Summary:
NtCallbackReturn(>) | 1 | NtGdiCreateBitmap(>) | 2 | NtUserBuildHwndList(>) | 4 | NtFlushInstructionCache(>) | 19 |
NtConnectPort(>) | 1 | NtGdiCreateSolidBrush(>) | 2 | NtUserSelectPalette(>) | 4 | NtUnmapViewOfSection(>) | 20 |
NtCreateMutant(>) | 1 | NtGdiGetDCObject(>) | 2 | NtWriteVirtualMemory(>) | 4 | NtSetInformationThread(>) | 22 |
NtCreateProcessEx(>) | 1 | NtGdiGetDCforBitmap(>) | 2 | NtGdiDeleteObjectApp(>) | 5 | NtQueryInformationProcess(>) | 23 |
NtCreateThread(>) | 1 | NtGdiHfontCreate(>) | 2 | NtGdiGetStockObject(>) | 5 | NtWriteFile(>) | 23 |
NtDuplicateToken(>) | 1 | NtGdiRestoreDC(>) | 2 | NtUserGetProcessWindowStation(>) | 5 | NtRaiseException(>) | 25 |
NtEnumerateValueKey(>) | 1 | NtGdiSaveDC(>) | 2 | NtUserRegisterWindowMessage(>) | 5 | NtContinue(>) | 26 |
NtGdiBitBlt(>) | 1 | NtGdiSetDIBitsToDeviceInternal(>) | 2 | NtCreateSemaphore(>) | 6 | NtSetInformationFile(>) | 26 |
NtGdiCreateCompatibleBitmap(>) | 1 | NtOpenDirectoryObject(>) | 2 | NtEnumerateKey(>) | 6 | NtReleaseMutant(>) | 28 |
NtGdiCreateDIBitmapInternal(>) | 1 | NtOpenProcess(>) | 2 | NtOpenProcessToken(>) | 6 | NtCreateSection(>) | 30 |
NtGdiCreatePatternBrushInternal(>) | 1 | NtQueryInstallUILanguage(>) | 2 | NtQueryVolumeInformationFile(>) | 7 | NtCreateFile(>) | 32 |
NtGdiExtGetObjectW(>) | 1 | NtQueryVirtualMemory(>) | 2 | NtUserCallNoParam(>) | 7 | NtOpenProcessTokenEx(>) | 32 |
NtGdiInit(>) | 1 | NtTerminateProcess(>) | 2 | NtQueryDefaultUILanguage(>) | 8 | NtOpenThreadTokenEx(>) | 32 |
NtGdiQueryFontAssocInfo(>) | 1 | NtUserCloseDesktop(>) | 2 | NtSetInformationProcess(>) | 8 | NtProtectVirtualMemory(>) | 39 |
NtNotifyChangeKey(>) | 1 | NtUserCreateWindowEx(>) | 2 | NtQueryDebugFilterState(>) | 9 | NtQueryInformationToken(>) | 39 |
NtOpenKeyedEvent(>) | 1 | NtUserDestroyWindow(>) | 2 | NtQueryInformationFile(>) | 9 | NtWaitForSingleObject(>) | 41 |
NtQueryInformationJobObject(>) | 1 | NtUserGetObjectInformation(>) | 2 | NtReleaseSemaphore(>) | 10 | NtAllocateVirtualMemory(>) | 43 |
NtQueryObject(>) | 1 | NtUserMessageCall(>) | 2 | NtUserGetWindowDC(>) | 10 | NtUserUnregisterClass(>) | 46 |
NtQueryPerformanceCounter(>) | 1 | NtAddAtom(>) | 3 | NtRequestWaitReplyPort(>) | 11 | NtMapViewOfSection(>) | 48 |
NtQuerySystemTime(>) | 1 | NtDuplicateObject(>) | 3 | NtSetValueKey(>) | 11 | NtUserFindExistingCursorIcon(>) | 49 |
NtRegisterThreadTerminatePort(>) | 1 | NtOpenEvent(>) | 3 | NtUserSystemParametersInfo(>) | 11 | NtOpenFile(>) | 51 |
NtResumeThread(>) | 1 | NtOpenMutant(>) | 3 | NtCreateEvent(>) | 12 | NtOpenSection(>) | 51 |
NtSecureConnectPort(>) | 1 | NtReadVirtualMemory(>) | 3 | NtCreateKey(>) | 12 | NtUserRegisterClassExWOW(>) | 64 |
NtTestAlert(>) | 1 | NtUserGetDC(>) | 3 | NtQueryKey(>) | 12 | NtQueryAttributesFile(>) | 69 |
NtUserBuildNameList(>) | 1 | NtUserOpenDesktop(>) | 3 | NtGdiSelectBitmap(>) | 13 | NtQuerySystemInformation(>) | 76 |
NtUserGetAtomName(>) | 1 | NtUserRemoveProp(>) | 3 | NtQueryDirectoryFile(>) | 13 | NtUserGetClassInfo(>) | 82 |
NtUserGetGUIThreadInfo(>) | 1 | NtFreeVirtualMemory(>) | 4 | NtUserCallOneParam(>) | 14 | NtReadFile(>) | 89 |
NtUserGetThreadDesktop(>) | 1 | NtGdiCreateCompatibleDC(>) | 4 | NtOpenThreadToken(>) | 15 | NtQueryValueKey(>) | 97 |
NtUserSetCursorIconData(>) | 1 | NtOpenSymbolicLinkObject(>) | 4 | NtQuerySection(>) | 15 | NtUserQueryWindow(>) | 112 |
NtUserSetProp(>) | 1 | NtQuerySecurityObject(>) | 4 | NtFsControlFile(>) | 16 | NtOpenKey(>) | 157 |
NtAccessCheck(>) | 2 | NtQuerySymbolicLinkObject(>) | 4 | NtQueryDefaultLocale(>) | 16 | NtClose(>) | 264 |
NtCreateIoCompletion(>) | 2 | NtSetInformationObject(>) | 4 | NtDeviceIoControlFile(>) | 17 |
3
0
\1\0\0\2008\0t\11\200}\350\0t\3\215u\350\200>.u\21\212F\1\204\300tm<.u\6\200", ) \1\0\0\366E\14\2\17\204\30\1\0\0\276\250\270B\0WV\350`\6\0\0\205\333t\15h\0\223@\0V\350m\6\0\0\353\6W\350\235\1\0\0h\20\220@\0W\350Z\6\0\0W\350N\6\0\0\213\330\215\205\270\376\377\377PV\3\337\377\250
310\223@\0\350\252\370\377\377\2008\0u\22V\377\325+\306PVW\350\21\372\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317]\200'\0WS\377\25\320q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^[\302\4\0SV\2135\4q@\0Wh\1\200\0\0\377\326\277\360\310B\0W\377t$\24\377\250\213\330\377\326\203\373\377t\13S\377\254q@\0\213\307\353\23\300_^[\302\4\0\377t$\4\377\25\10q@\0\205\300u\16\377t$\4\377\25\14q@\0\205\300t\13\377t$\10P\377\25\20q@\0\302\10\0U\213\354\203\354\34V\213u\10W\213=\330q@\0\353\12\215E\344P\377\25\324q@\0j\1VV\215E\344j\0P\377\327\205\300u\346_^\311\302\4\0\203=4\316B\0\0Vu-3\311j\10\213\301^\213\320\200\342\1\366\332\33\322\201\342 \203\270\355\321\3503\302Nu\352\211\4\2150\316B\0A\201\371\0\1\0\0|\325\213T$\20\213D$\10\205\322\367\320v#\213L$\14W\17\2669\213\360\201\346\377\0\0\03\367\301\350\10\2134\2650\316B\03\306AJu\343_\367\320^\302\14\0U\213\354\203\354D\213E\10SVW\213\10\215p\20\213@\4\211M\310\213\216\250\233\0\0\213\236\30\5\0\0\211E\314\213\206\34\5\0\0\211E\300\213\206\244\233\0\0;\310\211M\320s", ) == 0x0 01415 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "+\301\211E\324\351\303\11\0\0\377$\205\10h@\0\203}\314\0\17\204\302\11\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213E\300\203\353\3\301m\300\3\203\340\7\213\310\200\341\1\366\331\33\311\203\341\7\321\350\203\301\10\203\350\0\211\216\24\5\0\0\17\204.\1\0\0HtVHtHH\17\205]\11\0\0\203\317\377\307\6\21\0\0\0\213E\300\213M\10\211\206\34\5\0\0\213E\314\211\236\30\5\0\0\211A\4\213E\10\213M\310P\211\10\213M\320\211\216\250\233\0\0\350\240\11\0\0\213\307_^[\311\302\4\0\307\6\13\0\0\0\351\21\11\0\0\200=\270\343B\0\0\17\205\240\0\0\0\203e\370\0\2708\322B\0=t\324B\0\261\10~\24=8\326B\0}\4\376\301\353\11=\230\326B\0}\2\261\7\17\276\311\211\10\203\300\4=\270\326B\0|\324\215E\370\2778\322B\0Ph8\333B\0h\370\223@\0h4\322B\0hhs@\0h(s@\0h\1\1\0\0h \1\0\0W\350\200\11\0\0j\36Yj\5X\363\253\215E\370Ph8\333B\0h\374\223@\0h0\322B\0h\344s@\0h\250s@\0j\0j\36h8\322B\0\350M\11\0\0\376\5\270\343B\0\240\370\223@\0\210F\20\240\374\223@\0\210F\21\2414\322B\0\211F\24\2410\322B\0\211F\30\203&\0\351<\10\0\0\213\313\307\6\11\0\0\0\203\341\7\323m\300+\331\351'\10\0\0\203}\314\0\17\204-\10\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\20r\333\213E\3003\333%\377\377\0\0\211]\300;\303\211F\4\17\204\351\0\0\0j\12X\351\347\0\0\0\203}\314\0\17\204\350\7\0", ) , ) == 0x0 01416 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213\216\240\233\0\0\213U\320;\321u)\213\206\244\233\0\0\215\276\240\33\0\0;\307t\31\213\327;\320\211U\320s\5+\302H\353\4+\312\213\301\205\300\211E\324ub\377u\10\211\226\250\233\0\0\350\4\10\0\0\213\226\250\233\0\0\213\216\244\233\0\0;\321\211U\320s\7\213\301+\302H\353\10\213\206\240\233\0\0+\302\213\276\240\233\0\0\211E\324;\327u\35\215\226\240\33\0\0;\321t\23\211U\320s\7+\312I\213\301\353\4+\372\213\307\211E\324\205\300\17\204a\7\0\0;E\314r\3\213E\314\213N\4;\310\213\371r\2\213\370W\377u\310\377u\320\350\325\365\377\377\1}\310)}\314\1}\320)}\324)~\4\17\205\1\7\0\0\213\206\24\5\0\0\211\6\351\364\6\0\0\203}\314\0\17\204\372\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\16r\333\213E\300%\377?\0\0\213\310\211F\4\203\341\37\200\371\35\17\207Y\375\377\377%\340\3\0\0=\240\3\0\0\17\207I\375\377\377\301m\300\16\203\353\16\203f\10\0\307\6\14\0\0\0\213F\4\301\350\12\203\300\49F\10si\353 \203}\314\0\17\204\213\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213N\10\213E\300\203\340\7\203\353\3\17\276\211\24s@\0\301m\300\3\211D\216\14\213N\4\377F\10\213F\10\301\351\12\203\301\4;\301r\315\353\22\213F\10\17\276\200\24s@\0\203d\206\14\0\377F\10\203~\10\23r\350\215M\370\215\276\14\5\0\0Q\215\216 \5\0\0Q\215\216\20\5\0\03\300WQP\211E\370Pj\23\215F\14j\23P\307\7\7\0\0\0\350\310\6\0\0\205\300u\229\7t\16!F\10\307", ) , ) == 0x0 01417 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\21\0\0\0\351\304\5\0\0\213\206\14\5\0\0\353 \203}\314\0\17\204\302\5\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213\216\20\5\0\0\215\4\201\17\266P\1\17\267@\2\203\370\20\211E\354s\26\213\312+\332\323m\300\213N\10\211D\216\14\377F\10\351\254\0\0\0\203\370\22u\14j\7\307E\370\13\0\0\0X\353,\203\300\362\307E\370\3\0\0\0\353 \203}\314\0\17\204G\5\0\0\213M\310\377M\314\17\2669\213\313\323\347\11}\300\377E\310\203\303\10\215\14\20;\331r\331\213\312+\332\323m\300\17\267\14E\324\223@\0#M\300\213U\370+\330\3\321\213\310\213F\4\323m\300\213N\10\213\370\301\357\5\203\347\37\203\340\37\215\204\7\2\1\0\0\215<\12;\370\17\207|\373\377\377\203}\354\20u\17\203\371\1\17\202m\373\377\377\213|\216\10\353\23\377\215D\216\14\2118A\203\300\4Ju\367\211N\10\213F\4\213N\10\213\320\203\340\37\301\352\5\203\342\37\215\204\2\2\1\0\0;\310\17\202\316\376\377\377\213F\4\203\246\20\5\0\0\0\203e\364\0\213\370\301\350\5\203\347\37\271\1\1\0\0\203\340\37\3\371@\215U\364\211E\354\215\206 \5\0\0RP\215E\374\307E\374\11\0\0\0P\215E\350Phhs@\0h(s@\0Q\215F\14WP\307E\360\6\0\0\0\350\33\5\0\0\203}\374\0u\3\203\310\377\205\300\17\205\312\372\377\377\215E\364P\215\206 \5\0\0P\215E\360P\215E\344Ph\344s@\0h\250s@\0j\0\377u\354\215D\276\14P\350\336\4\0\0\205\300\17\205\226\372\377\377\213E\360\205\300u\14\201\377\1\1\0\0\17\217\203\372\377\377\212M\374\203&\0\210", ) , ) == 0x0 01418 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "N\20\211F\30\17\266F\20\211F\14\213F\24\211F\10\307\6\1\0\0\0\213F\14\353 \203}\314\0\17\204\266\3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\205\311u\22\17\267@\2\211F\10\307\6\6\0\0\0\351Y\3\0\0\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\4\307\6\2\0\0\0\351<\3\0\0\366\301@\17\204\321\0\0\0\366\301 \17\204\315\371\377\377\307\6\7\0\0\0\351\37\3\0\0\213F\10\353 \203}\314\0\17\204 \3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\324\223@\0#M\300\1N\4\213\310\323m\300+\330\17\266F\21\211F\14\213F\30\211F\10\307\6\3\0\0\0\213F\14\353 \203}\314\0\17\204\317\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\14\307\6\4\0\0\0\351k\2\0\0\366\301@\17\205\5\371\377\377\211N\14\17\267H\2\215\4\210\211F\10\351P\2\0\0\213F\10\353 \203}\314\0\17\204Q\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\324\223@\0#M\300\1N\14\213\310\323m\300+\330\307\6\5\0\0\0\213E\320\213V\14\213\310+\316\201\351\240\33\0\0;\312s\23\213\216\240\233\0\0+\312+\316\215\214\1`\344\377\377\353\4\213\310+\312\203~\4\0\211M\340\17", ) , ) == 0x0 01419 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\221\0\0\0\213\276\240\233\0\0;\307u#\213\216\244\233\0\0\215\226\240\33\0\0;\312t\23\213\302;\301s\7+\310I\213\371\353\2+\370\205\377ud\377u\10\211\206\250\233\0\0\350\11\2\0\0\213\206\250\233\0\0\213\216\244\233\0\0;\301\211E\320s\7\213\371+\370O\353\10\213\276\240\233\0\0+\370\213\226\240\233\0\0;\302\211U\370u\37\215\226\240\33\0\0;\312t\25\213\302;\301\211E\320s\7+\310I\213\371\353\5\213}\370+\370\205\377\17\204d\1\0\0\213M\340\212\21\210\20@AO;\216\240\233\0\0\211E\320\211M\340\211}\324u\11\215\216\240\33\0\0\211M\340\377N\4\17\205:\377\377\377\351\302\370\377\377\213E\324\213}\320\205\300\17\205\221\0\0\0\213\216\240\233\0\0;\371u#\213\206\244\233\0\0\215\226\240\33\0\0;\302t\23\213\372;\370s\5+\307H\353\4+\317\213\301\205\300ud\377u\10\211\276\250\233\0\0\3508\1\0\0\213\276\250\233\0\0\213\216\244\233\0\0;\371\211}\320s\7\213\301+\307H\353\10\213\206\240\233\0\0+\307\213\226\240\233\0\0;\372\211U\370u\37\215\226\240\33\0\0;\312t\25\213\372;\371\211}\320s\7+\317I\213\301\353\5\213E\370+\307\205\300\17\204\223\0\0\0\212N\10\210\17GH\211}\320\211E\324\351\21\370\377\377\203\373\7v\11\203\353\10\377E\314\377M\310\213E\320\377u\10\211\206\250\233\0\0\350\261\0\0\0\213\216\250\233\0\0\213\226\244\233\0\0;\312\211M\320s\7\213\302+\301H\353\10\213\206\240\233\0\0+\301;\312\211E\324u9\213\206\24\5\0\0\203\370\10\211\6u3\213\6\203\370\17\17\2062\366\377\377\351\223\366\377\377\213E\3003\377\211\206\34\5\0\0\213E\10\211\236\30\5\0\0\211x\4", ) , ) == 0x0 01420 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "3\377G\351q\366\377\377\5d@\0\30d@\0\256d@\0\377d@\0}e@\0\301e@\0\307f@\0xg@\01^@\0\306_@\0\353_@\0\371`@\08a@\0\33c@\0p^@\0\206g@\0SV\213t$\14W\213\276\264\233\0\0\213\236\270\233\0\0;\373v\6\213\236\260\233\0\0\213F\14+\337;\330r\2\213\330SW\377v\10+\303\211F\14\350\15\356\377\377\1^\10\213\206\260\233\0\0\3\373;\370u\269\206\270\233\0\0\215\276\260\33\0\0u\271\211\276\270\233\0\0\353\261\211\276\264\233\0\0_^[\302\4\0U\213\354\201\354\354\0\0\0SV\213u\14Wj\203\300Y\215}\220\363\253\213M\10\213\326\213\1\203\301\4\215D\205\220\377\0Ju\3629u\220u\23\213E\34\203 \0\213E \203 \03\300\351\360\2\0\0\213u 3\333Cj\17\213>\213\313\211} Z3\3009D\215\220u\5A;\312v\363;\371\211M\374s\3\211M 9D\225\220u\3Ju\3679U \211U\350v\3\211U \213} \211>\323\343\353\15+\\215\220\17\210\237\2\0\0A\3\333;\312r\357\213\362\301\346\2\215L5\220\2139+\337\211]\320\17\210\202\2\0\0\3\373\211\205T\377\377\377\21193\311Jt\233\377\3L=\224\203\307\4J\211\214=T\377\377\377u\357\213]\103\377\213\13\203\303\4;\310t\23\215\214\215P\377\377\377\213\21\211<\225\270\326B\0B\211\21G;}\14r\336\213\2145P\377\377\377\213] \203M\364\377\203e\334\0\211M\14\213M\374\367\333;M\350\211E\370\211\205P\377\377\377\307E\340\270\326B\0\211\205\24\377\377\377\17\217\363\1\0\0\215Q\377\215L\215\220\211U\330\211M\344\213M\344\2131\205", ) , ) == 0x0 01421 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213M N\3\313\211u\3249M\374\211M\354\17\216\314\0\0\0F\211u\360\213u\350\377E\364+u\354;u v\3\213u \213M\3743\322+M\354B\323\342;U\360v#\213}\344\203\310\377+E\324\3\320;\316s\24\353\15\203\307\4\3\322\213\7;\320v\7+\320A;\316r\356\213U(3\300@\213\22\323\340\211E\334\215<\2\201\377\240\5\0\0\17\207h\1\0\0\213E$\215\4\220\213U\364\215\264\225\24\377\377\377\213U(\211:\213U\364\205\322\211\6t1\213}\370\213v\374\211\274\225P\377\377\377\212U \210U\11\210M\10\213\327\213\313\323\352\213\310+\316\301\371\2+\312f\211M\12\213M\10\211\14\226\353\5\213M\34\211\1\213M\354\213\331\3M 9M\374\211M\354\17\2178\377\377\377\212M\374\213u\340*\313\210M\11\213M\14\215\14\215\270\326B\0;\361r\6\306E\10\300\353C\213\16;M\20s\34\201\371\0\1\0\0\17\222\301\376\311\203\341`\210M\10f\213\16\203\306\4\211u\340\353\34+M\20\213U\30\3\311\212\24\21\200\302P\203E\340\4\210U\10\213U\24f\213\14\21f\211M\12\213M\374\213U\3703\377+\313G\213\367\323\346\213\313\323\352\353\10\213M\10\211\14\220\3\326;U\334r\363\213M\330\213u\370\213\327\323\342\353\43\362\321\352\205\326u\370\213\3173\362\211M\360\213\313\213\327\211u\370\323\342J#\326\213\312\213U\364;\214\225P\377\377\377t\32+] \213\367J\213\313\323\346N#u\370;\264\225P\377\377\377u\351\211U\364\203}\324\0\17\205?