Summary:





NtAccessCheck(>)  1 
NtEnumerateKey(>)  2 
NtGdiRestoreDC(>)  7 
NtRegisterThreadTerminatePort(>)  26 


NtConnectPort(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiSaveDC(>)  7 
NtResumeThread(>)  26 


NtCreateMutant(>)  1 
NtQueryInformationJobObject(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtTestAlert(>)  26 


NtCreateProcessEx(>)  1 
NtQueryInstallUILanguage(>)  2 
NtOpenThreadToken(>)  7 
NtOpenSection(>)  28 


NtDuplicateToken(>)  1 
NtUserCloseWindowStation(>)  2 
NtUserSetCursorIconData(>)  7 
NtQueryInformationProcess(>)  28 


NtGdiCreatePaletteInternal(>)  1 
NtCallbackReturn(>)  3 
NtUserSystemParametersInfo(>)  7 
NtWriteFile(>)  28 


NtGdiInit(>)  1 
NtCreateKey(>)  3 
NtGdiCreateBitmap(>)  8 
NtQuerySystemInformation(>)  32 


NtGdiQueryFontAssocInfo(>)  1 
NtGdiHfontCreate(>)  3 
NtGdiCreateCompatibleDC(>)  10 
NtCreateEvent(>)  34 


NtNotifyChangeKey(>)  1 
NtOpenDirectoryObject(>)  3 
NtGdiExtGetObjectW(>)  10 
NtOpenFile(>)  34 


NtOpenEvent(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtUserGetDC(>)  10 
NtQueryInformationToken(>)  34 


NtOpenKeyedEvent(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtQueryInformationFile(>)  11 
NtUserRegisterClassExWOW(>)  34 


NtOpenProcess(>)  1 
NtReadVirtualMemory(>)  3 
NtFlushInstructionCache(>)  12 
NtSetInformationThread(>)  35 


NtQueryDebugFilterState(>)  1 
NtSetInformationObject(>)  3 
NtQuerySection(>)  12 
NtRequestWaitReplyPort(>)  37 


NtQueryKey(>)  1 
NtDuplicateObject(>)  4 
NtGdiDeleteObjectApp(>)  14 
NtReleaseMutant(>)  41 


NtQueryObject(>)  1 
NtOpenMutant(>)  4 
NtUserSelectPalette(>)  14 
NtQueryDefaultLocale(>)  45 


NtQuerySystemTime(>)  1 
NtQueryVirtualMemory(>)  4 
NtQueryDirectoryFile(>)  16 
NtUserFindExistingCursorIcon(>)  47 


NtQueryTimerResolution(>)  1 
NtWriteVirtualMemory(>)  4 
NtSetInformationProcess(>)  18 
NtContinue(>)  48 


NtRaiseException(>)  1 
NtCreateSemaphore(>)  5 
NtUnmapViewOfSection(>)  18 
NtMapViewOfSection(>)  49 


NtSecureConnectPort(>)  1 
NtUserRegisterWindowMessage(>)  5 
NtUserGetClassInfo(>)  18 
NtQueryAttributesFile(>)  56 


NtUserCallNoParam(>)  1 
NtOpenProcessToken(>)  6 
NtUserCallOneParam(>)  19 
NtGdiSelectBitmap(>)  57 


NtUserEnumDisplayMonitors(>)  1 
NtQueryDefaultUILanguage(>)  6 
NtCreateFile(>)  21 
NtProtectVirtualMemory(>)  58 


NtUserGetForegroundWindow(>)  1 
NtQueryVolumeInformationFile(>)  6 
NtFreeVirtualMemory(>)  21 
NtSetEvent(>)  86 


NtUserGetKeyboardLayoutList(>)  1 
NtSetInformationFile(>)  6 
NtReadFile(>)  23 
NtQueryValueKey(>)  104 


NtUserGetThreadDesktop(>)  1 
NtFsControlFile(>)  7 
NtWaitForMultipleObjects(>)  23 
NtOpenKey(>)  111 


NtUserOpenWindowStation(>)  1 
NtGdiBitBlt(>)  7 
NtCreateSection(>)  25 
NtWaitForSingleObject(>)  136 


NtUserQueryWindow(>)  1 
NtGdiCreateDIBitmapInternal(>)  7 
NtOpenProcessTokenEx(>)  25 
NtUserFindWindowEx(>)  161 


NtUserSetWindowsHookEx(>)  1 
NtGdiGetDCObject(>)  7 
NtOpenThreadTokenEx(>)  25 
NtAllocateVirtualMemory(>)  170 


NtAddAtom(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtQueryInformationThread(>)  25 
NtClose(>)  176 


NtCreateIoCompletion(>)  2 
NtGdiGetStockObject(>)  7 
NtCreateThread(>)  26 
NtDelayExecution(>)  718 





Trace:

 00001   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   444   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   444   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   444   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   444   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   444   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   444   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   444   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   444   NtClose  (12, ... ) == 0x0
 00014   444   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   444   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   444   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   444   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   444   NtClose  (16, ... ) == 0x0
 00021   444   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   444   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   444   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   444   NtClose  (16, ... ) == 0x0
 00026   444   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   444   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   444   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   444   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 436, 444, 1477, 0} " \214\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ... {28, 56, reply, 0, 436, 444, 1477, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 436, 444, 1477, 0} " \214\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ) == 0x0
 00032   444   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   444   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   444   NtClose  (16, ... ) == 0x0
 00036   444   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   444   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   444   NtClose  (28, ... ) == 0x0
 00041   444   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   444   NtClose  (28, ... ) == 0x0
 00045   444   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   444   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   444   NtClose  (28, ... ) == 0x0
 00049   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   444   NtClose  (28, ... ) == 0x0
 00052   444   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 436, 444, 1479, 0} "\220\270\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ... {28, 56, reply, 0, 436, 444, 1479, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 436, 444, 1479, 0} "\220\270\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ) == 0x0
 00056   444   NtProtectVirtualMemory  (-1, (0x4df000), 4096, 4, ... (0x4df000), 4096, 8, ) == 0x0
 00057   444   NtProtectVirtualMemory  (-1, (0x4df000), 4096, 8, ... (0x4df000), 4096, 4, ) == 0x0
 00058   444   NtFlushInstructionCache  (-1, 5107712, 4096, ... ) == 0x0
 00059   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00061   444   NtClose  (28, ... ) == 0x0
 00062   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   444   NtClose  (28, ... ) == 0x0
 00065   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00067   444   NtClose  (28, ... ) == 0x0
 00068   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00070   444   NtClose  (28, ... ) == 0x0
 00071   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00072   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00073   444   NtClose  (28, ... ) == 0x0
 00074   444   NtProtectVirtualMemory  (-1, (0x4df000), 4096, 4, ... (0x4df000), 4096, 4, ) == 0x0
 00075   444   NtProtectVirtualMemory  (-1, (0x4df000), 4096, 4, ... (0x4df000), 4096, 4, ) == 0x0
 00076   444   NtFlushInstructionCache  (-1, 5107712, 4096, ... ) == 0x0
 00077   444   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00078   444   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00079   444   NtClose  (28, ... ) == 0x0
 00080   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00081   444   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00082   444   NtClose  (28, ... ) == 0x0
 00083   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00084   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 436, 444, 1481, 0} "\10\1\30\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" )  ... {28, 56, reply, 0, 436, 444, 1481, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 436, 444, 1481, 0} "\10\1\30\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\35\1$\1\0\0" )  ) == 0x0
 00085   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00086   444   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x5e0000), 0x0, 1060864, ) == 0x0
 00087   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00088   444   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00089   444   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482032, ) == 0x0
 00090   444   NtQueryInformationToken  (-2147482032, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00091   444   NtQueryInformationToken  (-2147482032, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00092   444   NtClose  (-2147482032, ... ) == 0x0
 00093   444   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00094   444   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00095   444   NtDuplicateObject  (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0
 00096   444   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00097   444   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00098   444   NtClose  (-2147482032, ... ) == 0x0
 00099   444   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00100   444   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00101   444   NtClose  (-2147482032, ... ) == 0x0
 00102   444   NtQueryDefaultLocale  (0, -130840052, ... ) == 0x0
 00103   444   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00104   444   NtUserCallNoParam  (24, ... ) == 0x0
 00105   444   NtGdiCreateCompatibleDC  (0, ...
 00106   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00105   444   NtGdiCreateCompatibleDC  ... ) == 0x100103cf
 00107   444   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00108   444   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00109   444   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x3b050406
 00110   444   NtGdiCreateSolidBrush  (0, 0, ...
 00111   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 10420224, 4096, ) == 0x0
 00110   444   NtGdiCreateSolidBrush  ... ) == 0x19100407
 00112   444   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00113   444   NtGdiCreateCompatibleDC  (0, ... ) == 0x1b0103f2
 00114   444   NtGdiSelectBitmap  (453051378, 990184454, ... ) == 0x185000f
 00115   444   NtUserGetThreadDesktop  (444, 0, ... ) == 0x28
 00116   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0
 00117   444   NtQueryValueKey  (48,  (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00118   444   NtClose  (48, ... ) == 0x0
 00119   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00120   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00121   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00122   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00123   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00124   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00125   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00126   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00127   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00128   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00129   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00131   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00133   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ...
 00135   444   NtAllocateVirtualMemory  (-1, 7368704, 0, 4096, 4096, 32, ... 7368704, 4096, ) == 0x0
 00134   444   NtUserRegisterClassExWOW  ... ) == 0x810dc026
 00136   444   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00137   444   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00138   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00139   444   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00140   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00141   444   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00142   444   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00143   444   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00144   444   NtCallbackReturn  (0, 0, 0, ...
 00145   444   NtGdiInit  (... ) == 0x1
 00146   444   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00147   444   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00148   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0
 00149   444   NtQueryValueKey  (48,  (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00150   444   NtQueryValueKey  (48,  (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00151   444   NtClose  (48, ... ) == 0x0
 00152   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0
 00153   444   NtQueryValueKey  (48,  (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00154   444   NtClose  (48, ... ) == 0x0
 00155   444   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0
 00156   444   NtSetInformationObject  (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00157   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00158   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00159   444   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00160   444   NtClose  (52, ... ) == 0x0
 00161   444   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {436, 0}, ... 52, ) == 0x0
 00162   444   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00163   444   NtClose  (52, ... ) == 0x0
 00164   444   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00165   444   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00166   444   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00167   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00168   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 52, ) == 0x0
 00169   444   NtQueryInformationToken  (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00170   444   NtClose  (52, ... ) == 0x0
 00171   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0
 00172   444   NtSetInformationObject  (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00173   444   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00174   444   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175   444   NtClose  (56, ... ) == 0x0
 00176   444   NtUserSystemParametersInfo  (41, 500, 1243132, 0, ... ) == 0x1
 00177   444   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00178   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00179   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00180   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03b
 00181   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00182   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03d
