 NtQueryInformationToken (192, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 01669 744 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01670 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 
196, ) == 0x0 01671 744 NtQueryValueKey (196, (196, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (196, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01672 744 NtQueryValueKey (196, (196, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (196, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01673 744 NtClose (196, ... ) == 0x0 01674 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01675 744 NtQueryValueKey (196, (196, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01676 744 NtQueryValueKey (196, (196, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (196, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01677 744 NtClose (196, ... 
) == 0x0 01678 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01679 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01680 744 NtQueryValueKey (196, (196, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01681 744 NtClose (196, ... ) == 0x0 01682 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01683 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01684 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01685 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01686 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01687 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01688 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01689 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01690 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01691 744 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01692 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 196, ) }, ... 196, ) == 0x0 01693 744 NtEnumerateKey (196, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (196, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01694 744 NtOpenKey (0x20019, {24, 196, 0x40, 0, 0, (0x20019, {24, 196, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 200, ) }, ... 200, ) == 0x0 01695 744 NtQueryValueKey (200, (200, "ItemData", Partial, 280, ... 
TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (200, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01696 744 NtQueryValueKey (200, (200, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (200, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01697 744 NtClose (200, ... ) == 0x0 01698 744 NtEnumerateKey (196, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01699 744 NtClose (196, ... ) == 0x0 01700 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01701 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01702 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01703 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01704 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01705 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01706 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01707 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01708 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01709 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01710 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01711 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01712 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01713 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01714 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01715 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01716 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01717 744 NtClose (196, ... ) == 0x0 01718 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01719 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01720 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01721 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01722 744 NtClose (196, ... ) == 0x0 01723 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01724 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01725 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01726 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01727 744 NtClose (196, ... ) == 0x0 01728 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01729 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01730 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01731 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01732 744 NtClose (196, ... ) == 0x0 01733 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01734 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01735 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01736 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01737 744 NtClose (196, ... ) == 0x0 01738 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01739 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01740 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01741 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01742 744 NtClose (196, ... ) == 0x0 01743 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01744 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01745 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01746 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01747 744 NtClose (196, ... 
) == 0x0 01748 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01749 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01750 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01751 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01752 744 NtClose (196, ... ) == 0x0 01753 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01754 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01755 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01756 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01757 744 NtClose (196, ... ) == 0x0 01758 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01759 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01760 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01761 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01762 744 NtClose (196, ... ) == 0x0 01763 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01764 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01765 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01766 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01767 744 NtClose (196, ... ) == 0x0 01768 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01769 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01770 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01771 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01772 744 NtClose (196, ... ) == 0x0 01773 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01774 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01775 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01776 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01777 744 NtClose (196, ... ) == 0x0 01778 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01779 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01780 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01781 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01782 744 NtClose (196, ... 
) == 0x0 01783 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01784 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01785 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01786 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01787 744 NtClose (196, ... ) == 0x0 01788 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01789 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01790 744 NtQueryValueKey (196, (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 01791 744 NtClose (196, ... ) == 0x0 01792 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01793 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01794 744 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01795 744 NtClose (196, ... ) == 0x0 01796 744 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01797 744 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01798 744 NtOpenProcessToken (-1, 0xa, ... 196, ) == 0x0 01799 744 NtDuplicateToken (196, 0xc, {24, 0, 0x0, 0, 1240440, 0x0}, 0, 2, ... 200, ) == 0x0 01800 744 NtClose (196, ... ) == 0x0 01801 744 NtAccessCheck (1408896, 200, 0x1, 1240568, 1240512, 56, 1240596, ... (0x1), ) == 0x0 01802 744 NtClose (200, ... ) == 0x0 01803 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 200, ) }, ... 200, ) == 0x0 01804 744 NtQueryValueKey (200, (200, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (200, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01805 744 NtClose (200, ... ) == 0x0 01806 744 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 200, ) }, ... 200, ) == 0x0 01807 744 NtQuerySymbolicLinkObject (200, ... (200, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01808 744 NtClose (200, ... ) == 0x0 01809 744 NtQueryInformationFile (180, 1238900, 528, Name, ... {status=0x0, info=86}, ) == 0x0 01810 744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01811 744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01812 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe"}, 1237580, ... ) }, 1237580, ... ) == 0x0 01813 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01814 744 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "WINDOWS", 0, ... 