\376\377\377\377E\374\203E\344\4\213M\374\377E\330;M\350\17\216\32\376\377\3773\3009E\320t\11\203}\350\1t\3\203\310\377_^[\311\302$\0\314\377%hr@\0\377%", ) , ) == 0x0 01422 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\236\200\0\0\262\200\0\0\220\200\0\0\200\200\0\0\6\201\0\0\366\200\0\0\344\200\0\0\326\200\0\0\304\200\0\0\0\0\0\08\201\0\0$\201\0\0\21\0\0\200N\201\0\0\0\0\0\0\314\177\0\0\274\177\0\0\254\177\0\0\226\177\0\0\200\177\0\0t\177\0\0d\177\0\0T\177\0\0\0\0\0\0.y\0\0y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0\340x\0\0\322x\0\0\304x\0\0\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0", ) y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0\340x\0\0\322x\0\0\304x\0\0\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0", ) == 0x0 01423 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "X}\0\0@}\0\0.}\0\0\36}\0\0\14}\0\0\0}\0\0\240~\0\0\360|\0\08|\0\0*|\0\0\30|\0\0\12|\0\0\2|\0\0\362{\0\0\340{\0\0\320{\0\0\276{\0\0\260{\0\0\240{\0\0\224{\0\0\210{\0\0|{\0\0v|\0\0\0\0\0\0\330\201\0\0\302\201\0\0\260\201\0\0\0\0\0\0\226\201\0\0\204\201\0\0p\201\0\0\0\0\0\0shlwapi.dll\0SHAutoComplete\0\0.DEFAULT\Control Panel\International\0\0\0\0Locale\0\0Control Panel\Desktop\ResourceLocale\0\0\0\0GetUserDefaultUILanguage\0\0\0\0%d\0\0\20\21\22\0\10\7\11\6\12\5\13\4\14\3\15\2\16\1\17\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\15\0\17\0\21\0\23\0\27\0\33\0\37\0#\0+\03\0;\0C\0S\0c\0s\0\203\0\243\0\303\0\343\0\2\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\1\0\1\0\2\0\2\0\2\0\2\0\3\0\3\0\3\0\3\0\4\0\4\0\4\0\4\0\5\0\5\0\5\0\5\0\0\0p\0p\0\0\0\1\0\2\0\3\0\4\0\5\0\7\0\11\0\15\0\21\0\31\0!\01\0A\0a\0\201\0\301\0\1\1\201\1\1\2\1\3\1\4\1\6\1\10\1\14\1\20\1\30\1 \10\1@\1`\0\0\0\0\0\0\0\0\1\0\1\0\2\0\2\0", ) , ) == 0x0 01424 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\6\0\6\0\7\0\7\0\10\0\10\0\11\0\11\0\12\0\12\0\13\0\13\0\14\0\14\0\15\0\15\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\13\1\0\0\0\0\0\0\300\0\0\0\0\0\0Fdu\0\0\0\0\0\0\0\0\0\0n{\0\0`p\0\0pv\0\0\0\0\0\0\0\0\0\0H\177\0\0lq\0\0@u\0\0\0\0\0\0\0\0\0\0\332\177\0\0 \353g\302\342,(g\35\245-\217\3606\2250G\1\331\252\376\373X\256j\326\230\241\326\31e\343\373\232: Q\241\311j4k\367s*\37\333\330X\321\322\22U\367\235\353\260#\36Z\255\333\337a\367\311\214I\316\270\346\367\204R\232Ue\253\363\214V\313g\332\341\376\4\223&8f\335\323\330\232=z\301Ib\352\250sM\21c\256j\233\243@kc\354\264A\221\254\266Z\305\260\257b\345\314F\323\16a\246%O\340p\13\3\265\372\21\363~\206uL\235\376F\33\366\314\313\276\235\326\26\306n\366e\346\317\311\226\35\21m\17\334\252C\255\355\312\330\327zR\235&j47\336\202|\366com\267\233\245\355\324\24\233\342L\263\37\310W\2624\331\304\32\12\32\376u)8\5M\235\2519n5s\375\2\265\357\227\33`\302\223\344\227\255", ) == 0x0 01559 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "o\0p\0e\0r\0a\0t\0i\0o\0n\0 \0a\0r\0g\0u\0m\0e\0n\0t\0\34\0S\0t\0i\0l\0l\0 \0e\0x\0e\0c\0u\0t\0i\0n\0g\0 \0l\0a\0s\0t\0 \0r\0e\0q\0u\0e\0s\0t\0,\0T\0h\0i\0s\0 \0c\0a\0l\0l\0 \0i\0s\0 \0n\0o\0t\0 \0v\0a\0l\0i\0d\0 \0f\0o\0r\0 \0a\0n\0 \0F\0T\0P\0 \0c\0o\0n\0n\0e\0c\0t\0i\0o\0n\0\0\0\16\0O\0u\0t\0 \0o\0f\0 \0h\0a\0n\0d\0l\0e\0s\0\7\0T\0i\0m\0e\0o\0u\0t\0\16\0E\0x\0t\0e\0n\0d\0e\0d\0 \0e\0r\0r\0o\0r\0\16\0I\0n\0t\0e\0r\0n\0a\0l\0 \0e\0r\0r\0o\0r\0\13\0I\0n\0v\0a\0l\0i\0d\0 \0U\0R\0L\0\23\0U\0n\0r\0e\0c\0o\0g\0n\0i\0z\0e\0d\0 \0s\0c\0h\0e\0m\0e\0\21\0N\0a\0m\0e\0 \0n\0o\0t\0 \0r\0e\0s\0o\0l\0v\0e\0d\0\22\0P\0r\0o\0t\0o\0c\0o\0l\0 \0n\0o\0t\0 \0f\0o\0u\0n\0d\0\16\0I\0n\0v\0a\0l\0i\0d\0 \0o\0p\0t\0i\0o\0n\0\0\0\0\0\0\0\21\0B\0a\0d\0 \0o\0p\0t\0i\0o\0n\0 \0l\0e\0n\0g\0t\0", 14522, 0x0, 0, ... {status=0x0, info=14522}, ) , 14522, 0x0, 0, ... {status=0x0, info=14522}, ) == 0x0 01560 416 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01561 416 NtClose (12, ... ) == 0x0 01562 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pac.txt"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01563 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\pac.txt"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01564 416 NtClose (-2147482020, ... ) == 0x0 01563 416 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01565 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01566 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\14\10\0\200", ) , ) == 0x0 01567 416 NtReadFile (176, 0, 0, 0, 2060, 0x0, 0, ... {status=0x0, info=2060}, (176, 0, 0, 0, 2060, 0x0, 0, ... {status=0x0, info=2060}, "\355\323\333N^E\30\6\340\250-mLl\265\33\232\326\322}\244\11\26\272C\272\21^\265b*H7ZS\21(\10\5\354\206\2\251\320\226\237\302\35\364\2<\360\22<\321s\275+=\323\231\377'\215G^\3013\311Zkf\255\231of\2765\317\211\236\257\223\347\253Yx\236\364\257\215\345\310\342\334\271\341\271$\273\223G\311\275\316\247\311\207i\226\357\313\325ys\246\263<:\36'\323\311Gs9\227\221\221\344@\253G..\257'\233\311\302\241\336,&/\223\341\265\364y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0", ) y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0", ) == 0x0 01425 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0j|\0\0T|\0\0D|\0\0X}\0\0@}\0\0.}\0\0\36}\0\0\14}\0\0\0}\0\0\240~\0\0\360|\0\08|\0\0*|\0\0\30|\0\0\12|\0\0\2|\0\0\362{\0\0\340{\0\0\320{\0\0\276{\0\0\260{\0\0\240{\0\0\224{\0\0\210{\0\0|{\0\0v|\0\0\0\0\0\0\330\201\0\0\302\201\0\0\260\201\0\0\0\0\0\0\226\201\0\0\204\201\0\0p\201\0\0\0\0\0\0j\2MulDiv\0\0|\0DeleteFileA\0\311\0FindFirstFileA\0\0\323\0FindNextFileA\0\305\0FindClose\0\20\3SetFilePointer\0\0\253\2ReadFile\0\0\227\3WriteFile\0", ) , ) == 0x0 01426 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ProfileStringA\0\0\234\3WritePrivateProfileStringA\0\0k\2MultiByteToWideChar\0\357\0FreeLibrary\0\230\1GetProcAddress\0\0H\2LoadLibraryA\0\0w\1GetModuleHandleA\0\0\12\3SetErrorMode\0\0R\1GetExitCodeProcess\0\0\205\3WaitForSingleObject\0\356\1GlobalAlloc\0\365\1GlobalFree\0\0\262\0ExpandEnvironmentStringsA\0P\1GetEnvironmentVariableA\0\263\3lstrcmpA\0\0\266\3lstrcmpiA\0.\0CloseHandle\0\24\3SetFileTime\03\0CompareFileTime\0\320\2SearchPathA\0\255\1GetShortPathNameA\0a\1GetFullPathNameA\0\0d\2MoveFileA\0\377\2SetCurrentDirectoryA\0\0V\1GetFileAttributesA\0\0i\1GetLastError\0\0E\0CreateDirectoryA\0\0\16\3Se", ) , ) == 0x0 01427 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "tesA\0\0I\3Sleep\0[\1GetFileSize\0u\1GetModuleFileNameA\0\0\325\1GetTickCount\0\0:\1GetCurrentProcess\0=\0CopyFileA\0\257\0ExitProcess\0\10\1GetCommandLineA\0\351\1GetWindowsDirectoryA\0\0\313\1GetTempPathA\0\0\274\3lstrcpynA\0E\1GetDiskFreeSpaceA\0\0\2GlobalUnlock\0\0\371\1GlobalLock\0\0i\0CreateThread\0\0`\0CreateProcessA\0\0\272\2RemoveDirectoryA\0\0M\0CreateFileA\0\311\1GetTempFileNameA\0\0\277\3lstrlenA\0\0\260\3lstrcatA\0\0\271\1GetSystemDirectoryA\0KERNEL32.dll\0\0\310\0EndPaint\0\0\274\0DrawTextA\0\342\0FillRect\0\0\377\0GetClientRect\0\15\0BeginPaint\0\0\216\0DefWindowProcA\0\0:\2SendMessageA\0\0\223\1InvalidateRect\0\0\304\0", ) , ) == 0x0 01428 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\14\1GetDC\0\277\1LoadImageA\0\0\177\2SetWindowLongA\0\0\21\1GetDlgItem\0\0\255\1IsWindow\0\0\344\0FindWindowExA\0=\2SendMessageTimeoutA\0\325\2wsprintfA\0\221\2ShowWindow\0\0V\2SetForegroundWindow\0\3\2PostQuitMessage\0\205\2SetWindowTextA\0\0y\2SetTimer\0\0\231\0DestroyWindow\0U\0CreateDialogParamA\0\0\341\0ExitWindowsEx\0*\0CharNextA\0\236\0DialogBoxParamA\0\366\0GetClassInfoA\0`\0CreateWindowExA\0\230\2SystemParametersInfoA\0\25\2RegisterClassA\0\0\306\0EndDialog\00\2ScreenToClient\0\0t\1GetWindowRect\0F\2SetClassLongA\0\256\1IsWindowEnabled\0\202\2SetWindowPos\0\0Z\1GetSysColor\0n\1GetWindowLongA\0\0L\2SetCurso", ) , ) == 0x0 01429 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "orA\08\0CheckDlgButton\0\0<\1GetMessagePos\0\267\1LoadBitmapA\0\33\0CallWindowProcA\0\261\1IsWindowVisible\0B\0CloseClipboard\0\0I\2SetClipboardData\0\0\301\0EmptyClipboard\0\0\365\1OpenClipboard\0\243\2TrackPopupMenu\0\0\10\0AppendMenuA\0^\0CreatePopupMenu\0]\1GetSystemMetrics\0\0R\2SetDlgItemTextA\0\23\1GetDlgItemTextA\0\336\1MessageBoxA\0-\0CharPrevA\0\241\0DispatchMessageA\0\0\377\1PeekMessageA\0\0USER32.dll\0\0\16\2SelectObject\0\0<\2SetTextColor\0\0\26\2SetBkMode\0:\0CreateFontIndirectA\0)\0CreateBrushIndirect\0\217\0DeleteObject\0\0k\1GetDeviceCaps\0\25\2SetBkColor\0\0GDI32.dll\0\232\0SHFileOperatio", ) , ) == 0x0 01430 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "xecuteA\0\254\0SHGetFileInfoA\0\0y\0SHBrowseForFolderA\0\0\274\0SHGetPathFromIDListA\0\0\267\0SHGetMalloc\0\303\0SHGetSpecialFolderLocation\0\0SHELL32.dll\0\331\1RegEnumValueA\0\325\1RegEnumKeyA\0\354\1RegQueryValueExA\0\0\371\1RegSetValueExA\0\0\315\1RegCreateKeyExA\0\311\1RegCloseKey\0\322\1RegDeleteValueA\0\320\1RegDeleteKeyA\0\342\1RegOpenKeyExA\0ADVAPI32.dll\0\08\0ImageList_Destroy\04\0ImageList_AddMasked\07\0ImageList_Create\0\0COMCTL32.dll\0\0\20\0CoCreateInstance\0\0\4\1OleUninitialize\0\355\0OleInitialize\0ole32.dll\0\12\0VerQueryValueA\0\0\0\0GetFileVersionInfoA\0\1\0GetFileVersionInfoSizeA\0VE", ) , ) == 0x0 01431 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\240\364B\0m\23@\0\27\@\0\6\0\0\0\\0\0\0%s %s\0\0\0->\0\0\377\377\377\377\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC command line switch\12(NOT RECOMMENDED).\0verifying installer: %d%%\0\0\0Error launching installer\0\0\0... %d%%\0\0\0\0Au_.exe\0SeShutdownPrivilege\0AdjustTokenPrivileges\0\0\0LookupPrivilegeValueA\0\0\0OpenProc", ) , ) == 0x0 01432 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":\0\0\0\0\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177", ) \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/ (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":\0\0\0\0\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177", ) , ) == 0x0 01433 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\3\0\0\0(\0\0\200\5\0\0\0@\0\0\200\16\0\0\0h\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\200\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0i\0\0\0\230\0\0\200j\0\0\0\260\0\0\200o\0\0\0\310\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0g\0\0\0\340\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\370\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0(\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\08\1\0\0H\201\3\0\350\2\0\0\0\0\0\0\0\0\0\00\204\3\0\0\1\0\0\0\0\0\0\0\0\0\00\205\3\0\34\1\0\0\0\0\0\0\0\0\0\0P\206\3\0`\0\0\0\0\0\0\0\0\0\0\0\260\206\3\0\24\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \0\0\0@\0\0\0\1\0\4\0\0\0\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\200\0\0\0\200\200\0\0\0\0\200\0\0\200\200\0\200\0\200\0\200\200\200\0\300\300\300\0\0\377\0\0\377\0\0\0\377\377\0\0\0\0\377\0\0\377\377\0\377\0\377\0\377\377\377\0\0\0\0\0\0\0\0\7w\0\0\0\0\0\0\0\0\0\0\0\0\0\7x\215\335\220\0\0\0\0\0\0x\370\360\0\0\177\217\210\335\231\220\0\0\0\0\0\177\217\200p\7\207\370\375\331\231\210\0\0\0\0\0x\370\360", ) , ) == 0x0 01434 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\177\217\200xw\207\207\370\331\210\213\260\0\0\0\0x\370\360\207xxxp\11\213\273\260\0\0\0\0\177\217\200xw\207\207\0\0\273\270\200\0\0\0\0x\370\360\207x\210\273\0\0xxp\0\0\0\0\177\217\200xx\273\211\260\7\207\207\200\0\0\0\0\177\377\360\207{\270\233\275\377xxp\0\0\0\0\177\377\360xw\211\273\275\370\367\207\0\0\0\0\0\177\377\360\207\207\233\273\335\217\217x\10\210\210\0\0\177\377\360\210\210{\275\335\210\370\360\0\0\210p\0\177\377\360\210\210\7}\335\210\200\7ww\210p\0\177\377\360\210\210\17\367ww\177\377\377\377\377p\0wwp\210\210\7wwwwwwwxp\0wwp\210\210\0\0\0\0\0\0\0\0\0\200\7\377\377\367\10\210\7\210\210\210\210\210\210\210\207\0wwwwp\210\7\377\377\377\377\377\377\377\207\0\0\0\7ww\10\7\360\0\0\0\0\0\17\207\0\0\0\0wwp\7\360\0\0\0\0\0\17\207\0\0\0\0\7\377\377\7\360\0\0\360\17\0\17\207\0\0\0\0\0wwp\360\0\0\360\17\0\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\17\377\360\0\0\17\207\0\0\0\0\0\0\0\7\360\0\377\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\377\377\377\377\377\377\377\207\0\0\0\0\0\0\0\0wwwwwwww\0\377\376\7\377\300\370\1\377\300p\0\377\300 \0\177\300\0\0\177\300\0\0?