Summary:

NtCallbackReturn(>) 1 NtGdiCreateBitmap(>) 2 NtUserBuildHwndList(>) 4 NtFlushInstructionCache(>) 19
NtConnectPort(>) 1 NtGdiCreateSolidBrush(>) 2 NtUserSelectPalette(>) 4 NtUnmapViewOfSection(>) 20
NtCreateMutant(>) 1 NtGdiGetDCObject(>) 2 NtWriteVirtualMemory(>) 4 NtSetInformationThread(>) 22
NtCreateProcessEx(>) 1 NtGdiGetDCforBitmap(>) 2 NtGdiDeleteObjectApp(>) 5 NtQueryInformationProcess(>) 23
NtCreateThread(>) 1 NtGdiHfontCreate(>) 2 NtGdiGetStockObject(>) 5 NtWriteFile(>) 23
NtDuplicateToken(>) 1 NtGdiRestoreDC(>) 2 NtUserGetProcessWindowStation(>) 5 NtRaiseException(>) 25
NtEnumerateValueKey(>) 1 NtGdiSaveDC(>) 2 NtUserRegisterWindowMessage(>) 5 NtContinue(>) 26
NtGdiBitBlt(>) 1 NtGdiSetDIBitsToDeviceInternal(>) 2 NtCreateSemaphore(>) 6 NtSetInformationFile(>) 26
NtGdiCreateCompatibleBitmap(>) 1 NtOpenDirectoryObject(>) 2 NtEnumerateKey(>) 6 NtReleaseMutant(>) 28
NtGdiCreateDIBitmapInternal(>) 1 NtOpenProcess(>) 2 NtOpenProcessToken(>) 6 NtCreateSection(>) 30
NtGdiCreatePatternBrushInternal(>) 1 NtQueryInstallUILanguage(>) 2 NtQueryVolumeInformationFile(>) 7 NtCreateFile(>) 32
NtGdiExtGetObjectW(>) 1 NtQueryVirtualMemory(>) 2 NtUserCallNoParam(>) 7 NtOpenProcessTokenEx(>) 32
NtGdiInit(>) 1 NtTerminateProcess(>) 2 NtQueryDefaultUILanguage(>) 8 NtOpenThreadTokenEx(>) 32
NtGdiQueryFontAssocInfo(>) 1 NtUserCloseDesktop(>) 2 NtSetInformationProcess(>) 8 NtProtectVirtualMemory(>) 39
NtNotifyChangeKey(>) 1 NtUserCreateWindowEx(>) 2 NtQueryDebugFilterState(>) 9 NtQueryInformationToken(>) 39
NtOpenKeyedEvent(>) 1 NtUserDestroyWindow(>) 2 NtQueryInformationFile(>) 9 NtWaitForSingleObject(>) 41
NtQueryInformationJobObject(>) 1 NtUserGetObjectInformation(>) 2 NtReleaseSemaphore(>) 10 NtAllocateVirtualMemory(>) 43
NtQueryObject(>) 1 NtUserMessageCall(>) 2 NtUserGetWindowDC(>) 10 NtUserUnregisterClass(>) 46
NtQueryPerformanceCounter(>) 1 NtAddAtom(>) 3 NtRequestWaitReplyPort(>) 11 NtMapViewOfSection(>) 48
NtQuerySystemTime(>) 1 NtDuplicateObject(>) 3 NtSetValueKey(>) 11 NtUserFindExistingCursorIcon(>) 49
NtRegisterThreadTerminatePort(>) 1 NtOpenEvent(>) 3 NtUserSystemParametersInfo(>) 11 NtOpenFile(>) 51
NtResumeThread(>) 1 NtOpenMutant(>) 3 NtCreateEvent(>) 12 NtOpenSection(>) 51
NtSecureConnectPort(>) 1 NtReadVirtualMemory(>) 3 NtCreateKey(>) 12 NtUserRegisterClassExWOW(>) 64
NtTestAlert(>) 1 NtUserGetDC(>) 3 NtQueryKey(>) 12 NtQueryAttributesFile(>) 69
NtUserBuildNameList(>) 1 NtUserOpenDesktop(>) 3 NtGdiSelectBitmap(>) 13 NtQuerySystemInformation(>) 76
NtUserGetAtomName(>) 1 NtUserRemoveProp(>) 3 NtQueryDirectoryFile(>) 13 NtUserGetClassInfo(>) 82
NtUserGetGUIThreadInfo(>) 1 NtFreeVirtualMemory(>) 4 NtUserCallOneParam(>) 14 NtReadFile(>) 89
NtUserGetThreadDesktop(>) 1 NtGdiCreateCompatibleDC(>) 4 NtOpenThreadToken(>) 15 NtQueryValueKey(>) 97
NtUserSetCursorIconData(>) 1 NtOpenSymbolicLinkObject(>) 4 NtQuerySection(>) 15 NtUserQueryWindow(>) 112
NtUserSetProp(>) 1 NtQuerySecurityObject(>) 4 NtFsControlFile(>) 16 NtOpenKey(>) 157
NtAccessCheck(>) 2 NtQuerySymbolicLinkObject(>) 4 NtQueryDefaultLocale(>) 16 NtClose(>) 264
NtCreateIoCompletion(>) 2 NtSetInformationObject(>) 4 NtDeviceIoControlFile(>) 17

Trace:

00001 416 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 416 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 416 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 416 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 416 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 416 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 416 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 416 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 416 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 416 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 416 NtClose (12, ... ) == 0x0 00014 416 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 416 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 416 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 416 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 416 NtClose (16, ... ) == 0x0 00021 416 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 416 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 416 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0 00025 416 NtClose (16, ... ) == 0x0 00026 416 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 416 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 416 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 416 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 412, 416, 1479, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ... {28, 56, reply, 0, 412, 416, 1479, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 412, 416, 1479, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ) == 0x0 00032 416 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 416 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 416 NtClose (16, ... ) == 0x0 00036 416 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 416 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0 00039 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 416 NtClose (28, ... ) == 0x0 00041 416 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 416 NtClose (28, ... ) == 0x0 00045 416 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 416 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 416 NtClose (28, ... ) == 0x0 00049 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 416 NtClose (28, ... ) == 0x0 00052 416 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 412, 416, 1481, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ... {28, 56, reply, 0, 412, 416, 1481, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 412, 416, 1481, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ) == 0x0 00056 416 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00057 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00058 416 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00059 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 416 NtClose (28, ... ) == 0x0 00062 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 416 NtClose (28, ... ) == 0x0 00065 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 416 NtClose (28, ... ) == 0x0 00068 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 416 NtClose (28, ... ) == 0x0 00071 416 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00072 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00073 416 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00074 416 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00075 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00076 416 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00077 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00078 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00079 416 NtClose (28, ... ) == 0x0 00080 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00081 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00082 416 NtClose (28, ... ) == 0x0 00083 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00085 416 NtClose (28, ... ) == 0x0 00086 416 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00087 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00088 416 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00089 416 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00090 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00091 416 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00092 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00094 416 NtClose (28, ... ) == 0x0 00095 416 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00096 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00097 416 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00098 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00099 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00100 416 NtClose (28, ... ) == 0x0 00101 416 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00102 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00103 416 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00104 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 28, ) }, ... 28, ) == 0x0 00105 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 00106 416 NtClose (28, ... ) == 0x0 00107 416 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00108 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00109 416 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00110 416 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00111 416 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00112 416 NtClose (28, ... ) == 0x0 00113 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00114 416 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00115 416 NtClose (28, ... ) == 0x0 00116 416 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00117 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00118 416 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00119 416 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00120 416 NtClose (28, ... ) == 0x0 00121 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00122 416 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00123 416 NtClose (28, ... ) == 0x0 00124 416 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00125 416 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00126 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00128 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1485, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\35\1$\1\0\0" ) ... {28, 56, reply, 0, 412, 416, 1485, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1485, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\35\1$\1\0\0" ) ) == 0x0 00129 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 416 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0 00131 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00132 416 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00133 416 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00134 416 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00135 416 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00136 416 NtClose (-2147482020, ... ) == 0x0 00137 416 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00138 416 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00139 416 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00140 416 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00141 416 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 416 NtClose (-2147482020, ... ) == 0x0 00143 416 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00144 416 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 416 NtClose (-2147482020, ... ) == 0x0 00146 416 NtQueryDefaultLocale (0, -130840052, ... ) == 0x0 00147 416 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00148 416 NtUserCallNoParam (24, ... ) == 0x0 00149 416 NtGdiCreateCompatibleDC (0, ... 00150 416 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00149 416 NtGdiCreateCompatibleDC ... ) == 0x140103c6 00151 416 NtGdiGetStockObject (0, ... ) == 0x1900010 00152 416 NtGdiGetStockObject (4, ... ) == 0x1900011 00153 416 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x13050404 00154 416 NtGdiCreateSolidBrush (0, 0, ... 00155 416 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0 00154 416 NtGdiCreateSolidBrush ... ) == 0xe10040a 00156 416 NtGdiGetStockObject (13, ... ) == 0x18a0021 00157 416 NtGdiCreateCompatibleDC (0, ... ) == 0x70010384 00158 416 NtGdiSelectBitmap (1879114628, 319095812, ... ) == 0x185000f 00159 416 NtUserGetThreadDesktop (416, 0, ... ) == 0x2c 00160 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00161 416 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00162 416 NtClose (52, ... ) == 0x0 00163 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00164 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00165 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00166 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00167 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00168 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00169 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00170 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00171 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00172 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00173 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00174 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00175 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00176 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00177 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00178 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00179 416 NtAllocateVirtualMemory (-1, 5664768, 0, 4096, 4096, 32, ... 5664768, 4096, ) == 0x0 00178 416 NtUserRegisterClassExWOW ... ) == 0x810dc026 00180 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00181 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00182 416 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00183 416 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00184 416 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00185 416 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00186 416 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00187 416 NtCallbackReturn (0, 0, 0, ... 00188 416 NtGdiInit (... ) == 0x1 00189 416 NtGdiGetStockObject (18, ... ) == 0x290001c 00190 416 NtGdiGetStockObject (19, ... ) == 0x1b00019 00191 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00192 416 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00193 416 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00194 416 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0 00195 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00196 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00197 416 NtClose (52, ... ) == 0x0 00198 416 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00199 416 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00200 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0 00201 416 NtQueryValueKey (52, (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00202 416 NtClose (52, ... ) == 0x0 00203 416 NtQueryDefaultUILanguage (1241756, ... 00204 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00205 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00206 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00207 416 NtClose (-2147482020, ... ) == 0x0 00208 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00209 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00210 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00211 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00212 416 NtClose (-2147482032, ... ) == 0x0 00213 416 NtClose (-2147482020, ... ) == 0x0 00203 416 NtQueryDefaultUILanguage ... ) == 0x0 00214 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00215 416 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00216 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00217 416 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0 00218 416 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 8323072, ) == 0x0 00219 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 416 NtQueryDefaultUILanguage (2013024600, ... 00221 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00222 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00223 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00224 416 NtClose (-2147482020, ... ) == 0x0 00225 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00226 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00227 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00228 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00229 416 NtClose (-2147482032, ... ) == 0x0 00230 416 NtClose (-2147482020, ... ) == 0x0 00220 416 NtQueryDefaultUILanguage ... ) == 0x0 00231 416 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00232 416 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00233 416 NtQueryDefaultLocale (1, 1239792, ... ) == 0x0 00234 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 416 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1495, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 416, 1495, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1495, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ) == 0x0 00236 416 NtClose (52, ... ) == 0x0 00237 416 NtClose (56, ... ) == 0x0 00238 416 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00239 416 NtUnmapViewOfSection (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW 00240 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00241 416 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00242 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00243 416 NtQueryValueKey (56, (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00244 416 NtClose (56, ... ) == 0x0 00245 416 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00246 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00247 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00248 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00249 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00250 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00251 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00252 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00253 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0 00254 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00255 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00256 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00257 416 NtClose (52, ... ) == 0x0 00258 416 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 921600, ) == 0x0 00259 416 NtClose (60, ... ) == 0x0 00260 416 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00261 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00262 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00263 416 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00264 416 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00265 416 NtQueryInformationToken (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00266 416 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00267 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0 00268 416 NtQueryValueKey (68, (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00269 416 NtClose (68, ... ) == 0x0 00270 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00271 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 68, ) == 0x0 00272 416 NtQueryInformationToken (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00273 416 NtClose (68, ... ) == 0x0 00274 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00275 416 NtClose (64, ... ) == 0x0 00276 416 NtClose (60, ... ) == 0x0 00277 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00278 416 NtClose (52, ... ) == 0x0 00279 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00280 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00281 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00282 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00283 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00284 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00285 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00286 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00287 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00288 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00289 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00290 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00291 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00292 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00293 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00294 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00295 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00296 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00297 416 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00298 416 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00299 416 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00300 416 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0 00301 416 NtQueryDefaultUILanguage (1239368, ... 00302 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00303 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00304 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00305 416 NtClose (-2147482020, ... ) == 0x0 00306 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00307 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00309 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 416 NtClose (-2147482032, ... ) == 0x0 00311 416 NtClose (-2147482020, ... ) == 0x0 00301 416 NtQueryDefaultUILanguage ... ) == 0x0 00312 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00313 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0 00314 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00315 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00316 416 NtClose (52, ... ) == 0x0 00317 416 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 4096, ) == 0x0 00318 416 NtClose (60, ... ) == 0x0 00319 416 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00320 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0 00321 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238560, (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00322 416 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0 00323 416 NtClose (60, ... ) == 0x0 00324 416 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x880000), {0, 0}, 4096, ) == 0x0 00325 416 NtClose (52, ... ) == 0x0 00326 416 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00327 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00328 416 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0 00329 416 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 4096, ) == 0x0 00330 416 NtQueryInformationFile (52, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00331 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00332 416 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 416, 1496, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ) == 0x0 00333 416 NtClose (52, ... ) == 0x0 00334 416 NtClose (60, ... ) == 0x0 00335 416 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00336 416 NtUnmapViewOfSection (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW 00337 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00338 416 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00339 416 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00340 416 NtUserGetDC (0, ... ) == 0x1010052 00341 416 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00342 416 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00343 416 NtUserSystemParametersInfo (66, 12, 1240672, 0, ... ) == 0x1 00344 416 NtOpenProcessToken (-1, 0x8, ... 60, ) == 0x0 00345 416 NtAccessCheck (1329160, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00346 416 NtClose (60, ... ) == 0x0 00347 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00348 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00349 416 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00350 416 NtClose (60, ... ) == 0x0 00351 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00352 416 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00353 416 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00354 416 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00355 416 NtClose (52, ... ) == 0x0 00356 416 NtUserSystemParametersInfo (41, 500, 1240172, 0, ... ) == 0x1 00357 416 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0 00358 416 NtQueryValueKey (52, (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00359 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0 00360 416 NtQueryValueKey (64, (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00361 416 NtClose (64, ... ) == 0x0 00362 416 NtClose (52, ... ) == 0x0 00363 416 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00364 416 NtUserSystemParametersInfo (4130, 0, 1240696, 0, ... ) == 0x1 00365 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0 00366 416 NtEnumerateValueKey (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00367 416 NtClose (52, ... ) == 0x0 00368 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00369 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b 00370 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d 00371 416 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00372 416 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f 00373 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00374 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041 00375 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00376 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043 00377 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045 00378 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00379 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047 00380 416 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00381 416 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049 00382 416 NtUserGetClassInfo (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049 00383 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00384 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b 00385 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00386 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d 00387 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00388 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f 00389 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051 00390 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00391 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053 00392 416 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00393 416 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055 00394 416 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057 00395 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00396 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059 00397 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10013 00398 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b 00399 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00400 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d 00401 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00402 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f 00403 416 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00404 416 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017 00405 416 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00406 416 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019 00407 416 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10013 00408 416 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018 00409 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00410 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a 00411 416 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00412 416 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... 00413 416 NtAllocateVirtualMemory (-1, 5668864, 0, 4096, 4096, 32, ... 5668864, 4096, ) == 0x0 00412 416 NtUserRegisterClassExWOW ... ) == 0x810dc01c 00414 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00415 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e 00416 416 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00417 416 NtUserRegisterClassExWOW (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b 00418 416 NtUserFindExistingCursorIcon (1239972, 1239988, 1240556, ... ) == 0x10011 00419 416 NtUserRegisterClassExWOW (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068 00420 416 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00421 416 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a 00422 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00423 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00424 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03b 00425 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00426 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03d 00427 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00428 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00429 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03f 00430 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00431 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00432 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc041 00433 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00434 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00435 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc043 00436 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00437 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc045 00438 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00439 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00440 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc047 00441 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00442 416 NtUserFindExistingCursorIcon (1242872, 1242888, 1243456, ... ) == 0x10011 00443 416 NtUserRegisterClassExWOW (1243324, 1243404, 1243388, 1243420, 0, 384, 0, ... ) == 0x810dc049 00444 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00445 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00446 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04b 00447 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00448 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00449 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04d 00450 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00451 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00452 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04f 00453 416 NtUserGetClassInfo (0, 1243496, 1243448, 1243524, 0, ... ) == 0x0 00454 416 NtUserRegisterClassExWOW (1243332, 1243412, 1243396, 1243428, 0, 384, 0, ... ) == 0x810dc051 00455 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00456 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00457 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc053 00458 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00459 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00460 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc055 00461 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc057 00462 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00463 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00464 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc059 00465 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00466 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10013 00467 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05b 00468 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00469 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00470 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05d 00471 416 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00472 416 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00473 416 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05f 00474 416 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 52, ) == 0x0 00475 416 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00476 416 NtClose (52, ... ) == 0x0 00477 416 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00478 416 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00479 416 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00480 416 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00481 416 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 416 NtClose (52, ... ) == 0x0 00483 416 NtUserSystemParametersInfo (41, 500, 1243132, 0, ... ) == 0x1 00484 416 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00485 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03b 00486 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03d 00487 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03f 00488 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc041 00489 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc043 00490 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc045 00491 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc047 00492 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc049 00493 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04b 00494 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04d 00495 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04f 00496 416 NtUserGetClassInfo (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0xc051 00497 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc053 00498 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc055 00499 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc059 00500 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05b 00501 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05d 00502 416 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05f 00503 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00504 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00505 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00506 416 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00507 416 NtClose (52, ... ) == 0x0 00508 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00509 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00510 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00511 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00512 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00513 416 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00514 416 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 416 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00516 416 NtClose (52, ... ) == 0x0 00517 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00518 416 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00519 416 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00520 416 NtClose (52, ... ) == 0x0 00521 416 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00522 416 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00523 416 NtTestAlert (... ) == 0x0 00524 416 NtContinue (1244464, 1, ... 