{status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01815 744 NtClose (200, ... ) == 0x0 01816 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01817 744 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01818 744 NtClose (200, ... ) == 0x0 01819 744 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01820 744 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "b06FdUe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01821 744 NtClose (200, ... ) == 0x0 01822 744 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01823 744 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01824 744 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01825 744 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01826 744 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01827 744 NtClose (200, ... ) == 0x0 01828 744 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 200, ) }, ... 200, ) == 0x0 01829 744 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 196, ) }, ... 196, ) == 0x0 01830 744 NtClose (200, ... ) == 0x0 01831 744 NtQueryValueKey (196, (196, "Cache", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01832 744 NtQueryValueKey (196, (196, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (196, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 01833 744 NtClose (196, ... ) == 0x0 01834 744 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 10092544, 4096, ) == 0x0 01835 744 NtAllocateVirtualMemory (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0 01836 744 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01837 744 NtQueryValueKey (196, (196, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01838 744 NtClose (196, ... ) == 0x0 01839 744 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01840 744 NtQueryInformationToken (192, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01841 744 NtQueryInformationToken (192, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01842 744 NtClose (192, ... ) == 0x0 01843 744 NtCreateProcessEx (1243176, 2035711, 0, -1, 0, 172, 0, 0, 0, ... ) == 0x0 01844 744 NtQueryInformationProcess (192, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=840,ParentPid=732,}, 0x0, ) == 0x0 01845 744 NtReadVirtualMemory (192, 0x7ffdf008, 4, ... (192, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 01846 744 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe\b06FdUe1083.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01847 744 NtReadVirtualMemory (192, 0x400000, 4096, ... (192, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\217\212\371\333\313\353\227\210\313\353\227\210\313\353\227\210H\367\231\210\312\353\227\210\242\364\236\210\312\353\227\210"\364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\375b\224F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\230\240\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\344L\0\0(\0\0\0\0p\0\0\254\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0LB\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 4096, ) \364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\375b\224F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 
\0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\230\240\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\344L\0\0(\0\0\0\0p\0\0\254\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0LB\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 4096, ) == 0x0 01848 744 NtReadVirtualMemory (192, 0x407000, 256, ... (192, 0x407000, 256, ... "\0\0\0\0\375b\224FT\0\0\0\0\0\3\0\3\0\0\0X\0\0\200\16\0\0\0@\0\0\200\20\0\0\0(\0\0\200\0\0\0\0\375b\224FT\0\0\0\0\0\1\0\1\0\0\0\200\0\0\200\0\0\0\0\375b\224FT\0\0\0\0\0\1\0\1\0\0\0\230\0\0\200\0\0\0\0\375b\224FT\0\0\0\0\0\3\01u\0\0\340\0\0\2002u\0\0\310\0\0\2003u\0\0\260\0\0\200\0\0\0\0\375b\224FT\0\0\0\0\0\1\0\11\4\0\0\370\0\0\0\0\0\0\0\375b\224FT\0\0\0\0\0\1\0\0\0\0\0\10\1\0\0\0\0\0\0\375b\224FT\0\0\0\0\0\1\0\0\0\0\0\30\1\0\0\0\0\0\0\375b\224FT\0\0\0\0\0\1\0\0\0\0\0(\1\0\0\0\0\0\0\375b\224FT\0\0\0\0\0\1\0\0\0\0\08\1\0\0Pq\0\0\354\1\0\0", 256, ) , 256, ) == 0x0 01849 744 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01850 744 NtQueryInformationProcess (192, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=840,ParentPid=732,}, 0x0, ) == 0x0 01851 744 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\b06FdUe"}, 1241240, ... ) }, 1241240, ... ) == 0x0 01852 744 NtAllocateVirtualMemory (-1, 0, 0, 1748, 4096, 4, ... 10158080, 4096, ) == 0x0 01853 744 NtAllocateVirtualMemory (192, 0, 0, 1910, 4096, 4, ... 