\300\0\0?\300\0`?\300\0`?\300\0\0?\300\0\0?\300\0\0\3\300\0\0\1\300\0\0\0\300\0\0\0\300\0\0\0\300\0\0\0", ) , ) == 0x0 01435 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\370\0\0\1\374\0\0\1\376\0\0\1\377\0\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\374\0\3\1\0\377\377\0\0\0\0\0\0\0\0H\10\312\200\6\0\0\0\0\0\30\1\242\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\3@\253\0\216\02\0\16\0\3\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\337\0\216\02\0\16\0\1\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\7\0\216\02\0\16\0\2\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\2P\7\0\212\0\13\1\1\0\377\377\377\377\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\2@\7\0\6\0\12\1\202\0\372\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\2X;\0\221\0l\0\10\0\4\4\0\0\377\377\202\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0H\4\0@\5\0\0\0\0\0\12\1\202\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\200P\30\0\12\0\361\0\13\0\354\3\0\0m\0s\0c\0t\0l\0s\0_\0p\0r\0o\0g\0r\0e\0s\0s\03\02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\0\0P\30\0\0\0\361\0\10\0\356\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\5@\201@\0\0\31\0\11\1h\0\370\3\0\0S\0y\0s\0L\0i\0s\0", ) , ) == 0x0 01436 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0P\0\0\0\0\26\0\24\0\7\4\0\0\377\377\202\0\377\377g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\0\0\34\0<\0\16\0\3\4\0\0\377\377\200\0\0\0\0\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0\310\10\0\200\1\0\0\0\0\0\242\0\26\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\1\0\2P\7\0\7\0\224\0\10\0\6\4\0\0\377\377\202\0\0\0\0\0\0\0\1\0\1\0 \20\0\1\0\4\0\350\2\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01437 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\17\11\0\0_6\1\0V\2\0\200\355UAk\23Q\20\236\210\25\223\32DT<\11\257`\21\245,\255B-\1\221\270]1\207$\245\11$\207\34\372\232L\342\222\335}\353\333\267m\342A\242\27=\211\210^\274\10\376\4/^\364\324\203\340\315\253^\374\13\36\324\213m\234\227d\3556\230\352\315\203\35\230\375\346\315\274\371fv\31f\37\2\0K\300@4jsi\12`\232\32092\364\273G\207\376\343I\370\243\364c2t\0\274$\370\322\377{\201\177,\37\251\207\321'\201\251\21F\347\24\351V\2\16\344@\16\344?\26\275\37O\304\366\302x\354\364\204\274c\2443\243;\207\307b\247H\237\320\312\271\229\326*\217\335\347o\23\237h\37E\261\353\204\305C\364x\235\375\276\365\340\335\236X\236p\363"=>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S"W\310\232\302i\240\244\263%\245\220\254\201u\341\372\22\203\300\366Z\254\301\25\237a\246\2202\364\256\230=,\200\362\32X\35\254\207\3"\253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f", ) =>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\17\11\0\0_6\1\0V\2\0\200\355UAk\23Q\20\236\210\25\223\32DT<\11\257`\21\245,\255B-\1\221\270]1\207$\245\11$\207\34\372\232L\342\222\335}\353\333\267m\342A\242\27=\211\210^\274\10\376\4/^\364\324\203\340\315\253^\374\13\36\324\213m\234\227d\3556\230\352\315\203\35\230\375\346\315\274\371fv\31f\37\2\0K\300@4jsi\12`\232\32092\364\273G\207\376\343I\370\243\364c2t\0\274$\370\322\377{\201\177,\37\251\207\321'\201\251\21F\347\24\351V\2\16\344@\16\344?\26\275\37O\304\366\302x\354\364\204\274c\2443\243;\207\307b\247H\237\320\312\271\229\326*\217\335\347o\23\237h\37E\261\353\204\305C\364x\235\375\276\365\340\335\236X\236p\363"=>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S"W\310\232\302i\240\244\263%\245\220\254\201u\341\372\22\203\300\366Z\254\301\25\237a\246\2202\364\256\230=,\200\362\32X\35\254\207\3"\253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f", ) \253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f", ) == 0x0 01438 416 NtReadFile (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353B*]3P\302g\352\26F]se\13o.\235ZE%\273\372\202\6\336\342\2667\307\204L\247r-OH\34dR_\224i\7\203z\6\230!q\271P\340.B\362\327\304?%}E\372#6/o~31\357\367\373M\307\354$\361\350)=\33\343\273:6\213y:W&\314\347m\362\177%\375\11K\2\0\200\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325", ) \233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2 (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353B*]3P\302g\352\26F]se\13o.\235ZE%\273\372\202\6\336\342\2667\307\204L\247r-OH\34dR_\224i\7\203z\6\230!q\271P\340.B\362\327\304?%}E\372#6/o~31\357\367\373M\307\354$\361\350)=\33\343\273:6\213y:W&\314\347m\362\177%\375\11K\2\0\200\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325", ) , ) == 0x0 01439 416 NtReadFile (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "\37\365\221b\205\257\2006\35.\34\247\1\344\371\363\02\340O\27\347\321<\201\220\265\230P\233\7\360\36\204\247\323\342\361\236\27\31\352cZF\266\345g\361\214r{^\220v\206qy\2661\314K\342\202\304\256g;{\374N\367(\360\274\302\36\353Lr\226\24*\241\277\22m6\313n{\341U\355\25\236\201\224\257\260\307\4\213\205\237\13\303\205\244\203\341\13\305\253u\230\230Ep\316i0\34G\253\26\246'\304\251)\271\25\205X\337\210\224\240\352\226\320\314\337%r\11\375R\321\1\207G\0m\14\230\333\371\236\10P"\1d"\21M\331\271E\4|\241\350\1\37q\300D\221\364\215"i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! \232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346", ) \1d (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "\37\365\221b\205\257\2006\35.\34\247\1\344\371\363\02\340O\27\347\321<\201\220\265\230P\233\7\360\36\204\247\323\342\361\236\27\31\352cZF\266\345g\361\214r{^\220v\206qy\2661\314K\342\202\304\256g;{\374N\367(\360\274\302\36\353Lr\226\24*\241\277\22m6\313n{\341U\355\25\236\201\224\257\260\307\4\213\205\237\13\303\205\244\203\341\13\305\253u\230\230Ep\316i0\34G\253\26\246'\304\251)\271\25\205X\337\210\224\240\352\226\320\314\337%r\11\375R\321\1\207G\0m\14\230\333\371\236\10P"\1d"\21M\331\271E\4|\241\350\1\37q\300D\221\364\215"i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! \232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346", ) i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! \232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346", ) == 0x0 01440 416 NtReadFile (176, 0, 0, 0, 13403, 0x0, 0, ... {status=0x0, info=13403}, (176, 0, 0, 0, 13403, 0x0, 0, ... {status=0x0, info=13403}, "\360\322Wg\35k\177,y\340\33Hc\313\220uz\30Y\331;h{\244\255\207\333\0\275w@\213\201\331E\306d\343\210|H_\245d\11\204<\234\220%e\24\332\22i\256\24\360\11hb.\20\242d\203\12EC\220\36\332\215N\326\232\2202\317\0yD\362\12\225\364$J\242!#\244@K*((A\11\4\323J?\37\237`\210\213\15\357\35\33\27\2332\310\20\36\21\21\225\230\22\25\31b\10\316\354\316\322\6\373>\220v-\33\2634B\242\30B\3\306"\203\341#\213b8j\372\370\337?\201\262\25\2662\327\3019.e\257\202\334g\273\226\225\271\234\115\334\311\231\24\3223\264,\350C\217\217\326\371lo\326\370\205K\311\27\307\=\212\367\370\350\354o^/\22\367~\250x\344\345[\363\325s\203w\236\370\376\267Y\37.\257~\245\313\217\223S\375\212G\216\377|t\363\207\237\245\376\326}c\352\320E\372\207=3\232\245\226\5\35\33\275\340\\307\324^\347\216\7\272O\247v-x\257\252_\337\37~\342;n\36\270dJ\207e\2713\253\373\366ykd\325Z\352\\275W\3173U\354RW\320;]\3\225p\203qq\315\226\315p\227N\377P\372\347\304s\33\356o\232P\357^\277P\34\335i\303\363\301\337\314\13\310\236\375(\344\25\335\353\203\337\3168\326l]\351\375\355{\3\267\1771p\311(\317\214\250\317V\275{\211\234\352\336\361\353\242\236\372\231\356\353&y\265\230\37\30q\347\367\26\375\3167zm\251_n\352#o\362\255c\263W|\243/\\326cr\372k\373n\370\214~{\375\341\341\31\275\305\205\13:b\213;\316\236\363 \313\263\363\257\247\37\200\376\236\200\277\224ks\227O\232\275})\342v\207?\243S\247\317>\26=\253\242\313O\201\303\376\367)\361&", ) \203\341#\213b8j\372\370\337?\201\262\25\2662\327\3019.e\257\202\334g\273\226\225\271\234\115\334\311\231\24\3223\264,\350C\217\217\326\371lo\326\370\205K\311\27\307\=\212\367\370\350\354o^/\22\367~\250x\344\345[\363\325s\203w\236\370\376\267Y\37.\257~\245\313\217\223S\375\212G\216\377|t\363\207\237\245\376\326}c\352\320E\372\207=3\232\245\226\5\35\33\275\340\\307\324^\347\216\7\272O\247v-x\257\252_\337\37~\342;n\36\270dJ\207e\2713\253\373\366ykd\325Z\352\\275W\3173U\354RW\320;]\3\225p\203qq\315\226\315p\227N\377P\372\347\304s\33\356o\232P\357^\277P\34\335i\303\363\301\337\314\13\310\236\375(\344\25\335\353\203\337\3168\326l]\351\375\355{\3\267\1771p\311(\317\214\250\317V\275{\211\234\352\336\361\353\242\236\372\231\356\353&y\265\230\37\30q\347\367\26\375\3167zm\251_n\352#o\362\255c\263W|\243/\\326cr\372k\373n\370\214~{\375\341\341\31\275\305\205\13:b\213;\316\236\363 \313\263\363\257\247\37\200\376\236\200\277\224ks\227O\232\275})\342v\207?\243S\247\317>\26=\253\242\313O\201\303\376\367)\361&", ) == 0x0 01441 416 NtSetInformationFile (176, 1244620, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01442 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "&\225\344\351", ) , ) == 0x0 01443 416 NtSetInformationFile (176, 1244620, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01444 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "V\2\0\200", ) , ) == 0x0 01445 416 NtReadFile (176, 0, 0, 0, 598, 0x0, 0, ... {status=0x0, info=598}, (176, 0, 0, 0, 598, 0x0, 0, ... {status=0x0, info=598}, "\355UAk\23Q\20\236\210\25\223\32DT<\11\257`\21\245,\255B-\1\221\270]1\207$\245\11$\207\34\372\232L\342\222\335}\353\333\267m\342A\242\27=\211\210^\274\10\376\4/^\364\324\203\340\315\253^\374\13\36\324\213m\234\227d\3556\230\352\315\203\35\230\375\346\315\274\371fv\31f\37\2\0K\300@4jsi\12`\232\32092\364\273G\207\376\343I\370\243\364c2t\0\274$\370\322\377{\201\177,\37\251\207\321'\201\251\21F\347\24\351V\2\16\344@\16\344?\26\275\37O\304\366\302x\354\364\204\274c\2443\243;\207\307b\247H\237\320\312\271\229\326*\217\335\347o\23\237h\37E\261\353\204\305C\364x\235\375\276\365\340\335\236X\236p\363"=>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S"W\310\232\302i\240\244\263%\245\220\254\201u\341\372\22\203\300\366Z\254\301\25\237a\246\2202\364\256\230=,\200\362\32X\35\254\207\3"\253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f:\266\277.\270l\214\332\22>z\232j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353", ) =>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S (176, 0, 0, 0, 598, 0x0, 0, ... {status=0x0, info=598}, "\355UAk\23Q\20\236\210\25\223\32DT<\11\257`\21\245,\255B-\1\221\270]1\207$\245\11$\207\34\372\232L\342\222\335}\353\333\267m\342A\242\27=\211\210^\274\10\376\4/^\364\324\203\340\315\253^\374\13\36\324\213m\234\227d\3556\230\352\315\203\35\230\375\346\315\274\371fv\31f\37\2\0K\300@4jsi\12`\232\32092\364\273G\207\376\343I\370\243\364c2t\0\274$\370\322\377{\201\177,\37\251\207\321'\201\251\21F\347\24\351V\2\16\344@\16\344?\26\275\37O\304\366\302x\354\364\204\274c\2443\243;\207\307b\247H\237\320\312\271\229\326*\217\335\347o\23\237h\37E\261\353\204\305C\364x\235\375\276\365\340\335\236X\236p\363"=>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S"W\310\232\302i\240\244\263%\245\220\254\201u\341\372\22\203\300\366Z\254\301\25\237a\246\2202\364\256\230=,\200\362\32X\35\254\207\3"\253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f:\266\277.\270l\214\332\22>z\232j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353", ) \253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f:\266\277.\270l\214\332\22>z\232j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353", ) == 0x0 01446 416 NtQueryInformationFile (176, 1244628, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01447 416 NtSetInformationFile (176, 1244628, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01448 416 NtQueryDefaultUILanguage (1244676, ... 