00525 416 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x403166,}, 4, ... ) == 0x0 00526 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242296, ... ) }, 1242296, ... ) == 0x0 00527 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00528 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 64, ... 68, ) == 0x0 00529 416 NtClose (64, ... ) == 0x0 00530 416 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 262144, ) == 0x0 00531 416 NtClose (68, ... ) == 0x0 00532 416 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 00533 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00534 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00535 416 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00536 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00537 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 68, {status=0x0, info=0}, ) }, 7, 16, ... 68, {status=0x0, info=0}, ) == 0x0 00538 416 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247]\353\346b\211\31\365L\365\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00539 416 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00540 416 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00541 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00542 416 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00543 416 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00544 416 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00545 416 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00546 416 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00547 416 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\341\36\204\16\\212\305L\31\324\361d\362\302x\322M]\354E=\10V\364\372\353\251^TA\353Z\301\215\36j\26#\215\321\321'\2516\257z'mC\247\233:\244}\361(w\345\237'\241,\332S\203 \206m\322\244\230\225;T\245\375a\3\257!", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\341\36\204\16\\212\305L\31\324\361d\362\302x\322M]\354E=\10V\364\372\353\251^TA\353Z\301\215\36j\26#\215\321\321'\2516\257z'mC\247\233:\244}\361(w\345\237'\241,\332S\203 \206m\322\244\230\225;T\245\375a\3\257!", 80, ... ) , 80, ... ) == 0x0 00548 416 NtClose (-2147482020, ... ) == 0x0 00538 416 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "0\371\374\223]\6\306\242\205c\316\374\21\26R\343Zf\31\205h\266\256\327\256Xc\213\257\32I\14\316\264/\302\257\342\375/\230\361\337\274\350o*\226\321\21\360J\324\34\270\224\317\340\325\376\370N3y=\334\32\2342\225m\272u{\31\22\227\0~\6\25\255\2175\354\11\1\234\213Ub>\303\16\312\335^\241\230\324/\225\177\360!\377}|\332\253N\306\317,\37\25\375|\212\345!%\211\237\2\3039\346\36x/\26\352trZc\254\16\275TK\262\311ez\200!;X\254<\25j\225\210}}^Aw\213\263!i\266\356s\243e\264y\210\220\321\263P\15m\335\341L\243\307\223\246\\310\307\346\353F4\251\256\376Qf\321S\366vX\211\305\2\321=CU\315\224\177\2755y\221\201R\317\215I\224o"\320\254h\366R\12\313\253\240\240\26hl\275m\266"\271\1\254\25\241n\224\260\10/\262\302@}", ) \320\254h\366R\12\313\253\240\240\26hl\275m\266 ... {status=0x0, info=256}, "0\371\374\223]\6\306\242\205c\316\374\21\26R\343Zf\31\205h\266\256\327\256Xc\213\257\32I\14\316\264/\302\257\342\375/\230\361\337\274\350o*\226\321\21\360J\324\34\270\224\317\340\325\376\370N3y=\334\32\2342\225m\272u{\31\22\227\0~\6\25\255\2175\354\11\1\234\213Ub>\303\16\312\335^\241\230\324/\225\177\360!\377}|\332\253N\306\317,\37\25\375|\212\345!%\211\237\2\3039\346\36x/\26\352trZc\254\16\275TK\262\311ez\200!;X\254<\25j\225\210}}^Aw\213\263!i\266\356s\243e\264y\210\220\321\263P\15m\335\341L\243\307\223\246\\310\307\346\353F4\251\256\376Qf\321S\366vX\211\305\2\321=CU\315\224\177\2755y\221\201R\317\215I\224o"\320\254h\366R\12\313\253\240\240\26hl\275m\266"\271\1\254\25\241n\224\260\10/\262\302@}", ) , ) == 0x0 00549 416 NtAllocateVirtualMemory (-1, 1335296, 0, 16384, 4096, 4, ... 1335296, 16384, ) == 0x0 00550 416 NtUserRegisterClassExWOW (1244380, 1244460, 1244444, 1244476, 0, 384, 0, ... ) == 0x810dc038 00551 416 NtUserGetAtomName (49208, 1243144, ... ) == 0x15 00552 416 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 00553 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240668, ... ) }, 1240668, ... ) == 0x0 00554 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00555 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 64, ... 72, ) == 0x0 00556 416 NtClose (64, ... ) == 0x0 00557 416 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 204800, ) == 0x0 00558 416 NtClose (72, ... ) == 0x0 00559 416 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 00560 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240984, ... ) }, 1240984, ... ) == 0x0 00561 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00562 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 72, ... 64, ) == 0x0 00563 416 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00564 416 NtClose (72, ... ) == 0x0 00565 416 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00566 416 NtClose (64, ... ) == 0x0 00567 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00568 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00569 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00570 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00571 416 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00572 416 NtClose (64, ... ) == 0x0 00573 416 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00574 416 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 72, ) }, ... 72, ) == 0x0 00575 416 NtQueryValueKey (72, (72, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00576 416 NtClose (72, ... ) == 0x0 00577 416 NtClose (64, ... ) == 0x0 00578 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00579 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00580 416 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00581 416 NtClose (64, ... ) == 0x0 00582 416 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00583 416 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0 00584 416 NtQueryValueKey (72, (72, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 416 NtClose (72, ... ) == 0x0 00586 416 NtClose (64, ... ) == 0x0 00587 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00588 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00589 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == 0x0 00590 416 NtUserGetProcessWindowStation (... ) == 0x28 00591 416 NtUserGetObjectInformation (40, 2, 0, 0, 1242780, ... ) == 0x0 00592 416 NtUserGetObjectInformation (40, 2, 1350040, 16, 1242780, ... ) == 0x1 00593 416 NtUserGetGUIThreadInfo (416, 1242736, ... ) == 0x1 00594 416 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1242556, 64, ... 64, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242556, 64, ... 64, 0x0, 0x0, 0x0, 64, ) == 0x0 00595 416 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 412, 416, 1498, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00596 416 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1499, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 412, 416, 1499, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1499, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00597 416 NtUserCallNoParam (29, ... 00598 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240028, ... ) }, 1240028, ... ) == 0x0 00597 416 NtUserCallNoParam ... ) == 0x0 00599 416 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 00600 416 NtGdiHfontCreate (1242108, 356, 0, 0, 1329232, ... ) == 0x160a0417 00601 416 NtGdiHfontCreate (1242108, 356, 0, 0, 1329224, ... ) == 0x90a040b 00602 416 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1500, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 412, 416, 1500, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1500, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00603 416 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8a0000), {0, 0}, 331776, ) == 0x0 00604 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00605 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00606 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00607 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00608 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00609 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00610 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00611 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00612 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00613 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00614 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00615 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00616 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00617 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00618 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00619 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00620 416 NtUserGetWindowDC (0, ... ) == 0x1010053 00621 416 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0xc1003ff 00622 416 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00623 416 NtUserCallNoParam (29, ... 00624 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239472, ... ) }, 1239472, ... ) == 0x0 00623 416 NtUserCallNoParam ... ) == 0x0 00625 416 NtUserCallNoParam (29, ... 00626 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00625 416 NtUserCallNoParam ... ) == 0x0 00627 416 NtUserMessageCall (0x200be, WM_NCCREATE, 0x0, 0x12f7b4, 0, 670, 0, ... ) == 0x1 00628 416 NtUserMessageCall (0x200be, WM_NCCALCSIZE, 0x0, 0x12f7dc, 0, 670, 0, ... ) == 0x0 00629 416 NtUserSetProp (131262, 43288, -1, ... ) == 0x1 00552 416 NtUserCreateWindowEx ... ) == 0x200be 00630 416 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247\315\0\24\335c%|_2\371\26\364v\370O\235\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00631 416 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00632 416 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00633 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00634 416 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00635 416 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00636 416 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00637 416 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00638 416 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00639 416 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\342\241\250\202?\327U\377\236\251\220zx\3\261A%I\2\346\257^Pe\364:\344\337\203\316\221Y\265#\200'\3eK\334\245\372\360\212*\332\227\366(]\204\356z\36\3567\304#\242]\255\370\275\3429h\35\203\330`V\347\253\302\321Vg\26jk", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\342\241\250\202?\327U\377\236\251\220zx\3\261A%I\2\346\257^Pe\364:\344\337\203\316\221Y\265#\200'\3eK\334\245\372\360\212*\332\227\366(]\204\356z\36\3567\304#\242]\255\370\275\3429h\35\203\330`V\347\253\302\321Vg\26jk", 80, ... ) , 80, ... ) == 0x0 00640 416 NtClose (-2147482020, ... ) == 0x0 00630 416 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "N{*\212l\355\323V\373PO#\0\374\266L\373\202=\354\177\361\314\350\246\366\355\376.s+\222A\33\335i+\373Ar]\344\361\362\210G:X\7\232\353{,\16\273\252\203I\2373\32\223\301\331, ) , ) == 0x0 00641 416 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247\315\0\24\335c%|\317\331\13\251\36Jq\Z\371\26\364v\370O\235\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00642 416 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00643 416 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00644 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00645 416 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00646 416 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00647 416 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00648 416 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00649 416 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00650 416 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\226\30\201\310\177)\250D:l\336\312\341.\374\3\31\325O\317\205\210S\377Y\205\270#\2717 <3\332\317\370\361\\224\350z\32\37\3144\354\344\1\306\\241?N3\332\14\255\203\210\275\333\262\257\32\355PJ\314\211L\225T\362\363\267c3\266\342\232", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\226\30\201\310\177)\250D:l\336\312\341.\374\3\31\325O\317\205\210S\377Y\205\270#\2717 <3\332\317\370\361\\224\350z\32\37\3144\354\344\1\306\\241?N3\332\14\255\203\210\275\333\262\257\32\355PJ\314\211L\225T\362\363\267c3\266\342\232", 80, ... ) , 80, ... ) == 0x0 00651 416 NtClose (-2147482020, ... ) == 0x0 00641 416 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\347\257\273NH\277\222\364\310\337\332\14\201\312y>8\314\271\203H 9\363\234\226\27\237i\13\367D\3058r\216\302\233\315\217\325\33\363\351\301l\307I\27\365x.P$\3\347\362a\27eX\253\3571S\324\252\27\322\344\17\<\314\322\33g'h\5?\200\265\262p\7Y\366vF\245\271&"|\306\336vz\332\24\250=\2348~\200\324\244\263\25\260n\210\\334\222\250k\230\323\272\220\14\215)\0\16\370@s\17\202\323\210\256l\203 u\326|\376\210\333O\5\244\273\1\262\4\216\227\370\237\310B\304t\2173\203~m\254<\211.%Jx\300306\336vz\332\24\250=\2348~\200\324\244\263\25\260n\210\\334\222\250k\230\323\272\220\14\215)\0\16\370@s\17\202\323\210\256l\203 u\326|\376\210\333O\5\244\273\1\262\4\216\227\370\237\310B\304t\2173\203~m\254<\211.%Jx\300315\3401R\354\341\323?\372\235Z\266\276\325,\350y\206o~=\25\320A\316\306\305\243\35\7\201\261\3617\266\374%I\15iA'\36\22M\336*B0\30\204\336\225Wb\357\225\13G\206[\374\11)EFC+\271\35-\236o\216\357\247", ) == 0x0 00652 416 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247\315\0\24\335c%|\317\331\13\251\36Jq\314\261\13\251\36Jq\Z\371\26\364v\370O\235\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00653 416 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00654 416 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00655 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00656 416 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00657 416 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00658 416 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00659 416 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00660 416 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00661 416 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "-\310Mh\263<\347\365\307\225'\236\363\3175rNe\264\236\30z&\325\216=\247\310\21\270S\376W]\260sT?\25\234\314\234\37\27\374\334.\311Ci\330S\365\2640\271\367\3641W7\247o\210tx\10X-\274'\211\256\377\7\217\255b\276", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "-\310Mh\263<\347\365\307\225'\236\363\3175rNe\264\236\30z&\325\216=\247\310\21\270S\376W]\260sT?\25\234\314\234\37\27\374\334.\311Ci\330S\365\2640\271\367\3641W7\247o\210tx\10X-\274'\211\256\377\7\217\255b\276", 80, ... ) , 80, ... ) == 0x0 00662 416 NtClose (-2147482020, ... ) == 0x0 00652 416 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\317\0k\355+~\204\262(|\251\214R&2\240\370\237\22\316\230,|\255\242\277\341\263>&\263\354\364\15\224\314u\306%\376\347\.\30&o\231\207\206\234\202\263ue\201\303u\253\35\307\263,\211\312*\1,s\222\364m\235F\211\274\274\17~\306l\345\253\363\25\316\7\363-Q\305\313{\\320\11\264\12\344fG\31d`\216\22\247\274\304\7\21\204\226M\331\320\271\306\227\2474\334\205*5\5NN\277I\274T\33\305\365\235\243\277\323L\300T\24N\256%@\335\17\236\274j\3508\202\207\344\177\26p\353\12\271\365"\307\316}/\247,\330\12\333\331\346x\240\312\0\274Jw\214xD\210}~&\37\215\232\241\342\204\267_\332\357`\371\1\254'\347\305\230p\272i\236\351\375\253\303\261\232\314\33:0\255a\331b\267\376\200\316\261\303\355p\324"\260.\347Jm\256\220\231Fc\13-ui\213R\12{G\314", ) \307\316}/\247,\330\12\333\331\346x\240\312\0\274Jw\214xD\210}~&\37\215\232\241\342\204\267_\332\357`\371\1\254'\347\305\230p\272i\236\351\375\253\303\261\232\314\33:0\255a\331b\267\376\200\316\261\303\355p\324 ... {status=0x0, info=256}, "\317\0k\355+~\204\262(|\251\214R&2\240\370\237\22\316\230,|\255\242\277\341\263>&\263\354\364\15\224\314u\306%\376\347\.\30&o\231\207\206\234\202\263ue\201\303u\253\35\307\263,\211\312*\1,s\222\364m\235F\211\274\274\17~\306l\345\253\363\25\316\7\363-Q\305\313{\\320\11\264\12\344fG\31d`\216\22\247\274\304\7\21\204\226M\331\320\271\306\227\2474\334\205*5\5NN\277I\274T\33\305\365\235\243\277\323L\300T\24N\256%@\335\17\236\274j\3508\202\207\344\177\26p\353\12\271\365"\307\316}/\247,\330\12\333\331\346x\240\312\0\274Jw\214xD\210}~&\37\215\232\241\342\204\267_\332\357`\371\1\254'\347\305\230p\272i\236\351\375\253\303\261\232\314\33:0\255a\331b\267\376\200\316\261\303\355p\324"\260.\347Jm\256\220\231Fc\13-ui\213R\12{G\314", ) , ) == 0x0 00663 416 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247\315\0\24\335c%|\317\331\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\Z\371\26\364v\370O\235\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00664 416 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00665 416 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00666 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00667 416 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00668 416 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00669 416 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00670 416 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00671 416 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00672 416 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\354\342\270r\375\232B\275v\35Aj]D\372Sk\1M\26\347\230N\3026\247)\31\253\241~\233-\237f5\221O\275b\237\26\316\15\16\211\200\377\267\230\223^\237{F\270\266\221\370\213*\327\222\24OUyN\300)\327\212", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\354\342\270r\375\232B\275v\35Aj]D\372Sk\1M\26\347\230N\3026\247)\31\253\241~\233-\237f5\221O\275b\237\26\316\15\16\211\200\377\267\230\223^\237{F\270\266\221\370\213*\327\222\24OUyN\300)\327\212", 80, ... ) UyN\300)\327\212", 80, ... ) == 0x0 00673 416 NtClose (-2147482020, ... ) == 0x0 00663 416 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\323\273\343\200\311\270\235\16Ya\305*\274\212\336C\231b\331\311\203\3`\371\365?\31h\223\243U"\304\261\351\255\314\363!0\320y=\227Gi\32]\271\371\325/]q\377\270\217\272\241\323\216\10\362X.\266\264M]\23E\5a\337\366:c/\217&\232'\220\5\311\360\21\274\0&\325\220\313\206\\240\376\23\376M>\274!V\307\25p]xl\227H\7{\331R>H\307+8\335\251\37t3\321F\20l\231B\277\267b\352o\244\0m]\234P\244\30\255t\7\373\260\215\226i3\276\203\255:\237\321\327\356s7L\3376\317\366m\326S\310\243\37\313[\316\323\215\3370\226\2767{Xv\222M34:\35\375\214\327\302[\35VS,\203a\237\351>\253"f\360\313\224,\247\317\^7\212\335\303\274\307R,\275A-3\263\207\12\326\5\330\366DA\3203@\363\17]\20 n\263%\366a`", ) \304\261\351\255\314\363!0\320y=\227Gi\32]\271\371\325/]q\377\270\217\272\241\323\216\10\362X.\266\264M]\23E\5a\337\366:c/\217&\232'\220\5\311\360\21\274\0&\325\220\313\206\\240\376\23\376M>\274!V\307\25p]xl\227H\7{\331R>H\307+8\335\251\37t3\321F\20l\231B\277\267b\352o\244\0m]\234P\244\30\255t\7\373\260\215\226i3\276\203\255:\237\321\327\356s7L\3376\317\366m\326S\310\243\37\313[\316\323\215\3370\226\2767{Xv\222M34:\35\375\214\327\302[\35VS,\203a\237\351>\253 ... {status=0x0, info=256}, "\323\273\343\200\311\270\235\16Ya\305*\274\212\336C\231b\331\311\203\3`\371\365?\31h\223\243U"\304\261\351\255\314\363!0\320y=\227Gi\32]\271\371\325/]q\377\270\217\272\241\323\216\10\362X.\266\264M]\23E\5a\337\366:c/\217&\232'\220\5\311\360\21\274\0&\325\220\313\206\\240\376\23\376M>\274!V\307\25p]xl\227H\7{\331R>H\307+8\335\251\37t3\321F\20l\231B\277\267b\352o\244\0m]\234P\244\30\255t\7\373\260\215\226i3\276\203\255:\237\321\327\356s7L\3376\317\366m\326S\310\243\37\313[\316\323\215\3370\226\2767{Xv\222M34:\35\375\214\327\302[\35VS,\203a\237\351>\253"f\360\313\224,\247\317\^7\212\335\303\274\307R,\275A-3\263\207\12\326\5\330\366DA\3203@\363\17]\20 n\263%\366a`", ) , ) == 0x0 00674 416 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247\315\0\24\335c%|\317\331\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\Z\371\26\364v\370O\235\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00675 416 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00676 416 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00677 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00678 416 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00679 416 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00680 416 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00681 416 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00682 416 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00683 416 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "/\234\252r\6\212\313\257\30oe\30\364\201\306W\36\321i 9\265\33\333\3127|\16!FR\221a\232+\205\\372\277\357*\265\360:\322T\33\233\234\213:\207_\3477\234\326\216\274\227\241/J0\267G\346\236/\30\336w\213R{t\316d|\352", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "/\234\252r\6\212\313\257\30oe\30\364\201\306W\36\321i 9\265\33\333\3127|\16!FR\221a\232+\205\\372\277\357*\265\360:\322T\33\233\234\213:\207_\3477\234\326\216\274\227\241/J0\267G\346\236/\30\336w\213R{t\316d|\352", 80, ... ) , 80, ... ) == 0x0 00684 416 NtClose (-2147482020, ... ) == 0x0 00674 416 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "<'H\2FQ\301\7(\341 ~o"C\3301Tv\330$W\26\241\2530\341U2\236\207 \323\226\22\302\204\315\237\23\267P\305AKbM6#\276\327\3210>'}\333\227uSC\23)D\315\214\257\212\214?\362B|6g\243\2209U\13\336\337\242|P\360a\26\360\213I\366\333\247\254\3N\236\216\37Of\304\34\240{\240\33\275\266\377\34\270P\312G\325\237z{\313q\347\3714:\332q*DR\307\32;v\353\316\253\331\226T6<\226\350\312)\316\32\200\221,\21"3\27\207\261z\317\316E\255\342\1{q\327\247Gb\27YUH\334s\253\10\310\304\245kV\3213\5\347\362\27\234$\276\26A\267\13\322\277\341\0|\20\203\314\251\260\306Oj\10v\336#.k\244\362\177\222\211\251<\2148\23{\360\360\360\307\214&\5\301\261,\5f\236\214\303\230\325\240\7\305\36|\226\275\350\344\376@", ) C\3301Tv\330$W\26\241\2530\341U2\236\207 \323\226\22\302\204\315\237\23\267P\305AKbM6#\276\327\3210>'}\333\227uSC\23)D\315\214\257\212\214?\362B|6g\243\2209U\13\336\337\242|P\360a\26\360\213I\366\333\247\254\3N\236\216\37Of\304\34\240{\240\33\275\266\377\34\270P\312G\325\237z{\313q\347\3714:\332q*DR\307\32;v\353\316\253\331\226T6<\226\350\312)\316\32\200\221,\21 ... {status=0x0, info=256}, "<'H\2FQ\301\7(\341 ~o"C\3301Tv\330$W\26\241\2530\341U2\236\207 \323\226\22\302\204\315\237\23\267P\305AKbM6#\276\327\3210>'}\333\227uSC\23)D\315\214\257\212\214?\362B|6g\243\2209U\13\336\337\242|P\360a\26\360\213I\366\333\247\254\3N\236\216\37Of\304\34\240{\240\33\275\266\377\34\270P\312G\325\237z{\313q\347\3714:\332q*DR\307\32;v\353\316\253\331\226T6<\226\350\312)\316\32\200\221,\21"3\27\207\261z\317\316E\255\342\1{q\327\247Gb\27YUH\334s\253\10\310\304\245kV\3213\5\347\362\27\234$\276\26A\267\13\322\277\341\0|\20\203\314\251\260\306Oj\10v\336#.k\244\362\177\222\211\251<\2148\23{\360\360\360\307\214&\5\301\261,\5f\236\214\303\230\325\240\7\305\36|\226\275\350\344\376@", ) , ) == 0x0 00685 416 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247\315\0\24\335c%|\317\331\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\Z\371\26\364v\370O\235\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00686 416 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00687 416 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00688 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00689 416 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00690 416 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00691 416 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00692 416 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00693 416 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00694 416 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\31\255z\352yW\254\214\210q\214J\265\241\212Er\265\2743\221}N#\23\14>\306\213\240\226\237ny\344kL\324\267\244\326W\346\225\3\305\302oW\17\374\247\34x\25\256Pt\356`\2\327\225\261\36G|\340\14\326|n\305\274\273{\352\320\311", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\31\255z\352yW\254\214\210q\214J\265\241\212Er\265\2743\221}N#\23\14>\306\213\240\226\237ny\344kL\324\267\244\326W\346\225\3\305\302oW\17\374\247\34x\25\256Pt\356`\2\327\225\261\36G|\340\14\326|n\305\274\273{\352\320\311", 80, ... ) , 80, ... ) == 0x0 00695 416 NtClose (-2147482020, ... ) == 0x0 00685 416 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\372\375\225s\35C\251u\204;\33\366pu\23N\205\374g\371\300\245c\347\212\237,\236x@2:\234c$\6\365\255\3\216E\366\315\330* \3010\210\31\251\334\352\200N"H\305\237\0UWS\216!\35R\346\13\118@\262\326\366w\25C\366\271\267,Ho\320\216\263\223u\365\240q_\314O\335n\375u\326\363\3370\326\271"\342k\223\276C\340\17\25\257\347W\342\227\24\256\320\37\27\264\3362v\317\354\11\351h\317{\221\215\213!F\372-&\354(\377\311\377fU\257\346h\316\10^4\310\214HRR\266?`#\25f\225\344\265\275Z3\\323\I(\223G..\16\6KB\243\23\233\223B$s\253\22\260\32\347\15\375\310\365\21\36\24.7\210JV\322\355\1"\\342uC&YY\302\375\31\332\332\26\310\26\300\323a\310\236\371\266\347\201\277\301Z\227Xu\272Nx#Y\2153j5\341", ) H\305\237\0UWS\216!\35R\346\13\118@\262\326\366w\25C\366\271\267,Ho\320\216\263\223u\365\240q_\314O\335n\375u\326\363\3370\326\271 ... {status=0x0, info=256}, "\372\375\225s\35C\251u\204;\33\366pu\23N\205\374g\371\300\245c\347\212\237,\236x@2:\234c$\6\365\255\3\216E\366\315\330* \3010\210\31\251\334\352\200N"H\305\237\0UWS\216!\35R\346\13\118@\262\326\366w\25C\366\271\267,Ho\320\216\263\223u\365\240q_\314O\335n\375u\326\363\3370\326\271"\342k\223\276C\340\17\25\257\347W\342\227\24\256\320\37\27\264\3362v\317\354\11\351h\317{\221\215\213!F\372-&\354(\377\311\377fU\257\346h\316\10^4\310\214HRR\266?`#\25f\225\344\265\275Z3\\323\I(\223G..\16\6KB\243\23\233\223B$s\253\22\260\32\347\15\375\310\365\21\36\24.7\210JV\322\355\1"\\342uC&YY\302\375\31\332\332\26\310\26\300\323a\310\236\371\266\347\201\277\301Z\227Xu\272Nx#Y\2153j5\341", ) \\342uC&YY\302\375\31\332\332\26\310\26\300\323a\310\236\371\266\347\201\277\301Z\227Xu\272Nx#Y\2153j5\341", ) == 0x0 00696 416 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247\315\0\24\335c%|\317\331\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\314\261\13\251\36Jq\Z\371\26\364v\370O\235\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00697 416 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00698 416 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00699 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00700 416 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00701 416 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00702 416 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00703 416 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00704 416 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00705 416 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "N\262\372\234\210\6\267\334\310\37405_;\375>S\12\4\255\302\315\307\200\344\311\361\324\265\325D=a\177N7\351\361m~\200\13\354\201\203\355\271C\31\11\255\310\327\26\36\320\374\24c\321\363\241*K\277\357\177\324'b\141\226\252\333o\273 p ", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "N\262\372\234\210\6\267\334\310\37405_;\375>S\12\4\255\302\315\307\200\344\311\361\324\265\325D=a\177N7\351\361m~\200\13\354\201\203\355\271C\31\11\255\310\327\26\36\320\374\24c\321\363\241*K\277\357\177\324'b\141\226\252\333o\273 p ", 80, ... ) , 80, ... ) == 0x0 00706 416 NtClose (-2147482020, ... ) == 0x0 00696 416 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\1777\203\21\235py\332\234:UX\353\311\377M\207\257\313\200\354HT?\245\326v\374\356!18\324\237\200(\244\24\312.Yn\262}\357*f\316\345\205X\27v\276\217\2358&i\333\372`0{QcM.u\253\346\314C\225\271\270\360\24\205\220\337!\340\11\35\267wz\33\261\35\177\32\377\272\12\356\2\321r\322s+\20\345\340(a\315\23TL\26\6=\210\325de<\274"\276c\350u@#\344[gTwX7\20\25\365\377h\210O\16\355\361*\212\216\265D\300\304l\366\332\343\236\277\204]\304\210\252b\20\367\276\21\2049O\260\373(\33\312+\37\310\310E\276y\312rK\23"\231e\5Z\272\346\324\23\361\212\201\253\333\251\256\16h\310\12\343\242o'\176\337 \370]D\301M\310\340D\317L*'\263\10\372\222\330B(\20\254\24n\327\235\241,=\233W\345h\15\2332\243\273\3371\246\322", ) \276c\350u@#\344[gTwX7\20\25\365\377h\210O\16\355\361*\212\216\265D\300\304l\366\332\343\236\277\204]\304\210\252b\20\367\276\21\2049O\260\373(\33\312+\37\310\310E\276y\312rK\23 ... {status=0x0, info=256}, "\1777\203\21\235py\332\234:UX\353\311\377M\207\257\313\200\354HT?\245\326v\374\356!18\324\237\200(\244\24\312.Yn\262}\357*f\316\345\205X\27v\276\217\2358&i\333\372`0{QcM.u\253\346\314C\225\271\270\360\24\205\220\337!\340\11\35\267wz\33\261\35\177\32\377\272\12\356\2\321r\322s+\20\345\340(a\315\23TL\26\6=\210\325de<\274"\276c\350u@#\344[gTwX7\20\25\365\377h\210O\16\355\361*\212\216\265D\300\304l\366\332\343\236\277\204]\304\210\252b\20\367\276\21\2049O\260\373(\33\312+\37\310\310E\276y\312rK\23"\231e\5Z\272\346\324\23\361\212\201\253\333\251\256\16h\310\12\343\242o'\176\337 \370]D\301M\310\340D\317L*'\263\10\372\222\330B(\20\254\24n\327\235\241,=\233W\345h\15\2332\243\273\3371\246\322", ) , ) == 0x0 00707 416 NtUserRegisterWindowMessage ( ("ObjectLink", ... ) , ... ) == 0xc002 00708 416 NtAddAtom ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0I\0n\0t\0e\0r\0f\0a\0c\0e\0", 44, 1244632, ... ) , 44, 1244632, ... ) == 0x0 00709 416 NtAddAtom ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0M\0a\0r\0s\0h\0a\0l\0H\0w\0n\0d\0", 48, 1244632, ... ) , 48, 1244632, ... ) == 0x0 00710 416 NtUserRegisterWindowMessage ( ("OM_POST_WM_COMMAND", ... ) , ... ) == 0xc08e 00711 416 NtUserRegisterWindowMessage ( ("OLE_MESSAHE", ... ) , ... ) == 0xc08f 00712 416 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1350648, 0, (0x1f0003, {24, 52, 0x80, 1350648, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 76, ) }, 0, 2147483647, ... 76, ) == STATUS_OBJECT_NAME_EXISTS 00713 416 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00714 416 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00715 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00716 416 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00717 416 NtQueryValueKey (80, (80, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00718 416 NtClose (80, ... ) == 0x0 00719 416 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00720 416 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00721 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00722 416 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00723 416 NtQueryValueKey (80, (80, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00724 416 NtClose (80, ... ) == 0x0 00725 416 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00726 416 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00727 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00728 416 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00729 416 NtQueryValueKey (80, (80, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 416 NtClose (80, ... ) == 0x0 00731 416 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00732 416 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00733 416 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00734 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00735 416 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00736 416 NtQueryValueKey (80, (80, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00737 416 NtClose (80, ... ) == 0x0 00738 416 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00739 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00740 416 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00741 416 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00742 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00743 416 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00744 416 NtQueryValueKey (80, (80, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00745 416 NtClose (80, ... ) == 0x0 00746 416 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00747 416 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00748 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00749 416 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00750 416 NtQueryValueKey (80, (80, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00751 416 NtClose (80, ... ) == 0x0 00752 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00753 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00754 416 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00755 416 NtClose (80, ... ) == 0x0 00756 416 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 80, ) }, ... 80, ) == 0x0 00757 416 NtSetInformationObject (82, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00758 416 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00759 416 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 84, ) }, ... 