Summary:


NtAdjustPrivilegesToken(>)  1 
NtDeleteAtom(>)  2 
NtGdiBitBlt(>)  7 
NtQueryInformationProcess(>)  15 

NtCallbackReturn(>)  1 
NtEnumerateKey(>)  2 
NtGdiCreateDIBitmapInternal(>)  7 
NtCreateSection(>)  17 

NtCreateMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiGetDCObject(>)  7 
NtGdiDeleteObjectApp(>)  18 

NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtReadFile(>)  19 

NtCreateThread(>)  1 
NtOpenEvent(>)  2 
NtGdiGetStockObject(>)  7 
NtContinue(>)  20 

NtDelayExecution(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtGdiRestoreDC(>)  7 
NtQuerySystemInformation(>)  20 

NtDuplicateToken(>)  1 
NtQueryInstallUILanguage(>)  2 
NtGdiSaveDC(>)  7 
NtUserCallOneParam(>)  20 

NtEnumerateValueKey(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtWaitForSingleObject(>)  21 

NtGdiCreatePaletteInternal(>)  1 
NtReadVirtualMemory(>)  2 
NtOpenProcessToken(>)  7 
NtFlushInstructionCache(>)  23 

NtGdiInit(>)  1 
NtTerminateProcess(>)  2 
NtUserDestroyCursor(>)  7 
NtWriteFile(>)  23 

NtGdiQueryFontAssocInfo(>)  1 
NtUserWaitForInputIdle(>)  2 
NtUserSetCursorIconData(>)  7 
NtOpenProcessTokenEx(>)  24 

NtNotifyChangeKey(>)  1 
NtAddAtom(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenThreadTokenEx(>)  24 

NtOpenKeyedEvent(>)  1 
NtCreateSemaphore(>)  3 
NtQuerySection(>)  8 
NtOpenSection(>)  25 

NtOpenProcess(>)  1 
NtDuplicateObject(>)  3 
NtRequestWaitReplyPort(>)  8 
NtOpenFile(>)  30 

NtQueryInformationJobObject(>)  1 
NtFreeVirtualMemory(>)  3 
NtSetInformationThread(>)  8 
NtQueryAttributesFile(>)  31 

NtQueryObject(>)  1 
NtGdiHfontCreate(>)  3 
NtQueryDebugFilterState(>)  9 
NtQueryInformationToken(>)  31 

NtQuerySystemTime(>)  1 
NtOpenMutant(>)  3 
NtSetInformationFile(>)  9 
NtMapViewOfSection(>)  37 

NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtCreateEvent(>)  10 
NtReleaseMutant(>)  40 

NtResumeThread(>)  1 
NtFsControlFile(>)  4 
NtGdiCreateCompatibleDC(>)  10 
NtAllocateVirtualMemory(>)  41 

NtSecureConnectPort(>)  1 
NtOpenThreadToken(>)  4 
NtGdiExtGetObjectW(>)  10 
NtProtectVirtualMemory(>)  45 

NtTestAlert(>)  1 
NtSetValueKey(>)  4 
NtQueryDirectoryFile(>)  10 
NtUserUnregisterClass(>)  45 

NtUserCallNoParam(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  11 
NtQueryValueKey(>)  50 

NtUserEnumDisplayMonitors(>)  1 
NtUserRegisterWindowMessage(>)  5 
NtUserGetDC(>)  11 
NtGdiSelectBitmap(>)  57 

NtUserGetKeyboardLayoutList(>)  1 
NtCreateKey(>)  6 
NtUnmapViewOfSection(>)  12 
NtUserRegisterClassExWOW(>)  63 

NtUserGetThreadDesktop(>)  1 
NtQueryDefaultUILanguage(>)  6 
NtQueryDefaultLocale(>)  13 
NtUserGetClassInfo(>)  64 

NtUserSetWindowsHookEx(>)  1 
NtQueryVirtualMemory(>)  6 
NtQueryInformationFile(>)  13 
NtUserFindExistingCursorIcon(>)  72 

NtAccessCheck(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtUserSystemParametersInfo(>)  13 
NtOpenKey(>)  111 

NtCreateIoCompletion(>)  2 
NtSetInformationProcess(>)  6 
NtUserSelectPalette(>)  14 
NtClose(>)  164 