01449 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01450 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01451 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01452 416 NtClose (-2147482020, ... ) == 0x0 01453 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01454 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01456 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 416 NtClose (-2147482032, ... ) == 0x0 01458 416 NtClose (-2147482020, ... ) == 0x0 01448 416 NtQueryDefaultUILanguage ... ) == 0x0 01459 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01460 416 NtUserFindExistingCursorIcon (1244008, 1244024, 1244592, ... ) == 0x0 01461 416 NtQueryDefaultLocale (1, 1243692, ... ) == 0x0 01462 416 NtQueryDefaultLocale (1, 1243708, ... ) == 0x0 01463 416 NtUserGetDC (0, ... ) == 0x1010052 01464 416 NtGdiCreateCompatibleBitmap (16842834, 32, 32, ... ) == 0x8050407 01465 416 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01466 416 NtGdiSelectBitmap (335610822, 134546439, ... ) == 0x185000f 01467 416 NtGdiGetDCforBitmap (134546439, ... ) == 0x140103c6 01468 416 NtGdiSaveDC (335610822, ... ) == 0x1 01469 416 NtGdiSelectBitmap (335610822, 134546439, ... ) == 0x8050407 01470 416 NtGdiGetDCObject (335610822, 524288, ... ) == 0x188000b 01471 416 NtUserSelectPalette (335610822, 25690123, 0, ... ) == 0x188000b 01472 416 NtGdiSetDIBitsToDeviceInternal (335610822, 0, 0, 32, 32, 0, 0, 0, 32, 4424112, 1406656, 0, 512, 104, 1, 0, ... ) == 0x20 01473 416 NtUserSelectPalette (335610822, 25690123, 0, ... ) == 0x188000b 01474 416 NtGdiSelectBitmap (335610822, 134546439, ... ) == 0x8050407 01475 416 NtGdiRestoreDC (335610822, -1, ... ) == 0x1 01476 416 NtGdiSelectBitmap (335610822, 25493519, ... ) == 0x8050407 01477 416 NtUserGetDC (0, ... ) == 0x1010052 01478 416 NtGdiCreateDIBitmapInternal (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x7050405 01479 416 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01480 416 NtGdiSelectBitmap (335610822, 117769221, ... ) == 0x185000f 01481 416 NtGdiGetDCforBitmap (117769221, ... ) == 0x140103c6 01482 416 NtGdiSaveDC (335610822, ... ) == 0x1 01483 416 NtGdiSelectBitmap (335610822, 117769221, ... ) == 0x7050405 01484 416 NtGdiGetDCObject (335610822, 524288, ... ) == 0x188000b 01485 416 NtUserSelectPalette (335610822, 25690123, 0, ... ) == 0x188000b 01486 416 NtGdiSetDIBitsToDeviceInternal (335610822, 0, 0, 32, 64, 0, 0, 0, 64, 4424496, 1406656, 0, 256, 48, 1, 0, ... ) == 0x40 01487 416 NtUserSelectPalette (335610822, 25690123, 0, ... ) == 0x188000b 01488 416 NtGdiSelectBitmap (335610822, 117769221, ... ) == 0x7050405 01489 416 NtGdiRestoreDC (335610822, -1, ... ) == 0x1 01490 416 NtGdiSelectBitmap (335610822, 25493519, ... ) == 0x7050405 01491 416 NtGdiCreateCompatibleDC (335610822, ... ) == 0x8010406 01492 416 NtGdiExtGetObjectW (117769221, 24, 1243236, ... ) == 0x18 01493 416 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xa0503da 01494 416 NtGdiSelectBitmap (335610822, 117769221, ... ) == 0x185000f 01495 416 NtGdiSelectBitmap (134284294, 168100826, ... ) == 0x185000f 01496 416 NtGdiBitBlt (134284294, 0, 0, 32, 64, 335610822, 0, 0, 13369376, -1, 0, ... ) == 0x1 01497 416 NtGdiSelectBitmap (335610822, 25493519, ... ) == 0x7050405 01498 416 NtGdiSelectBitmap (134284294, 25493519, ... ) == 0xa0503da 01499 416 NtGdiDeleteObjectApp (117769221, ... ) == 0x1 01500 416 NtGdiDeleteObjectApp (134284294, ... ) == 0x1 01501 416 NtUserCallOneParam (0, 33, ... ) == 0x20091 01502 416 NtUserSetCursorIconData (131217, 1243288, 1243304, 1243884, ... ) == 0x1 01503 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242240, ... ) }, 1242240, ... ) == 0x0 01504 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01505 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 172, ... 180, ) == 0x0 01506 416 NtClose (172, ... ) == 0x0 01507 416 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x990000), 0x0, 262144, ) == 0x0 01508 416 NtClose (180, ... ) == 0x0 01509 416 NtUnmapViewOfSection (-1, 0x990000, ... ) == 0x0 01510 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01511 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01512 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01513 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01514 416 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\WINDOWS\System32"}, 3, 33, ... 180, {status=0x0, info=1}, ) }, 3, 33, ... 180, {status=0x0, info=1}, ) == 0x0 01515 416 NtQueryVolumeInformationFile (180, 1244076, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01516 416 NtClose (12, ... ) == 0x0 01517 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01518 416 NtClose (12, ... ) == 0x0 01519 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp\xOe"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01520 416 NtClose (12, ... ) == 0x0 01521 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01522 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01523 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp\xOe\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0 01524 416 NtQueryDirectoryFile (12, 0, 0, 0, 1242836, 616, BothDirectory, 1, (12, 0, 0, 0, 1242836, 616, BothDirectory, 1, "slPen.log", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 01525 416 NtClose (12, ... ) == 0x0 01526 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01527 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01528 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.DEP"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01529 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.DEP"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01530 416 NtClose (-2147482020, ... ) == 0x0 01529 416 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01531 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01532 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "K\2\0\200", ) , ) == 0x0 01533 416 NtReadFile (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, "\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325\214\224\276\247S.vFJ%7\7\332\224\320\327)%\370\325)\243#\316)\207U\316"m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) \233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2 (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, "\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325\214\224\276\247S.vFJ%7\7\332\224\320\327)%\370\325)\243#\316)\207U\316"m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) == 0x0 01534 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\15\12; Dependency file for setup wizards.\15\12\15\12[Version]\15\12Version=6.0.81.69\15\12\15\12; Default Dependencies ----------------------------------------------\15\12\15\12[MSInet.ocx]\15\12Dest=$(WinSysPath)\15\12Register=$(DLLSelfRegister)\15\12Version=6.0.81.69\15\12Uses1=ComCat.dll\15\12Uses2=\15\12CABFileName=MSInet.cab\15\12CABDefaultURL=http://activex.microsoft.com/controls/vb6\15\12CABINFFile=MSInet.inf\15\12\15\12[ComCat.dll]\15\12Dest=$(WinSysPathSysFile)\15\12Register=$(DLLSelfRegister)\15\12Uses1=\15\12\15\12; Localized Dependencies ----------------------------------", 2407, 0x0, 0, ... {status=0x0, info=2407}, ) , 2407, 0x0, 0, ... {status=0x0, info=2407}, ) == 0x0 01535 416 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01536 416 NtClose (12, ... ) == 0x0 01537 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.oca"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01538 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.oca"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01539 416 NtClose (-2147482020, ... ) == 0x0 01538 416 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01540 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01541 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "$(\0\200", ) , ) == 0x0 01542 416 NtReadFile (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, "\355}\17x\224\325\231\357\231$\344\377_\22\371\243Q>\4\5\225\304\17\11\22\220\352\4\2\6\15\20Ip\20Q2\314|IF'3\343\314\204\4\313n\323>leo\322J\325\333\313\355\372\334u}\274\312*\325\264\245\327X\331\26\25-UT\254\330e\273T\321EE\253-ui\27[\252\367\367\276\347|\337w\276I\202n\367\336\347\331\336\313\350\313\314w\316\357\234\367\374y\317{\336\363~\347\234,_\273Md\13!r@\237~*\304\260\220\37\277\370\354O?\250t\312\17J\305\256\202\27\247\16\373\232_\234\332\326\25I\31\211d\2743\31\3546B\301X,\23666XF\262'fDbF\343\312V\243;\36\266jKJ\12\247\253
\316\215\200\367F\227\227Mm\27\253\270\222\255\216\240\231e_\306:\353\206Q\267\377Sl}\270:\7e\334M\234\256\237\355\316\206\362=to\25\353\355\357\31T\271(\253\245\340A\200\352\355\254\367\254\250\242\350z\211\305\6\340\354+(\255\310/\313\304N\2\324\21d\252r)\262\240\306\30\7\257\356\357\264\a\3\257\15gd\251\222\323bM\263\325h|\243\3313\350j\200\311k\333\353\257-O\323l\260\271\323\321\330G1fKl\361\14e\255{.>v6ie\350\255\354\366\255\212\32dss\266\266-,\353V\344PS\343\34\351&\37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132:"Q\353L\363\374\177\361!\335\353c=\352#\225\320_\17*\224\352\246_\217\227\10\350\3111\302\373F\11\247\17\251\325!\350\244&L4C9#\371\332\270m\240\223s\204X\23vqy\242M\334\0\216KD\263X\6us\3317\244\312\272\262\342\325k~t\354\353+\36K\233\217O|\334\34jz\312'\366l\3326\227\322\34\3\325+\276;\24\257/\326\325/\231;\377\262\371f\315\374\372z\263f\366\354", ) \37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132: (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, "\355}\17x\224\325\231\357\231$\344\377_\22\371\243Q>\4\5\225\304\17\11\22\220\352\4\2\6\15\20Ip\20Q2\314|IF'3\343\314\204\4\313n\323>leo\322J\325\333\313\355\372\334u}\274\312*\325\264\245\327X\331\26\25-UT\254\330e\273T\321EE\253-ui\27[\252\367\367\276\347|\337w\276I\202n\367\336\347\331\336\313\350\313\314w\316\357\234\367\374y\317{\336\363~\347\234,_\273Md\13!r@\237~*\304\260\220\37\277\370\354O?\250t\312\17J\305\256\202\27\247\16\373\232_\234\332\326\25I\31\211d\2743\31\3546B\301X,\23666XF\262'fDbF\343\312V\243;\36\266jKJ\12\247\253 , ) , ) == 0x0 01556 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\0\0\0\203\304\14\205\300t\25\213F\4\205\300t\16\213\10WP\377Q\30\213\330\367\333\33\333C\205\333u4\201\177\4\4\1\0\0\213/u\33U\377v\10\377\25\240\21L#\205\300u\15j\5\377v\10\377\25`\21L#\211\7W\377v\10\377\25\220\21L#\213\330\211/3\300\205\333\17\224\300\351\354\376\377\377j\20\377\3253\311f\205\300\17\234\301Qj\0\377v\10\377\25\224\21L#\205\300t\240j\1Pj(\377v\10\377\25(\21L#\213\330\353\216U\213\354VWj\0j\0h\207\0\0\0\377u\10\377\25(\21L#\250\6uJ\213E\14;E\10t\14P\211E\14\377\25\304\21L#\353\357\377u\20\2135`\21L#\377u\14\377\326\213\370\205\377t\33j\360W\377\25T\21L#%\0\0\1\30=\0\0\1\20t\15\377u\20W\353\335j\1X_^]\3033\300\353\370U\213\354Q\215E\374\307E\374\1@\0\200P\213E\10\377u\14hf\4\0\0\377p\10\377\25(\21L#\213E\374\311\302\10\0SV\213\361W\203~\34\0\17\205\235\0\0\0\213F j\5\213\4\305\14!M#\17\267@\30P\350\340\1\0\0P\377\25\4\21L#\205\300t`P\213\316\350\315\1\0\0P\377\25\0\21L#\205\300tMP\377\25\374\20L#\213\330\205\333t@\277\30 M#W\377\25\200\20L#j\0hS\367L#\2115\264(M#\350\274\4\0\0PS\3775\10 M#\377\25\250\21L#\203%\264(M#\0W\377\25`\20L#\203~\34\0u\34\2135\234\20L#\377\326\205\300t\20\377\326%\377\377\0\0\15\0\0\7\200_^[\3033\300\353\370QV\213\361W\366F(\1t\32\213F\34\205\300t\23\215L$\10Qj\0hg\4\0\0P\377", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01557 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\0\200@\0\0\0\220\04\0\11\4\35\0\0\0\0\0$\0\36\0\31\0\31\200@\0\0\0\224\0L\0\21D\37\0\1\0\0\0\20\0\0\0\254\20\0\0\12\0\0\0$\0\37\0\31\0\31\200@\0\0\0\230\0D\0!\4\36\0\1\0\0\0\10\0\10\200\377\377\377\377\1\0\0\0\23\0\0\0\23\0\0\0\1\0\0\0\1\0\0\0\2\0\0\0\2\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\10\0\0\0\11\0\0\0\11\0\0\0\30\0\0\0\30\0\0\0\12\0\0\0\12\0\0\0\16\0\0\0\16\0\0\0\24\0\0\0\24\0\0\0\25\0\0\0\25\0\0\0\32\0\0\0\32\0\0\0\26\0\0\0\21\0\0\0\22\0\0\0\27\0\0\0\31\0\0\0\330\375\377\377\0\0\0\0\0\0\0\0\270\17\0\0\270\17\0\0\314\17\0\0\314\17\0\0\344\17\0\0\344\17\0\0\374\17\0\0(\20\0\0P\20\0\0|\20\0\0\254\20\0\0\254\20\0\0\274\20\0\0\274\20\0\0\340\20\0\0\340\20\0\0\364\20\0\0\364\20\0\0\34\21\0\0\34\21\0\00\21\0\00\21\0\0D\21\0\0D\21\0\0t\21\0\0\260\21\0\0\14\22\0\0 \22\0\0D\22\0\0p\22\0\0\204\22\0\0\204\22\0\0\0\0\0\0<\0\0\0x\0\0\0\264\0\0\0\360\0\0\0,\1\0\0h\1\0\0\244\1\0\0\340\1\0\0\34\2\0\0X\2\0\0\224\2\0\0\320\2\0\0\14\3\0\0H\3\0\0\204\3\0\0\300\3\0\0\374\3\0\08\4\0\0t\4\0\0\260\4\0\0\354\4\0\0(\5\0\0d\5\0\0\240\5\0\0\364\5\0\0T\6\0\0\204\6\0\0\330\6\0\0 \7\0\08\7\0\0\\7\0\0<\0\0\0<\0\0\0\30\0\0\200\0\0\0\0\0\0D\0\14\4\0\0\1\0", 7540, 0x0, 0, ... {status=0x0, info=7540}, ) , 7540, 0x0, 0, ... {status=0x0, info=7540}, ) == 0x0 01558 416 NtReadFile (176, 0, 0, 0, 8397, 0x0, 0, ... {status=0x0, info=8397}, (176, 0, 0, 0, 8397, 0x0, 0, ... {status=0x0, info=8397}, "f\12\276\215\260A\264 \325\366\214&,\261\225\275Y\202\271*\32\2278\254\35\234\31e\303F\314hd4a\2066\27\333\321XQ[\31\207\255t\33r\26e\317\331\336\352m-\260X\315\346e\273\227\335\304&so\226%\2522\243\177\23\207=0\333\273>\16R\323,7@\325\227"\23\316\215\200\367F\227\227Mm\27\253\270\222\255\216\240\231e_\306:\353\206Q\267\377Sl}\270:\7e\334M\234\256\237\355\316\206\362=to\25\353\355\357\31T\271(\253\245\340A\200\352\355\254\367\254\250\242\350z\211\305\6\340\354+(\255\310/\313\304N\2\324\21d\252r)\262\240\306\30\7\257\356\357\264\a\3\257\15gd\251\222\323bM\263\325h|\243\3313\350j\200\311k\333\353\257-O\323l\260\271\323\321\330G1fKl\361\14e\255{.>v6ie\350\255\354\366\255\212\32dss\266\266-,\353V\344PS\343\34\351&\37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132:"Q\353L\363\374\177\361!\335\353c=\352#\225\320_\17*\224\352\246_\217\227\10\350\3111\302\373F\11\247\17\251\325!