84, ) == 0x0 00761 416 NtQueryKey (86, Name, 392, ... {Name= (86, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 00762 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00763 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 88, ) == 0x0 00764 416 NtQueryInformationToken (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00765 416 NtClose (88, ... ) == 0x0 00766 416 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00767 416 NtQueryValueKey (86, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (86, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00768 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1238300, ... ) }, 1238300, ... ) == 0x0 00769 416 NtClose (86, ... ) == 0x0 00770 416 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00771 416 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 84, {status=0x0, info=1}, ) }, 3, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00772 416 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 88, ) }, ... 88, ) == 0x0 00773 416 NtQuerySymbolicLinkObject (88, ... (88, ... "\Device\WinDfs\U:00000000000091fc", 66, ) , 66, ) == 0x0 00774 416 NtClose (88, ... ) == 0x0 00775 416 NtQueryVolumeInformationFile (84, 1241652, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00776 416 NtClose (84, ... ) == 0x0 00777 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 84, ) }, ... 84, ) == 0x0 00778 416 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00779 416 NtClose (84, ... ) == 0x0 00780 416 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 84, ) == 0x0 00781 416 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0 00782 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 92, ) }, ... 92, ) == 0x0 00783 416 NtNotifyChangeKey (92, 88, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00784 416 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00785 416 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0 00786 416 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 100, ) == 0x0 00787 416 NtWaitForSingleObject (88, 0, {0, 0}, ... ) == 0x102 00788 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 104, ) }, ... 104, ) == 0x0 00789 416 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 108, ) }, ... 108, ) == 0x0 00790 416 NtQueryValueKey (108, (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 00791 416 NtQueryValueKey (108, (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 00792 416 NtClose (108, ... ) == 0x0 00793 416 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00794 416 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00795 416 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00796 416 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00797 416 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00798 416 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00799 416 NtClose (108, ... ) == 0x0 00800 416 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00801 416 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 00802 416 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 00803 416 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 416 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 00805 416 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 00806 416 NtClose (108, ... ) == 0x0 00807 416 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00808 416 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00809 416 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00810 416 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00811 416 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00812 416 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00813 416 NtClose (108, ... ) == 0x0 00814 416 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00815 416 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00816 416 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00817 416 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00818 416 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 00819 416 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 00820 416 NtClose (108, ... ) == 0x0 00821 416 NtClose (104, ... ) == 0x0 00822 416 NtQueryDefaultLocale (1, 1241204, ... ) == 0x0 00823 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00824 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00825 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 104, ... 108, ) == 0x0 00826 416 NtClose (104, ... ) == 0x0 00827 416 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 12288, ) == 0x0 00828 416 NtClose (108, ... ) == 0x0 00829 416 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00830 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00831 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00832 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00833 416 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00834 416 NtClose (108, ... ) == 0x0 00835 416 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0 00836 416 NtClose (104, ... ) == 0x0 00837 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 104, ) }, ... 104, ) == 0x0 00838 416 NtQueryValueKey (104, (104, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00839 416 NtClose (104, ... ) == 0x0 00840 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00841 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00842 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 104, ... 108, ) == 0x0 00843 416 NtClose (104, ... ) == 0x0 00844 416 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 40960, ) == 0x0 00845 416 NtClose (108, ... ) == 0x0 00846 416 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00847 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00848 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00849 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00850 416 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00851 416 NtClose (108, ... ) == 0x0 00852 416 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0 00853 416 NtClose (104, ... ) == 0x0 00854 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00855 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1238720, ... ) }, 1238720, ... ) == 0x0 00856 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00857 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00858 416 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00859 416 NtClose (104, ... ) == 0x0 00860 416 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0 00861 416 NtClose (108, ... ) == 0x0 00862 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00863 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1238720, ... ) }, 1238720, ... ) == 0x0 00864 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00865 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00866 416 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00867 416 NtClose (108, ... ) == 0x0 00868 416 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0 00869 416 NtClose (104, ... ) == 0x0 00870 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00871 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1237916, ... ) }, 1237916, ... ) == 0x0 00872 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00873 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00874 416 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00875 416 NtClose (104, ... ) == 0x0 00876 416 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00877 416 NtClose (108, ... ) == 0x0 00878 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00879 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1237916, ... ) }, 1237916, ... ) == 0x0 00880 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00881 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00882 416 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00883 416 NtClose (108, ... ) == 0x0 00884 416 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0 00885 416 NtClose (104, ... ) == 0x0 00886 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00887 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1237916, ... ) }, 1237916, ... ) == 0x0 00888 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00889 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00890 416 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00891 416 NtClose (104, ... ) == 0x0 00892 416 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 00893 416 NtClose (108, ... ) == 0x0 00894 416 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00895 416 NtOpenKey (0x80000000, {24, 0, 0xc0, 0, 0, (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 108, ) }, ... 108, ) == 0x0 00896 416 NtQueryValueKey (108, (108, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 416 NtOpenProcessToken (-1, 0x8, ... 104, ) == 0x0 00898 416 NtQueryInformationToken (104, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00899 416 NtClose (104, ... ) == 0x0 00900 416 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00901 416 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 104, ) == 0x0 00902 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00903 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00904 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0 00905 416 NtClose (112, ... ) == 0x0 00906 416 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 24576, ) == 0x0 00907 416 NtClose (116, ... ) == 0x0 00908 416 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00909 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00910 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00911 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0 00912 416 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00913 416 NtClose (116, ... ) == 0x0 00914 416 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0 00915 416 NtClose (112, ... ) == 0x0 00916 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 112, ) }, ... 112, ) == 0x0 00917 416 NtQueryValueKey (112, (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00918 416 NtClose (112, ... ) == 0x0 00919 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00920 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00921 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00922 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00923 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == 0x0 00924 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00925 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0 00926 416 NtClose (112, ... ) == 0x0 00927 416 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 122880, ) == 0x0 00928 416 NtClose (116, ... ) == 0x0 00929 416 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00930 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00931 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00932 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00933 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00934 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == 0x0 00935 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00936 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0 00937 416 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00938 416 NtClose (116, ... ) == 0x0 00939 416 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0 00940 416 NtClose (112, ... ) == 0x0 00941 416 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00942 416 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00943 416 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00944 416 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00945 416 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00946 416 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00947 416 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00948 416 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00949 416 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00950 416 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00951 416 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00952 416 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00953 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00954 416 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8912896, 65536, ) == 0x0 00955 416 NtAllocateVirtualMemory (-1, 8912896, 0, 4096, 4096, 4, ... 8912896, 4096, ) == 0x0 00956 416 NtAllocateVirtualMemory (-1, 8916992, 0, 8192, 4096, 4, ... 8916992, 8192, ) == 0x0 00957 416 NtAllocateVirtualMemory (-1, 8925184, 0, 4096, 4096, 4, ... 8925184, 4096, ) == 0x0 00958 416 NtQueryPerformanceCounter (... {100537177, 0}, {3579545, 0}, ) == 0x0 00959 416 NtRaiseException (1239016, 1238276, 1, ... 00960 416 NtContinue (1237072, 0, ... 00961 416 NtOpenMutant (0x120001, {24, 52, 0x2, 0, 0, (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 112, ) }, ... 112, ) == 0x0 00962 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00963 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 00965 416 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00966 416 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 00967 416 NtRaiseException (1228992, 1228252, 1, ... 00968 416 NtContinue (1227048, 0, ... 00969 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00970 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 00972 416 NtRaiseException (1230752, 1230012, 1, ... 00973 416 NtContinue (1228808, 0, ... 00974 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00975 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 00977 416 NtRaiseException (1230756, 1230016, 1, ... 00978 416 NtContinue (1228812, 0, ... 00979 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00980 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00981 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 00982 416 NtRaiseException (1230752, 1230012, 1, ... 00983 416 NtContinue (1228808, 0, ... 00984 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00985 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00986 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 00987 416 NtRaiseException (1230756, 1230016, 1, ... 00988 416 NtContinue (1228812, 0, ... 00989 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00990 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 00992 416 NtRaiseException (1230752, 1230012, 1, ... 00993 416 NtContinue (1228808, 0, ... 00994 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00995 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00996 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 00997 416 NtRaiseException (1230756, 1230016, 1, ... 00998 416 NtContinue (1228812, 0, ... 00999 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01000 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01001 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01002 416 NtRaiseException (1230752, 1230012, 1, ... 01003 416 NtContinue (1228808, 0, ... 01004 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01005 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01006 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01007 416 NtRaiseException (1230756, 1230016, 1, ... 01008 416 NtContinue (1228812, 0, ... 01009 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01010 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01011 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01012 416 NtRaiseException (1230752, 1230012, 1, ... 01013 416 NtContinue (1228808, 0, ... 01014 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01015 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01016 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01017 416 NtRaiseException (1230756, 1230016, 1, ... 01018 416 NtContinue (1228812, 0, ... 01019 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01020 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01021 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01022 416 NtRaiseException (1230752, 1230012, 1, ... 01023 416 NtContinue (1228808, 0, ... 01024 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01025 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01026 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01027 416 NtRaiseException (1230756, 1230016, 1, ... 01028 416 NtContinue (1228812, 0, ... 01029 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01030 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01031 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01032 416 NtRaiseException (1230752, 1230012, 1, ... 01033 416 NtContinue (1228808, 0, ... 01034 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01035 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01036 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01037 416 NtRaiseException (1230756, 1230016, 1, ... 01038 416 NtContinue (1228812, 0, ... 01039 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01040 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01041 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01042 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239184, ... ) }, 1239184, ... ) == 0x0 01043 416 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 116, ) == 0x0 01044 416 NtQueryInformationProcess (116, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01045 416 NtClose (116, ... ) == 0x0 01046 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239184, ... ) }, 1239184, ... ) == 0x0 01047 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01048 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01049 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0 01050 416 NtQueryValueKey (116, (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01051 416 NtClose (116, ... ) == 0x0 01052 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01053 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 01054 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 01055 416 NtQuerySystemTime (... {-1048871164, 29889258}, ) == 0x0 01056 416 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0 01057 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01058 416 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01059 416 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01060 416 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01061 416 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0 01062 416 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0 01063 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0 01064 416 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0 01065 416 NtQueryValueKey (140, (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01066 416 NtClose (140, ... ) == 0x0 01067 416 NtClose (136, ... ) == 0x0 01068 416 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 136, ) == 0x0 01069 416 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 140, ) == 0x0 01070 416 NtDuplicateObject (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0 01071 416 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01072 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01073 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 01074 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01075 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01076 416 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238232, (0xc0100080, {24, 0, 0x40, 0, 1238232, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01077 416 NtSetInformationFile (152, 1238288, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01078 416 NtSetInformationFile (152, 1238280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01079 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01080 416 NtWriteFile (152, 129, 0, 0, (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01081 416 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01082 416 NtReadFile (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 01083 416 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01084 416 NtClose (148, ... ) == 0x0 01085 416 NtClose (152, ... ) == 0x0 01086 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01087 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01088 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01089 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01090 416 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238232, (0xc0100080, {24, 0, 0x40, 0, 1238232, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 01091 416 NtSetInformationFile (148, 1238288, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01092 416 NtSetInformationFile (148, 1238280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01093 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01094 416 NtWriteFile (148, 129, 0, 0, (148, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01095 416 NtReadFile (148, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (148, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 01096 416 NtFsControlFile (148, 129, 0x0, 0x0, 0x11c017, (148, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (148, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01097 416 NtClose (152, ... ) == 0x0 01098 416 NtClose (148, ... ) == 0x0 01099 416 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 148, ) }, ... 148, ) == 0x0 01100 416 NtQueryKey (148, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0 01101 416 NtQuerySecurityObject (148, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01102 416 NtQuerySecurityObject (148, 15, 0, ... ) == STATUS_ACCESS_DENIED 01103 416 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 9437184, 524288, ) == 0x0 01104 416 NtAllocateVirtualMemory (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0 01105 416 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 01106 416 NtClose (148, ... ) == 0x0 01107 416 NtCreateFile (0x100000, {24, 0, 0x40, 0, 0, (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 01108 416 NtFsControlFile (148, 0, 0x0, 0x0, 0x600bc, (148, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x0, info=1024}, (148, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01109 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01110 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01111 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01112 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01113 416 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239672, (0xc0100080, {24, 0, 0x40, 0, 1239672, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0 01114 416 NtSetInformationFile (156, 1239728, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01115 416 NtSetInformationFile (156, 1239720, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01116 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01117 416 NtWriteFile (156, 129, 0, 0, (156, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01118 416 NtReadFile (156, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (156, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 01119 416 NtFsControlFile (156, 129, 0x0, 0x0, 0x11c017, (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\340\360\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68}, (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\340\360\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01120 416 NtClose (152, ... ) == 0x0 01121 416 NtClose (156, ... ) == 0x0 01122 416 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01123 416 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01124 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239184, ... ) }, 1239184, ... ) == 0x0 01125 416 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 156, ) }, ... 156, ) == 0x0 01126 416 NtWaitForSingleObject (156, 0, {-1800000000, -1}, ... ) == 0x0 01127 416 NtClose (156, ... ) == 0x0 01128 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01129 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0 01130 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01131 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01132 416 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239708, (0xc0100080, {24, 0, 0x40, 0, 1239708, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01133 416 NtSetInformationFile (152, 1239764, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01134 416 NtSetInformationFile (152, 1239756, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01135 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01136 416 NtWriteFile (152, 129, 0, 0, (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01137 416 NtReadFile (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\214 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01138 416 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\214 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\214 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01139 416 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0rd\230\374\335~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0rd\230\374\335~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0rd\230\374\335~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0rd\230\374\335~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01140 416 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0sd\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0sd\230\374\335~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0sd\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0sd\230\374\335~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01141 416 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0rd\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0rd\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01142 416 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0sd\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0sd\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01143 416 NtClose (156, ... ) == 0x0 01144 416 NtClose (152, ... ) == 0x0 01145 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01146 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01147 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01148 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01149 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == 0x0 01150 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 152, ) }, ... 152, ) == 0x0 01151 416 NtQueryValueKey (152, (152, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0 01152 416 NtClose (152, ... ) == 0x0 01153 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 152, ) }, ... 152, ) == 0x0 01154 416 NtQueryValueKey (152, (152, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0 01155 416 NtClose (152, ... ) == 0x0 01156 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 152, ) }, ... 152, ) == 0x0 01157 416 NtQueryValueKey (152, (152, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01158 416 NtClose (152, ... ) == 0x0 01159 416 NtRaiseException (1229676, 1228936, 1, ... 01160 416 NtContinue (1227732, 0, ... 01161 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01162 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01163 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01164 416 NtRaiseException (1229672, 1228932, 1, ... 01165 416 NtContinue (1227728, 0, ... 01166 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01167 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01169 416 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1240340, 0, (0x1f0001, {24, 52, 0x80, 1240340, 0, "HGFSMUTEX"}, 1, ... 152, ) }, 1, ... 152, ) == 0x0 01170 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 416 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == 0x0 01174 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0 01175 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 156, ... 160, ) == 0x0 01176 416 NtQuerySection (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01177 416 NtClose (156, ... ) == 0x0 01178 416 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0 01179 416 NtClose (160, ... ) == 0x0 01180 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01181 416 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1350648, 0, (0x1f0003, {24, 52, 0x80, 1350648, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 160, ) }, 0, 2147483647, ... 160, ) == STATUS_OBJECT_NAME_EXISTS 01182 416 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 01183 416 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 01184 416 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0 01185 416 NtQueryValueKey (156, (156, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0 01186 416 NtClose (156, ... ) == 0x0 01187 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1237892, ... ) }, 1237892, ... ) == 0x0 01188 416 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0 01189 416 NtSetValueKey (156, (156, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1, (156, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0 01190 416 NtClose (156, ... ) == 0x0 01191 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 156, {status=0x0, info=1}, ) }, 3, 16417, ... 156, {status=0x0, info=1}, ) == 0x0 01192 416 NtQueryDirectoryFile (156, 0, 0, 0, 1238032, 616, BothDirectory, 1, (156, 0, 0, 0, 1238032, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01193 416 NtUnmapViewOfSection (-1, 0x76780000, ... ) == 0x0 01194 416 NtRaiseException (1229312, 1228572, 1, ... 01195 416 NtContinue (1227368, 0, ... 01196 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01197 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01198 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01199 416 NtCreateFile (0xc0100080, {24, 0, 0x40, 1240340, 1239916, (0xc0100080, {24, 0, 0x40, 1240340, 1239916, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0 01200 416 NtRaiseException (1229312, 1228572, 1, ... 01201 416 NtContinue (1227368, 0, ... 01202 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01203 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01205 416 NtCreateSection (0xf0007, {24, 52, 0x80, 1240340, 0, (0xf0007, {24, 52, 0x80, 1240340, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 164, ... 168, ) }, {27876, 0}, 4, 134217728, 164, ... 168, ) == 0x0 01206 416 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x980000), {0, 0}, 28672, ) == 0x0 01207 416 NtReleaseMutant (152, ... 0x0, ) == 0x0 01208 416 NtRaiseException (1230728, 1229988, 1, ... 01209 416 NtContinue (1228784, 0, ... 01210 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01211 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01212 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01213 416 NtCreateFile (0xc0100080, {24, 0, 0x40, 1241384, 1240972, (0xc0100080, {24, 0, 0x40, 1241384, 1240972, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 172, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 172, {status=0x0, info=0}, ) == 0x0 01214 416 NtDeviceIoControlFile (172, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, (172, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0 01215 416 NtClose (172, ... ) == 0x0 01216 416 NtRaiseException (1230708, 1229968, 1, ... 01217 416 NtContinue (1228764, 0, ... 01218 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01219 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01220 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01221 416 NtRaiseException (1230728, 1229988, 1, ... 01222 416 NtContinue (1228784, 0, ... 01223 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01224 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01225 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01226 416 NtAllocateVirtualMemory (-1, 1368064, 0, 20480, 4096, 4, ... 1368064, 20480, ) == 0x0 01227 416 NtAllocateVirtualMemory (-1, 1388544, 0, 20480, 4096, 4, ... 1388544, 20480, ) == 0x0 01228 416 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01229 416 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01230 416 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 172, ) }, ... 