Trace:
 00001   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   464   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   464   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   464   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   464   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   464   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   464   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   464   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   464   NtClose  (12, ... ) == 0x0
 00014   464   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   464   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   464   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   464   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   464   NtClose  (16, ... ) == 0x0
 00021   464   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   464   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   464   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   464   NtClose  (16, ... ) == 0x0
 00026   464   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   464   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   464   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   464   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 460, 464, 1531, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 460, 464, 1531, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 460, 464, 1531, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   464   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   464   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   464   NtClose  (16, ... ) == 0x0
 00036   464   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   464   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   464   NtClose  (28, ... ) == 0x0
 00041   464   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   464   NtClose  (28, ... ) == 0x0
 00045   464   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   464   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   464   NtClose  (28, ... ) == 0x0
 00049   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   464   NtClose  (28, ... ) == 0x0
 00052   464   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 460, 464, 1532, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 460, 464, 1532, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 460, 464, 1532, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 128, ) == 0x0
 00057   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 128, ... (0x31509000), 8192, 4, ) == 0x0
 00058   464   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00059   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   464   NtClose  (28, ... ) == 0x0
 00062   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   464   NtClose  (28, ... ) == 0x0
 00065   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00066   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00067   464   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00068   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   464   NtClose  (28, ... ) == 0x0
 00071   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00072   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00073   464   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00074   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   464   NtClose  (28, ... ) == 0x0
 00077   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   464   NtClose  (28, ... ) == 0x0
 00080   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00081   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00082   464   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00083   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   464   NtClose  (28, ... ) == 0x0
 00086   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   464   NtClose  (28, ... ) == 0x0
 00089   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   464   NtClose  (28, ... ) == 0x0
 00092   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   464   NtClose  (28, ... ) == 0x0
 00095   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   464   NtClose  (28, ... ) == 0x0
 00098   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   464   NtClose  (28, ... ) == 0x0
 00101   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00102   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00103   464   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00104   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   464   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00106   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   464   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00109   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   464   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   464   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   464   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   464   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   464   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   464   NtClose  (40, ... ) == 0x0
 00118   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   464   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   464   NtClose  (40, ... ) == 0x0
 00122   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   464   NtClose  (36, ... ) == 0x0
 00124   464   NtClose  (28, ... ) == 0x0
 00125   464   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   464   NtClose  (32, ... ) == 0x0
 00127   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   464   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00131   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   464   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   464   NtClose  (32, ... ) == 0x0
 00135   464   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   464   NtClose  (28, ... ) == 0x0
 00137   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00138   464   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00139   464   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00140   464   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   464   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   464   NtClose  (28, ... ) == 0x0
 00143   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   464   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   464   NtClose  (28, ... ) == 0x0
 00146   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   464   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   464   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   464   NtClose  (28, ... ) == 0x0
 00150   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   464   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   464   NtClose  (28, ... ) == 0x0
 00153   464   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   464   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   464   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   464   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00158   464   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00159   464   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00160   464   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   464   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00162   464   NtClose  (32, ... ) == 0x0
 00163   464   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00164   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   464   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 460, 464, 1544, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 460, 464, 1544, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 460, 464, 1544, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00166   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   464   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0
 00168   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   464   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   464   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00171   464   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   464   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   464   NtClose  (-2147482020, ... ) == 0x0
 00174   464   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0
 00175   464   NtFreeVirtualMemory  (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0
 00176   464   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   464   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00178   464   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   464   NtClose  (-2147482020, ... ) == 0x0
 00180   464   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00181   464   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   464   NtClose  (-2147482020, ... ) == 0x0
 00183   464   NtQueryDefaultLocale  (0, -130643444, ... ) == 0x0
 00184   464   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   464   NtUserCallNoParam  (24, ... ) == 0x0
 00186   464   NtGdiCreateCompatibleDC  (0, ...
 00187   464   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0
 00186   464   NtGdiCreateCompatibleDC  ... ) == 0xe010448
 00188   464   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   464   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   464   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f
 00191   464   NtGdiCreateSolidBrush  (0, 0, ...
 00192   464   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00191   464   NtGdiCreateSolidBrush  ... ) == 0x8100452
 00193   464   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   464   NtGdiCreateCompatibleDC  (0, ... ) == 0x6010453
 00195   464   NtGdiSelectBitmap  (100729939, 184878159, ... ) == 0x185000f
 00196   464   NtUserGetThreadDesktop  (464, 0, ... ) == 0x2c
 00197   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   464   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   464   NtClose  (52, ... ) == 0x0
 00200   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00201   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00202   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00203   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00204   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00205   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00206   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00208   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00209   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00210   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00211   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00212   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00213   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00214   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00216   464   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00217   464   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00218   464   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00219   464   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00220   464   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00221   464   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00222   464   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00223   464   NtAllocateVirtualMemory  (-1, 5550080, 0, 4096, 4096, 32, ... 5550080, 4096, ) == 0x0
 00222   464   NtUserRegisterClassExWOW  ... ) == 0x810cc025
 00224   464   NtCallbackReturn  (0, 0, 0, ...
 00225   464   NtGdiInit  (... ) == 0x1
 00226   464   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00227   464   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00228   464   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   464   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   464   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00231   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00232   464   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   464   NtClose  (52, ... ) == 0x0
 00234   464   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00235   464   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00236   464   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00237   464   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00238   464   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00239   464   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00240   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00241   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00242   464   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00243   464   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00244   464   NtClose  (60, ... ) == 0x0
 00245   464   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00246   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00247   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00248   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00249   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00250   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00251   464   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   464   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   464   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   464   NtClose  (60, ... ) == 0x0
 00255   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00256   464   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   464   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   464   NtClose  (60, ... ) == 0x0
 00259   464   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   464   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00261   464   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   464   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   464   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   464   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00265   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00266   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00267   464   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   464   NtClose  (60, ... ) == 0x0
 00269   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00270   464   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00271   464   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00272   464   NtQueryDefaultUILanguage  (1241768, ...
 00273   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00274   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00275   464   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00276   464   NtClose  (-2147482020, ... ) == 0x0
 00277   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00278   464   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   464   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00280   464   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   464   NtClose  (-2147482032, ... ) == 0x0
 00282   464   NtClose  (-2147482020, ... ) == 0x0
 00272   464   NtQueryDefaultUILanguage  ... ) == 0x0
 00283   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   464   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00285   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   464   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00287   464   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0
 00288   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   464   NtQueryDefaultUILanguage  (2013024600, ...
 00290   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00291   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00292   464   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00293   464   NtClose  (-2147482020, ... ) == 0x0
 00294   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00295   464   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   464   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00297   464   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   464   NtClose  (-2147482032, ... ) == 0x0
 00299   464   NtClose  (-2147482020, ... ) == 0x0
 00289   464   NtQueryDefaultUILanguage  ... ) == 0x0
 00300   464   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00301   464   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00302   464   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00303   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   464   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 460, 464, 1545, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 460, 464, 1545, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 460, 464, 1545, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00305   464   NtClose  (68, ... ) == 0x0
 00306   464   NtClose  (72, ... ) == 0x0
 00307   464   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00308   464   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00309   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   464   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00318   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00319   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00321   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00322   464   NtClose  (68, ... ) == 0x0
 00323   464   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00324   464   NtClose  (76, ... ) == 0x0
 00325   464   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00326   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00327   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00328   464   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00329   464   NtClose  (76, ... ) == 0x0
 00330   464   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00331   464   NtClose  (68, ... ) == 0x0
 00332   464   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   464   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   464   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   464   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   464   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   464   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   464   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00339   464   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00340   464   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00341   464   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00342   464   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00343   464   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00344   464   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00345   464   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00346   464   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00347   464   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00348   464   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00349   464   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00350   464   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00351   464   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00352   464   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00353   464   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 00354   464   NtQueryDefaultUILanguage  (1238836, ...
 00355   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00357   464   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   464   NtClose  (-2147482020, ... ) == 0x0
 00359   464   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00360   464   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   464   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00362   464   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   464   NtClose  (-2147482032, ... ) == 0x0
 00364   464   NtClose  (-2147482020, ... ) == 0x0
 00354   464   NtQueryDefaultUILanguage  ... ) == 0x0
 00365   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0
 00367   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00368   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00369   464   NtClose  (68, ... ) == 0x0
 00370   464   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0
 00371   464   NtClose  (76, ... ) == 0x0
 00372   464   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00373   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0
 00374   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238028,  (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00375   464   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00376   464   NtClose  (76, ... ) == 0x0
 00377   464   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0
 00378   464   NtClose  (68, ... ) == 0x0
 00379   464   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00380   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00381   464   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00382   464   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0
 00383   464   NtQueryInformationFile  (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00384   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   464   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 460, 464, 1546, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 460, 464, 1546, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 460, 464, 1546, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ) == 0x0
 00386   464   NtClose  (68, ... ) == 0x0
 00387   464   NtClose  (76, ... ) == 0x0
 00388   464   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00389   464   NtUnmapViewOfSection  (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00390   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00391   464   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00392   464   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00393   464   NtUserGetDC  (0, ... ) == 0x1010051
 00394   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00395   464   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00396   464   NtUserSystemParametersInfo  (66, 12, 1240140, 0, ... ) == 0x1
 00397   464   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00398   464   NtAccessCheck  (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00399   464   NtClose  (76, ... ) == 0x0
 00400   464   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00401   464   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   464   NtClose  (76, ... ) == 0x0
 00403   464   NtUserSystemParametersInfo  (41, 500, 1239640, 0, ... ) == 0x1
 00404   464   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00405   464   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   464   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00407   464   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   464   NtClose  (68, ... ) == 0x0
 00409   464   NtClose  (76, ... ) == 0x0
 00410   464   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00411   464   NtUserSystemParametersInfo  (4130, 0, 1240164, 0, ... ) == 0x1
 00412   464   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00413   464   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00414   464   NtClose  (76, ... ) == 0x0
 00415   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00416   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc03b
 00417   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc03d
 00418   464   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00419   464   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc03f
 00420   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00421   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc041
 00422   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00423   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc043
 00424   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc045
 00425   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00426   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc047
 00427   464   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00428   464   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc049
 00429   464   NtUserGetClassInfo  (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049
 00430   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00431   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04b
 00432   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00433   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04d
 00434   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00435   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04f
 00436   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc051
 00437   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00438   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc053
 00439   464   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00440   464   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc055
 00441   464   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc057
 00442   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00443   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc059
 00444   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10013
 00445   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05b
 00446   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00447   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05d
 00448   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00449   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05f
 00450   464   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00451   464   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc017
 00452   464   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00453   464   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc019
 00454   464   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10013
 00455   464   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc018
 00456   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00457   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc01a
 00458   464   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00459   464   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc01c
 00460   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00461   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc01e
 00462   464   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00463   464   NtUserRegisterClassExWOW  (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810cc01b
 00464   464   NtUserFindExistingCursorIcon  (1239440, 1239456, 1240024, ... ) == 0x10011
 00465   464   NtUserRegisterClassExWOW  (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810cc068
 00466   464   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00467   464   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc06a
 00468   464   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00469   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00470   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00471   464   NtTestAlert  (... ) == 0x0
 00472   464   NtContinue  (1244464, 1, ...
 00473   464   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3150b000,}, 4, ... ) == 0x0
 00474   464   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 00475   464   NtQueryValueKey  (68,  (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00476   464   NtClose  (68, ... ) == 0x0
 00477   464   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00478   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0