\350\244&L4C9#\371\332\270m\240\223s\204X\23vqy\242M\334\0\216KD\263X\6us\3317\244\312\272\262\342\325k~t\354\353+\36K\233\217O|\334\34jz\312'\366l\3326\227\322\34\3\325+\276;\24\257/\326\325/\231;\377\262\371f\315\374\372z\263f\366\354", ) , ) == 0x0 01543 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\5\0\34780F\0\0\0\0\0\0\0\0\340\0\216\241\13\1\4\0\0\20\0\0\0\0\0\0\0\20\0\0\0\20\0\0\0\20\0\0\0 \0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\24\0\0\0\00\0\0Ph\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\20\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.bss\0\0\0\0\0\20\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rsrc\0\0\0\0p\0\0\00\0\0\0j\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.ida", 29184, 0x0, 0, ... {status=0x0, info=29184}, ) , 29184, 0x0, 0, ... {status=0x0, info=29184}, ) == 0x0 01544 416 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01545 416 NtClose (12, ... ) == 0x0 01546 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.OCX"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.OCX"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01548 416 NtClose (-2147482020, ... ) == 0x0 01547 416 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01549 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01550 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\315\340\0\200", ) , ) == 0x0 01551 416 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\354\375\13xTE\2667\214\357N:I\3\15\335@\202A\202\266&(G@[\3\232\30\320\6\222\30$\301N\2\11\214\334b.tbLb\262\33P\1\303t\202\264\233Vtt\2069G\35/\3500\243\343\340\210\212\312@\20\206\213\242\342\35\7T\234A\3556\214F\315@\320H\177\277\265\252v\367\356\0\316\234\363\275\357\373\377?\317\367\6\252\367\336U\253\356U\253V\255ZkU\321\317\326*\361\212\242\230\341\302aE\331\254\210?\227\362\257\377Z\341\6\235\373\322 eS\277\327\317\333l*|\375\274\231\236\332\26GSs\343\242\346\212\233\34\225\25\15\15\215\252\343\206jG\263\267\301Q\333\340\310\275\256\324qScU\365\305\3\7\366\317\220i\270\363\24\245\320dV\322K\375\23\350{\276EQ\16+q\351\3L\11q\212\305\244(\17\11\270\336!\370\261\223\203\237R\230\316\357q\242\334\212\22}*\373M\374\261{C\34\5\213Hv\343S \36\340]\223\263bl\363\227\341\305\31\261\324\224\257&\3K\370X\230}\234#\264\15 (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K\334L\270\33\340\32\340\332\340\326\3029\3406\301\355\203\373\30\356(\\17\\177\340\267ap\27\300]\16W\107\33\256\12\256", ) \334L\270\33\340\32\340\332\340\326\3029\3406\301\355\203\373\30\356(\\17\\177\340\267ap\27\300]\16W\107\33\256\12\256", ) == 0x0 01552 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\4\0#S\2115\0\0\0\0^\10\0\0\340\0\2#\13\1\5\2\0\10\1\0\0\236\0\0\0\0\0\0\374\22\0\0\0\20\0\0\0\20\1\0\0\0L#\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\1\0\0\4\0\0\307\250\2\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\200d\0\0\301\0\0\0@\7\1\0\366\0\0\0\00\1\0\314\177\0\0\0\0\0\0\0\0\0\0\20\255\1\08\24\0\0\0\260\1\0`\23\0\0@\6\1\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\374\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\16\6\1\0\0\20\0\0\0\10\1\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\274\10\0\0\0 \1\0\0\12\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\0\334\177\0\0\00\1\0\0\200\0\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rel", 30545, 0x0, 0, ... {status=0x0, info=30545}, ) , 30545, 0x0, 0, ... {status=0x0, info=30545}, ) == 0x0 01553 416 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\201mP\325x-X\372\4J\347c\23\272\317\322/\253g\331\3351\335\350\277J\363\275\313\20\357rw\332\332\272\342X2,\6&t\20\236\223hrA\264\235\230\265<\301\16\323\4;L\23,\310\342\227\250XZ\35\266(\226\5\376\227i\260\253\27\23\322>\7Q\307\235\304\25\16@\323\361dM\237\3614c\351R]@\331\22\232\36&\301\362\345i\26!\214Cc\203Z\306\326\366\211\240\304\245f[\33\335\257\213\2661\`\25p\262xF\323\375De\273Q\362\347\234b2\303V\207[\237\311\344\225y\14\253\16\350\2759\350\2322\331\263\262\4\331\34\7\201\20*?I\242\27O\201\240\330\314\254\34\12\210Y\234B\17\223RQ^\6\32`#5\300Fj\200\315\241\242pDjD\353\11\cr\7\377\372\13t\237\326\5T\201\265\256L\210\331\266f\\11c\355\215\266\16\365\334\211\16u\304\304\212eC&\336z\373 \333\326\16_\320\261\332t\347d\323\344\316\277\341\13\206\351\377LY+\352\331T\325YV+\346\314\277f\345\362\261\26\214\336\343\3142\33\217\22\355\247\22\355\247\22\35@\340D\12d\355\245\274\\4v`\17\211\220=\230\14\300d`\257\5xp\200A=@\237\203\30^\367l\320G\223m\315s\264\317\361\2\264+\300\243\344'@\357$P\37\241n\37\311\255\354\341\2278\265\321\327\23\277\242\37\320\234\355\256\347\250 4\2\24\317\357h\4\374\16# t\202l\2223\306\217+\367:\202O\334\313m\206\6\363\324\13:\207[\255&^\11\331P\375\340\252h\270\7\341\235\37\7\274c\31\365\7\362&\206.\244\347\263\264u\223g\35 \325\265x\271r\240\247\205\375\347\262\345\3\4q\25\372\200(Fadly/l\362\23\7^\273\33\31\370\36c\356\0I", ) , ) == 0x0 01554 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\203\243\330\23\0\0\277j\4\213\313\350S\246\377\377\213\203\320\23\0\0\215\263\320\23\0\03\377;\307t\20PW\37750 M#\377\25l\20L#\211>\213\203\324\23\0\0\215\263\324\23\0\0;\307\17\204\360\2\0\0PW\37750 M#\377\25l\20L#\211>\351\333\2\0\0=\10@\0\0\17\205A\4\0\0\213E\24f\307E\340\10\0\215u\340\213\0\211E\350\3514\377\377\377\17\267E\34j\4\203\350\10_\211\2734\1\0\0t.HH\17\204\36\2\0\0-\376?\0\0t\37\213\3j\0j\1h\260\213\0\0h\260\213\12\200S\377\220\240\0\0\0\211E\10\351K\377\377\377f\203}\34\10\17\205\240\0\0\0\215u\34\213F\10\205\300\17\204\337\1\0\0P\377\25\214\22L#\205\300\17\204\320\1\0\0\377v\10\377\25t\20L#\215|\0\2\215\2150\377\377\377W\350p\225\377\3773\300PPW\377\2650\377\377\377j\377\377v\10PP\377\25p\20L#\213\2050\377\377\3773\366;\306\211E\10uY\213\3VVj\7h\7\0\12\200S\377\220\240\0\0\09\2650\377\377\377\211E\10\17\204\302\376\377\377\366E\254\1\17\204\270\376\377\377\377\2650\377\377\377V\37750 M#\377\25l\20L#\351\240\376\377\377\213E$f\307E\260\10\0\215u\260\213\0\211E\270\351M\377\377\377P\377\25\254\20L#\213\370\215G\1P\350\332\223\377\377Y\213\360\377u\10\211u\374V\377\25\250\20L#\200$7\0\212\6\213\316\204\300t\37< t\33, 29641, 0x0, 0, ... {status=0x0, info=29641}, ) , 29641, 0x0, 0, ... {status=0x0, info=29641}, ) == 0x0 01555 416 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K , ) \3\302e\2465\35\23v,\6K"\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=" , ) \376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267 (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K"\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=" 216 "\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=" 23 346 Q\253\337&\355\267\223\251\276\236\314\326\366\266\366\211V\310\34\354/\267\271\271\363GG\327J\345N\322\373\354\275\272\332\305\375[Q\366\344\223\372x\225\27\255\366\322x\3631}\245\254f\276\326\216\245\253\177\263Q\322:PC\345\237V\266\3277J*\262\253Q\252\275}\365\305\310V\274\321\274\232-\377\254-S\231\371sW\351\263|\272\371\376l\16\214\217\315\347\257\262\233tdy1\363\243\271\321{\2525{)\3\213G\222k\203)\353:Y\323\374U\11R'\274\226\335\347\223\303\345G=\250\335\216\226\251\263\272^\363]\2e\317\375\356\216\345\14\" , ) , ) == 0x0 01568 416 NtWriteFile (12, 0, 0, 0, " (12, 0, 0, 0, ""/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01569 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01570 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "???????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01571 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \15\12 (12, 0, 0, 0, "????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01572 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \15\12 (12, 0, 0, 0, "C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01573 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "??\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \15\12 (12, 0, 0, 0, "??\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01574 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \15\12 (12, 0, 0, 0, "#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01575 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi?", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01576 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35", 17456, 0x0, 0, ... {status=0x0, info=17456}, ) , 17456, 0x0, 0, ... {status=0x0, info=17456}, ) == 0x0 01577 416 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01578 416 NtClose (12, ... ) == 0x0 01579 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01580 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01581 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01582 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01583 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01584 416 NtClose (12, ... ) == 0x0 01585 416 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\WINDOWS\System32\vMW03a"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 01586 416 NtQueryVolumeInformationFile (12, 1244076, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01587 416 NtClose (180, ... ) == 0x0 01588 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01590 416 NtClose (-2147482020, ... ) == 0x0 01589 416 NtCreateFile ... 180, {status=0x0, info=2}, ) == 0x0 01591 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01592 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\211 \0\200", ) , ) == 0x0 01593 416 NtReadFile (176, 0, 0, 0, 8329, 0x0, 0, ... {status=0x0, info=8329}, (176, 0, 0, 0, 8329, 0x0, 0, ... {status=0x0, info=8329}, "\355}\177|T\307u\357,\310 @\6a$\202\2150\342Ac\331\301 \20`\260\301Z$-\221\260\26\255V\277\260-,\204\366J+YH\313\336\25\31012J\201D\327\313\272`\303'$\261]\222\17I\324\304m\325W\210U\202\239\330\201O\252\324J\321\3\265V\373\364\22\352'\7\342(\257\324\310\261\354\355\367\234\271\367\352\256~A\352\304\257\177\354,g\356\314\33433\347\23493sf\356hp>vXL\26B\304\0\302a!\332\205tvqsG\2703\27\236\231)NM\373\331\242v[\356\317\26\25z\253\325d\237\277\276\312_\2763\271\242\274\256\256>\220\274CI\3667\324%W\327%g\345\25$\357\254\367(\313n\277}\372\22\275\214?{\366\203\267\377\376\352WZ\14\310\276\361\325\226\237\342\371\315\353/\363\363\177\\377\32?\335\325\25^zo\324\355r\10\221k\233,\276\223|c\223\221\326'f\331f\330\246\340%"\3112\355\304\34x\361\200\355:W\3612N\374\332t\276\3315\313\364KW\205\230\304\11\361\22\327|\232\17v\253\234B\244P\300'D[\254\370\304.e\222N2*Yb\33\37oY@i\14\340\371b\206N\220k\4a\222\365\355\313<\345\201r\204\343\246\353\274\2332\30v\220F\3072\277\352\257\20:\17>\35\3177\12\317\363\343\262\303Z\215\263\2408\243\330\271&uYVn\256\210\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\377\366nJK\245\372\324\307\212\272\354\311*5\367W\225\252\347\365\12\365\355\333\25\265\254LQ\277\351\257R\37\274\241\250\257\177\244\250\17"~\355E\217\372\336\373\212\372\243\357{\324\352\257y\324\35\17+\352\227\360\376K\203\212:\324\356Q\353\264J\365\337=\212ZSR\251\336X\357", ) \3112\355\304\34x\361\200\355:W\3612N\374\332t\276\3315\313\364KW\205\230\304\11\361\22\327|\232\17v\253\234B\244P\300'D[\254\370\304.e\222N2*Yb\33\37oY@i\14\340\371b\206N\220k\4a\222\365\355\313<\345\201r\204\343\246\353\274\2332\30v\220F\3072\277\352\257\20:\17>\35\3177\12\317\363\343\262\303Z\215\263\2408\243\330\271&uYVn\256\210\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\377\366nJK\245\372\324\307\212\272\354\311*5\367W\225\252\347\365\12\365\355\333\25\265\254LQ\277\351\257R\37\274\241\250\257\177\244\250\17 (176, 0, 0, 0, 8329, 0x0, 0, ... {status=0x0, info=8329}, "\355}\177|T\307u\357,\310 @\6a$\202\2150\342Ac\331\301 \20`\260\301Z$-\221\260\26\255V\277\260-,\204\366J+YH\313\336\25\31012J\201D\327\313\272`\303'$\261]\222\17I\324\304m\325W\210U\202\239\330\201O\252\324J\321\3\265V\373\364\22\352'\7\342(\257\324\310\261\354\355\367\234\271\367\352\256~A\352\304\257\177\354,g\356\314\33433\347\23493sf\356hp>vXL\26B\304\0\302a!\332\205tvqsG\2703\27\236\231)NM\373\331\242v[\356\317\26\25z\253\325d\237\277\276\312_\2763\271\242\274\256\256>\220\274CI\3667\324%W\327%g\345\25$\357\254\367(\313n\277}\372\22\275\214?{\366\203\267\377\376\352WZ\14\310\276\361\325\226\237\342\371\315\353/\363\363\177\\377\32?