172, ) == 0x0 01231 416 NtWaitForSingleObject (172, 0, {-1800000000, -1}, ... ) == 0x0 01232 416 NtClose (172, ... ) == 0x0 01233 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01234 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0 01235 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01236 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01237 416 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239648, (0xc0100080, {24, 0, 0x40, 0, 1239648, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01238 416 NtSetInformationFile (176, 1239704, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01239 416 NtSetInformationFile (176, 1239696, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01240 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01241 416 NtWriteFile (176, 129, 0, 0, (176, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01242 416 NtReadFile (176, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (176, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\215 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01243 416 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\215 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\215 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01244 416 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0td\230\374\335~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0td\230\374\335~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0td\230\374\335~\334\21\261\310\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0td\230\374\335~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01245 416 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0ud\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0ud\230\374\335~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0ud\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0ud\230\374\335~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01246 416 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0td\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0td\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01247 416 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0ud\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0ud\230\374\335~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01248 416 NtClose (172, ... ) == 0x0 01249 416 NtClose (176, ... ) == 0x0 01250 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01251 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0 01252 416 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01253 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01254 416 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239740, (0xc0100080, {24, 0, 0x40, 0, 1239740, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0 01255 416 NtSetInformationFile (172, 1239796, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01256 416 NtSetInformationFile (172, 1239788, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01257 416 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01258 416 NtWriteFile (172, 129, 0, 0, (172, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01259 416 NtReadFile (172, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (172, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\342&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01260 416 NtFsControlFile (172, 129, 0x0, 0x0, 0x11c017, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\342&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76}, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\342&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01261 416 NtClose (176, ... ) == 0x0 01262 416 NtClose (172, ... ) == 0x0 01263 416 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0 01264 416 NtSetValueKey (172, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 01265 416 NtClose (172, ... ) == 0x0 01266 416 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 172, ) }, ... 172, ) == 0x0 01267 416 NtQueryValueKey (172, (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01268 416 NtClose (172, ... ) == 0x0 01269 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01270 416 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01271 416 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01272 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01273 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01274 416 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01275 416 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01276 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01277 416 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0 01278 416 NtSetValueKey (172, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 01279 416 NtClose (172, ... ) == 0x0 01280 416 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 172, ) }, ... 172, ) == 0x0 01281 416 NtQueryValueKey (172, (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01282 416 NtClose (172, ... ) == 0x0 01283 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01284 416 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01285 416 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01286 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01287 416 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01288 416 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01289 416 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01290 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 416 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01292 416 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01293 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01294 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01295 416 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01296 416 NtClose (172, ... ) == 0x0 01297 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 172, ) }, ... 172, ) == 0x0 01298 416 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "Network"}, ... 176, ) }, ... 176, ) == 0x0 01299 416 NtClose (172, ... ) == 0x0 01300 416 NtQueryKey (176, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (176, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0 01301 416 NtQuerySecurityObject (176, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01302 416 NtQuerySecurityObject (176, 15, 0, ... ) == STATUS_ACCESS_DENIED 01303 416 NtWaitForSingleObject (88, 0, {0, 0}, ... ) == 0x102 01304 416 NtEnumerateKey (176, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (176, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0 01305 416 NtOpenKey (0x2001f, {24, 176, 0x40, 0, 0, (0x2001f, {24, 176, 0x40, 0, 0, "f"}, ... 172, ) }, ... 172, ) == 0x0 01306 416 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01307 416 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01308 416 NtQueryValueKey (172, (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01309 416 NtQueryValueKey (172, (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 01310 416 NtQueryValueKey (172, (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01311 416 NtQueryValueKey (172, (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01312 416 NtQueryValueKey (172, (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01313 416 NtClose (172, ... ) == 0x0 01314 416 NtEnumerateKey (176, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (176, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0 01315 416 NtOpenKey (0x2001f, {24, 176, 0x40, 0, 0, (0x2001f, {24, 176, 0x40, 0, 0, "u"}, ... 172, ) }, ... 172, ) == 0x0 01316 416 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01317 416 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01318 416 NtQueryValueKey (172, (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01319 416 NtQueryValueKey (172, (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 01320 416 NtQueryValueKey (172, (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01321 416 NtQueryValueKey (172, (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01322 416 NtQueryValueKey (172, (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01323 416 NtClose (172, ... ) == 0x0 01324 416 NtClose (176, ... ) == 0x0 01325 416 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01326 416 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01327 416 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01328 416 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01329 416 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01330 416 NtOpenKey (0x2000000, {24, 82, 0x40, 0, 0, (0x2000000, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01331 416 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 176, ) }, ... 176, ) == 0x0 01332 416 NtQueryKey (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 01333 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01334 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01335 416 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01336 416 NtClose (172, ... ) == 0x0 01337 416 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01338 416 NtEnumerateKey (178, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (178, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 01339 416 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01340 416 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01341 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 172, ) }, ... 172, ) == 0x0 01342 416 NtQueryKey (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 01343 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01344 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 180, ) == 0x0 01345 416 NtQueryInformationToken (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01346 416 NtClose (180, ... ) == 0x0 01347 416 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 416 NtQueryValueKey (174, (174, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (174, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01349 416 NtClose (174, ... ) == 0x0 01350 416 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01351 416 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 172, {status=0x0, info=1}, ) }, 3, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01352 416 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 180, ) }, ... 180, ) == 0x0 01353 416 NtQuerySymbolicLinkObject (180, ... (180, ... "\Device\WinDfs\U:00000000000091fc", 66, ) , 66, ) == 0x0 01354 416 NtClose (180, ... ) == 0x0 01355 416 NtQueryVolumeInformationFile (172, 1241060, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01356 416 NtClose (172, ... ) == 0x0 01357 416 NtEnumerateKey (178, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 01358 416 NtClose (178, ... ) == 0x0 01359 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 176, {status=0x0, info=1}, ) }, 3, 16417, ... 176, {status=0x0, info=1}, ) == 0x0 01360 416 NtQueryDirectoryFile (176, 0, 0, 0, 1239848, 616, BothDirectory, 1, (176, 0, 0, 0, 1239848, 616, BothDirectory, 1, "startupscripts", 0, ... {status=0x0, info=128}, ) , 0, ... {status=0x0, info=128}, ) == 0x0 01361 416 NtClose (176, ... ) == 0x0 01362 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01363 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1244288, ... ) }, 1244288, ... ) == 0x0 01364 416 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 1502, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 412, 416, 1502, 0} (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 1502, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 01365 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244296, (0x80100080, {24, 0, 0x40, 0, 1244296, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsv1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 176, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 176, {status=0x0, info=2}, ) == 0x0 01366 416 NtClose (176, ... ) == 0x0 01367 416 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsv1.tmp"}, 7, 2113600, ... 176, {status=0x0, info=1}, ) }, 7, 2113600, ... 176, {status=0x0, info=1}, ) == 0x0 01368 416 NtQueryInformationFile (176, 1244668, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER 01369 416 NtSetInformationFile (176, 1244719, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0 01370 416 NtClose (176, ... ) == 0x0 01371 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1244540, ... ) }, 1244540, ... ) == 0x0 01372 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244520, (0x80100080, {24, 0, 0x40, 0, 1244520, "\??\u:\work\packed.exe"}, 0x0, 32, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 32, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01373 416 NtQueryInformationFile (176, 1244588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01374 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\345lJ\250\241\15$\373\241\15$\373\241\15$\373/\5{\373\243\15$\373\241\15%\3739\15$\373"\5y\373\260\15$\373\365.\24\373\250\15$\373f\13"\373\240\15$\373Rich\241\15$\373\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\206\271\246D\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\\0\0\0\212\2\0\0\4\0\0f1\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0Pt\0\0\264\0\0\0\0\200\3\0\310\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\376[\0\0\0\20\0\0\0\\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) \5y\373\260\15$\373\365.\24\373\250\15$\373f\13 (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\345lJ\250\241\15$\373\241\15$\373\241\15$\373/\5{\373\243\15$\373\241\15%\3739\15$\373"\5y\373\260\15$\373\365.\24\373\250\15$\373f\13"\373\240\15$\373Rich\241\15$\373\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\206\271\246D\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\\0\0\0\212\2\0\0\4\0\0f1\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0Pt\0\0\264\0\0\0\0\200\3\0\310\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\376[\0\0\0\20\0\0\0\\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01375 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\376\21\0\0\0p\0\0\0\22\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.data\0\0\0\324d\2\0\0\220\0\0\0\4\0\0\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ndata\0\0\0\200\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rsrc\0\0\0\310\6\0\0\0\200\3\0\0\10\0\0\0v\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01376 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "U\213\354\203\354\\203}\14\17t+\203}\14F\213E\24u\15\203H\30\20\213\15$\364B\0\211H\4P\377u\20\377u\14\377u\10\377\25@r@\0\351B\1\0\0SV\2135(\364B\0\215E\244WP\377u\10\377\25Dr@\0\203e\364\0\211E\14\215E\344P\377u\10\377\25Hr@\0\213}\360\203e\360\0\213\35Dp@\0\351\200\0\0\0\17\266FR\17\266VV\17\257U\350\213\317+M\350\17\257\301\3\302\211M\20\231\367\3773\322\212\360\17\266FQ\17\257\301\17\266NU\17\257M\350\3\301\213\312\231\367\377\17\266VT\17\257U\350\212\310\17\266FP\17\257E\20\3\302\231\367\377\301\341\10\17\266\300\13\310\215E\364P\211M\370\377\25Hp@\0\203E\360\4\211E\24P\215E\344P\377u\14\377\25Lr@\0\377u\24\377\323\203E\350\49}\350\17\214w\377\377\377\203~X\377te\377v4\377\25Lp@\0\205\300\211E\24tU\213}\14j\1W\307E\344\20\0\0\0\307E\350\10\0\0\0\377\25Pp@\0\377vXW\377\25Tp@\0\377u\24\2135Xp@\0W\377\326\211E\14\215E\344h \10\0\0Pj\377h \354B\0W\377\25Pr@\0\377u\14W\377\326\377u\24\377\323\215E\244P\377u\10\377\25Tr@\0_^3\300[\311\302\20\0\213L$\4\241H\364B\0\213\321Si\322\30\4\0\0VW\213T\2\10\366\302\2tO\215q\13\377;5L\364B\0sB\213\316i\311\30\4\0\0\215D\1\10\213\10\366\301\2t\3G\353\36\366\301\4t\11\213\317O\205\311t \353\20\366\301\20u\13\213\3313\332\203\343\13\331\211\30F\5\30\4\0\0;5L\364B\0r\312_^[\302\4\0U\213\354QQ", ) , ) == 0x0 01377 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\213\35H\364B\03\311\3\363W\211M\374\211M\370\213F\10\250\2t\139M\14t\6$\276B\211F\10;\25L\364B\0sD\213\302i\300\30\4\0\0\215|\30\10\215B\1\213\17\366\301\2t\12j\1R\350\245\377\377\377\213\17\366\301\4u(\366\301@t\3\377E\374\366\301\1t\5\377E\374\353\3\377E\370;\5L\364B\0\213\320r\2743\300_^[\311\302\10\0\203}\374\0t\363\203}\370\0t\6\203N\10@\353\347\213N\10\200\341\177\203\311\1\211N\10\353\331\213L$\4\241H\364B\0V3\366\203\371 s495L\364B\0v,\215P\10W\213\2\250\6u\223\377G\323\347\205z\374t\4\14\1\353\2$\376\211\2F\201\302\30\4\0\0;5L\364B\0r\331_^\302\4\0U\213\354\203\354\14\241(\364B\0\203e\374\0SV\5\224\0\0\0W\213=L\364B\0\211E\370\213E\3703\3339\30tK;\337sE\2135H\364B\0\203\306\10\213\26\366\302\6u(\213E\10\205\300t\6\203<\230\0t\33\213M\3743\300@\203\342\1\323\340\213N\374#\310\213\301\213M\374\323\342;\302u\13C\201\306\30\4\0\0;\337r\306;\337t\15\377E\374\203E\370\4\203}\374 r\237\213E\374_^[\311\302\4\0V\213t$\10\351\204\0\0\0\213\306\213\15P\364B\0k\300\34\3\301\2038\1tzP\350\252\0\0\0=\377\377\377\177ts\205\300}\23@\271\0\0C\0\301\340\12+\310Q\350\247E\0\0\205\300u\63\300@F\353\7H\213\316\213\360+\301\203|$\14\0t8\1\5\14\354B\0\241\364\353B\03\311j\0\205\300\17\224\301\3\310Qh0u\0\0\3775\14\354B\0\377\25,q@\0Ph\2\4\0\0\377t$", ) , ) == 0x0 01378 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\377\377\3773\300^\302\10\0\270\377\377\377\177\353\365\213D$\4\213\15(\364B\0j\0\377t\201l\350H\377\377\377\302\4\0h@\240@\0\377t$\10\350H9\0\0\302\4\0U\213\354\201\354\244\1\0\0\241$\364B\0SV\213u\10Wj\7Y\215}\330\211E\3703\333\363\245\213E\334\213}\340\213\360\271\0\0C\0\301\346\12\301\347\12\3\361\3\371\215M\334\211]\374\211\15<\224@\0\213M\330\203\301\376\203\371A\17\207\243\24\0\0\377$\215A)@\0SP\350\3448\0\0\351\364\15\0\0\377\5\354\353B\09]\370\17\204\345\15\0\0S\377\25\354q@\0\351\331\15\0\0;\303}\21@\271\0\0C\0\301\340\12+\310Q\350\203D\0\0HSP\350\226\376\377\377\351^\24\0\0\213M\340;\313t)\366\301\10t\17\241\14\220@\0\243\240\222@\0\3518\24\0\0\241\240\222@\0\211\15\240\222@\0\243\14\220@\0\351#\24\0\0SP\350k8\0\0\351\27\24\0\0S\350_\25\0\0\203\370\1\177\33\300@P\377\25\220p@\0\351\375\23\0\0\377u\370\377\25\360q@\0\351\357\23\0\0j\1\3506\25\0\0\213M\334\211\4\215\240\364B\0\351\331\23\0\0\213E\344\2154\205\240\364B\03\300\213\16;\313\17\224\300#M\350\213D\205\334\211\16\351\303\23\0\0\213E\340\3774\205\240\364B\0V\351P\23\0\0\213\15\360\353B\0\2135Xr@\0;\313t\11\377u\340Q\377\326\213E\334\213\15\4\354B\0;\313\17\204\201\23\0\0PQ\377\326\351x\23\0\0j\360\350\334\24\0\0\377u\340P\377\25\214p@\0\205\300\17\205_\23\0\0\351\5\21\0\0j\360\350\276\24\0\0\213\370W\350\227?\0\08\37\213\360tF;\363tBj\V\350\35?", ) , ) == 0x0 01379 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\13\377\25\210p@\0\205\300u\33\377\25\204p@\0=\267\0\0\0u\13W\377\25\200p@\0\250\20u\3\377E\374\212E\13\210\6F:\303u\2769]\340t\36j\346\350\354\375\377\377Wh\0XC\0\350\224C\0\0W\377\25|p@\0\351\334\22\0\0j\365\351\216\13\0\0S\350:\24\0\0P\350JF\0\0\351}\6\0\0j\320\350(\24\0\0j\337\211E\10\350\36\24\0\0\377u\10\276@\240@\0\211E\370V\350NC\0\0\377u\370\350\C\0\0\377u\10\213\370\350RC\0\0\3\370\201\377\375\3\0\0}\24h\34\220@\0V\350CC\0\0\377u\370V\350:C\0\0\377u\370\377u\10\377\25xp@\0\205\300t\7j\343\351\24\13\0\09]\344\17\204\375\17\0\0\377u\10\350\313E\0\0\205\300\17\204\355\17\0\0\377u\370\377u\10\350+@\0\0j\344\351\351\12\0\0S\350\225\23\0\0\213\360\215E\10PWh\0\4\0\0V\377\25tp@\0\205\300t#\213E\10;\306v%8\30t!V\350\203E\0\0;\303t\16\203\300,P\377u\10\350\236B\0\0\353\11\307E\374\1\0\0\0\210\379]\344\17\205\336\21\0\0h\0\4\0\0WW\377\25pp@\0\351\314\21\0\0j\377\3500\23\0\0\215M\10QVh\0\4\0\0SPS\377\25lp@\0\205\300\17\205\252\21\0\0\351$\17\0\0j\357\350\11\23\0\0PV\350C?\0\0\351+\376\377\377j1\350\366\22\0\0\213\360\213E\334\203\340\7V\211u\314\211E\10\350\234=\0\0V\276@\234@\0\205\300t\10V\350\23B\0\0\353\27h\0XC\0V\350\6B\0\0P\350\15=\0\0P\350\26B\0\0V\3500D\0\0\277@\244@\0\203}\10\3|1V\350", ) , ) == 0x0 01380 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\350\203\300\24QP\377\25hp@\0\213\310\213E\10\203\300\375\15\0\0\0\200#\301\367\330\33\300@\211E\109]\10u\21V\377\25\200p@\0$\376PV\377\25\214p@\03\300\203}\10\1\17\225\300@Ph\0\0\0@V\350]>\0\0\203\370\377\211E\370uv9]\10uSh\0\0C\0W\350tA\0\0Vh\0\0C\0\350iA\0\0\377u\360h@\240@\0\350~A\0\0Wh\0\0C\0\350QA\0\0\213E\334\301\370\3Ph@\240@\0\350@:\0\0\203\350\4\17\204H\377\377\377Ht\33Vj\372\351\346\373\377\377\377u\314j\342\350\3054\0\0\203}\10\2\351\10\375\377\377\377\5\250\364B\0\351k\20\0\0\377u\314j\352\350\2474\0\0\377\5\240\222@\0SS\377u\370\377u\344\350\323\25\0\0\377\15\240\222@\0\203}\350\377\213\370u\6\203}\354\377t\22\215E\350P\215E\350SP\377u\370\377\25dp@\0\377u\370\377\25`p@\0;\373\17\215\16\20\0\0\203\377\376u\23j\351V\350\317@\0\0\377u\314V\350\300@\0\0\353\10j\356V\350\274@\0\0h\20\0 \0V\351B\11\0\0S\3534j1\350D\21\0\0\377u\334P\350|9\0\0;\303\17\204s\15\0\0;E\344\17\204A\1\0\0;E\354\17\205\266\17\0\0\213E\360\351\271\17\0\0j\360\350\22\21\0\0\377u\340P\350\2149\0\0\351\231\17\0\0j\1\350\375\20\0\0P\350N@\0\0\351\216\13\0\0j\2\350\316\20\0\0j\3\211E\10\350\304\20\0\0j\1\213\370\350\330\20\0\09]\344\211E\324\210\36t\119]\10\17\204Z\17\0\0P\350\26@\0\0;\373}\10\3\370\17\210H\17\0\0;\370~\2\213\370\213E\324\3\307PV", ) , ) == 0x0 01381 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "+\17\0\0}\17V\350\345?\0\0\3\370y\5\211]\10\213\373\201\377\0\4\0\0\17\215\16\17\0\0\210\347\351\6\17\0\0j \350j\20\0\0j1\213\360\350a\20\0\09]\354PVu\22\377\25\244p@\0\205\300ug\213E\344\351\350\16\0\0\377\25\350p@\0\353\3543\377GW\3507\20\0\09]\344h\0\4\0\0VPt\10\377\25\354p@\0\353\6\377\25\360p@\0\205\300u\5\211}\374\210\36\210\236\377\3\0\0\351\236\16\0\0S\350\346\17\0\0j\1\213\360\350\335\17\0\09]\360u\10;\360|\10~\237\353\16;\360s\10\213E\350\351\201\16\0\0v\217\213E\354\351w\16\0\0j\1\350\263\17\0\0j\2\213\370\350\252\17\0\0\213\310\213E\350\203\370\14wm\377$\205I*@\0\3\371\353b+\371\353^\17\257\317\213\371\353W;\313tB\213\307\231\367\371\213\370\353J\13\371\353F#\371\353B3\371\353>3\300;\373\17\224\300\353\347;\373u\16\353\103\377\353+;\373t\370;\313t\3643\377G\353\36;\313t\11\213\307\231\367\371\213\372\353\213\377\307E\374\1\0\0\0\353\6\323\347\353\2\323\377W\3511\372\377\377j\1\350C\17\0\0j\2\213\370\350\35\17\0\0PWV\377\25\364q@\0\203\304\14\351\276\15\0\0\213E\344\213=@\260@\0;\303tDH;\373\17\204\371\6\0\0\213?;\303u\361;\373\17\204\353\6\0\0\203\307\4\276@\234@\0WV\3507>\0\0\241@\260@\0\203\300\4PW\350(>\0\0\241@\260@\0V\203\300\4P\351\223\14\0\09]\340t%;\373\17\204\13\13\0\0\215G\4PV\350\2>\0\0\213\7W\243@\260@\0\377\25\364p@\0\351C\15\0\0h\4\4\0\0j@\377", ) , ) == 0x0 01382 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\4P\350\366=\0\0\241@\260@\0\211\6\2115@\260@\0\351\26\15\0\0j3\350z\16\0\0jD\211E\370\350p\16\0\0\366E\360\1\211E\10u\13\377u\370\350\27=\0\0\211E\370\366E\360\2u\13\377u\10\350\6=\0\0\211E\10\203}\330!j\1uD\350!\16\0\0j\2\213\370\350\30\16\0\0\213M\360\301\371\2t\36\215U\314RQS\377u\10\377u\370PW\377\25\370q@\0\367\330\33\300@\211E\374\353?\377u\10\377u\370PW\377\25, ) , ) == 0x0 01383 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "p@\0\351.\7\0\0S\350o\14\0\0j\1\213\360\350f\14\0\09]\350PVu\13\377\25Xr@\0\351\6\13\0\0\377\254r@\0\351\373\12\0\0S\350`\14\0\0j1\213\360\350W\14\0\0j"\213\330\350N\14\0\0SVh\24\220@\0h@\240@\0\213\370\377\25\364q@\0\203\304\20j\354\350\276\365\377\377\212\7\377u\350\366\330\33\300h\0XC\0#\307P\212\6\366\330\33\300S#\306P\377u\370\377\25\q@\0\203\370!\17\215\230\12\0\0\351>\10\0\0S\350\370\13\0\0\213\360Vj\353\350\322.\0\0h\0XC\0V\350\2543\0\0;\303\211E\10\17\204\30\10\0\09]\344tF\2135\374p@\0\353\7j\17\350B>\0\0jd\377u\10\377\326=\2\1\0\0t\353\215E\314P\377u\10\377\25\0q@\09]\340|\13\377u\314W\350::\0\0\353\149]\314t\7\307E\374\1\0\0\0\377u\10\377\25`p@\0\351\24\12\0\0j\2\350x\13\0\0P\350\210=\0\0;\303\211E\10t\23\213\330\377s\24W\350\3779\0\0\377s\30\351?\366\377\377\210\36\210\37\351\217\7\0\0\215E\250j\356\211E\10\350B\13\0\0\215M\320\211E\324QP\350\223L\0\0\210\36;\303\211E\370\210\37\307E\374\1\0\0\0\17\204\264\11\0\0Pj@\377\25\370p@\0;\303\211E\314\17\204\240\11\0\0P\377u\370S\377u\324\350VL\0\0\205\300t4\215E\274P\215E\10Ph\20\220@\0\377u\314\3507L\0\0\205\300t\33\213E\10\377p\10V\350t9\0\0\213E\10\377p\14W\350h9\0\0\211]\374\377u\314\351\5\374\377\3773\377h\1\200\0\0G\211}\374\377\25\4q@\09\35\320\364B\0\17", ) \213\330\350N\14\0\0SVh\24\220@\0h@\240@\0\213\370\377\25\364q@\0\203\304\20j\354\350\276\365\377\377\212\7\377u\350\366\330\33\300h\0XC\0#\307P\212\6\366\330\33\300S#\306P\377u\370\377\25\q@\0\203\370!\17\215\230\12\0\0\351>\10\0\0S\350\370\13\0\0\213\360Vj\353\350\322.\0\0h\0XC\0V\350\2543\0\0;\303\211E\10\17\204\30\10\0\09]\344tF\2135\374p@\0\353\7j\17\350B>\0\0jd\377u\10\377\326=\2\1\0\0t\353\215E\314P\377u\10\377\25\0q@\09]\340|\13\377u\314W\350::\0\0\353\149]\314t\7\307E\374\1\0\0\0\377u\10\377\25`p@\0\351\24\12\0\0j\2\350x\13\0\0P\350\210=\0\0;\303\211E\10t\23\213\330\377s\24W\350\3779\0\0\377s\30\351?\366\377\377\210\36\210\37\351\217\7\0\0\215E\250j\356\211E\10\350B\13\0\0\215M\320\211E\324QP\350\223L\0\0\210\36;\303\211E\370\210\37\307E\374\1\0\0\0\17\204\264\11\0\0Pj@\377\25\370p@\0;\303\211E\314\17\204\240\11\0\0P\377u\370S\377u\324\350VL\0\0\205\300t4\215E\274P\215E\10Ph\20\220@\0\377u\314\3507L\0\0\205\300t\33\213E\10\377p\10V\350t9\0\0\213E\10\377p\14W\350h9\0\0\211]\374\377u\314\351\5\374\377\3773\377h\1\200\0\0G\211}\374\377\25\4q@\09\35\320\364B\0\17", ) == 0x0 01384 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "W\213\360\350\222\12\0\09]\354\211E\10t\15V\377\25\10q@\0\213\370;\373u\15V\377\25\14q@\0\213\370;\373te\377u\10W\377\25\20q@\0\213\360;\363t=9]\344\211]\374t\27\377u\344\350\336\363\377\377\377\326\205\300t1\307E\374\1\0\0\0\353(h\0\220@\0h@\260@\0h\0\0C\0h\0\4\0\0\377u\370\377\326\203\304\24\353\12\377u\10j\367\350\375,\0\09]\350u\24W\377\25\24q@\0\353\13j\366\353\2j\347\350\216\363\377\377S\377\25\4q@\0\351\211\10\0\0j\360\350\355\11\0\0j\337\211E\320\350\343\11\0\0j\2\213\360\350\332\11\0\0j\315\211E\324\350\320\11\0\0jE\211E\314\350\306\11\0\0V\211E\274\350w4\0\0\205\300u\7j!\350\262\11\0\0\215E\10Ph t@\0j\1Sh0t@\0\377\25xr@\0;\303\17\214\330\0\0\0\213E\10\215U\370Rh@t@\0\213\10P\377\21\213\370;\373\17\214\260\0\0\0\213E\10VP\213\10\377QP\213\370\213E\10h\0XC\0P\213\10\377Q$\213M\354\276\377\0\0\0\213\301\301\370\10#\306t\15\213M\10PQ\213\21\377R<\213M\354\213E\10\301\371\20\213\20QP\377R4\213E\3148\30t\22\213U\354\213E\10#\326\213\10R\377u\314P\377QD\213E\10\377u\324\213\10P\377Q,\213E\10\377u\274\213\10P\377Q\34;\373|-\276@\224@\0h\0\4\0\0Vj\377\377u\320f\211\35@\224@\0SS\377\25\30q@\0\213E\370j\1VP\213\10\377Q\30\213\370\213E\370P\213\10\377Q\10\213E\10P\213\10\377Q\10;\373}\23\307E\374\1\0\0\0j\360\350;\362\377\377\351=\7\0\0j\364", ) , ) == 0x0 01385 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\211}\10\350\222\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3247\0\0V\210\8\1\350\3127\0\0\277@\244@\0j\370W\210\0\1\350\3057\0\0VW\350\2707\0\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350$+\0\0\215E\234P\377\25`q@\0\205\300\17\204\303\6\0\0Sj\371\350\12+\0\0\351a\4\0\0=\15\360\255\13t\35h\20\0 \0j\350S\350p7\0\0P\350H0\0\0\270\377\377\377\177\351\235\6\0\0\377\5\264\364B\0\351\207\6\0\03\3663\377;\303t\10S\350\344\7\0\0\213\3609]\340t\11j\21\350\326\7\0\0\213\3709]\354t\11j"\350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j"\3509\7\0\0\213M\354\203\341\2QP\377u\340\350\360\7\0\0P\350c\7\0\0\213\370;\373\17\204\256\5\0\0\351T\3\0\0P\350\325\7\0\0\213u\354\213\370\213E\360j\2\211E\320\350\374\6\0\0j\21\211E\274\350\362\6\0\0\215M\10SQSj\2SSSPW\307E\374\1\0\0\0\377\25 p@\0\205\300\17\205e\5\0\0\203\376\1\277@\244@\0u\16j#\350\277\6\0\0W\350\206\0\0@\203\376\4u\16j\3\350\217\6\0\0V\243@\244@\0", ) \350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\211}\10\350\222\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3247\0\0V\210\8\1\350\3127\0\0\277@\244@\0j\370W\210\0\1\350\3057\0\0VW\350\2707\0\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350$+\0\0\215E\234P\377\25`q@\0\205\300\17\204\303\6\0\0Sj\371\350\12+\0\0\351a\4\0\0=\15\360\255\13t\35h\20\0 \0j\350S\350p7\0\0P\350H0\0\0\270\377\377\377\177\351\235\6\0\0\377\5\264\364B\0\351\207\6\0\03\3663\377;\303t\10S\350\344\7\0\0\213\3609]\340t\11j\21\350\326\7\0\0\213\3709]\354t\11j"\350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j"\3509\7\0\0\213M\354\203\341\2QP\377u\340\350\360\7\0\0P\350c\7\0\0\213\370;\373\17\204\256\5\0\0\351T\3\0\0P\350\325\7\0\0\213u\354\213\370\213E\360j\2\211E\320\350\374\6\0\0j\21\211E\274\350\362\6\0\0\215M\10SQSj\2SSSPW\307E\374\1\0\0\0\377\25 p@\0\205\300\17\205e\5\0\0\203\376\1\277@\244@\0u\16j#\350\277\6\0\0W\350\206\0\0@\203\376\4u\16j\3\350\217\6\0\0V\243@\244@\0", ) , ) == 0x0 01386 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "S\377u\350\350\264\12\0\0PW\377u\320S\377u\274\377u\10\377\25\4p@\0\205\300u\3\211]\374\377u\10\351\321\0\0\0h\31\0\2\0\350B\7\0\0j3\213\370\350]\6\0\0;\373\210\36\17\204\223\2\0\0\215M\314\307E\314\377\3\0\0Q\215M\10VQSPW\377\25\0p@\03\311A\205\300u7\203}\10\4t\339M\10t\6\203}\10\2u&9]\354t\3\211M\374\213E\314\210\340\353r9]\354u\7\307E\374\1\0\0\0\3776V\350\2354\0\0\353\\210\36\211M\374\353Uh\31\0\2\0\350\307\6\0\0j\3\213\370\350\305\5\0\0;\373\210\36\17\204\30\2\0\09]\354\271\377\3\0\0\211M\10t\14QVPW\377\25\10p@\0\353\31SSS\215M\10SQVPW\377\25\14p@\0\205\300\17\205\346\1\0\0\210\236\377\3\0\0W\377\25\34p@\0\351)\4\0\08\36\17\204!\4\0\0V\350>4\0\0P\351\366\371\377\377j\355\350y\5\0\0\377u\344\377u\340P\350\1771\0\0\203\370\377\17\204\242\1\0\0P\351E\360\377\3779]\344t\21j\1\3505\5\0\0\242@\240@\03\300@\353\15j\21\350A\5\0\0P\350\2224\0\08\36\17\204s\1\0\0\215M\10SQPh@\240@\0V\350\3323\0\0P\377\25$q@\0\351D\360\377\377j\2\211]\324\350\357\4\0\0\203\370\1\211E\370\17\214\225\3\0\0\271\377\3\0\0;\301~\3\211M\3708\36\17\204\216\0\0\0V\210]\13\350\2333\0\09]\370\211E\314~}\213u\324\215E\320SP\215E\367j\1P\377u\314\377\25(q@\0\205\300te\203}\320\1u_9]\350u!\200}\13\15t+\200}\13\12t%\212E\367", ) , ) == 0x0 01387 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "u\370|\276\3539\17\266E\367PW\350(3\0\0\351"\3\0\0\212E\3678E\13t\16<\15t\4<\12u\6\210\4>F\353\23j\1Sj\377\377u\314\377\250q@\0\353\3\213u\324\210\34>;\363\351\201\357\377\3778\36\17\204\336\2\0\0\377u\350Sj\2\350!\4\0\0PV\350\3572\0\0P\377\250q@\09]\340\17\214\274\2\0\0\351]\2\0\08\36\17\204\257\2\0\0V\350\3142\0\0P\377\254q@\0\351\235\2\0\08\37t\30\215\205\\376\377\377PW\350\2572\0\0P\377\258q@\0\205\300u?\307E\374\1\0\0\0\210\36\351s\2\0\0j\2\350\327\3\0\0\215\215\\376\377\377QP\377\253\0\0\212E\3678E\13t\16<\15t\4<\12u\6\210\4>F\353\23j\1Sj\377\377u\314\377\250q@\0\353\3\213u\324\210\34>;\363\351\201\357\377\3778\36\17\204\336\2\0\0\377u\350Sj\2\350!\4\0\0PV\350\3572\0\0P\377\250q@\09]\340\17\214\274\2\0\0\351]\2\0\08\36\17\204\257\2\0\0V\350\3142\0\0P\377\254q@\0\351\235\2\0\08\37t\30\215\205\\376\377\377PW\350\2572\0\0P\377\258q@\0\205\300u?\307E\374\1\0\0\0\210\36\351s\2\0\0j\2\350\327\3\0\0\215\215\\376\377\377QP\377\250\203\370\377u\20\210\37\210\36\307E\374\1\0\0\0\351I\2\0\0PW\350L2\0\0\215\205\210\376\377\377PV\351[\1\0\0S\307E\314f\375\377\377\350\223\3\0\0\213\360V\350E.\0\0\205\300Vt\15\276@\240@\0V\350\2742\0\0\353 h\0TC\0h@\240@\0\350\2532\0\0P\350\262-\0\0P\350\2732\0\0\276@\240@\0V\350\3204\0\0j\2h\0\0\0@V\350X/\0\0\203\370\377\211E\10\17\204\242\0\0\0\241,\364B\0\2135\370p@\0Pj@\211E\324\377\326\213\370;\373t{S\350\234\11\0\0\377u\324W\350a\11\0\0\377u\344j@\377\326\213\360;\363\211u\320t4\377u\344VS\377u\340\350\30\7\0\0\353\30\213\16\213F\4\203\306\10Q\3\307VP\211M\310\350\320.\0\0\3u\3108\36u\344\377u\320\377\25\364p@\0\215E\274SP\377u\324W\377u\10\377\25$q@\0W\377\25\364p@\0SS\377u\10j\377\350\314\6\0\0\211E\314", ) == 0x0 01388 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\09]\314j\363_}\21j\357_V\377\25@q@\0\307E\374\1\0\0\0W\351\307\371\377\377S\350V\2\0\0;\5L\364B\0\211E\10\17\203\244\376\377\377\213\360\213E\344i\366\30\4\0\0\35H\364B\0;\303|\27\213\14\206u\17\203\306\30VW\350\2011\0\0\351\320\0\0\0Q\353t\203\311\377+\310\211M\344t\14j\1\350\12\2\0\0\211E\340\353\20\377u\354\215F\30P\350y1\0\0\200N\11\1\213E\344\213M\340\211\14\2069]\350\17\204\225\0\0\0\377u\10\350\333\350\377\377\351\210\0\0\0S\350\320\1\0\0\203\370 \17\203$\376\377\3779]\350t#9]\344t\17P\350\323\351\377\377SS\350"\351\377\377\353`S\350\15\352\377\377PW\350]0\0\0\353Q9]\344t\22\213\25(\364B\0\213M\340\211\214\202\224\0\0\0\353:\213\15(\364B\0\377\264\201\224\0\0\0W\350\3650\0\0\353%\213\15\240\270B\0S#\310Qj\13\377u\370\377\25351\377\377\353`S\350\15\352\377\377PW\350]0\0\0\353Q9]\344t\22\213\25(\364B\0\213M\340\211\214\202\224\0\0\0\353:\213\15(\364B\0\377\264\201\224\0\0\0W\350\3650\0\0\353%\213\15\240\270B\0S#\310Qj\13\377u\370\377\2509]\334t\13SS\377u\370\377\258r@\0\213E\374\1\5\250\364B\03\300_^[\311\302\4\0:)@\0\223\24@\0\237\24@\0\272\24@\0\334\24@\0\30\25@\02\25@\0\207\25@\0\267\25@\0\325\25@\0Z\26@\0@\25@\0V\25@\0w\25@\0k\26@\0\377\26@\0c\27@\0\212\27@\0\235\27@\0L\31@\0O\31@\0\201\31@\0\226\31@\0\250\31@\0)\32@\0Z\32@\0\221\32@\0\303\32@\0P\33@\0q\33@\0\31\34@\0\31\34@\0\333\34@\0\370\34@\0\23\35@\02\35@\0\216\35@\0\10\36@\04\36@\0\234\36@\0\33\37@\0K\37@\0\334\37@\0\246 @\0\366!@", ) == 0x0 01389 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0*#@\0\206#@\0*$@\0\245$@\0\6%@\0\32%@\0<%@\0\204%@\0I&@\0x&@\0\222&@\0\274&@\0\372&@\0!(@\0\247(@\0/)@\0/)@\0\12)@\0\344\32@\0\350\32@\0\354\32@\0\363\32@\0\0\33@\0\4\33@\0\10\33@\0\14\33@\0\25\33@\0\37\33@\0,\33@\0D\33@\0H\33@\0\213D$\4\213\15<\224@\0\3774\201j\0\350l/\0\0P\350\273.