 00183   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00184   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00185   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03f
 00186   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00187   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00188   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc041
 00189   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00190   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00191   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc043
 00192   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00193   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc045
 00194   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00195   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00196   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc047
 00197   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00198   444   NtUserFindExistingCursorIcon  (1242920, 1242936, 1243504, ... ) == 0x10011
 00199   444   NtUserRegisterClassExWOW  (1243372, 1243452, 1243436, 1243468, 0, 384, 0, ... ) == 0x810dc049
 00200   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00201   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00202   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04b
 00203   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00204   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00205   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04d
 00206   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00207   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00208   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04f
 00209   444   NtUserGetClassInfo  (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0x0
 00210   444   NtUserRegisterClassExWOW  (1243380, 1243460, 1243444, 1243476, 0, 384, 0, ... ) == 0x810dc051
 00211   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00212   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00213   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc053
 00214   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00215   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00216   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc055
 00217   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc057
 00218   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00219   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00220   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc059
 00221   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00222   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10013
 00223   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05b
 00224   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00225   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00226   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05d
 00227   444   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0
 00228   444   NtUserFindExistingCursorIcon  (1242924, 1242940, 1243508, ... ) == 0x10011
 00229   444   NtUserRegisterClassExWOW  (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05f
 00230   444   NtTestAlert  (... ) == 0x0
 00231   444   NtContinue  (1244464, 1, ...
 00232   444   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x5d6000,}, 4, ... ) == 0x0
 00233   444   NtOpenKey  (0x20019, {24, 52, 0x40, 0, 0,  (0x20019, {24, 52, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 56, ) }, ... 56, ) == 0x0
 00234   444   NtQueryValueKey  (56,  (56, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00235   444   NtClose  (56, ... ) == 0x0
 00236   444   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00237   444   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00238   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0
 00239   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00240   444   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 3, 1, 1, 1311160}  (24, {20, 48, new_msg, 0, 3, 1, 1, 1311160} "\0\0\0\0\2\0\1\0\\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 436, 444, 1492, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 436, 444, 1492, 0}  (24, {20, 48, new_msg, 0, 3, 1, 1, 1311160} "\0\0\0\0\2\0\1\0\\1\24\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 436, 444, 1492, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00241   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 60, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 60, {status=0x0, info=2}, ) == 0x0
 00242   444   NtClose  (60, ... ) == 0x0
 00243   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00244   444   NtClose  (-2147482032, ... ) == 0x0
 00243   444   NtCreateFile  ... 60, {status=0x0, info=3}, ) == 0x0
 00245   444   NtSetInformationFile  (56, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00246   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "l\2103\5#\322c\5%\322l\5\336-c\5\231\322c\5!\322c\5a\322y\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\320c\5\233\302c\13>fj\310\0jbI\354\363\363\225u\272\12v\1\242\21jF\240\2h\1\277\26vU\362\1`\1\240\26k\1\247\15aD\240CRH\274P7,\330G2!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5!\322c\5", ) , ) == 0x0
 00247   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00248   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "t\332U\31N\356.@N\240\32)\201\277\2\15\21\321\342\2\351\32\5\334C\22"\301\351\221\2539#\236\21\331\311#\11AK\2622\274%\311\37\372\7\20;x\244}mAzz\253\275\251\203\34\305GY3\4qD\10b@\320#\310]\355b\7\237\226N\37\242\20fW\324\3472\24\253\13P`\1b\311N_\272 )\311p\261\300"\353\213\356\177\205\277\205&U\343\307\366\331\24F\15\303A\3040\322i[|\256m=lC\2724|\311u\34\261B\273\220\232`3\17\215\305\350Tn\332\7\206\261\326k&\355\0O\215\21\24\30\27`\334\202\314\331\224KL\305\344x\32%\35\223c\361.\3276'\21\202\10\20P\2331\377\276!\263q\266\223]\37\344\261%\345\340$R\351V\253\252m\374\22U\310\226c- \16\343\21\242\350I\17Q\327f\31Jy\265\17\311\202\2619\7\242\315\15w\246\26\315dTv\217\374\37\217\15\347\322\4,\242\353\233\254\332\366\251\237c\221ZW;\2224\341\261\344R\10\252\223W\321\210{\256Yh\307f(\355\366\373\360a\3371\311qA\343\224\214@\215\331\270\3G\375\204\2576p\341Y>\301\352\213\365\352\255\21\313\303\215b\327Cq\334\202\221\31\320\4\277zT\220\7\6K\212\222a\246\226\327\350D\255\200\322\335hN\352\340}y\277S\216\225Y)]\14\366d\225^\32C[81H\2225-\234\17\15\252_\234\0\312\7\365\365C\33X\34\374\300\264\365\267\204\351 \11ou+\14\220UF\261\253\263?\220@\355X:h0Hd\207#\305\212l\14\374\17S\7#\262#\6\263\232\313\214c\212X7\5\211\204\321\365\201\300\12\245\303\321\4\315\315\322\27E\232\253\321&\269\271D{\204!*\331xd\247\36\345^\215"\276\12", ) \301\351\221\2539#\236\21\331\311#\11AK\2622\274%\311\37\372\7\20;x\244}mAzz\253\275\251\203\34\305GY3\4qD\10b@\320#\310]\355b\7\237\226N\37\242\20fW\324\3472\24\253\13P`\1b\311N_\272 )\311p\261\300 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "t\332U\31N\356.@N\240\32)\201\277\2\15\21\321\342\2\351\32\5\334C\22"\301\351\221\2539#\236\21\331\311#\11AK\2622\274%\311\37\372\7\20;x\244}mAzz\253\275\251\203\34\305GY3\4qD\10b@\320#\310]\355b\7\237\226N\37\242\20fW\324\3472\24\253\13P`\1b\311N_\272 )\311p\261\300"\353\213\356\177\205\277\205&U\343\307\366\331\24F\15\303A\3040\322i[|\256m=lC\2724|\311u\34\261B\273\220\232`3\17\215\305\350Tn\332\7\206\261\326k&\355\0O\215\21\24\30\27`\334\202\314\331\224KL\305\344x\32%\35\223c\361.\3276'\21\202\10\20P\2331\377\276!\263q\266\223]\37\344\261%\345\340$R\351V\253\252m\374\22U\310\226c- \16\343\21\242\350I\17Q\327f\31Jy\265\17\311\202\2619\7\242\315\15w\246\26\315dTv\217\374\37\217\15\347\322\4,\242\353\233\254\332\366\251\237c\221ZW;\2224\341\261\344R\10\252\223W\321\210{\256Yh\307f(\355\366\373\360a\3371\311qA\343\224\214@\215\331\270\3G\375\204\2576p\341Y>\301\352\213\365\352\255\21\313\303\215b\327Cq\334\202\221\31\320\4\277zT\220\7\6K\212\222a\246\226\327\350D\255\200\322\335hN\352\340}y\277S\216\225Y)]\14\366d\225^\32C[81H\2225-\234\17\15\252_\234\0\312\7\365\365C\33X\34\374\300\264\365\267\204\351 \11ou+\14\220UF\261\253\263?\220@\355X:h0Hd\207#\305\212l\14\374\17S\7#\262#\6\263\232\313\214c\212X7\5\211\204\321\365\201\300\12\245\303\321\4\315\315\322\27E\232\253\321&\269\271D{\204!*\331xd\247\36\345^\215"\276\12", ) \276\12", ) == 0x0
 00249   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00250   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\366\20h]\231\300vr\20\330oM\362\237\240\35kD/\345tw\321M!y\361\340\221W\324x9\226#\224\304B\6_E\216;\/\211\371\5s\231\0Qq\266Za:\260w3E\262\362\340\261\267\11$M\2722\223bD\21\11U\242O\30\350\262\250\177]\347\33E\13S\373F1\256y\304^W\367\230\272\262\4\25\217\242\330\366\30y5 3Zo<\12Vs\271&Y\345<\273\223\357\11\251\275#\326\336%I\273\11X$\15\33\2\27<\327\224\3306\213\233\266\253\271\164\1\330\276&X\226\326%1\322\224|\303\227\220w\275\217>w\0-\234f;%E)S\21\244\301\315\313T^\363$\331\343Na\212\240\16\263U6:*\242\240n\216\377\210\224\2356\253\252\25\32b\362 \374\233\22\305\224\2iRU\15\34\305Q0QS\247\6\4\17\321\353\1N'R\327\253\202uA1\320T\301\244\254\350r\32\343\252\217i\221'\15\335-!\262~\322k\210T\335\350y)\325R\305\253\334XO\335\247\324{\200\211\355Y+ \177\13\327\21\274\232h\247\201jzy\222\3746\222G\13 \353\233{\374w\4\0\14\26X\205\31\365lH%\211\230\307S6\346\252Ne\334\207U}\352\324(\263h\217fXI\204\321\200\215\353\300-\274z\372X;f\265X=\17\244\2110jM\256}\167\312\354\33,\353\227\350,,;\37\2415\274<\352.\324\5n\303{\36T>\216\350\27\320\322%\2669\253:\2417\274?\227\22\216\350;9\201\30\253\276y\224M\312!\300\263-\241\14\3315(p\321]\300?\252\355\320\1\241\355f\263|qd\206\360\235b\262. \234\250\213e)\25[\325\235\264S\331\24\10.m\252\6k\16\311\0\35\25\234\324\257\10\234G\304\Z\4", ) , ) == 0x0