 00479   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00480   464   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 460, 464, 1547, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 460, 464, 1547, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 460, 464, 1547, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00481   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0
 00482   464   NtClose  (80, ... ) == 0x0
 00483   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00484   464   NtClose  (-2147482020, ... ) == 0x0
 00483   464   NtCreateFile  ... 80, {status=0x0, info=3}, ) == 0x0
 00485   464   NtSetInformationFile  (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00486   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\333\1\325\0\224[\205\0\222[\212\0i\244\205\0.[\205\0\226[\205\0\326[\237\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226Y\205\0,K\205\16\211\357\214\315\267\343\204L[z\25\220\3023\354s\266+\367o\361)\344m\2666\360s\342{\347e\266)\360n\266.\353d\363)\245W\3775\2662\233Q\2417\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0\226[\205\0", ) , ) == 0x0
 00487   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00488   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\232\244\225\377\202\244)\3\317\32\302U"\220\223Y[Z\330\364\225\23\352<\261R\236^\332\26\320o\344"\265\11\240G\271\260\373F\216\230\6Djli\10_\361\3\32\265(\374\37\357\302\22a\236b\352\371*?\367\367;\16\322\350-\310V=\16PO\7\301\252\227\3310/\372\313iUz\326\242\355\227\31\304\241\272\320E\275\202epu\246s\3773\363{\326Rn`\20A\346\337n^\244O\271jzw\304\356\273}\251n\356^\247\312\303[\374\350\204\351\16\7\5\246\376%\2123A"\237Gk\222v\3\324\27\256\3\311\220\216\315\351\25.\227C\332\362r\235\223\204\243\372CR\277\225Ir]\355O\303\363k<\223\216\234cZS\177\202no\3526\267\200\325df\3\2736\205\337\344\31\321\272\2l\343\5M\310\305\227x\320\206\365\367\360\234\277Q\240\326P\230`D1\207"\227\252\204\21\25\12I\234\223\265\6\33Z\235\205g\277\215U0?p\31S\270A\305W\323Ul\1\243oQ\220\14\201II\203^\250\314\262I\245_C\375I@\257\277\11\343>\367\251\271\326PE\264\230\17\345\24R\331\322\24eM\330\3\352\343\351\301\376\373\203E&\346H\316>\372\275\203\356\3\3500\326s]\21x\21\335f\312\355\25\34^{\333\24i\244\17\326&\371\323\37\6K\230\313\327c\324l \177\372\212O\267\10Mz\250\325\33\325\355#\274\324xmy~\354\314\263\253\277\243\344\316P\16\11.\200\360\2\224C\341\233\32\363\14B\316U\323\2042\275\26\q\34\207%\326\11\300\3\315\356\355\376\211]\241\360\321=\306\273\235\33\321y o\204\262\20315\17"\215\237BWK07\272\240\271i\327w\22\345\360!\275\213\333\32\300\334JT\13\266t\342\217\252\327\37R _zYY", ) \220\223Y[Z\330\364\225\23\352<\261R\236^\332\26\320o\344 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\232\244\225\377\202\244)\3\317\32\302U"\220\223Y[Z\330\364\225\23\352<\261R\236^\332\26\320o\344"\265\11\240G\271\260\373F\216\230\6Djli\10_\361\3\32\265(\374\37\357\302\22a\236b\352\371*?\367\367;\16\322\350-\310V=\16PO\7\301\252\227\3310/\372\313iUz\326\242\355\227\31\304\241\272\320E\275\202epu\246s\3773\363{\326Rn`\20A\346\337n^\244O\271jzw\304\356\273}\251n\356^\247\312\303[\374\350\204\351\16\7\5\246\376%\2123A"\237Gk\222v\3\324\27\256\3\311\220\216\315\351\25.\227C\332\362r\235\223\204\243\372CR\277\225Ir]\355O\303\363k<\223\216\234cZS\177\202no\3526\267\200\325df\3\2736\205\337\344\31\321\272\2l\343\5M\310\305\227x\320\206\365\367\360\234\277Q\240\326P\230`D1\207"\227\252\204\21\25\12I\234\223\265\6\33Z\235\205g\277\215U0?p\31S\270A\305W\323Ul\1\243oQ\220\14\201II\203^\250\314\262I\245_C\375I@\257\277\11\343>\367\251\271\326PE\264\230\17\345\24R\331\322\24eM\330\3\352\343\351\301\376\373\203E&\346H\316>\372\275\203\356\3\3500\326s]\21x\21\335f\312\355\25\34^{\333\24i\244\17\326&\371\323\37\6K\230\313\327c\324l \177\372\212O\267\10Mz\250\325\33\325\355#\274\324xmy~\354\314\263\253\277\243\344\316P\16\11.\200\360\2\224C\341\233\32\363\14B\316U\323\2042\275\26\q\34\207%\326\11\300\3\315\356\355\376\211]\241\360\321=\306\273\235\33\321y o\204\262\20315\17"\215\237BWK07\272\240\271i\327w\22\345\360!\275\213\333\32\300\334JT\13\266t\342\217\252\327\37R _zYY", ) \237Gk\222v\3\324\27\256\3\311\220\216\315\351\25.\227C\332\362r\235\223\204\243\372CR\277\225Ir]\355O\303\363k<\223\216\234cZS\177\202no\3526\267\200\325df\3\2736\205\337\344\31\321\272\2l\343\5M\310\305\227x\320\206\365\367\360\234\277Q\240\326P\230`D1\207 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\232\244\225\377\202\244)\3\317\32\302U"\220\223Y[Z\330\364\225\23\352<\261R\236^\332\26\320o\344"\265\11\240G\271\260\373F\216\230\6Djli\10_\361\3\32\265(\374\37\357\302\22a\236b\352\371*?\367\367;\16\322\350-\310V=\16PO\7\301\252\227\3310/\372\313iUz\326\242\355\227\31\304\241\272\320E\275\202epu\246s\3773\363{\326Rn`\20A\346\337n^\244O\271jzw\304\356\273}\251n\356^\247\312\303[\374\350\204\351\16\7\5\246\376%\2123A"\237Gk\222v\3\324\27\256\3\311\220\216\315\351\25.\227C\332\362r\235\223\204\243\372CR\277\225Ir]\355O\303\363k<\223\216\234cZS\177\202no\3526\267\200\325df\3\2736\205\337\344\31\321\272\2l\343\5M\310\305\227x\320\206\365\367\360\234\277Q\240\326P\230`D1\207"\227\252\204\21\25\12I\234\223\265\6\33Z\235\205g\277\215U0?p\31S\270A\305W\323Ul\1\243oQ\220\14\201II\203^\250\314\262I\245_C\375I@\257\277\11\343>\367\251\271\326PE\264\230\17\345\24R\331\322\24eM\330\3\352\343\351\301\376\373\203E&\346H\316>\372\275\203\356\3\3500\326s]\21x\21\335f\312\355\25\34^{\333\24i\244\17\326&\371\323\37\6K\230\313\327c\324l \177\372\212O\267\10Mz\250\325\33\325\355#\274\324xmy~\354\314\263\253\277\243\344\316P\16\11.\200\360\2\224C\341\233\32\363\14B\316U\323\2042\275\26\q\34\207%\326\11\300\3\315\356\355\376\211]\241\360\321=\306\273\235\33\321y o\204\262\20315\17"\215\237BWK07\272\240\271i\327w\22\345\360!\275\213\333\32\300\334JT\13\266t\342\217\252\327\37R _zYY", ) \215\237BWK07\272\240\271i\327w\22\345\360!\275\213\333\32\300\334JT\13\266t\342\217\252\327\37R _zYY", ) == 0x0
 00489   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\14\377\20\377\24\377\254\3YAGU\264\313\26Y\315\1]\364\3Ho<'\11\33^LMUory0\116\34<\260m\35\13\230\220\37\357l\377S\332\361\225A0(jDj\302\204:\33b|\242\257?a\254\276\16D\263\250\310\300f\213P\331\D\252\1\202\265/l\220\354U\354\215'\355\1BA\241,\213\300\275\24>\365u0(z3e SR\370;\225Ap\204\353^2\24\312U\0y\350\22\262\213\7\223\375{%\34h\304"\11\34\356\222\340XQ\278XL\220\30\226l\25\270\314\306\332d)\30\223\22\370\177C\304\344\20I\344\6hOU\250\356<\5\325\31c\314\10\372\202\3704o6!\333Pd\360X>6\23\204a\31G\341\207lu^\310\310S\314\375\320\20\256r\360\12\344\324\240@\13\35`\322j\2"\1\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\373350\22\262\213\7\223\375{%\34h\304 (80, 0, 0, 0, "\14\377\20\377\24\377\254\3YAGU\264\313\26Y\315\1]\364\3Ho<'\11\33^LMUory0\116\34<\260m\35\13\230\220\37\357l\377S\332\361\225A0(jDj\302\204:\33b|\242\257?a\254\276\16D\263\250\310\300f\213P\331\D\252\1\202\265/l\220\354U\354\215'\355\1BA\241,\213\300\275\24>\365u0(z3e SR\370;\225Ap\204\353^2\24\312U\0y\350\22\262\213\7\223\375{%\34h\304"\11\34\356\222\340XQ\278XL\220\30\226l\25\270\314\306\332d)\30\223\22\370\177C\304\344\20I\344\6hOU\250\356<\5\325\31c\314\10\372\202\3704o6!\333Pd\360X>6\23\204a\31G\341\207lu^\310\310S\314\375\320\20\256r\360\12\344\324\240@\13\35`\322j\2"\1\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\3731\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\373227\345fz8\213MAE\334\334\17\216\266\342\271\12\252AD\327 \311!\334Y", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00490   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\3358\321P\272\334\351#\364O\263d\366\351\231\262\321\244l\376\221\367\310\244)\211t\346\376\246\31\272\220\377|\243\23\240\20\5#\306\202\331x\235\177\23\305\30\2442WG\25\230\340v9<\37\207\361"\13\274\34\24\254E+\35\335\274\232\25\23\344@\371q\4\246i\264;(\34\34\215:F/\274\366\320\340\266\230\303\310/]J\14\201\371O\321?n\222\35\261\363\320DCm\23s\365\270\246O\200\14\330C\377\10\270\21\3230\340\367c\33`\203\222\13\26\20\305XUP\231\227\252\367?\263"\230\356\270\347\317\335\217r~=x\2Zr\14\346\232:\344\320:\351s\21\10\362\313\266D\321r\343>\204.\225jW\212\322\177\375\253\306M\301\20\224l\240.b\0\362;\247\222\17H\325\37\215_t\244\222\272\226S\10u\231\320\371\10\221jE\212\230`\317\374\343\346p\13K\325\331\12dG\213\366U\204\32I\343\252\224\177M\1|\27\326\177\213\1\257\243\373\335\274f\256hR`\58\261\232\322jN\240G2\220?{\270a\354^_9\322T\11\367P\17G\34q\4\341i\204\3727\356r\362\333\34\3\346\224\34\5\217l\352Ez\302;\362\216\26\216\324\233\15\257\3\237\200q\204\274\313\227\241s\6j\354\205O\207C\236uz\352s\366\340@\245\227}\223\272\200s\204\277\32}\271\230|\315\273s\212\372A\24l\216\31@\222q\20\360\360G$d\4\31\370\277\213\251\350\201\200\251\^\2M\365\6\321\331Z2\17d\21\225zv\344\225\301\221\245\267r\235,\210\17)\222\206\\37\00b\204\301\34Z\5\373\224)\217~\221_%\332x\203\367\2\220(\232\23\345K\201A'\32\221e\23~K\262#\215\312_\365d\211\5i\374\336\350a\250Z\327", ) \13\274\34\24\254E+\35\335\274\232\25\23\344@\371q\4\246i\264;(\34\34\215:F/\274\366\320\340\266\230\303\310/]J\14\201\371O\321?n\222\35\261\363\320DCm\23s\365\270\246O\200\14\330C\377\10\270\21\3230\340\367c\33`\203\222\13\26\20\305XUP\231\227\252\367?\263 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\3358\321P\272\334\351#\364O\263d\366\351\231\262\321\244l\376\221\367\310\244)\211t\346\376\246\31\272\220\377|\243\23\240\20\5#\306\202\331x\235\177\23\305\30\2442WG\25\230\340v9<\37\207\361"\13\274\34\24\254E+\35\335\274\232\25\23\344@\371q\4\246i\264;(\34\34\215:F/\274\366\320\340\266\230\303\310/]J\14\201\371O\321?n\222\35\261\363\320DCm\23s\365\270\246O\200\14\330C\377\10\270\21\3230\340\367c\33`\203\222\13\26\20\305XUP\231\227\252\367?\263"\230\356\270\347\317\335\217r~=x\2Zr\14\346\232:\344\320:\351s\21\10\362\313\266D\321r\343>\204.\225jW\212\322\177\375\253\306M\301\20\224l\240.b\0\362;\247\222\17H\325\37\215_t\244\222\272\226S\10u\231\320\371\10\221jE\212\230`\317\374\343\346p\13K\325\331\12dG\213\366U\204\32I\343\252\224\177M\1|\27\326\177\213\1\257\243\373\335\274f\256hR`\58\261\232\322jN\240G2\220?{\270a\354^_9\322T\11\367P\17G\34q\4\341i\204\3727\356r\362\333\34\3\346\224\34\5\217l\352Ez\302;\362\216\26\216\324\233\15\257\3\237\200q\204\274\313\227\241s\6j\354\205O\207C\236uz\352s\366\340@\245\227}\223\272\200s\204\277\32}\271\230|\315\273s\212\372A\24l\216\31@\222q\20\360\360G$d\4\31\370\277\213\251\350\201\200\251\^\2M\365\6\321\331Z2\17d\21\225zv\344\225\301\221\245\267r\235,\210\17)\222\206\\37\00b\204\301\34Z\5\373\224)\217~\221_%\332x\203\367\2\220(\232\23\345K\201A'\32\221e\23~K\262#\215\312_\365d\211\5i\374\336\350a\250Z\327", ) , ) == 0x0
 00491   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "KcTP,\207l#b\246d`\262\34\262\214j!lh\312r\3102r\14tp\245#\31,\313z|5H%\20\223xC\202O#\30\177\205\236\235\244\244\14\302\25\16\273\3639\252D\2\361\264P9\34\202\367\300+\213\2069\232\203Ha@o*\201\246\377\357\276(\212G\10:\320t9\366F\2733\230U\223\252]\334W\4\371\331\212\272n\4F4\363F\37\306m\205(p\2700\24\5\14N\30z\10.JV0v\254\346\33\366\330\27\13\200K@X\303\13\34\227<\254\272\263\264\303k\270q\224X\217\344%\270x\224\1\367\14p\301\277\344Fals\207Sw\313 \37True\1.\31\322\212D$x\253P\26D\20\27%.\364[w;1\311\212HCD\10_\342\377\27\272\0\10\215u\17\213|\10\71\300\212\16;J\374u\275\365\13\335\216\\12\362\34\16\366\303\337\237Iu\361\21\177\333Z\371\27@$\16\19\370~\335*=+h\304;\2008'\301Wj\330\373\3022\6d\376\270\367\267\333_\257\211\321\11a\13\212G\212*\201\341\377\337\1777x)w\333\212Xc\224\212^\12l|\36\377\302\255\251\13\26\30\217\36\159X\32\200\347\3379\313\1\372\366\6\374\267\0O\21\30\33u\354\261\366\366v\33 \227\353\310?\200\345\337:\32\353\342\35|[\340\366\212l\32\221l\30B\305\222\347Ku\360\321\177\341\4\217\243:\213?\263\4\200?\7\333\2\333\256\203\321O\1\267\17\362J\20z\340\277\20\301\7\3762r\13w\15\17\277\311\3\\211[\265<\307\377\321\216\216]\373_\2509\1\301\212\1\200\373\2r\12~\7\4\240\332\356\330r\2\6s\37\23s\20\4A\261A\24e\205%\316\262\265\326O_c?\14\5\377\247[\350\367\363\337\327", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00492   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\36\321\10\225\250\363}\367Z\276\15\263\347qE0\217\7\26&\26\234\207\212\31-\16\316\22a\342\10\36_\334,7\371\307?\21\371*\352\262\252\361c\304\177\2074H\301tU\236\11\260\210\32\36\311t\203b\221\214\34WRm\207\252\7\6\307Qx\200\247\367\230\13\341O\26\212\303\240\265\266`\335\222Q\323-\260\201\263=DirjBx\324\7\363\214\272Y\226\204\24A"\232\22P}\26\26 \260\266\346\302/\26\277f\320\226\26\315\361\20\25\31\355Y\326h\242{\33^\221!\5\275F\302\260\25\207\377\360\372Y4\360\374\357KK\211\245\364\203Q\275\364F\221\207\5\375S\225\326\273\202A\337\222q\352\0\255\13\2712\236*\275/\272,\271\207\32G\2678\252c\271b\304\357\24181#5\235\204\274\276w\315U\21\36J\242\1\341\227N\301\233\236!\244\340\2241\203,S8$7,\234\323\272`\231\225\360\307\326\355A7AS\310ra~\4\240\7\27Xf\260\231\306\335\271k\234\373\225\35\245\222\204p.A\321\17\1\267\235!|\373=\1]\357F^\251\343\360\230\273Z\256\271\303\245\245\335\261\24q\26o\255\300\376\341\15\250`\362\24]\353\274Jy\243U\230'\26H&\216`\2\373\14\326\241B\317O\7\37g\20&\272\330\25\236G\363)\320y\304\364\325\321\227\20\375\313\205\16b\1\352\21nZ\313`\374\253)U\270\371\27\0\26_\201(\10\313"\1\201[q\202\363\37\216'\225N!\111\263\35l1\1\244\363\374\256\203\360\243\362m\234z\210\204\32\226\254\305\370\12\10\362~\2437\323a~$\225\37\212\276\237\270D\243\320\351\306T\233pb\224\253\311\203\237\301fa\234\207 '\262\11\303&\262bh\260\253\16\325\357 \210\232\233Bw\340vXs\233\215\215\260", ) \232\22P}\26\26 \260\266\346\302/\26\277f\320\226\26\315\361\20\25\31\355Y\326h\242{\33^\221!\5\275F\302\260\25\207\377\360\372Y4\360\374\357KK\211\245\364\203Q\275\364F\221\207\5\375S\225\326\273\202A\337\222q\352\0\255\13\2712\236*\275/\272,\271\207\32G\2678\252c\271b\304\357\24181#5\235\204\274\276w\315U\21\36J\242\1\341\227N\301\233\236!\244\340\2241\203,S8$7,\234\323\272`\231\225\360\307\326\355A7AS\310ra~\4\240\7\27Xf\260\231\306\335\271k\234\373\225\35\245\222\204p.A\321\17\1\267\235!|\373=\1]\357F^\251\343\360\230\273Z\256\271\303\245\245\335\261\24q\26o\255\300\376\341\15\250`\362\24]\353\274Jy\243U\230'\26H&\216`\2\373\14\326\241B\317O\7\37g\20&\272\330\25\236G\363)\320y\304\364\325\321\227\20\375\313\205\16b\1\352\21nZ\313`\374\253)U\270\371\27\0\26_\201(\10\313 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\36\321\10\225\250\363}\367Z\276\15\263\347qE0\217\7\26&\26\234\207\212\31-\16\316\22a\342\10\36_\334,7\371\307?\21\371*\352\262\252\361c\304\177\2074H\301tU\236\11\260\210\32\36\311t\203b\221\214\34WRm\207\252\7\6\307Qx\200\247\367\230\13\341O\26\212\303\240\265\266`\335\222Q\323-\260\201\263=DirjBx\324\7\363\214\272Y\226\204\24A"\232\22P}\26\26 \260\266\346\302/\26\277f\320\226\26\315\361\20\25\31\355Y\326h\242{\33^\221!\5\275F\302\260\25\207\377\360\372Y4\360\374\357KK\211\245\364\203Q\275\364F\221\207\5\375S\225\326\273\202A\337\222q\352\0\255\13\2712\236*\275/\272,\271\207\32G\2678\252c\271b\304\357\24181#5\235\204\274\276w\315U\21\36J\242\1\341\227N\301\233\236!\244\340\2241\203,S8$7,\234\323\272`\231\225\360\307\326\355A7AS\310ra~\4\240\7\27Xf\260\231\306\335\271k\234\373\225\35\245\222\204p.A\321\17\1\267\235!|\373=\1]\357F^\251\343\360\230\273Z\256\271\303\245\245\335\261\24q\26o\255\300\376\341\15\250`\362\24]\353\274Jy\243U\230'\26H&\216`\2\373\14\326\241B\317O\7\37g\20&\272\330\25\236G\363)\320y\304\364\325\321\227\20\375\313\205\16b\1\352\21nZ\313`\374\253)U\270\371\27\0\26_\201(\10\313"\1\201[q\202\363\37\216'\225N!\111\263\35l1\1\244\363\374\256\203\360\243\362m\234z\210\204\32\226\254\305\370\12\10\362~\2437\323a~$\225\37\212\276\237\270D\243\320\351\306T\233pb\224\253\311\203\237\301fa\234\207 '\262\11\303&\262bh\260\253\16\325\357 \210\232\233Bw\340vXs\233\215\215\260", ) , ) == 0x0
 00493   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\210\212\215\225>\250\370\367\314\345\210\263q*\3000\31\\223&\200\307\2\212\217v\213\316\204:g\10\210\4Y,\241\242B?\207\242\257\352$\361tcR$\24\336\232\361U\10R5\210\214ELt\259\24\214\212\14\327m\21\361\202\6Q\12\375\2001\254\35\13w\24\223\212U\3730\266\366\206\27QEv5\201%f\301i\3441\307xB\v\214,\2\23\204\202\32\247\232\204\13\370\26\200{5\266p\231\252\26)=U\226\200\226t\20\203BhY@3'{\215\5\24!\223\346\303\302&N\2\377f\241\3344f\247jK\335\322 \364\25\128\364\320\312\2\5k\10\20\326-\331\304\337\4*o\0;P<2\10q8/,w<\207\214\3428<8A\364C\212\22\20k\220\0\16\364Zo\21\370\1N`j\360\254U.\242\222\0\200\4\4(\236\220\247\1\27\0\364\202eD\13'\3\25\244\11\247\350\230l\247Z!\363j\365\6\3605\251\350\234\354\323\1\32\0\367@\370\234Sw~5lVa\350\177\20\37\34\345\32\270\322\370U\351P\17\36p\364\317.\311\25\304Df\367\307\2 \261M\267\11U}7b\376\353.\16C\264\245\210\14\300\307wv-\335s\15\326\10\260", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) A\364C\212\22\20k\220\0\16\364Zo\21\370\1N`j\360\254U.\242\222\0\200\4\4(\236\220\247\1\27\0\364\202eD\13'\3\25\244\11\247\350\230l\247Z!\363j\365\6\3605\251\350\234\354\323\1\32\0\367@\370\234Sw~5lVa\350\177\20\37\34\345\32\270\322\370U\351P\17\36p\364\317.\311\25\304Df\367\307\2 \261M\267\11U}7b\376\353.\16C\264\245\210\14\300\307wv-\335s\15\326\10\260", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00494   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\36l\377w\263\322\335&\341\215\10p\216Y\262v\240\234\217\211\212\222\12\331\336\254\227\13\266S\323\233\204\16\376\263W6\210\346\355\233\270KM\327\357\34J\207\255\7,\365?\25\36Y\201\307\313[;o@E\270\250\346a\343\37\232M\234\214[\257\230\374\334\11\3006<\361\205U\311\320/\247D\313L_\342\230\7@%D\322C\263 4\350'7\378}x\353\5&\6\223{V6\210P\344F\226^$\6i\353\253\352?\370\21\200\365\356\206/\214F\236\375\242\25J\230i\303="wl\362\356b\252\0\177\177\300\326\342\211|\227b\1\231\237\345\363\264\2048\311F\232\22Qq\301%\324\300\237\10\276\237\343\22\344\17w\224!;\323\333\360>\302-\261J\226s\25\265\302\230E\250\267\255o\4\254)\2202<:pp\2333$j\366\16\351\360\31\360LH\306ks\236\344\24Ud&V\31\214\2455\27o\22\2000\33\26\257o\31\373i]a\235\227\260z\270{\235U\331*0\352\317\301\224,\201\206\364h\361\226\305>\22\201\25*;\314\0\203\13a%\206\264`8\346\36ad]Y[\27\260\325\213#\333\235u\205\366\322\221j\2650\305\302\322o\270@\225\353\224\333\33\375\207r\203!w\14r\260\245]\1\327\204\343\324\320\357hP\376\314\14\317\274w\22v8\207\322\6\277\367P\370\273\211\362\223^^\1\214\2737\17\21\306]\12Z`\3612h\333\334\12\17\273\262SN \264w0J9*\157\14\261b$\211\226\305'\323\242UU\235\13\336)\322\32t\252O\240\252\0\367\201\200]\336\262g\222\223\314\277\270\304\11\177\33&p\257\337%`P(\235\2\327\310\275\360\276\341\345\330\227\20\306s\225d\275\263\233\262\16\350\27\253bn&\350\215\301\251%\332\317\206\312O\234", ) wl\362\356b\252\0\177\177\300\326\342\211|\227b\1\231\237\345\363\264\2048\311F\232\22Qq\301%\324\300\237\10\276\237\343\22\344\17w\224!;\323\333\360>\302-\261J\226s\25\265\302\230E\250\267\255o\4\254)\2202<:pp\2333$j\366\16\351\360\31\360LH\306ks\236\344\24Ud&V\31\214\2455\27o\22\2000\33\26\257o\31\373i]a\235\227\260z\270{\235U\331*0\352\317\301\224,\201\206\364h\361\226\305>\22\201\25*;\314\0\203\13a%\206\264`8\346\36ad]Y[\27\260\325\213#\333\235u\205\366\322\221j\2650\305\302\322o\270@\225\353\224\333\33\375\207r\203!w\14r\260\245]\1\327\204\343\324\320\357hP\376\314\14\317\274w\22v8\207\322\6\277\367P\370\273\211\362\223^^\1\214\2737\17\21\306]\12Z`\3612h\333\334\12\17\273\262SN \264w0J9*\157\14\261b$\211\226\305'\323\242UU\235\13\336)\322\32t\252O\240\252\0\367\201\200]\336\262g\222\223\314\277\270\304\11\177\33&p\257\337%`P(\235\2\327\310\275\360\276\341\345\330\227\20\306s\225d\275\263\233\262\16\350\27\253bn&\350\215\301\251%\332\317\206\312O\234", ) == 0x0
 00495   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00496   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\129\16\373\6L\213\322m\200?\332\360\244\223-\222`nJ\375\301M\331\317\264\256U\342\3\262\22\225\23L\225\233\177\240\21\342\214\271M9\317\5N\14\324\340\377\22\7\375\21r|\13\252@&\33\267\23J\361%\240\34l>\2449\341\300\20Gu\25\225=\215\204;phu/\16\204\245\310\237\241\1\242\26\362\253\23\302V\31\225b\320q\375u\310\323\4\350f\324\212s\311V\360\303\265\223\3373\201\265\6\230\236\3\200\272tL\301K\33\2120\353r\5${\237\3\334\6p\356\24\345\4x\202c\373\23\303}>v\324\367$'\341?\321\317\304]34P?\225S\35F|J\256\260\234\310\323p\237\304\214m\263\330\235UW\24\231Q\272\220gvF\322\247\306\325hl\1MS\307\205\25\231\257e\3004\272\200\266\244\226\211\222\235\305,\2271W\265\226X\240@\5iT6\214w\343\210\222\212\215\370\330o\376~\351\333\321=\206\253b\237`\323\210\35\273\36\361\371\232APq4\246h\246\242\213\373\4\371\260\203\205D&\207\300\307n\23F\275_\226\353\303\234Ye\275F\233\14\342\26\250\27\206p\276\2\221\331G\263\350K\231\344\11\236\37\273^pO\15\240T\330\20\342F\330\0\247M1\205O\343\350a^{\5\342h\322e\366*\367\306\36\14[\276i\342B\14s\367@u\14\306F\201\311\244\333\311\302\255k\5\350\212{\2220\246x$}\236\350\212\210\222l\357$\371P\3268\201\322\3258\230\373\352\240\260K\0\311\353^\227"g\2157\20\217\24\201\306\27f9\335\216\207\264\36\227\342F\35\34\333\226\30\262\200\331\311\364G\251_;\245,\200\274\330C\374`\200\237-<]\220P\205\367A\263", ) g\2157\20\217\24\201\306\27f9\335\216\207\264\36\227\342F\35\34\333\226\30\262\200\331\311\364G\251_;\245,\200\274\330C\374`\200\237-<]\220P\205\367A\263", ) == 0x0
 00497   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\234b\213\373\220\27\16\322\373\333\272\332f\377\26-\4;\353Jk\232\310\331Y\357+UtX7\22\3H\311\225\15$%\21t\3272bd\300\206\34\360\25\3f\10\204\255+\355u\271U\1\245^\304$\14Mw\253\205\231\323\31\39Uqk.M\323\222\263\343\324\34(LVf\2300\223Ih\4\265\220\303\33\3\26\341\361LW\20\236\212\246\260\367\5\262 \32\3J]\365\356\202\276\201x\248~\23U&\273vB\254\241'wdT\317R\6\2664\306d\20S\213\35\371J8\353\31\310E+\32\304\3266\330\13\16\322\24\17\12?\220\252\37\330;S$\250\256\2W\15\345\306\227\300\372P\321C\30\216\x#\375e\342v\320\211"\306C3\351\1\333\10B\205\203\302*eVo?\200 \377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22"\361\326\262\20\31O\4\306\201=\274\335\30\3341\36\1\271\303\35\212\200\23\30$\333\\311b\34,_\255\376\251\200*\203\306\374\366\333\32-\252\6\25P\23\254\304\263", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \306C3\351\1\333\10B\205\203\302*eVo?\200 \377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22 (80, 0, 0, 0, "\234b\213\373\220\27\16\322\373\333\272\332f\377\26-\4;\353Jk\232\310\331Y\357+UtX7\22\3H\311\225\15$%\21t\3272bd\300\206\34\360\25\3f\10\204\255+\355u\271U\1\245^\304$\14Mw\253\205\231\323\31\39Uqk.M\323\222\263\343\324\34(LVf\2300\223Ih\4\265\220\303\33\3\26\341\361LW\20\236\212\246\260\367\5\262 \32\3J]\365\356\202\276\201x\248~\23U&\273vB\254\241'wdT\317R\6\2664\306d\20S\213\35\371J8\353\31\310E+\32\304\3266\330\13\16\322\24\17\12?\220\252\37\330;S$\250\256\2W\15\345\306\227\300\372P\321C\30\216\x#\375e\342v\320\211"\306C3\351\1\333\10B\205\203\302*eVo?\200 \377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22"\361\326\262\20\31O\4\306\201=\274\335\30\3341\36\1\271\303\35\212\200\23\30$\333\\311b\34,_\255\376\251\200*\203\306\374\366\333\32-\252\6\25P\23\254\304\263", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00498   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "6\345Tm\356\22\305J\343\205\332rm\26%\342"\13\365\14m\313fA\31\273\35~<\23/\236\272\373\241\243\341Y\250@\316\35\301H-B\20{\321B~\230\220\225\322!\336\213$\212u2\247:\177\317P\255n\24p\350\272dh\330\264\17\371\212\227_\320\266@\2\230\26\2076\360\321\5\206\375U?\325\15\351*q\210\372\200\22\205#$\326\370\3703\33\350\230\277-\361\303/\337\324\260\36[b\36\265]\361\26k?g\335\243\231\304D\345E\206F+Xo\236\225&\351H\10|\361t\370\6\351q\323\35\30~\304U\232\205J\363j]\336k\216\262\227>*(OO\22cUMu\36|PI\270\240\7U|bmL9\35\347\276\237\6\321\234D\333\246\265Sl\365\275\223QI\301\22\214\324\310#\26\10\221\22\325Z\357\220\361g?\223\271\226V~\205\256\25A\325S\345\14\342@\250\3779\331\352\272\264I\4C\222\321\325G\270\230\230\4\177\260\364\17.\243\271\344\6\22}\370\325_\205r\263\334}\370V\270\310\310n\243\367\271\223\336ae\375tQw\232\321\241\263u\244y\304\327\232\365<\2\200\16|\326\237\245E\312\277\243$\257\360\245\321dC\213\35\352l\36\212\305\3458\232\260\274\344\275\313\217\263\224j\311\63\277\216\2\247w\231\25)\377\7\260T\367\361v\6\26\200\203\366\25\302:B\10U\24O\315\323\261\362e\213~k\356\2\247Z\27'\4h\2071\305\230\211 \3544\205O'\231'\242\364\313\245N\300\253\274\330\362s\375\0\32;\3Q\6\233\242\30\365k\367-\220)\3154\225'\200BW\264\2072\344\372eH\36q\261\310(\337\7\1r\304\206\314v\13\7\344\337Y\267y\223\330\360\5\246`\4\3049\361\235\10\276u7\21\236^\247W\344z\242\231", ) \13\365\14m\313fA\31\273\35~<\23/\236\272\373\241\243\341Y\250@\316\35\301H-B\20{\321B~\230\220\225\322!\336\213$\212u2\247:\177\317P\255n\24p\350\272dh\330\264\17\371\212\227_\320\266@\2\230\26\2076\360\321\5\206\375U?\325\15\351*q\210\372\200\22\205#$\326\370\3703\33\350\230\277-\361\303/\337\324\260\36[b\36\265]\361\26k?g\335\243\231\304D\345E\206F+Xo\236\225&\351H\10|\361t\370\6\351q\323\35\30~\304U\232\205J\363j]\336k\216\262\227>*(OO\22cUMu\36|PI\270\240\7U|bmL9\35\347\276\237\6\321\234D\333\246\265Sl\365\275\223QI\301\22\214\324\310#\26\10\221\22\325Z\357\220\361g?\223\271\226V~\205\256\25A\325S\345\14\342@\250\3779\331\352\272\264I\4C\222\321\325G\270\230\230\4\177\260\364\17.\243\271\344\6\22}\370\325_\205r\263\334}\370V\270\310\310n\243\367\271\223\336ae\375tQw\232\321\241\263u\244y\304\327\232\365<\2\200\16|\326\237\245E\312\277\243$\257\360\245\321dC\213\35\352l\36\212\305\3458\232\260\274\344\275\313\217\263\224j\311\63\277\216\2\247w\231\25)\377\7\260T\367\361v\6\26\200\203\366\25\302:B\10U\24O\315\323\261\362e\213~k\356\2\247Z\27'\4h\2071\305\230\211 \3544\205O'\231'\242\364\313\245N\300\253\274\330\362s\375\0\32;\3Q\6\233\242\30\365k\367-\220)\3154\225'\200BW\264\2072\344\372eH\36q\261\310(\337\7\1r\304\206\314v\13\7\344\337Y\267y\223\330\360\5\246`\4\3049\361\235\10\276u7\21\236^\247W\344z\242\231", ) == 0x0