\0\0\302\4\0V\213t$\10\205\366W\213\306}\2\367\330\213\25<\224@\0\213\310\203\341\17\301\370\4\3774\212\301\340\12\5@\234@\0P\3506/\0\0\205\366\213\370}\6W\350D1\0\0\213\307_^\302\4\0U\213\354\201\354\14\1\0\0SV\215E\374WP3\333j\10S\377u\14\377u\10\377\25\20p@\0;\303uM\2135\10p@\0\277\5\1\0\0\353\319]\20uB\215\205\364\376\377\377SP\377u\374\350\271\377\377\377\205\300u\22\215\205\364\376\377\377WPS\377u\374\377\326\205\300t\325\377u\374\377\25\34p@\0\377u\14\377u\10\377\25\24p@\0_^[\311\302\14\0\377u\374\377\25\34p@\03\300@\353\353\213D$\4\205\300u\12\241\244\364B\0\5\1\0\0\200\302\4\0U\213\354\215E\10P\377u\10j\0j"\350\21\377\377\377P\241<\224@\0\377p\4\350\312\377\377\377P\377\25\20p@\0\367\330\33\300\367\320#E\10]\302\4\0U\213\354\201}\14\20\1\0\0VW\213}\10\276\23\1\0\0u\33j\0h\372\0\0\0j\1W\377\25\344q@\0\213E\24\211u\14\243H\260@\09u\14uN\213\15PLA\0\241X\214B\0;\310|\2\213\310Pj", ) \350\21\377\377\377P\241<\224@\0\377p\4\350\312\377\377\377P\377\25\20p@\0\367\330\33\300\367\320#E\10]\302\4\0U\213\354\201}\14\20\1\0\0VW\213}\10\276\23\1\0\0u\33j\0h\372\0\0\0j\1W\377\25\344q@\0\213E\24\211u\14\243H\260@\09u\14uN\213\15PLA\0\241X\214B\0;\310|\2\213\310Pj", ) == 0x0 01390 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "A\0\3775H\260@\0V\377\25\364q@\0\203\304\14VW\377\25\350q@\0Vh\6\4\0\0W\350\223&\0\0j\5W\377\25Xr@\0_3\300^]\302\20\0U\213\354\203\354,SV3\366W\211u\374\377\25\234p@\0\211u\364\211u\370\276\0\C\0h\0\4\0\0V\213\370\3775 \364B\0\201\307\350\3\0\0\377\25\230p@\0j\3h\0\0\0\200V\350/*\0\0\213\330\203\373\377\211]\360\211\35 \220@\0u\12\270x\221@\0\351\37\2\0\0V\350\222(\0\0j\0S\377\25\224p@\0\205\300\243X\214B\0\213\360\17\216)\1\0\0\241,\364B\0\213\336\367\330\33\300%\0~\0\0\5\0\2\0\0;\360|\2\213\330ShX\14B\0\350\16\4\0\0\205\300\17\204f\1\0\03\3009\5,\364B\0u\177j\34\215E\324hX\14B\0P\350\217)\0\0\213M\324\367\301\360\377\377\377\17\205\232\0\0\0\201}\330\357\276\255\336\17\205\215\0\0\0\201}\344Inst\17\205\200\0\0\0\201}\340softuw\201}\334Nullun\213E\354;\306\17\217\377\0\0\0\11M\10\213\25PLA\0\366E\10\10\211\25,\364B\0u\6\366E\10\4uq\377E\370\215p\374;\336v>\213\336\353:\366E\10\2u49E\374t\10P\350\233/\0\0\353'\377\25\234p@\0;\307v\35h\\221@\0h\253+@\0j\0jo\3775 \364B\0\377\25\334q@\0\211E\374;5X\214B\0}\21ShX\14B\0\377u\364\350\217/\0\0\211E\364\1\35PLA\0+\363\205\366\17\217\346\376\377\377\203}\374\0t\11\377u\374\377\25\340q@\03\3779=,\364B\0tZ9}\370t"\3775PLA\0\350", ) \3775PLA\0\350", ) == 0x0 01391 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\0\0\205\300t;\213E\364;E\370u3\377u\350j@\377\25\370p@\0\213\360\241,\364B\0\203\300\34P\350\361\2\0\0\377u\350VWj\377\350\207\0\0\0;E\350t\37V\377\25\364p@\0\270(\220@\0\353m\203}\374\0t\363\377u\374\377\25\340q@\0\353\350\366E\10\2\2115(\364B\0t\3\203\16\10\213\6\203\340\30\366E\324\1\243\300\364B\0\213\6\2430\364B\0t\6\377\54\364B\0j\10\215FDY\203\350\10\10Iu\370j\1WW\377u\360\377\250q@\0\211F<\203\306\4j@Vh@\364B\0\350\330'\0\03\300_^[\311\302\4\0U\213\354\203\354XSV\213u\24W\213}\20\211u\370\205\377u\7\307E\370\0\200\0\0\203e\374\0\211}\364\205\377u\7\307E\364X\214A\0\213E\10\205\300|\16\213\15x\364B\0\3\310Q\350\32\2\0\0\215E\24j\4P\350\335\1\0\0\205\300\17\204\200\1\0\0\366E\27\200\17\204_\1\0\0\213\35\234p@\0\377\323\203%|\265@\0\0\203%x\265@\0\0\201e\24\377\377\377\177\211E\360\270\0\314@\0\307\5`\260@\0\10\0\0\0\243\10LA\0\243\4LA\0\213E\24\307\5\0LA\0\0LA\0\211E\10\17\216r\1\0\0\276\0@\0\09u\24}\3\213u\24\277XLA\0VW\350c\1\0\0\205\300\17\204\6\1\0\0)u\24\211=P\260@\0\2115T\260@\0\213}\364\213E\370hP\260@\0\211=X\260@\0\243\\260@\0\350\1.\0\0\205\300\211E\350\17\214\262\0\0\0\2135X\260@\0+\367\377\323\366\5\240\222@\0\1\213\370tC+E\360=\310\0\0\0w\6\203}\24\0u3\213E\10\377u\10+E\24jdP", ) , ) == 0x0 01392 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\221@\0P\377\25\364q@\0\203\304\14\215E\250Pj\0\350f\35\0\0\211}\3603\300;\360tI9E\20u P\215E\354PV\377u\364\377u\14\377\25$q@\0\205\300t=9u\354u8\1u\374\353\30)u\370\1u\374\241X\260@\0\203}\370\1\211E\364\17\214\201\0\0\0\203}\350\1\17\2055\377\377\377\353u9E\24\17\217\372\376\377\377\353jj\374\353\35j\376\353\31\205\377tS9u\24}\3\213u\24VW\350Y\0\0\0\205\300uHj\375X\353I\213u\3709u\24}\3\213u\24\277XLA\0VW\3509\0\0\0\205\300t\340\215E\20j\0PVW\377u\14\377\25$q@\0\205\300t\260;u\20u\253\1u\374)u\24\203}\24\0\177\277\353\3\211u\374\213E\374_^[\311\302\20\0U\213\354V\213u\14\215E\14j\0PV\377u\10\3775 \220@\0\377\25(q@\0\205\300t\129u\14u\53\300@\353\23\300^]\302\10\0j\0j\0\377t$\14\3775 \220@\0\377\250q@\0\302\4\0V\276\0dC\0V\350\331*\0\0V\350\20$\0\0\205\300u\2^\303V\350\230#\0\0j\0V\377\25\210p@\0Vh\0PC\0\350w%\0\0^\303\201\354|\1\0\0SUV3\366W\211t$\30\275@\222@\0\306D$\20 \377\250p@\0V\377\25pr@\0\243\320\364B\0V\215D$0h`\1\0\0PVh`\230B\0\377\25Xq@\0h0\222@\0h \354B\0\350#(\0\0\273\0dC\0Sh\0\4\0\0\377\25\264p@\0\350d\377\377\377\205\300u$h\373\3\0\0S\377\25\260p@\0h(\222@\0S\350\16(\0\0\350D\377\377\377\205\300\17\204<\1", ) , ) == 0x0 01393 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \243 \364B\0\213\307u\12\306D$\20 (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008 (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503 (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0 (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) , ) == 0x0 01394 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0W\350\324%\0\0\353\6W\350 !\0\0h\30\222@\0V\350\335%\0\0\377t$\24V\350\323%\0\0h\20\222@\0V\350\310%\0\0WV\350\301%\0\0V\350\254 \0\0SV\350 \36\0\0\205\300t\11P\377\25`p@\03\355\376\5\240\221@\0\377D$\20\203|$\20\32\17\214\26\377\377\377\351\310\376\377\377\203=\264\364B\0\0\17\204\216\0\0\0\276\0\222@\0h\354\221@\0V\350g(\0\0h\324\221@\0V\213\350\350Z(\0\0h\274\221@\0V\213\370\350M(\0\03\366\213\330;\356tH;\376tD;\336t@\215D$\24Pj(\377\25\240p@\0P\377\325\205\300t,\215D$ Ph\250\221@\0V\377\327VV\215D$$VPV\377t$(\307D$4\1\0\0\0\307D$@\2\0\0\0\377\323Vj\2\377\25\34r@\0\205\300u\7j\11\350\13\337\377\377\241\314\364B\0\203\370\377t\4\211D$\30\377t$\30\377\25\250p@\0\241 \220@\0\203\370\377t\16P\377\25`p@\0\203\15 \220@\0\377j\7h\0hC\0\350\334\35\0\0\303\203\354\24SUV\2135(\364B\0Wh\364r@\0h\310\222@\0\350\220'\0\03\333;\303t\22\377\320\17\267\300Ph\0`C\0\350\305#\0\0\353H\277\240\250B\0\307\5\0`C\00x\0\0WSh\314r@\0h\1\0\0\200\3509#\0\08\35\240\250B\0u\25Wh\304r@\0h\234r@\0h\3\0\0\200\350\34#\0\0Wh\0`C\0\3509$\0\0\350K\2\0\0\2410\364B\0\275\0TC\0\203\340 U\243\240\364B\0\350\355\37\0\0\205\300\17\205\200\0\0\0\213NH;\313ty\213VL\241X\364B\0\277\300", ) , ) == 0x0 01395 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "D\350\311"\0\0\240\300\343B\0:\303tT<"u\17\277\301\343B\0j"W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) \0\0\240\300\343B\0:\303tT< (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "D\350\311"\0\0\240\300\343B\0:\303tT<"u\17\277\301\343B\0j"W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) == 0x0 01396 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\14\334\377\3773\300_^][\203\304\24\303SUVW\277\0`C\0\273\377\377\0\0W\3500!\0\0\2135d\364B\0\205\366tE\213\15(\364B\0\213Id\213\321\17\257\316\367\332\3\15`\364B\0\3\312Nf\213)f3\350#\353f\205\355t\6\205\366u\354\353\31\213Q\2\211\25\0\354B\0\213Q\6\211\25\310\364B\0\215Q\12\205\322u\22f\201\373\377\377u\7\273\377\3\0\0\353\2433\333\353\237\211\25\374\353B\0\17\267\1PW\350\246 \0\0j\376h \354B\0\350^!\0\0P\3775\200\250B\0\377\25\350q@\0\241L\364B\0\2135H\364B\0\205\300t\33\213\370\213\6\205\300t\12P\215F\30P\3500!\0\0\201\306\30\4\0\0Ou\347_^][\303\203\354\20\271\20\1\0\0SU\213l$ V;\351W\17\204s\1\0\0\201\375\10\4\0\0\17\204g\1\0\0\213\$$\203\375Gu\253\300j\23PPPPS\3775\200\250B\0\377\25|q@\0\203\375\5u\30\213D$,H\367\330\33\300#\305P\3775\200\250B\0\377\25Xr@\0\201\375\15\4\0\0u\32\3775\370\353B\0\377\25\340q@\0\213D$,\243\370\353B\0\351\17\4\0\0\203\375\21u\23j\0j\0S\377\25(r@\03\300@\351\36\4\0\0\203\375\20u3\241D\364B\0H9\5\204\222@\0\17\205\310\0\0\0\3775h\230B\0\377\25xq@\0\205\300\17\205\264\0\0\0\275\21\1\0\0\307D$,\1\0\0\0\201\375\21\1\0\0\17\205\233\0\0\0\17\267t$,VS\377\25$r@\0\213\35, ) , ) == 0x0 01397 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0~:j\377\353\34\203\376\2u1\203=\254\364B\0\0t\25V\350\364\331\377\377\2115p\234B\0jx\350s\3\0\0\353(j\3\350\336\331\377\377\205\300u\35\211=p\234B\0\353\344\377t$0\377t$0h\21\1\0\0\3775\370\353B\0\377\323\377t$0\377t$0U\350\311\3\0\0\351,\3\0\0\213D$,\213\$$;\351\243\214\250B\0uM\2135$r@\0j\1S\211\35$\364B\0\377\326j\2S\243\234\250B\0\377\326j\377j\34S\243h\230B\0\350"\3\0\0\3775\10\354B\0j\362S\377\25tq@\0j\4\350Y\331\377\377\243\354\353B\03\300@\243\214\250B\0\213\15\204\222@\03\377\213\361\301\346\6\35@\364B\0;\317|>\203\370\1u1W\377v\20\350\204\330\377\377\205\300t$j\1Wh\17\4\0\0\3775\370\353B\0\377\25\17\204w\2\0\0h\13\4\0\0\350\354\2\0\0\241\214\250B\0\1\5\204\222@\0\301\340\6\3\360\241\204\222@\0;\5D\364B\0u\7j\1\350\311\330\377\377\203=\354\353B\0\0\17\205\367\1\0\0\241D\364B\09\5\204\222@\0\17\203\346\1\0\0\377v$\213~\24h\0pC\0\350\210\36\0\0\377v h\31\374\377\377S\350@\2\0\0\377v\34h\33\374\377\377S\3502\2\0\0\377v(h\32\374\377\377S\350$\2\0\0j\3S\377\25$r@\0\203=\254\364B\0\0\213\350t\10f\201\347\375\376\203\317\4\213\307\203\340\10PU\377\25Xr@\0\213\307%\0\1\0\0PU\377\254r@\0\213\307\203\340\2P\350\3\2\0\0\203\347\4W\3775h\230B\0\377\254r@\03\377", ) \3\0\0\3775\10\354B\0j\362S\377\25tq@\0j\4\350Y\331\377\377\243\354\353B\03\300@\243\214\250B\0\213\15\204\222@\03\377\213\361\301\346\6\35@\364B\0;\317|>\203\370\1u1W\377v\20\350\204\330\377\377\205\300t$j\1Wh\17\4\0\0\3775\370\353B\0\377\2503\3009=\354\353B\0\17\224\300\351\201\2\0\09>\17\204w\2\0\0h\13\4\0\0\350\354\2\0\0\241\214\250B\0\1\5\204\222@\0\301\340\6\3\360\241\204\222@\0;\5D\364B\0u\7j\1\350\311\330\377\377\203=\354\353B\0\0\17\205\367\1\0\0\241D\364B\09\5\204\222@\0\17\203\346\1\0\0\377v$\213~\24h\0pC\0\350\210\36\0\0\377v h\31\374\377\377S\350@\2\0\0\377v\34h\33\374\377\377S\3502\2\0\0\377v(h\32\374\377\377S\350$\2\0\0j\3S\377\25$r@\0\203=\254\364B\0\0\213\350t\10f\201\347\375\376\203\317\4\213\307\203\340\10PU\377\25Xr@\0\213\307%\0\1\0\0PU\377\254r@\0\213\307\203\340\2P\350\3\2\0\0\203\347\4W\3775h\230B\0\377\254r@\03\377", ) == 0x0 01398 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "r@\0\377\3259=\254\364B\0t\23Wj\2h\1\4\0\0S\377\325\3775h\230B\0\353\6\3775\234\250B\0\350\315\1\0\0\275\240\250B\0h \354B\0U\350\240\35\0\0\377v\30U\350\255\35\0\0\3\305P\350\261\35\0\0US\377\25\350q@\0W\377v\10\350\20\327\377\377\205\300\17\205\276\376\377\3779\6\17\204\266\376\377\377\203~\4\5u\359\5\254\364B\0\17\205\21\1\0\09\5\240\364B\0\17\205\230\376\377\377\351\0\1\0\0\3775\370\353B\0\377\25\340q@\0\2115x\240B\0\203>\0\17\216\300\0\0\0\213F\4V\3774\205\210\222@\0f\213\6f\3\5\0\354B\0S\17\267\300P\3775 \364B\0\377\25\334q@\0\205\300\243\370\353B\0\17\204\215\0\0\0\377v,j\6P\350\332\0\0\0\215D$\20Ph\372\3\0\0S\377\25$r@\0P\377\25pq@\0\215D$\20PS\377\25lq@\03\377j\25WW\377t$ \377t$ W\3775\370\353B\0\377\25|q@\0W\377v\14\350<\326\377\377j\10\3775\370\353B\0\377\25Xr@\0h\5\4\0\0\350\306\0\0\0\353 \3775\370\353B\0\377\25\340q@\0\3775p\234B\0\203%$\364B\0\0S\377\25\264q@\0\203=\240\270B\0\0u\34\203=\370\353B\0\0t\23j\12S\377\25Xr@\0\307\5\240\270B\0\1\0\0\03\300_^][\203\304\20\302\20\0\203|$\4xu\6\377\5\354\353B\0j\0\377t$\10h\10\4\0\0\3775$\364B\0\377\25, ) , ) == 0x0 01399 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\3775$\364B\0\377\25\17\276\7\211E\24\213C\24\377u\10\203e\370\0\213\360G\367\326\301\356\5\203\346\1\203\340\1\211}\364\307E\374\327>@\0\13\360\350L\376\377\377\377s8j#\377u\10\350?\376\377\3773\300j\1\205\366\17\224\300\5\12\4\0\0P\377u\10\377\25\220q@\0V\350C\376\377\377h\350\3\0\0\377u\10\377\25$r@\0\213\330S\350@\376\377\377\213517\276\7\211E\24\213C\24\377u\10\203e\370\0\213\360G\367\326\301\356\5\203\346\1\203\340\1\211}\364\307E\374\327>@\0\13\360\350L\376\377\377\377s8j#\377u\10\350?\376\377\3773\300j\1\205\366\17\224\300\5\12\4\0\0P\377u\10\377\25\220q@\0V\350C\376\377\377h\350\3\0\0\377u\10\377\25$r@\0\213\330S\350@\376\377\377\21354\0\0S\377\326\241(\364B\0\213@h\205\300}\11\367\330P\377\25\200q@\0Pj\0hC\4\0\0S\377\326h\0\0\1\4j\0hE\4", ) == 0x0 01400 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "W\350\353\31\0\0Pj\0h5\4\0\0S\377\326\215E\364P\377u\24hI\4\0\0S\377\326\203%\210\250B\0\03\300\351a\1\0\0\201}\14\21\1\0\0\213\35$r@\0\2135, ) , ) == 0x0 01401 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0U\213\354\203\354H\241x\240B\0SV\211E\340\213p<\213@8\301\346\12\201\306\0\0C\0\201}\14\13\4\0\0W\211E\370\273\373\3\0\0u\15VS\350\206\20\0\0V\350\330\31\0\0\201}\14\20\1\0\0uxS\377u\10\377\25$r@\0V\213\370\350\372\22\0\0\205\300t\20V\350\27\23\0\0\205\300u\6V\350z\22\0\0\213E\10VW\243\370\353B\0\377\25\350q@\0\213E\24\377p4j\1\377u\10\3505\373\377\377\213E\24\377p0j\24\377u\10\350%\373\377\377W\350T\373\377\377h\214r@\0h\200r@\0\350;\32\0\0\205\300\17\204+\2\0\0j\1W\377\320\201}\14\21\1\0\0\17\205\306\0\0\0\17\267E\20;\303u\30\213M\20\301\351\20f\201\371\0\3\17\205\0\2\0\0\307E\14\17\4\0\0=\351\3\0\0\17\205\233\0\0\0j\73\300Y\215}\274\377u\370\363\253\213E\10\277\240\250B\0hx\234B\0\211E\270\211}\300\307E\314\373D@\0\211u\320\350\326\26\0\0\211E\304\215E\270P\307E\310A\0\0\0\377\25Tq@\0\205\300tMP\350\363\16\0\0V\350\235\21\0\0\241(\364B\0\213\200\34\1\0\0\205\300t Pj\0\350\233\26\0\0W\277\300\343B\0W\377\25\244p@\0\205\300t\7WV\350}\26\0\0\377\5\220\250B\0VS\377u\10\350/\17\0\0\353\7\307E\14\17\4\0\0\201}\14\17\4\0\0t\15\201}\14\5\4\0\0\17\205=\1\0\0\203e\374\0\203e\370\0VS\203\317\377\350\4\17\0\0V\350\7\22\0\0\205\300u\7\307E\374\1\0\0\0V\276p\230B\0V\350\3\26\0\0V\350\235\21\0\0\205\300t\3\200 \0h\340\222@\0h\310\222@\0\350\372\30\0\0", ) , ) == 0x0 01402 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "Q\215M\354Q\215M\330QV\377\320\205\300t\17\213}\330\213E\334\17\254\307\12\301\350\12\353/\215E\334P\215E\364P\215E\350P\215E\360PV\377\25\274p@\0\205\300t\33\213E\360S\17\257E\350\377u\364P\377\25,q@\0\213\370\307E\370\1\0\0\0j\5\350\272\1\0\0;\370s\7\307E\374\2\0\0\0\213\15\374\353B\03\3669q\20t+Pj\373h\377\3\0\0\350\340\0\0\09u\370t\13Wj\374S\350\322\0\0\0\353\16h`\230B\0S\377u\10\350\32\16\0\0\213E\374;\306\243\304\364B\0u\12j\7\350^\317\377\377\211E\374\213E\340\205X\24t\3\211u\3743\3009u\374\17\224\300P\350\27\371\377\3779u\374u\1595\220\250B\0u\5\350\266\374\377\377\2115\220\250B\0\377u\24\377u\20\377u\14\3506\371\377\377_^[\311\302\20\0U\213\354\203}\14\1V\2135, ) , ) == 0x0 01403 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "V\377u\10\3775\370\353B\0\350\252\14\0\0_^[\311\302\14\0\213\25L\364B\0\213\15H\364B\03\300\205\322t\30V\366A\10\1t\7\213t$\10\3\4\261\201\301\30\4\0\0Ju\352^\302\4\0U\213\354\203\3548V\2135, ) , ) == 0x0 01404 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2370j\25\377u\10\350\267\365\377\377\377t\2374j\26\377u\10\350\251\365\377\3773\3773\3339=L\364B\0\17\216\304\0\0\0\213E\344\215P\10\211U\354\215B\20\2008\0\17\204\220\0\0\0\211E\310\213\2j \213\320Y\211]\260#\321\307E\264\2\0\377\377\250\2\307E\270\15\0\0\0\211M\304\211}\334\211U\300t8\215E\260\307E\270M\0\0\0Pj\0h\0\21\0\0\307E\330\1\0\0\0\377u\374\377\326\213\15\230\250B\0\307E\350\1\0\0\0\211\4\271\241\230\250B\0\213\34\270\353.\250\4t\21Sj\3h\12\21\0\0\377u\374\377\326\213\330\353\31\215E\260Pj\0h\0\21\0\0\377u\374\377\326\213\15\230\250B\0\211\4\271\213U\354G\201\302\30\4\0\0;=L\364B\0\211U\354\17\214K\377\377\377\203}\350\0u\31j\360\377u\374\377\25\204q@\0$\373Pj\360\377u\374\377\25(r@\0\203}\364\0u\30j\5\377u\370\377\25Xr@\0\377u\370\350\330\364\377\377\351\203\3\0\0\377u\374\350\313\364\377\377\213]\3443\377\201}\14\5\4\0\0u\223\311\211}\20A\307E\14\17\4\0\0\211M\24\353\3\213M\24\203}\14N\270\23\4\0\0t\119E\14\17\205\347\0\0\09E\14\211M\364t\15\201y\4\10\4\0\0\17\205\322\0\0\0\366\51\364B\0\2uv9E\14t\11\213M\24\203y\10\376uh3\3119E\14\17\225\301Q\377u\374\350\242\374\377\377;\307|S\213\310i\311\30\4\0\0\215T\31\10\213\12\366\301\20u@\366\301@t\24\201\361\200\0\0\0\204\311y\5\203\311\1\353\10\203\341\376\353\3\203\361\1P\211\12\350\241\307\377\377\2410\364B\03\311\367\320A\307E\14\17\4\0\0\301\350\10#\301\211M", ) , ) == 0x0 01405 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\201x\10n\376\377\377u\16\377p\Wh\31\4\0\0\377u\374\377\326\213E\364\201x\10j\376\377\377u(\203x\14\2u\22\213@\i\300\30\4\0\0\215D\30\10\203\10 \353\20\213@\i\300\30\4\0\0\215\\30\10\203#\337\201}\14\21\1\0\0urf\201}\20\371\3\17\205H\2\0\0\213E\20\301\350\20f=\1\0\17\2058\2\0\0WWhG\1\0\0\377u\370\377\326\203\370\377\17\204#\2\0\0WPhP\1\0\0\377u\370\377\326\213\330\203\373\377t\10\213E\3609<\230u\3j [S\350\360\307\377\377SWh \4\0\0\377u\10\377\326\307E\20\1\0\0\0\211}\24\307E\14\17\4\0\0\201}\14\0\2\0\0u\14WWh\0\2\0\0\377u\374\377\326\201}\14\13\4\0\0u2\241\204\250B\0;\307t\7P\377\25,p@\0\241\230\250B\0;\307t\7P\377\25\364p@\0\211=\204\250B\0\211=\230\250B\0\211=\200\364B\0\201}\14\17\4\0\0\17\205G\1\0\0WW\350\305\306\377\3779}\20t\7j\10\350\332\310\377\3779}\24t?\3775\230\250B\0\350\234\307\377\377\213\330S\350K\307\377\3773\3003\311;\337~\16\213U\3609<\202t\1A@;\303|\362WQhN\1\0\0\377u\370\377\326\211]\24\307E\14 \4\0\0WW\350n\306\377\377\241\230\250B\09=L\364B\0\211E\344\241H\364B\0\307E\3100\360\0\0\211}\364\17\216\234\0\0\0\215X\10\213E\344\213M\364\213\4\210;\307tt\213\13\211E\300\366\305\1\307E\274\10\0\0\0t\21\215C\20\307E\274\11\0\0\0\211E\314\200c\1\376\366\301@t\5j\3X\353\16\213\301\203\340\1@\366\301\20t\3\203\300\3\213\321\377u\300\301", ) , ) == 0x0 01406 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\3\300\203\342 \203\341\1\13\302A\211E\304Qh\2\21\0\0\377u\374\377\326\215E\274PWh\15\21\0\0\377u\374\377\326\377E\364\201\303\30\4\0\0\213E\364;\5L\364B\0\17\214g\377\377\377j\1W\377u\374\377\258r@\0\241\374\353B\09x\20t\24j\5\350\271\371\377\377Pj\373h\377\3\0\0\350\367\370\377\377\201}\14 \4\0\0u5\366\51\364B\0\1t,3\300\203}\24 \2135Xr@\0\17\224\300\301\340\3\213\370W\377u\374\377\326Wh\376\3\0\0\377u\10\377\25$r@\0P\377\326\377u\24\377u\20\377u\14\350t\361\377\377_^[\311\302\20\0U\213\354\201}\14\2\1\0\0SVu\33\203}\20 \17\205\212\0\0\0h\23\4\0\0\3500\361\377\3773\300\351\222\0\0\0\203}\14\2u\7\203\15\234\222@\0\377\201}\14\0\2\0\0\276\31\4\0\0u\36\377u\10\377\25\240q@\0\205\300tQj\1\377u\10\350+\371\377\377\213\330\211u\14\353\3\213]\249u\14u;9\35\234\222@\0t3W\276\0\0C\0\277\240\250B\0VW\211\35\234\222@\0\350\224\14\0\0SV\350\353\13\0\0j\6\350\273\306\377\377WV\350\177\14\0\0_\353\3\213]\24S\377u\20\377u\14\377u\10\3775\224\250B\0\377\25\234q@\0^[]\302\20\0U\213\354\203\3540\241\4\354B\0S3\333V;\303W\211E\374\17\204\260\0\0\0\241\240\222@\0\276\200\240B\0\213\370\211E\370\203\347\1u\11\377u\10V\350G\14\0\0V\3505\14\0\09]\14\211E\10t\33\377u\14\350%\14\0\0\3E\10=\0\10\0\0ss\377u\14V\350\30\14\0\0\366E\370\4t\15V\3775\350\353B\0\377\25\350q@\0\366E", ) , ) == 0x0 01407 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "u\344\377u\374\2135, ) , ) == 0x0 01408 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\364B\0\2u\15j\10\377u\374\377\25Xr@\0\353\6\211\35\360\353B\0h\354\3\0\0\377u\10\377\327h\0\00u\213\370Sh\1\4\0\0W\377\326\366\50\364B\0\4\17\204\361\1\0\0\377u\20Sh\11\4\0\0W\377\326\377u\14Sh\1 \0\0W\377\326\351\324\1\0\0\201}\14\5\4\0\0u(\215E\10PSh\354\3\0\0\377u\10\377\25$r@\0PhPN@\0SS\377\25\310p@\0P\377\25`p@\0\201}\14\21\1\0\0\2135Xr@\0u\33f\201}\20\3\4u5S\3775\360\353B\0\377\326j\10W\377\326\350\336\360\377\377\201}\14\4\4\0\0uU9\35\354\353B\0t&jx\307\5p\234B\0\2\0\0\0\350\302\354\377\377\377u\24\377u\20\377u\14\350B\355\377\377_^[\311\302\20\0j\10\3775$\364B\0\377\3269\35\254\364B\0u\16\241x\240B\0S\377p4\350o\374\377\377j\1\350\206\354\377\377\203}\14{u\2769}\20u\271SSh\4\20\0\0W\377\25, ) , ) == 0x0 01409 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0V\350\351\7\0\0\3\360f\307\6\15\12FFC;]\14|\331\377u\10\377\25\300p@\0\377u\10j\1\377\25\250q@\0\377\25\244q@\03\300\351\260\376\377\377U\213\354Q\215E\374P\377\25Lq@\0\213E\374\205\300t\22\377u\10\213\10P\377Q\24\213E\374P\213\10\377Q\10\311\302\4\0U\213\354\203\354\20\377u\14\307\5\250\310B\0D\0\0\0\377\25\200p@\03\311\203\370\377t\4\250\20u\3\211M\14\215E\360Ph\250\310B\0\377u\14QQQQQ\377u\10Q\377\25\314p@\0\205\300t\14\377u\364\377\25`p@\0\213E\360\311\302\10\0\377%\304q@\0h\0\4\0\0\377t$\14\377t$\14\3775\370\353B\0\377\25\310q@\0\302\10\0\213D$\10\213\310\201\341\377\377\37\0\203=\300\364B\0\0t\5\301\350\25u%\203=\310\364B\0\0t\6\201\361\0\0\30\0Qh \354B\0\377t$\14\3775$\364B\0\377\25\314q@\0\302\10\0U\213\354\201\354H\1\0\0VW\213}\10W\350\227\2\0\0\366E\14\10\211E\370t\27W\377\25@q@\0\367\330\33\300@\1\5\250\364B\0\351\221\1\0\0S\213]\14\203\343\1\211]\374t\22\205\300\17\204"\1\0\0\366E\14\2\17\204\30\1\0\0\276\250\270B\0WV\350`\6\0\0\205\333t\15h\0\223@\0V\350m\6\0\0\353\6W\350\235\1\0\0h\20\220@\0W\350Z\6\0\0W\350N\6\0\0\213\330\215\205\270\376\377\377PV\3\337\377\25\1\0\0\2008\0t\11\200}\350\0t\3\215u\350\200>.u\21\212F\1\204\300tm<.u\6\200", ) \1\0\0\366E\14\2\17\204\30\1\0\0\276\250\270B\0WV\350`\6\0\0\205\333t\15h\0\223@\0V\350m\6\0\0\353\6W\350\235\1\0\0h\20\220@\0W\350Z\6\0\0W\350N\6\0\0\213\330\215\205\270\376\377\377PV\3\337\377\250\203\370\377\211E\10\17\204\274\0\0\0\215\205\344\376\377\377j?P\215\265\344\376\377\377\350>\1\0\0\2008\0t\11\200}\350\0t\3\215u\350\200>.u\21\212F\1\204\300tm<.u\6\200", ) == 0x0 01410 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213\205\270\376\377\377\250\20t\25\213E\14\203\340\3<\3uH\377u\14W\350\0\377\377\377\353=$\376PW\377\25\214p@\0W\377\25@q@\0\205\300u \366E\14\4t\22Wj\361\350<\371\377\377j\0W\350\331\2\0\0\353\20\377\5\250\364B\0\353\10Wj\362\350"\371\377\377\215\205\270\376\377\377P\377u\10\377\258q@\0\205\300\17\205M\377\377\377\377u\10\377\254q@\0\203}\374\0t\4\200c\377\03\366[9u\374tS9u\370u\10\377\5\250\364B\0\353FW\350\16\10\0\0\205\300t371\377\377\215\205\270\376\377\377P\377u\10\377\258q@\0\205\300\17\205M\377\377\377\377u\10\377\254q@\0\203}\374\0t\4\200c\377\03\366[9u\374tS9u\370u\10\377\5\250\364B\0\353FW\350\16\10\0\0\205\300t350<\0\0\0h\200\0\0\0W\377\25\214p@\0W\377\25\320p@\0\205\300u\27\366E\14\4t\313Wj\361\350\255\370\377\377VW\350K\2\0\0\353\10Wj\345\350\234\370\377\377_^\311\302\10\0V\213t$\10V\350\376\4\0\0\3\306PV\377\25\320q@\0\2008\t\13h\20\220@\0V\350\352\4\0\0\213\306^\302\4\0\213D$\4\353\15:L$\10t\15P\377\25\24r@\0\212\10\204\311u\355\302\10\0V\213t$\10V\350\267\4\0\0\3\306\2008\t\14PV\377\25\320q@\0;\306w\357\200 \0^\302\4\0\213L$\4\212\1\14 f\2019\\t\2212177\6\200y\1:t\43\300\353\33\300@\302\4\0SV\2135\24r@\0W\213|$\20W\377\326\213\330S\377\326\200?\0t\14f\201;:\u\5P\377\326\353!f\201?\\u\30j\2^j\PN\350_\377\377\377\2008\0t\7@\205\366u\355\353\23\300_^[\302\4\0VW\377t$\14\276\250\274B\0V\350\2\4\0\0V\350\234\377\377\377\213\370\205\377u\43\300\353RW\350(\6\0\0\366\50\364B", ) == 0x0 01411 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "t\343+\376\353\24\350\245\6\0\0\205\300t\5\366\0\20t\321V\350\25\377\377\377V\350\321\3\0\0;\307V\177\341\350\276\376\377\377V\377\25\200p@\03\311\203\370\377\17\225\301\213\301_^\302\4\0SVW\377t$\24\350\245\3\0\0\213\370\213t$\20\353"\377t$\24\212\347\200$7\0V\377\25\244p@\0\205\300\210\347t\33V\377\25\24r@\0\213\360V\350u\3\0\0;\307}\3243\300_^[\302\10\0\213\306\353\366\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25\200p@\0\213\310j\0A\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\324p@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\234p@\0j\323\322Y\367\361V\215E\10j\0P\377u\14\0U\12\377\25\330p@\0\205\300u\15\205\377u\320\200&\0_^]\302\10\0\213\306\353\366SUVWh0\223@\0h\310\222@\0\350\270\5\0\0\205\300\213t$\30t\21j\5V\377t$\34\377\320\205\300\17\205F\1\0\0\213\35pp@\0\307\50\312B\0NUL\0\205\366\277\0\4\0\0\2750\312B\0t&j\1j\0V\3505\377\377\377P\377\25`p@\0WUV\377\323\205\300\17\204\20\1\0\0;\307\17\217\10\1\0\0\276\250\304B\0WV\377t$\34\377\323\205\300\17\204\363\0\0\0;\307\17\217\353\0\0\0VUh(\223@\0h\250\300B\0\377\25\364q@\0\203\304\20\213\330h\360\3\0\0V\377\25\260p@\0h\30\223@\0V\350\31\2\0\03\300Ph\200\0\0\10j\4PPh\0\0\0\300V\377\25\324p", ) \377t$\24\212\347\200$7\0V\377\25\244p@\0\205\300\210\347t\33V\377\25\24r@\0\213\360V\350u\3\0\0;\307}\3243\300_^[\302\10\0\213\306\353\366\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25\200p@\0\213\310j\0A\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\324p@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\234p@\0j\323\322Y\367\361V\215E\10j\0P\377u\14\0U\12\377\25\330p@\0\205\300u\15\205\377u\320\200&\0_^]\302\10\0\213\306\353\366SUVWh0\223@\0h\310\222@\0\350\270\5\0\0\205\300\213t$\30t\21j\5V\377t$\34\377\320\205\300\17\205F\1\0\0\213\35pp@\0\307\50\312B\0NUL\0\205\366\277\0\4\0\0\2750\312B\0t&j\1j\0V\3505\377\377\377P\377\25`p@\0WUV\377\323\205\300\17\204\20\1\0\0;\307\17\217\10\1\0\0\276\250\304B\0WV\377t$\34\377\323\205\300\17\204\363\0\0\0;\307\17\217\353\0\0\0VUh(\223@\0h\250\300B\0\377\25\364q@\0\203\304\20\213\330h\360\3\0\0V\377\25\260p@\0h\30\223@\0V\350\31\2\0\03\300Ph\200\0\0\10j\4PPh\0\0\0\300V\377\25\324p", ) == 0x0 01412 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0j\0U\377\25\224p@\0\213\370\215D\37\12Pj@\377\25\370p@\0\213\360\205\366to\215D$\30j\0PWVU\377\25(q@\0\205\300t[;|$\30uUh\14\223@\0V\350\374\375\377\377\205\300uZ\215\4>h\14\223@\0P\350\205\1\0\0\203\307\12\213\307S\3\306h\250\300B\0P\350#\376\377\3773\300PPPU\377\250q@\0\215D$\30j\0\3\373PWVU\377\25$q@\0V\377\25\364p@\0U\377\25`p@\0\377\5\260\364B\0_^][\302\10\0\203\300\12h\10\223@\0P\350\220\375\377\377\205\300t\245@\215\24>;\302\213\310s\15\212\21\210\24\31A\215\24>;\312r\363+\306\353\214U\213\354S\215E\14V\213u\243\333Ph\31\0\2\0S\377u\14\210\36\377u\10\377\25\20p@\0\205\300u>\215E\10\307E\10\0\4\0\0P\215E\24VPS\377u\20\377u\14\377\25\0p@\0\205\300u\14\203}\24\1t\10\203}\24\2t\2\210\36\377u\14\210\236\377\3\0\0\377\25\34p@\0^[]\302\20\0\377t$\10h\20s@\0\377t$\14\377\25\364q@\0\203\304\14\302\10\0U\213\354Q\213M\10SVW3\377\2009-\307E\374\1\0\0\0\260\12\2639u\5A\203M\374\377\20090u\34A\212\21\200\3720|\11\200\3727\177\4\260\10\2637\200\342\337\200\372Xu\3\260\20A\17\276\21A\203\3720|\14\17\276\363;\326\177\5\203\3520\353\31<\20u!\213\362\203\346\337\203\376A|\27\203\376F\177\22\203\342\7\203\302\11\17\276\360\17\257\367\3\362\213\376\353\306\213E\374\17\257\307_^[\311\302\4\0h\0\4\0\0\377t$\14\377t$\14\377\25\270p@\0\302\10\0\377%\334", ) , ) == 0x0 01413 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\203\354\30S\213]\14VW\205\333}\21\213\15\374\353B\0\215\4\235\4\0\0\0+\310\213\31\241X\364B\0\213M\10\3\330\270\300\343B\0+\310\213\370\201\371\0\10\0\0\17\203\264\1\0\0\213}\10\203e\10\0\351\250\1\0\0\213\327+\320\201\372\0\4\0\0\17\215\245\1\0\0C\200\371\374\17\206\201\1\0\0\17\276C\1\17\276\13\213\360\213\321\203\346\177\203\342\177\301\346\7\13\362\272\0\200\0\0\211M\350\211E\360\13\312\13\302C\211M\354C\200}\17\376\211E\364\17\205\365\0\0\0\203e\14\0\200'\0j\4^9u\360u\11\307E\14\234\223@\0\353x\213E\350\203\370+u\27Wh\214\223@\0h`\223@\0h\2\0\0\200\350\0\376\377\377\353T\203\370&u+WhP\223@\0h`\223@\0h\2\0\0\200\350\344\375\377\377\200?\0\17\205\223\0\0\0h<\223@\0W\350\334\376\377\377\353$\203\370%u\16h\0\4\0\0W\377\25\344p@\0\353\21\203\370$u\21h\0\4\0\0W\377\25\260p@\0\200?\0u]\203=\244\364B\0\0u\3j\2^\215E\374NP\377t\265\350\3775$\364B\0\377\25dq@\0\205\300u\35W\377u\374\377\25Pq@\0\377u\374\211E\370\350\324\366\377\377\203}\370\0u\11\353\3\200'\0\205\366u\303\200?\0t\17\203}\14\0t\11\377u\14W\350p\376\377\377W\350\212\0\0\0\353F\200}\17\375u.\203\376\33u\16\3775$\364B\0W\350\223\375\377\377\353\21\213\306\301\340\12\5\0\0C\0PW\350"\376\377\377\203\306\353\203\376\6s\24\353\304\200}\17\377u\14\203\310\377+\306PW\350(\376\377\377W\350\26\376\377\377\3\370\270\300\343B\0\353\15u\10\212\13\210\17GC\353\3\210\17G\212\13\204", ) \376\377\377\203\306\353\203\376\6s\24\353\304\200}\17\377u\14\203\310\377+\306PW\350(\376\377\377W\350\26\376\377\377\3\370\270\300\343B\0\353\15u\10\212\13\210\17GC\353\3\210\17G\212\13\204", ) == 0x0 01414 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\203}\10\0_^[t\11P\377u\10\350\310\375\377\377\311\302\10\0SV\213t$\14W\200>\u\25\200~\1\u\17\200~\2?u\11\200~\3\u\3\203\306\4\200>\0t\14V\350\21\371\377\377\205\300t\2FF\212\6\213\336\204\300\213\376t9U\213-\24r@\0<\37v"Ph\310\223@\0\350\252\370\377\377\2008\0u\22V\377\325+\306PVW\350\21\372\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317]\200'\0WS\377\25\320q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^[\302\4\0SV\2135\4q@\0Wh\1\200\0\0\377\326\277\360\310B\0W\377t$\24\377\25310\223@\0\350\252\370\377\377\2008\0u\22V\377\325+\306PVW\350\21\372\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317]\200'\0WS\377\25\320q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^[\302\4\0SV\2135\4q@\0Wh\1\200\0\0\377\326\277\360\310B\0W\377t$\24\377\250\213\330\377\326\203\373\377t\13S\377\254q@\0\213\307\353\23\300_^[\302\4\0\377t$\4\377\25\10q@\0\205\300u\16\377t$\4\377\25\14q@\0\205\300t\13\377t$\10P\377\25\20q@\0\302\10\0U\213\354\203\354\34V\213u\10W\213=\330q@\0\353\12\215E\344P\377\25\324q@\0j\1VV\215E\344j\0P\377\327\205\300u\346_^\311\302\4\0\203=4\316B\0\0Vu-3\311j\10\213\301^\213\320\200\342\1\366\332\33\322\201\342 \203\270\355\321\3503\302Nu\352\211\4\2150\316B\0A\201\371\0\1\0\0|\325\213T$\20\213D$\10\205\322\367\320v#\213L$\14W\17\2669\213\360\201\346\377\0\0\03\367\301\350\10\2134\2650\316B\03\306AJu\343_\367\320^\302\14\0U\213\354\203\354D\213E\10SVW\213\10\215p\20\213@\4\211M\310\213\216\250\233\0\0\213\236\30\5\0\0\211E\314\213\206\34\5\0\0\211E\300\213\206\244\233\0\0;\310\211M\320s", ) == 0x0 01415 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "+\301\211E\324\351\303\11\0\0\377$\205\10h@\0\203}\314\0\17\204\302\11\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213E\300\203\353\3\301m\300\3\203\340\7\213\310\200\341\1\366\331\33\311\203\341\7\321\350\203\301\10\203\350\0\211\216\24\5\0\0\17\204.\1\0\0HtVHtHH\17\205]\11\0\0\203\317\377\307\6\21\0\0\0\213E\300\213M\10\211\206\34\5\0\0\213E\314\211\236\30\5\0\0\211A\4\213E\10\213M\310P\211\10\213M\320\211\216\250\233\0\0\350\240\11\0\0\213\307_^[\311\302\4\0\307\6\13\0\0\0\351\21\11\0\0\200=\270\343B\0\0\17\205\240\0\0\0\203e\370\0\2708\322B\0=t\324B\0\261\10~\24=8\326B\0}\4\376\301\353\11=\230\326B\0}\2\261\7\17\276\311\211\10\203\300\4=\270\326B\0|\324\215E\370\2778\322B\0Ph8\333B\0h\370\223@\0h4\322B\0hhs@\0h(s@\0h\1\1\0\0h \1\0\0W\350\200\11\0\0j\36Yj\5X\363\253\215E\370Ph8\333B\0h\374\223@\0h0\322B\0h\344s@\0h\250s@\0j\0j\36h8\322B\0\350M\11\0\0\376\5\270\343B\0\240\370\223@\0\210F\20\240\374\223@\0\210F\21\2414\322B\0\211F\24\2410\322B\0\211F\30\203&\0\351<\10\0\0\213\313\307\6\11\0\0\0\203\341\7\323m\300+\331\351'\10\0\0\203}\314\0\17\204-\10\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\20r\333\213E\3003\333%\377\377\0\0\211]\300;\303\211F\4\17\204\351\0\0\0j\12X\351\347\0\0\0\203}\314\0\17\204\350\7\0", ) , ) == 0x0 01416 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213\216\240\233\0\0\213U\320;\321u)\213\206\244\233\0\0\215\276\240\33\0\0;\307t\31\213\327;\320\211U\320s\5+\302H\353\4+\312\213\301\205\300\211E\324ub\377u\10\211\226\250\233\0\0\350\4\10\0\0\213\226\250\233\0\0\213\216\244\233\0\0;\321\211U\320s\7\213\301+\302H\353\10\213\206\240\233\0\0+\302\213\276\240\233\0\0\211E\324;\327u\35\215\226\240\33\0\0;\321t\23\211U\320s\7+\312I\213\301\353\4+\372\213\307\211E\324\205\300\17\204a\7\0\0;E\314r\3\213E\314\213N\4;\310\213\371r\2\213\370W\377u\310\377u\320\350\325\365\377\377\1}\310)}\314\1}\320)}\324)~\4\17\205\1\7\0\0\213\206\24\5\0\0\211\6\351\364\6\0\0\203}\314\0\17\204\372\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\16r\333\213E\300%\377?