 00251   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00252   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2679\236\260\241\5\317cr[\346\37R\351\260V\24\346\222^\334\24\24Gm\327\27t\336\6\214(r:\3\222\25\2\30\21n\177\215\225\251\374\245\253_\366;+\322\327\271F\374$\266P\370\24358\213\3701 \25a\313\245p<\274\250EWq)\210g\315\274V\365\241\12\14\222qB\2110\361t\200G\364t\3321'fR\2450\251^&\16iP\310\205\217Xo#\10RR\251\346\210\17<\331\24\263\327T\236\16nX6\3766\203&s\24\264\242l\21S\2074\346\216\25\211\4\252O\7+\222\341\37\245\331\233G\206\304\343~\24ds\34\357L\23\356&\366\267\355\22R\365q\242\220D$I\213#~\262\320\356\054\240\372\14\377\217KGs\364\365GuC\3614T\303\263\365\330\227\361\361\30s\245\3\202\323\323\14\13dF\335\237\14\5\32\202_*\15\363@\2021\245_=:\240\253\315\35\352_=\10\363E\200\2065,\215&\11Xrz\334\367\344 \336\303\343\340Oc\236)\250e\246:\320M)\344\255\277\213\343u\177\327\20s\365p_\361e\242\304w\315\305\216\361\243\201a,]\3219\177\35}r\310d\351as\30\22\337\12\266Xx\5\246>{\4\343\242\272\27\203\334\240[\36\323\221\201zUH\274t,\227\10\224$g\327\$&\373V\204\273\356\13\303O\337#\224\237\23\377\257P?\35\257he\265\313)\36/H\13J\260\226>\20)\366A\13 \316"\345AE\1\361bXq\25\325\210\305\263'\333\14\24\331"\317\592gP\17\333J/(\326\304\23)\202\17\256\235&p\1\352ZD\242c\324IM\311J\220<\370\234\326o\324\324\223\351\317\2711\324\362\222\233\231\343\320W\5r\245\35\355^\242\10\335\215\302|\327\331\207>=", ) \345AE\1\361bXq\25\325\210\305\263'\333\14\24\331 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2679\236\260\241\5\317cr[\346\37R\351\260V\24\346\222^\334\24\24Gm\327\27t\336\6\214(r:\3\222\25\2\30\21n\177\215\225\251\374\245\253_\366;+\322\327\271F\374$\266P\370\24358\213\3701 \25a\313\245p<\274\250EWq)\210g\315\274V\365\241\12\14\222qB\2110\361t\200G\364t\3321'fR\2450\251^&\16iP\310\205\217Xo#\10RR\251\346\210\17<\331\24\263\327T\236\16nX6\3766\203&s\24\264\242l\21S\2074\346\216\25\211\4\252O\7+\222\341\37\245\331\233G\206\304\343~\24ds\34\357L\23\356&\366\267\355\22R\365q\242\220D$I\213#~\262\320\356\054\240\372\14\377\217KGs\364\365GuC\3614T\303\263\365\330\227\361\361\30s\245\3\202\323\323\14\13dF\335\237\14\5\32\202_*\15\363@\2021\245_=:\240\253\315\35\352_=\10\363E\200\2065,\215&\11Xrz\334\367\344 \336\303\343\340Oc\236)\250e\246:\320M)\344\255\277\213\343u\177\327\20s\365p_\361e\242\304w\315\305\216\361\243\201a,]\3219\177\35}r\310d\351as\30\22\337\12\266Xx\5\246>{\4\343\242\272\27\203\334\240[\36\323\221\201zUH\274t,\227\10\224$g\327\$&\373V\204\273\356\13\303O\337#\224\237\23\377\257P?\35\257he\265\313)\36/H\13J\260\226>\20)\366A\13 \316"\345AE\1\361bXq\25\325\210\305\263'\333\14\24\331"\317\592gP\17\333J/(\326\304\23)\202\17\256\235&p\1\352ZD\242c\324IM\311J\220<\370\234\326o\324\324\223\351\317\2711\324\362\222\233\231\343\320W\5r\245\35\355^\242\10\335\215\302|\327\331\207>=", ) , ) == 0x0
 00253   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (60, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00254   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ">\275\241&\0\302\243\14\231\376\261\340E\335\312|G\20\342\302a\260x\344?\360\341y \332\341+y\304v#\2y\213~``\240\275/\336\333 `n\262\276\250\212Er\367_\23\356j\322\266\346\330\352\31\350\300\36\311ghh%)\204\370\304\267z\271\236L\337\205~\255\322\215\\373\270\177\331\375\372d\364T\7\316\215#\326\244X!lB\261\307:r}\33\264|d\221\32\3\310\325\317\237\257t@I\267\213\3226\310_E[\327\24\244FZU\3154\302/\331aF\4\372\371=\312\323\214\300\203\361\15\0\221\33\25\\315\277nU\17\217\217\274V\236\33\356\34c\331\3751\246jC\375\312\15\306)tD\20\375\314kA^J\216\247B\362\326\342\341\222\332\11\22\223\266\227]\323\335s\251\363\3445\225\34\23\3078\33*tv\201X\375\222\215w\232T\233\307>dR\26;E\277\273Fu\244WOu\21\3538!\330\211\1\221\350Ch\33\273\330\306G\33\13/\27\313\266\244\321]K\35\24b\310\363\23\12\7!\277\273n]\26\20Dm\255\341\270\260:R\2175\26\33\227\2438\331\3530\213uU\34\27\374\22\260)\304s\211\313\305\352\347\15\37\276tIz\323!eg*\1!\307\353\362+\2143\340\31I\17\3673\242&\341qjzC\273^h\251\244\262\352\21\367R\347\30K\226W8'\262@C\372_\305M\217m\357\7gl\210%I\260\364\216\255\323b]\231P\306L-\213\204\36732\0\7\363B\207l-\274\203\11\323\327f\336 \310\203\267.U\376\335+ZXq\23,\335o+K\203\345s~X\200\234\245\305\24\235\363\323z\221\33\365\35-D0ywp"\352\241c+l2\310t\212v\08\375H\357u\314\23\12\361\2107\36J\346*\230+\2", ) \352\241c+l2\310t\212v\08\375H\357u\314\23\12\361\2107\36J\346*\230+\2", ) == 0x0
 00255   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00256   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\23L3\25\346\362#\17\223\232_\355\377\3315\31)\377F\11\25\0b\321\352\365\227\372\241\217\332D\3\\370\270\376\232h\255\376\364\221.\346\2141%=\31\235\347cg\263W\275\314\350\376\261\275\210\27z\305m\337G-u(%\265\336N\316\351\210OJHHPU\212TR\27\362\4\27"\366F\24\322\346B \216F\343\344d\2>K\273]\6\372\305\365\32\3333\240\355\257\244\303\27 \27\32\2\262\303\225\345\317\317\260\223\335k\324\17\20"\3713o\247\222\216p\177e\371^4\26G\4\244K\252\320\273t\332q"'\251\24\14\234\14\14\222t\12\232\3716/\226\30\276\6\203h\272x\6\356\3223\16B\302Cn0\314\375\217\207\362\213\16Z\215y\6k\217\342}5\269\352\17\352\35\26t\364\302"md\10"V\2667\312s\324sV}\266(f\252\317\232O\31\371\17\265\366Cy\301*\334\261%t\347\17\21.\315\315\375\254\273>r\366\313\340\347s\301X$E \35\257\26\216\205\324\236\317&\361[A\303b\325\346\376\352\341\212\4\360\26I`!\223\347\17wv\10\332_-p\214%\24#)!\321FEL\346a\321\262\376\5\215\274\272\7\247%\3\30{\12r\365^\356\204?{z\31\232\327\227\27\374-\11.\24:\310\257(\25\2\35\1N9O\210e)e\200\363\257a\305\12\326p\356\352\204\301ot\317}\11U\334g\212\230\237N\221\371\241\266\24\245\24\1_\324\273\341\351\371\251\10\27\260O;\252\335>\25U\317\327\200\261\223\331\5\370j\3436x=\241\347\337\205"\33\25W\16\205\372\351\12q8"oU<\340j"\357\352\252>\21R?\315!fS\363\0r\205\222\335\353\1\235\377\357\201\26\201[\22\250\202[\224\240x\362#\223\321w\270", ) \366F\24\322\346B \216F\343\344d\2>K\273]\6\372\305\365\32\3333\240\355\257\244\303\27 \27\32\2\262\303\225\345\317\317\260\223\335k\324\17\20 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\23L3\25\346\362#\17\223\232_\355\377\3315\31)\377F\11\25\0b\321\352\365\227\372\241\217\332D\3\\370\270\376\232h\255\376\364\221.\346\2141%=\31\235\347cg\263W\275\314\350\376\261\275\210\27z\305m\337G-u(%\265\336N\316\351\210OJHHPU\212TR\27\362\4\27"\366F\24\322\346B \216F\343\344d\2>K\273]\6\372\305\365\32\3333\240\355\257\244\303\27 \27\32\2\262\303\225\345\317\317\260\223\335k\324\17\20"\3713o\247\222\216p\177e\371^4\26G\4\244K\252\320\273t\332q"'\251\24\14\234\14\14\222t\12\232\3716/\226\30\276\6\203h\272x\6\356\3223\16B\302Cn0\314\375\217\207\362\213\16Z\215y\6k\217\342}5\269\352\17\352\35\26t\364\302"md\10"V\2667\312s\324sV}\266(f\252\317\232O\31\371\17\265\366Cy\301*\334\261%t\347\17\21.\315\315\375\254\273>r\366\313\340\347s\301X$E \35\257\26\216\205\324\236\317&\361[A\303b\325\346\376\352\341\212\4\360\26I`!\223\347\17wv\10\332_-p\214%\24#)!\321FEL\346a\321\262\376\5\215\274\272\7\247%\3\30{\12r\365^\356\204?{z\31\232\327\227\27\374-\11.\24:\310\257(\25\2\35\1N9O\210e)e\200\363\257a\305\12\326p\356\352\204\301ot\317}\11U\334g\212\230\237N\221\371\241\266\24\245\24\1_\324\273\341\351\371\251\10\27\260O;\252\335>\25U\317\327\200\261\223\331\5\370j\3436x=\241\347\337\205"\33\25W\16\205\372\351\12q8"oU<\340j"\357\352\252>\21R?\315!fS\363\0r\205\222\335\353\1\235\377\357\201\26\201[\22\250\202[\224\240x\362#\223\321w\270", ) '\251\24\14\234\14\14\222t\12\232\3716/\226\30\276\6\203h\272x\6\356\3223\16B\302Cn0\314\375\217\207\362\213\16Z\215y\6k\217\342}5\269\352\17\352\35\26t\364\302 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\23L3\25\346\362#\17\223\232_\355\377\3315\31)\377F\11\25\0b\321\352\365\227\372\241\217\332D\3\\370\270\376\232h\255\376\364\221.\346\2141%=\31\235\347cg\263W\275\314\350\376\261\275\210\27z\305m\337G-u(%\265\336N\316\351\210OJHHPU\212TR\27\362\4\27"\366F\24\322\346B \216F\343\344d\2>K\273]\6\372\305\365\32\3333\240\355\257\244\303\27 \27\32\2\262\303\225\345\317\317\260\223\335k\324\17\20"\3713o\247\222\216p\177e\371^4\26G\4\244K\252\320\273t\332q"'\251\24\14\234\14\14\222t\12\232\3716/\226\30\276\6\203h\272x\6\356\3223\16B\302Cn0\314\375\217\207\362\213\16Z\215y\6k\217\342}5\269\352\17\352\35\26t\364\302"md\10"V\2667\312s\324sV}\266(f\252\317\232O\31\371\17\265\366Cy\301*\334\261%t\347\17\21.\315\315\375\254\273>r\366\313\340\347s\301X$E \35\257\26\216\205\324\236\317&\361[A\303b\325\346\376\352\341\212\4\360\26I`!\223\347\17wv\10\332_-p\214%\24#)!\321FEL\346a\321\262\376\5\215\274\272\7\247%\3\30{\12r\365^\356\204?{z\31\232\327\227\27\374-\11.\24:\310\257(\25\2\35\1N9O\210e)e\200\363\257a\305\12\326p\356\352\204\301ot\317}\11U\334g\212\230\237N\221\371\241\266\24\245\24\1_\324\273\341\351\371\251\10\27\260O;\252\335>\25U\317\327\200\261\223\331\5\370j\3436x=\241\347\337\205"\33\25W\16\205\372\351\12q8"oU<\340j"\357\352\252>\21R?\315!fS\363\0r\205\222\335\353\1\235\377\357\201\26\201[\22\250\202[\224\240x\362#\223\321w\270", ) V\2667\312s\324sV}\266(f\252\317\232O\31\371\17\265\366Cy\301*\334\261%t\347\17\21.\315\315\375\254\273>r\366\313\340\347s\301X$E \35\257\26\216\205\324\236\317&\361[A\303b\325\346\376\352\341\212\4\360\26I`!\223\347\17wv\10\332_-p\214%\24#)!\321FEL\346a\321\262\376\5\215\274\272\7\247%\3\30{\12r\365^\356\204?{z\31\232\327\227\27\374-\11.\24:\310\257(\25\2\35\1N9O\210e)e\200\363\257a\305\12\326p\356\352\204\301ot\317}\11U\334g\212\230\237N\221\371\241\266\24\245\24\1_\324\273\341\351\371\251\10\27\260O;\252\335>\25U\317\327\200\261\223\331\5\370j\3436x=\241\347\337\205 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\23L3\25\346\362#\17\223\232_\355\377\3315\31)\377F\11\25\0b\321\352\365\227\372\241\217\332D\3\\370\270\376\232h\255\376\364\221.\346\2141%=\31\235\347cg\263W\275\314\350\376\261\275\210\27z\305m\337G-u(%\265\336N\316\351\210OJHHPU\212TR\27\362\4\27"\366F\24\322\346B \216F\343\344d\2>K\273]\6\372\305\365\32\3333\240\355\257\244\303\27 \27\32\2\262\303\225\345\317\317\260\223\335k\324\17\20"\3713o\247\222\216p\177e\371^4\26G\4\244K\252\320\273t\332q"'\251\24\14\234\14\14\222t\12\232\3716/\226\30\276\6\203h\272x\6\356\3223\16B\302Cn0\314\375\217\207\362\213\16Z\215y\6k\217\342}5\269\352\17\352\35\26t\364\302"md\10"V\2667\312s\324sV}\266(f\252\317\232O\31\371\17\265\366Cy\301*\334\261%t\347\17\21.\315\315\375\254\273>r\366\313\340\347s\301X$E \35\257\26\216\205\324\236\317&\361[A\303b\325\346\376\352\341\212\4\360\26I`!\223\347\17wv\10\332_-p\214%\24#)!\321FEL\346a\321\262\376\5\215\274\272\7\247%\3\30{\12r\365^\356\204?{z\31\232\327\227\27\374-\11.\24:\310\257(\25\2\35\1N9O\210e)e\200\363\257a\305\12\326p\356\352\204\301ot\317}\11U\334g\212\230\237N\221\371\241\266\24\245\24\1_\324\273\341\351\371\251\10\27\260O;\252\335>\25U\317\327\200\261\223\331\5\370j\3436x=\241\347\337\205"\33\25W\16\205\372\351\12q8"oU<\340j"\357\352\252>\21R?\315!fS\363\0r\205\222\335\353\1\235\377\357\201\26\201[\22\250\202[\224\240x\362#\223\321w\270", ) oU<\340j (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\23L3\25\346\362#\17\223\232_\355\377\3315\31)\377F\11\25\0b\321\352\365\227\372\241\217\332D\3\\370\270\376\232h\255\376\364\221.\346\2141%=\31\235\347cg\263W\275\314\350\376\261\275\210\27z\305m\337G-u(%\265\336N\316\351\210OJHHPU\212TR\27\362\4\27"\366F\24\322\346B \216F\343\344d\2>K\273]\6\372\305\365\32\3333\240\355\257\244\303\27 \27\32\2\262\303\225\345\317\317\260\223\335k\324\17\20"\3713o\247\222\216p\177e\371^4\26G\4\244K\252\320\273t\332q"'\251\24\14\234\14\14\222t\12\232\3716/\226\30\276\6\203h\272x\6\356\3223\16B\302Cn0\314\375\217\207\362\213\16Z\215y\6k\217\342}5\269\352\17\352\35\26t\364\302"md\10"V\2667\312s\324sV}\266(f\252\317\232O\31\371\17\265\366Cy\301*\334\261%t\347\17\21.\315\315\375\254\273>r\366\313\340\347s\301X$E \35\257\26\216\205\324\236\317&\361[A\303b\325\346\376\352\341\212\4\360\26I`!\223\347\17wv\10\332_-p\214%\24#)!\321FEL\346a\321\262\376\5\215\274\272\7\247%\3\30{\12r\365^\356\204?{z\31\232\327\227\27\374-\11.\24:\310\257(\25\2\35\1N9O\210e)e\200\363\257a\305\12\326p\356\352\204\301ot\317}\11U\334g\212\230\237N\221\371\241\266\24\245\24\1_\324\273\341\351\371\251\10\27\260O;\252\335>\25U\317\327\200\261\223\331\5\370j\3436x=\241\347\337\205"\33\25W\16\205\372\351\12q8"oU<\340j"\357\352\252>\21R?\315!fS\363\0r\205\222\335\353\1\235\377\357\201\26\201[\22\250\202[\224\240x\362#\223\321w\270", ) , ) == 0x0