65536, 4096, ) == 0x0 01854 744 NtWriteVirtualMemory (192, 0x10000, (192, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 01855 744 NtAllocateVirtualMemory (192, 0, 0, 1748, 4096, 4, ... 131072, 4096, ) == 0x0 01856 744 NtWriteVirtualMemory (192, 0x20000, (192, 0x20000, "\0\20\0\0\324\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\06\0\10\2\220\2\0\0\0\0\0\0\14\1\16\1\230\4\0\0V\0X\0\250\5\0\0V\0X\0\0\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0V\0X\0X\6\0\0\36\0 
\0\260\6\0\0\0\0\2\0\320\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1748, ... 0x0, ) , 1748, ... 0x0, ) == 0x0 01857 744 NtWriteVirtualMemory (192, 0x7ffdf010, (192, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01858 744 NtWriteVirtualMemory (192, 0x7ffdf1e8, (192, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01859 744 NtFreeVirtualMemory (-1, (0x9b0000), 0, 32768, ... (0x9b0000), 4096, ) == 0x0 01860 744 NtAllocateVirtualMemory (192, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01861 744 NtAllocateVirtualMemory (192, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 01862 744 NtProtectVirtualMemory (192, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 01863 744 NtCreateThread (0x1f03ff, 0x0, 192, 1241440, 1242160, 1, ... 
196, {840, 860}, ) == 0x0 01864 744 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} "\0\0\0\0\0\0\1\0\2$\370w U\367w\303\0\0\0\304\0\0\0H\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ... {168, 196, reply, 0, 732, 744, 1580, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\300\0\0\0\304\0\0\0H\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ) ... {168, 196, reply, 0, 732, 744, 1580, 0} (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} "\0\0\0\0\0\0\1\0\2$\370w U\367w\303\0\0\0\304\0\0\0H\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ... {168, 196, reply, 0, 732, 744, 1580, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\300\0\0\0\304\0\0\0H\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ) ) == 0x0 01865 744 NtResumeThread (196, ... 1, ) == 0x0 01866 744 NtClose (180, ... ) == 0x0 01867 744 NtClose (172, ... ) == 0x0 01868 744 NtClose (196, ... ) == 0x0 01869 744 NtClose (192, ... ) == 0x0 01870 744 NtClose (176, ... 
) == 0x0 01871 744 NtUserDestroyWindow (65740, ... 01872 744 NtUserRemoveProp (65740, 43288, ... ) == 0xffffffff 01873 744 NtUserRemoveProp (65740, 43282, ... ) == 0x0 01874 744 NtUserRemoveProp (65740, 43287, ... ) == 0x0 01871 744 NtUserDestroyWindow ... ) == 0x1 01875 744 NtUserUnregisterClass (1244636, 1998258176, 1244624, ... ) == 0x1 01876 744 NtTerminateProcess (0, 0, ... ) == 0x0 01877 744 NtRaiseException (1243508, 1242768, 1, ... 01878 744 NtContinue (1241564, 0, ... 01879 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01880 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01881 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01882 744 NtRaiseException (1233484, 1232744, 1, ... 01883 744 NtContinue (1231540, 0, ... 01884 744 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01885 744 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01886 744 NtReleaseMutant (112, ... 