\335\325\25^zo\324\355r\10\221k\233,\276\223|c\223\221\326'f\331f\330\246\340%"\3112\355\304\34x\361\200\355:W\3612N\374\332t\276\3315\313\364KW\205\230\304\11\361\22\327|\232\17v\253\234B\244P\300'D[\254\370\304.e\222N2*Yb\33\37oY@i\14\340\371b\206N\220k\4a\222\365\355\313<\345\201r\204\343\246\353\274\2332\30v\220F\3072\277\352\257\20:\17>\35\3177\12\317\363\343\262\303Z\215\263\2408\243\330\271&uYVn\256\210\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\377\366nJK\245\372\324\307\212\272\354\311*5\367W\225\252\347\365\12\365\355\333\25\265\254LQ\277\351\257R\37\274\241\250\257\177\244\250\17"~\355E\217\372\336\373\212\372\243\357{\324\352\257y\324\35\17+\352\227\360\376K\203\212:\324\356Q\353\264J\365\337=\212ZSR\251\336X\357", ) , ) == 0x0 01594 416 NtWriteFile (180, 0, 0, 0, (180, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\217\212\371\333\313\353\227\210\313\353\227\210\313\353\227\210H\367\231\210\312\353\227\210\242\364\236\210\312\353\227\210"\364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\247 \367F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\326\353\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\04M\0\0(\0\0\0\0p\0\0\260\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\234B\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\247 \367F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\326\353\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\04M\0\0(\0\0\0\0p\0\0\260\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\234B\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01595 416 NtSetInformationFile (180, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01596 416 NtClose (180, ... ) == 0x0 01597 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a"}, 1244076, ... ) }, 1244076, ... ) == 0x0 01598 416 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01599 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1240548, ... ) }, 1240548, ... ) == 0x0 01600 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1241240, ... ) }, 1241240, ... ) == 0x0 01601 416 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01602 416 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 180, ... 172, ) == 0x0 01603 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01604 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 184, ) }, ... 184, ) == 0x0 01605 416 NtQueryValueKey (184, (184, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01606 416 NtClose (184, ... ) == 0x0 01607 416 NtQueryVolumeInformationFile (180, 1240548, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01608 416 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 184, ) }, ... 184, ) == 0x0 01609 416 NtWaitForSingleObject (184, 0, {-1000000, -1}, ... ) == 0x0 01610 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 188, ) }, ... 188, ) == 0x0 01611 416 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 57344, ) == 0x0 01612 416 NtReleaseMutant (184, ... 0x0, ) == 0x0 01613 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238532, ... ) }, 1238532, ... ) == 0x0 01614 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01615 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 192, ... 196, ) == 0x0 01616 416 NtClose (192, ... ) == 0x0 01617 416 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 106496, ) == 0x0 01618 416 NtClose (196, ... ) == 0x0 01619 416 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 01620 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238848, ... ) }, 1238848, ... ) == 0x0 01621 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 196, {status=0x0, info=1}, ) }, 5, 96, ... 196, {status=0x0, info=1}, ) == 0x0 01622 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 196, ... 192, ) == 0x0 01623 416 NtQuerySection (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01624 416 NtClose (196, ... ) == 0x0 01625 416 NtMapViewOfSection (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01626 416 NtClose (192, ... ) == 0x0 01627 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 01628 416 NtQueryInformationFile (192, 1239136, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01629 416 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0 01630 416 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x9a0000), 0x0, 1028096, ) == 0x0 01631 416 NtQueryInformationFile (192, 1239232, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01632 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01633 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01634 416 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01635 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01636 416 NtQueryDirectoryFile (200, 0, 0, 0, 1236796, 616, BothDirectory, 1, (200, 0, 0, 0, 1236796, 616, BothDirectory, 1, "vMW03a1066.exe", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01637 416 NtClose (200, ... ) == 0x0 01638 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01639 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01640 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1236184, ... ) }, 1236184, ... ) == 0x0 01641 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01642 416 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01643 416 NtClose (200, ... ) == 0x0 01644 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01645 416 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01646 416 NtClose (200, ... ) == 0x0 01647 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01648 416 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "vMW03a", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01649 416 NtClose (200, ... ) == 0x0 01650 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01651 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01652 416 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01653 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01654 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01655 416 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01656 416 NtClose (200, ... ) == 0x0 01657 416 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01658 416 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\vMW03a1066.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01659 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01660 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01661 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1238464, ... ) }, 1238464, ... ) == 0x0 01662 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01663 416 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01664 416 NtClose (200, ... ) == 0x0 01665 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01666 416 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01667 416 NtClose (200, ... ) == 0x0 01668 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01669 416 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "vMW03a", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01670 416 NtClose (200, ... ) == 0x0 01671 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01672 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01673 416 NtWaitForSingleObject (184, 0, {-1000000, -1}, ... ) == 0x0 01674 416 NtQueryVolumeInformationFile (180, 1239108, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01675 416 NtQueryInformationFile (180, 1239088, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01676 416 NtQueryInformationFile (180, 1239128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01677 416 NtReleaseMutant (184, ... 0x0, ) == 0x0 01678 416 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 01679 416 NtClose (196, ... ) == 0x0 01680 416 NtClose (192, ... ) == 0x0 01681 416 NtQuerySection (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01682 416 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vMW03a1066.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01683 416 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01684 416 NtOpenProcessToken (-1, 0xa, ... 192, ) == 0x0 01685 416 NtQueryInformationToken (192, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 01686 416 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01687 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01688 416 NtQueryValueKey (196, (196, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (196, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01689 416 NtQueryValueKey (196, (196, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (196, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01690 416 NtClose (196, ... ) == 0x0 01691 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01692 416 NtQueryValueKey (196, (196, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01693 416 NtQueryValueKey (196, (196, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (196, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01694 416 NtClose (196, ... ) == 0x0 01695 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01696 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01697 416 NtQueryValueKey (196, (196, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01698 416 NtClose (196, ... ) == 0x0 01699 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01700 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01701 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01702 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01703 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01704 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01705 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01706 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01707 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01708 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01709 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 196, ) }, ... 196, ) == 0x0 01710 416 NtEnumerateKey (196, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (196, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01711 416 NtOpenKey (0x20019, {24, 196, 0x40, 0, 0, (0x20019, {24, 196, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 200, ) }, ... 200, ) == 0x0 01712 416 NtQueryValueKey (200, (200, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (200, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01713 416 NtQueryValueKey (200, (200, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (200, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01714 416 NtClose (200, ... ) == 0x0 01715 416 NtEnumerateKey (196, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01716 416 NtClose (196, ... ) == 0x0 01717 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01718 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01719 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01720 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01721 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01722 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01723 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01724 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01725 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01726 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01727 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01728 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01729 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01730 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01731 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01732 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01733 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01734 416 NtClose (196, ... ) == 0x0 01735 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01736 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01737 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01738 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01739 416 NtClose (196, ... ) == 0x0 01740 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01741 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01742 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01743 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01744 416 NtClose (196, ... ) == 0x0 01745 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01746 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01747 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01748 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01749 416 NtClose (196, ... ) == 0x0 01750 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01751 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01752 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01753 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01754 416 NtClose (196, ... ) == 0x0 01755 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01756 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01757 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01758 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01759 416 NtClose (196, ... ) == 0x0 01760 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01761 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01762 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01763 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01764 416 NtClose (196, ... ) == 0x0 01765 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01766 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01767 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01768 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01769 416 NtClose (196, ... ) == 0x0 01770 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01771 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01772 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01773 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01774 416 NtClose (196, ... ) == 0x0 01775 