 00499   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\240\276\321mxI@Ju\336_r\373M\240\342\264Pp\14\373\220\343A\217\340\230~\252H\252\236,\240$\243w\2-@XFDH\273\31\225{G\31\373\230\6\316W!H\320\241\212\343i":\351\224\325\255\370O\365\350,?\355\330"T|\212\1\4U\266\326Y\35\26\21mu\321\223\335xU\251\216\210\351\274*\15\372\26I\0#\262\215}\370\245@m\230)vt\303\271\204Q\260\210\0\347\36#\6t\26\375d\342\3355\302ADs\36\3F\275\3\352\236\3}lH\236'ttn]lqEF\235~R\16\37\205\334\250\357]H0\13\262\1e\257(\331\24\227c\303\26\360\36\352\13\314\2706\\320|\3646\3119\213\274;\237\220\212\31DM\3750S\372\2568\223\307\22D\22\32\217M#\200S\24\22C\1j\220g<\272\223/\315\323~\23\365\220AC\10`\14t\33-\377\257\202o\272"\22\201C\4\212PG.\303\35\4\351\353q\17\270\370<\344\220I\370\370C\4\0r%\207\370\370\300\343M\310\370\370r\271\5\205\344ek/\324w\14\212$\263\343\377\374\304A\301p<\224\333\213|@\304 E\\344&$9\253 \321\362\30\16\35|7\233\212SG\2608\14\3539\344+\220\12\263\21L\6\245\344\13\21,\34\25\277\244\202\260\302\254tv\220M\5\203\210m\220\302\254\31\215U\202\24H\323'\251\340\213\3500k\21\1\222'\2223\21S\303\14 zo\0O\261\302\242\242b\220 NV\3609\330d(x\0\214`\206Q\220\300'\30c0r-\6rH4\3|\5B\301\357\22r\241\340H\210*4\310\276\204\202\1\344\237\3\314\340P\202\344I\22y\5\203u\50;\201\304\257\252\30\10(.\262\21\10\5"Wr!'\231", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) :\351\224\325\255\370O\365\350,?\355\330 (80, 0, 0, 0, "\240\276\321mxI@Ju\336_r\373M\240\342\264Pp\14\373\220\343A\217\340\230~\252H\252\236,\240$\243w\2-@XFDH\273\31\225{G\31\373\230\6\316W!H\320\241\212\343i":\351\224\325\255\370O\365\350,?\355\330"T|\212\1\4U\266\326Y\35\26\21mu\321\223\335xU\251\216\210\351\274*\15\372\26I\0#\262\215}\370\245@m\230)vt\303\271\204Q\260\210\0\347\36#\6t\26\375d\342\3355\302ADs\36\3F\275\3\352\236\3}lH\236'ttn]lqEF\235~R\16\37\205\334\250\357]H0\13\262\1e\257(\331\24\227c\303\26\360\36\352\13\314\2706\\320|\3646\3119\213\274;\237\220\212\31DM\3750S\372\2568\223\307\22D\22\32\217M#\200S\24\22C\1j\220g<\272\223/\315\323~\23\365\220AC\10`\14t\33-\377\257\202o\272"\22\201C\4\212PG.\303\35\4\351\353q\17\270\370<\344\220I\370\370C\4\0r%\207\370\370\300\343M\310\370\370r\271\5\205\344ek/\324w\14\212$\263\343\377\374\304A\301p<\224\333\213|@\304 E\\344&$9\253 \321\362\30\16\35|7\233\212SG\2608\14\3539\344+\220\12\263\21L\6\245\344\13\21,\34\25\277\244\202\260\302\254tv\220M\5\203\210m\220\302\254\31\215U\202\24H\323'\251\340\213\3500k\21\1\222'\2223\21S\303\14 zo\0O\261\302\242\242b\220 NV\3609\330d(x\0\214`\206Q\220\300'\30c0r-\6rH4\3|\5B\301\357\22r\241\340H\210*4\310\276\204\202\1\344\237\3\314\340P\202\344I\22y\5\203u\50;\201\304\257\252\30\10(.\262\21\10\5"Wr!'\231", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \22\201C\4\212PG.\303\35\4\351\353q\17\270\370<\344\220I\370\370C\4\0r%\207\370\370\300\343M\310\370\370r\271\5\205\344ek/\324w\14\212$\263\343\377\374\304A\301p<\224\333\213|@\304 E\\344&$9\253 \321\362\30\16\35|7\233\212SG\2608\14\3539\344+\220\12\263\21L\6\245\344\13\21,\34\25\277\244\202\260\302\254tv\220M\5\203\210m\220\302\254\31\215U\202\24H\323'\251\340\213\3500k\21\1\222'\2223\21S\303\14 zo\0O\261\302\242\242b\220 NV\3609\330d(x\0\214`\206Q\220\300'\30c0r-\6rH4\3|\5B\301\357\22r\241\340H\210*4\310\276\204\202\1\344\237\3\314\340P\202\344I\22y\5\203u\50;\201\304\257\252\30\10(.\262\21\10\5 (80, 0, 0, 0, "\240\276\321mxI@Ju\336_r\373M\240\342\264Pp\14\373\220\343A\217\340\230~\252H\252\236,\240$\243w\2-@XFDH\273\31\225{G\31\373\230\6\316W!H\320\241\212\343i":\351\224\325\255\370O\365\350,?\355\330"T|\212\1\4U\266\326Y\35\26\21mu\321\223\335xU\251\216\210\351\274*\15\372\26I\0#\262\215}\370\245@m\230)vt\303\271\204Q\260\210\0\347\36#\6t\26\375d\342\3355\302ADs\36\3F\275\3\352\236\3}lH\236'ttn]lqEF\235~R\16\37\205\334\250\357]H0\13\262\1e\257(\331\24\227c\303\26\360\36\352\13\314\2706\\320|\3646\3119\213\274;\237\220\212\31DM\3750S\372\2568\223\307\22D\22\32\217M#\200S\24\22C\1j\220g<\272\223/\315\323~\23\365\220AC\10`\14t\33-\377\257\202o\272"\22\201C\4\212PG.\303\35\4\351\353q\17\270\370<\344\220I\370\370C\4\0r%\207\370\370\300\343M\310\370\370r\271\5\205\344ek/\324w\14\212$\263\343\377\374\304A\301p<\224\333\213|@\304 E\\344&$9\253 \321\362\30\16\35|7\233\212SG\2608\14\3539\344+\220\12\263\21L\6\245\344\13\21,\34\25\277\244\202\260\302\254tv\220M\5\203\210m\220\302\254\31\215U\202\24H\323'\251\340\213\3500k\21\1\222'\2223\21S\303\14 zo\0O\261\302\242\242b\220 NV\3609\330d(x\0\214`\206Q\220\300'\30c0r-\6rH4\3|\5B\301\357\22r\241\340H\210*4\310\276\204\202\1\344\237\3\314\340P\202\344I\22y\5\203u\50;\201\304\257\252\30\10(.\262\21\10\5"Wr!'\231", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00500   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\267\207E[a\300\2057\36\366m\15\205h\220\313\4\207\255\233\313'\212\15*\327\5D\301\320Sa\36\10u\06\327\326\15\261J\200\200\356\202nC\234\3212\20\267\220\314\272n\15\364\240<7\3013\324})\14\352\30U\205&\14\232\215\305Z<\1\325\313%\342\222y\371\35VU\345\31\24\5\251\332\203\271h\0\356S\257\57Rt:\210UR|"\370\212\224\200\35U\271\273>\270\202a\34\321\215\200\322\230 \240{\324\5\5A\215u4\334\27\247i\322\14\234\206\221\2\3026\274\207\212\366[%"\321\357\342\307\273\2\201\364t\350)\241VZ\200\221V\17{!\374H\377|\256`\375\4\324\252\350C\272\244\206\24\255\15\215|]\16\251\211\374\4\2325\3010\252\223A\260\201\26\301=\364\351z\217\362\223\240}-\221\256\325-\216X\22\350\333J\364\211N\2U\4\33\26}=\322\253\1\346\37\377\215\313<\261\276\1\265\3231\10\200\232F\224\354\207\314(6\230\7\17\236\337M\15\177n\237\266\202\267]F\7&l\24\355K=\0\261_P\17i\364\5\217\226\227\310H\343V\320\210\353d\301Y\256\260\270\276\304\237\215\0\347\372\271\353\260\363\217ZSw\24\365\237\273X\207\23_\25*\2341\207V\355\360-\20\243\12{\200\26\203\350u\321\234\337d$w\336\300\10^\211\14\206\2207,]K\221\24\216C\245,]\351\251 \262\177\255(\260\333]\262\272wR\361\365`\220\305\35\317\205\253\305T'Y\302K:\210\0\33\270K\35Yp\250~\212\206\245\340[\210\201\3541\265j\274\321\222\303u\330D\10\336N\311"\225[\32\34\27\222\11[\225f\220\344<1:\272\351C\361F\273N&(\14\20\321P\342\30\273\304\340\350\3306\32\26\220\275\306\23\361\373\341\371\242\24\333\371\306<", ) \370\212\224\200\35U\271\273>\270\202a\34\321\215\200\322\230 \240{\324\5\5A\215u4\334\27\247i\322\14\234\206\221\2\3026\274\207\212\366[% (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\267\207E[a\300\2057\36\366m\15\205h\220\313\4\207\255\233\313'\212\15*\327\5D\301\320Sa\36\10u\06\327\326\15\261J\200\200\356\202nC\234\3212\20\267\220\314\272n\15\364\240<7\3013\324})\14\352\30U\205&\14\232\215\305Z<\1\325\313%\342\222y\371\35VU\345\31\24\5\251\332\203\271h\0\356S\257\57Rt:\210UR|"\370\212\224\200\35U\271\273>\270\202a\34\321\215\200\322\230 \240{\324\5\5A\215u4\334\27\247i\322\14\234\206\221\2\3026\274\207\212\366[%"\321\357\342\307\273\2\201\364t\350)\241VZ\200\221V\17{!\374H\377|\256`\375\4\324\252\350C\272\244\206\24\255\15\215|]\16\251\211\374\4\2325\3010\252\223A\260\201\26\301=\364\351z\217\362\223\240}-\221\256\325-\216X\22\350\333J\364\211N\2U\4\33\26}=\322\253\1\346\37\377\215\313<\261\276\1\265\3231\10\200\232F\224\354\207\314(6\230\7\17\236\337M\15\177n\237\266\202\267]F\7&l\24\355K=\0\261_P\17i\364\5\217\226\227\310H\343V\320\210\353d\301Y\256\260\270\276\304\237\215\0\347\372\271\353\260\363\217ZSw\24\365\237\273X\207\23_\25*\2341\207V\355\360-\20\243\12{\200\26\203\350u\321\234\337d$w\336\300\10^\211\14\206\2207,]K\221\24\216C\245,]\351\251 \262\177\255(\260\333]\262\272wR\361\365`\220\305\35\317\205\253\305T'Y\302K:\210\0\33\270K\35Yp\250~\212\206\245\340[\210\201\3541\265j\274\321\222\303u\330D\10\336N\311"\225[\32\34\27\222\11[\225f\220\344<1:\272\351C\361F\273N&(\14\20\321P\342\30\273\304\340\350\3306\32\26\220\275\306\23\361\373\341\371\242\24\333\371\306<", ) \225[\32\34\27\222\11[\225f\220\344<1:\272\351C\361F\273N&(\14\20\321P\342\30\273\304\340\350\3306\32\26\220\275\306\23\361\373\341\371\242\24\333\371\306<", ) == 0x0
 00501   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "!\334\300[\367\233\07\210\255\350\15\233\25\313\222\334(\233]|\17\15\274\214\200DW\213\326a\210S\360\0\240\214S\15'\21\5\200x\331\353C\12\212\267\20!\313I\272\370Vq\240\252lD3B&\254\14|C\320\205\260W\37\215S\1\271\1C\220\240\342\4"|\35\300\16`\31\202^,\332\25\342\355\0x\10*\5\241\11\361:\36\16\327|\264\243\17\224\26F\320\271-e=\202\367GT\215\26\211\35 6 Q\5\223\32\10u\242\207\222\247\377\211\211\234\20\312\207\302\240\347\2\212`\0\240"G\264g\307-Y\4\364\342\263\254\241\300\1\5\221\300T\376!j\23z|8;x\4B\361mC,\377\3\24;V\10|\313U,\211j\7\261\232\243\232\265\252\5\325\201\200\232\270\364\177!\12\362\5\373\370-\7\365P-\30\3\227\350M\21q\211\330Y\320\4\215M\370=D\360\204\346\211\244\10\313\252\352;\1#\210\264\10\26\301\303\224z\334I(\240\303\202\17\10\204\310\15\3515\32\266\24\354\330F\221}\351\24{\20\270\0'\4\325\17\377\257\200\217\0\314MHu\15U\210}?DY8\353=\276R\304\10\0q\241<\353&\250\12Z\305,\221\365\11\340\335\207\205\4\220*\12j\2V{\253\250\205Q\376\200\200\330muG\307Zd\262,[\300\236\5\14\14\20\313\262,\313\20\24\24\30\30 ,\313\262, $$((&\200\330\262,,\327\361c;\25\305\213\224\0\253S\17\242YT\20\277\210\226@=K\213\2\365\250\350\321\3\245v\0\15\201zj0j*\212\27\303\343\203\301\10H\25L"\3\0\237\34\201\311\214[\3=\25\344\252j\277\272\177\30tF-\25\243(\232KTPtC>\304v\263]6\214M\25\275PHt\373w\242'\24M\242C<", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |\35\300\16`\31\202^,\332\25\342\355\0x\10*\5\241\11\361:\36\16\327|\264\243\17\224\26F\320\271-e=\202\367GT\215\26\211\35 6 Q\5\223\32\10u\242\207\222\247\377\211\211\234\20\312\207\302\240\347\2\212`\0\240 (80, 0, 0, 0, "!\334\300[\367\233\07\210\255\350\15\233\25\313\222\334(\233]|\17\15\274\214\200DW\213\326a\210S\360\0\240\214S\15'\21\5\200x\331\353C\12\212\267\20!\313I\272\370Vq\240\252lD3B&\254\14|C\320\205\260W\37\215S\1\271\1C\220\240\342\4"|\35\300\16`\31\202^,\332\25\342\355\0x\10*\5\241\11\361:\36\16\327|\264\243\17\224\26F\320\271-e=\202\367GT\215\26\211\35 6 Q\5\223\32\10u\242\207\222\247\377\211\211\234\20\312\207\302\240\347\2\212`\0\240"G\264g\307-Y\4\364\342\263\254\241\300\1\5\221\300T\376!j\23z|8;x\4B\361mC,\377\3\24;V\10|\313U,\211j\7\261\232\243\232\265\252\5\325\201\200\232\270\364\177!\12\362\5\373\370-\7\365P-\30\3\227\350M\21q\211\330Y\320\4\215M\370=D\360\204\346\211\244\10\313\252\352;\1#\210\264\10\26\301\303\224z\334I(\240\303\202\17\10\204\310\15\3515\32\266\24\354\330F\221}\351\24{\20\270\0'\4\325\17\377\257\200\217\0\314MHu\15U\210}?DY8\353=\276R\304\10\0q\241<\353&\250\12Z\305,\221\365\11\340\335\207\205\4\220*\12j\2V{\253\250\205Q\376\200\200\330muG\307Zd\262,[\300\236\5\14\14\20\313\262,\313\20\24\24\30\30 ,\313\262, $$((&\200\330\262,,\327\361c;\25\305\213\224\0\253S\17\242YT\20\277\210\226@=K\213\2\365\250\350\321\3\245v\0\15\201zj0j*\212\27\303\343\203\301\10H\25L"\3\0\237\34\201\311\214[\3=\25\344\252j\277\272\177\30tF-\25\243(\232KTPtC>\304v\263]6\214M\25\275PHt\373w\242'\24M\242C<", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \3\0\237\34\201\311\214[\3=\25\344\252j\277\272\177\30tF-\25\243(\232KTPtC>\304v\263]6\214M\25\275PHt\373w\242'\24M\242C<", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00502   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\266@lP\335G\321\301)\222\213\212I\273\277P\307J\245\240\12(R\216\327ko\20\31x\204p\14\17\375\322\245i\263X\12s\216|\212\270\3710\226\335\225\213\323\253\5f\225\252\5\0\272&X\214\223\364h\271\350\236\230\25\7i\202\344\227\11?\336<\207\275\344\6\303Y\236Y\206\4\234}\2029\223hE\276\7\347!\303H\3525h\265\2\340\3062W[\222\27\312\321\301M\225\235\254\264U\363\336\373^\16\221\226\371\245\206*\313\335\372\232\23\301\3\300bZW\261N\6\230\6\322\310^\236f!\354]\310\15\I\56!\37\234\302`\322\264\327\350\2\5a\26\206\200\245\1\221\226\221\0U%\353z\207|3\27.j\15K\327[\306~\341\205I\2^\224\21\37bYeY\272u\216\2D\31\321E\27\335\221\27\303\353i\10\226V\360$\200C\245\15\222\253qx\322\273?zW@ \0\310\351\2059\273\23\222!\27\253!\344\205\215\315\16v;\256\364\274V\316\22Q\365\257$\267~\222{\217Z\10\305\4D\320\332w\24\260\260\21O\276.\321\270\5\1\240\3\362\24I\333"h\37\21\341.p\7\375\367\5\205\255\371\214\252\236\223\316\225yY\217\254'\313'\5gf}\3339C\360\335\20\375\2\236JW\351\305\4\266\240\353\233U\261-=q\224\22\351\0s\262\3\34\277\237\222\17\211@\326\20\35G\230Y\303\210\266\266\343\370\36\355\303\3068\255\357\347H\267\227(L\\251K@S \210\334/d\330", ) h\37230\363=\4\204dVi\210\317\333\31\11\221M\316X\177\232\275+\15\375<\23n\7$X\215\13\236\177\216\23\210\236\362\32\217$\223CT\353C\355a\205#*\267L\263D9n\221\313\260\177w\25\216V$\213\342\362?\266Xdd\12\321\12\370\21\206\17>\21\341.p\7\375\367\5\205\255\371\214\252\236\223\316\225yY\217\254'\313'\5gf}\3339C\360\335\20\375\2\236JW\351\305\4\266\240\353\233U\261-=q\224\22\351\0s\262\3\34\277\237\222\17\211@\326\20\35G\230Y\303\210\266\266\343\370\36\355\303\3068\255\357\347H\267\227(L\\251K@S \210\334/d\330", ) == 0x0
 00503   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, " \33\351PK\34T\301\277\311\16\212\337\340:PQ\21 \240\234s\327\216A0\352\20\217#\1p\232Tx\322326X\234(\13|\34\343|0\0\206\20\213E\360\200f\3\361\200\0,}\335\214\5\257\355\271~\305\35\25\2212\7\344\1R\272\336\252\3348\344\220C\266Y\10\2\3\4\12&\79\53\300\276\221\274\244\303\336\261\260h#Ye\306\244\14\336\222\201\221T\301\333\316\30\254"\16v\336m\5\213\221\0\242 \206\274\220X\372\14HD\3V9\337W'\25\203\230\220\211M^\10=\244\354\313\223\210\\337^\263!\211\307G`D\357R\350\224^\344\26\20\333 \1\7\315\24\0\303~nz\21'\266\27\2701\210KA\0C~w\336\314\2\310\317\224\37\364\2\340Y,.\13\2\322BTE\201\206\24\27U\260\354\10\0\15u$\26\30 \15\4\360\364xD\340\272z\301\33\245\0^\262\09-H\27!\201\360\244\344\23\326H\16\340`+\364*\15K\22\307\256*$!%\27{\31\1\215\305\222\37U\332\341O5\260\207\24;.G\343\200\16Xw\24\337\200\247h\211g\325\206\307\303v=\222\337\341V\377\323J\333\217R\24MX\3\372\232+p\210\375\252H\353\7\262\3\10\13\10$\13\23\36\305w\32\31\177\26C\302\260\306\355\367\336\246*!\276D\2575\24\313&$\362\25\30\15\241\213t\251\272\266\316?\341\12GQ}\21\20T\273\21wu\365\7k\254\200\205;\242\11\252\10\310K\225\357\2\12\254\261\220\242\5\361=\370\333\257\30u\335\206\246\207\236\334\14l\305\222\355%\353\15\164-\253*\21\22\177[\366\262\225G:\237\4T\14@@K\230G\16\2F\210 \355f\370\210\266F\306\256\366j\347\336\354\22(\332\7,K\326\10\245\210Jt\341\330", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16v\336m\5\213\221\0\242 \206\274\220X\372\14HD\3V9\337W'\25\203\230\220\211M^\10=\244\354\313\223\210\\337^\263!\211\307G`D\357R\350\224^\344\26\20\333 \1\7\315\24\0\303~nz\21'\266\27\2701\210KA\0C~w\336\314\2\310\317\224\37\364\2\340Y,.\13\2\322BTE\201\206\24\27U\260\354\10\0\15u$\26\30 \15\4\360\364xD\340\272z\301\33\245\0^\262\09-H\27!\201\360\244\344\23\326H\16\340`+\364*\15K\22\307\256*$!%\27{\31\1\215\305\222\37U\332\341O5\260\207\24;.G\343\200\16Xw\24\337\200\247h\211g\325\206\307\303v=\222\337\341V\377\323J\333\217R\24MX\3\372\232+p\210\375\252H\353\7\262\3\10\13\10$\13\23\36\305w\32\31\177\26C\302\260\306\355\367\336\246*!\276D\2575\24\313&$\362\25\30\15\241\213t\251\272\266\316?\341\12GQ}\21\20T\273\21wu\365\7k\254\200\205;\242\11\252\10\310K\225\357\2\12\254\261\220\242\5\361=\370\333\257\30u\335\206\246\207\236\334\14l\305\222\355%\353\15\164-\253*\21\22\177[\366\262\225G:\237\4T\14@@K\230G\16\2F\210 \355f\370\210\266F\306\256\366j\347\336\354\22(\332\7,K\326\10\245\210Jt\341\330", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00504   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\233y\201\224\21S\321\340J\310}\353\220a\202UJ5\270m\225\272r:\224.\237kF=\266i$\311\375R\21\214\345\2673]\275\244\212LrR\213|\265A\312l\362\6\262y\337V\245H\226\302\316\356M\316\315\203=T\371\17k\210\325Ks\205Y[\31\370\264\233\355\371\215\321\332\333\274{\14\13\212\35\3156\326\234c>\26\200\303D\210\273\272\234\245{\243\210V\2Z\10\223\3\366\14\256\356n\235\37\355\224\211\310?\323\302\3217\301\37\230[\263\2032\260\307F\270\227\102\216W\263\1\376\315\1\354\26\326\0\220I\27\232JV\20\245-\212\15}"\335\207\236t\373\373\245b\317\315H\316\223O\221\30\216>\356\360\264(*\14\232.N\245\5W\235\2\202`\360\12\236\341S\261\25\326\332\24qM\14gj\345\33S\235RG"\15E\375|b\234\205\22\235\311uq\255I\2206^<\307\2\343b\205A\272\350\360*\275\337\266\340@\233\357\14\30\272\304=\326\2174\310]'\206\336w\314\25\261\212\37\240h\2=\206&\224\273\202\254\225335\207\236t\373\373\245b\317\315H\316\223O\221\30\216>\356\360\264(*\14\232.N\245\5W\235\2\202`\360\12\236\341S\261\25\326\332\24qM\14gj\345\33S\235RG27\+\260{\311H\235\36\216<\27 \362JA\204z\361\243D\323\24\223\208\376*\25\35B\223\21\20\371\3357\3730\30\371^\320\304\14\230@\217|\324YAv@\207\317\30\205S%P!\12\31,]\355\356!\202W\235\30\232(\32- C\250\273\336\13\215\15\26S\224K\216\0rZ\306\166\304\335\343\374:\26\340\7\206!\301G\177\274\267S\216{%\314\374\223\243\256b\204'\222 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\233y\201\224\21S\321\340J\310}\353\220a\202UJ5\270m\225\272r:\224.\237kF=\266i$\311\375R\21\214\345\2673]\275\244\212LrR\213|\265A\312l\362\6\262y\337V\245H\226\302\316\356M\316\315\203=T\371\17k\210\325Ks\205Y[\31\370\264\233\355\371\215\321\332\333\274{\14\13\212\35\3156\326\234c>\26\200\303D\210\273\272\234\245{\243\210V\2Z\10\223\3\366\14\256\356n\235\37\355\224\211\310?\323\302\3217\301\37\230[\263\2032\260\307F\270\227\102\216W\263\1\376\315\1\354\26\326\0\220I\27\232JV\20\245-\212\15}"\335\207\236t\373\373\245b\317\315H\316\223O\221\30\216>\356\360\264(*\14\232.N\245\5W\235\2\202`\360\12\236\341S\261\25\326\332\24qM\14gj\345\33S\235RG"\15E\375|b\234\205\22\235\311uq\255I\2206^<\307\2\343b\205A\272\350\360*\275\337\266\340@\233\357\14\30\272\304=\326\2174\310]'\206\336w\314\25\261\212\37\240h\2=\206&\224\273\202\254\225310]'\206\336w\314\25\261\212\37\240h\2=\206&\224\273\202\254\225217\222\357\23\372o$\3146$\220\334\377\307\351\1)\235:\0\363\177\331\270\5\360", ) == 0x0
 00505   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\15"\4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$"ZV3\23\23\302X\265\310\316[\330\270ToT\356\210C\20\366\205\317\0\234\370"\300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370"K\334\33tm\240 bY\226\315\316\5\24\24\30\30ek\360"s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27"\233\36x|\364\307\0\22\13\222\360q;\22\256\310gB\2u9\0A,\263u*+\2043\340\326\300j\14\216\341A=@\324\261<\370\200*\216d/=\230@ 2\17\217\370\16\333?E\275\300\304\3r\30;\306\31\336\200\333e(8\15\320Pd'k4d\33\214\264\223\330'\20\205\362\314\203\352\17\3763\207=\20}\21\273\24\367\20<\354\1\12\222yH\177o\262\227\263$\6\207z\307\177Z\254\235\254[v\177O\343\200\360", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$ (80, 0, 0, 0, "\15"\4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$"ZV3\23\23\302X\265\310\316[\330\270ToT\356\210C\20\366\205\317\0\234\370"\300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370"K\334\33tm\240 bY\226\315\316\5\24\24\30\30ek\360"s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27"\233\36x|\364\307\0\22\13\222\360q;\22\256\310gB\2u9\0A,\263u*+\2043\340\326\300j\14\216\341A=@\324\261<\370\200*\216d/=\230@ 2\17\217\370\16\333?E\275\300\304\3r\30;\306\31\336\200\333e(8\15\320Pd'k4d\33\214\264\223\330'\20\205\362\314\203\352\17\3763\207=\20}\21\273\24\367\20<\354\1\12\222yH\177o\262\227\263$\6\207z\307\177Z\254\235\254[v\177O\343\200\360", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370 (80, 0, 0, 0, "\15"\4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$"ZV3\23\23\302X\265\310\316[\330\270ToT\356\210C\20\366\205\317\0\234\370"\300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370"K\334\33tm\240 bY\226\315\316\5\24\24\30\30ek\360"s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27"\233\36x|\364\307\0\22\13\222\360q;\22\256\310gB\2u9\0A,\263u*+\2043\340\326\300j\14\216\341A=@\324\261<\370\200*\216d/=\230@ 2\17\217\370\16\333?E\275\300\304\3r\30;\306\31\336\200\333e(8\15\320Pd'k4d\33\214\264\223\330'\20\205\362\314\203\352\17\3763\207=\20}\21\273\24\367\20<\354\1\12\222yH\177o\262\227\263$\6\207z\307\177Z\254\235\254[v\177O\343\200\360", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27 (80, 0, 0, 0, "\15"\4\224\207\10T\340\334\223\370\353\6:\7U\334n=m\3\341\367:\2u\32k\320f3i\262\222xR\207\327`\267\245\68\244\34\27\367R\35'0A\7w\6$"ZV3\23\23\302X\265\310\316[\330\270ToT\356\210C\20\366\205\317\0\234\370"\300h\371\33\212_\333* \211\13\34FH6@\307\346>\200\333FD\36\340?\2343 &\210\300Y\337\10\5Xs\148\265\353\235\211\266\21\211^dV\302GlD\37\16\06\203\244\353BF.\314\2152\30\146\1h\226\204\354\200\215\205\220\337L\37J\300K -\34V\370"K\334\33tm\240 bY\226\315\316\5\24\24\30\30ek\360"s\257\14\14u\313\245\223\14\30\2\24;u\12\10\272\326\261\203\215_\24\347\26\211g\374G\260\33\305\306\327G\252d\353\27\312p5{_\23\30\36\30g\222 d\21\304\204\354\252&DEO\26\20\256\245\257\25\213\31\26\21\206\242X7mk\235\371\310\213A\14\16\33\12|B\2\304v\326\334J\30\23\10\240P\267Q\234,\313\266k!\24\14\30\30\14s\237-\266\30-\273HP\10\15\200\10\21K\30[\367ZPU\263\304K\270y:\200\273\202\206\267\232\302\177*\354\326\216\355~I\374\5\370+b\22|\27"\233\36x|\364\307\0\22\13\222\360q;\22\256\310gB\2u9\0A,\263u*+\2043\340\326\300j\14\216\341A=@\324\261<\370\200*\216d/=\230@ 2\17\217\370\16\333?E\275\300\304\3r\30;\306\31\336\200\333e(8\15\320Pd'k4d\33\214\264\223\330'\20\205\362\314\203\352\17\3763\207=\20}\21\273\24\367\20<\354\1\12\222yH\177o\262\227\263$\6\207z\307\177Z\254\235\254[v\177O\343\200\360", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00506   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "/0\247\240\227%\231V\10\22\371\313\34\346\12\246\273\334\343\342\343\343\323]\214\302\211\20pY\337f\237P\275\37$6"\12N$u\16\224\331d\306\366t}-A_P$<(\343\252\37\3322\37\260\30<\255\276#P\306\2008\315>\327\33\36\231&}\274\302Ha\262\10"}\304H\330\213f\31\34\303u=m\0\300\1Q\233!\276\17#\301\334\26?7\302\27\240\2\257\347L\322~\237\234\225\10}\210W\304\316KAT\240\267\366G\241"\37\323\21v\207~\223\320\207p\315u\24\311z\315\335\214\263\320\21\13j\257\15\1\37\265\256\336\342\210\254\232\344\337\205\226m\253\31U\206\312\251b\344\266\352\3\213y/\4\7F\16E\342`\mZ\20\32\11\21O9`d\300\261g\303\2527\263\233\346\346\233\255\360\3434\363\322y\367\267\231\321T\212]e\343\325\305\34(\352T\202\14EH\225\354\231\354L\22\245\203;\11\307\236\1\342X\216\240m69\255`\315\257/\210\7\13\14\5\236\214B\205\353S\343\201\UA!\224\345Cp*\311\227E'\13\302]c||E\305\347l`\372\260\262\35G\305\350\207Ac\371\211\356"\370-\257\3427$\256\233M`\7O\200\27\14\365\241\10=_t\54c7\370y\37\333\220M\327\207Q\243\246\372\320\355\360\200\201\37W\247\257\237\17\352\0+(\215+ac\222;X\373\325\310&\231t\31\232\252\225*\34\34\251\1\345W\4~\221\13q\303\360\312\214t\232=z\311\2765\253\337\222\260\225\211\306P\204\6\225\13\303\2256\305\212@\305\350\225\244\6\30\31\374\206\371\5\223}\306\221l\226\216\14\356\232L\324V\250\30\222\207\254K\26K\237\26\351%\323\256,\310\206\1N\6\206`8\311\12\35?\220\330\22\177;a&\210\275&(\3207", ) \12N$u\16\224\331d\306\366t}-A_P$<(\343\252\37\3322\37\260\30<\255\276#P\306\2008\315>\327\33\36\231&}\274\302Ha\262\10 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "/0\247\240\227%\231V\10\22\371\313\34\346\12\246\273\334\343\342\343\343\323]\214\302\211\20pY\337f\237P\275\37$6"\12N$u\16\224\331d\306\366t}-A_P$<(\343\252\37\3322\37\260\30<\255\276#P\306\2008\315>\327\33\36\231&}\274\302Ha\262\10"}\304H\330\213f\31\34\303u=m\0\300\1Q\233!\276\17#\301\334\26?7\302\27\240\2\257\347L\322~\237\234\225\10}\210W\304\316KAT\240\267\366G\241"\37\323\21v\207~\223\320\207p\315u\24\311z\315\335\214\263\320\21\13j\257\15\1\37\265\256\336\342\210\254\232\344\337\205\226m\253\31U\206\312\251b\344\266\352\3\213y/\4\7F\16E\342`\mZ\20\32\11\21O9`d\300\261g\303\2527\263\233\346\346\233\255\360\3434\363\322y\367\267\231\321T\212]e\343\325\305\34(\352T\202\14EH\225\354\231\354L\22\245\203;\11\307\236\1\342X\216\240m69\255`\315\257/\210\7\13\14\5\236\214B\205\353S\343\201\UA!\224\345Cp*\311\227E'\13\302]c||E\305\347l`\372\260\262\35G\305\350\207Ac\371\211\356"\370-\257\3427$\256\233M`\7O\200\27\14\365\241\10=_t\54c7\370y\37\333\220M\327\207Q\243\246\372\320\355\360\200\201\37W\247\257\237\17\352\0+(\215+ac\222;X\373\325\310&\231t\31\232\252\225*\34\34\251\1\345W\4~\221\13q\303\360\312\214t\232=z\311\2765\253\337\222\260\225\211\306P\204\6\225\13\303\2256\305\212@\305\350\225\244\6\30\31\374\206\371\5\223}\306\221l\226\216\14\356\232L\324V\250\30\222\207\254K\26K\237\26\351%\323\256,\310\206\1N\6\206`8\311\12\35?\220\330\22\177;a&\210\275&(\3207", ) \37\323\21v\207~\223\320\207p\315u\24\311z\315\335\214\263\320\21\13j\257\15\1\37\265\256\336\342\210\254\232\344\337\205\226m\253\31U\206\312\251b\344\266\352\3\213y/\4\7F\16E\342`\mZ\20\32\11\21O9`d\300\261g\303\2527\263\233\346\346\233\255\360\3434\363\322y\367\267\231\321T\212]e\343\325\305\34(\352T\202\14EH\225\354\231\354L\22\245\203;\11\307\236\1\342X\216\240m69\255`\315\257/\210\7\13\14\5\236\214B\205\353S\343\201\UA!\224\345Cp*\311\227E'\13\302]c||E\305\347l`\372\260\262\35G\305\350\207Ac\371\211\356 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "/0\247\240\227%\231V\10\22\371\313\34\346\12\246\273\334\343\342\343\343\323]\214\302\211\20pY\337f\237P\275\37$6"\12N$u\16\224\331d\306\366t}-A_P$<(\343\252\37\3322\37\260\30<\255\276#P\306\2008\315>\327\33\36\231&}\274\302Ha\262\10"}\304H\330\213f\31\34\303u=m\0\300\1Q\233!\276\17#\301\334\26?7\302\27\240\2\257\347L\322~\237\234\225\10}\210W\304\316KAT\240\267\366G\241"\37\323\21v\207~\223\320\207p\315u\24\311z\315\335\214\263\320\21\13j\257\15\1\37\265\256\336\342\210\254\232\344\337\205\226m\253\31U\206\312\251b\344\266\352\3\213y/\4\7F\16E\342`\mZ\20\32\11\21O9`d\300\261g\303\2527\263\233\346\346\233\255\360\3434\363\322y\367\267\231\321T\212]e\343\325\305\34(\352T\202\14EH\225\354\231\354L\22\245\203;\11\307\236\1\342X\216\240m69\255`\315\257/\210\7\13\14\5\236\214B\205\353S\343\201\UA!\224\345Cp*\311\227E'\13\302]c||E\305\347l`\372\260\262\35G\305\350\207Ac\371\211\356"\370-\257\3427$\256\233M`\7O\200\27\14\365\241\10=_t\54c7\370y\37\333\220M\327\207Q\243\246\372\320\355\360\200\201\37W\247\257\237\17\352\0+(\215+ac\222;X\373\325\310&\231t\31\232\252\225*\34\34\251\1\345W\4~\221\13q\303\360\312\214t\232=z\311\2765\253\337\222\260\225\211\306P\204\6\225\13\303\2256\305\212@\305\350\225\244\6\30\31\374\206\371\5\223}\306\221l\226\216\14\356\232L\324V\250\30\222\207\254K\26K\237\26\351%\323\256,\310\206\1N\6\206`8\311\12\35?\220\330\22\177;a&\210\275&(\3207", ) , ) == 0x0
 00507   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\271k"\240\1~\34V\236I|\313\212\275\217\246-\207f\342u\270V]\32\231\14\20\346\2Zf\11\138\37\262m\247\12\330\177\360\16\2\202\341\306`/\370-\327\4\325$\252sf\252\211\201\267\37&C\271\255(x\325\306\26cH>A@\233\231\260&9\302\336:7\10\264&AHN\320\343\31\212\230\360=\373[E\1\307\300\244\276\231xD\334\200d\262\302\201\373\207\257q\27W~\11\307\20\10\353\323\322\304X\20\304T6\354sG7y\232\323\207-\2~\5\213\2p[.\221\311\354\226X\214%\213\224\13\374\364\210\1\211\356+\336t\323)\232r\204\0\226\373\360\234U\20\221,br\355o\3\35"\252\4\221\35\213Et;\331m\314K\237\11\207\24\274`\362\2334gU\361\262\263\15\275c\233;\253f4e\211\374\367!\302TT\34\6\340\343C\236\231(|\17\7\14\323\23\20\354\17\267\311\223\330\276\11Q\305\204\342\316\325%m\240b(`[\364\252\210\221P\211\5\10\327\307\205}\10f\201\312\16\304!\2\276\306p\274\222\22E\261PG]\365'\371ES\274\351`l\3537\35\321\236m\207\3278|\211xy}-9\271\262$8\300\310`\221\24\5\27\232\256$\10\253\4\361\5\2428\262\370\357D^\220\333\214\2Q5\375\177\320{\253\5\201\211\14"\257\11To\0\275s\10+\3678\27;\316\240P\310\260\302\361\31\14\361\20*\212G,\1s\14\201~\7P\364\303f\221\11t\14f\377\311(n.\337\4\353\20\211P\13\1\6\3PF\225\240\236\17@S\263\20\244\220C\234\374\20\242\200\223\353\235\24l\0\325\211\356\14\27QV>C\27\207:\20\223K\11Ml%E\365\251\310\20Z\313\6\20;\275\311\234F\272\220NI\372;\367}\15\275\260sU7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240\1~\34V\236I|\313\212\275\217\246-\207f\342u\270V]\32\231\14\20\346\2Zf\11\138\37\262m\247\12\330\177\360\16\2\202\341\306`/\370-\327\4\325$\252sf\252\211\201\267\37&C\271\255(x\325\306\26cH>A@\233\231\260&9\302\336:7\10\264&AHN\320\343\31\212\230\360=\373[E\1\307\300\244\276\231xD\334\200d\262\302\201\373\207\257q\27W~\11\307\20\10\353\323\322\304X\20\304T6\354sG7y\232\323\207-\2~\5\213\2p[.\221\311\354\226X\214%\213\224\13\374\364\210\1\211\356+\336t\323)\232r\204\0\226\373\360\234U\20\221,br\355o\3\35 (80, 0, 0, 0, "\271k"\240\1~\34V\236I|\313\212\275\217\246-\207f\342u\270V]\32\231\14\20\346\2Zf\11\138\37\262m\247\12\330\177\360\16\2\202\341\306`/\370-\327\4\325$\252sf\252\211\201\267\37&C\271\255(x\325\306\26cH>A@\233\231\260&9\302\336:7\10\264&AHN\320\343\31\212\230\360=\373[E\1\307\300\244\276\231xD\334\200d\262\302\201\373\207\257q\27W~\11\307\20\10\353\323\322\304X\20\304T6\354sG7y\232\323\207-\2~\5\213\2p[.\221\311\354\226X\214%\213\224\13\374\364\210\1\211\356+\336t\323)\232r\204\0\226\373\360\234U\20\221,br\355o\3\35"\252\4\221\35\213Et;\331m\314K\237\11\207\24\274`\362\2334gU\361\262\263\15\275c\233;\253f4e\211\374\367!\302TT\34\6\340\343C\236\231(|\17\7\14\323\23\20\354\17\267\311\223\330\276\11Q\305\204\342\316\325%m\240b(`[\364\252\210\221P\211\5\10\327\307\205}\10f\201\312\16\304!\2\276\306p\274\222\22E\261PG]\365'\371ES\274\351`l\3537\35\321\236m\207\3278|\211xy}-9\271\262$8\300\310`\221\24\5\27\232\256$\10\253\4\361\5\2428\262\370\357D^\220\333\214\2Q5\375\177\320{\253\5\201\211\14"\257\11To\0\275s\10+\3678\27;\316\240P\310\260\302\361\31\14\361\20*\212G,\1s\14\201~\7P\364\303f\221\11t\14f\377\311(n.\337\4\353\20\211P\13\1\6\3PF\225\240\236\17@S\263\20\244\220C\234\374\20\242\200\223\353\235\24l\0\325\211\356\14\27QV>C\27\207:\20\223K\11Ml%E\365\251\310\20Z\313\6\20;\275\311\234F\272\220NI\372;\367}\15\275\260sU7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \257\11To\0\275s\10+\3678\27;\316\240P\310\260\302\361\31\14\361\20*\212G,\1s\14\201~\7P\364\303f\221\11t\14f\377\311(n.\337\4\353\20\211P\13\1\6\3PF\225\240\236\17@S\263\20\244\220C\234\374\20\242\200\223\353\235\24l\0\325\211\356\14\27QV>C\27\207:\20\223K\11Ml%E\365\251\310\20Z\313\6\20;\275\311\234F\272\220NI\372;\367}\15\275\260sU7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00508   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\367\370$S\266\24'\324\312\244n\315 \366x\245\255\235\221:b\321\243\200jp\373\4\3150\222\374\273.Y2r\342-A\320k\324\371L\352-NZ\5\326\212\340\352{\26[\327\336\37K\244\336\353\36\370\232\374\331F\306\215'y\365?m\177\6T\26]u`xz\15\20\376ZZ'\230a~\204\260\304(\325E-\242b\203\216K\207\273\3731\3531\30\254\221\357\216k}E\30o\207\365\4\12\201zX~\231\351\210\242\374\20M\362\32uC(#\22;T\336\211\237dNQ\344S\215\242\251\325\366G\l`\310p\214\273SGau\163\245\263\257\207\271|\243Z=\220.\247fa\35\203\236\207FY\314\204\17\200~\233X\305\212\320\317\253iP\30igM\314\20061u7?\377\233\225M\223\232@p\307\233}\20\353\262>\376\204\346Z\370O\272O:\32\202y\333\273\3751\330\371\12\350\341O\300X\202\15\10wA\342R\225\375\315\367_\273x\243Zup\326\376\3m\344xC\262\300\17D\203\276Y\300~_\5\344\231=\2000\246\272\216\276k\15\344\353\244\233/\213rX\370\10\357\251\252\324\212\347\7;\353W\276\4nI\366'\351\2652\377\26'\276\3\243)\240\306\322]\205O\356V{\7\204b\362\355\355@k\366}D\343\3073j\205a\310\344\27$B\355u\6\217{%\361f\15t\267\331\17\31\301|1\14\3\36\10\207\303\223U\245\300\327\222\247\5V\0\274\310\235\221\221alY2\373\357\\363\367N\330_\12{N\205[\360P\276zi\300}\360\222'\232\277\230\32\250!1\332_\263 \273\210sd\228l\12\352\200\15D,u\364I6u#\274Z\200\331\275\231\252p@\346\375\332\242\336q\240g\300\15u\215\342\252\360\362 s\365\233.\233\332", ) , ) == 0x0