0x0, ) == 0x0 01887 744 NtUnmapViewOfSection (-1, 0x980000, ... ) == 0x0 01888 744 NtClose (168, ... ) == 0x0 01889 744 NtClose (164, ... ) == 0x0 01890 744 NtClose (152, ... ) == 0x0 01891 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 01892 744 NtFreeVirtualMemory (-1, (0x880000), 0, 32768, ... (0x880000), 65536, ) == 0x0 01893 744 NtClose (104, ... ) == 0x0 01894 744 NtClose (148, ... ) == 0x0 01895 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 01896 744 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 148, ) }, ... 148, ) == 0x0 01897 744 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 01898 744 NtClose (148, ... ) == 0x0 01899 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 01900 744 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 01901 744 NtClose (72, ... ) == 0x0 01902 744 NtGdiDeleteObjectApp (68158497, ... ) == 0x1 01903 744 NtUserGetProcessWindowStation (... ) == 0x28 01904 744 NtUserBuildNameList (40, 256, 1349064, 1244148, ... ) == 0x0 01905 744 NtUserGetProcessWindowStation (... ) == 0x28 01906 744 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x48 01907 744 NtUserBuildHwndList (72, 0, 0, 0, 64, ... (0x3004c, 0x100dc, 0x100ae, 0x100ac, 0x100aa, 0x100a6, 0x100a0, 0x10078, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x10080, 0x10026, 0x100c8, 0x4005e, 0x100c2, 0x100c0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x20060, 0x100da, 0x100d0, 0x100ce, 0x100b6, 0x100b4, 0x100b2, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0 01908 744 NtUserQueryWindow (196684, 0, ... ) == 0x770 01909 744 NtUserQueryWindow (196684, 1, ... ) == 0x784 01910 744 NtUserQueryWindow (65756, 0, ... ) == 0x770 01911 744 NtUserQueryWindow (65756, 1, ... ) == 0x784 01912 744 NtUserQueryWindow (65710, 0, ... ) == 0xa8 01913 744 NtUserQueryWindow (65710, 1, ... ) == 0xac 01914 744 NtUserQueryWindow (65708, 0, ... ) == 0xa8 01915 744 NtUserQueryWindow (65708, 1, ... ) == 0xac 01916 744 NtUserQueryWindow (65706, 0, ... ) == 0xa8 01917 744 NtUserQueryWindow (65706, 1, ... ) == 0xac 01918 744 NtUserQueryWindow (65702, 0, ... ) == 0xa8 01919 744 NtUserQueryWindow (65702, 1, ... ) == 0xac 01920 744 NtUserQueryWindow (65696, 0, ... ) == 0x770 01921 744 NtUserQueryWindow (65696, 1, ... ) == 0x784 01922 744 NtUserQueryWindow (65656, 0, ... 
) == 0x770 01923 744 NtUserQueryWindow (65656, 1, ... ) == 0x784 01924 744 NtUserBuildHwndList (0, 65656, 1, 0, 64, ... (0x1007a, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0 01925 744 NtUserQueryWindow (65658, 0, ... ) == 0x770 01926 744 NtUserQueryWindow (65658, 1, ... ) == 0x784 01927 744 NtUserQueryWindow (65670, 0, ... ) == 0x770 01928 744 NtUserQueryWindow (65670, 1, ... ) == 0x784 01929 744 NtUserQueryWindow (65672, 0, ... ) == 0x770 01930 744 NtUserQueryWindow (65672, 1, ... ) == 0x784 01931 744 NtUserQueryWindow (65674, 0, ... ) == 0x770 01932 744 NtUserQueryWindow (65674, 1, ... ) == 0x784 01933 744 NtUserQueryWindow (65678, 0, ... ) == 0x770 01934 744 NtUserQueryWindow (65678, 