\0\0\213\310\211F\4\203\341\37\200\371\35\17\207Y\375\377\377%\340\3\0\0=\240\3\0\0\17\207I\375\377\377\301m\300\16\203\353\16\203f\10\0\307\6\14\0\0\0\213F\4\301\350\12\203\300\49F\10si\353 \203}\314\0\17\204\213\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213N\10\213E\300\203\340\7\203\353\3\17\276\211\24s@\0\301m\300\3\211D\216\14\213N\4\377F\10\213F\10\301\351\12\203\301\4;\301r\315\353\22\213F\10\17\276\200\24s@\0\203d\206\14\0\377F\10\203~\10\23r\350\215M\370\215\276\14\5\0\0Q\215\216 \5\0\0Q\215\216\20\5\0\03\300WQP\211E\370Pj\23\215F\14j\23P\307\7\7\0\0\0\350\310\6\0\0\205\300u\229\7t\16!F\10\307", ) , ) == 0x0 01417 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\21\0\0\0\351\304\5\0\0\213\206\14\5\0\0\353 \203}\314\0\17\204\302\5\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213\216\20\5\0\0\215\4\201\17\266P\1\17\267@\2\203\370\20\211E\354s\26\213\312+\332\323m\300\213N\10\211D\216\14\377F\10\351\254\0\0\0\203\370\22u\14j\7\307E\370\13\0\0\0X\353,\203\300\362\307E\370\3\0\0\0\353 \203}\314\0\17\204G\5\0\0\213M\310\377M\314\17\2669\213\313\323\347\11}\300\377E\310\203\303\10\215\14\20;\331r\331\213\312+\332\323m\300\17\267\14E\324\223@\0#M\300\213U\370+\330\3\321\213\310\213F\4\323m\300\213N\10\213\370\301\357\5\203\347\37\203\340\37\215\204\7\2\1\0\0\215<\12;\370\17\207|\373\377\377\203}\354\20u\17\203\371\1\17\202m\373\377\377\213|\216\10\353\23\377\215D\216\14\2118A\203\300\4Ju\367\211N\10\213F\4\213N\10\213\320\203\340\37\301\352\5\203\342\37\215\204\2\2\1\0\0;\310\17\202\316\376\377\377\213F\4\203\246\20\5\0\0\0\203e\364\0\213\370\301\350\5\203\347\37\271\1\1\0\0\203\340\37\3\371@\215U\364\211E\354\215\206 \5\0\0RP\215E\374\307E\374\11\0\0\0P\215E\350Phhs@\0h(s@\0Q\215F\14WP\307E\360\6\0\0\0\350\33\5\0\0\203}\374\0u\3\203\310\377\205\300\17\205\312\372\377\377\215E\364P\215\206 \5\0\0P\215E\360P\215E\344Ph\344s@\0h\250s@\0j\0\377u\354\215D\276\14P\350\336\4\0\0\205\300\17\205\226\372\377\377\213E\360\205\300u\14\201\377\1\1\0\0\17\217\203\372\377\377\212M\374\203&\0\210", ) , ) == 0x0 01418 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "N\20\211F\30\17\266F\20\211F\14\213F\24\211F\10\307\6\1\0\0\0\213F\14\353 \203}\314\0\17\204\266\3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\205\311u\22\17\267@\2\211F\10\307\6\6\0\0\0\351Y\3\0\0\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\4\307\6\2\0\0\0\351<\3\0\0\366\301@\17\204\321\0\0\0\366\301 \17\204\315\371\377\377\307\6\7\0\0\0\351\37\3\0\0\213F\10\353 \203}\314\0\17\204 \3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\324\223@\0#M\300\1N\4\213\310\323m\300+\330\17\266F\21\211F\14\213F\30\211F\10\307\6\3\0\0\0\213F\14\353 \203}\314\0\17\204\317\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\14\307\6\4\0\0\0\351k\2\0\0\366\301@\17\205\5\371\377\377\211N\14\17\267H\2\215\4\210\211F\10\351P\2\0\0\213F\10\353 \203}\314\0\17\204Q\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\324\223@\0#M\300\1N\14\213\310\323m\300+\330\307\6\5\0\0\0\213E\320\213V\14\213\310+\316\201\351\240\33\0\0;\312s\23\213\216\240\233\0\0+\312+\316\215\214\1`\344\377\377\353\4\213\310+\312\203~\4\0\211M\340\17", ) , ) == 0x0 01419 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\221\0\0\0\213\276\240\233\0\0;\307u#\213\216\244\233\0\0\215\226\240\33\0\0;\312t\23\213\302;\301s\7+\310I\213\371\353\2+\370\205\377ud\377u\10\211\206\250\233\0\0\350\11\2\0\0\213\206\250\233\0\0\213\216\244\233\0\0;\301\211E\320s\7\213\371+\370O\353\10\213\276\240\233\0\0+\370\213\226\240\233\0\0;\302\211U\370u\37\215\226\240\33\0\0;\312t\25\213\302;\301\211E\320s\7+\310I\213\371\353\5\213}\370+\370\205\377\17\204d\1\0\0\213M\340\212\21\210\20@AO;\216\240\233\0\0\211E\320\211M\340\211}\324u\11\215\216\240\33\0\0\211M\340\377N\4\17\205:\377\377\377\351\302\370\377\377\213E\324\213}\320\205\300\17\205\221\0\0\0\213\216\240\233\0\0;\371u#\213\206\244\233\0\0\215\226\240\33\0\0;\302t\23\213\372;\370s\5+\307H\353\4+\317\213\301\205\300ud\377u\10\211\276\250\233\0\0\3508\1\0\0\213\276\250\233\0\0\213\216\244\233\0\0;\371\211}\320s\7\213\301+\307H\353\10\213\206\240\233\0\0+\307\213\226\240\233\0\0;\372\211U\370u\37\215\226\240\33\0\0;\312t\25\213\372;\371\211}\320s\7+\317I\213\301\353\5\213E\370+\307\205\300\17\204\223\0\0\0\212N\10\210\17GH\211}\320\211E\324\351\21\370\377\377\203\373\7v\11\203\353\10\377E\314\377M\310\213E\320\377u\10\211\206\250\233\0\0\350\261\0\0\0\213\216\250\233\0\0\213\226\244\233\0\0;\312\211M\320s\7\213\302+\301H\353\10\213\206\240\233\0\0+\301;\312\211E\324u9\213\206\24\5\0\0\203\370\10\211\6u3\213\6\203\370\17\17\2062\366\377\377\351\223\366\377\377\213E\3003\377\211\206\34\5\0\0\213E\10\211\236\30\5\0\0\211x\4", ) , ) == 0x0 01420 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "3\377G\351q\366\377\377\5d@\0\30d@\0\256d@\0\377d@\0}e@\0\301e@\0\307f@\0xg@\01^@\0\306_@\0\353_@\0\371`@\08a@\0\33c@\0p^@\0\206g@\0SV\213t$\14W\213\276\264\233\0\0\213\236\270\233\0\0;\373v\6\213\236\260\233\0\0\213F\14+\337;\330r\2\213\330SW\377v\10+\303\211F\14\350\15\356\377\377\1^\10\213\206\260\233\0\0\3\373;\370u\269\206\270\233\0\0\215\276\260\33\0\0u\271\211\276\270\233\0\0\353\261\211\276\264\233\0\0_^[\302\4\0U\213\354\201\354\354\0\0\0SV\213u\14Wj\203\300Y\215}\220\363\253\213M\10\213\326\213\1\203\301\4\215D\205\220\377\0Ju\3629u\220u\23\213E\34\203 \0\213E \203 \03\300\351\360\2\0\0\213u 3\333Cj\17\213>\213\313\211} Z3\3009D\215\220u\5A;\312v\363;\371\211M\374s\3\211M 9D\225\220u\3Ju\3679U \211U\350v\3\211U \213} \211>\323\343\353\15+\\215\220\17\210\237\2\0\0A\3\333;\312r\357\213\362\301\346\2\215L5\220\2139+\337\211]\320\17\210\202\2\0\0\3\373\211\205T\377\377\377\21193\311Jt\233\377\3L=\224\203\307\4J\211\214=T\377\377\377u\357\213]\103\377\213\13\203\303\4;\310t\23\215\214\215P\377\377\377\213\21\211<\225\270\326B\0B\211\21G;}\14r\336\213\2145P\377\377\377\213] \203M\364\377\203e\334\0\211M\14\213M\374\367\333;M\350\211E\370\211\205P\377\377\377\307E\340\270\326B\0\211\205\24\377\377\377\17\217\363\1\0\0\215Q\377\215L\215\220\211U\330\211M\344\213M\344\2131\205", ) , ) == 0x0 01421 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213M N\3\313\211u\3249M\374\211M\354\17\216\314\0\0\0F\211u\360\213u\350\377E\364+u\354;u v\3\213u \213M\3743\322+M\354B\323\342;U\360v#\213}\344\203\310\377+E\324\3\320;\316s\24\353\15\203\307\4\3\322\213\7;\320v\7+\320A;\316r\356\213U(3\300@\213\22\323\340\211E\334\215<\2\201\377\240\5\0\0\17\207h\1\0\0\213E$\215\4\220\213U\364\215\264\225\24\377\377\377\213U(\211:\213U\364\205\322\211\6t1\213}\370\213v\374\211\274\225P\377\377\377\212U \210U\11\210M\10\213\327\213\313\323\352\213\310+\316\301\371\2+\312f\211M\12\213M\10\211\14\226\353\5\213M\34\211\1\213M\354\213\331\3M 9M\374\211M\354\17\2178\377\377\377\212M\374\213u\340*\313\210M\11\213M\14\215\14\215\270\326B\0;\361r\6\306E\10\300\353C\213\16;M\20s\34\201\371\0\1\0\0\17\222\301\376\311\203\341`\210M\10f\213\16\203\306\4\211u\340\353\34+M\20\213U\30\3\311\212\24\21\200\302P\203E\340\4\210U\10\213U\24f\213\14\21f\211M\12\213M\374\213U\3703\377+\313G\213\367\323\346\213\313\323\352\353\10\213M\10\211\14\220\3\326;U\334r\363\213M\330\213u\370\213\327\323\342\353\43\362\321\352\205\326u\370\213\3173\362\211M\360\213\313\213\327\211u\370\323\342J#\326\213\312\213U\364;\214\225P\377\377\377t\32+] \213\367J\213\313\323\346N#u\370;\264\225P\377\377\377u\351\211U\364\203}\324\0\17\205?\376\377\377\377E\374\203E\344\4\213M\374\377E\330;M\350\17\216\32\376\377\3773\3009E\320t\11\203}\350\1t\3\203\310\377_^[\311\302$\0\314\377%hr@\0\377%", ) , ) == 0x0 01422 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\236\200\0\0\262\200\0\0\220\200\0\0\200\200\0\0\6\201\0\0\366\200\0\0\344\200\0\0\326\200\0\0\304\200\0\0\0\0\0\08\201\0\0$\201\0\0\21\0\0\200N\201\0\0\0\0\0\0\314\177\0\0\274\177\0\0\254\177\0\0\226\177\0\0\200\177\0\0t\177\0\0d\177\0\0T\177\0\0\0\0\0\0.y\0\0y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0\340x\0\0\322x\0\0\304x\0\0\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0", ) y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0\340x\0\0\322x\0\0\304x\0\0\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0", ) == 0x0 01423 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "X}\0\0@}\0\0.}\0\0\36}\0\0\14}\0\0\0}\0\0\240~\0\0\360|\0\08|\0\0*|\0\0\30|\0\0\12|\0\0\2|\0\0\362{\0\0\340{\0\0\320{\0\0\276{\0\0\260{\0\0\240{\0\0\224{\0\0\210{\0\0|{\0\0v|\0\0\0\0\0\0\330\201\0\0\302\201\0\0\260\201\0\0\0\0\0\0\226\201\0\0\204\201\0\0p\201\0\0\0\0\0\0shlwapi.dll\0SHAutoComplete\0\0.DEFAULT\Control Panel\International\0\0\0\0Locale\0\0Control Panel\Desktop\ResourceLocale\0\0\0\0GetUserDefaultUILanguage\0\0\0\0%d\0\0\20\21\22\0\10\7\11\6\12\5\13\4\14\3\15\2\16\1\17\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\15\0\17\0\21\0\23\0\27\0\33\0\37\0#\0+\03\0;\0C\0S\0c\0s\0\203\0\243\0\303\0\343\0\2\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\1\0\1\0\2\0\2\0\2\0\2\0\3\0\3\0\3\0\3\0\4\0\4\0\4\0\4\0\5\0\5\0\5\0\5\0\0\0p\0p\0\0\0\1\0\2\0\3\0\4\0\5\0\7\0\11\0\15\0\21\0\31\0!\01\0A\0a\0\201\0\301\0\1\1\201\1\1\2\1\3\1\4\1\6\1\10\1\14\1\20\1\30\1 \10\1@\1`\0\0\0\0\0\0\0\0\1\0\1\0\2\0\2\0", ) , ) == 0x0 01424 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\6\0\6\0\7\0\7\0\10\0\10\0\11\0\11\0\12\0\12\0\13\0\13\0\14\0\14\0\15\0\15\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\13\1\0\0\0\0\0\0\300\0\0\0\0\0\0Fdu\0\0\0\0\0\0\0\0\0\0n{\0\0`p\0\0pv\0\0\0\0\0\0\0\0\0\0H\177\0\0lq\0\0@u\0\0\0\0\0\0\0\0\0\0\332\177\0\0y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0", ) y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0", ) == 0x0 01425 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0j|\0\0T|\0\0D|\0\0X}\0\0@}\0\0.}\0\0\36}\0\0\14}\0\0\0}\0\0\240~\0\0\360|\0\08|\0\0*|\0\0\30|\0\0\12|\0\0\2|\0\0\362{\0\0\340{\0\0\320{\0\0\276{\0\0\260{\0\0\240{\0\0\224{\0\0\210{\0\0|{\0\0v|\0\0\0\0\0\0\330\201\0\0\302\201\0\0\260\201\0\0\0\0\0\0\226\201\0\0\204\201\0\0p\201\0\0\0\0\0\0j\2MulDiv\0\0|\0DeleteFileA\0\311\0FindFirstFileA\0\0\323\0FindNextFileA\0\305\0FindClose\0\20\3SetFilePointer\0\0\253\2ReadFile\0\0\227\3WriteFile\0", ) , ) == 0x0 01426 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ProfileStringA\0\0\234\3WritePrivateProfileStringA\0\0k\2MultiByteToWideChar\0\357\0FreeLibrary\0\230\1GetProcAddress\0\0H\2LoadLibraryA\0\0w\1GetModuleHandleA\0\0\12\3SetErrorMode\0\0R\1GetExitCodeProcess\0\0\205\3WaitForSingleObject\0\356\1GlobalAlloc\0\365\1GlobalFree\0\0\262\0ExpandEnvironmentStringsA\0P\1GetEnvironmentVariableA\0\263\3lstrcmpA\0\0\266\3lstrcmpiA\0.\0CloseHandle\0\24\3SetFileTime\03\0CompareFileTime\0\320\2SearchPathA\0\255\1GetShortPathNameA\0a\1GetFullPathNameA\0\0d\2MoveFileA\0\377\2SetCurrentDirectoryA\0\0V\1GetFileAttributesA\0\0i\1GetLastError\0\0E\0CreateDirectoryA\0\0\16\3Se", ) , ) == 0x0 01427 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "tesA\0\0I\3Sleep\0[\1GetFileSize\0u\1GetModuleFileNameA\0\0\325\1GetTickCount\0\0:\1GetCurrentProcess\0=\0CopyFileA\0\257\0ExitProcess\0\10\1GetCommandLineA\0\351\1GetWindowsDirectoryA\0\0\313\1GetTempPathA\0\0\274\3lstrcpynA\0E\1GetDiskFreeSpaceA\0\0\2GlobalUnlock\0\0\371\1GlobalLock\0\0i\0CreateThread\0\0`\0CreateProcessA\0\0\272\2RemoveDirectoryA\0\0M\0CreateFileA\0\311\1GetTempFileNameA\0\0\277\3lstrlenA\0\0\260\3lstrcatA\0\0\271\1GetSystemDirectoryA\0KERNEL32.dll\0\0\310\0EndPaint\0\0\274\0DrawTextA\0\342\0FillRect\0\0\377\0GetClientRect\0\15\0BeginPaint\0\0\216\0DefWindowProcA\0\0:\2SendMessageA\0\0\223\1InvalidateRect\0\0\304\0", ) , ) == 0x0 01428 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\14\1GetDC\0\277\1LoadImageA\0\0\177\2SetWindowLongA\0\0\21\1GetDlgItem\0\0\255\1IsWindow\0\0\344\0FindWindowExA\0=\2SendMessageTimeoutA\0\325\2wsprintfA\0\221\2ShowWindow\0\0V\2SetForegroundWindow\0\3\2PostQuitMessage\0\205\2SetWindowTextA\0\0y\2SetTimer\0\0\231\0DestroyWindow\0U\0CreateDialogParamA\0\0\341\0ExitWindowsEx\0*\0CharNextA\0\236\0DialogBoxParamA\0\366\0GetClassInfoA\0`\0CreateWindowExA\0\230\2SystemParametersInfoA\0\25\2RegisterClassA\0\0\306\0EndDialog\00\2ScreenToClient\0\0t\1GetWindowRect\0F\2SetClassLongA\0\256\1IsWindowEnabled\0\202\2SetWindowPos\0\0Z\1GetSysColor\0n\1GetWindowLongA\0\0L\2SetCurso", ) , ) == 0x0 01429 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "orA\08\0CheckDlgButton\0\0<\1GetMessagePos\0\267\1LoadBitmapA\0\33\0CallWindowProcA\0\261\1IsWindowVisible\0B\0CloseClipboard\0\0I\2SetClipboardData\0\0\301\0EmptyClipboard\0\0\365\1OpenClipboard\0\243\2TrackPopupMenu\0\0\10\0AppendMenuA\0^\0CreatePopupMenu\0]\1GetSystemMetrics\0\0R\2SetDlgItemTextA\0\23\1GetDlgItemTextA\0\336\1MessageBoxA\0-\0CharPrevA\0\241\0DispatchMessageA\0\0\377\1PeekMessageA\0\0USER32.dll\0\0\16\2SelectObject\0\0<\2SetTextColor\0\0\26\2SetBkMode\0:\0CreateFontIndirectA\0)\0CreateBrushIndirect\0\217\0DeleteObject\0\0k\1GetDeviceCaps\0\25\2SetBkColor\0\0GDI32.dll\0\232\0SHFileOperatio", ) , ) == 0x0 01430 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "xecuteA\0\254\0SHGetFileInfoA\0\0y\0SHBrowseForFolderA\0\0\274\0SHGetPathFromIDListA\0\0\267\0SHGetMalloc\0\303\0SHGetSpecialFolderLocation\0\0SHELL32.dll\0\331\1RegEnumValueA\0\325\1RegEnumKeyA\0\354\1RegQueryValueExA\0\0\371\1RegSetValueExA\0\0\315\1RegCreateKeyExA\0\311\1RegCloseKey\0\322\1RegDeleteValueA\0\320\1RegDeleteKeyA\0\342\1RegOpenKeyExA\0ADVAPI32.dll\0\08\0ImageList_Destroy\04\0ImageList_AddMasked\07\0ImageList_Create\0\0COMCTL32.dll\0\0\20\0CoCreateInstance\0\0\4\1OleUninitialize\0\355\0OleInitialize\0ole32.dll\0\12\0VerQueryValueA\0\0\0\0GetFileVersionInfoA\0\1\0GetFileVersionInfoSizeA\0VE", ) , ) == 0x0 01431 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\240\364B\0m\23@\0\27\@\0\6\0\0\0\\0\0\0%s %s\0\0\0->\0\0\377\377\377\377\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC command line switch\12(NOT RECOMMENDED).\0verifying installer: %d%%\0\0\0Error launching installer\0\0\0... %d%%\0\0\0\0Au_.exe\0SeShutdownPrivilege\0AdjustTokenPrivileges\0\0\0LookupPrivilegeValueA\0\0\0OpenProc", ) , ) == 0x0 01432 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":\0\0\0\0\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177", ) \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/ (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":\0\0\0\0\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177", ) , ) == 0x0 01433 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\3\0\0\0(\0\0\200\5\0\0\0@\0\0\200\16\0\0\0h\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\200\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0i\0\0\0\230\0\0\200j\0\0\0\260\0\0\200o\0\0\0\310\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0g\0\0\0\340\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\370\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0(\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\08\1\0\0H\201\3\0\350\2\0\0\0\0\0\0\0\0\0\00\204\3\0\0\1\0\0\0\0\0\0\0\0\0\00\205\3\0\34\1\0\0\0\0\0\0\0\0\0\0P\206\3\0`\0\0\0\0\0\0\0\0\0\0\0\260\206\3\0\24\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \0\0\0@\0\0\0\1\0\4\0\0\0\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\200\0\0\0\200\200\0\0\0\0\200\0\0\200\200\0\200\0\200\0\200\200\200\0\300\300\300\0\0\377\0\0\377\0\0\0\377\377\0\0\0\0\377\0\0\377\377\0\377\0\377\0\377\377\377\0\0\0\0\0\0\0\0\7w\0\0\0\0\0\0\0\0\0\0\0\0\0\7x\215\335\220\0\0\0\0\0\0x\370\360\0\0\177\217\210\335\231\220\0\0\0\0\0\177\217\200p\7\207\370\375\331\231\210\0\0\0\0\0x\370\360", ) , ) == 0x0 01434 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\177\217\200xw\207\207\370\331\210\213\260\0\0\0\0x\370\360\207xxxp\11\213\273\260\0\0\0\0\177\217\200xw\207\207\0\0\273\270\200\0\0\0\0x\370\360\207x\210\273\0\0xxp\0\0\0\0\177\217\200xx\273\211\260\7\207\207\200\0\0\0\0\177\377\360\207{\270\233\275\377xxp\0\0\0\0\177\377\360xw\211\273\275\370\367\207\0\0\0\0\0\177\377\360\207\207\233\273\335\217\217x\10\210\210\0\0\177\377\360\210\210{\275\335\210\370\360\0\0\210p\0\177\377\360\210\210\7}\335\210\200\7ww\210p\0\177\377\360\210\210\17\367ww\177\377\377\377\377p\0wwp\210\210\7wwwwwwwxp\0wwp\210\210\0\0\0\0\0\0\0\0\0\200\7\377\377\367\10\210\7\210\210\210\210\210\210\210\207\0wwwwp\210\7\377\377\377\377\377\377\377\207\0\0\0\7ww\10\7\360\0\0\0\0\0\17\207\0\0\0\0wwp\7\360\0\0\0\0\0\17\207\0\0\0\0\7\377\377\7\360\0\0\360\17\0\17\207\0\0\0\0\0wwp\360\0\0\360\17\0\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\17\377\360\0\0\17\207\0\0\0\0\0\0\0\7\360\0\377\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\377\377\377\377\377\377\377\207\0\0\0\0\0\0\0\0wwwwwwww\0\377\376\7\377\300\370\1\377\300p\0\377\300 \0\177\300\0\0\177\300\0\0?\300\0\0?\300\0`?\300\0`?\300\0\0?\300\0\0?\300\0\0\3\300\0\0\1\300\0\0\0\300\0\0\0\300\0\0\0\300\0\0\0", ) , ) == 0x0 01435 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\370\0\0\1\374\0\0\1\376\0\0\1\377\0\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\374\0\3\1\0\377\377\0\0\0\0\0\0\0\0H\10\312\200\6\0\0\0\0\0\30\1\242\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\3@\253\0\216\02\0\16\0\3\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\337\0\216\02\0\16\0\1\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\7\0\216\02\0\16\0\2\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\2P\7\0\212\0\13\1\1\0\377\377\377\377\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\2@\7\0\6\0\12\1\202\0\372\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\2X;\0\221\0l\0\10\0\4\4\0\0\377\377\202\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0H\4\0@\5\0\0\0\0\0\12\1\202\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\200P\30\0\12\0\361\0\13\0\354\3\0\0m\0s\0c\0t\0l\0s\0_\0p\0r\0o\0g\0r\0e\0s\0s\03\02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\0\0P\30\0\0\0\361\0\10\0\356\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\5@\201@\0\0\31\0\11\1h\0\370\3\0\0S\0y\0s\0L\0i\0s\0", ) , ) == 0x0 01436 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0P\0\0\0\0\26\0\24\0\7\4\0\0\377\377\202\0\377\377g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\0\0\34\0<\0\16\0\3\4\0\0\377\377\200\0\0\0\0\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0\310\10\0\200\1\0\0\0\0\0\242\0\26\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\1\0\2P\7\0\7\0\224\0\10\0\6\4\0\0\377\377\202\0\0\0\0\0\0\0\1\0\1\0 \20\0\1\0\4\0\350\2\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01437 416 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\17\11\0\0_6\1\0V\2\0\200\355UAk\23Q\20\236\210\25\223\32DT<\11\257`\21\245,\255B-\1\221\270]1\207$\245\11$\207\34\372\232L\342\222\335}\353\333\267m\342A\242\27=\211\210^\274\10\376\4/^\364\324\203\340\315\253^\374\13\36\324\213m\234\227d\3556\230\352\315\203\35\230\375\346\315\274\371fv\31f\37\2\0K\300@4jsi\12`\232\32092\364\273G\207\376\343I\370\243\364c2t\0\274$\370\322\377{\201\177,\37\251\207\321'\201\251\21F\347\24\351V\2\16\344@\16\344?\26\275\37O\304\366\302x\354\364\204\274c\2443\243;\207\307b\247H\237\320\312\271\229\326*\217\335\347o\23\237h\37E\261\353\204\305C\364x\235\375\276\365\340\335\236X\236p\363"=>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S"W\310\232\302i\240\244\263%\245\220\254\201u\341\372\22\203\300\366Z\254\301\25\237a\246\2202\364\256\230=,\200\362\32X\35\254\207\3"\253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f", ) =>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\17\11\0\0_6\1\0V\2\0\200\355UAk\23Q\20\236\210\25\223\32DT<\11\257`\21\245,\255B-\1\221\270]1\207$\245\11$\207\34\372\232L\342\222\335}\353\333\267m\342A\242\27=\211\210^\274\10\376\4/^\364\324\203\340\315\253^\374\13\36\324\213m\234\227d\3556\230\352\315\203\35\230\375\346\315\274\371fv\31f\37\2\0K\300@4jsi\12`\232\32092\364\273G\207\376\343I\370\243\364c2t\0\274$\370\322\377{\201\177,\37\251\207\321'\201\251\21F\347\24\351V\2\16\344@\16\344?\26\275\37O\304\366\302x\354\364\204\274c\2443\243;\207\307b\247H\237\320\312\271\229\326*\217\335\347o\23\237h\37E\261\353\204\305C\364x\235\375\276\365\340\335\236X\236p\363"=>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S"W\310\232\302i\240\244\263%\245\220\254\201u\341\372\22\203\300\366Z\254\301\25\237a\246\2202\364\256\230=,\200\362\32X\35\254\207\3"\253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f", ) \253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f", ) == 0x0 01438 416 NtReadFile (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353B*]3P\302g\352\26F]se\13o.\235ZE%\273\372\202\6\336\342\2667\307\204L\247r-OH\34dR_\224i\7\203z\6\230!q\271P\340.B\362\327\304?%}E\372#6/o~31\357\367\373M\307\354$\361\350)=\33\343\273:6\213y:W&\314\347m\362\177%\375\11K\2\0\200\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325", ) \233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2 (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353B*]3P\302g\352\26F]se\13o.\235ZE%\273\372\202\6\336\342\2667\307\204L\247r-OH\34dR_\224i\7\203z\6\230!q\271P\340.B\362\327\304?%}E\372#6/o~31\357\367\373M\307\354$\361\350)=\33\343\273:6\213y:W&\314\347m\362\177%\375\11K\2\0\200\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325", ) , ) == 0x0 01439 416 NtReadFile (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "\37\365\221b\205\257\2006\35.\34\247\1\344\371\363\02\340O\27\347\321<\201\220\265\230P\233\7\360\36\204\247\323\342\361\236\27\31\352cZF\266\345g\361\214r{^\220v\206qy\2661\314K\342\202\304\256g;{\374N\367(\360\274\302\36\353Lr\226\24*\241\277\22m6\313n{\341U\355\25\236\201\224\257\260\307\4\213\205\237\13\303\205\244\203\341\13\305\253u\230\230Ep\316i0\34G\253\26\246'\304\251)\271\25\205X\337\210\224\240\352\226\320\314\337%r\11\375R\321\1\207G\0m\14\230\333\371\236\10P"\1d"\21M\331\271E\4|\241\350\1\37q\300D\221\364\215"i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! \232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346", ) \1d (176, 0, 0, 0, 32768, 0x0, 0, ... {status=0x0, info=32768}, "\37\365\221b\205\257\2006\35.\34\247\1\344\371\363\02\340O\27\347\321<\201\220\265\230P\233\7\360\36\204\247\323\342\361\236\27\31\352cZF\266\345g\361\214r{^\220v\206qy\2661\314K\342\202\304\256g;{\374N\367(\360\274\302\36\353Lr\226\24*\241\277\22m6\313n{\341U\355\25\236\201\224\257\260\307\4\213\205\237\13\303\205\244\203\341\13\305\253u\230\230Ep\316i0\34G\253\26\246'\304\251)\271\25\205X\337\210\224\240\352\226\320\314\337%r\11\375R\321\1\207G\0m\14\230\333\371\236\10P"\1d"\21M\331\271E\4|\241\350\1\37q\300D\221\364\215"i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! \232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346", ) i\276\236(8>\216\3575\337~\35\306\206\225\256\262\341\230\177\210\304|\214\271\331\330 \277d\304\3354\261\303,D\260\204\324P\2672\246\271\215bx\275\350\345\20\253\20\232\256\257\311\331\341\255\6\335\224_\350\235\257\255p\202Q|\15\363j\222\375\363\13q\220\205\204rz\260V\250\347\270\203\37'\321\225\1\371Ysl\333:J\335\321\334\4\256+T:\327zZ\243\370\212\373>\370\267\237Ez\2\370\252\370G\3118f\313\354\345$\364\220\275\334\356\35N\222\204l\375\320\315\11f\261j\352\2l\321\313\370\370;\306\2\246\273A\210\272\12\323\203v]~\0\6\6\275\243^&6\35\336\14&%ce=w\314\357\334@\231! \232U\347\353\21Msf\225\342^\205Dp\325\373\351\312\333W\11\5p\246\306\370\256)\215C\3\3057P\5\253\6\220Q\352\335s\300\321O\330F\245 z\6ZR\300\207$\336\223?\36h\355:\30 U\257\305(\255\321fda\12b\0cPC\253t\261\263<\330\312\323#M;\200\213%\316\11_a\234;\304\13\13\376\205\10w\321\220\13P\15\346", ) == 0x0 01440 416 NtReadFile (176, 0, 0, 0, 13403, 0x0, 0, ... {status=0x0, info=13403}, (176, 0, 0, 0, 13403, 0x0, 0, ... {status=0x0, info=13403}, "\360\322Wg\35k\177,y\340\33Hc\313\220uz\30Y\331;h{\244\255\207\333\0\275w@\213\201\331E\306d\343\210|H_\245d\11\204<\234\220%e\24\332\22i\256\24\360\11hb.\20\242d\203\12EC\220\36\332\215N\326\232\2202\317\0yD\362\12\225\364$J\242!#\244@K*((A\11\4\323J?\37\237`\210\213\15\357\35\33\27\2332\310\20\36\21\21\225\230\22\25\31b\10\316\354\316\322\6\373>\220v-\33\2634B\242\30B\3\306"\203\341#\213b8j\372\370\337?\201\262\25\2662\327\3019.e\257\202\334g\273\226\225\271\234\115\334\311\231\24\3223\264,\350C\217\217\326\371lo\326\370\205K\311\27\307\=\212\367\370\350\354o^/\22\367~\250x\344\345[\363\325s\203w\236\370\376\267Y\37.\257~\245\313\217\223S\375\212G\216\377|t\363\207\237\245\376\326}c\352\320E\372\207=3\232\245\226\5\35\33\275\340\\307\324^\347\216\7\272O\247v-x\257\252_\337\37~\342;n\36\270dJ\207e\2713\253\373\366ykd\325Z\352\\275W\3173U\354RW\320;]\3\225p\203qq\315\226\315p\227N\377P\372\347\304s\33\356o\232P\357^\277P\34\335i\303\363\301\337\314\13\310\236\375(\344\25\335\353\203\337\3168\326l]\351\375\355{\3\267\1771p\311(\317\214\250\317V\275{\211\234\352\336\361\353\242\236\372\231\356\353&y\265\230\37\30q\347\367\26\375\3167zm\251_n\352#o\362\255c\263W|\243/\\326cr\372k\373n\370\214~{\375\341\341\31\275\305\205\13:b\213;\316\236\363 \313\263\363\257\247\37\200\376\236\200\277\224ks\227O\232\275})\342v\207?\243S\247\317>\26=\253\242\313O\201\303\376\367)\361&", ) \203\341#\213b8j\372\370\337?\201\262\25\2662\327\3019.e\257\202\334g\273\226\225\271\234\115\334\311\231\24\3223\264,\350C\217\217\326\371lo\326\370\205K\311\27\307\=\212\367\370\350\354o^/\22\367~\250x\344\345[\363\325s\203w\236\370\376\267Y\37.\257~\245\313\217\223S\375\212G\216\377|t\363\207\237\245\376\326}c\352\320E\372\207=3\232\245\226\5\35\33\275\340\\307\324^\347\216\7\272O\247v-x\257\252_\337\37~\342;n\36\270dJ\207e\2713\253\373\366ykd\325Z\352\\275W\3173U\354RW\320;]\3\225p\203qq\315\226\315p\227N\377P\372\347\304s\33\356o\232P\357^\277P\34\335i\303\363\301\337\314\13\310\236\375(\344\25\335\353\203\337\3168\326l]\351\375\355{\3\267\1771p\311(\317\214\250\317V\275{\211\234\352\336\361\353\242\236\372\231\356\353&y\265\230\37\30q\347\367\26\375\3167zm\251_n\352#o\362\255c\263W|\243/\\326cr\372k\373n\370\214~{\375\341\341\31\275\305\205\13:b\213;\316\236\363 \313\263\363\257\247\37\200\376\236\200\277\224ks\227O\232\275})\342v\207?\243S\247\317>\26=\253\242\313O\201\303\376\367)\361&", ) == 0x0 01441 416 NtSetInformationFile (176, 1244620, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01442 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "&\225\344\351", ) , ) == 0x0 01443 416 NtSetInformationFile (176, 1244620, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01444 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "V\2\0\200", ) , ) == 0x0 01445 416 NtReadFile (176, 0, 0, 0, 598, 0x0, 0, ... {status=0x0, info=598}, (176, 0, 0, 0, 598, 0x0, 0, ... {status=0x0, info=598}, "\355UAk\23Q\20\236\210\25\223\32DT<\11\257`\21\245,\255B-\1\221\270]1\207$\245\11$\207\34\372\232L\342\222\335}\353\333\267m\342A\242\27=\211\210^\274\10\376\4/^\364\324\203\340\315\253^\374\13\36\324\213m\234\227d\3556\230\352\315\203\35\230\375\346\315\274\371fv\31f\37\2\0K\300@4jsi\12`\232\32092\364\273G\207\376\343I\370\243\364c2t\0\274$\370\322\377{\201\177,\37\251\207\321'\201\251\21F\347\24\351V\2\16\344@\16\344?\26\275\37O\304\366\302x\354\364\204\274c\2443\243;\207\307b\247H\237\320\312\271\229\326*\217\335\347o\23\237h\37E\261\353\204\305C\364x\235\375\276\365\340\335\236X\236p\363"=>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S"W\310\232\302i\240\244\263%\245\220\254\201u\341\372\22\203\300\366Z\254\301\25\237a\246\2202\364\256\230=,\200\362\32X\35\254\207\3"\253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f:\266\277.\270l\214\332\22>z\232j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353", ) =>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S (176, 0, 0, 0, 598, 0x0, 0, ... {status=0x0, info=598}, "\355UAk\23Q\20\236\210\25\223\32DT<\11\257`\21\245,\255B-\1\221\270]1\207$\245\11$\207\34\372\232L\342\222\335}\353\333\267m\342A\242\27=\211\210^\274\10\376\4/^\364\324\203\340\315\253^\374\13\36\324\213m\234\227d\3556\230\352\315\203\35\230\375\346\315\274\371fv\31f\37\2\0K\300@4jsi\12`\232\32092\364\273G\207\376\343I\370\243\364c2t\0\274$\370\322\377{\201\177,\37\251\207\321'\201\251\21F\347\24\351V\2\16\344@\16\344?\26\275\37O\304\366\302x\354\364\204\274c\2443\243;\207\307b\247H\237\320\312\271\229\326*\217\335\347o\23\237h\37E\261\353\204\305C\364x\235\375\276\365\340\335\236X\236p\363"=>\177xt\356\305\336\274*\341\315i\352\366\336\335o7v\206y\272\207\265\11\357\20\345\265\11\253'\351\306\231^ou\224w\201|w&\274\337\276\253qgv\26\362\331\\241d\231\345\\261\0\333\317z`fjet\375Z\247\210q\273\268+\350\31\216hA\276\224+Xec\331Z\211LQ\347\221Y4\253\340\363\272\241:J\323\3276\362\225\371\313\34\206\2600\277\270h`\7c\221\332X\244\20:N \232\212\345\274@q\307a\245n\240\320e\33\227\214\205%\350\337\357\261\22\252\320\7\223{\347\25\333\224\266\302\14\3S"W\310\232\302i\240\244\263%\245\220\254\201u\341\372\22\203\300\366Z\254\301\25\237a\246\2202\364\256\230=,\200\362\32X\35\254\207\3"\253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f:\266\277.\270l\214\332\22>z\232j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353", ) \253\243$\257\253\270\205\3.]I\263(\301\232\266\203\14\212\241\362C\265[\262\324\266}\37\33\272\31\341w\3312*n;\1+\13f:\266\277.\270l\214\332\22>z\232j\300\323\334\345\316\260t*\235\332\356\3654PR\275\315\262\353", ) == 0x0 01446 416 NtQueryInformationFile (176, 1244628, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01447 416 NtSetInformationFile (176, 1244628, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01448 416 NtQueryDefaultUILanguage (1244676, ... 01449 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01450 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 01451 416 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01452 416 NtClose (-2147482020, ... ) == 0x0 01453 416 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 01454 416 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 416 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 01456 416 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01457 416 NtClose (-2147482032, ... ) == 0x0 01458 416 NtClose (-2147482020, ... ) == 0x0 01448 416 NtQueryDefaultUILanguage ... ) == 0x0 01459 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01460 416 NtUserFindExistingCursorIcon (1244008, 1244024, 1244592, ... ) == 0x0 01461 416 NtQueryDefaultLocale (1, 1243692, ... ) == 0x0 01462 416 NtQueryDefaultLocale (1, 1243708, ... ) == 0x0 01463 416 NtUserGetDC (0, ... ) == 0x1010052 01464 416 NtGdiCreateCompatibleBitmap (16842834, 32, 32, ... ) == 0x8050407 01465 416 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01466 416 NtGdiSelectBitmap (335610822, 134546439, ... ) == 0x185000f 01467 416 NtGdiGetDCforBitmap (134546439, ... ) == 0x140103c6 01468 416 NtGdiSaveDC (335610822, ... ) == 0x1 01469 416 NtGdiSelectBitmap (335610822, 134546439, ... ) == 0x8050407 01470 416 NtGdiGetDCObject (335610822, 524288, ... ) == 0x188000b 01471 416 NtUserSelectPalette (335610822, 25690123, 0, ... ) == 0x188000b 01472 416 NtGdiSetDIBitsToDeviceInternal (335610822, 0, 0, 32, 32, 0, 0, 0, 32, 4424112, 1406656, 0, 512, 104, 1, 0, ... ) == 0x20 01473 416 NtUserSelectPalette (335610822, 25690123, 0, ... ) == 0x188000b 01474 416 NtGdiSelectBitmap (335610822, 134546439, ... ) == 0x8050407 01475 416 NtGdiRestoreDC (335610822, -1, ... ) == 0x1 01476 416 NtGdiSelectBitmap (335610822, 25493519, ... ) == 0x8050407 01477 416 NtUserGetDC (0, ... ) == 0x1010052 01478 416 NtGdiCreateDIBitmapInternal (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x7050405 01479 416 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01480 416 NtGdiSelectBitmap (335610822, 117769221, ... ) == 0x185000f 01481 416 NtGdiGetDCforBitmap (117769221, ... ) == 0x140103c6 01482 416 NtGdiSaveDC (335610822, ... ) == 0x1 01483 416 NtGdiSelectBitmap (335610822, 117769221, ... ) == 0x7050405 01484 416 NtGdiGetDCObject (335610822, 524288, ... ) == 0x188000b 01485 416 NtUserSelectPalette (335610822, 25690123, 0, ... ) == 0x188000b 01486 416 NtGdiSetDIBitsToDeviceInternal (335610822, 0, 0, 32, 64, 0, 0, 0, 64, 4424496, 1406656, 0, 256, 48, 1, 0, ... ) == 0x40 01487 416 NtUserSelectPalette (335610822, 25690123, 0, ... ) == 0x188000b 01488 416 NtGdiSelectBitmap (335610822, 117769221, ... ) == 0x7050405 01489 416 NtGdiRestoreDC (335610822, -1, ... ) == 0x1 01490 416 NtGdiSelectBitmap (335610822, 25493519, ... ) == 0x7050405 01491 416 NtGdiCreateCompatibleDC (335610822, ... ) == 0x8010406 01492 416 NtGdiExtGetObjectW (117769221, 24, 1243236, ... ) == 0x18 01493 416 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xa0503da 01494 416 NtGdiSelectBitmap (335610822, 117769221, ... ) == 0x185000f 01495 416 NtGdiSelectBitmap (134284294, 168100826, ... ) == 0x185000f 01496 416 NtGdiBitBlt (134284294, 0, 0, 32, 64, 335610822, 0, 0, 13369376, -1, 0, ... ) == 0x1 01497 416 NtGdiSelectBitmap (335610822, 25493519, ... ) == 0x7050405 01498 416 NtGdiSelectBitmap (134284294, 25493519, ... ) == 0xa0503da 01499 416 NtGdiDeleteObjectApp (117769221, ... ) == 0x1 01500 416 NtGdiDeleteObjectApp (134284294, ... ) == 0x1 01501 416 NtUserCallOneParam (0, 33, ... ) == 0x20091 01502 416 NtUserSetCursorIconData (131217, 1243288, 1243304, 1243884, ... ) == 0x1 01503 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242240, ... ) }, 1242240, ... ) == 0x0 01504 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01505 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 172, ... 180, ) == 0x0 01506 416 NtClose (172, ... ) == 0x0 01507 416 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x990000), 0x0, 262144, ) == 0x0 01508 416 NtClose (180, ... ) == 0x0 01509 416 NtUnmapViewOfSection (-1, 0x990000, ... ) == 0x0 01510 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01511 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01512 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01513 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01514 416 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\WINDOWS\System32"}, 3, 33, ... 180, {status=0x0, info=1}, ) }, 3, 33, ... 180, {status=0x0, info=1}, ) == 0x0 01515 416 NtQueryVolumeInformationFile (180, 1244076, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01516 416 NtClose (12, ... ) == 0x0 01517 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01518 416 NtClose (12, ... ) == 0x0 01519 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp\xOe"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01520 416 NtClose (12, ... ) == 0x0 01521 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01522 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01523 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Temp\xOe\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0 01524 416 NtQueryDirectoryFile (12, 0, 0, 0, 1242836, 616, BothDirectory, 1, (12, 0, 0, 0, 1242836, 616, BothDirectory, 1, "slPen.log", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 01525 416 NtClose (12, ... ) == 0x0 01526 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01527 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01528 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.DEP"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01529 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.DEP"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01530 416 NtClose (-2147482020, ... ) == 0x0 01529 416 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01531 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01532 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "K\2\0\200", ) , ) == 0x0 01533 416 NtReadFile (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, "\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325\214\224\276\247S.vFJ%7\7\332\224\320\327)%\370\325)\243#\316)\207U\316"m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) \233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2 (176, 0, 0, 0, 587, 0x0, 0, ... {status=0x0, info=587}, "\255\225K\217\2330\24\205\367H\374\7/\272 \221J \32\245i\247TJI\322\346\321\231(d\332E5\13\171\215%\300\21\366<\177}\2571i0\270\32\265"\233$\347\336{\314w.\10\333\272DSr$\371\236\344\3613JhJP\302\12\304\211\270?\242G\372\202\213=wm\313\266~~'\5\247,\277\265\255\352W0r=w\354\273\243\367\262.}\22|\237\212\263\37%\34\275\375\247Oy\320\267h\221\23\341\262\370\11\316\232\22.\2027\316\17\232G\317|\203\305\241g[[\362\213rA\12\320\247\353uD\322\344\244\364\214\27w\303\11\367\203\220e!\26\356>M\2252\14l+\234|\236\3\362\25\316HP\35\33\343\273R\257hn\266\353\340 \304\361\303`\200cA\37\310\223\233\321\270`\234%\320\313\262A\314rQ\260\224\17\36\356F\345\340\342j.