 00257   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (60, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00258   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "#!\273MTx\311\272\351\223A\215\374Q\356\322r\215\323\3326\22\253a3\213Kew\327\327d:\300\336\3727\2\200"\231\210Z\217m\323\234\205\310\330\355\370\373\210\333\1"M)\210\7\266W:&'\356La\230\26\333~\240\310\11\375\275a\20Q\336\221I\302\333\31\1\346\254\302\1\213q\221a \367\24\7\2.\2417\3\220\330\34g7-0\323\221\255R)\300\27m\2531\353K\33\267\12\320\214*08\33Y\\350\371\360\271\375\325dZ\320=d\265\T\3~>\15\360\360\330\2512\33\5\321x1/,\201\227(\263\361\321\210\*\306sKS\2715U\21\353\5[\333o\251\302U\235%\1pr\6\303\17\275\204;3\20\33\313L\254\226 q`xU\246\15\246o\344GXM\2541\13\365%\333'>\217+\351)0!k*`b\17\313\33mL\26\344\240\6#Z\252\23\321\314\3333}\2Z5]&U\216\235\351\374\225\253\3130\37e\237\236\377\205&\360\302\256\300qA3\237@9\241\201wF h\363o\261\265\360#\250\1"'_\301\226F)\262oq:\377\234\252%P\14\2773S \1\253\202$\354h\374\240\30\312\243l\275\331U_\341\261*\233F%*\253\5S\367\233\375D\22\200H\331\240\332n\5\327\346\341\7B\3209V\336\351\346\327j\247\221A\222\242u\372Y\242%]\222\247\35\305\364\2622\5\353\310\3679I\351VfUm\13!vo\356\30 vM$aa-)Q1\367$\320D\355=X"\21i\1\360Q\321\27\2135J\320c\3142\33D\352#\372ld'\302\336j!\235;dp\3\1M1\365\310\365\21F\7\21\35\322%e\342\372+e\6\312R\35", ) \231\210Z\217m\323\234\205\310\330\355\370\373\210\333\1 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "#!\273MTx\311\272\351\223A\215\374Q\356\322r\215\323\3326\22\253a3\213Kew\327\327d:\300\336\3727\2\200"\231\210Z\217m\323\234\205\310\330\355\370\373\210\333\1"M)\210\7\266W:&'\356La\230\26\333~\240\310\11\375\275a\20Q\336\221I\302\333\31\1\346\254\302\1\213q\221a \367\24\7\2.\2417\3\220\330\34g7-0\323\221\255R)\300\27m\2531\353K\33\267\12\320\214*08\33Y\\350\371\360\271\375\325dZ\320=d\265\T\3~>\15\360\360\330\2512\33\5\321x1/,\201\227(\263\361\321\210\*\306sKS\2715U\21\353\5[\333o\251\302U\235%\1pr\6\303\17\275\204;3\20\33\313L\254\226 q`xU\246\15\246o\344GXM\2541\13\365%\333'>\217+\351)0!k*`b\17\313\33mL\26\344\240\6#Z\252\23\321\314\3333}\2Z5]&U\216\235\351\374\225\253\3130\37e\237\236\377\205&\360\302\256\300qA3\237@9\241\201wF h\363o\261\265\360#\250\1"'_\301\226F)\262oq:\377\234\252%P\14\2773S \1\253\202$\354h\374\240\30\312\243l\275\331U_\341\261*\233F%*\253\5S\367\233\375D\22\200H\331\240\332n\5\327\346\341\7B\3209V\336\351\346\327j\247\221A\222\242u\372Y\242%]\222\247\35\305\364\2622\5\353\310\3679I\351VfUm\13!vo\356\30 vM$aa-)Q1\367$\320D\355=X"\21i\1\360Q\321\27\2135J\320c\3142\33D\352#\372ld'\302\336j!\235;dp\3\1M1\365\310\365\21F\7\21\35\322%e\342\372+e\6\312R\35", ) '_\301\226F)\262oq:\377\234\252%P\14\2773S \1\253\202$\354h\374\240\30\312\243l\275\331U_\341\261*\233F%*\253\5S\367\233\375D\22\200H\331\240\332n\5\327\346\341\7B\3209V\336\351\346\327j\247\221A\222\242u\372Y\242%]\222\247\35\305\364\2622\5\353\310\3679I\351VfUm\13!vo\356\30 vM$aa-)Q1\367$\320D\355=X244\253\243\243\23\353h\261k\13\211\347\370 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "#!\273MTx\311\272\351\223A\215\374Q\356\322r\215\323\3326\22\253a3\213Kew\327\327d:\300\336\3727\2\200"\231\210Z\217m\323\234\205\310\330\355\370\373\210\333\1"M)\210\7\266W:&'\356La\230\26\333~\240\310\11\375\275a\20Q\336\221I\302\333\31\1\346\254\302\1\213q\221a \367\24\7\2.\2417\3\220\330\34g7-0\323\221\255R)\300\27m\2531\353K\33\267\12\320\214*08\33Y\\350\371\360\271\375\325dZ\320=d\265\T\3~>\15\360\360\330\2512\33\5\321x1/,\201\227(\263\361\321\210\*\306sKS\2715U\21\353\5[\333o\251\302U\235%\1pr\6\303\17\275\204;3\20\33\313L\254\226 q`xU\246\15\246o\344GXM\2541\13\365%\333'>\217+\351)0!k*`b\17\313\33mL\26\344\240\6#Z\252\23\321\314\3333}\2Z5]&U\216\235\351\374\225\253\3130\37e\237\236\377\205&\360\302\256\300qA3\237@9\241\201wF h\363o\261\265\360#\250\1"'_\301\226F)\262oq:\377\234\252%P\14\2773S \1\253\202$\354h\374\240\30\312\243l\275\331U_\341\261*\233F%*\253\5S\367\233\375D\22\200H\331\240\332n\5\327\346\341\7B\3209V\336\351\346\327j\247\221A\222\242u\372Y\242%]\222\247\35\305\364\2622\5\353\310\3679I\351VfUm\13!vo\356\30 vM$aa-)Q1\367$\320D\355=X"\21i\1\360Q\321\27\2135J\320c\3142\33D\352#\372ld'\302\336j!\235;dp\3\1M1\365\310\365\21F\7\21\35\322%e\342\372+e\6\312R\35", ) , ) == 0x0
 00259   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (60, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (60, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (60, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00260   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Y\262M\235j\234\14\3716 L~j\301+VQ\276\12qw~\202)\0\215.\1H\202\232g^\213\344Vp\2364d\11\261g\200\241Wf\326\225\365a\3631\237c\222%\325W%@i\257\322z\332T\265z%\370\5\26\260H\177"\301P\20\223\366T\17\272\237\323\12"\375@\345!\205\350\323h\306_\5I\255+Vh\226b\345,\252\272\225\2430\216\3561\363\250L\233*;\300 0\0\267\22\332\372\265\23\256 \2115\20=x\254\201b\274 \221"\207\253\301AyT\322X\2058P-e\373\307\353\262"2k/$sj\17\31\327Z\322\213\342\341\213W\275l\274\14\267\\247\203f^\2107[\312-1n~%\262\323\3679\224\323\247p\336Rw\34\357\343]15Z\247t\354a\204=\322\4\302\3rd\20\303\334Km\350a\317\224.\203h\0\341\301\31wN\311\301\367\325\351\33\1\15-`\21\32\204kLu\301\351y\352\325\177\320\215\260\326\257%\6\357\320$\310\27\361\261\375\313\14^)\233\202K\3332(9X\353>\211\321\364\205\265\213\341"e\275\263\1\254\237\233\343\241\262\242\14\311\363k\316\2\335\310\2576\251\367t\271\331A]%\233l\241\202Rm\15\24\310&\27\3\345\325\21ua\0\36\;wt\355ja\5\275\302l\372\355\302\336\7\37\237+p,\207\346'\327/:=\312\357\335\13\345\356\320%!\26\210#\211C|/I\307\226\200%Bcyd\245I\17K\320\324\257\226\177\301B\375,\26B\346\210b\6#\260\7\233\15\31\321i$\336o\251\306\321)\352`w\359\362C\316\223\376\250!\5\372K)\15\306\370\5C\5\222\207q\223\357\350u\322\310V.'\353cpm(\247\2\210a\216\360\321\211\14\365q\306sA>o\6", ) \301P\20\223\366T\17\272\237\323\12 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Y\262M\235j\234\14\3716 L~j\301+VQ\276\12qw~\202)\0\215.\1H\202\232g^\213\344Vp\2364d\11\261g\200\241Wf\326\225\365a\3631\237c\222%\325W%@i\257\322z\332T\265z%\370\5\26\260H\177"\301P\20\223\366T\17\272\237\323\12"\375@\345!\205\350\323h\306_\5I\255+Vh\226b\345,\252\272\225\2430\216\3561\363\250L\233*;\300 0\0\267\22\332\372\265\23\256 \2115\20=x\254\201b\274 \221"\207\253\301AyT\322X\2058P-e\373\307\353\262"2k/$sj\17\31\327Z\322\213\342\341\213W\275l\274\14\267\\247\203f^\2107[\312-1n~%\262\323\3679\224\323\247p\336Rw\34\357\343]15Z\247t\354a\204=\322\4\302\3rd\20\303\334Km\350a\317\224.\203h\0\341\301\31wN\311\301\367\325\351\33\1\15-`\21\32\204kLu\301\351y\352\325\177\320\215\260\326\257%\6\357\320$\310\27\361\261\375\313\14^)\233\202K\3332(9X\353>\211\321\364\205\265\213\341"e\275\263\1\254\237\233\343\241\262\242\14\311\363k\316\2\335\310\2576\251\367t\271\331A]%\233l\241\202Rm\15\24\310&\27\3\345\325\21ua\0\36\;wt\355ja\5\275\302l\372\355\302\336\7\37\237+p,\207\346'\327/:=\312\357\335\13\345\356\320%!\26\210#\211C|/I\307\226\200%Bcyd\245I\17K\320\324\257\226\177\301B\375,\26B\346\210b\6#\260\7\233\15\31\321i$\336o\251\306\321)\352`w\359\362C\316\223\376\250!\5\372K)\15\306\370\5C\5\222\207q\223\357\350u\322\310V.'\353cpm(\247\2\210a\216\360\321\211\14\365q\306sA>o\6", ) \207\253\301AyT\322X\2058P-e\373\307\353\262 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Y\262M\235j\234\14\3716 L~j\301+VQ\276\12qw~\202)\0\215.\1H\202\232g^\213\344Vp\2364d\11\261g\200\241Wf\326\225\365a\3631\237c\222%\325W%@i\257\322z\332T\265z%\370\5\26\260H\177"\301P\20\223\366T\17\272\237\323\12"\375@\345!\205\350\323h\306_\5I\255+Vh\226b\345,\252\272\225\2430\216\3561\363\250L\233*;\300 0\0\267\22\332\372\265\23\256 \2115\20=x\254\201b\274 \221"\207\253\301AyT\322X\2058P-e\373\307\353\262"2k/$sj\17\31\327Z\322\213\342\341\213W\275l\274\14\267\\247\203f^\2107[\312-1n~%\262\323\3679\224\323\247p\336Rw\34\357\343]15Z\247t\354a\204=\322\4\302\3rd\20\303\334Km\350a\317\224.\203h\0\341\301\31wN\311\301\367\325\351\33\1\15-`\21\32\204kLu\301\351y\352\325\177\320\215\260\326\257%\6\357\320$\310\27\361\261\375\313\14^)\233\202K\3332(9X\353>\211\321\364\205\265\213\341"e\275\263\1\254\237\233\343\241\262\242\14\311\363k\316\2\335\310\2576\251\367t\271\331A]%\233l\241\202Rm\15\24\310&\27\3\345\325\21ua\0\36\;wt\355ja\5\275\302l\372\355\302\336\7\37\237+p,\207\346'\327/:=\312\357\335\13\345\356\320%!\26\210#\211C|/I\307\226\200%Bcyd\245I\17K\320\324\257\226\177\301B\375,\26B\346\210b\6#\260\7\233\15\31\321i$\336o\251\306\321)\352`w\359\362C\316\223\376\250!\5\372K)\15\306\370\5C\5\222\207q\223\357\350u\322\310V.'\353cpm(\247\2\210a\216\360\321\211\14\365q\306sA>o\6", ) e\275\263\1\254\237\233\343\241\262\242\14\311\363k\316\2\335\310\2576\251\367t\271\331A]%\233l\241\202Rm\15\24\310&\27\3\345\325\21ua\0\36\;wt\355ja\5\275\302l\372\355\302\336\7\37\237+p,\207\346'\327/:=\312\357\335\13\345\356\320%!\26\210#\211C|/I\307\226\200%Bcyd\245I\17K\320\324\257\226\177\301B\375,\26B\346\210b\6#\260\7\233\15\31\321i$\336o\251\306\321)\352`w\359\362C\316\223\376\250!\5\372K)\15\306\370\5C\5\222\207q\223\357\350u\322\310V.'\353cpm(\247\2\210a\216\360\321\211\14\365q\306sA>o\6", ) == 0x0