1, ... ) == 0x784 01935 744 NtUserQueryWindow (65680, 0, ... ) == 0x770 01936 744 NtUserQueryWindow (65680, 1, ... ) == 0x784 01937 744 NtUserQueryWindow (65682, 0, ... ) == 0x770 01938 744 NtUserQueryWindow (65682, 1, ... ) == 0x784 01939 744 NtUserQueryWindow (65684, 0, ... ) == 0x770 01940 744 NtUserQueryWindow (65684, 1, ... ) == 0x784 01941 744 NtUserQueryWindow (65686, 0, ... ) == 0x770 01942 744 NtUserQueryWindow (65686, 1, ... ) == 0x784 01943 744 NtUserQueryWindow (65690, 0, ... ) == 0x770 01944 744 NtUserQueryWindow (65690, 1, ... ) == 0x784 01945 744 NtUserQueryWindow (65692, 0, ... ) == 0x770 01946 744 NtUserQueryWindow (65692, 1, ... ) == 0x784 01947 744 NtUserQueryWindow (65694, 0, ... ) == 0x770 01948 744 NtUserQueryWindow (65694, 1, ... ) == 0x784 01949 744 NtUserQueryWindow (65652, 0, ... ) == 0x770 01950 744 NtUserQueryWindow (65652, 1, ... ) == 0x784 01951 744 NtUserQueryWindow (65640, 0, ... ) == 0x770 01952 744 NtUserQueryWindow (65640, 1, ... ) == 0x784 01953 744 NtUserQueryWindow (196682, 0, ... ) == 0x770 01954 744 NtUserQueryWindow (196682, 1, ... ) == 0x784 01955 744 NtUserQueryWindow (65638, 0, ... ) == 0x770 01956 744 NtUserQueryWindow (65638, 1, ... 
) == 0x784 01957 744 NtUserQueryWindow (196668, 0, ... ) == 0x770 01958 744 NtUserQueryWindow (196668, 1, ... ) == 0x784 01959 744 NtUserBuildHwndList (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0 01960 744 NtUserQueryWindow (196670, 0, ... ) == 0x770 01961 744 NtUserQueryWindow (196670, 1, ... ) == 0x784 01962 744 NtUserQueryWindow (196674, 0, ... ) == 0x770 01963 744 NtUserQueryWindow (196674, 1, ... ) == 0x784 01964 744 NtUserQueryWindow (196672, 0, ... ) == 0x770 01965 744 NtUserQueryWindow (196672, 1, ... ) == 0x784 01966 744 NtUserQueryWindow (196676, 0, ... ) == 0x770 01967 744 NtUserQueryWindow (196676, 1, ... ) == 0x784 01968 744 NtUserQueryWindow (196678, 0, ... ) == 0x770 01969 744 NtUserQueryWindow (196678, 1, ... ) == 0x784 01970 744 NtUserQueryWindow (196680, 0, ... ) == 0x770 01971 744 NtUserQueryWindow (196680, 1, ... ) == 0x784 01972 744 NtUserQueryWindow (65642, 0, ... ) == 0x770 01973 744 NtUserQueryWindow (65642, 1, ... ) == 0x784 01974 744 NtUserQueryWindow (65646, 0, ... ) == 0x770 01975 744 NtUserQueryWindow (65646, 1, ... ) == 0x784 01976 744 NtUserQueryWindow (65650, 0, ... ) == 0x770 01977 744 NtUserQueryWindow (65650, 1, ... ) == 0x784 01978 744 NtUserQueryWindow (65688, 0, ... ) == 0x770 01979 744 NtUserQueryWindow (65688, 1, ... ) == 0x784 01980 744 NtUserQueryWindow (65676, 0, ... ) == 0x770 01981 744 NtUserQueryWindow (65676, 1, ... ) == 0x784 01982 744 NtUserQueryWindow (65664, 0, ... ) == 0x770 01983 744 NtUserQueryWindow (65664, 1, ... ) == 0x774 01984 744 NtUserQueryWindow (65574, 0, ... ) == 0x268 01985 744 NtUserQueryWindow (65574, 1, ... ) == 0x2c0 01986 744 NtUserQueryWindow (65736, 0, ... ) == 0x234 01987 744 NtUserQueryWindow (65736, 1, ... ) == 0x238 01988 744 NtUserQueryWindow (262238, 0, ... ) == 0x234 01989 744 NtUserQueryWindow (262238, 1, ... ) == 0x238 01990 744 NtUserQueryWindow (65730, 0, ... 