 00509   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "a\243\241S O\242\324\\377\353\315\266\255\375\245;\306\24:\364\212&\200\374+~\4[k\27\374-u\3342\344\271\250AF0Q\371\332\261\250N\314^S\212v\261\376\26\315\214[\37\335\377[\353\210\243\37\37\242\202\303\306\33|\374\365\2516\372\6\302M\330u\366#\377\15\206\245\337Z\261\303\344~\22\353A(C\36\250\242\364\330\13K\21\340~1}j\235\254\7\264\13k\353\36\235o\21\256\201\12\27!\335~\17\262\15\242jK\310\362\214.\306(\265I\276TH\322\32d\330\12aS\33\371,\325`\34\331l\366\223\365\214-\10\302a\343U\266\245%\364\2\271\352\370\337=\6u"f\367F\6\236\21\35\334\314\22T\5~\15\3@\212F\224.i\306C\354g\333\227\56\247.\262?i\300\20M\5\301\305pQ\300\370\20}\351\273\376\22\275\337\370\331\341\312:\214\331\374\333-\246\264\330oQm\341\331\233\335\202\233S\362At\11\20\375[\254\332\273\356\370\337u\346\215{\3\373\277\375C$\233\212D\25\345\334\300\350\4\200\344\17f\500\341\13\276\375Va\3532\300\252\213\344\3}\10y\362/\324\34\274\202;}\14;\4\370\22s'\177\356\267\377\200|;\35r%\306D\6\0Ox\15\376\7\229w\355{\33\356\366\353\37f\307\2451\0a^\277\222$\324\266\360\6\31 \240\361\360V\361\267OT\234\301\352j\211\3\210S\2\303\5\16 \300A\311"\5\300[9\310\13\312\24a\372\2\267\373y\7v\367\330\203\332\12\355\25\0[f\13;z\377\233\370\360\4|\37\277\16A-!\247\201\332\263\266\340\15s\362I\275l\234\261\5\15\322w\360\364\337m\360#*\1\5\331+\302/p\326\275x\3324\205\364\240\361\233\210u\33\271/\360d{\366\365\15u\36\332", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367F\6\236\21\35\334\314\22T\5~\15\3@\212F\224.i\306C\354g\333\227\56\247.\262?i\300\20M\5\301\305pQ\300\370\20}\351\273\376\22\275\337\370\331\341\312:\214\331\374\333-\246\264\330oQm\341\331\233\335\202\233S\362At\11\20\375[\254\332\273\356\370\337u\346\215{\3\373\277\375C$\233\212D\25\345\334\300\350\4\200\344\17f\500\341\13\276\375Va\3532\300\252\213\344\3}\10y\362/\324\34\274\202;}\14;\4\370\22s'\177\356\267\377\200|;\35r%\306D\6\0Ox\15\376\7\229w\355{\33\356\366\353\37f\307\2451\0a^\277\222$\324\266\360\6\31 \240\361\360V\361\267OT\234\301\352j\211\3\210S\2\303\5\16 \300A\311 (80, 0, 0, 0, "a\243\241S O\242\324\\377\353\315\266\255\375\245;\306\24:\364\212&\200\374+~\4[k\27\374-u\3342\344\271\250AF0Q\371\332\261\250N\314^S\212v\261\376\26\315\214[\37\335\377[\353\210\243\37\37\242\202\303\306\33|\374\365\2516\372\6\302M\330u\366#\377\15\206\245\337Z\261\303\344~\22\353A(C\36\250\242\364\330\13K\21\340~1}j\235\254\7\264\13k\353\36\235o\21\256\201\12\27!\335~\17\262\15\242jK\310\362\214.\306(\265I\276TH\322\32d\330\12aS\33\371,\325`\34\331l\366\223\365\214-\10\302a\343U\266\245%\364\2\271\352\370\337=\6u"f\367F\6\236\21\35\334\314\22T\5~\15\3@\212F\224.i\306C\354g\333\227\56\247.\262?i\300\20M\5\301\305pQ\300\370\20}\351\273\376\22\275\337\370\331\341\312:\214\331\374\333-\246\264\330oQm\341\331\233\335\202\233S\362At\11\20\375[\254\332\273\356\370\337u\346\215{\3\373\277\375C$\233\212D\25\345\334\300\350\4\200\344\17f\500\341\13\276\375Va\3532\300\252\213\344\3}\10y\362/\324\34\274\202;}\14;\4\370\22s'\177\356\267\377\200|;\35r%\306D\6\0Ox\15\376\7\229w\355{\33\356\366\353\37f\307\2451\0a^\277\222$\324\266\360\6\31 \240\361\360V\361\267OT\234\301\352j\211\3\210S\2\303\5\16 \300A\311"\5\300[9\310\13\312\24a\372\2\267\373y\7v\367\330\203\332\12\355\25\0[f\13;z\377\233\370\360\4|\37\277\16A-!\247\201\332\263\266\340\15s\362I\275l\234\261\5\15\322w\360\364\337m\360#*\1\5\331+\302/p\326\275x\3324\205\364\240\361\233\210u\33\271/\360d{\366\365\15u\36\332", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00510   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "F@\0\320m\320\267\1\222l\177\233\3447\313\3\334\37\320{\255d\356\315\341\5\224@&\342(X-Z\373\5\277\253\263\330\217\343\301d}\315\217\213\344\15\245\242\222\376\267\27\373\330\15\355\255\224x)\13}\221D\273[\367A,so\242\307\336K\213$\214\204\255\204\363Q4\22\243(T\346\260\211n\305@\276\373\343\3366\200\366\326Q\221\265f\326\255\310\6\14\30\220Y\277},r\4\306\242\332c<\233)\2054\246D0z\246\361\7V\332\243\14;\316\230*\242\201\210=G\168\222}R-\226$\26b\206\371\213\212\204\334\32\254~_\303-\212 \256\255\345j\222\202\204\373P\24\355\13\303\11\360\37\356O\261\233\212_\241d\237\353\326w\340\200Dd\225\321&\354\264y\315\21\222\266e\206\245\6m\356\225\236\14\365\35F\325]\376\243\313\353\307\251\366\217x,\266p!\353\5\3\340`\234w\255`\346\2064\261\344n\37^\221\14\340\265\15\15`w\361V\344\336\217\307\223UfAw\36\225\17IN\242~;\361\335u1\12\377[\235\25\274\245)B\213\0\26T\255D\206Sm\341\330\277\215\158\336\201E&\0\336tM\321{\320\35\261\4\345\226\245\206\14\27\231\\334MO\210\201tUC9\322\~\242, ) , ) == 0x0
 00511   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\320\33\205\320\373\2132\1\47\372\233rlN\3JDU{;?k\315w^\21@\260\271\255X\273\1~\5)\3606\330\31\270Dd\353\226\12\213rV \242\4\2452\27m\203\210\355;\317\375)\235&\24D-\0rA\272(\352\242Q\205\316\213\262\327\1\255\22\250\3244\204\370\255Tp\353\14nS\33;\373u\205\263\200`\215\324\221#=S\255^]\211\30\6\2:}\272)\201\3064\201\346<\15r\040\37\265z0\252\202VL\370\211;X\303\257\242\27\323\270G\230c\27}\304v\23$\2009\3\371\35\321\1\334\214\367\373_Uv\17 8\366`j\4\331\1\373\306Oh\13URu\37x\244\233\34\4$d\11\260Swv\333\301d\3\212\243\354""H\21\4\355\340\2063]\350\356\3\305\211\365\213\35P]h\370N\353Q\362s\217\356w3p\267\260\200\3v;\31w;;c\206\242\352an\211\5\24\14v\356\210\15\366,tVr\205\12\307\5\16\343A\341E\20\17\337\25'~\255\252Xu\247Qz[\13N9\245\277\31\16\0\200\17(D\20\10\350\341N\344\10\15\256\205\4E\260[[t\333\212\376\320\213\352\201\345\0\376\3\14\201\302\331\334\333\24\15\201\342\16\3069D\7\373\242\252(\221\305E\2135t\24\1c\316<\316~\355V\33K\274\373\217v\12\335;{y\270\340\266\10\271\213\5\377v\36W\20\355\260\363}+\373WS\300\206\245\353\11IP|\2166\16\271\274\210\317\2601)+\265\363\241\201\206 \267\221\3464\235\353\3O\16\3536J\310\366+\6A\2048n{\373I\34$s\3\213\4;\357s\214\375\2023$L\266\34\200@A\2E)\351\260\200\3007\255\37\335m\244\275\32\250\201\307\375\201\347\376D\227^ry\273\3533;\16", 10240, 0x0, 0, ... {status=0x0, info=10240}, )  (80, 0, 0, 0, "\320\33\205\320\373\2132\1\47\372\233rlN\3JDU{;?k\315w^\21@\260\271\255X\273\1~\5)\3606\330\31\270Dd\353\226\12\213rV \242\4\2452\27m\203\210\355;\317\375)\235&\24D-\0rA\272(\352\242Q\205\316\213\262\327\1\255\22\250\3244\204\370\255Tp\353\14nS\33;\373u\205\263\200`\215\324\221#=S\255^]\211\30\6\2:}\272)\201\3064\201\346<\15r\040\37\265z0\252\202VL\370\211;X\303\257\242\27\323\270G\230c\27}\304v\23$\2009\3\371\35\321\1\334\214\367\373_Uv\17 8\366`j\4\331\1\373\306Oh\13URu\37x\244\233\34\4$d\11\260Swv\333\301d\3\212\243\354""H\21\4\355\340\2063]\350\356\3\305\211\365\213\35P]h\370N\353Q\362s\217\356w3p\267\260\200\3v;\31w;;c\206\242\352an\211\5\24\14v\356\210\15\366,tVr\205\12\307\5\16\343A\341E\20\17\337\25'~\255\252Xu\247Qz[\13N9\245\277\31\16\0\200\17(D\20\10\350\341N\344\10\15\256\205\4E\260[[t\333\212\376\320\213\352\201\345\0\376\3\14\201\302\331\334\333\24\15\201\342\16\3069D\7\373\242\252(\221\305E\2135t\24\1c\316<\316~\355V\33K\274\373\217v\12\335;{y\270\340\266\10\271\213\5\377v\36W\20\355\260\363}+\373WS\300\206\245\353\11IP|\2166\16\271\274\210\317\2601)+\265\363\241\201\206 \267\221\3464\235\353\3O\16\3536J\310\366+\6A\2048n{\373I\34$s\3\213\4;\357s\214\375\2023$L\266\34\200@A\2E)\351\260\200\3007\255\37\335m\244\275\32\250\201\307\375\201\347\376D\227^ry\273\3533;\16", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00512   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\231\337p\2254\27\26\344\213\317H\216A\310\256\4\35\317l}\16\27\325\14-\337\371\21\342S\22\330\365K\25__\4Jd\252\274F\271\207\303#0\351\375\315D\270\0\334\314\255\13\5`2M`U\336[bb\231\360\306-\231\23\201\4\21?\202*P\331\317\37\206\15L\340\13\217\226\247\350\331\254\314#Q\212\37\342N\200|=f\354d\226G:\374\274"\302\4\35\247\204_\304\14\326T\247i\355\360\322\26\360t\311\14\255\272\370\261\275r\210\330\376\27\235\33\10\261\271\377\326\261`\317\240\270\360\352lS\211\260\256%\1WL\210\312/\267\311\22G\31t\312\301)\0\244/\236\23\333\225\231\230Q8\22P\237Qe\201\315>\231\247\252\16\305\1\210k\301\303\313\23M0\341P\355\314\352\213OQ\373\307\311\12n;\340K\221\354\337\10W\362\323\1-$\n\206\217\317\4\227h\16\312N\267H\240\1\304\246!\0NE\177\255\245\367!\342vx\31\316Z9\326\261u\262\36\335\2553\266\252\2474\374\231\35\372\335Aj\33I\31\14\17\360\206\13\177NJu\340a\231yM\313=\34\215\332\355\320\374MLy\6\321Y\16\7W\261\206\22\221PN\262\373\266\201JI^\215\10\232|\225,]\351\251\24\210C\231\25)wN\262\266\177\211(\272\326\3720\3340jRW.M\350\327\247\353m\234\263\276\202\317\\212\13\36\{\312K7s\326$;\301\27iN\16\205\360\3158\333\375TR\363\360\360\234\357r\244"\0\10iE\374d\365\10wi\320\370\14\222@\214?\275\242\2\367\276\272\366\0\352\10\300\250\225.\250\213\232A\350s!\16M\1\226\332g\200\342\260\274h;L}#G/`\204\177s\1\366\241\240?\273\322\272\315B}F\257\366\326\2477,\315\372p\5kW{\15", ) \302\4\35\247\204_\304\14\326T\247i\355\360\322\26\360t\311\14\255\272\370\261\275r\210\330\376\27\235\33\10\261\271\377\326\261`\317\240\270\360\352lS\211\260\256%\1WL\210\312/\267\311\22G\31t\312\301)\0\244/\236\23\333\225\231\230Q8\22P\237Qe\201\315>\231\247\252\16\305\1\210k\301\303\313\23M0\341P\355\314\352\213OQ\373\307\311\12n;\340K\221\354\337\10W\362\323\1-$\n\206\217\317\4\227h\16\312N\267H\240\1\304\246!\0NE\177\255\245\367!\342vx\31\316Z9\326\261u\262\36\335\2553\266\252\2474\374\231\35\372\335Aj\33I\31\14\17\360\206\13\177NJu\340a\231yM\313=\34\215\332\355\320\374MLy\6\321Y\16\7W\261\206\22\221PN\262\373\266\201JI^\215\10\232|\225,]\351\251\24\210C\231\25)wN\262\266\177\211(\272\326\3720\3340jRW.M\350\327\247\353m\234\263\276\202\317\\212\13\36\{\312K7s\326$;\301\27iN\16\205\360\3158\333\375TR\363\360\360\234\357r\244 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\231\337p\2254\27\26\344\213\317H\216A\310\256\4\35\317l}\16\27\325\14-\337\371\21\342S\22\330\365K\25__\4Jd\252\274F\271\207\303#0\351\375\315D\270\0\334\314\255\13\5`2M`U\336[bb\231\360\306-\231\23\201\4\21?\202*P\331\317\37\206\15L\340\13\217\226\247\350\331\254\314#Q\212\37\342N\200|=f\354d\226G:\374\274"\302\4\35\247\204_\304\14\326T\247i\355\360\322\26\360t\311\14\255\272\370\261\275r\210\330\376\27\235\33\10\261\271\377\326\261`\317\240\270\360\352lS\211\260\256%\1WL\210\312/\267\311\22G\31t\312\301)\0\244/\236\23\333\225\231\230Q8\22P\237Qe\201\315>\231\247\252\16\305\1\210k\301\303\313\23M0\341P\355\314\352\213OQ\373\307\311\12n;\340K\221\354\337\10W\362\323\1-$\n\206\217\317\4\227h\16\312N\267H\240\1\304\246!\0NE\177\255\245\367!\342vx\31\316Z9\326\261u\262\36\335\2553\266\252\2474\374\231\35\372\335Aj\33I\31\14\17\360\206\13\177NJu\340a\231yM\313=\34\215\332\355\320\374MLy\6\321Y\16\7W\261\206\22\221PN\262\373\266\201JI^\215\10\232|\225,]\351\251\24\210C\231\25)wN\262\266\177\211(\272\326\3720\3340jRW.M\350\327\247\353m\234\263\276\202\317\\212\13\36\{\312K7s\326$;\301\27iN\16\205\360\3158\333\375TR\363\360\360\234\357r\244"\0\10iE\374d\365\10wi\320\370\14\222@\214?\275\242\2\367\276\272\366\0\352\10\300\250\225.\250\213\232A\350s!\16M\1\226\332g\200\342\260\274h;L}#G/`\204\177s\1\366\241\240?\273\322\272\315B}F\257\366\326\2477,\315\372p\5kW{\15", ) , ) == 0x0
 00513   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\17\204\365\225\242L\223\344\35\224\315\216\327\223+\4\213\224\351}\230LP\14\273\204|\21t\10\227\330c\20\220_\311_\317d<\347\303\271\21\230\2460\177\246HD.[Y\314;P\200`\244\26\345UH\0\347b\17\253C-\17H\4\4\207d\7*\306\202J\37\20V\311\340\235\324\23\247~\202)\314\265\12\17\37t\25\5|\253=id\0\34\277\374*yG\4\213\374\1_RWST12h\360DMut_W(\272n\3528r\36\203{\27\13@\215\261/\244S\261\366\224%\270f\261\351S\37\353+%\227\14\311\210\t2\311\204\34\234t\\232\254\02t\33\23M\316\34\230\307c\227P\11\12\340\201[e\34\247, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00514   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\217\201\350\342\220J\367\356\271\345\211\330\341\366\177;m,\224\35}\240\363\357iX\202\20G7'\225\226\333]\377\234`\310\370\351\313\206u\35&9d\212\357\335\315\246\363px\371\362\342A\223S2-X\227\327\260\1\353m\332\230\313^~\352\30\202,\235/\255\31\301N\320\300\235W\301\215\311_\236\25\33\365\313\272\202\221\320\30\232\207\232p\202i\2767\352\261\352\257\326\33\3\3442\3775h_\250\225\2542\240\206b\220\321\346h\355\3165!\330z\355\376\329\377\223\360\340\320f^\177Y3A\32.g\333\16C\310\25\301\2025w\12o\217\322\334\200\26E5(&\373\207x\201C\226\203\352\310\260\26\276\257J\177\177/\303q\34Y\355\0\27\346E\260AJ&-M\320\235Q\301\265\326\364\307\304\323\307Kc\272\263\354,\236\221\301X\241\377\233%P\214gn\226+\302\317\15=\247|0\316~\15b8\347\243\204"K%\24\17X\204\220\372H\221\370\3075\237\2516\177"ok&\261+\26\225\226\275j\345$\343\233\304;-^\320\235\3633\21\372\304\267!\332\267\336\341\20\345T\224P\206\344Sm\12\233\324\350\240\247\243\346\212\13\326a\26\222\254\376\203\257\201\174\242\225\26\207\373\251\301h\227}\300\4q\207\273\201\30\235\6\36\310w\206\255\333\332\243\313\13\324\351\222\207-8\206k\323\301\35\221?\1\305\306\264\236p\2\335TR\17\240p\363[7\322\204\13\253\240\363L\256Q\322;\253\360Ks\314\4\252\331\215\17U\336\3420\345\357\216\260\305N\362\211\374\323\325\376M\326\231\224\323[o\5/\\3111\266\373#\377\272i\200\35\265\330j\212\35\13=\24\5t\333\325X\331\347\356\266X\23\37\303\302E\223\300\231\240\315MEh\225U\353\212\262X\363V\231/\234\20", ) K%\24\17X\204\220\372H\221\370\3075\237\2516\177 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\217\201\350\342\220J\367\356\271\345\211\330\341\366\177;m,\224\35}\240\363\357iX\202\20G7'\225\226\333]\377\234`\310\370\351\313\206u\35&9d\212\357\335\315\246\363px\371\362\342A\223S2-X\227\327\260\1\353m\332\230\313^~\352\30\202,\235/\255\31\301N\320\300\235W\301\215\311_\236\25\33\365\313\272\202\221\320\30\232\207\232p\202i\2767\352\261\352\257\326\33\3\3442\3775h_\250\225\2542\240\206b\220\321\346h\355\3165!\330z\355\376\329\377\223\360\340\320f^\177Y3A\32.g\333\16C\310\25\301\2025w\12o\217\322\334\200\26E5(&\373\207x\201C\226\203\352\310\260\26\276\257J\177\177/\303q\34Y\355\0\27\346E\260AJ&-M\320\235Q\301\265\326\364\307\304\323\307Kc\272\263\354,\236\221\301X\241\377\233%P\214gn\226+\302\317\15=\247|0\316~\15b8\347\243\204"K%\24\17X\204\220\372H\221\370\3075\237\2516\177"ok&\261+\26\225\226\275j\345$\343\233\304;-^\320\235\3633\21\372\304\267!\332\267\336\341\20\345T\224P\206\344Sm\12\233\324\350\240\247\243\346\212\13\326a\26\222\254\376\203\257\201\174\242\225\26\207\373\251\301h\227}\300\4q\207\273\201\30\235\6\36\310w\206\255\333\332\243\313\13\324\351\222\207-8\206k\323\301\35\221?\1\305\306\264\236p\2\335TR\17\240p\363[7\322\204\13\253\240\363L\256Q\322;\253\360Ks\314\4\252\331\215\17U\336\3420\345\357\216\260\305N\362\211\374\323\325\376M\326\231\224\323[o\5/\\3111\266\373#\377\272i\200\35\265\330j\212\35\13=\24\5t\333\325X\331\347\356\266X\23\37\303\302E\223\300\231\240\315MEh\225U\353\212\262X\363V\231/\234\20", ) , ) == 0x0
 00515   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\31\332m\342\6\21r\356/\276\14\330w\255\372;\373w\21\35\353\373v\357\377\3\7\20\321l\242\225\0\200\330\377\12;M\370\177\220\3u\213}\274d\34\264X\3150\250\365xo\251gA\5\10\267-\316\314R\260\227\260\350\332\16\220\333~|C\7,\13t(\31W\25U\300\13\14D\215_\4\33\25\215\256N\272\24\312U\30\14\334\37p\242;7|\352o\257@@\206\344\244\244\260h\311\363\20\254\244\373\3b\6A\264\346\376\266K5\267\203\377\355hA\274\377\5\253e\320\360\5\372Y\245\32\237.\361\200\213C^ND\202\243,\217o\31\211Y\200\200\36\260(\260\240\2x\27\30\23\203|\2235\26(\364\317\177\351tFq\212\2h\0\201\275\300\260\327\21\243-\333\213\30QW\356S\364Q\237V\307\3358?\263zw\33\221W\3$\377\15~\325\214\3615\23+T\224\210=\202l\3710X%\210b\256\274&\204\264\20\240\24\231\3\1\220l\23\24\370Qn\32\251\240$\247o\375}4+\200\316\23\275\374\276\241\343\15\237\276-\310\213\30\363\245J\177\304!z_\267H\272\225\34\243\17\21P\20\277\326m\234\300Q\3506\374&\346\34PSa\200\311)\376\25\364\4\17\242\371\20\26\21\240,\301\376\314\370\300\222*\2\273\27C\30\6\210\223\362\206;\200_\243]PQ\351\4\334\2508\200V\301\213\312\272\1S\2351\236\346YXT\304T%pe\0\262\322\22P.\240e\27+QD`.\360\335(I\4<\202\10\17\303\205g0s\264\13\260S\25w\211j\210P\376\333\215\34\224E\0\352\5\271\7L1 \240\246\377,2\5\35\200n]j\34F\216=\202^\361\333C\3\\347x\355\335\23\211\230GE\5\233\34\240[\26\300h\3\16n\212$\3vV\17t\31\20", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00516   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\306\213\2218\265<\25\1/\7\375\360\362\202e\222\312\317\206Q\222\335\27\333\25\11\241#\304s\315\252\370s\354@\372XY\7\344\231\2173\305#\200\363\327\251wRr\23\204\3\370\7\205FZ\177\205\2103\260\375j\216\327\215\270\6W\301\17\2\330-S\7a\341u\6\366\245\353\270\15\365\237\366\347\305^\303\236\326\14\241;\12\254\323p\326X\235]a\244\257\23\221\1\376#\374\319\337\202X|\264\337\241;\351r\2\315[v\227\224\220\203`\225\24:\3022X\323_\305\30]mOZ\321\27\235K\225#\362\267\23\14\256\2\227\4\325J\315\314\310\175\323\305\17\3672v\17Q\343\312"\222a\261\277\320\4\312;\352U\236r\276\204\322h\211_]\23\353/\355\16\361_\313\347v^\332\227\364a*\16!o\310L\12=\7\2122\17\242\4\320\310\236 \24t\1 aoN\15\221#\206\341$\244jc\206\250\323\340M\326+;\335\23r1\322\7\344;\2417\323\13*\1T\367\245\37\262D\205\22f[\345|'\204\5|\226\0\241\2\377%\325r\272\373g\371\225\16\341p\302[-\252\24D^\256\201\357\371\20\350<\20\148\\235\26\2J\242E\306\20\323\21\251\I~\201\253\217=qd\331\244\237\17\201\263\206K\231P\223\265\252?\313W\224o\201\220\313X\370P\321R\303W\25\330R>R\240\266\200=\0\37>\206\353\224IK\236\21\244\322\4\235\377N\333\313~*Wv\3\230c\232x\265\202\366s\255*\273b&\32\222\200\204\20\307\210\360\11\32X\31\254\355/\2002e\276\266\304\14w\376 \24\351V4\15\313\207\6\224\200\31\3\232[\205\10\335\301\204\351\212X\305 T}\244e\205 \2257!7G\336J{\345\350\212\256\343\311(\340\201&\231w\22u\11\306\264\4", ) \222a\261\277\320\4\312;\352U\236r\276\204\322h\211_]\23\353/\355\16\361_\313\347v^\332\227\364a*\16!o\310L\12=\7\2122\17\242\4\320\310\236 \24t\1 aoN\15\221#\206\341$\244jc\206\250\323\340M\326+;\335\23r1\322\7\344;\2417\323\13*\1T\367\245\37\262D\205\22f[\345|'\204\5|\226\0\241\2\377%\325r\272\373g\371\225\16\341p\302[-\252\24D^\256\201\357\371\20\350<\20\148\\235\26\2J\242E\306\20\323\21\251\I~\201\253\217=qd\331\244\237\17\201\263\206K\231P\223\265\252?\313W\224o\201\220\313X\370P\321R\303W\25\330R>R\240\266\200=\0\37>\206\353\224IK\236\21\244\322\4\235\377N\333\313~*Wv\3\230c\232x\265\202\366s\255*\273b&\32\222\200\204\20\307\210\360\11\32X\31\254\355/\2002e\276\266\304\14w\376 \24\351V4\15\313\207\6\224\200\31\3\232[\205\10\335\301\204\351\212X\305 T}\244e\205 \2257!7G\336J{\345\350\212\256\343\311(\340\201&\231w\22u\11\306\264\4", ) == 0x0
 00517   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "P\320\248#g\220\1\271\x\360d\331\340\222\\224\3Q\4\206\222\333\203R$#R(H\252n(i@l\3\334\7r\302\123Sx\5\363A\362\362R\344H\1\3n\\0F\314$\0\210\245\353xj\30\214\10\270\220\14D\17\224\203\250S\221:du\220\255 \353.Vp\237`\274@^U\305S\147`\217\254E+SX\13\6\344\2449H\24\1hxy\31\257\204\7X\352\357Z\241\255\262\367\2[\0\363\227\2\313\6`\3O\277\302\244\3V_SC\330m\331\1T\27\13\20\20#d\354\226\148Y\22\4C\21H\314^T\260\323STr2\340T\324\343\y\27a'\344U\4\`oU\10);\204D3\14_\313Hn/{Ut_]\274\363^L\314qa\274U\244o^\27\217=\221\321\267\174_U\310\10{\221t\227{\344o\330V\24#\20\272\241\244\3748\3\250E\273\310\326\275`X\23\344jW\7r`$7EP\257\1\302\254 \37$\37\0\22\360\0`|\261\337\200|\0[$\2i~Pr,\240\342\371\3UdpT\0\250\252\202\37\333\256\27\264|\20~g\225\14\256\7\30\26\224\21'EPKV\21?\7\314~\27\360\12=\347?\\244\11T\4\263\20\20\34P\5\356/?]\14\21o\27\313NXn\13TRU\14\220\330\304e\327\240 \333\270\0\211e\3\353\2\22\316\236\207\377W\4\13\244\313\333]%\257W\340X\35c\14#0\202`((*-9\243\32\4\333\1\20Q\323u\11\214\3\234\254{t\52\363\3453\304\232,{ \202\262\3234\233\220\2\6\2\333\234\3\14\0\0\10K\232\1\351\34\3@ \302&!e\23{\207\267l\302\336\334 `\350\34\365f\311\276\273\4&\17,\227u\237\2351\4", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00518   464   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "(X\371\312\372\224\200\209\313\237\33v9\261{\231v]\20\216\3&uj\27\210d\235\346\345\16\26W\212<\267Q\347\213\234\7\356\266\206\350%\16\227\217\260\244\217J$\343R\353\262\354pP\256\13\240\0\307\24\354K\4\1G\256\345\277\227=\245\336z\17\267\216\2307\334\220\264\220\224\260\216\227\343%\244\266\366\4\26\245x\230\335\211\344\360R\316(\336U\227\240\367\373\216\20\323\321]\254\33\33\371d\234R\24\233[Y\15\333\207\10}\336\367\202\214I\235\7\307\343\227\324\362\267\232\235\12\376\35\363\335\302\274CD\260\366z\225\212\205!\201\301m\361\14:\316m\216R\30I\211\223/\303p\227\224\300\214n\204\323<`\270!39\270\314\251F\244<\225\333>\331\334\205\342r}\331\22>\360K"\224\277\6\4V\244P\234\17\215\4\235Y\310\6\307M\256\2\364`\341\202\243Q\206F2\313\214\213\327\32TktE\24\254\230Z\270\350Z\331u\312Z\270\275\20\33\327\\2\331/'\352\335\203\14\224\204n\223;\232X\313+\363`\230b\247}\225\214\205\3705Y\212\311\215\254\261J\241$Zn\201\16\246cH\226+J\353\15~ke\301\246k\14/\07Cl\346O\207\374\230\13\321\14\367\3+dY\315\36\17\3439\33E\265\361\215\2\210\220\214!\220x\305\177\277\202\244e\234\351\211\335\311_\354X4\10am\224\355)a=\35\213\301\32\202\227\235\231\371j\31,>\303\321\372S\263\14&\224\220\21\247\341\304\14\272;u0\252\32H,]\5\2041\23g\255\202\356\374\366\370\304 1%[O\32\21\257\251\205\24'\5\214\347\337\220\343\356\375W\21\11\3137L`O?\225\367\206\1\271[\353P\201m\214\20Yl\344YI"\224\215\347\343NP\263cyW\366\12\22;\216#", ) \224\277\6\4V\244P\234\17\215\4\235Y\310\6\307M\256\2\364`\341\202\243Q\206F2\313\214\213\327\32TktE\24\254\230Z\270\350Z\331u\312Z\270\275\20\33\327\\2\331/'\352\335\203\14\224\204n\223;\232X\313+\363`\230b\247}\225\214\205\3705Y\212\311\215\254\261J\241$Zn\201\16\246cH\226+J\353\15~ke\301\246k\14/\07Cl\346O\207\374\230\13\321\14\367\3+dY\315\36\17\3439\33E\265\361\215\2\210\220\214!\220x\305\177\277\202\244e\234\351\211\335\311_\354X4\10am\224\355)a=\35\213\301\32\202\227\235\231\371j\31,>\303\321\372S\263\14&\224\220\21\247\341\304\14\272;u0\252\32H,]\5\2041\23g\255\202\356\374\366\370\304 1%[O\32\21\257\251\205\24'\5\214\347\337\220\343\356\375W\21\11\3137L`O?\225\367\206\1\271[\353P\201m\214\20Yl\344YI (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "(X\371\312\372\224\200\209\313\237\33v9\261{\231v]\20\216\3&uj\27\210d\235\346\345\16\26W\212<\267Q\347\213\234\7\356\266\206\350%\16\227\217\260\244\217J$\343R\353\262\354pP\256\13\240\0\307\24\354K\4\1G\256\345\277\227=\245\336z\17\267\216\2307\334\220\264\220\224\260\216\227\343%\244\266\366\4\26\245x\230\335\211\344\360R\316(\336U\227\240\367\373\216\20\323\321]\254\33\33\371d\234R\24\233[Y\15\333\207\10}\336\367\202\214I\235\7\307\343\227\324\362\267\232\235\12\376\35\363\335\302\274CD\260\366z\225\212\205!\201\301m\361\14:\316m\216R\30I\211\223/\303p\227\224\300\214n\204\323<`\270!39\270\314\251F\244<\225\333>\331\334\205\342r}\331\22>\360K"\224\277\6\4V\244P\234\17\215\4\235Y\310\6\307M\256\2\364`\341\202\243Q\206F2\313\214\213\327\32TktE\24\254\230Z\270\350Z\331u\312Z\270\275\20\33\327\\2\331/'\352\335\203\14\224\204n\223;\232X\313+\363`\230b\247}\225\214\205\3705Y\212\311\215\254\261J\241$Zn\201\16\246cH\226+J\353\15~ke\301\246k\14/\07Cl\346O\207\374\230\13\321\14\367\3+dY\315\36\17\3439\33E\265\361\215\2\210\220\214!\220x\305\177\277\202\244e\234\351\211\335\311_\354X4\10am\224\355)a=\35\213\301\32\202\227\235\231\371j\31,>\303\321\372S\263\14&\224\220\21\247\341\304\14\272;u0\252\32H,]\5\2041\23g\255\202\356\374\366\370\304 1%[O\32\21\257\251\205\24'\5\214\347\337\220\343\356\375W\21\11\3137L`O?\225\367\206\1\271[\353P\201m\214\20Yl\344YI"\224\215\347\343NP\263cyW\366\12\22;\216#", ) , ) == 0x0