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01776 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01777 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01778 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01779 416 NtClose (196, ... ) == 0x0 01780 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01781 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01782 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01783 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01784 416 NtClose (196, ... ) == 0x0 01785 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01786 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01787 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01788 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01789 416 NtClose (196, ... ) == 0x0 01790 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01791 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01792 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01793 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01794 416 NtClose (196, ... ) == 0x0 01795 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01796 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01797 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01798 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01799 416 NtClose (196, ... ) == 0x0 01800 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01801 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01802 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01803 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01804 416 NtClose (196, ... ) == 0x0 01805 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01806 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01807 416 NtQueryValueKey (196, (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 01808 416 NtClose (196, ... ) == 0x0 01809 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01810 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01811 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01812 416 NtClose (196, ... ) == 0x0 01813 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01814 416 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01815 416 NtOpenProcessToken (-1, 0xa, ... 196, ) == 0x0 01816 416 NtDuplicateToken (196, 0xc, {24, 0, 0x0, 0, 1240440, 0x0}, 0, 2, ... 200, ) == 0x0 01817 416 NtClose (196, ... ) == 0x0 01818 416 NtAccessCheck (1366144, 200, 0x1, 1240568, 1240512, 56, 1240596, ... (0x1), ) == 0x0 01819 416 NtClose (200, ... ) == 0x0 01820 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 200, ) }, ... 200, ) == 0x0 01821 416 NtQueryValueKey (200, (200, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (200, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01822 416 NtClose (200, ... ) == 0x0 01823 416 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 200, ) }, ... 200, ) == 0x0 01824 416 NtQuerySymbolicLinkObject (200, ... (200, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01825 416 NtClose (200, ... ) == 0x0 01826 416 NtQueryInformationFile (180, 1238900, 528, Name, ... {status=0x0, info=82}, ) == 0x0 01827 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01828 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01829 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1237580, ... ) }, 1237580, ... ) == 0x0 01830 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01831 416 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01832 416 NtClose (200, ... ) == 0x0 01833 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01834 416 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01835 416 NtClose (200, ... ) == 0x0 01836 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01837 416 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "vMW03a", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01838 416 NtClose (200, ... ) == 0x0 01839 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01840 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01841 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01842 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01843 416 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01844 416 NtClose (200, ... ) == 0x0 01845 416 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 200, ) }, ... 200, ) == 0x0 01846 416 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 196, ) }, ... 196, ) == 0x0 01847 416 NtClose (200, ... ) == 0x0 01848 416 NtQueryValueKey (196, (196, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01849 416 NtQueryValueKey (196, (196, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (196, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 01850 416 NtClose (196, ... ) == 0x0 01851 416 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 10092544, 4096, ) == 0x0 01852 416 NtAllocateVirtualMemory (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0 01853 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01854 416 NtQueryValueKey (196, (196, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01855 416 NtClose (196, ... ) == 0x0 01856 416 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01857 416 NtQueryInformationToken (192, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01858 416 NtQueryInformationToken (192, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01859 416 NtClose (192, ... ) == 0x0 01860 416 NtCreateProcessEx (1243176, 2035711, 0, -1, 0, 172, 0, 0, 0, ... ) == 0x0 01861 416 NtQueryInformationProcess (192, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=412,}, 0x0, ) == 0x0 01862 416 NtReadVirtualMemory (192, 0x7ffdf008, 4, ... (192, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 01863 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01864 416 NtReadVirtualMemory (192, 0x400000, 4096, ... (192, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\217\212\371\333\313\353\227\210\313\353\227\210\313\353\227\210H\367\231\210\312\353\227\210\242\364\236\210\312\353\227\210"\364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\247 \367F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\326\353\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\04M\0\0(\0\0\0\0p\0\0\260\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\234B\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 4096, ) \364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\247 \367F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\326\353\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\04M\0\0(\0\0\0\0p\0\0\260\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\234B\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 4096, ) == 0x0 01865 416 NtReadVirtualMemory (192, 0x407000, 256, ... (192, 0x407000, 256, ... "\0\0\0\0\247 \367F\0\0\0\0\0\0\3\0\3\0\0\0X\0\0\200\16\0\0\0@\0\0\200\20\0\0\0(\0\0\200\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\1\0\0\0\200\0\0\200\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\1\0\0\0\230\0\0\200\0\0\0\0\247 \367F\0\0\0\0\0\0\3\01u\0\0\340\0\0\2002u\0\0\310\0\0\2003u\0\0\260\0\0\200\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\11\4\0\0\370\0\0\0\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\0\0\0\0\10\1\0\0\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\0\0\0\0\30\1\0\0\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\0\0\0\0(\1\0\0\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\0\0\0\08\1\0\0Pq\0\0\360\1\0\0", 256, ) , 256, ) == 0x0 01866 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01867 416 NtQueryInformationProcess (192, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=412,}, 0x0, ) == 0x0 01868 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a"}, 1241240, ... ) }, 1241240, ... ) == 0x0 01869 416 NtAllocateVirtualMemory (-1, 0, 0, 1732, 4096, 4, ... 10158080, 4096, ) == 0x0 01870 416 NtAllocateVirtualMemory (192, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 01871 416 NtWriteVirtualMemory (192, 0x10000, (192, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 01872 416 NtAllocateVirtualMemory (192, 0, 0, 1732, 4096, 4, ... 131072, 4096, ) == 0x0 01873 416 NtWriteVirtualMemory (192, 0x20000, (192, 0x20000, "\0\20\0\0\304\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\04\0\10\2\220\2\0\0\0\0\0\0\12\1\14\1\230\4\0\0R\0T\0\244\5\0\0R\0T\0\370\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0T\0L\6\0\0\36\0 \0\240\6\0\0\0\0\2\0\300\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1732, ... 0x0, ) , 1732, ... 0x0, ) == 0x0 01874 416 NtWriteVirtualMemory (192, 0x7ffdf010, (192, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01875 416 NtWriteVirtualMemory (192, 0x7ffdf1e8, (192, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01876 416 NtFreeVirtualMemory (-1, (0x9b0000), 0, 32768, ... (0x9b0000), 4096, ) == 0x0 01877 416 NtAllocateVirtualMemory (192, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01878 416 NtAllocateVirtualMemory (192, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 01879 416 NtProtectVirtualMemory (192, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 01880 416 NtCreateThread (0x1f03ff, 0x0, 192, 1241440, 1242160, 1, ... 196, {380, 568}, ) == 0x0 01881 416 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} "\0\0\0\0\0\0\1\0\2$\370w U\367w\303\0\0\0\304\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ... {168, 196, reply, 0, 412, 416, 1503, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\300\0\0\0\304\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ) ... {168, 196, reply, 0, 412, 416, 1503, 0} (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} "\0\0\0\0\0\0\1\0\2$\370w U\367w\303\0\0\0\304\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ... {168, 196, reply, 0, 412, 416, 1503, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\300\0\0\0\304\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ) ) == 0x0 01882 416 NtResumeThread (196, ... 1, ) == 0x0 01883 416 NtClose (180, ... ) == 0x0 01884 416 NtClose (172, ... ) == 0x0 01885 416 NtClose (196, ... ) == 0x0 01886 416 NtClose (192, ... ) == 0x0 01887 416 NtClose (176, ... ) == 0x0 01888 416 NtUserDestroyWindow (131262, ... 01889 416 NtUserRemoveProp (131262, 43288, ... ) == 0xffffffff 01890 416 NtUserRemoveProp (131262, 43282, ... ) == 0x0 01891 416 NtUserRemoveProp (131262, 43287, ... ) == 0x0 01888 416 NtUserDestroyWindow ... ) == 0x1 01892 416 NtUserUnregisterClass (1244636, 1998258176, 1244624, ... ) == 0x1 01893 416 NtTerminateProcess (0, 0, ... ) == 0x0 01894 416 NtRaiseException (1243508, 1242768, 1, ... 01895 416 NtContinue (1241564, 0, ... 01896 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01897 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01898 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01899 416 NtRaiseException (1233484, 1232744, 1, ... 01900 416 NtContinue (1231540, 0, ... 01901 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01902 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01903 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01904 416 NtUnmapViewOfSection (-1, 0x980000, ... ) == 0x0 01905 416 NtClose (168, ... ) == 0x0 01906 416 NtClose (164, ... ) == 0x0 01907 416 NtClose (152, ... ) == 0x0 01908 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 01909 416 NtFreeVirtualMemory (-1, (0x880000), 0, 32768, ... (0x880000), 65536, ) == 0x0 01910 416 NtClose (104, ... ) == 0x0 01911 416 NtClose (148, ... ) == 0x0 01912 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 01913 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 148, ) }, ... 