) == 0xb4 01991 744 NtUserQueryWindow (65730, 1, ... ) == 0xb8 01992 744 NtUserQueryWindow (65728, 0, ... ) == 0xb4 01993 744 NtUserQueryWindow (65728, 1, ... ) == 0xb8 01994 744 NtUserQueryWindow (65726, 0, ... ) == 0xb4 01995 744 NtUserQueryWindow (65726, 1, ... ) == 0xb8 01996 744 NtUserQueryWindow (65724, 0, ... ) == 0xb4 01997 744 NtUserQueryWindow (65724, 1, ... ) == 0xb8 01998 744 NtUserQueryWindow (65722, 0, ... ) == 0xb4 01999 744 NtUserQueryWindow (65722, 1, ... ) == 0xb8 02000 744 NtUserQueryWindow (65720, 0, ... ) == 0xb4 02001 744 NtUserQueryWindow (65720, 1, ... ) == 0xb8 02002 744 NtUserQueryWindow (131168, 0, ... ) == 0xc4 02003 744 NtUserQueryWindow (131168, 1, ... ) == 0xc8 02004 744 NtUserQueryWindow (65754, 0, ... ) == 0x770 02005 744 NtUserQueryWindow (65754, 1, ... ) == 0x314 02006 744 NtUserQueryWindow (65744, 0, ... ) == 0x770 02007 744 NtUserQueryWindow (65744, 1, ... ) == 0x314 02008 744 NtUserBuildHwndList (0, 65744, 1, 0, 64, ... (0x100d2, 0x100d4, 0x100d6, 0x100d8, 0x1, ), 5, ) == 0x0 02009 744 NtUserQueryWindow (65746, 0, ... ) == 0x770 02010 744 NtUserQueryWindow (65746, 1, ... ) == 0x314 02011 744 NtUserQueryWindow (65748, 0, ... ) == 0x770 02012 744 NtUserQueryWindow (65748, 1, ... ) == 0x314 02013 744 NtUserQueryWindow (65750, 0, ... ) == 0x770 02014 744 NtUserQueryWindow (65750, 1, ... ) == 0x314 02015 744 NtUserQueryWindow (65752, 0, ... ) == 0x770 02016 744 NtUserQueryWindow (65752, 1, ... ) == 0x314 02017 744 NtUserQueryWindow (65742, 0, ... ) == 0x770 02018 744 NtUserQueryWindow (65742, 1, ... ) == 0x784 02019 744 NtUserQueryWindow (65718, 0, ... ) == 0xa8 02020 744 NtUserQueryWindow (65718, 1, ... ) == 0xac 02021 744 NtUserQueryWindow (65716, 0, ... ) == 0xb4 02022 744 NtUserQueryWindow (65716, 1, ... ) == 0xb8 02023 744 NtUserQueryWindow (65714, 0, ... ) == 0xb4 02024 744 NtUserQueryWindow (65714, 1, ... ) == 0xb8 02025 744 NtUserQueryWindow (131170, 0, ... ) == 0x94 02026 744 NtUserQueryWindow (131170, 1, ... 