 00519   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\276\3|\312l\317\5\20\257\220\32\33\340b4{\17-\330\20\30X\243u\374L\15d\13\275`\16\200\14\17\313\21\260\30\314f%2M\263\366\222M x\16\206\14\344f\11K(H\16\22\240a\240\13\20E\212\330\254\215@|d\12\11\221\233\315\2\210\333\21S\370\336a\331\11I\13\B\343\1\217w\267\14\306\217\376\213\250X\302*\30\301\260`!\20\212\23z\4\301\373\252\211:X6\13R\216\22\14\223\271\230\365\227\2\233\11n\22\210\271`.z\2669.\227,F2g\20\333\250\202Y\205t)\370\331\204euK\264\317:\6\222\15!P\12T\10\4\13\2M\6Q\26+\2b;d\2025\12\3F\244\220\11\213AA\321k\342\36\221\254\16\1=\350\314\202\360\312\314\3438\20\215\214\331\2Ot\242\352K\330\211\224\225\26;\14\3N+e;\35b1&\20\214\23\243\260Y\34\222\10\254'\21$$\3145\4\1608\315\226\275\21n\15\3500\340\30100\211/\226l\306lp\24\2\374\16PT\14aX\256d\317\226\233\17ub\236E#\252\10\2\36\313\11!\6#@\177)\331!e\12\262\14\335_\4iX\242S\344m\2\266\254a\253F\16\301\214\331\22\235\17\242\357\31\272eF\321l\106\14\260\317\25\211\272A\14,`\3600"\2\326b\343\330\136c\357\14s\12\204`\13#", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \313\21\260\30\314f%2M\263\366\222M x\16\206\14\344f\11K(H\16\22\240a\240\13\20E\212\330\254\215@|d\12\11\221\233\315\2\210\333\21S\370\336a\331\11I\13\B\343\1\217w\267\14\306\217\376\213\250X\302*\30\301\260`!\20\212\23z\4\301\373\252\211:X6\13R\216\22\14\223\271\230\365\227\2\233\11n\22\210\271`.z\2669.\227,F2g\20\333\250\202Y\205t)\370\331\204euK\264\317:\6\222\15!P\12T\10\4\13\2M\6Q\26+\2b;d\2025\12\3F\244\220\11\213AA\321k\342\36\221\254\16\1=\350\314\202\360\312\314\3438\20\215\214\331\2Ot\242\352K\330\211\224\225\26;\14\3N+e;\35b1&\20\214\23\243\260Y\34\222\10\254'\21$$\3145\4\1608\315\226\275\21n\15\3500\340\30100\211/\226l\306lp\24\2\374\16PT\14aX\256d\317\226\233\17ub\236E#\252\10\2\36\313\11!\6#@\177)\331!e\12\262\14\335_\4iX\242S\344m\2\266\254a\253F\16\301\214\331\22\235\17\242\357\31\272eF\321l\106\14\260\317\25\211\272A\14,`\3600315,\313^\11\205<(\202x\247s\370R{\264%\315\24\237\219\362\0\24\261^\11\347I\313f\356k\14\224\11]l\311`\331d\20\367\20Z<[}\13\4m\32K\334lr\2\314 (80, 0, 0, 0, "\276\3|\312l\317\5\20\257\220\32\33\340b4{\17-\330\20\30X\243u\374L\15d\13\275`\16\200\14\17\313\21\260\30\314f%2M\263\366\222M x\16\206\14\344f\11K(H\16\22\240a\240\13\20E\212\330\254\215@|d\12\11\221\233\315\2\210\333\21S\370\336a\331\11I\13\B\343\1\217w\267\14\306\217\376\213\250X\302*\30\301\260`!\20\212\23z\4\301\373\252\211:X6\13R\216\22\14\223\271\230\365\227\2\233\11n\22\210\271`.z\2669.\227,F2g\20\333\250\202Y\205t)\370\331\204euK\264\317:\6\222\15!P\12T\10\4\13\2M\6Q\26+\2b;d\2025\12\3F\244\220\11\213AA\321k\342\36\221\254\16\1=\350\314\202\360\312\314\3438\20\215\214\331\2Ot\242\352K\330\211\224\225\26;\14\3N+e;\35b1&\20\214\23\243\260Y\34\222\10\254'\21$$\3145\4\1608\315\226\275\21n\15\3500\340\30100\211/\226l\306lp\24\2\374\16PT\14aX\256d\317\226\233\17ub\236E#\252\10\2\36\313\11!\6#@\177)\331!e\12\262\14\335_\4iX\242S\344m\2\266\254a\253F\16\301\214\331\22\235\17\242\357\31\272eF\321l\106\14\260\317\25\211\272A\14,`\3600"\2\326b\343\330\136c\357\14s\12\204`\13#", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00520   464   NtReadFile  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "J\10\205\0z\10\205\0>?\205\0.?\205\0\276(\205\0\256(\205\0\336(\205\0\306(\205\0\316(\205\0\366(\205\0\376(\205\0\346(\205\0\356(\205\0\26(\205\0\36(\205\0\6(\205\0r(\205\0n(\205\0\212/\205\0\366/\205\0\2/\205\0z/\205\0\202.\205\0\302.\205\0B.\205\0\272-\205\0^,\205\0\242"\205\0\342"\205\0\316!\205\0r!\205\0.'\205\0V%\205\0\36\333\205\0\372\332\205\0\232\331\205\0\32\331\205\0Z\331\205\0V\330\205\0v\330\205\0\222\337\205\0\242\337\205\0\16\10\200\0v\10\200\0Ab\202\0}b\202\0\224a\202\0\214a\202\0\242a\202\0\330a\202\0\377a\202\0\22a\202\06a\202\0/a\202\0Ba\202\0~a\202\0ha\202\0\204`\202\0\276`\202\0\327`\202\0\306`\202\0\353`\202\0\0`\202\0!`\202\0G`\202\0n`\202\0\215g\202\0\334g\202\0\371g\202\0\4g\202\0Wg\202\0wg\202\0\222f\202\0\257f\202\0\361f\202\0\352f\202\0\4f\202\0, ) \205\0\342 (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "J\10\205\0z\10\205\0>?\205\0.?\205\0\276(\205\0\256(\205\0\336(\205\0\306(\205\0\316(\205\0\366(\205\0\376(\205\0\346(\205\0\356(\205\0\26(\205\0\36(\205\0\6(\205\0r(\205\0n(\205\0\212/\205\0\366/\205\0\2/\205\0z/\205\0\202.\205\0\302.\205\0B.\205\0\272-\205\0^,\205\0\242"\205\0\342"\205\0\316!\205\0r!\205\0.'\205\0V%\205\0\36\333\205\0\372\332\205\0\232\331\205\0\32\331\205\0Z\331\205\0V\330\205\0v\330\205\0\222\337\205\0\242\337\205\0\16\10\200\0v\10\200\0Ab\202\0}b\202\0\224a\202\0\214a\202\0\242a\202\0\330a\202\0\377a\202\0\22a\202\06a\202\0/a\202\0Ba\202\0~a\202\0ha\202\0\204`\202\0\276`\202\0\327`\202\0\306`\202\0\353`\202\0\0`\202\0!`\202\0G`\202\0n`\202\0\215g\202\0\334g\202\0\371g\202\0\4g\202\0Wg\202\0wg\202\0\222f\202\0\257f\202\0\361f\202\0\352f\202\0\4f\202\0, ) , ) == 0x0
 00521   464   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\334S\0\0\354S\0\0\250d\0\0\270d\0\0(s\0\08s\0\0Hs\0\0Ps\0\0Xs\0\0`s\0\0hs\0\0ps\0\0xs\0\0\200s\0\0\210s\0\0\220s\0\0\344s\0\0\370s\0\0\34t\0\0`t\0\0\224t\0\0\354t\0\0\24u\0\0Tu\0\0\324u\0\0,v\0\0\310w\0\04y\0\0ty\0\0Xz\0\0\344z\0\0\270|\0\0\300~\0\0\210\200\0\0l\201\0\0\14\202\0\0\214\202\0\0\314\202\0\0\300\203\0\0\340\203\0\0\4\204\0\04\204\0\0\230S\5\0\340S\5\0\3279\7\0\3539\7\0\2:\7\0\32:\7\04:\7\0N:\7\0i:\7\0\204:\7\0\240:\7\0\271:\7\0\324:\7\0\350:\7\0\376:\7\0\22;\7\0(;\7\0A;\7\0P;\7\0};\7\0\226;\7\0\267;\7\0\321;\7\0\370;\7\0\33<\7\0J<\7\0o<\7\0\222<\7\0\301<\7\0\341<\7\0\4=\7\09=\7\0g=\7\0|=\7\0\222=\7\0\252=\7\0\300=\7\0\326=\7\0\354=\7\0\1>\7\0\32>\7\0/>\7\0D>\7\0^>\7\0y>\7\0\204>\7\0\212>\7\0\223>\7\0\237>\7\0\34\0\26\0\27\0\31\0\24\0\30\0\25\0\32\0\4\0\3\0\10\0\7\0\6\0\5\0+\0\33\0\35\0\36\0$\0 \0(\0*\0)\0!\0#\0"\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00522   464   NtClose  (80, ... ) == 0x0
 00523   464   NtClose  (68, ... ) == 0x0
 00524   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.tmp"}, 1242416, ... ) }, 1242416, ... ) == 0x0
 00525   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00526   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0
 00527   464   NtClose  (68, ... ) == 0x0
 00528   464   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0
 00529   464   NtClose  (80, ... ) == 0x0
 00530   464   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00531   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.tmp"}, 1242732, ... ) }, 1242732, ... ) == 0x0
 00532   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.tmp"}, 1242732, ... ) }, 1242732, ... ) == 0x0
 00533   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00534   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0
 00535   464   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00536   464   NtClose  (80, ... ) == 0x0
 00537   464   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 475136, ) == STATUS_IMAGE_NOT_AT_BASE
 00538   464   NtMapViewOfSection  (68, -1, (0x860000), 0, 0, 0x0, 475136, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00539   464   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00540   464   NtClose  (68, ... ) == 0x0
 00541   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 8, ) == 0x0
 00542   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 8, ... (0x8d3000), 4096, 4, ) == 0x0
 00543   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00544   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00545   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00546   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00547   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00548   464   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00549   464   NtClose  (68, ... ) == 0x0
 00550   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00551   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00552   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00553   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00554   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00555   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00556   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00557   464   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00558   464   NtClose  (68, ... ) == 0x0
 00559   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00560   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00561   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00562   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00563   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00564   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00565   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00566   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00567   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00568   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00569   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00570   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00571   464   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241948, ... ) }, 1241948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   464   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241948, ... ) }, 1241948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241948, ... ) }, 1241948, ... ) == 0x0
 00575   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00576   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0
 00577   464   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00578   464   NtClose  (68, ... ) == 0x0
 00579   464   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00580   464   NtClose  (80, ... ) == 0x0
 00581   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00582   464   NtProtectVirtualMemory  (-1, (0x8d3000), 4096, 4, ... (0x8d3000), 4096, 4, ) == 0x0
 00583   464   NtFlushInstructionCache  (-1, 9252864, 4096, ... ) == 0x0
 00584   464   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {460, 0}, ... 80, ) == 0x0
 00585   464   NtQueryInformationProcess  (80, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00586   464   NtClose  (80, ... ) == 0x0
 00587   464   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00588   464   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00589   464   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00590   464   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00591   464   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00592   464   NtClose  (80, ... ) == 0x0
 00593   464   NtUserSystemParametersInfo  (41, 500, 1242456, 0, ... ) == 0x1
 00594   464   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00595   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00596   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00597   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ...
 00598   464   NtAllocateVirtualMemory  (-1, 5554176, 0, 4096, 4096, 32, ... 5554176, 4096, ) == 0x0
 00597   464   NtUserRegisterClassExWOW  ... ) == 0x810cc03b
 00599   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00600   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc03d
 00601   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00602   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00603   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc03f
 00604   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00605   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00606   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc041
 00607   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00608   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00609   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc043
 00610   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00611   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc045
 00612   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00613   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00614   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc047
 00615   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00616   464   NtUserFindExistingCursorIcon  (1242244, 1242260, 1242828, ... ) == 0x10011
 00617   464   NtUserRegisterClassExWOW  (1242696, 1242776, 1242760, 1242792, 0, 384, 0, ... ) == 0x810cc049
 00618   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00619   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00620   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc04b
 00621   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00622   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00623   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc04d
 00624   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00625   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00626   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc04f
 00627   464   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00628   464   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810cc051
 00629   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00630   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00631   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc053
 00632   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00633   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00634   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc055
 00635   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc057
 00636   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00637   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00638   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc059
 00639   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00640   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10013
 00641   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc05b
 00642   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00643   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00644   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc05d
 00645   464   NtUserGetClassInfo  (1999896576, 1242864, 1242816, 1242892, 0, ... ) == 0x0
 00646   464   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00647   464   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810cc05f
 00648   464   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00649   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00650   464   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0
 00651   464   NtNotifyChangeKey  (84, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00652   464   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00653   464   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00654   464   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00655   464   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00656   464   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00657   464   NtQueryVirtualMemory  (-1, 0x12f670, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00658   464   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00659   464   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9371648, 1048576, ) == 0x0
 00660   464   NtAllocateVirtualMemory  (-1, 9371648, 0, 16384, 4096, 4, ... 9371648, 16384, ) == 0x0
 00661   464   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00662   464   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00663   464   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00664   464   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   464   NtOpenProcessToken  (-1, 0x8, ... 96, ) == 0x0
 00666   464   NtQueryInformationToken  (96, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00667   464   NtClose  (96, ... ) == 0x0
 00668   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00669   464   NtReleaseMutant  (16, ...
 00670   464   NtContinue  (-130645880, 0, ...
 00669   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00671   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.ENU"}, 1241180, ... ) }, 1241180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.ENU"}, 1240820, ... ) }, 1240820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.ENU.DLL"}, 1240820, ... ) }, 1240820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.EN"}, 1241180, ... ) }, 1241180, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.EN"}, 1240820, ... ) }, 1240820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\gka1.EN.DLL"}, 1240820, ... ) }, 1240820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00678   464   NtReleaseMutant  (16, ...
 00679   464   NtContinue  (-130645880, 0, ...
 00678   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00680   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00681   464   NtReleaseMutant  (16, ...
 00682   464   NtContinue  (-130645880, 0, ...
 00681   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00683   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00684   464   NtReleaseMutant  (16, ...
 00685   464   NtContinue  (-130645880, 0, ...
 00684   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00686   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00687   464   NtReleaseMutant  (16, ...
 00688   464   NtContinue  (-130645880, 0, ...
 00687   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00689   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00690   464   NtReleaseMutant  (16, ...
 00691   464   NtContinue  (-130645880, 0, ...
 00690   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00692   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00693   464   NtReleaseMutant  (16, ...
 00694   464   NtContinue  (-130645880, 0, ...
 00693   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00695   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00696   464   NtReleaseMutant  (16, ...
 00697   464   NtContinue  (-130645880, 0, ...
 00696   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00698   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00699   464   NtReleaseMutant  (16, ...
 00700   464   NtContinue  (-130645880, 0, ...
 00699   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00701   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00702   464   NtReleaseMutant  (16, ...
 00703   464   NtContinue  (-130645880, 0, ...
 00702   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00704   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00705   464   NtReleaseMutant  (16, ...
 00706   464   NtContinue  (-130645880, 0, ...
 00705   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00707   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00708   464   NtReleaseMutant  (16, ...
 00709   464   NtContinue  (-130645880, 0, ...
 00708   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00710   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00711   464   NtReleaseMutant  (16, ...
 00712   464   NtContinue  (-130645880, 0, ...
 00711   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00713   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00714   464   NtReleaseMutant  (16, ...
 00715   464   NtContinue  (-130645880, 0, ...
 00714   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00716   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00717   464   NtReleaseMutant  (16, ...
 00718   464   NtContinue  (-130645880, 0, ...
 00717   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00719   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00720   464   NtReleaseMutant  (16, ...
 00721   464   NtContinue  (-130645880, 0, ...
 00720   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00722   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00723   464   NtReleaseMutant  (16, ...
 00724   464   NtContinue  (-130645880, 0, ...
 00723   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00725   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00726   464   NtReleaseMutant  (16, ...
 00727   464   NtContinue  (-130645880, 0, ...
 00726   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00728   464   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00729   464   NtReleaseMutant  (16, ...
 00730   464   NtContinue  (-130645880, 0, ...
 00729   464   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00731   464   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 96, ) == 0x0
 00732   464   NtUserGetDC  (0, ... ) == 0x1010051
 00733   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00734   464   NtUserGetDC  (0, ... ) == 0x1010051
 00735   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00736   464   NtGdiCreatePaletteInternal  (1241868, 16, ... ) == 0x6080454
 00737   464   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00738   464   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00739   464   NtUserFindExistingCursorIcon  (1242264, 1242280, 1242848, ... ) == 0x10003
 00740   464   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\0C\0C\0", 28, 1242800, ... ) , 28, 1242800, ... ) == 0x0
 00741   464   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\08\06\00\00\00\00\00\00\00\00\00\01\0D\00\0", 52, 1242800, ... ) , 52, 1242800, ... ) == 0x0
 00742   464   NtUserSystemParametersInfo  (104, 0, 9376892, 0, ... ) == 0x1
 00743   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10011
 00744   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10023
 00745   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x0
 00746   464   NtUserGetDC  (0, ... ) == 0x1010051
 00747   464   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1050456
 00748   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00749   464   NtGdiSelectBitmap  (234947656, 17106006, ... ) == 0x185000f
 00750   464   NtGdiGetDCforBitmap  (17106006, ... ) == 0xe010448
 00751   464   NtGdiSaveDC  (234947656, ... ) == 0x1
 00752   464   NtGdiSelectBitmap  (234947656, 17106006, ... ) == 0x1050456
 00753   464   NtGdiGetDCObject  (234947656, 524288, ... ) == 0x188000b
 00754   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00755   464   NtGdiSetDIBitsToDeviceInternal  (234947656, 0, 0, 32, 64, 0, 0, 0, 64, 9192972, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00756   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00757   464   NtGdiSelectBitmap  (234947656, 17106006, ... ) == 0x1050456
 00758   464   NtGdiRestoreDC  (234947656, -1, ... ) == 0x1
 00759   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x1050456
 00760   464   NtGdiCreateCompatibleDC  (234947656, ... ) == 0x2010457
 00761   464   NtGdiExtGetObjectW  (17106006, 24, 1241320, ... ) == 0x18
 00762   464   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x2050458
 00763   464   NtGdiSelectBitmap  (234947656, 17106006, ... ) == 0x185000f
 00764   464   NtGdiSelectBitmap  (33621079, 33883224, ... ) == 0x185000f
 00765   464   NtGdiBitBlt  (33621079, 0, 0, 32, 64, 234947656, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00766   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x1050456
 00767   464   NtGdiSelectBitmap  (33621079, 25493519, ... ) == 0x2050458
 00768   464   NtGdiDeleteObjectApp  (17106006, ... ) == 0x1
 00769   464   NtGdiDeleteObjectApp  (33621079, ... ) == 0x1
 00770   464   NtUserCallOneParam  (0, 33, ... ) == 0x100ad
 00771   464   NtUserSetCursorIconData  (65709, 1241428, 1241444, 1242024, ... ) == 0x1
 00772   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10029
 00773   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10027
 00774   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10025
 00775   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x0
 00776   464   NtUserGetDC  (0, ... ) == 0x1010051
 00777   464   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x7050455
 00778   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00779   464   NtGdiSelectBitmap  (234947656, 117769301, ... ) == 0x185000f
 00780   464   NtGdiGetDCforBitmap  (117769301, ... ) == 0xe010448
 00781   464   NtGdiSaveDC  (234947656, ... ) == 0x1
 00782   464   NtGdiSelectBitmap  (234947656, 117769301, ... ) == 0x7050455
 00783   464   NtGdiGetDCObject  (234947656, 524288, ... ) == 0x188000b
 00784   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00785   464   NtGdiSetDIBitsToDeviceInternal  (234947656, 0, 0, 32, 64, 0, 0, 0, 64, 9193280, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00786   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00787   464   NtGdiSelectBitmap  (234947656, 117769301, ... ) == 0x7050455
 00788   464   NtGdiRestoreDC  (234947656, -1, ... ) == 0x1
 00789   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x7050455
 00790   464   NtGdiCreateCompatibleDC  (234947656, ... ) == 0x3010456
 00791   464   NtGdiExtGetObjectW  (117769301, 24, 1241320, ... ) == 0x18
 00792   464   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x3050459
 00793   464   NtGdiSelectBitmap  (234947656, 117769301, ... ) == 0x185000f
 00794   464   NtGdiSelectBitmap  (50398294, 50660441, ... ) == 0x185000f
 00795   464   NtGdiBitBlt  (50398294, 0, 0, 32, 64, 234947656, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00796   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x7050455
 00797   464   NtGdiSelectBitmap  (50398294, 25493519, ... ) == 0x3050459
 00798   464   NtGdiDeleteObjectApp  (117769301, ... ) == 0x1
 00799   464   NtGdiDeleteObjectApp  (50398294, ... ) == 0x1
 00800   464   NtUserCallOneParam  (0, 33, ... ) == 0x100af
 00801   464   NtUserSetCursorIconData  (65711, 1241428, 1241444, 1242024, ... ) == 0x1
 00802   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x0
 00803   464   NtUserGetDC  (0, ... ) == 0x1010051
 00804   464   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x4050457
 00805   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00806   464   NtGdiSelectBitmap  (234947656, 67437655, ... ) == 0x185000f
 00807   464   NtGdiGetDCforBitmap  (67437655, ... ) == 0xe010448
 00808   464   NtGdiSaveDC  (234947656, ... ) == 0x1
 00809   464   NtGdiSelectBitmap  (234947656, 67437655, ... ) == 0x4050457
 00810   464   NtGdiGetDCObject  (234947656, 524288, ... ) == 0x188000b
 00811   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00812   464   NtGdiSetDIBitsToDeviceInternal  (234947656, 0, 0, 32, 64, 0, 0, 0, 64, 9193588, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00813   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00814   464   NtGdiSelectBitmap  (234947656, 67437655, ... ) == 0x4050457
 00815   464   NtGdiRestoreDC  (234947656, -1, ... ) == 0x1
 00816   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x4050457
 00817   464   NtGdiCreateCompatibleDC  (234947656, ... ) == 0x9010455
 00818   464   NtGdiExtGetObjectW  (67437655, 24, 1241320, ... ) == 0x18
 00819   464   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x305045a
 00820   464   NtGdiSelectBitmap  (234947656, 67437655, ... ) == 0x185000f
 00821   464   NtGdiSelectBitmap  (151061589, 50660442, ... ) == 0x185000f
 00822   464   NtGdiBitBlt  (151061589, 0, 0, 32, 64, 234947656, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00823   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x4050457
 00824   464   NtGdiSelectBitmap  (151061589, 25493519, ... ) == 0x305045a
 00825   464   NtGdiDeleteObjectApp  (67437655, ... ) == 0x1
 00826   464   NtGdiDeleteObjectApp  (151061589, ... ) == 0x1
 00827   464   NtUserCallOneParam  (0, 33, ... ) == 0x100b1
 00828   464   NtUserSetCursorIconData  (65713, 1241428, 1241444, 1242024, ... ) == 0x1
 00829   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x0
 00830   464   NtUserGetDC  (0, ... ) == 0x1010051
 00831   464   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x5050456
 00832   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00833   464   NtGdiSelectBitmap  (234947656, 84214870, ... ) == 0x185000f
 00834   464   NtGdiGetDCforBitmap  (84214870, ... ) == 0xe010448
 00835   464   NtGdiSaveDC  (234947656, ... ) == 0x1
 00836   464   NtGdiSelectBitmap  (234947656, 84214870, ... ) == 0x5050456
 00837   464   NtGdiGetDCObject  (234947656, 524288, ... ) == 0x188000b
 00838   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00839   464   NtGdiSetDIBitsToDeviceInternal  (234947656, 0, 0, 32, 64, 0, 0, 0, 64, 9193896, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00840   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00841   464   NtGdiSelectBitmap  (234947656, 84214870, ... ) == 0x5050456
 00842   464   NtGdiRestoreDC  (234947656, -1, ... ) == 0x1
 00843   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x5050456
 00844   464   NtGdiCreateCompatibleDC  (234947656, ... ) == 0x6010457
 00845   464   NtGdiExtGetObjectW  (84214870, 24, 1241320, ... ) == 0x18
 00846   464   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x305045b
 00847   464   NtGdiSelectBitmap  (234947656, 84214870, ... ) == 0x185000f
 00848   464   NtGdiSelectBitmap  (100729943, 50660443, ... ) == 0x185000f
 00849   464   NtGdiBitBlt  (100729943, 0, 0, 32, 64, 234947656, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00850   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x5050456
 00851   464   NtGdiSelectBitmap  (100729943, 25493519, ... ) == 0x305045b
 00852   464   NtGdiDeleteObjectApp  (84214870, ... ) == 0x1
 00853   464   NtGdiDeleteObjectApp  (100729943, ... ) == 0x1
 00854   464   NtUserCallOneParam  (0, 33, ... ) == 0x100b3
 00855   464   NtUserSetCursorIconData  (65715, 1241428, 1241444, 1242024, ... ) == 0x1
 00856   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x0
 00857   464   NtUserGetDC  (0, ... ) == 0x1010051
 00858   464   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xb050455
 00859   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00860   464   NtGdiSelectBitmap  (234947656, 184878165, ... ) == 0x185000f