 00261   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (60, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (60, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00262   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "45\254j\244\360r4\3729c\311=\206p\37N\244\2"\362\377\307U=z\223\351\16\2507\33\356\212:;T\14q\231\303\333\17\4%m/%\227\206o\365\20\325\231\12k\236\311{\1\311\370ix\252\212Uj\316m\217\376\30*\20\335NYUp\241\264\130\323a\213\256\233v\1\202\361\33\2064\322\304\327\275\372`5\2\261hy=Tl=\357\325s\216d"\343\5\15L\1031\257\267M_\27~%t"\271\20\260\340\331aZ\222}\320G\0\227\)\320\363F/\353`\1$\231\311eS\341\243\306G>x\314\364\277\323m\205\336v9\263\207\275\227\303\302{L\372\34\25\14\241\23I\333Lp\306Z\221\312C\203-\232'\6\251\33h\214w\353\265\26b\25014\261[.\351\352\252\217\200\361A\353Y\367\310$ee=b4:@1\355\265\342\217@O\11C\4&\254\30\324m\323\15\177\231\343\207\22P\260'NV\7\353I8\326S\32\325\362C\205\335\320\264\20i\23\201\267\363\2207\22/\302wmt\373#\5\352\344\226!7|\350\4\363"\227\177\340\311h\205f\326\306<3\332\203 \14"\207\205U\303\307\341\366\316G4@_H\361\346\240\302\327\221|I~8\3232@3\200\356Mp\376\232\337\371\331X\206t\321\30+f1\24\21\267\332{e\376\265\266&(\252\351\203\346\15\2621M\5\273\27\336\1)\336y\321h\377\11\227\231\237\200\315\314\305\0\244\321\6)\331k!\17\236\33\21V\310zz\347\212o\14\342?\224\333\207z\347Y\371\226\3140p\376\370\225\323\307{0\245\374\261\254\233d\255:\245\371\177@\\303!U\314\224\24p\324\325X\274\237\320!\247(x\343\205\235\206\214\7 \272t\16\10\210\2228\331\17\321\370\253\203\345\243\246G\373\11", ) \362\377\307U=z\223\351\16\2507\33\356\212:;T\14q\231\303\333\17\4%m/%\227\206o\365\20\325\231\12k\236\311{\1\311\370ix\252\212Uj\316m\217\376\30*\20\335NYUp\241\264\130\323a\213\256\233v\1\202\361\33\2064\322\304\327\275\372`5\2\261hy=Tl=\357\325s\216d (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "45\254j\244\360r4\3729c\311=\206p\37N\244\2"\362\377\307U=z\223\351\16\2507\33\356\212:;T\14q\231\303\333\17\4%m/%\227\206o\365\20\325\231\12k\236\311{\1\311\370ix\252\212Uj\316m\217\376\30*\20\335NYUp\241\264\130\323a\213\256\233v\1\202\361\33\2064\322\304\327\275\372`5\2\261hy=Tl=\357\325s\216d"\343\5\15L\1031\257\267M_\27~%t"\271\20\260\340\331aZ\222}\320G\0\227\)\320\363F/\353`\1$\231\311eS\341\243\306G>x\314\364\277\323m\205\336v9\263\207\275\227\303\302{L\372\34\25\14\241\23I\333Lp\306Z\221\312C\203-\232'\6\251\33h\214w\353\265\26b\25014\261[.\351\352\252\217\200\361A\353Y\367\310$ee=b4:@1\355\265\342\217@O\11C\4&\254\30\324m\323\15\177\231\343\207\22P\260'NV\7\353I8\326S\32\325\362C\205\335\320\264\20i\23\201\267\363\2207\22/\302wmt\373#\5\352\344\226!7|\350\4\363"\227\177\340\311h\205f\326\306<3\332\203 \14"\207\205U\303\307\341\366\316G4@_H\361\346\240\302\327\221|I~8\3232@3\200\356Mp\376\232\337\371\331X\206t\321\30+f1\24\21\267\332{e\376\265\266&(\252\351\203\346\15\2621M\5\273\27\336\1)\336y\321h\377\11\227\231\237\200\315\314\305\0\244\321\6)\331k!\17\236\33\21V\310zz\347\212o\14\342?\224\333\207z\347Y\371\226\3140p\376\370\225\323\307{0\245\374\261\254\233d\255:\245\371\177@\\303!U\314\224\24p\324\325X\274\237\320!\247(x\343\205\235\206\214\7 \272t\16\10\210\2228\331\17\321\370\253\203\345\243\246G\373\11", ) \271\20\260\340\331aZ\222}\320G\0\227\)\320\363F/\353`\1$\231\311eS\341\243\306G>x\314\364\277\323m\205\336v9\263\207\275\227\303\302{L\372\34\25\14\241\23I\333Lp\306Z\221\312C\203-\232'\6\251\33h\214w\353\265\26b\25014\261[.\351\352\252\217\200\361A\353Y\367\310$ee=b4:@1\355\265\342\217@O\11C\4&\254\30\324m\323\15\177\231\343\207\22P\260'NV\7\353I8\326S\32\325\362C\205\335\320\264\20i\23\201\267\363\2207\22/\302wmt\373#\5\352\344\226!7|\350\4\363 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "45\254j\244\360r4\3729c\311=\206p\37N\244\2"\362\377\307U=z\223\351\16\2507\33\356\212:;T\14q\231\303\333\17\4%m/%\227\206o\365\20\325\231\12k\236\311{\1\311\370ix\252\212Uj\316m\217\376\30*\20\335NYUp\241\264\130\323a\213\256\233v\1\202\361\33\2064\322\304\327\275\372`5\2\261hy=Tl=\357\325s\216d"\343\5\15L\1031\257\267M_\27~%t"\271\20\260\340\331aZ\222}\320G\0\227\)\320\363F/\353`\1$\231\311eS\341\243\306G>x\314\364\277\323m\205\336v9\263\207\275\227\303\302{L\372\34\25\14\241\23I\333Lp\306Z\221\312C\203-\232'\6\251\33h\214w\353\265\26b\25014\261[.\351\352\252\217\200\361A\353Y\367\310$ee=b4:@1\355\265\342\217@O\11C\4&\254\30\324m\323\15\177\231\343\207\22P\260'NV\7\353I8\326S\32\325\362C\205\335\320\264\20i\23\201\267\363\2207\22/\302wmt\373#\5\352\344\226!7|\350\4\363"\227\177\340\311h\205f\326\306<3\332\203 \14"\207\205U\303\307\341\366\316G4@_H\361\346\240\302\327\221|I~8\3232@3\200\356Mp\376\232\337\371\331X\206t\321\30+f1\24\21\267\332{e\376\265\266&(\252\351\203\346\15\2621M\5\273\27\336\1)\336y\321h\377\11\227\231\237\200\315\314\305\0\244\321\6)\331k!\17\236\33\21V\310zz\347\212o\14\342?\224\333\207z\347Y\371\226\3140p\376\370\225\323\307{0\245\374\261\254\233d\255:\245\371\177@\\303!U\314\224\24p\324\325X\274\237\320!\247(x\343\205\235\206\214\7 \272t\16\10\210\2228\331\17\321\370\253\203\345\243\246G\373\11", ) \207\205U\303\307\341\366\316G4@_H\361\346\240\302\327\221|I~8\3232@3\200\356Mp\376\232\337\371\331X\206t\321\30+f1\24\21\267\332{e\376\265\266&(\252\351\203\346\15\2621M\5\273\27\336\1)\336y\321h\377\11\227\231\237\200\315\314\305\0\244\321\6)\331k!\17\236\33\21V\310zz\347\212o\14\342?\224\333\207z\347Y\371\226\3140p\376\370\225\323\307{0\245\374\261\254\233d\255:\245\371\177@\\303!U\314\224\24p\324\325X\274\237\320!\247(x\343\205\235\206\214\7 \272t\16\10\210\2228\331\17\321\370\253\203\345\243\246G\373\11", ) == 0x0
 00263   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00264   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, " s\234K\205\7k\27~\317\7\267\375VHt\12\223z\362\251\345f1\203_\341?\256\234\321FO\276:\200_\362P\34\4\230O\16\212\324\343\4\270\222\335#\6\323a\25q\274\2\310\345\241,3\251Uk\375\312\324Y\2\232'3\204L\321\202\362\33\320\370\310u\243\26\37H`\361\251s\210\177\251`U\264*\265\376\23}\240\17t\362s\317M\11\223\226\327\251m\324P\201\220\270*\26\351\348\254\377zE\335\317Z \25\327\352\222@QW\254\305I+\351\273\227\323I%\250\331\177C"j\236\14V\222\244Ce\314\203:\275N\226h\317\341C#)\327;v-\250\350\305)\352{/\303\214\7S\272\314\262\357\343\354 \275<\262\210C\17\36v\37\23\312o\325\15R/\201\0m\16\7\315R/\32`\256\317\365:\331(%\3\220\373\36U\376\370^\31\277\303%\357\327w\21\301\227\247\2679\312\20N\6\31\265\252-\336o\35#\306\0\2\312DXp+\332\356Z55u\217\254\247\316\214F.$\322fx\225\273A\345\7\3566\30p\35?\312\341\225\274\246o\304\321V\371\254\233\217Jaj\365\257\216\307\350A9X9\34y\177\26\343z\345\253\216`\336m\36+\256\270\Re!\7k\312p\15\201\202\324T\223\376\270\27J\363w\119\312\36\263\371\240o\35\14i+U)\226Od\355\337\343^\326\207\256\27\2\210(\275X\350\215\17;\220\324\237\343\255I^\32d`{h.f\375\12\260qy[2\222\2646\360\227\302!\300h\227\321\12C\232L\243R\313c\320\26236\14V\222\244Ce\314\203:\275N\226h\317\341C#)\327;v-\250\350\305)\352{/\303\214\7S\272\314\262\357\343\354 \275<\262\210C\17\36v\37\23\312o\325\15R/\201\0m\16\7\315R/\32`\256\317\365:\331(%\3\220\373\36U\376\370^\31\277\303%\357\327w\21\301\227\247\2679\312\20N\6\31\265\252-\336o\35#\306\0\2\312DXp+\332\356Z55u\217\254\247\316\214F.$\322fx\225\273A\345\7\3566\30p\35?\312\341\225\274\246o\304\321V\371\254\233\217Jaj\365\257\216\307\350A9X9\34y\177\26\343z\345\253\216`\336m\36+\256\270\Re!\7k\312p\15\201\202\324T\223\376\270\27J\363w\119\312\36\263\371\240o\35\14i+U)\226Od\355\337\343^\326\207\256\27\2\210(\275X\350\215\17;\220\324\237\343\255I^\32d`{h.f\375\12\260qy[2\222\2646\360\227\302!\300h\227\321\12C\232L\243R\313c\320\26223\257\323\210\206H\201\22\321\3104\2212\355\344!\203\244_`\356\233\205\234&\3\363\13\#%\23\335\354\375\336\306\226\227/\22\247\6S\312X\303\341\276\364h8\14K=,\2\252K", ) == 0x0
 00265   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (60, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00266   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "K\326\221\35_<\340\337`r\267y\251\335\320\232\357\260\6\201\3112\240~\252\336&\337KJ\2505\247\3Z\300E\203A2]\257X\241\5\7A\11E\35'\201\251\26\10S\323\35\31wL*\212\207\177\233\2234\377\344c|\36\247\356Q\310\372\111\333h\20\355\327\327=>\23\7\336o\12\34\365/\3207\0\342_L\375\14\5`\14\213\233\20\262\213\377\26>\364 \274\347R9T\321\304\0\270\260\256\341\236\2506Y\231m\240\3472):\357\344lP\363\346\34)\34265\3438\241\350Xa\213\237BW\267\17Z\333\4\343S\230R+\334<\346_\333\244\25)9\2605#\352\342h\225\307\205\213\17 \362\212\246\377a{$Yf\345\227\216\362\314\315D\322\35j\304\367\16\335&\343\63\17H\333U\1J\224\267\206fA\3*R$\241Sx\2310\7+\23N\326\330\230\240\334\362\30\370\266\353N\267\256\217\255Y\303j@\260"\177\335\332@\21\266\375\261\224\34l\2136\214\335%I/\337xB\6\334N\242I5\263\200y.\326g\376\261\32l\262\350\300\353$\2250P\0\303\0e\37\12\370|g>\3168\35(\207>\361\250\242\36\251\253W\36\15GS\251\260\343\211\343\13\347\237w\246\203\372U\20\311\257>a\5\260)\360\321\224KAZd\376\356\26U\264=\31[\33\341\305\30\25|\\366[\361\245\2271\21\225\305\331\227\1R\310\1\351\260 e\320\6\235\5\177\330'\214\303BV\370%\364\156^\2\30\11\3\323\227\2537}jv)\371\224d\342\200\336=6\351\255\307\320\313`\302\320\206w\212a\376bv-\324\303\355\0S\240c\271\16?\273\334\333\27\11G-\252\1\312\302\352U*\323e\6q\370"8p\335#Vi\363\344\211\222A\333A \365B\356", ) \177\335\332@\21\266\375\261\224\34l\2136\214\335%I/\337xB\6\334N\242I5\263\200y.\326g\376\261\32l\262\350\300\353$\2250P\0\303\0e\37\12\370|g>\3168\35(\207>\361\250\242\36\251\253W\36\15GS\251\260\343\211\343\13\347\237w\246\203\372U\20\311\257>a\5\260)\360\321\224KAZd\376\356\26U\264=\31[\33\341\305\30\25|\\366[\361\245\2271\21\225\305\331\227\1R\310\1\351\260 e\320\6\235\5\177\330'\214\303BV\370%\364\156^\2\30\11\3\323\227\2537}jv)\371\224d\342\200\336=6\351\255\307\320\313`\302\320\206w\212a\376bv-\324\303\355\0S\240c\271\16?\273\334\333\27\11G-\252\1\312\302\352U*\323e\6q\370 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "K\326\221\35_<\340\337`r\267y\251\335\320\232\357\260\6\201\3112\240~\252\336&\337KJ\2505\247\3Z\300E\203A2]\257X\241\5\7A\11E\35'\201\251\26\10S\323\35\31wL*\212\207\177\233\2234\377\344c|\36\247\356Q\310\372\111\333h\20\355\327\327=>\23\7\336o\12\34\365/\3207\0\342_L\375\14\5`\14\213\233\20\262\213\377\26>\364 \274\347R9T\321\304\0\270\260\256\341\236\2506Y\231m\240\3472):\357\344lP\363\346\34)\34265\3438\241\350Xa\213\237BW\267\17Z\333\4\343S\230R+\334<\346_\333\244\25)9\2605#\352\342h\225\307\205\213\17 \362\212\246\377a{$Yf\345\227\216\362\314\315D\322\35j\304\367\16\335&\343\63\17H\333U\1J\224\267\206fA\3*R$\241Sx\2310\7+\23N\326\330\230\240\334\362\30\370\266\353N\267\256\217\255Y\303j@\260"\177\335\332@\21\266\375\261\224\34l\2136\214\335%I/\337xB\6\334N\242I5\263\200y.\326g\376\261\32l\262\350\300\353$\2250P\0\303\0e\37\12\370|g>\3168\35(\207>\361\250\242\36\251\253W\36\15GS\251\260\343\211\343\13\347\237w\246\203\372U\20\311\257>a\5\260)\360\321\224KAZd\376\356\26U\264=\31[\33\341\305\30\25|\\366[\361\245\2271\21\225\305\331\227\1R\310\1\351\260 e\320\6\235\5\177\330'\214\303BV\370%\364\156^\2\30\11\3\323\227\2537}jv)\371\224d\342\200\336=6\351\255\307\320\313`\302\320\206w\212a\376bv-\324\303\355\0S\240c\271\16?\273\334\333\27\11G-\252\1\312\302\352U*\323e\6q\370"8p\335#Vi\363\344\211\222A\333A \365B\356", ) , ) == 0x0