) == 0xa4 02027 744 NtUserQueryWindow (65644, 0, ... ) == 0x770 02028 744 NtUserQueryWindow (65644, 1, ... ) == 0x7cc 02029 744 NtUserQueryWindow (327760, 0, ... ) == 0x770 02030 744 NtUserQueryWindow (327760, 1, ... ) == 0x774 02031 744 NtUserQueryWindow (262228, 0, ... ) == 0x770 02032 744 NtUserQueryWindow (262228, 1, ... ) == 0x774 02033 744 NtUserQueryWindow (327758, 0, ... ) == 0x770 02034 744 NtUserQueryWindow (327758, 1, ... ) == 0x774 02035 744 NtUserQueryWindow (65666, 0, ... ) == 0x770 02036 744 NtUserQueryWindow (65666, 1, ... ) == 0x774 02037 744 NtUserQueryWindow (65654, 0, ... ) == 0x770 02038 744 NtUserQueryWindow (65654, 1, ... ) == 0x774 02039 744 NtUserBuildHwndList (0, 65654, 1, 0, 64, ... (0x1007c, 0x1007e, 0x1, ), 3, ) == 0x0 02040 744 NtUserQueryWindow (65660, 0, ... ) == 0x770 02041 744 NtUserQueryWindow (65660, 1, ... ) == 0x774 02042 744 NtUserQueryWindow (65662, 0, ... ) == 0x770 02043 744 NtUserQueryWindow (65662, 1, ... ) == 0x774 02044 744 NtUserCloseDesktop (72, ... 02045 744 NtClose (72, ... ) == 0x0 02044 744 NtUserCloseDesktop ... ) == 0x1 02046 744 NtUserGetProcessWindowStation (... ) == 0x28 02047 744 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02048 744 NtUserGetProcessWindowStation (... ) == 0x28 02049 744 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02050 744 NtGdiDeleteObjectApp (705299494, ... ) == 0x1 02051 744 NtGdiDeleteObjectApp (84542500, ... ) == 0x1 02052 744 NtClose (64, ... ) == 0x0 02053 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02054 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc03b 02055 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02056 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... 
) == 0xc03d 02057 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02058 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc03f 02059 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02060 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc041 02061 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02062 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc043 02063 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02064 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc045 02065 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02066 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc047 02067 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02068 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc049 02069 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02070 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04b 02071 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02072 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04d 02073 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02074 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04f 02075 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02076 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc051 02077 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02078 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc053 02079 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02080 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... 
) == 0xc057 02081 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02082 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc059 02083 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02084 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05b 02085 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02086 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05d 02087 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02088 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05f 02089 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02090 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc017 02091 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02092 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc019 02093 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02094 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc018 02095 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02096 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01a 02097 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02098 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01c 02099 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02100 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01e 02101 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02102 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01b 02103 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02104 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... 
) == 0xc068 02105 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02106 744 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc06a 02107 744 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02108 744 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 02109 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02110 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03b 02111 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02112 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03d 02113 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02114 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03f 02115 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02116 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc041 02117 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02118 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc043 02119 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02120 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc045 02121 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02122 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc047 02123 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02124 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc049 02125 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02126 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc04b 02127 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02128 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... 
) == 0xc04d 02129 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02130 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc04f 02131 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02132 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc051 02133 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02134 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc053 02135 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02136 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc057 02137 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02138 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc059 02139 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02140 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05b 02141 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02142 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05d 02143 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02144 744 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05f 02145 744 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02146 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02147 744 NtClose (160, ... ) == 0x0 02148 744 NtClose (76, ... ) == 0x0 02149 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 02150 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 02151 744 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 02152 744 NtClose (68, ... ) == 0x0 02153 744 NtFreeVirtualMemory (-1, (0x9a0000), 4096, 32768, ... 
(0x9a0000), 4096, ) == 0x0 02154 744 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1369936, 1369944, 65912, 1310720} (24, {20, 48, new_msg, 0, 1369936, 1369944, 65912, 1310720} "\0\0\0\0\3\0\1\0\230\375\22\0\2$\370w\0\0\0\0" ... {20, 48, reply, 0, 732, 744, 1585, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2$\370w\0\0\0\0" ) ... {20, 48, reply, 0, 732, 744, 1585, 0} (24, {20, 48, new_msg, 0, 1369936, 1369944, 65912, 1310720} "\0\0\0\0\3\0\1\0\230\375\22\0\2$\370w\0\0\0\0" ... {20, 48, reply, 0, 732, 744, 1585, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2$\370w\0\0\0\0" ) ) == 0x0 02155 744 NtTerminateProcess (-1, 0, ... 02156 744 NtClose (44, ... ) == 0x0