 00861   464   NtGdiGetDCforBitmap  (184878165, ... ) == 0xe010448
 00862   464   NtGdiSaveDC  (234947656, ... ) == 0x1
 00863   464   NtGdiSelectBitmap  (234947656, 184878165, ... ) == 0xb050455
 00864   464   NtGdiGetDCObject  (234947656, 524288, ... ) == 0x188000b
 00865   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00866   464   NtGdiSetDIBitsToDeviceInternal  (234947656, 0, 0, 32, 64, 0, 0, 0, 64, 9194204, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00867   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00868   464   NtGdiSelectBitmap  (234947656, 184878165, ... ) == 0xb050455
 00869   464   NtGdiRestoreDC  (234947656, -1, ... ) == 0x1
 00870   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0xb050455
 00871   464   NtGdiCreateCompatibleDC  (234947656, ... ) == 0x7010456
 00872   464   NtGdiExtGetObjectW  (184878165, 24, 1241320, ... ) == 0x18
 00873   464   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x305045c
 00874   464   NtGdiSelectBitmap  (234947656, 184878165, ... ) == 0x185000f
 00875   464   NtGdiSelectBitmap  (117507158, 50660444, ... ) == 0x185000f
 00876   464   NtGdiBitBlt  (117507158, 0, 0, 32, 64, 234947656, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00877   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0xb050455
 00878   464   NtGdiSelectBitmap  (117507158, 25493519, ... ) == 0x305045c
 00879   464   NtGdiDeleteObjectApp  (184878165, ... ) == 0x1
 00880   464   NtGdiDeleteObjectApp  (117507158, ... ) == 0x1
 00881   464   NtUserCallOneParam  (0, 33, ... ) == 0x100b5
 00882   464   NtUserSetCursorIconData  (65717, 1241428, 1241444, 1242024, ... ) == 0x1
 00883   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x0
 00884   464   NtUserGetDC  (0, ... ) == 0x1010051
 00885   464   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x8050457
 00886   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00887   464   NtGdiSelectBitmap  (234947656, 134546519, ... ) == 0x185000f
 00888   464   NtGdiGetDCforBitmap  (134546519, ... ) == 0xe010448
 00889   464   NtGdiSaveDC  (234947656, ... ) == 0x1
 00890   464   NtGdiSelectBitmap  (234947656, 134546519, ... ) == 0x8050457
 00891   464   NtGdiGetDCObject  (234947656, 524288, ... ) == 0x188000b
 00892   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00893   464   NtGdiSetDIBitsToDeviceInternal  (234947656, 0, 0, 32, 64, 0, 0, 0, 64, 9194820, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00894   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00895   464   NtGdiSelectBitmap  (234947656, 134546519, ... ) == 0x8050457
 00896   464   NtGdiRestoreDC  (234947656, -1, ... ) == 0x1
 00897   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x8050457
 00898   464   NtGdiCreateCompatibleDC  (234947656, ... ) == 0xd010455
 00899   464   NtGdiExtGetObjectW  (134546519, 24, 1241320, ... ) == 0x18
 00900   464   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x305045d
 00901   464   NtGdiSelectBitmap  (234947656, 134546519, ... ) == 0x185000f
 00902   464   NtGdiSelectBitmap  (218170453, 50660445, ... ) == 0x185000f
 00903   464   NtGdiBitBlt  (218170453, 0, 0, 32, 64, 234947656, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00904   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x8050457
 00905   464   NtGdiSelectBitmap  (218170453, 25493519, ... ) == 0x305045d
 00906   464   NtGdiDeleteObjectApp  (134546519, ... ) == 0x1
 00907   464   NtGdiDeleteObjectApp  (218170453, ... ) == 0x1
 00908   464   NtUserCallOneParam  (0, 33, ... ) == 0x100b7
 00909   464   NtUserSetCursorIconData  (65719, 1241428, 1241444, 1242024, ... ) == 0x1
 00910   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x0
 00911   464   NtUserGetDC  (0, ... ) == 0x1010051
 00912   464   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x9050456
 00913   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00914   464   NtGdiSelectBitmap  (234947656, 151323734, ... ) == 0x185000f
 00915   464   NtGdiGetDCforBitmap  (151323734, ... ) == 0xe010448
 00916   464   NtGdiSaveDC  (234947656, ... ) == 0x1
 00917   464   NtGdiSelectBitmap  (234947656, 151323734, ... ) == 0x9050456
 00918   464   NtGdiGetDCObject  (234947656, 524288, ... ) == 0x188000b
 00919   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00920   464   NtGdiSetDIBitsToDeviceInternal  (234947656, 0, 0, 32, 64, 0, 0, 0, 64, 9194512, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00921   464   NtUserSelectPalette  (234947656, 25690123, 0, ... ) == 0x188000b
 00922   464   NtGdiSelectBitmap  (234947656, 151323734, ... ) == 0x9050456
 00923   464   NtGdiRestoreDC  (234947656, -1, ... ) == 0x1
 00924   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x9050456
 00925   464   NtGdiCreateCompatibleDC  (234947656, ... ) == 0xa010457
 00926   464   NtGdiExtGetObjectW  (151323734, 24, 1241320, ... ) == 0x18
 00927   464   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x305045e
 00928   464   NtGdiSelectBitmap  (234947656, 151323734, ... ) == 0x185000f
 00929   464   NtGdiSelectBitmap  (167838807, 50660446, ... ) == 0x185000f
 00930   464   NtGdiBitBlt  (167838807, 0, 0, 32, 64, 234947656, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00931   464   NtGdiSelectBitmap  (234947656, 25493519, ... ) == 0x9050456
 00932   464   NtGdiSelectBitmap  (167838807, 25493519, ... ) == 0x305045e
 00933   464   NtGdiDeleteObjectApp  (151323734, ... ) == 0x1
 00934   464   NtGdiDeleteObjectApp  (167838807, ... ) == 0x1
 00935   464   NtUserCallOneParam  (0, 33, ... ) == 0x100b9
 00936   464   NtUserSetCursorIconData  (65721, 1241428, 1241444, 1242024, ... ) == 0x1
 00937   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10015
 00938   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10019
 00939   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x1001f
 00940   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x1001b
 00941   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10021
 00942   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x1001d
 00943   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10013
 00944   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10017
 00945   464   NtUserFindExistingCursorIcon  (1242148, 1242164, 1242732, ... ) == 0x10011
 00946   464   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00947   464   NtUserGetDC  (0, ... ) == 0x1010051
 00948   464   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00949   464   NtUserEnumDisplayMonitors  (0, 0, 8915880, 9377472, ... ) == 0x1
 00950   464   NtUserSystemParametersInfo  (31, 60, 1241584, 0, ... ) == 0x1
 00951   464   NtGdiHfontCreate  (1241980, 356, 0, 0, 1344496, ... ) == 0xb0a0457
 00952   464   NtGdiExtGetObjectW  (185205847, 420, 1241804, ... ) == 0x164
 00953   464   NtUserSystemParametersInfo  (41, 0, 1241784, 0, ... ) == 0x1
 00954   464   NtGdiHfontCreate  (1241980, 356, 0, 0, 1344488, ... ) == 0xf0a0455
 00955   464   NtGdiExtGetObjectW  (252314709, 420, 1241804, ... ) == 0x164
 00956   464   NtGdiHfontCreate  (1241980, 356, 0, 0, 1344480, ... ) == 0xa0a0456
 00957   464   NtGdiExtGetObjectW  (168428630, 420, 1241804, ... ) == 0x164
 00958   464   NtUserFindExistingCursorIcon  (1241892, 1241908, 1242476, ... ) == 0x0
 00959   464   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 8650752, 4096, ) == 0x0
 00960   464   NtUserGetKeyboardLayoutList  (64, 1242464, ... ) == 0x1
 00961   464   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00962   464   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0d5
 00963   464   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0d6
 00964   464   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   464   NtUserSetWindowsHookEx  (8781824, 1243792, 0, 4, 8789524, 2, ... ) == 0x100bb
 00966   464   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   464   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "uterm13.2i"}, 1, ... 100, ) }, 1, ... 100, ) == 0x0
 00968   464   NtOpenProcessToken  (-1, 0x20, ... 104, ) == 0x0
 00969   464   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00970   464   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   464   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 108, ) }, ... 108, ) == 0x0
 00972   464   NtQueryValueKey  (108,  (108, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   464   NtClose  (108, ... ) == 0x0
 00974   464   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00976   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00977   464   NtQuerySystemTime  (... {95106364, 29874541}, ) == 0x0
 00978   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00979   464   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   464   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00981   464   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00982   464   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00983   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00984   464   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 124, ) == 0x0
 00985   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 128, ) }, ... 128, ) == 0x0
 00986   464   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "ActiveComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00987   464   NtQueryValueKey  (132,  (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00988   464   NtClose  (132, ... ) == 0x0
 00989   464   NtClose  (128, ... ) == 0x0
 00990   464   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 128, ) == 0x0
 00991   464   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 132, ) == 0x0
 00992   464   NtDuplicateObject  (-1, 128, -1, 0x0, 0, 2, ... 136, ) == 0x0
 00993   464   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00994   464   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00995   464   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00996   464   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00997   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00998   464   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243248,  (0xc0100080, {24, 0, 0x40, 0, 1243248, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 00999   464   NtSetInformationFile  (144, 1243304, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01000   464   NtSetInformationFile  (144, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01001   464   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01002   464   NtWriteFile  (144, 121, 0, 0,  (144, 121, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01003   464   NtReadFile  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01004   464   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01005   464   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\02I\353>`E\334\21\261\310\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\02I\353>`E\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\02I\353>`E\334\21\261\310\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\02I\353>`E\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\02I\353>`E\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01006   464   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\02I\353>`E\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\02I\353>`E\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01007   464   NtClose  (140, ... ) == 0x0
 01008   464   NtClose  (144, ... ) == 0x0
 01009   464   NtAdjustPrivilegesToken  (104, 0, 1245084, 16, 0, 0, ... ) == 0x0
 01010   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01011   464   NtQueryValueKey  (144,  (144, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   464   NtClose  (144, ... ) == 0x0
 01013   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01014   464   NtQueryValueKey  (144,  (144, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   464   NtClose  (144, ... ) == 0x0
 01016   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01017   464   NtQueryValueKey  (144,  (144, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01018   464   NtClose  (144, ... ) == 0x0
 01019   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01020   464   NtQueryValueKey  (144,  (144, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01021   464   NtClose  (144, ... ) == 0x0
 01022   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01023   464   NtQueryValueKey  (144,  (144, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   464   NtClose  (144, ... ) == 0x0
 01025   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01026   464   NtQueryValueKey  (144,  (144, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027   464   NtClose  (144, ... ) == 0x0
 01028   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01029   464   NtQueryValueKey  (144,  (144, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01030   464   NtClose  (144, ... ) == 0x0
 01031   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01032   464   NtQueryValueKey  (144,  (144, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   464   NtClose  (144, ... ) == 0x0
 01034   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01035   464   NtQueryValueKey  (144,  (144, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01036   464   NtClose  (144, ... ) == 0x0
 01037   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01038   464   NtQueryValueKey  (144,  (144, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   464   NtClose  (144, ... ) == 0x0
 01040   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   464   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01042   464   NtSetInformationFile  (-2147482808, -130644956, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01043   464   NtSetInformationFile  (-2147482808, -130645428, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01041   464   NtCreateKey  ... 144, 1, ) == 0x0
 01044   464   NtSetValueKey  (144,  (144, "ID", 0, 1, "v\0u\0z\0b\0p\0f\0z\0g\0f\0l\0g\0k\0a\0e\0s\0v\0p\0w\0\0\0", 38, ... ) , 0, 1,  (144, "ID", 0, 1, "v\0u\0z\0b\0p\0f\0z\0g\0f\0l\0g\0k\0a\0e\0s\0v\0p\0w\0\0\0", 38, ... ) , 38, ... ) == 0x0
 01045   464   NtClose  (144, ... ) == 0x0
 01046   464   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01047   464   NtQueryValueKey  (144,  (144, "System Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   464   NtClose  (144, ... ) == 0x0
 01049   464   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 144, 2, ) }, 0, 0x0, 0, ... 144, 2, ) == 0x0
 01050   464   NtSetValueKey  (144,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01051   464   NtClose  (144, ... ) == 0x0
 01052   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243520,  (0x80100080, {24, 0, 0x40, 0, 1243520, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01053   464   NtQueryInformationFile  (144, 1244456, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01054   464   NtQueryInformationFile  (144, 1244428, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01055   464   NtQueryInformationFile  (144, 1244380, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01056   464   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 01057   464   NtQueryInformationFile  (144, 1371664, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01058   464   NtQueryInformationFile  (144, 1242924, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01059   464   NtQueryInformationFile  (144, 1242768, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01060   464   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242776,  (0x40110080, {24, 0, 0x40, 0, 1242776, "\??\C:\WINDOWS\System32\rvrhcewq.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01061   464   NtClose  (-2147482020, ... ) == 0x0
 01060   464   NtCreateFile  ... 140, {status=0x0, info=2}, ) == 0x0
 01062   464   NtQueryVolumeInformationFile  (140, 1242148, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01063   464   NtQueryInformationFile  (140, 1242108, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01064   464   NtQueryVolumeInformationFile  (144, 1242148, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01065   464   NtQueryVolumeInformationFile  (144, 1241832, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01066   464   NtSetInformationFile  (140, 1241936, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01067   464   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 144, ... 148, ) == 0x0
 01068   464   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9f0000), {0, 0}, 192512, ) == 0x0
 01069   464   NtClose  (148, ... ) == 0x0
 01070   464   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211\3504\210\315\211Z\333\315\211Z\333\315\211Z\333N\225T\333\317\211Z\333%\226^\333\317\211Z\333\315\211Z\333\313\211Z\333\315\211[\333\257\211Z\333\257\226I\333\304\211Z\333%\226Q\333\307\211Z\333Rich\315\211Z\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0]'\323@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0P1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01071   464   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "]Pr\37\235\311\244$\316\371\245\0-\207C\361\276\355\222\26\252;\347K\220-\205!\275\23\326\2746\322j,\342\335\256\14^\17\247\255\264\337\245\37\204\357\350\277\224\350\271I\6\277\14M\265t\315\260\2469\217/\336iMG\224\213)%\25\313\216\14p}\15\31&\311\242\303\26>\305Hm\230\234\0\217\231\375)\274]\231X\236\177\256x\232c5\20\262w\375\326!?\205-\265[7p\325u\251#\270\20v\220\342T\361#\16t\205\7\262\226R\252\32z%\240\246\373P<\246[\203x\326\204\340@\336\335\2642\265W\275\260\261i\267F\216+\345%\245i+2v\233\2404\244n#@\260\33\2637^E\225@\206\305\245\300\244;\275\20\\22r\205\312b\361\324n~}\2\212\315\211:R\253\231j_^\276\211]\20\313X\335\314\321\261n\351\220\362\207\222\205\10\227\270\335\10\357qa\341\312Za \224C\1\274t3\347`BJ\366\342\32\361M^\236\234\302\262\312x6(\231\12\24<\367G\246\260zSs0w]\321\25\225\\211\310\266t\361\37\301\314\325;\246\335\225\12\323j\225\271\334}\305\21\204\277\2579\226H\221J0\311.\25\200\320\341(\217L\235\11\6x\25\31\214X\25\11\6@\231\1\6x\25\35\210\342\317\256\4D\245!\6\362\341*\264x\307\246\4R\241%\326\325\305&\260|\305\16\326U\255)\326U\305\16\274p\305\6\326U\251-\276\302\317\6\270t\207d\236\277\2651\226?\207d\244h\217\344\224?\2615=\277\215\344\240l\214\220\237\313\2759B$\224\220\254T?$\231R\314\33\206c\355\246\\222\206I\202\242znfZ\323r(\360\20TGJ\32\265\271{\375\245\251\341\325\17\236\22\312\300\206\0]\362\251\257D\341\224\226_R0q\322\220", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01072   464   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\213\17\335v\233\336o\240vn\211\364\232<\225A\206\37\245\255\375\310D\202\232a)\243\234\200\324\225\372\13\272\37\340P\272P5\3232\7(Q\17\226\260Y%\337M\323\276\250\335[\250w\243\6qf\322\253\255`\235\354\2129\264\357\373\231\227\360\224U\312+\313\266z\370]\334\1Z\362\242\36\224f\227\276\345%\300\236\202]\367\203\220\323\313\270\273aR\230J\230\266\273[\210\7\242\247\304\210\321\252\305\216\204\237\17ja\20 \332\pv\207\31#\366\254'&\220\231\277\210\234FcW\6B"n\362\17\21a\235\353\266i\277\22\236\331\226\332%\34\357\24\138\231\13\372G\326\262\3\335\205\234rO\235Q\303\224\367\30~\267\2532\237\310\363\306QJ\32\10\231w\214\311\367\260\10\301$J7\342\26\203[K\216\23\227\5\273w&\347\341)\261\252p\270\216\1\226\22\2001\4C\365_\327\232C}\350\255d\3G\373\247\311M\326\325\241\264C\312\277\321$l_\204\371\3\352C_\235*L\250\271\34\266\177\266\227\232B\2\321\1\345C\22\360z\244\24\232\246\37\305\232v\23\221+\314\247\172\3303dJN\347\5\6\331\244\263_\203\202v\265Y\34\207\346\262K\207w\2\22\226H}3\343g\312#\22Y\2539J\273\335\372\220K\376D6rc\276^\354\316\16M\347\310\\237;\235\200\325\37\311\6\342\22\202@:3\355S.\332\221\246\200\343\316\300\363\350\324%\306\360Y`\21J\22,\351G\354B\35\207\25\347\274j\311\230x[\246\227(\354\2038\33\347\337T\322\221\221T\243*\10\315S\3\254\226[\331Gd^))\267;\341\232\226/\341\20\376\260\4@W\351\314\313\373Q\203\353HD\321\3662\333=K\331\352Q1"c\363K&7\310\267y]\2041\247\333\211\274", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) n\362\17\21a\235\353\266i\277\22\236\331\226\332%\34\357\24\138\231\13\372G\326\262\3\335\205\234rO\235Q\303\224\367\30~\267\2532\237\310\363\306QJ\32\10\231w\214\311\367\260\10\301$J7\342\26\203[K\216\23\227\5\273w&\347\341)\261\252p\270\216\1\226\22\2001\4C\365_\327\232C}\350\255d\3G\373\247\311M\326\325\241\264C\312\277\321$l_\204\371\3\352C_\235*L\250\271\34\266\177\266\227\232B\2\321\1\345C\22\360z\244\24\232\246\37\305\232v\23\221+\314\247\172\3303dJN\347\5\6\331\244\263_\203\202v\265Y\34\207\346\262K\207w\2\22\226H}3\343g\312#\22Y\2539J\273\335\372\220K\376D6rc\276^\354\316\16M\347\310\\237;\235\200\325\37\311\6\342\22\202@:3\355S.\332\221\246\200\343\316\300\363\350\324%\306\360Y`\21J\22,\351G\354B\35\207\25\347\274j\311\230x[\246\227(\354\2038\33\347\337T\322\221\221T\243*\10\315S\3\254\226[\331Gd^))\267;\341\232\226/\341\20\376\260\4@W\351\314\313\373Q\203\353HD\321\3662\333=K\331\352Q1 (140, 0, 0, 0, "\213\17\335v\233\336o\240vn\211\364\232<\225A\206\37\245\255\375\310D\202\232a)\243\234\200\324\225\372\13\272\37\340P\272P5\3232\7(Q\17\226\260Y%\337M\323\276\250\335[\250w\243\6qf\322\253\255`\235\354\2129\264\357\373\231\227\360\224U\312+\313\266z\370]\334\1Z\362\242\36\224f\227\276\345%\300\236\202]\367\203\220\323\313\270\273aR\230J\230\266\273[\210\7\242\247\304\210\321\252\305\216\204\237\17ja\20 \332\pv\207\31#\366\254'&\220\231\277\210\234FcW\6B"n\362\17\21a\235\353\266i\277\22\236\331\226\332%\34\357\24\138\231\13\372G\326\262\3\335\205\234rO\235Q\303\224\367\30~\267\2532\237\310\363\306QJ\32\10\231w\214\311\367\260\10\301$J7\342\26\203[K\216\23\227\5\273w&\347\341)\261\252p\270\216\1\226\22\2001\4C\365_\327\232C}\350\255d\3G\373\247\311M\326\325\241\264C\312\277\321$l_\204\371\3\352C_\235*L\250\271\34\266\177\266\227\232B\2\321\1\345C\22\360z\244\24\232\246\37\305\232v\23\221+\314\247\172\3303dJN\347\5\6\331\244\263_\203\202v\265Y\34\207\346\262K\207w\2\22\226H}3\343g\312#\22Y\2539J\273\335\372\220K\376D6rc\276^\354\316\16M\347\310\\237;\235\200\325\37\311\6\342\22\202@:3\355S.\332\221\246\200\343\316\300\363\350\324%\306\360Y`\21J\22,\351G\354B\35\207\25\347\274j\311\230x[\246\227(\354\2038\33\347\337T\322\221\221T\243*\10\315S\3\254\226[\331Gd^))\267;\341\232\226/\341\20\376\260\4@W\351\314\313\373Q\203\353HD\321\3662\333=K\331\352Q1"c\363K&7\310\267y]\2041\247\333\211\274", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01073   464   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\2260\35\252\302\272au\207<\207\2721W\235\4\216\322\255t\210(\324\30\307[\245$\216Z=\231\246-\0-\246{\7\330-.\330!\222\\255\3\206w\267\4f=kM\3064\353o\241\203\266\307\332\206\264\14\232\321\232[`\15\220\211k']\326Yr\\224\5\204\276\177\3466\367\272{\30$\202\357\303+\360\300^\\340s\251\313\222_\340\30v\231H\236\253\265TC\1V\223\203\211J\222GK\273Y0\15Z\2100z_\275\314k\33\334\2>\177\245\314\266\355\205\216\326\263\206\320\266\7=, 5372, 0x0, 0, ... {status=0x0, info=5372}, ) , 5372, 0x0, 0, ... {status=0x0, info=5372}, ) == 0x0
 01074   464   NtUnmapViewOfSection  (-1, 0x9f0000, ... ) == 0x0
 01075   464   NtSetInformationFile  (140, 1244380, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01076   464   NtClose  (144, ... ) == 0x0
 01077   464   NtClose  (140, ... ) == 0x0
 01078   464   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01079   464   NtSetValueKey  (140,  (140, "System Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0v\0r\0h\0c\0e\0w\0q\0.\0e\0x\0e\0\0\0", 66, ... , 0, 1,  (140, "System Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0v\0r\0h\0c\0e\0w\0q\0.\0e\0x\0e\0\0\0", 66, ... , 66, ...
 01080   464   NtSetInformationFile  (-2147482808, -130644172, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01081   464   NtSetInformationFile  (-2147482808, -130644264, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01079   464   NtSetValueKey  ... ) == 0x0
 01082   464   NtClose  (140, ... ) == 0x0
 01083   464   NtClose  (100, ... ) == 0x0
 01084   464   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01085   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rvrhcewq.exe"}, 1241012, ... ) }, 1241012, ... ) == 0x0
 01086   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rvrhcewq.exe"}, 1241704, ... ) }, 1241704, ... ) == 0x0
 01087   464   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rvrhcewq.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01088   464   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 100, ... 140, ) == 0x0
 01089   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01090   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 144, ) }, ... 144, ) == 0x0
 01091   464   NtQueryValueKey  (144,  (144, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   464   NtClose  (144, ... ) == 0x0
 01093   464   NtQueryVolumeInformationFile  (100, 1241012, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01094   464   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 144, ) }, ... 144, ) == 0x0
 01095   464   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01096   464   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 148, ) }, ... 148, ) == 0x0
 01097   464   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9f0000), {0, 0}, 57344, ) == 0x0
 01098   464   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01099   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238996, ... ) }, 1238996, ... ) == 0x0
 01100   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01101   464   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 152, ... 156, ) == 0x0
 01102   464   NtClose  (152, ... ) == 0x0
 01103   464   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 106496, ) == 0x0
 01104   464   NtClose  (156, ... ) == 0x0
 01105   464   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01106   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239312, ... ) }, 1239312, ... ) == 0x0
 01107   464   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01108   464   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 152, ) == 0x0
 01109   464   NtQuerySection  (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01110   464   NtClose  (156, ... ) == 0x0
 01111   464   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01112   464   NtClose  (152, ... ) == 0x0
 01113   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01114   464   NtQueryInformationFile  (152, 1239600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01115   464   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 152, ... 156, ) == 0x0
 01116   464   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa00000), 0x0, 1028096, ) == 0x0
 01117   464   NtQueryInformationFile  (152, 1239696, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01118   464   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119   464   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01120   464   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01121   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01122   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1237260, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237260, 616, BothDirectory, 1, "rvrhcewq.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01123   464   NtClose  (160, ... ) == 0x0
 01124   464   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01125   464   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01126   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rvrhcewq.exe"}, 1236648, ... ) }, 1236648, ... ) == 0x0
 01127   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01128   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01129   464   NtClose  (160, ... ) == 0x0