=O~4OJ\252\363\361&*\370\222C\257\301)\22\25\367\232\3058\245/d\377\377\201#\345\324\357\243/\244\310p\216\234\351\254\7\177\373Ru<\317{\207\202\252\4\207_j\273A\37e\375\323\355\351\242\244>\235\351\361\302\300Yn\16\350\351W}\235\245_\371U\351\227\214\363\2": g\276\325\30C`T%3c\2503\316\267FF%7\7\332\214\320\327)#\370\325\31\27\2\356\11\271\310\305\256\16\351{\0Y\325\214\224\276\247S.vFJ%7\7\332\224\320\327)%\370\325)\243#\316)\207U\316"m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) m\225\23\240\254j\346]Nt\312Yd\244Trs\240M\11}\235R\202_\235r\211\1\205p\202\234\345F[\246\17\230\247\242y\233\276\316\271\334\309\225\334\34hsB_\247\234\340W\347\\261\202\310[vu\255Q\16\201R\225\314\214C\235qumdTrs\240\315\10}\2352\202_", ) == 0x0 01534 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\15\12; Dependency file for setup wizards.\15\12\15\12[Version]\15\12Version=6.0.81.69\15\12\15\12; Default Dependencies ----------------------------------------------\15\12\15\12[MSInet.ocx]\15\12Dest=$(WinSysPath)\15\12Register=$(DLLSelfRegister)\15\12Version=6.0.81.69\15\12Uses1=ComCat.dll\15\12Uses2=\15\12CABFileName=MSInet.cab\15\12CABDefaultURL=http://activex.microsoft.com/controls/vb6\15\12CABINFFile=MSInet.inf\15\12\15\12[ComCat.dll]\15\12Dest=$(WinSysPathSysFile)\15\12Register=$(DLLSelfRegister)\15\12Uses1=\15\12\15\12; Localized Dependencies ----------------------------------", 2407, 0x0, 0, ... {status=0x0, info=2407}, ) , 2407, 0x0, 0, ... {status=0x0, info=2407}, ) == 0x0 01535 416 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01536 416 NtClose (12, ... ) == 0x0 01537 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.oca"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01538 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.oca"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01539 416 NtClose (-2147482020, ... ) == 0x0 01538 416 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01540 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01541 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "$(\0\200", ) , ) == 0x0 01542 416 NtReadFile (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, "\355}\17x\224\325\231\357\231$\344\377_\22\371\243Q>\4\5\225\304\17\11\22\220\352\4\2\6\15\20Ip\20Q2\314|IF'3\343\314\204\4\313n\323>leo\322J\325\333\313\355\372\334u}\274\312*\325\264\245\327X\331\26\25-UT\254\330e\273T\321EE\253-ui\27[\252\367\367\276\347|\337w\276I\202n\367\336\347\331\336\313\350\313\314w\316\357\234\367\374y\317{\336\363~\347\234,_\273Md\13!r@\237~*\304\260\220\37\277\370\354O?\250t\312\17J\305\256\202\27\247\16\373\232_\234\332\326\25I\31\211d\2743\31\3546B\301X,\23666XF\262'fDbF\343\312V\243;\36\266jKJ\12\247\253\37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132:"Q\353L\363\374\177\361!\335\353c=\352#\225\320_\17*\224\352\246_\217\227\10\350\3111\302\373F\11\247\17\251\325!\350\244&L4C9#\371\332\270m\240\223s\204X\23vqy\242M\334\0\216KD\263X\6us\3317\244\312\272\262\342\325k~t\354\353+\36K\233\217O|\334\34jz\312'\366l\3326\227\322\34\3\325+\276;\24\257/\326\325/\231;\377\262\371f\315\374\372z\263f\366\354", ) \37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132: (176, 0, 0, 0, 10276, 0x0, 0, ... {status=0x0, info=10276}, "\355}\17x\224\325\231\357\231$\344\377_\22\371\243Q>\4\5\225\304\17\11\22\220\352\4\2\6\15\20Ip\20Q2\314|IF'3\343\314\204\4\313n\323>leo\322J\325\333\313\355\372\334u}\274\312*\325\264\245\327X\331\26\25-UT\254\330e\273T\321EE\253-ui\27[\252\367\367\276\347|\337w\276I\202n\367\336\347\331\336\313\350\313\314w\316\357\234\367\374y\317{\336\363~\347\234,_\273Md\13!r@\237~*\304\260\220\37\277\370\354O?\250t\312\17J\305\256\202\27\247\16\373\232_\234\332\326\25I\31\211d\2743\31\3546B\301X,\23666XF\262'fDbF\343\312V\243;\36\266jKJ\12\247\253\37JT\256\2\31252T\351\350w\226,\267O\225\237?C\356C\226\235\270\\377v\263\345\317}BT\321\267\211\262t\215R\311!\357c1\22\217\27\377\361Om\332\352K\353u\313\322+!?\250j{\355\206T\312)\2641f?\354\251M\246\222!zH\310\272\210[@\271^\34Z\315_\33\11\7\323A\225\337}\212ob\4\16\371Y\321x(\243\15\222#p\213\304\231\317\237\365g\230\6\317\323\305\242\255i\365\212\353\27\31\227\327\232\306\342`\250\3132:"Q\353L\363\374\177\361!\335\353c=\352#\225\320_\17*\224\352\246_\217\227\10\350\3111\302\373F\11\247\17\251\325!\350\244&L4C9#\371\332\270m\240\223s\204X\23vqy\242M\334\0\216KD\263X\6us\3317\244\312\272\262\342\325k~t\354\353+\36K\233\217O|\334\34jz\312'\366l\3326\227\322\34\3\325+\276;\24\257/\326\325/\231;\377\262\371f\315\374\372z\263f\366\354", ) , ) == 0x0 01543 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\5\0\34780F\0\0\0\0\0\0\0\0\340\0\216\241\13\1\4\0\0\20\0\0\0\0\0\0\0\20\0\0\0\20\0\0\0\20\0\0\0 \0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\240\0\0\24\0\0\0\00\0\0Ph\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\20\0\0\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.bss\0\0\0\0\0\20\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rsrc\0\0\0\0p\0\0\00\0\0\0j\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.ida", 29184, 0x0, 0, ... {status=0x0, info=29184}, ) , 29184, 0x0, 0, ... {status=0x0, info=29184}, ) == 0x0 01544 416 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01545 416 NtClose (12, ... ) == 0x0 01546 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MSINET.OCX"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\MSINET.OCX"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01548 416 NtClose (-2147482020, ... ) == 0x0 01547 416 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01549 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01550 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\315\340\0\200", ) , ) == 0x0 01551 416 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\354\375\13xTE\2667\214\357N:I\3\15\335@\202A\202\266&(G@[\3\232\30\320\6\222\30$\301N\2\11\214\334b.tbLb\262\33P\1\303t\202\264\233Vtt\2069G\35/\3500\243\343\340\210\212\312@\20\206\213\242\342\35\7T\234A\3556\214F\315@\320H\177\277\265\252v\367\356\0\316\234\363\275\357\373\377?\317\367\6\252\367\336U\253\356U\253V\255ZkU\321\317\326*\361\212\242\230\341\302aE\331\254\210?\227\362\257\377Z\341\6\235\373\322 eS\277\327\317\333l*|\375\274\231\236\332\26GSs\343\242\346\212\233\34\225\25\15\15\215\252\343\206jG\263\267\301Q\333\340\310\275\256\324qScU\365\305\3\7\366\317\220i\270\363\24\245\320dV\322K\375\23\350{\276EQ\16+q\351\3L\11q\212\305\244(\17\11\270\336!\370\261\223\203\237R\230\316\357q\242\334\212\22}*\373M\374\261{C\34\5\213Hv\343S\334L\270\33\340\32\340\332\340\326\3029\3406\301\355\203\373\30\356(\\17\\177\340\267ap\27\300]\16W\107\33\256\12\256", ) \334L\270\33\340\32\340\332\340\326\3029\3406\301\355\203\373\30\356(\\17\\177\340\267ap\27\300]\16W\107\33\256\12\256", ) == 0x0 01552 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\4\0#S\2115\0\0\0\0^\10\0\0\340\0\2#\13\1\5\2\0\10\1\0\0\236\0\0\0\0\0\0\374\22\0\0\0\20\0\0\0\20\1\0\0\0L#\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\1\0\0\4\0\0\307\250\2\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\200d\0\0\301\0\0\0@\7\1\0\366\0\0\0\00\1\0\314\177\0\0\0\0\0\0\0\0\0\0\20\255\1\08\24\0\0\0\260\1\0`\23\0\0@\6\1\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\374\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\16\6\1\0\0\20\0\0\0\10\1\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\274\10\0\0\0 \1\0\0\12\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rsrc\0\0\0\334\177\0\0\00\1\0\0\200\0\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.rel", 30545, 0x0, 0, ... {status=0x0, info=30545}, ) , 30545, 0x0, 0, ... {status=0x0, info=30545}, ) == 0x0 01553 416 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\201mP\325x-X\372\4J\347c\23\272\317\322/\253g\331\3351\335\350\277J\363\275\313\20\357rw\332\332\272\342X2,\6&t\20\236\223hrA\264\235\230\265<\301\16\323\4;L\23,\310\342\227\250XZ\35\266(\226\5\376\227i\260\253\27\23\322>\7Q\307\235\304\25\16@\323\361dM\237\3614c\351R]@\331\22\232\36&\301\362\345i\26!\214Cc\203Z\306\326\366\211\240\304\245f[\33\335\257\213\2661\`\25p\262xF\323\375De\273Q\362\347\234b2\303V\207[\237\311\344\225y\14\253\16\350\2759\350\2322\331\263\262\4\331\34\7\201\20*?I\242\27O\201\240\330\314\254\34\12\210Y\234B\17\223RQ^\6\32`#5\300Fj\200\315\241\242pDjD\353\11\cr\7\377\372\13t\237\326\5T\201\265\256L\210\331\266f\\11c\355\215\266\16\365\334\211\16u\304\304\212eC&\336z\373 \333\326\16_\320\261\332t\347d\323\344\316\277\341\13\206\351\377LY+\352\331T\325YV+\346\314\277f\345\362\261\26\214\336\343\3142\33\217\22\355\247\22\355\247\22\35@\340D\12d\355\245\274\\4v`\17\211\220=\230\14\300d`\257\5xp\200A=@\237\203\30^\367l\320G\223m\315s\264\317\361\2\264+\300\243\344'@\357$P\37\241n\37\311\255\354\341\2278\265\321\327\23\277\242\37\320\234\355\256\347\250 4\2\24\317\357h\4\374\16# t\202l\2223\306\217+\367:\202O\334\313m\206\6\363\324\13:\207[\255&^\11\331P\375\340\252h\270\7\341\235\37\7\274c\31\365\7\362&\206.\244\347\263\264u\223g\35 \325\265x\271r\240\247\205\375\347\262\345\3\4q\25\372\200(Fadly/l\362\23\7^\273\33\31\370\36c\356\0I", ) , ) == 0x0 01554 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\203\243\330\23\0\0\277j\4\213\313\350S\246\377\377\213\203\320\23\0\0\215\263\320\23\0\03\377;\307t\20PW\37750 M#\377\25l\20L#\211>\213\203\324\23\0\0\215\263\324\23\0\0;\307\17\204\360\2\0\0PW\37750 M#\377\25l\20L#\211>\351\333\2\0\0=\10@\0\0\17\205A\4\0\0\213E\24f\307E\340\10\0\215u\340\213\0\211E\350\3514\377\377\377\17\267E\34j\4\203\350\10_\211\2734\1\0\0t.HH\17\204\36\2\0\0-\376?\0\0t\37\213\3j\0j\1h\260\213\0\0h\260\213\12\200S\377\220\240\0\0\0\211E\10\351K\377\377\377f\203}\34\10\17\205\240\0\0\0\215u\34\213F\10\205\300\17\204\337\1\0\0P\377\25\214\22L#\205\300\17\204\320\1\0\0\377v\10\377\25t\20L#\215|\0\2\215\2150\377\377\377W\350p\225\377\3773\300PPW\377\2650\377\377\377j\377\377v\10PP\377\25p\20L#\213\2050\377\377\3773\366;\306\211E\10uY\213\3VVj\7h\7\0\12\200S\377\220\240\0\0\09\2650\377\377\377\211E\10\17\204\302\376\377\377\366E\254\1\17\204\270\376\377\377\377\2650\377\377\377V\37750 M#\377\25l\20L#\351\240\376\377\377\213E$f\307E\260\10\0\215u\260\213\0\211E\270\351M\377\377\377P\377\25\254\20L#\213\370\215G\1P\350\332\223\377\377Y\213\360\377u\10\211u\374V\377\25\250\20L#\200$7\0\212\6\213\316\204\300t\37< t\33, 29641, 0x0, 0, ... {status=0x0, info=29641}, ) , 29641, 0x0, 0, ... {status=0x0, info=29641}, ) == 0x0 01555 416 NtReadFile (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K"\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=", ) \376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267 (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K"\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=", ) \3\302e\2465\35\23v,\6K216\36\340]\223\263bl\363\227\341\305\31\261\324\224\257&\3K\370X\230}\234#\264\15 (176, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=16384}, "\221\226\33\300W\345%e\220`\210\247Fj\345\35\277\362v3\353\247_\342\351\313PF\357@\2718,$\201\301\244r~_\313\342}\376K\300\315:H"\376\274\353\265\207\337\3233\306\254g\270\373D1\37F'\32\212\251\35\350\274\213\315\277G\232\234%\305(hC\242\367Z\254\2129\350\26\253\233-\327\23\237\273\363k\326\274\240\22\10\3162\221\261#\352\272\244\220#\356\147\245N\302\217]\35Hl]f\306\222\334\32\331\$\264$E\2400\330\231\24\363Z=5\324\334M\321ul\257 \241!\246\267"M\21w\23k\371\216\272\204\250\220C\252;xX\230\3605\213J-$\213\234\257\13/Ex\25\221X\277.\247\3562J'\240\236\245\307\321~\236A\03\270\305,v\315B\30\177\3\255\232\243(@\227\343\245B\200\205\306\2276\262\262\215=\374>\337{\313\327\336b\321\340\232\221\224W\371\261\374\321,\301\222\6\250\241d\13\206\20\356"\3\302e\2465\35\23v,\6K"\202v\220_\21\247/vb\305\236\25\346\352p(QW\217\320\227\37v?\210\256\260\343\270^\312\205\227A\231\257\3635Z0\334 \236\350\216\16\205\251\265\233\307\1262\254&\265\14\305R\35H^\351\273R\361\16qa\237\0\255\206\357|\2660\2579f%\3406i\346\225\376\263:\2771\322%n\355\33T\266\212gN\232^\335\321\372\302\222L\13\313hmq*\26\226\310\242\202\256\206(\233o\332\3508m\362hm\32\361\323\304\242c\252\213\7W\325\272\243\3067i-\366\16\12\31$\366Z\370\12vX\277|\304,\304\344\273\215}\12P\26T\362\216\20$d2n\13'\256=", ) , ) == 0x0 01556 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\0\0\0\203\304\14\205\300t\25\213F\4\205\300t\16\213\10WP\377Q\30\213\330\367\333\33\333C\205\333u4\201\177\4\4\1\0\0\213/u\33U\377v\10\377\25\240\21L#\205\300u\15j\5\377v\10\377\25`\21L#\211\7W\377v\10\377\25\220\21L#\213\330\211/3\300\205\333\17\224\300\351\354\376\377\377j\20\377\3253\311f\205\300\17\234\301Qj\0\377v\10\377\25\224\21L#\205\300t\240j\1Pj(\377v\10\377\25(\21L#\213\330\353\216U\213\354VWj\0j\0h\207\0\0\0\377u\10\377\25(\21L#\250\6uJ\213E\14;E\10t\14P\211E\14\377\25\304\21L#\353\357\377u\20\2135`\21L#\377u\14\377\326\213\370\205\377t\33j\360W\377\25T\21L#%\0\0\1\30=\0\0\1\20t\15\377u\20W\353\335j\1X_^]\3033\300\353\370U\213\354Q\215E\374\307E\374\1@\0\200P\213E\10\377u\14hf\4\0\0\377p\10\377\25(\21L#\213E\374\311\302\10\0SV\213\361W\203~\34\0\17\205\235\0\0\0\213F j\5\213\4\305\14!M#\17\267@\30P\350\340\1\0\0P\377\25\4\21L#\205\300t`P\213\316\350\315\1\0\0P\377\25\0\21L#\205\300tMP\377\25\374\20L#\213\330\205\333t@\277\30 M#W\377\25\200\20L#j\0hS\367L#\2115\264(M#\350\274\4\0\0PS\3775\10 M#\377\25\250\21L#\203%\264(M#\0W\377\25`\20L#\203~\34\0u\34\2135\234\20L#\377\326\205\300t\20\377\326%\377\377\0\0\15\0\0\7\200_^[\3033\300\353\370QV\213\361W\366F(\1t\32\213F\34\205\300t\23\215L$\10Qj\0hg\4\0\0P\377", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01557 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "\0\200@\0\0\0\220\04\0\11\4\35\0\0\0\0\0$\0\36\0\31\0\31\200@\0\0\0\224\0L\0\21D\37\0\1\0\0\0\20\0\0\0\254\20\0\0\12\0\0\0$\0\37\0\31\0\31\200@\0\0\0\230\0D\0!\4\36\0\1\0\0\0\10\0\10\200\377\377\377\377\1\0\0\0\23\0\0\0\23\0\0\0\1\0\0\0\1\0\0\0\2\0\0\0\2\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\10\0\0\0\11\0\0\0\11\0\0\0\30\0\0\0\30\0\0\0\12\0\0\0\12\0\0\0\16\0\0\0\16\0\0\0\24\0\0\0\24\0\0\0\25\0\0\0\25\0\0\0\32\0\0\0\32\0\0\0\26\0\0\0\21\0\0\0\22\0\0\0\27\0\0\0\31\0\0\0\330\375\377\377\0\0\0\0\0\0\0\0\270\17\0\0\270\17\0\0\314\17\0\0\314\17\0\0\344\17\0\0\344\17\0\0\374\17\0\0(\20\0\0P\20\0\0|\20\0\0\254\20\0\0\254\20\0\0\274\20\0\0\274\20\0\0\340\20\0\0\340\20\0\0\364\20\0\0\364\20\0\0\34\21\0\0\34\21\0\00\21\0\00\21\0\0D\21\0\0D\21\0\0t\21\0\0\260\21\0\0\14\22\0\0 \22\0\0D\22\0\0p\22\0\0\204\22\0\0\204\22\0\0\0\0\0\0<\0\0\0x\0\0\0\264\0\0\0\360\0\0\0,\1\0\0h\1\0\0\244\1\0\0\340\1\0\0\34\2\0\0X\2\0\0\224\2\0\0\320\2\0\0\14\3\0\0H\3\0\0\204\3\0\0\300\3\0\0\374\3\0\08\4\0\0t\4\0\0\260\4\0\0\354\4\0\0(\5\0\0d\5\0\0\240\5\0\0\364\5\0\0T\6\0\0\204\6\0\0\330\6\0\0 \7\0\08\7\0\0\\7\0\0<\0\0\0<\0\0\0\30\0\0\200\0\0\0\0\0\0D\0\14\4\0\0\1\0", 7540, 0x0, 0, ... {status=0x0, info=7540}, ) , 7540, 0x0, 0, ... {status=0x0, info=7540}, ) == 0x0 01558 416 NtReadFile (176, 0, 0, 0, 8397, 0x0, 0, ... {status=0x0, info=8397}, (176, 0, 0, 0, 8397, 0x0, 0, ... {status=0x0, info=8397}, "f\12\276\215\260A\264 \325\366\214&,\261\225\275Y\202\271*\32\2278\254\35\234\31e\303F\314hd4a\2066\27\333\321XQ[\31\207\255t\33r\26e\317\331\336\352m-\260X\315\346e\273\227\335\304&so\226%\2522\243\177\23\207=0\333\273>\16R\323,7@\325\227"\23\316\215\200\367F\227\227Mm\27\253\270\222\255\216\240\231e_\306:\353\206Q\267\377Sl}\270:\7e\334M\234\256\237\355\316\206\362=to\25\353\355\357\31T\271(\253\245\340A\200\352\355\254\367\254\250\242\350z\211\305\6\340\354+(\255\310/\313\304N\2\324\21d\252r)\262\240\306\30\7\257\356\357\264\a\3\257\15gd\251\222\323bM\263\325h|\243\3313\350j\200\311k\333\353\257-O\323l\260\271\323\321\330G1fKl\361\14e\255{.>v6ie\350\255\354\366\255\212\32dss\266\266-,\353V\344PS\343\34\351&23\316\215\200\367F\227\227Mm\27\253\270\222\255\216\240\231e_\306:\353\206Q\267\377Sl}\270:\7e\334M\234\256\237\355\316\206\362=to\25\353\355\357\31T\271(\253\245\340A\200\352\355\254\367\254\250\242\350z\211\305\6\340\354+(\255\310/\313\304N\2\324\21d\252r)\262\240\306\30\7\257\356\357\264\a\3\257\15gd\251\222\323bM\263\325h|\243\3313\350j\200\311k\333\353\257-O\323l\260\271\323\321\330G1fKl\361\14e\255{.>v6ie\350\255\354\366\255\212\32dss\266\266-,\353V\344PS\343\34\351&346\353g\302\342,(g\35\245-\217\3606\2250G\1\331\252\376\373X\256j\326\230\241\326\31e\343\373\232: Q\241\311j4k\367s*\37\333\330X\321\322\22U\367\235\353\260#\36Z\255\333\337a\367\311\214I\316\270\346\367\204R\232Ue\253\363\214V\313g\332\341\376\4\223&8f\335\323\330\232=z\301Ib\352\250sM\21c\256j\233\243@kc\354\264A\221\254\266Z\305\260\257b\345\314F\323\16a\246%O\340p\13\3\265\372\21\363~\206uL\235\376F\33\366\314\313\276\235\326\26\306n\366e\346\317\311\226\35\21m\17\334\252C\255\355\312\330\327zR\235&j47\336\202|\366com\267\233\245\355\324\24\233\342L\263\37\310W\2624\331\304\32\12\32\376u)8\5M\235\2519n5s\375\2\265\357\227\33`\302\223\344\227\255", ) == 0x0 01559 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "o\0p\0e\0r\0a\0t\0i\0o\0n\0 \0a\0r\0g\0u\0m\0e\0n\0t\0\34\0S\0t\0i\0l\0l\0 \0e\0x\0e\0c\0u\0t\0i\0n\0g\0 \0l\0a\0s\0t\0 \0r\0e\0q\0u\0e\0s\0t\0,\0T\0h\0i\0s\0 \0c\0a\0l\0l\0 \0i\0s\0 \0n\0o\0t\0 \0v\0a\0l\0i\0d\0 \0f\0o\0r\0 \0a\0n\0 \0F\0T\0P\0 \0c\0o\0n\0n\0e\0c\0t\0i\0o\0n\0\0\0\16\0O\0u\0t\0 \0o\0f\0 \0h\0a\0n\0d\0l\0e\0s\0\7\0T\0i\0m\0e\0o\0u\0t\0\16\0E\0x\0t\0e\0n\0d\0e\0d\0 \0e\0r\0r\0o\0r\0\16\0I\0n\0t\0e\0r\0n\0a\0l\0 \0e\0r\0r\0o\0r\0\13\0I\0n\0v\0a\0l\0i\0d\0 \0U\0R\0L\0\23\0U\0n\0r\0e\0c\0o\0g\0n\0i\0z\0e\0d\0 \0s\0c\0h\0e\0m\0e\0\21\0N\0a\0m\0e\0 \0n\0o\0t\0 \0r\0e\0s\0o\0l\0v\0e\0d\0\22\0P\0r\0o\0t\0o\0c\0o\0l\0 \0n\0o\0t\0 \0f\0o\0u\0n\0d\0\16\0I\0n\0v\0a\0l\0i\0d\0 \0o\0p\0t\0i\0o\0n\0\0\0\0\0\0\0\21\0B\0a\0d\0 \0o\0p\0t\0i\0o\0n\0 \0l\0e\0n\0g\0t\0", 14522, 0x0, 0, ... {status=0x0, info=14522}, ) , 14522, 0x0, 0, ... {status=0x0, info=14522}, ) == 0x0 01560 416 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01561 416 NtClose (12, ... ) == 0x0 01562 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\pac.txt"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01563 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\pac.txt"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01564 416 NtClose (-2147482020, ... ) == 0x0 01563 416 NtCreateFile ... 12, {status=0x0, info=2}, ) == 0x0 01565 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01566 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\14\10\0\200", ) , ) == 0x0 01567 416 NtReadFile (176, 0, 0, 0, 2060, 0x0, 0, ... {status=0x0, info=2060}, (176, 0, 0, 0, 2060, 0x0, 0, ... {status=0x0, info=2060}, "\355\323\333N^E\30\6\340\250-mLl\265\33\232\326\322}\244\11\26\272C\272\21^\265b*H7ZS\21(\10\5\354\206\2\251\320\226\237\302\35\364\2<\360\22<\321s\275+=\323\231\377'\215G^\3013\311Zkf\255\231of\2765\317\211\236\257\223\347\253Yx\236\364\257\215\345\310\342\334\271\341\271$\273\223G\311\275\316\247\311\207i\226\357\313\325ys\246\263<:\36'\323\311Gs9\227\221\221\344@\253G..\257'\233\311\302\241\336,&/\223\341\265\364Q\253\337&\355\267\223\251\276\236\314\326\366\266\366\211V\310\34\354/\267\271\271\363GG\327J\345N\322\373\354\275\272\332\305\375[Q\366\344\223\372x\225\27\255\366\322x\3631}\245\254f\276\326\216\245\253\177\263Q\322:PC\345\237V\266\3277J*\262\253Q\252\275}\365\305\310V\274\321\274\232-\377\254-S\231\371sW\351\263|\272\371\376l\16\214\217\315\347\257\262\233tdy1\363\243\271\321{\2525{)\3\213G\222k\203)\353:Y\323\374U\11R'\274\226\335\347\223\303\345G=\250\335\216\226\251\263\272^\363]\2e\317\375\356\216\345\14\", ) , ) == 0x0 01568 416 NtWriteFile (12, 0, 0, 0, " (12, 0, 0, 0, ""/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01569 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01570 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "???????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01571 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \15\12 (12, 0, 0, 0, "????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01572 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \15\12 (12, 0, 0, 0, "C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01573 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "??\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \15\12 (12, 0, 0, 0, "??\7\256?????]?\35?_Y0\24?\23\26????e?_\277?E/????h????=??uCK~p\35?u??g]W?J? ?\7?????C?>??\10?{d??v2/b\25?9|b??$??(e8\177y?_???\232??=??????;?5?\25?\37???v????|`????8?_?{??J?~3}\4t+#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01574 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \15\12 (12, 0, 0, 0, "#??W?????\370???\20?\6q???]?????\24\177;????PM?\177\236Jf\10"\15\12"/R??xv?mx??=z[?\36of1Kf???\17??k??^'s??,??????Z???'Oc'???\35l??b??6f?1?MM??\27???????4q|??\177??m\325?o??}??Kz?/l?7n?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01575 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "?k???~;???K?o??????+7o^?3???n]8{?F???s?????&??u??\2>?~?a!???\177 S{5?1??\33???B\7?{v????k??}??1J7u??H?4?i?E\7????]9?\32??.dP??????~[\177j??\5?/m??k?u?T?\31?5\177???Hk?I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi?", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) , 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01576 416 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "I????q\6{zc\1{\6=?Y.?'?!???????\\327??\263?9???Z5??????????O???\23\33???\16??A???4??#\36\25????uu?mTDxp???/\264??????l????????????[??6<\264]????U??\26Q??`7/?e????\4\26]???\16???\31=???ff2\37Yz???T??5w\21\177???o\25???????\22?@????\216?y??????p\?????b:A??g???? ?+=\177{3??>=????\377?o????|~??~?\16{???57????M???????Y?\216e|??\6?`?c\300\16?~?q(?????0?\27\[g?\367??/?\35?qo?gY?N5$?@???????>o\36??CE?\25??#???~L|??=???C?\172??\34??Bi????\37??|?v|???H?/??\22d.\35q?>;-??w\22????\5[?>o??#?\37\34O\??}?N??|-?_X?g??????8?b/??\3E??\37]?\17?????\27??\34{c+:????\37??j?????????/?????Q?.?`s? z??Np? ?9???\7\256?????]?\35", 17456, 0x0, 0, ... {status=0x0, info=17456}, ) , 17456, 0x0, 0, ... {status=0x0, info=17456}, ) == 0x0 01577 416 NtSetInformationFile (12, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01578 416 NtClose (12, ... ) == 0x0 01579 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01580 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01581 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01582 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1244108, ... ) }, 1244108, ... ) == 0x0 01583 416 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 12, {status=0x0, info=2}, ) == 0x0 01584 416 NtClose (12, ... ) == 0x0 01585 416 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\WINDOWS\System32\vMW03a"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 01586 416 NtQueryVolumeInformationFile (12, 1244076, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01587 416 NtClose (180, ... ) == 0x0 01588 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1244092, ... ) }, 1244092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 416 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244072, (0x40100080, {24, 0, 0x40, 0, 1244072, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 0x0, 0, 1, 5, 96, 0, 0, ... }, 0x0, 0, 1, 5, 96, 0, 0, ... 01590 416 NtClose (-2147482020, ... ) == 0x0 01589 416 NtCreateFile ... 180, {status=0x0, info=2}, ) == 0x0 01591 416 NtSetInformationFile (176, 1244048, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01592 416 NtReadFile (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (176, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\211 \0\200", ) , ) == 0x0 01593 416 NtReadFile (176, 0, 0, 0, 8329, 0x0, 0, ... {status=0x0, info=8329}, (176, 0, 0, 0, 8329, 0x0, 0, ... {status=0x0, info=8329}, "\355}\177|T\307u\357,\310 @\6a$\202\2150\342Ac\331\301 \20`\260\301Z$-\221\260\26\255V\277\260-,\204\366J+YH\313\336\25\31012J\201D\327\313\272`\303'$\261]\222\17I\324\304m\325W\210U\202\239\330\201O\252\324J\321\3\265V\373\364\22\352'\7\342(\257\324\310\261\354\355\367\234\271\367\352\256~A\352\304\257\177\354,g\356\314\33433\347\23493sf\356hp>vXL\26B\304\0\302a!\332\205tvqsG\2703\27\236\231)NM\373\331\242v[\356\317\26\25z\253\325d\237\277\276\312_\2763\271\242\274\256\256>\220\274CI\3667\324%W\327%g\345\25$\357\254\367(\313n\277}\372\22\275\214?{\366\203\267\377\376\352WZ\14\310\276\361\325\226\237\342\371\315\353/\363\363\177\\377\32?\335\325\25^zo\324\355r\10\221k\233,\276\223|c\223\221\326'f\331f\330\246\340%"\3112\355\304\34x\361\200\355:W\3612N\374\332t\276\3315\313\364KW\205\230\304\11\361\22\327|\232\17v\253\234B\244P\300'D[\254\370\304.e\222N2*Yb\33\37oY@i\14\340\371b\206N\220k\4a\222\365\355\313<\345\201r\204\343\246\353\274\2332\30v\220F\3072\277\352\257\20:\17>\35\3177\12\317\363\343\262\303Z\215\263\2408\243\330\271&uYVn\256\210\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\377\366nJK\245\372\324\307\212\272\354\311*5\367W\225\252\347\365\12\365\355\333\25\265\254LQ\277\351\257R\37\274\241\250\257\177\244\250\17"~\355E\217\372\336\373\212\372\243\357{\324\352\257y\324\35\17+\352\227\360\376K\203\212:\324\356Q\353\264J\365\337=\212ZSR\251\336X\357", ) \3112\355\304\34x\361\200\355:W\3612N\374\332t\276\3315\313\364KW\205\230\304\11\361\22\327|\232\17v\253\234B\244P\300'D[\254\370\304.e\222N2*Yb\33\37oY@i\14\340\371b\206N\220k\4a\222\365\355\313<\345\201r\204\343\246\353\274\2332\30v\220F\3072\277\352\257\20:\17>\35\3177\12\317\363\343\262\303Z\215\263\2408\243\330\271&uYVn\256\210\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\377\366nJK\245\372\324\307\212\272\354\311*5\367W\225\252\347\365\12\365\355\333\25\265\254LQ\277\351\257R\37\274\241\250\257\177\244\250\17 (176, 0, 0, 0, 8329, 0x0, 0, ... {status=0x0, info=8329}, "\355}\177|T\307u\357,\310 @\6a$\202\2150\342Ac\331\301 \20`\260\301Z$-\221\260\26\255V\277\260-,\204\366J+YH\313\336\25\31012J\201D\327\313\272`\303'$\261]\222\17I\324\304m\325W\210U\202\239\330\201O\252\324J\321\3\265V\373\364\22\352'\7\342(\257\324\310\261\354\355\367\234\271\367\352\256~A\352\304\257\177\354,g\356\314\33433\347\23493sf\356hp>vXL\26B\304\0\302a!\332\205tvqsG\2703\27\236\231)NM\373\331\242v[\356\317\26\25z\253\325d\237\277\276\312_\2763\271\242\274\256\256>\220\274CI\3667\324%W\327%g\345\25$\357\254\367(\313n\277}\372\22\275\214?{\366\203\267\377\376\352WZ\14\310\276\361\325\226\237\342\371\315\353/\363\363\177\\377\32?\335\325\25^zo\324\355r\10\221k\233,\276\223|c\223\221\326'f\331f\330\246\340%"\3112\355\304\34x\361\200\355:W\3612N\374\332t\276\3315\313\364KW\205\230\304\11\361\22\327|\232\17v\253\234B\244P\300'D[\254\370\304.e\222N2*Yb\33\37oY@i\14\340\371b\206N\220k\4a\222\365\355\313<\345\201r\204\343\246\353\274\2332\30v\220F\3072\277\352\257\20:\17>\35\3177\12\317\363\343\262\303Z\215\263\2408\243\330\271&uYVn\256\210\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\250\213\272\377\366nJK\245\372\324\307\212\272\354\311*5\367W\225\252\347\365\12\365\355\333\25\265\254LQ\277\351\257R\37\274\241\250\257\177\244\250\17"~\355E\217\372\336\373\212\372\243\357{\324\352\257y\324\35\17+\352\227\360\376K\203\212:\324\356Q\353\264J\365\337=\212ZSR\251\336X\357", ) , ) == 0x0 01594 416 NtWriteFile (180, 0, 0, 0, (180, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\217\212\371\333\313\353\227\210\313\353\227\210\313\353\227\210H\367\231\210\312\353\227\210\242\364\236\210\312\353\227\210"\364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\247 \367F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\326\353\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\04M\0\0(\0\0\0\0p\0\0\260\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\234B\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) \364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\247 \367F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\326\353\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\04M\0\0(\0\0\0\0p\0\0\260\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\234B\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 32768, 0x0, 0, ... {status=0x0, info=32768}, ) == 0x0 01595 416 NtSetInformationFile (180, 1244140, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01596 416 NtClose (180, ... ) == 0x0 01597 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a"}, 1244076, ... ) }, 1244076, ... ) == 0x0 01598 416 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01599 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1240548, ... ) }, 1240548, ... ) == 0x0 01600 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1241240, ... ) }, 1241240, ... ) == 0x0 01601 416 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01602 416 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 180, ... 172, ) == 0x0 01603 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01604 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 184, ) }, ... 184, ) == 0x0 01605 416 NtQueryValueKey (184, (184, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01606 416 NtClose (184, ... ) == 0x0 01607 416 NtQueryVolumeInformationFile (180, 1240548, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01608 416 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 184, ) }, ... 184, ) == 0x0 01609 416 NtWaitForSingleObject (184, 0, {-1000000, -1}, ... ) == 0x0 01610 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 188, ) }, ... 188, ) == 0x0 01611 416 NtMapViewOfSection (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 57344, ) == 0x0 01612 416 NtReleaseMutant (184, ... 0x0, ) == 0x0 01613 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238532, ... ) }, 1238532, ... ) == 0x0 01614 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0 01615 416 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 192, ... 196, ) == 0x0 01616 416 NtClose (192, ... ) == 0x0 01617 416 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 106496, ) == 0x0 01618 416 NtClose (196, ... ) == 0x0 01619 416 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 01620 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238848, ... ) }, 1238848, ... ) == 0x0 01621 416 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 196, {status=0x0, info=1}, ) }, 5, 96, ... 196, {status=0x0, info=1}, ) == 0x0 01622 416 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 196, ... 192, ) == 0x0 01623 416 NtQuerySection (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01624 416 NtClose (196, ... ) == 0x0 01625 416 NtMapViewOfSection (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01626 416 NtClose (192, ... ) == 0x0 01627 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 01628 416 NtQueryInformationFile (192, 1239136, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01629 416 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0 01630 416 NtMapViewOfSection (196, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x9a0000), 0x0, 1028096, ) == 0x0 01631 416 NtQueryInformationFile (192, 1239232, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01632 416 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01633 416 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01634 416 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01635 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01636 416 NtQueryDirectoryFile (200, 0, 0, 0, 1236796, 616, BothDirectory, 1, (200, 0, 0, 0, 1236796, 616, BothDirectory, 1, "vMW03a1066.exe", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01637 416 NtClose (200, ... ) == 0x0 01638 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01639 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01640 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1236184, ... ) }, 1236184, ... ) == 0x0 01641 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01642 416 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01643 416 NtClose (200, ... ) == 0x0 01644 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01645 416 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01646 416 NtClose (200, ... ) == 0x0 01647 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01648 416 NtQueryDirectoryFile (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, (200, 0, 0, 0, 1235544, 616, BothDirectory, 1, "vMW03a", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01649 416 NtClose (200, ... ) == 0x0 01650 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01651 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01652 416 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01653 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01654 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01655 416 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01656 416 NtClose (200, ... ) == 0x0 01657 416 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01658 416 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\vMW03a1066.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01659 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01660 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01661 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1238464, ... ) }, 1238464, ... ) == 0x0 01662 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01663 416 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01664 416 NtClose (200, ... ) == 0x0 01665 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01666 416 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01667 416 NtClose (200, ... ) == 0x0 01668 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01669 416 NtQueryDirectoryFile (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, (200, 0, 0, 0, 1237824, 616, BothDirectory, 1, "vMW03a", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01670 416 NtClose (200, ... ) == 0x0 01671 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01672 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01673 416 NtWaitForSingleObject (184, 0, {-1000000, -1}, ... ) == 0x0 01674 416 NtQueryVolumeInformationFile (180, 1239108, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01675 416 NtQueryInformationFile (180, 1239088, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01676 416 NtQueryInformationFile (180, 1239128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01677 416 NtReleaseMutant (184, ... 