 00267   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (60, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00268   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "2\365p\226Z\373?\10\333:\34\6.\223\306\245L\277\243.\30\366\277:hhN\330\217"\1\210|\374\241\15\332\332\26\326\25\37\24\362\354\365@\366\316\221\2601l\314y!\1\201Cr\327\21%J\203\6?\276\312\37\325\3035*8\376j\350\227\217\7R\237._\326Np\375\340\207\274\274d\265+\211\223%5p+\257\237\224\2612[rX\25\211\347\250\350(z\304\234^\312Z\300\306\336\254\353\17\347\311\37\11x\16\234H\371\254\10\240\333\247\225\356,-n\264\3426\35\27\312\223\261f:DKF?\331(\24\301\254Rx\223\314\303\217\225\331\10\274'x\26\356?Oi\22\0\211\271\20q1l\267\351 \357HK\3026+\237\332PC\210\206+\327;\32E\306w\201x\374\15\276\216J\216xe\346\315\232N\15\227-u\13:wF\361#\357ep\3\264\224\245\353\207\244C'Lr\30U3\5\223$\254n\6a\273\245F\237\376\23\262\315;&E\372\374\321:H\22sH\247Ya\333$\23\233\25\;\226\222\311\377\274\375\3703\2514i\13\237\336\14Y\11\16\376t\23\335\370I\276\207\272\201\221\355\376\260\36DU\333\271\276\317*\274p\307_\30\6\336?|\207\5I\351A47\277\305\311\326\343\341.\264f\365\314e\2715\213\2\356\23\22\311\216\305\321\36\15Xs\205\345| \341>\\336X\1\331\254\230\22[\300\20"\27\351`0S\367\245A'\322,},,\202k\3365d\27\30\245\216\356>\264\244\240\20\322\2\16Nb\324[\236@G\34\1r\222\336\32r\13\365:*\5\304\313\270\352\212\233\6\251\201a\306`\33a\345\214\320Z\315*\30\36\204zCw\376X\325\25\362\371Q\271\17\241\177S\17G\331.y\331$X\177%\256|\272/\223N$", ) \1\210|\374\241\15\332\332\26\326\25\37\24\362\354\365@\366\316\221\2601l\314y!\1\201Cr\327\21%J\203\6?\276\312\37\325\3035*8\376j\350\227\217\7R\237._\326Np\375\340\207\274\274d\265+\211\223%5p+\257\237\224\2612[rX\25\211\347\250\350(z\304\234^\312Z\300\306\336\254\353\17\347\311\37\11x\16\234H\371\254\10\240\333\247\225\356,-n\264\3426\35\27\312\223\261f:DKF?\331(\24\301\254Rx\223\314\303\217\225\331\10\274'x\26\356?Oi\22\0\211\271\20q1l\267\351 \357HK\3026+\237\332PC\210\206+\327;\32E\306w\201x\374\15\276\216J\216xe\346\315\232N\15\227-u\13:wF\361#\357ep\3\264\224\245\353\207\244C'Lr\30U3\5\223$\254n\6a\273\245F\237\376\23\262\315;&E\372\374\321:H\22sH\247Ya\333$\23\233\25\;\226\222\311\377\274\375\3703\2514i\13\237\336\14Y\11\16\376t\23\335\370I\276\207\272\201\221\355\376\260\36DU\333\271\276\317*\274p\307_\30\6\336?|\207\5I\351A47\277\305\311\326\343\341.\264f\365\314e\2715\213\2\356\23\22\311\216\305\321\36\15Xs\205\345| \341>\\336X\1\331\254\230\22[\300\20 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "2\365p\226Z\373?\10\333:\34\6.\223\306\245L\277\243.\30\366\277:hhN\330\217"\1\210|\374\241\15\332\332\26\326\25\37\24\362\354\365@\366\316\221\2601l\314y!\1\201Cr\327\21%J\203\6?\276\312\37\325\3035*8\376j\350\227\217\7R\237._\326Np\375\340\207\274\274d\265+\211\223%5p+\257\237\224\2612[rX\25\211\347\250\350(z\304\234^\312Z\300\306\336\254\353\17\347\311\37\11x\16\234H\371\254\10\240\333\247\225\356,-n\264\3426\35\27\312\223\261f:DKF?\331(\24\301\254Rx\223\314\303\217\225\331\10\274'x\26\356?Oi\22\0\211\271\20q1l\267\351 \357HK\3026+\237\332PC\210\206+\327;\32E\306w\201x\374\15\276\216J\216xe\346\315\232N\15\227-u\13:wF\361#\357ep\3\264\224\245\353\207\244C'Lr\30U3\5\223$\254n\6a\273\245F\237\376\23\262\315;&E\372\374\321:H\22sH\247Ya\333$\23\233\25\;\226\222\311\377\274\375\3703\2514i\13\237\336\14Y\11\16\376t\23\335\370I\276\207\272\201\221\355\376\260\36DU\333\271\276\317*\274p\307_\30\6\336?|\207\5I\351A47\277\305\311\326\343\341.\264f\365\314e\2715\213\2\356\23\22\311\216\305\321\36\15Xs\205\345| \341>\\336X\1\331\254\230\22[\300\20"\27\351`0S\367\245A'\322,},,\202k\3365d\27\30\245\216\356>\264\244\240\20\322\2\16Nb\324[\236@G\34\1r\222\336\32r\13\365:*\5\304\313\270\352\212\233\6\251\201a\306`\33a\345\214\320Z\315*\30\36\204zCw\376X\325\25\362\371Q\271\17\241\177S\17G\331.y\331$X\177%\256|\272/\223N$", ) , ) == 0x0
 00269   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00270   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\21\363K\333\267\336\210"7\3215\10\247,\364\251,\316t\216\376\351\210p\343Gu\16\13l\246\232\315\364W2+\213\243_z\2\230\216N&H\245\23I\21io\321)\1Z\341b\1\36\271\256r\177\303\332\250e\207;\276 \254\273\34abf,\231\226\7\25P1U\356\267\330\350\372"\34"\301W\371Q\22\32\35\236,7\322\332\263\274\364wD\233\247\262-\203W\255\216\312R5\213z\2671w\370[\334\2459okr\222\323C\335\311X\376TW\267\224\210\204\314\\2\217\352\35\274\354\276\233'\373\342\303\25S\2059\30\322y\4\21\315{P\340\3002Sm34T\34*\352>6\1\333B\37\260X\251\355\261p!\241\353`\355!<\302\277i%\230Z L\355Zt:\200eK\244\243\273\220\326,m*\2071p>\252f\310\7\225g!x\320\217\21V\244\2705\370RA\246\315ZkWe\326X\275\300^>\355\317\321\246\214\324Y~Q6\310\35K\312\203\221v\256<\24\11\375\377O\205"\244X\34V\351Xf\211\250\373\336\247[f\21-\244Xg\242oOqw\240\346\17\346\7\2\231\233\327&\255\271\335\274\254\303\26\314\257y\247\304T\30\227\14n\340w\334\34/\333c\365 \226s\3417\323^\331)\337\315^\236B\303\15z\2\350\357\240P\15^\3607c\373"\336\342\307\24I\30\236,S\201\13\347\353'-\315\262Z\332\332*.\305\277\216$-\25\33v\302H\376vc~s\237\201\243G\2049j3\4\333\351\312/k\337\215\323\313U#\12g\220\244\2404\252\25\305\344W\230\312\321,\315\350\263\276C\327\371eD\245\352\265hN\355\177!R\321\350\1\32=\20\211", ) 7\3215\10\247,\364\251,\316t\216\376\351\210p\343Gu\16\13l\246\232\315\364W2+\213\243_z\2\230\216N&H\245\23I\21io\321)\1Z\341b\1\36\271\256r\177\303\332\250e\207;\276 \254\273\34abf,\231\226\7\25P1U\356\267\330\350\372 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\21\363K\333\267\336\210"7\3215\10\247,\364\251,\316t\216\376\351\210p\343Gu\16\13l\246\232\315\364W2+\213\243_z\2\230\216N&H\245\23I\21io\321)\1Z\341b\1\36\271\256r\177\303\332\250e\207;\276 \254\273\34abf,\231\226\7\25P1U\356\267\330\350\372"\34"\301W\371Q\22\32\35\236,7\322\332\263\274\364wD\233\247\262-\203W\255\216\312R5\213z\2671w\370[\334\2459okr\222\323C\335\311X\376TW\267\224\210\204\314\\2\217\352\35\274\354\276\233'\373\342\303\25S\2059\30\322y\4\21\315{P\340\3002Sm34T\34*\352>6\1\333B\37\260X\251\355\261p!\241\353`\355!<\302\277i%\230Z L\355Zt:\200eK\244\243\273\220\326,m*\2071p>\252f\310\7\225g!x\320\217\21V\244\2705\370RA\246\315ZkWe\326X\275\300^>\355\317\321\246\214\324Y~Q6\310\35K\312\203\221v\256<\24\11\375\377O\205"\244X\34V\351Xf\211\250\373\336\247[f\21-\244Xg\242oOqw\240\346\17\346\7\2\231\233\327&\255\271\335\274\254\303\26\314\257y\247\304T\30\227\14n\340w\334\34/\333c\365 \226s\3417\323^\331)\337\315^\236B\303\15z\2\350\357\240P\15^\3607c\373"\336\342\307\24I\30\236,S\201\13\347\353'-\315\262Z\332\332*.\305\277\216$-\25\33v\302H\376vc~s\237\201\243G\2049j3\4\333\351\312/k\337\215\323\313U#\12g\220\244\2404\252\25\305\344W\230\312\321,\315\350\263\276C\327\371eD\245\352\265hN\355\177!R\321\350\1\32=\20\211", ) \301W\371Q\22\32\35\236,7\322\332\263\274\364wD\233\247\262-\203W\255\216\312R5\213z\2671w\370[\334\2459okr\222\323C\335\311X\376TW\267\224\210\204\314\\2\217\352\35\274\354\276\233'\373\342\303\25S\2059\30\322y\4\21\315{P\340\3002Sm34T\34*\352>6\1\333B\37\260X\251\355\261p!\241\353`\355!<\302\277i%\230Z L\355Zt:\200eK\244\243\273\220\326,m*\2071p>\252f\310\7\225g!x\320\217\21V\244\2705\370RA\246\315ZkWe\326X\275\300^>\355\317\321\246\214\324Y~Q6\310\35K\312\203\221v\256<\24\11\375\377O\205 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\21\363K\333\267\336\210"7\3215\10\247,\364\251,\316t\216\376\351\210p\343Gu\16\13l\246\232\315\364W2+\213\243_z\2\230\216N&H\245\23I\21io\321)\1Z\341b\1\36\271\256r\177\303\332\250e\207;\276 \254\273\34abf,\231\226\7\25P1U\356\267\330\350\372"\34"\301W\371Q\22\32\35\236,7\322\332\263\274\364wD\233\247\262-\203W\255\216\312R5\213z\2671w\370[\334\2459okr\222\323C\335\311X\376TW\267\224\210\204\314\\2\217\352\35\274\354\276\233'\373\342\303\25S\2059\30\322y\4\21\315{P\340\3002Sm34T\34*\352>6\1\333B\37\260X\251\355\261p!\241\353`\355!<\302\277i%\230Z L\355Zt:\200eK\244\243\273\220\326,m*\2071p>\252f\310\7\225g!x\320\217\21V\244\2705\370RA\246\315ZkWe\326X\275\300^>\355\317\321\246\214\324Y~Q6\310\35K\312\203\221v\256<\24\11\375\377O\205"\244X\34V\351Xf\211\250\373\336\247[f\21-\244Xg\242oOqw\240\346\17\346\7\2\231\233\327&\255\271\335\274\254\303\26\314\257y\247\304T\30\227\14n\340w\334\34/\333c\365 \226s\3417\323^\331)\337\315^\236B\303\15z\2\350\357\240P\15^\3607c\373"\336\342\307\24I\30\236,S\201\13\347\353'-\315\262Z\332\332*.\305\277\216$-\25\33v\302H\376vc~s\237\201\243G\2049j3\4\333\351\312/k\337\215\323\313U#\12g\220\244\2404\252\25\305\344W\230\312\321,\315\350\263\276C\327\371eD\245\352\265hN\355\177!R\321\350\1\32=\20\211", ) \336\342\307\24I\30\236,S\201\13\347\353'-\315\262260\27&\216\24\34\352\213\3\262_\313_n\325\330K\261\230\212W\330\276>Z\332\332*.\305\277\216$-\25\33v\302H\376vc~s\237\201\243G\2049j3\4\333\351\312/k\337\215\323\313U#\12g\220\244\2404\252\25\305\344W\230\312\321,\315\350\263\276C\327\371eD\245\352\265hN\355\177!R\321\350\1\32=\20\211", ) == 0x0
 00271   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (60, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00272   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "2\377\350\271\242\350]\331\334\347.\10+[b\244'\16\245\5/\253\37\361G\31I\266\236]4\7\366\327\366\37\346\333\247\234\273\363k\12\245AD\356\12\227\207\30q\371g\207\330H~\252q;\36\212)\202r5\263\313\25\14)\\367f~\361C%\236\357u\271`\255\202RD\7z\267\256\257(\251\216\325>\2457}\5\340\2326y\212\352g\275\326\221N\12E\206!\5\1\21\214Q\20\304|\25\365\301\315\260k\324\304{+\3358\20m\263|q\34\2734U\341\304\4\31nw\310\250\263.\317A8\346\33\356s\2050\243l\247\27Zv\322w\3659\352\335\245\21_\23\35\326v0\305a\223\246\264\373\242n\214+P\210+8@(.\235B\313\227(\353)\325\211\213baEB\313\36\275\353S02\25\0\222q\306\243\6\272\2116U\213Ra\27\206T\330\225Y\314S\315E\245h\235\330r\352\317p\277;I\340\30\365\325+\325\324V\214\320\223_)i\34\334\1z\366\207%\323\272\236`\17P\216\353E\374&\12R\234\265\0\351\235w\0\246N\3708\320\33\250\14\365M2\315\277\16\264?\356\237\264\335\335%\252B\356\364zh]4\217\321b@\345\232\3023\217\301%\241\371l\217\5\256\331e\14\234\254\236t\371'\225a\216&\23\211\63\267\270\337L\325h\1k\15f\15)\336\365`xDD\255\314{\31xD\6\4\362G\11\11\231f\272d\330\345k\247\253\355`\332\5\250\234.\15h+\325\272^\202=l\16\251\325\235\317\223\262'\22\336\307\15\252Ta\350\200G\335\264\366Gy\374\7y$z\352\277\340\243!\335B\234\371\323|\356r\336Y\36\11\12+\344\362\11".\24M3&\255"\247N\216\374\204\256\4-\310\253\4!S=\345\226\37\201\205", ) .\24M3&\255 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "2\377\350\271\242\350]\331\334\347.\10+[b\244'\16\245\5/\253\37\361G\31I\266\236]4\7\366\327\366\37\346\333\247\234\273\363k\12\245AD\356\12\227\207\30q\371g\207\330H~\252q;\36\212)\202r5\263\313\25\14)\\367f~\361C%\236\357u\271`\255\202RD\7z\267\256\257(\251\216\325>\2457}\5\340\2326y\212\352g\275\326\221N\12E\206!\5\1\21\214Q\20\304|\25\365\301\315\260k\324\304{+\3358\20m\263|q\34\2734U\341\304\4\31nw\310\250\263.\317A8\346\33\356s\2050\243l\247\27Zv\322w\3659\352\335\245\21_\23\35\326v0\305a\223\246\264\373\242n\214+P\210+8@(.\235B\313\227(\353)\325\211\213baEB\313\36\275\353S02\25\0\222q\306\243\6\272\2116U\213Ra\27\206T\330\225Y\314S\315E\245h\235\330r\352\317p\277;I\340\30\365\325+\325\324V\214\320\223_)i\34\334\1z\366\207%\323\272\236`\17P\216\353E\374&\12R\234\265\0\351\235w\0\246N\3708\320\33\250\14\365M2\315\277\16\264?\356\237\264\335\335%\252B\356\364zh]4\217\321b@\345\232\3023\217\301%\241\371l\217\5\256\331e\14\234\254\236t\371'\225a\216&\23\211\63\267\270\337L\325h\1k\15f\15)\336\365`xDD\255\314{\31xD\6\4\362G\11\11\231f\272d\330\345k\247\253\355`\332\5\250\234.\15h+\325\272^\202=l\16\251\325\235\317\223\262'\22\336\307\15\252Ta\350\200G\335\264\366Gy\374\7y$z\352\277\340\243!\335B\234\371\323|\356r\336Y\36\11\12+\344\362\11".\24M3&\255"\247N\216\374\204\256\4-\310\253\4!S=\345\226\37\201\205", ) , ) == 0x0