 01130   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01131   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01132   464   NtClose  (160, ... ) == 0x0
 01133   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01134   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "rvrhcewq.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01135   464   NtClose  (160, ... ) == 0x0
 01136   464   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01137   464   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01138   464   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01139   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01140   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01141   464   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01142   464   NtClose  (160, ... ) == 0x0
 01143   464   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01144   464   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\rvrhcewq.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   464   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01146   464   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01147   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rvrhcewq.exe"}, 1238928, ... ) }, 1238928, ... ) == 0x0
 01148   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01149   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01150   464   NtClose  (160, ... ) == 0x0
 01151   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01152   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01153   464   NtClose  (160, ... ) == 0x0
 01154   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01155   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "rvrhcewq.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01156   464   NtClose  (160, ... ) == 0x0
 01157   464   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01158   464   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01159   464   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01160   464   NtQueryVolumeInformationFile  (100, 1239572, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01161   464   NtQueryInformationFile  (100, 1239552, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01162   464   NtQueryInformationFile  (100, 1239592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01163   464   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01164   464   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01165   464   NtClose  (156, ... ) == 0x0
 01166   464   NtClose  (152, ... ) == 0x0
 01167   464   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01168   464   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rvrhcewq.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   464   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01170   464   NtOpenProcessToken  (-1, 0xa, ... 152, ) == 0x0
 01171   464   NtQueryInformationToken  (152, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01172   464   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01174   464   NtQueryValueKey  (156,  (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01175   464   NtQueryValueKey  (156,  (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01176   464   NtClose  (156, ... ) == 0x0
 01177   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01178   464   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01179   464   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01180   464   NtClose  (156, ... ) == 0x0
 01181   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01182   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01183   464   NtQueryValueKey  (156,  (156, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   464   NtClose  (156, ... ) == 0x0
 01185   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01186   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01187   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01188   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01189   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01190   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01191   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01192   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01193   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01194   464   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01195   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 156, ) }, ... 156, ) == 0x0
 01196   464   NtEnumerateKey  (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01197   464   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 160, ) }, ... 160, ) == 0x0
 01198   464   NtQueryValueKey  (160,  (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01199   464   NtQueryValueKey  (160,  (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01200   464   NtClose  (160, ... ) == 0x0
 01201   464   NtEnumerateKey  (156, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01202   464   NtClose  (156, ... ) == 0x0
 01203   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01205   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01206   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01210   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01216   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01218   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01219   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01220   464   NtClose  (156, ... ) == 0x0
 01221   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01223   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01224   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01225   464   NtClose  (156, ... ) == 0x0
 01226   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01228   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01229   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01230   464   NtClose  (156, ... ) == 0x0
 01231   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01232   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01233   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01234   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01235   464   NtClose  (156, ... ) == 0x0
 01236   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01238   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01239   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01240   464   NtClose  (156, ... ) == 0x0
 01241   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01242   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01243   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01244   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01245   464   NtClose  (156, ... ) == 0x0
 01246   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01248   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01249   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01250   464   NtClose  (156, ... ) == 0x0
 01251   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01253   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01254   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01255   464   NtClose  (156, ... ) == 0x0
 01256   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01258   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01259   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01260   464   NtClose  (156, ... ) == 0x0
 01261   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01262   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01263   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01264   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01265   464   NtClose  (156, ... ) == 0x0
 01266   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01268   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01269   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01270   464   NtClose  (156, ... ) == 0x0
 01271   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01273   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01274   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01275   464   NtClose  (156, ... ) == 0x0
 01276   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01277   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01278   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01279   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01280   464   NtClose  (156, ... ) == 0x0
 01281   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01283   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01284   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01285   464   NtClose  (156, ... ) == 0x0
 01286   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01287   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01288   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01289   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01290   464   NtClose  (156, ... ) == 0x0
 01291   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01292   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01293   464   NtQueryValueKey  (156,  (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01294   464   NtClose  (156, ... ) == 0x0
 01295   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01296   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01297   464   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01298   464   NtClose  (156, ... ) == 0x0
 01299   464   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   464   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01301   464   NtOpenProcessToken  (-1, 0xa, ... 156, ) == 0x0
 01302   464   NtDuplicateToken  (156, 0xc, {24, 0, 0x0, 0, 1240904, 0x0}, 0, 2, ... 160, ) == 0x0
 01303   464   NtClose  (156, ... ) == 0x0
 01304   464   NtAccessCheck  (1378880, 160, 0x1, 1241032, 1240976, 56, 1241060, ... (0x1), ) == 0x0
 01305   464   NtClose  (160, ... ) == 0x0
 01306   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 160, ) }, ... 160, ) == 0x0
 01307   464   NtQueryValueKey  (160,  (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01308   464   NtClose  (160, ... ) == 0x0
 01309   464   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 160, ) }, ... 160, ) == 0x0
 01310   464   NtQuerySymbolicLinkObject  (160, ...  (160, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01311   464   NtClose  (160, ... ) == 0x0
 01312   464   NtQueryInformationFile  (100, 1239364, 528, Name, ... {status=0x0, info=64}, ) == 0x0
 01313   464   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01314   464   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01315   464   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rvrhcewq.exe"}, 1238044, ... ) }, 1238044, ... ) == 0x0
 01316   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01317   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01318   464   NtClose  (160, ... ) == 0x0
 01319   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01320   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01321   464   NtClose  (160, ... ) == 0x0
 01322   464   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01323   464   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "rvrhcewq.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01324   464   NtClose  (160, ... ) == 0x0
 01325   464   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01326   464   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01327   464   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01328   464   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01329   464   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01330   464   NtClose  (160, ... ) == 0x0
 01331   464   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 160, ) }, ... 160, ) == 0x0
 01332   464   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0
 01333   464   NtClose  (160, ... ) == 0x0
 01334   464   NtQueryValueKey  (156,  (156, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01335   464   NtQueryValueKey  (156,  (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01336   464   NtClose  (156, ... ) == 0x0
 01337   464   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10485760, 4096, ) == 0x0
 01338   464   NtAllocateVirtualMemory  (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0
 01339   464   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01340   464   NtQueryValueKey  (156,  (156, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01341   464   NtClose  (156, ... ) == 0x0
 01342   464   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01343   464   NtQueryInformationToken  (152, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01344   464   NtQueryInformationToken  (152, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01345   464   NtClose  (152, ... ) == 0x0
 01346   464   NtCreateProcessEx  (1243640, 2035711, 0, -1, 0, 140, 0, 0, 0, ... ) == 0x0
 01347   464   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=860,ParentPid=460,}, 0x0, ) == 0x0
 01348   464   NtReadVirtualMemory  (152, 0x7ffdf008, 4, ...  (152, 0x7ffdf008, 4, ... "\0\0P1", 0x0, ) , 0x0, ) == 0x0
 01349   464   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rvrhcewq.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01350   464   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01351   464   NtReadVirtualMemory  (152, 0x31500000, 4096, ...  (152, 0x31500000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211\3504\210\315\211Z\333\315\211Z\333\315\211Z\333N\225T\333\317\211Z\333%\226^\333\317\211Z\333\315\211Z\333\313\211Z\333\315\211[\333\257\211Z\333\257\226I\333\304\211Z\333%\226Q\333\307\211Z\333Rich\315\211Z\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0]'\323@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0P1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 01352   464   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01353   464   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=860,ParentPid=460,}, 0x0, ) == 0x0
 01354   464   NtAllocateVirtualMemory  (-1, 0, 0, 1672, 4096, 4, ... 10551296, 4096, ) == 0x0
 01355   464   NtAllocateVirtualMemory  (152, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01356   464   NtWriteVirtualMemory  (152, 0x10000,  (152, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01357   464   NtAllocateVirtualMemory  (152, 0, 0, 1672, 4096, 4, ... 131072, 4096, ) == 0x0
 01358   464   NtWriteVirtualMemory  (152, 0x20000,  (152, 0x20000, "\0\20\0\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0@\0B\0\230\5\0\0@\0B\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0@\0B\0 \6\0\0\36\0 \0d\6\0\0\0\0\2\0\204\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1672, ... 0x0, ) , 1672, ... 0x0, ) == 0x0
 01359   464   NtWriteVirtualMemory  (152, 0x7ffdf010,  (152, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01360   464   NtWriteVirtualMemory  (152, 0x7ffdf1e8,  (152, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01361   464   NtFreeVirtualMemory  (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0
 01362   464   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01363   464   NtAllocateVirtualMemory  (152, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01364   464   NtProtectVirtualMemory  (152, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01365   464   NtCreateThread  (0x1f03ff, 0x0, 152, 1241904, 1242624, 1, ... 156, {860, 864}, ) == 0x0
 01366   464   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1344776, 1243724}  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1344776, 1243724} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0\\3\0\0`\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 460, 464, 1548, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0\\3\0\0`\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ... {168, 196, reply, 0, 460, 464, 1548, 0}  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1344776, 1243724} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0\\3\0\0`\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 460, 464, 1548, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0\\3\0\0`\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ) == 0x0
 01367   464   NtResumeThread  (156, ... 1, ) == 0x0
 01368   464   NtClose  (100, ... ) == 0x0
 01369   464   NtClose  (140, ... ) == 0x0
 01370   464   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=860,ParentPid=460,}, 0x0, ) == 0x0
 01371   464   NtUserWaitForInputIdle  (860, 30000, 0, ...
 01372   464   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 01373   464   NtClose  (140, ... ) == 0x0
 01371   464   NtUserWaitForInputIdle  ... ) == 0x0
 01374   464   NtClose  (152, ... ) == 0x0
 01375   464   NtClose  (156, ... ) == 0x0
 01376   464   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 01377   464   NtTerminateProcess  (0, 0, ... ) == 0x0
 01378   464   NtQueryVirtualMemory  (-1, 0x897664, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01379   464   NtQueryVirtualMemory  (-1, 0x897f70, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01380   464   NtQueryVirtualMemory  (-1, 0x86d838, Basic, 28, ... {BaseAddress=0x86d000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01381   464   NtGdiDeleteObjectApp  (252314709, ... ) == 0x1
 01382   464   NtGdiDeleteObjectApp  (168428630, ... ) == 0x1
 01383   464   NtGdiDeleteObjectApp  (185205847, ... ) == 0x1
 01384   464   NtUserDestroyCursor  (65721, 1, ... ) == 0x1
 01385   464   NtUserDestroyCursor  (65719, 1, ... ) == 0x1
 01386   464   NtUserDestroyCursor  (65717, 1, ... ) == 0x1
 01387   464   NtUserDestroyCursor  (65715, 1, ... ) == 0x1
 01388   464   NtUserDestroyCursor  (65713, 1, ... ) == 0x1
 01389   464   NtUserDestroyCursor  (65711, 1, ... ) == 0x1
 01390   464   NtUserDestroyCursor  (65709, 1, ... ) == 0x1
 01391   464   NtUserFindExistingCursorIcon  (1243476, 1243492, 1244060, ... ) == 0x10011
 01392   464   NtDeleteAtom  (49180, ... ) == 0x0
 01393   464   NtDeleteAtom  (49181, ... ) == 0x0
 01394   464   NtGdiDeleteObjectApp  (101188692, ... ) == 0x1
 01395   464   NtClose  (96, ... ) == 0x0
 01396   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01397   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03b
 01398   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01399   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03d
 01400   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01401   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03f
 01402   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01403   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc041
 01404   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01405   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc043
 01406   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01407   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc045
 01408   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01409   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc047
 01410   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01411   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc049
 01412   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01413   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04b
 01414   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01415   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04d
 01416   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01417   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04f
 01418   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01419   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc051
 01420   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01421   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc053
 01422   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01423   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc057
 01424   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01425   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc059
 01426   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01427   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05b
 01428   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01429   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05d
 01430   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01431   464   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05f
 01432   464   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01433   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03b
 01434   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01435   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03d
 01436   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01437   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03f
 01438   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01439   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc041
 01440   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01441   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc043
 01442   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01443   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc045
 01444   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01445   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc047
 01446   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01447   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc049
 01448   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01449   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04b
 01450   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01451   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04d
 01452   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01453   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04f
 01454   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01455   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc051
 01456   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01457   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc053
 01458   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01459   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc057
 01460   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01461   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc059
 01462   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01463   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05b
 01464   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01465   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05d
 01466   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01467   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05f
 01468   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01469   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc017
 01470   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01471   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc019
 01472   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01473   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc018
 01474   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01475   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01a
 01476   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01477   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01c
 01478   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01479   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01e
 01480   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01481   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01b
 01482   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01483   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc068
 01484   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01485   464   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc06a
 01486   464   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01487   464   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01488   464   NtClose  (76, ... ) == 0x0
 01489   464   NtClose  (64, ... ) == 0x0
 01490   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01491   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01492   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01493   464   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01494   464   NtFreeVirtualMemory  (-1, (0xa00000), 4096, 32768, ... (0xa00000), 4096, ) == 0x0
 01495   464   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 460, 464, 1593, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 460, 464, 1593, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 460, 464, 1593, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01496   464   NtTerminateProcess  (-1, 0, ...
 01497   464   NtClose  (44, ... ) == 0x0
NtAdjustPrivilegesToken(>)	1	NtDeleteAtom(>)	2	NtGdiBitBlt(>)	7	NtQueryInformationProcess(>)	15
NtCallbackReturn(>)	1	NtEnumerateKey(>)	2	NtGdiCreateDIBitmapInternal(>)	7	NtCreateSection(>)	17
NtCreateMutant(>)	1	NtGdiCreateSolidBrush(>)	2	NtGdiGetDCObject(>)	7	NtGdiDeleteObjectApp(>)	18
NtCreateProcessEx(>)	1	NtOpenDirectoryObject(>)	2	NtGdiGetDCforBitmap(>)	7	NtReadFile(>)	19
NtCreateThread(>)	1	NtOpenEvent(>)	2	NtGdiGetStockObject(>)	7	NtContinue(>)	20
NtDelayExecution(>)	1	NtOpenSymbolicLinkObject(>)	2	NtGdiRestoreDC(>)	7	NtQuerySystemInformation(>)	20
NtDuplicateToken(>)	1	NtQueryInstallUILanguage(>)	2	NtGdiSaveDC(>)	7	NtUserCallOneParam(>)	20
NtEnumerateValueKey(>)	1	NtQuerySymbolicLinkObject(>)	2	NtGdiSetDIBitsToDeviceInternal(>)	7	NtWaitForSingleObject(>)	21
NtGdiCreatePaletteInternal(>)	1	NtReadVirtualMemory(>)	2	NtOpenProcessToken(>)	7	NtFlushInstructionCache(>)	23
NtGdiInit(>)	1	NtTerminateProcess(>)	2	NtUserDestroyCursor(>)	7	NtWriteFile(>)	23
NtGdiQueryFontAssocInfo(>)	1	NtUserWaitForInputIdle(>)	2	NtUserSetCursorIconData(>)	7	NtOpenProcessTokenEx(>)	24
NtNotifyChangeKey(>)	1	NtAddAtom(>)	3	NtGdiCreateBitmap(>)	8	NtOpenThreadTokenEx(>)	24
NtOpenKeyedEvent(>)	1	NtCreateSemaphore(>)	3	NtQuerySection(>)	8	NtOpenSection(>)	25
NtOpenProcess(>)	1	NtDuplicateObject(>)	3	NtRequestWaitReplyPort(>)	8	NtOpenFile(>)	30
NtQueryInformationJobObject(>)	1	NtFreeVirtualMemory(>)	3	NtSetInformationThread(>)	8	NtQueryAttributesFile(>)	31
NtQueryObject(>)	1	NtGdiHfontCreate(>)	3	NtQueryDebugFilterState(>)	9	NtQueryInformationToken(>)	31
NtQuerySystemTime(>)	1	NtOpenMutant(>)	3	NtSetInformationFile(>)	9	NtMapViewOfSection(>)	37
NtRegisterThreadTerminatePort(>)	1	NtSetInformationObject(>)	3	NtCreateEvent(>)	10	NtReleaseMutant(>)	40
NtResumeThread(>)	1	NtFsControlFile(>)	4	NtGdiCreateCompatibleDC(>)	10	NtAllocateVirtualMemory(>)	41
NtSecureConnectPort(>)	1	NtOpenThreadToken(>)	4	NtGdiExtGetObjectW(>)	10	NtProtectVirtualMemory(>)	45
NtTestAlert(>)	1	NtSetValueKey(>)	4	NtQueryDirectoryFile(>)	10	NtUserUnregisterClass(>)	45
NtUserCallNoParam(>)	1	NtWriteVirtualMemory(>)	4	NtCreateFile(>)	11	NtQueryValueKey(>)	50
NtUserEnumDisplayMonitors(>)	1	NtUserRegisterWindowMessage(>)	5	NtUserGetDC(>)	11	NtGdiSelectBitmap(>)	57
NtUserGetKeyboardLayoutList(>)	1	NtCreateKey(>)	6	NtUnmapViewOfSection(>)	12	NtUserRegisterClassExWOW(>)	63
NtUserGetThreadDesktop(>)	1	NtQueryDefaultUILanguage(>)	6	NtQueryDefaultLocale(>)	13	NtUserGetClassInfo(>)	64
NtUserSetWindowsHookEx(>)	1	NtQueryVirtualMemory(>)	6	NtQueryInformationFile(>)	13	NtUserFindExistingCursorIcon(>)	72
NtAccessCheck(>)	2	NtQueryVolumeInformationFile(>)	6	NtUserSystemParametersInfo(>)	13	NtOpenKey(>)	111
NtCreateIoCompletion(>)	2	NtSetInformationProcess(>)	6	NtUserSelectPalette(>)	14	NtClose(>)	164