148, ) == 0x0 01914 416 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 01915 416 NtClose (148, ... ) == 0x0 01916 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 01917 416 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 01918 416 NtClose (72, ... ) == 0x0 01919 416 NtGdiDeleteObjectApp (202376191, ... ) == 0x1 01920 416 NtUserGetProcessWindowStation (... ) == 0x28 01921 416 NtUserBuildNameList (40, 256, 1349064, 1244148, ... ) == 0x0 01922 416 NtUserGetProcessWindowStation (... ) == 0x28 01923 416 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x48 01924 416 NtUserBuildHwndList (72, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0 01925 416 NtUserQueryWindow (65706, 0, ... ) == 0x7dc 01926 416 NtUserQueryWindow (65706, 1, ... ) == 0x7e0 01927 416 NtUserQueryWindow (65704, 0, ... ) == 0x7dc 01928 416 NtUserQueryWindow (65704, 1, ... ) == 0x7e0 01929 416 NtUserQueryWindow (65702, 0, ... ) == 0x7dc 01930 416 NtUserQueryWindow (65702, 1, ... ) == 0x7e0 01931 416 NtUserQueryWindow (131168, 0, ... ) == 0x7dc 01932 416 NtUserQueryWindow (131168, 1, ... ) == 0x7e0 01933 416 NtUserQueryWindow (65696, 0, ... ) == 0x778 01934 416 NtUserQueryWindow (65696, 1, ... ) == 0x784 01935 416 NtUserQueryWindow (65662, 0, ... ) == 0x778 01936 416 NtUserQueryWindow (65662, 1, ... ) == 0x784 01937 416 NtUserBuildHwndList (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0 01938 416 NtUserQueryWindow (65664, 0, ... ) == 0x778 01939 416 NtUserQueryWindow (65664, 1, ... ) == 0x784 01940 416 NtUserQueryWindow (65670, 0, ... ) == 0x778 01941 416 NtUserQueryWindow (65670, 1, ... ) == 0x784 01942 416 NtUserQueryWindow (65672, 0, ... ) == 0x778 01943 416 NtUserQueryWindow (65672, 1, ... ) == 0x784 01944 416 NtUserQueryWindow (65674, 0, ... ) == 0x778 01945 416 NtUserQueryWindow (65674, 1, ... ) == 0x784 01946 416 NtUserQueryWindow (65678, 0, ... ) == 0x778 01947 416 NtUserQueryWindow (65678, 1, ... ) == 0x784 01948 416 NtUserQueryWindow (65680, 0, ... ) == 0x778 01949 416 NtUserQueryWindow (65680, 1, ... ) == 0x784 01950 416 NtUserQueryWindow (65682, 0, ... ) == 0x778 01951 416 NtUserQueryWindow (65682, 1, ... ) == 0x784 01952 416 NtUserQueryWindow (65684, 0, ... ) == 0x778 01953 416 NtUserQueryWindow (65684, 1, ... ) == 0x784 01954 416 NtUserQueryWindow (65686, 0, ... ) == 0x778 01955 416 NtUserQueryWindow (65686, 1, ... ) == 0x784 01956 416 NtUserQueryWindow (65690, 0, ... ) == 0x778 01957 416 NtUserQueryWindow (65690, 1, ... ) == 0x784 01958 416 NtUserQueryWindow (65692, 0, ... ) == 0x778 01959 416 NtUserQueryWindow (65692, 1, ... ) == 0x784 01960 416 NtUserQueryWindow (65694, 0, ... ) == 0x778 01961 416 NtUserQueryWindow (65694, 1, ... ) == 0x784 01962 416 NtUserQueryWindow (65652, 0, ... ) == 0x778 01963 416 NtUserQueryWindow (65652, 1, ... ) == 0x784 01964 416 NtUserQueryWindow (65640, 0, ... ) == 0x778 01965 416 NtUserQueryWindow (65640, 1, ... ) == 0x784 01966 416 NtUserQueryWindow (196682, 0, ... ) == 0x778 01967 416 NtUserQueryWindow (196682, 1, ... ) == 0x784 01968 416 NtUserQueryWindow (65638, 0, ... ) == 0x778 01969 416 NtUserQueryWindow (65638, 1, ... ) == 0x784 01970 416 NtUserQueryWindow (196684, 0, ... ) == 0x778 01971 416 NtUserQueryWindow (196684, 1, ... ) == 0x784 01972 416 NtUserQueryWindow (196668, 0, ... ) == 0x778 01973 416 NtUserQueryWindow (196668, 1, ... ) == 0x784 01974 416 NtUserBuildHwndList (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0 01975 416 NtUserQueryWindow (196670, 0, ... ) == 0x778 01976 416 NtUserQueryWindow (196670, 1, ... ) == 0x784 01977 416 NtUserQueryWindow (196674, 0, ... ) == 0x778 01978 416 NtUserQueryWindow (196674, 1, ... ) == 0x784 01979 416 NtUserQueryWindow (196672, 0, ... ) == 0x778 01980 416 NtUserQueryWindow (196672, 1, ... ) == 0x784 01981 416 NtUserQueryWindow (196676, 0, ... ) == 0x778 01982 416 NtUserQueryWindow (196676, 1, ... ) == 0x784 01983 416 NtUserQueryWindow (196678, 0, ... ) == 0x778 01984 416 NtUserQueryWindow (196678, 1, ... ) == 0x784 01985 416 NtUserQueryWindow (196680, 0, ... ) == 0x778 01986 416 NtUserQueryWindow (196680, 1, ... ) == 0x784 01987 416 NtUserQueryWindow (65642, 0, ... ) == 0x778 01988 416 NtUserQueryWindow (65642, 1, ... ) == 0x784 01989 416 NtUserQueryWindow (65646, 0, ... ) == 0x778 01990 416 NtUserQueryWindow (65646, 1, ... ) == 0x784 01991 416 NtUserQueryWindow (65650, 0, ... ) == 0x778 01992 416 NtUserQueryWindow (65650, 1, ... ) == 0x784 01993 416 NtUserQueryWindow (65688, 0, ... ) == 0x778 01994 416 NtUserQueryWindow (65688, 1, ... ) == 0x784 01995 416 NtUserQueryWindow (65676, 0, ... ) == 0x778 01996 416 NtUserQueryWindow (65676, 1, ... ) == 0x784 01997 416 NtUserQueryWindow (65660, 0, ... ) == 0x778 01998 416 NtUserQueryWindow (65660, 1, ... ) == 0x77c 01999 416 NtUserQueryWindow (65574, 0, ... ) == 0x268 02000 416 NtUserQueryWindow (65574, 1, ... ) == 0x2c4 02001 416 NtUserQueryWindow (65724, 0, ... ) == 0x7ec 02002 416 NtUserQueryWindow (65724, 1, ... ) == 0x7f0 02003 416 NtUserQueryWindow (65722, 0, ... ) == 0x7ec 02004 416 NtUserQueryWindow (65722, 1, ... ) == 0x7f0 02005 416 NtUserQueryWindow (65720, 0, ... ) == 0x7ec 02006 416 NtUserQueryWindow (65720, 1, ... ) == 0x7f0 02007 416 NtUserQueryWindow (65718, 0, ... ) == 0x7ec 02008 416 NtUserQueryWindow (65718, 1, ... ) == 0x7f0 02009 416 NtUserQueryWindow (65716, 0, ... ) == 0x7ec 02010 416 NtUserQueryWindow (65716, 1, ... ) == 0x7f0 02011 416 NtUserQueryWindow (65714, 0, ... ) == 0x7ec 02012 416 NtUserQueryWindow (65714, 1, ... ) == 0x7f0 02013 416 NtUserQueryWindow (65712, 0, ... ) == 0x7ec 02014 416 NtUserQueryWindow (65712, 1, ... ) == 0x7f0 02015 416 NtUserQueryWindow (65710, 0, ... ) == 0x7ec 02016 416 NtUserQueryWindow (65710, 1, ... ) == 0x7f0 02017 416 NtUserQueryWindow (131172, 0, ... ) == 0x7f8 02018 416 NtUserQueryWindow (131172, 1, ... ) == 0x7fc 02019 416 NtUserQueryWindow (65708, 0, ... ) == 0x7dc 02020 416 NtUserQueryWindow (65708, 1, ... ) == 0x7e0 02021 416 NtUserQueryWindow (131170, 0, ... ) == 0x7d0 02022 416 NtUserQueryWindow (131170, 1, ... ) == 0x7d4 02023 416 NtUserQueryWindow (65644, 0, ... ) == 0x778 02024 416 NtUserQueryWindow (65644, 1, ... ) == 0x7a0 02025 416 NtUserQueryWindow (327760, 0, ... ) == 0x778 02026 416 NtUserQueryWindow (327760, 1, ... ) == 0x77c 02027 416 NtUserQueryWindow (262228, 0, ... ) == 0x778 02028 416 NtUserQueryWindow (262228, 1, ... ) == 0x77c 02029 416 NtUserQueryWindow (327758, 0, ... ) == 0x778 02030 416 NtUserQueryWindow (327758, 1, ... ) == 0x77c 02031 416 NtUserQueryWindow (65666, 0, ... ) == 0x778 02032 416 NtUserQueryWindow (65666, 1, ... ) == 0x77c 02033 416 NtUserQueryWindow (65654, 0, ... ) == 0x778 02034 416 NtUserQueryWindow (65654, 1, ... ) == 0x77c 02035 416 NtUserBuildHwndList (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0 02036 416 NtUserQueryWindow (65656, 0, ... ) == 0x778 02037 416 NtUserQueryWindow (65656, 1, ... ) == 0x77c 02038 416 NtUserQueryWindow (65658, 0, ... ) == 0x778 02039 416 NtUserQueryWindow (65658, 1, ... ) == 0x77c 02040 416 NtUserCloseDesktop (72, ... 02041 416 NtClose (72, ... ) == 0x0 02040 416 NtUserCloseDesktop ... ) == 0x1 02042 416 NtUserGetProcessWindowStation (... ) == 0x28 02043 416 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02044 416 NtUserGetProcessWindowStation (... ) == 0x28 02045 416 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02046 416 NtGdiDeleteObjectApp (369755159, ... ) == 0x1 02047 416 NtGdiDeleteObjectApp (151651339, ... ) == 0x1 02048 416 NtClose (64, ... ) == 0x0 02049 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02050 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc03b 02051 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02052 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc03d 02053 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02054 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc03f 02055 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02056 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc041 02057 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02058 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc043 02059 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02060 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc045 02061 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02062 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc047 02063 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02064 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc049 02065 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02066 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04b 02067 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02068 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04d 02069 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02070 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04f 02071 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02072 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc051 02073 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02074 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc053 02075 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02076 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc057 02077 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02078 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc059 02079 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02080 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05b 02081 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02082 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05d 02083 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02084 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05f 02085 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02086 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc017 02087 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02088 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc019 02089 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02090 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc018 02091 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02092 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01a 02093 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02094 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01c 02095 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02096 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01e 02097 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02098 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01b 02099 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02100 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc068 02101 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02102 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc06a 02103 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02104 416 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 02105 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02106 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03b 02107 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02108 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03d 02109 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02110 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03f 02111 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02112 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc041 02113 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02114 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc043 02115 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02116 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc045 02117 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02118 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc047 02119 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02120 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc049 02121 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02122 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc04b 02123 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02124 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc04d 02125 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02126 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc04f 02127 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02128 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc051 02129 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02130 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc053 02131 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02132 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc057 02133 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02134 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc059 02135 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02136 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05b 02137 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02138 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05d 02139 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02140 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05f 02141 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02142 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02143 416 NtClose (160, ... ) == 0x0 02144 416 NtClose (76, ... ) == 0x0 02145 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 02146 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 02147 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 02148 416 NtClose (68, ... ) == 0x0 02149 416 NtFreeVirtualMemory (-1, (0x9a0000), 4096, 32768, ... (0x9a0000), 4096, ) == 0x0 02150 416 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1369944, 1369952, 65912, 1310720} (24, {20, 48, new_msg, 0, 1369944, 1369952, 65912, 1310720} "\0\0\0\0\3\0\1\0\230\375\22\0\2$\370w\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 1508, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2$\370w\0\0\0\0" ) ... {20, 48, reply, 0, 412, 416, 1508, 0} (24, {20, 48, new_msg, 0, 1369944, 1369952, 65912, 1310720} "\0\0\0\0\3\0\1\0\230\375\22\0\2$\370w\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 1508, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2$\370w\0\0\0\0" ) ) == 0x0 02151 416 NtTerminateProcess (-1, 0, ... 02152 416 NtClose (44, ... ) == 0x0