0x0, ) == 0x0 01678 416 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 01679 416 NtClose (196, ... ) == 0x0 01680 416 NtClose (192, ... ) == 0x0 01681 416 NtQuerySection (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01682 416 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vMW03a1066.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01683 416 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01684 416 NtOpenProcessToken (-1, 0xa, ... 192, ) == 0x0 01685 416 NtQueryInformationToken (192, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 01686 416 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01687 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01688 416 NtQueryValueKey (196, (196, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (196, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01689 416 NtQueryValueKey (196, (196, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (196, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01690 416 NtClose (196, ... ) == 0x0 01691 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01692 416 NtQueryValueKey (196, (196, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01693 416 NtQueryValueKey (196, (196, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (196, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01694 416 NtClose (196, ... ) == 0x0 01695 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01696 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01697 416 NtQueryValueKey (196, (196, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01698 416 NtClose (196, ... ) == 0x0 01699 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01700 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01701 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01702 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01703 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01704 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01705 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01706 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01707 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01708 416 NtQueryDefaultLocale (1, 1239920, ... ) == 0x0 01709 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 196, ) }, ... 196, ) == 0x0 01710 416 NtEnumerateKey (196, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (196, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01711 416 NtOpenKey (0x20019, {24, 196, 0x40, 0, 0, (0x20019, {24, 196, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 200, ) }, ... 200, ) == 0x0 01712 416 NtQueryValueKey (200, (200, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (200, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01713 416 NtQueryValueKey (200, (200, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (200, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01714 416 NtClose (200, ... ) == 0x0 01715 416 NtEnumerateKey (196, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01716 416 NtClose (196, ... ) == 0x0 01717 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01718 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01719 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01720 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01721 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01722 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01723 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01724 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01725 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01726 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01727 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01728 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01729 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01730 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01731 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01732 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01733 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01734 416 NtClose (196, ... ) == 0x0 01735 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01736 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01737 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01738 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01739 416 NtClose (196, ... ) == 0x0 01740 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01741 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01742 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01743 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01744 416 NtClose (196, ... ) == 0x0 01745 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01746 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01747 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01748 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01749 416 NtClose (196, ... ) == 0x0 01750 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01751 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01752 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01753 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01754 416 NtClose (196, ... ) == 0x0 01755 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01756 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01757 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01758 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01759 416 NtClose (196, ... ) == 0x0 01760 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01761 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01762 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01763 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01764 416 NtClose (196, ... ) == 0x0 01765 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01766 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01767 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01768 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01769 416 NtClose (196, ... ) == 0x0 01770 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01771 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01772 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01773 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01774 416 NtClose (196, ... ) == 0x0 01775 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01776 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01777 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01778 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01779 416 NtClose (196, ... ) == 0x0 01780 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01781 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01782 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01783 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01784 416 NtClose (196, ... ) == 0x0 01785 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01786 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01787 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01788 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01789 416 NtClose (196, ... ) == 0x0 01790 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01791 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01792 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01793 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01794 416 NtClose (196, ... ) == 0x0 01795 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01796 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01797 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01798 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01799 416 NtClose (196, ... ) == 0x0 01800 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01801 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01802 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01803 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01804 416 NtClose (196, ... ) == 0x0 01805 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01806 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01807 416 NtQueryValueKey (196, (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 01808 416 NtClose (196, ... ) == 0x0 01809 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01810 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 196, ) == 0x0 01811 416 NtQueryInformationToken (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01812 416 NtClose (196, ... ) == 0x0 01813 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01814 416 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01815 416 NtOpenProcessToken (-1, 0xa, ... 196, ) == 0x0 01816 416 NtDuplicateToken (196, 0xc, {24, 0, 0x0, 0, 1240440, 0x0}, 0, 2, ... 200, ) == 0x0 01817 416 NtClose (196, ... ) == 0x0 01818 416 NtAccessCheck (1366144, 200, 0x1, 1240568, 1240512, 56, 1240596, ... (0x1), ) == 0x0 01819 416 NtClose (200, ... ) == 0x0 01820 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 200, ) }, ... 200, ) == 0x0 01821 416 NtQueryValueKey (200, (200, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (200, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01822 416 NtClose (200, ... ) == 0x0 01823 416 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 200, ) }, ... 200, ) == 0x0 01824 416 NtQuerySymbolicLinkObject (200, ... (200, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01825 416 NtClose (200, ... ) == 0x0 01826 416 NtQueryInformationFile (180, 1238900, 528, Name, ... {status=0x0, info=82}, ) == 0x0 01827 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01828 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01829 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe"}, 1237580, ... ) }, 1237580, ... ) == 0x0 01830 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01831 416 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01832 416 NtClose (200, ... ) == 0x0 01833 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01834 416 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01835 416 NtClose (200, ... ) == 0x0 01836 416 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0 01837 416 NtQueryDirectoryFile (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, (200, 0, 0, 0, 1236940, 616, BothDirectory, 1, "vMW03a", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01838 416 NtClose (200, ... ) == 0x0 01839 416 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01840 416 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01841 416 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01842 416 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 200, ) == 0x0 01843 416 NtQueryInformationToken (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01844 416 NtClose (200, ... ) == 0x0 01845 416 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 200, ) }, ... 200, ) == 0x0 01846 416 NtOpenKey (0x20019, {24, 200, 0x40, 0, 0, (0x20019, {24, 200, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 196, ) }, ... 196, ) == 0x0 01847 416 NtClose (200, ... ) == 0x0 01848 416 NtQueryValueKey (196, (196, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01849 416 NtQueryValueKey (196, (196, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (196, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 01850 416 NtClose (196, ... ) == 0x0 01851 416 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 10092544, 4096, ) == 0x0 01852 416 NtAllocateVirtualMemory (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0 01853 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0 01854 416 NtQueryValueKey (196, (196, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01855 416 NtClose (196, ... ) == 0x0 01856 416 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01857 416 NtQueryInformationToken (192, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01858 416 NtQueryInformationToken (192, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 01859 416 NtClose (192, ... ) == 0x0 01860 416 NtCreateProcessEx (1243176, 2035711, 0, -1, 0, 172, 0, 0, 0, ... ) == 0x0 01861 416 NtQueryInformationProcess (192, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=412,}, 0x0, ) == 0x0 01862 416 NtReadVirtualMemory (192, 0x7ffdf008, 4, ... (192, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 01863 416 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a\vMW03a1066.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01864 416 NtReadVirtualMemory (192, 0x400000, 4096, ... (192, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\217\212\371\333\313\353\227\210\313\353\227\210\313\353\227\210H\367\231\210\312\353\227\210\242\364\236\210\312\353\227\210"\364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\247 \367F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\326\353\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\04M\0\0(\0\0\0\0p\0\0\260\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\234B\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 4096, ) \364\232\210\312\353\227\210Rich\313\353\227\210\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\247 \367F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0P\0\0\0 \0\0\0\0\0\0\240\23\0\0\0\20\0\0\0`\0\0\0\0@\0\0\20\0\0\0\20\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\200\0\0\0\20\0\0\326\353\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\04M\0\0(\0\0\0\0p\0\0\260\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\2\0\0 \0\0\0\0\20\0\0$\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\234B\0\0\0\20\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\14\12\0\0\0`\0\0\0\20\0\0\0`\0\0\0\0\0\0", 4096, ) == 0x0 01865 416 NtReadVirtualMemory (192, 0x407000, 256, ... (192, 0x407000, 256, ... "\0\0\0\0\247 \367F\0\0\0\0\0\0\3\0\3\0\0\0X\0\0\200\16\0\0\0@\0\0\200\20\0\0\0(\0\0\200\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\1\0\0\0\200\0\0\200\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\1\0\0\0\230\0\0\200\0\0\0\0\247 \367F\0\0\0\0\0\0\3\01u\0\0\340\0\0\2002u\0\0\310\0\0\2003u\0\0\260\0\0\200\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\11\4\0\0\370\0\0\0\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\0\0\0\0\10\1\0\0\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\0\0\0\0\30\1\0\0\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\0\0\0\0(\1\0\0\0\0\0\0\247 \367F\0\0\0\0\0\0\1\0\0\0\0\08\1\0\0Pq\0\0\360\1\0\0", 256, ) , 256, ) == 0x0 01866 416 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01867 416 NtQueryInformationProcess (192, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=412,}, 0x0, ) == 0x0 01868 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\vMW03a"}, 1241240, ... ) }, 1241240, ... ) == 0x0 01869 416 NtAllocateVirtualMemory (-1, 0, 0, 1732, 4096, 4, ... 10158080, 4096, ) == 0x0 01870 416 NtAllocateVirtualMemory (192, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 01871 416 NtWriteVirtualMemory (192, 0x10000, (192, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 01872 416 NtAllocateVirtualMemory (192, 0, 0, 1732, 4096, 4, ... 131072, 4096, ) == 0x0 01873 416 NtWriteVirtualMemory (192, 0x20000, (192, 0x20000, "\0\20\0\0\304\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\04\0\10\2\220\2\0\0\0\0\0\0\12\1\14\1\230\4\0\0R\0T\0\244\5\0\0R\0T\0\370\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0T\0L\6\0\0\36\0 \0\240\6\0\0\0\0\2\0\300\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1732, ... 0x0, ) , 1732, ... 0x0, ) == 0x0 01874 416 NtWriteVirtualMemory (192, 0x7ffdf010, (192, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01875 416 NtWriteVirtualMemory (192, 0x7ffdf1e8, (192, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01876 416 NtFreeVirtualMemory (-1, (0x9b0000), 0, 32768, ... (0x9b0000), 4096, ) == 0x0 01877 416 NtAllocateVirtualMemory (192, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01878 416 NtAllocateVirtualMemory (192, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 01879 416 NtProtectVirtualMemory (192, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 01880 416 NtCreateThread (0x1f03ff, 0x0, 192, 1241440, 1242160, 1, ... 196, {380, 568}, ) == 0x0 01881 416 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} "\0\0\0\0\0\0\1\0\2$\370w U\367w\303\0\0\0\304\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ... {168, 196, reply, 0, 412, 416, 1503, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\300\0\0\0\304\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ) ... {168, 196, reply, 0, 412, 416, 1503, 0} (24, {168, 196, new_msg, 0, 1312776, 1310720, 1400960, 1243260} "\0\0\0\0\0\0\1\0\2$\370w U\367w\303\0\0\0\304\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ... {168, 196, reply, 0, 412, 416, 1503, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\300\0\0\0\304\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\373\22\0\0H\365w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0:\0\\0W\0" ) ) == 0x0 01882 416 NtResumeThread (196, ... 1, ) == 0x0 01883 416 NtClose (180, ... ) == 0x0 01884 416 NtClose (172, ... ) == 0x0 01885 416 NtClose (196, ... ) == 0x0 01886 416 NtClose (192, ... ) == 0x0 01887 416 NtClose (176, ... ) == 0x0 01888 416 NtUserDestroyWindow (131262, ... 01889 416 NtUserRemoveProp (131262, 43288, ... ) == 0xffffffff 01890 416 NtUserRemoveProp (131262, 43282, ... ) == 0x0 01891 416 NtUserRemoveProp (131262, 43287, ... ) == 0x0 01888 416 NtUserDestroyWindow ... ) == 0x1 01892 416 NtUserUnregisterClass (1244636, 1998258176, 1244624, ... ) == 0x1 01893 416 NtTerminateProcess (0, 0, ... ) == 0x0 01894 416 NtRaiseException (1243508, 1242768, 1, ... 01895 416 NtContinue (1241564, 0, ... 01896 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01897 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01898 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01899 416 NtRaiseException (1233484, 1232744, 1, ... 01900 416 NtContinue (1231540, 0, ... 01901 416 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01902 416 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01903 416 NtReleaseMutant (112, ... 0x0, ) == 0x0 01904 416 NtUnmapViewOfSection (-1, 0x980000, ... ) == 0x0 01905 416 NtClose (168, ... ) == 0x0 01906 416 NtClose (164, ... ) == 0x0 01907 416 NtClose (152, ... ) == 0x0 01908 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 01909 416 NtFreeVirtualMemory (-1, (0x880000), 0, 32768, ... (0x880000), 65536, ) == 0x0 01910 416 NtClose (104, ... ) == 0x0 01911 416 NtClose (148, ... ) == 0x0 01912 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 01913 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 148, ) }, ... 148, ) == 0x0 01914 416 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 01915 416 NtClose (148, ... ) == 0x0 01916 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 01917 416 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 01918 416 NtClose (72, ... ) == 0x0 01919 416 NtGdiDeleteObjectApp (202376191, ... ) == 0x1 01920 416 NtUserGetProcessWindowStation (... ) == 0x28 01921 416 NtUserBuildNameList (40, 256, 1349064, 1244148, ... ) == 0x0 01922 416 NtUserGetProcessWindowStation (... ) == 0x28 01923 416 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x48 01924 416 NtUserBuildHwndList (72, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x100ae, 0x20064, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0 01925 416 NtUserQueryWindow (65706, 0, ... ) == 0x7dc 01926 416 NtUserQueryWindow (65706, 1, ... ) == 0x7e0 01927 416 NtUserQueryWindow (65704, 0, ... ) == 0x7dc 01928 416 NtUserQueryWindow (65704, 1, ... ) == 0x7e0 01929 416 NtUserQueryWindow (65702, 0, ... ) == 0x7dc 01930 416 NtUserQueryWindow (65702, 1, ... ) == 0x7e0 01931 416 NtUserQueryWindow (131168, 0, ... ) == 0x7dc 01932 416 NtUserQueryWindow (131168, 1, ... ) == 0x7e0 01933 416 NtUserQueryWindow (65696, 0, ... ) == 0x778 01934 416 NtUserQueryWindow (65696, 1, ... ) == 0x784 01935 416 NtUserQueryWindow (65662, 0, ... ) == 0x778 01936 416 NtUserQueryWindow (65662, 1, ... ) == 0x784 01937 416 NtUserBuildHwndList (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0 01938 416 NtUserQueryWindow (65664, 0, ... ) == 0x778 01939 416 NtUserQueryWindow (65664, 1, ... ) == 0x784 01940 416 NtUserQueryWindow (65670, 0, ... ) == 0x778 01941 416 NtUserQueryWindow (65670, 1, ... ) == 0x784 01942 416 NtUserQueryWindow (65672, 0, ... ) == 0x778 01943 416 NtUserQueryWindow (65672, 1, ... ) == 0x784 01944 416 NtUserQueryWindow (65674, 0, ... ) == 0x778 01945 416 NtUserQueryWindow (65674, 1, ... ) == 0x784 01946 416 NtUserQueryWindow (65678, 0, ... ) == 0x778 01947 416 NtUserQueryWindow (65678, 1, ... ) == 0x784 01948 416 NtUserQueryWindow (65680, 0, ... ) == 0x778 01949 416 NtUserQueryWindow (65680, 1, ... ) == 0x784 01950 416 NtUserQueryWindow (65682, 0, ... ) == 0x778 01951 416 NtUserQueryWindow (65682, 1, ... ) == 0x784 01952 416 NtUserQueryWindow (65684, 0, ... ) == 0x778 01953 416 NtUserQueryWindow (65684, 1, ... ) == 0x784 01954 416 NtUserQueryWindow (65686, 0, ... ) == 0x778 01955 416 NtUserQueryWindow (65686, 1, ... ) == 0x784 01956 416 NtUserQueryWindow (65690, 0, ... ) == 0x778 01957 416 NtUserQueryWindow (65690, 1, ... ) == 0x784 01958 416 NtUserQueryWindow (65692, 0, ... ) == 0x778 01959 416 NtUserQueryWindow (65692, 1, ... ) == 0x784 01960 416 NtUserQueryWindow (65694, 0, ... ) == 0x778 01961 416 NtUserQueryWindow (65694, 1, ... ) == 0x784 01962 416 NtUserQueryWindow (65652, 0, ... ) == 0x778 01963 416 NtUserQueryWindow (65652, 1, ... ) == 0x784 01964 416 NtUserQueryWindow (65640, 0, ... ) == 0x778 01965 416 NtUserQueryWindow (65640, 1, ... ) == 0x784 01966 416 NtUserQueryWindow (196682, 0, ... ) == 0x778 01967 416 NtUserQueryWindow (196682, 1, ... ) == 0x784 01968 416 NtUserQueryWindow (65638, 0, ... ) == 0x778 01969 416 NtUserQueryWindow (65638, 1, ... ) == 0x784 01970 416 NtUserQueryWindow (196684, 0, ... ) == 0x778 01971 416 NtUserQueryWindow (196684, 1, ... ) == 0x784 01972 416 NtUserQueryWindow (196668, 0, ... ) == 0x778 01973 416 NtUserQueryWindow (196668, 1, ... ) == 0x784 01974 416 NtUserBuildHwndList (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0 01975 416 NtUserQueryWindow (196670, 0, ... ) == 0x778 01976 416 NtUserQueryWindow (196670, 1, ... ) == 0x784 01977 416 NtUserQueryWindow (196674, 0, ... ) == 0x778 01978 416 NtUserQueryWindow (196674, 1, ... ) == 0x784 01979 416 NtUserQueryWindow (196672, 0, ... ) == 0x778 01980 416 NtUserQueryWindow (196672, 1, ... ) == 0x784 01981 416 NtUserQueryWindow (196676, 0, ... ) == 0x778 01982 416 NtUserQueryWindow (196676, 1, ... ) == 0x784 01983 416 NtUserQueryWindow (196678, 0, ... ) == 0x778 01984 416 NtUserQueryWindow (196678, 1, ... ) == 0x784 01985 416 NtUserQueryWindow (196680, 0, ... ) == 0x778 01986 416 NtUserQueryWindow (196680, 1, ... ) == 0x784 01987 416 NtUserQueryWindow (65642, 0, ... ) == 0x778 01988 416 NtUserQueryWindow (65642, 1, ... ) == 0x784 01989 416 NtUserQueryWindow (65646, 0, ... ) == 0x778 01990 416 NtUserQueryWindow (65646, 1, ... ) == 0x784 01991 416 NtUserQueryWindow (65650, 0, ... ) == 0x778 01992 416 NtUserQueryWindow (65650, 1, ... ) == 0x784 01993 416 NtUserQueryWindow (65688, 0, ... ) == 0x778 01994 416 NtUserQueryWindow (65688, 1, ... ) == 0x784 01995 416 NtUserQueryWindow (65676, 0, ... ) == 0x778 01996 416 NtUserQueryWindow (65676, 1, ... ) == 0x784 01997 416 NtUserQueryWindow (65660, 0, ... ) == 0x778 01998 416 NtUserQueryWindow (65660, 1, ... ) == 0x77c 01999 416 NtUserQueryWindow (65574, 0, ... ) == 0x268 02000 416 NtUserQueryWindow (65574, 1, ... ) == 0x2c4 02001 416 NtUserQueryWindow (65724, 0, ... ) == 0x7ec 02002 416 NtUserQueryWindow (65724, 1, ... ) == 0x7f0 02003 416 NtUserQueryWindow (65722, 0, ... ) == 0x7ec 02004 416 NtUserQueryWindow (65722, 1, ... ) == 0x7f0 02005 416 NtUserQueryWindow (65720, 0, ... ) == 0x7ec 02006 416 NtUserQueryWindow (65720, 1, ... ) == 0x7f0 02007 416 NtUserQueryWindow (65718, 0, ... ) == 0x7ec 02008 416 NtUserQueryWindow (65718, 1, ... ) == 0x7f0 02009 416 NtUserQueryWindow (65716, 0, ... ) == 0x7ec 02010 416 NtUserQueryWindow (65716, 1, ... ) == 0x7f0 02011 416 NtUserQueryWindow (65714, 0, ... ) == 0x7ec 02012 416 NtUserQueryWindow (65714, 1, ... ) == 0x7f0 02013 416 NtUserQueryWindow (65712, 0, ... ) == 0x7ec 02014 416 NtUserQueryWindow (65712, 1, ... ) == 0x7f0 02015 416 NtUserQueryWindow (65710, 0, ... ) == 0x7ec 02016 416 NtUserQueryWindow (65710, 1, ... ) == 0x7f0 02017 416 NtUserQueryWindow (131172, 0, ... ) == 0x7f8 02018 416 NtUserQueryWindow (131172, 1, ... ) == 0x7fc 02019 416 NtUserQueryWindow (65708, 0, ... ) == 0x7dc 02020 416 NtUserQueryWindow (65708, 1, ... ) == 0x7e0 02021 416 NtUserQueryWindow (131170, 0, ... ) == 0x7d0 02022 416 NtUserQueryWindow (131170, 1, ... ) == 0x7d4 02023 416 NtUserQueryWindow (65644, 0, ... ) == 0x778 02024 416 NtUserQueryWindow (65644, 1, ... ) == 0x7a0 02025 416 NtUserQueryWindow (327760, 0, ... ) == 0x778 02026 416 NtUserQueryWindow (327760, 1, ... ) == 0x77c 02027 416 NtUserQueryWindow (262228, 0, ... ) == 0x778 02028 416 NtUserQueryWindow (262228, 1, ... ) == 0x77c 02029 416 NtUserQueryWindow (327758, 0, ... ) == 0x778 02030 416 NtUserQueryWindow (327758, 1, ... ) == 0x77c 02031 416 NtUserQueryWindow (65666, 0, ... ) == 0x778 02032 416 NtUserQueryWindow (65666, 1, ... ) == 0x77c 02033 416 NtUserQueryWindow (65654, 0, ... ) == 0x778 02034 416 NtUserQueryWindow (65654, 1, ... ) == 0x77c 02035 416 NtUserBuildHwndList (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0 02036 416 NtUserQueryWindow (65656, 0, ... ) == 0x778 02037 416 NtUserQueryWindow (65656, 1, ... ) == 0x77c 02038 416 NtUserQueryWindow (65658, 0, ... ) == 0x778 02039 416 NtUserQueryWindow (65658, 1, ... ) == 0x77c 02040 416 NtUserCloseDesktop (72, ... 02041 416 NtClose (72, ... ) == 0x0 02040 416 NtUserCloseDesktop ... ) == 0x1 02042 416 NtUserGetProcessWindowStation (... ) == 0x28 02043 416 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02044 416 NtUserGetProcessWindowStation (... ) == 0x28 02045 416 NtUserOpenDesktop ({24, 40, 0x40, 0, 0, ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0 02046 416 NtGdiDeleteObjectApp (369755159, ... ) == 0x1 02047 416 NtGdiDeleteObjectApp (151651339, ... ) == 0x1 02048 416 NtClose (64, ... ) == 0x0 02049 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 02050 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc03b 02051 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02052 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc03d 02053 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02054 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc03f 02055 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02056 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc041 02057 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02058 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc043 02059 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02060 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc045 02061 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02062 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc047 02063 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02064 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc049 02065 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02066 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04b 02067 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02068 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04d 02069 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02070 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc04f 02071 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02072 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc051 02073 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02074 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc053 02075 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02076 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc057 02077 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02078 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc059 02079 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02080 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05b 02081 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02082 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05d 02083 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02084 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc05f 02085 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02086 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc017 02087 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02088 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc019 02089 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02090 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc018 02091 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02092 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01a 02093 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02094 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01c 02095 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02096 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01e 02097 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02098 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc01b 02099 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02100 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc068 02101 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02102 416 NtUserGetClassInfo (1905590272, 1244196, 1244148, 1244224, 0, ... ) == 0xc06a 02103 416 NtUserUnregisterClass (1244200, 1905590272, 1244188, ... ) == 0x1 02104 416 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 02105 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 02106 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03b 02107 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02108 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03d 02109 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02110 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc03f 02111 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02112 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc041 02113 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02114 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc043 02115 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02116 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc045 02117 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02118 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc047 02119 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02120 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc049 02121 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02122 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc04b 02123 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02124 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc04d 02125 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02126 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc04f 02127 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02128 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc051 02129 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02130 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc053 02131 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02132 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc057 02133 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02134 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc059 02135 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02136 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05b 02137 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02138 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05d 02139 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02140 416 NtUserGetClassInfo (1999896576, 1244196, 1244148, 1244224, 0, ... ) == 0xc05f 02141 416 NtUserUnregisterClass (1244200, 1999896576, 1244188, ... ) == 0x1 02142 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 02143 416 NtClose (160, ... ) == 0x0 02144 416 NtClose (76, ... ) == 0x0 02145 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 02146 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 02147 416 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 02148 416 NtClose (68, ... ) == 0x0 02149 416 NtFreeVirtualMemory (-1, (0x9a0000), 4096, 32768, ... (0x9a0000), 4096, ) == 0x0 02150 416 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1369944, 1369952, 65912, 1310720} (24, {20, 48, new_msg, 0, 1369944, 1369952, 65912, 1310720} "\0\0\0\0\3\0\1\0\230\375\22\0\2$\370w\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 1508, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2$\370w\0\0\0\0" ) ... {20, 48, reply, 0, 412, 416, 1508, 0} (24, {20, 48, new_msg, 0, 1369944, 1369952, 65912, 1310720} "\0\0\0\0\3\0\1\0\230\375\22\0\2$\370w\0\0\0\0" ... {20, 48, reply, 0, 412, 416, 1508, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2$\370w\0\0\0\0" ) ) == 0x0 02151 416 NtTerminateProcess (-1, 0, ... 02152 416 NtClose (44, ... ) == 0x0