 00273   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00274   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2'v\200G\224\237\3:\246\350\27$\11kv\16\11\375\247O\346YF\277\320\201\30=c7\225\240\215*\214(X\376Vp\36\34\221\303~\356\332\244\214\372M-d\13\1p\366\17\32\237\233z\261\321[\5!c\26\216\225\200\230}\350\212\2565\375\265"e\312#\275\0)eN\222\305T\377\234\204:\263\13\345\312\325\370\331\325\213\16U\372zR4\217\310\2056\226\356Z%\234\331\21\301\344I\37\353\207{\21\350\313\333:\23\351Ty\313\275\314\335\306S\343\11\371\302\203\207A\3\361\335\332\270e\301-f\205j\300\277\364\262\242-\216m`\257f\0\231\210e\10\333\213\306\37\331;q\12\252\341=KeP\372\355x#\233\223\260R\327\33\2216\323\12\13R\24\352Q\37\226\356\204\0\204c\255\212qg\322~\242\11R\342\24\202\7h\11Z\377\270\2169\2034\344\37\227|\232w\25\260\361\36\343\310r\226C4\6\5-n{\364\27{Z\22\3717\221\235\357]\304\267\335\340 \235\260\375\365\7V"\16 \230\372\63\322\25235*2k\206z\362\17k\275\236\333faa\3132on\271\312Y\232\237\377@\362T\31\214\366\204\230\14\375ih\366\31\202\335\222n\343kQ/J\373\203+s\4\353\200"\304\337\36\312'A\303\233\276\245\263c)\251A`\375T\343\221\246|\2022\354\212\262\240\2072\266[\216\353h{J)\312b\343x\21277\241{\255\375u`\263\2673j\261\276\346t-6\371\223\326\305\213\243fw\326\0\12'\341\364A\342fh\265\211T;}r\3073\373\372\323\342~\266_\177\221d\325b\4\\304\376y\5\376\213\5UYQXK\316%\3510&I\364\372\221\244n\316\244`Y", ) e\312#\275\0)eN\222\305T\377\234\204:\263\13\345\312\325\370\331\325\213\16U\372zR4\217\310\2056\226\356Z%\234\331\21\301\344I\37\353\207{\21\350\313\333:\23\351Ty\313\275\314\335\306S\343\11\371\302\203\207A\3\361\335\332\270e\301-f\205j\300\277\364\262\242-\216m`\257f\0\231\210e\10\333\213\306\37\331;q\12\252\341=KeP\372\355x#\233\223\260R\327\33\2216\323\12\13R\24\352Q\37\226\356\204\0\204c\255\212qg\322~\242\11R\342\24\202\7h\11Z\377\270\2169\2034\344\37\227|\232w\25\260\361\36\343\310r\226C4\6\5-n{\364\27{Z\22\3717\221\235\357]\304\267\335\340 \235\260\375\365\7V (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2'v\200G\224\237\3:\246\350\27$\11kv\16\11\375\247O\346YF\277\320\201\30=c7\225\240\215*\214(X\376Vp\36\34\221\303~\356\332\244\214\372M-d\13\1p\366\17\32\237\233z\261\321[\5!c\26\216\225\200\230}\350\212\2565\375\265"e\312#\275\0)eN\222\305T\377\234\204:\263\13\345\312\325\370\331\325\213\16U\372zR4\217\310\2056\226\356Z%\234\331\21\301\344I\37\353\207{\21\350\313\333:\23\351Ty\313\275\314\335\306S\343\11\371\302\203\207A\3\361\335\332\270e\301-f\205j\300\277\364\262\242-\216m`\257f\0\231\210e\10\333\213\306\37\331;q\12\252\341=KeP\372\355x#\233\223\260R\327\33\2216\323\12\13R\24\352Q\37\226\356\204\0\204c\255\212qg\322~\242\11R\342\24\202\7h\11Z\377\270\2169\2034\344\37\227|\232w\25\260\361\36\343\310r\226C4\6\5-n{\364\27{Z\22\3717\221\235\357]\304\267\335\340 \235\260\375\365\7V"\16 \230\372\63\322\25235*2k\206z\362\17k\275\236\333faa\3132on\271\312Y\232\237\377@\362T\31\214\366\204\230\14\375ih\366\31\202\335\222n\343kQ/J\373\203+s\4\353\200"\304\337\36\312'A\303\233\276\245\263c)\251A`\375T\343\221\246|\2022\354\212\262\240\2072\266[\216\353h{J)\312b\343x\21277\241{\255\375u`\263\2673j\261\276\346t-6\371\223\326\305\213\243fw\326\0\12'\341\364A\342fh\265\211T;}r\3073\373\372\323\342~\266_\177\221d\325b\4\\304\376y\5\376\213\5UYQXK\316%\3510&I\364\372\221\244n\316\244`Y", ) \343kQ/J\373\203+s\4\353\200 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\2'v\200G\224\237\3:\246\350\27$\11kv\16\11\375\247O\346YF\277\320\201\30=c7\225\240\215*\214(X\376Vp\36\34\221\303~\356\332\244\214\372M-d\13\1p\366\17\32\237\233z\261\321[\5!c\26\216\225\200\230}\350\212\2565\375\265"e\312#\275\0)eN\222\305T\377\234\204:\263\13\345\312\325\370\331\325\213\16U\372zR4\217\310\2056\226\356Z%\234\331\21\301\344I\37\353\207{\21\350\313\333:\23\351Ty\313\275\314\335\306S\343\11\371\302\203\207A\3\361\335\332\270e\301-f\205j\300\277\364\262\242-\216m`\257f\0\231\210e\10\333\213\306\37\331;q\12\252\341=KeP\372\355x#\233\223\260R\327\33\2216\323\12\13R\24\352Q\37\226\356\204\0\204c\255\212qg\322~\242\11R\342\24\202\7h\11Z\377\270\2169\2034\344\37\227|\232w\25\260\361\36\343\310r\226C4\6\5-n{\364\27{Z\22\3717\221\235\357]\304\267\335\340 \235\260\375\365\7V"\16 \230\372\63\322\25235*2k\206z\362\17k\275\236\333faa\3132on\271\312Y\232\237\377@\362T\31\214\366\204\230\14\375ih\366\31\202\335\222n\343kQ/J\373\203+s\4\353\200"\304\337\36\312'A\303\233\276\245\263c)\251A`\375T\343\221\246|\2022\354\212\262\240\2072\266[\216\353h{J)\312b\343x\21277\241{\255\375u`\263\2673j\261\276\346t-6\371\223\326\305\213\243fw\326\0\12'\341\364A\342fh\265\211T;}r\3073\373\372\323\342~\266_\177\221d\325b\4\\304\376y\5\376\213\5UYQXK\316%\3510&I\364\372\221\244n\316\244`Y", ) , ) == 0x0
 00275   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00276   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "B\234{$\15\351@\261\273\321\25G`\206hA5\323\0qa\234\7q5\265"\11\351\267\256\15\352@\225\215\231\3649\242\366?\315\36\232\212[@N\353\236c\212@\361b\33\6-]\233o\245\211\2147\0R\315\253\6 y)A$\221{\313&\33\250M \321\6\35!\354G\316\203\370\273\2\361\0\351D\13R\363\201e(g\234\241\31j?\1\2275\2\3709MH\15\245g\303*6/\204b\222T\6\327\329.b^hyI\222-\2375\323\377\251\261E\222O&\235\305\352p\217\265/Z\3752\271\322E` \221\276cJ\236\235B\236A\15'\21e\346kN'>\6\16e\302@=\222\305\252\210\245\221q\21e6\260\11Y\326qVd\332\330\14\30G\377V\24\227[\30\343\202\273V=\275\336-E^\201\265\215\250@\211\2157d\235\32\25*t\332\220@\371\275\262\262\355\2466\306\256\335Wq\16\353\362Zd.%\35NF)\237\14C@M\231U\343\225:\276`r\317h.u\272\205$\35"\265d\243A\362\332\4\243\365b\274I\321\232%\330\322p1!\205[\212\334\324\207\5p2al\223\202\21\6t\266\5Q5\35\23Q!\362\341/\231\13\315\22s\352s\341V\204\252#&\312uU0\2455\4\224\34r\22\332\241\243\351\215\330^\342\36\201\3\251@b@\21F3Q\301,\V\351\303\14\354\233>\347\343*\2061\7\376\216\250\35\1c\365\331\372\321\355u \300\210\7\352\225\337\362\13+\37\1!\225\273M5\361)+b\233\333=x\32e\241+\312?\247%)o\7l\247s\252i\321\7\7\203t;mJ7\4u:\313\207\6\216\376\252\365\30%g\12Ba\6\363\337g\263-\322c\15=\321\251\223\25\321#%2o\346H", ) \11\351\267\256\15\352@\225\215\231\3649\242\366?\315\36\232\212[@N\353\236c\212@\361b\33\6-]\233o\245\211\2147\0R\315\253\6 y)A$\221{\313&\33\250M \321\6\35!\354G\316\203\370\273\2\361\0\351D\13R\363\201e(g\234\241\31j?\1\2275\2\3709MH\15\245g\303*6/\204b\222T\6\327\329.b^hyI\222-\2375\323\377\251\261E\222O&\235\305\352p\217\265/Z\3752\271\322E` \221\276cJ\236\235B\236A\15'\21e\346kN'>\6\16e\302@=\222\305\252\210\245\221q\21e6\260\11Y\326qVd\332\330\14\30G\377V\24\227[\30\343\202\273V=\275\336-E^\201\265\215\250@\211\2157d\235\32\25*t\332\220@\371\275\262\262\355\2466\306\256\335Wq\16\353\362Zd.%\35NF)\237\14C@M\231U\343\225:\276`r\317h.u\272\205$\35 (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "B\234{$\15\351@\261\273\321\25G`\206hA5\323\0qa\234\7q5\265"\11\351\267\256\15\352@\225\215\231\3649\242\366?\315\36\232\212[@N\353\236c\212@\361b\33\6-]\233o\245\211\2147\0R\315\253\6 y)A$\221{\313&\33\250M \321\6\35!\354G\316\203\370\273\2\361\0\351D\13R\363\201e(g\234\241\31j?\1\2275\2\3709MH\15\245g\303*6/\204b\222T\6\327\329.b^hyI\222-\2375\323\377\251\261E\222O&\235\305\352p\217\265/Z\3752\271\322E` \221\276cJ\236\235B\236A\15'\21e\346kN'>\6\16e\302@=\222\305\252\210\245\221q\21e6\260\11Y\326qVd\332\330\14\30G\377V\24\227[\30\343\202\273V=\275\336-E^\201\265\215\250@\211\2157d\235\32\25*t\332\220@\371\275\262\262\355\2466\306\256\335Wq\16\353\362Zd.%\35NF)\237\14C@M\231U\343\225:\276`r\317h.u\272\205$\35"\265d\243A\362\332\4\243\365b\274I\321\232%\330\322p1!\205[\212\334\324\207\5p2al\223\202\21\6t\266\5Q5\35\23Q!\362\341/\231\13\315\22s\352s\341V\204\252#&\312uU0\2455\4\224\34r\22\332\241\243\351\215\330^\342\36\201\3\251@b@\21F3Q\301,\V\351\303\14\354\233>\347\343*\2061\7\376\216\250\35\1c\365\331\372\321\355u \300\210\7\352\225\337\362\13+\37\1!\225\273M5\361)+b\233\333=x\32e\241+\312?\247%)o\7l\247s\252i\321\7\7\203t;mJ7\4u:\313\207\6\216\376\252\365\30%g\12Ba\6\363\337g\263-\322c\15=\321\251\223\25\321#%2o\346H", ) , ) == 0x0
 00277   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00278   444   NtReadFile  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (56, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\273\222s\211#\316s\200\252\203x\22\341\351/=p\363\206WLu5\215\321l`y\353\276\375\14\1\214\363\343:\22\246m\327\335N\3351\343\323C\312./\10E\331\30\304-\322\273\12\35\330%\24\345\304?n\333\362\5D<\323\267niAi\340\3024\353dN\12h.*\276\325\211\3ls\204#p\210\304\236\323\5E\235\13Hs\257\334\273\267\1\222l\24\221\342\373\310k\340.\266\315\367\370EY\334\345\11\350\37q\223\11\232m\16\5\222\240E1\227\351\264x\311\342yE\330j\224\26If\25\206\3030\365\234\21\321\14h\331?G\346\321}\352\226\336\245\212\337\2203\264\245\370?\206@\23!\25\253)E\361)P\311\214\33c\17\23\205\q\11\7\241R\356\266\320\370\14O\366sv\340\374\31\263\30\217M\\255\340\4\25\372\2463\0\222\330J\375\223\333\250\3576f\254?-\366xGq\3307\25)\304gH'\203O\7%\26\34a$\271w\3gv\363\147\331\341\247J\364}&x\317a8\311\36\373\0\300G\200=1\311z\266$\235\27\247\313\300\365\2652\373V\23\32\312e\231w\267X>\345\260/\25\255\301\300\15Aa[!\215\365rLiJ\10\1/\342\23\237\14\251rk,:\3\305\242\263S\214\16\376\272\211\370\242w\7\335\334@\2559\20;\332}\33\375(.\247\1\233d\2042\24%\314l\27c\336%E^\200\321F\353\330\321\11\374lk\327\221p0\341L\326\17\\342y%\13\243\313\320 \274\335\301\333\22\246\250C\360\276k3-\262\374,\3/\331D-\212\243\345@\356"\310\15E\336\7C\203_v5\326\222K\331\200\225mjH;\2320\353\221\4\11\260\336\14\306\345\360\223\354\16o\221(\217\273\227\340`\7\25\326\3029}\227(u\1", ) \310\15E\336\7C\203_v5\326\222K\331\200\225mjH;\2320\353\221\4\11\260\336\14\306\345\360\223\354\16o\221(\217\273\227\340`\7\25\326\3029}\227(u\1", ) == 0x0
 00279   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (60, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00280   444   NtReadFile  (56, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (56, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "a\231c\5q\231c\5E\211c\5U\211c\5\305\273c\5\325\273c\5%\270c\5-\270c\55\270c\5=\270c\5\5\270c\5\15\270c\5\25\270c\5\35\270c\5e\270c\5m\270c\5\201\270c\5\225\270c\5\371\270c\5=\271c\5q\271c\5\211\271c\5\361\271c\51\276c\5\261\276c\5\311\276c\5\245\274c\5\321\275c\5\21\242c\55\243c\5\201\243c\5U\241c\5]\247c\5e\245c\5\11\252c\5\351\252c\5i\253c\5\251\253c\5]\250c\5\275\250c\5\341\250c\5\321\250c\5\271\221f\5\301\221f\5\366\373d\5\312\373d\5#\370d\5;\370d\5\25\370d\5o\370d\5H\370d\5\245\370d\5\201\370d\5\230\370d\5\365\370d\5\311\370d\5\337\370d\53\371d\5\11\371d\5`\371d\5q\371d\5\\371d\5\267\371d\5\226\371d\5\360\371d\5\331\371d\5:\376d\5k\376d\5N\376d\5\263\376d\5\340\376d\5\300\376d\5%\377d\5\30\377d\5F\377d\5]\377d\5\263\377d\5\213\377d\5\341\377d\5\367\377d\5\315\377d\5 \374d\5;\374d\5\16\374d\5e\374d\5\177\374d\5X\374d\5\245\374d\5\253\374d\5\262\374d\5\276\374d\5=\322u\56\322z\55\322{\54\322y\5%\322`\5)\322d\5'\322f\5\12\322x\5<\322}\5\5\322C\5\11\322I\5\10\322B\5\2\322A\5>\322F\5\7\322D\52\322r\53\322o\51\322m\5.\322n\5*\322i\5(\322O\5!\322a\5 \322M\5\14\322c\5!\322c\5!\322c\5!\322cE\5\252\23!\20\340-hT\266\23Eu\234.Pe\202cE\5\252\23!\20\347-h", ) , ) == 0x0
 00281   444   NtWriteFile  (60, 0, 0, 0,  (60, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00282   444   NtClose  (60, ... ) == 0x0
 00283   444   NtClose  (56, ... ) == 0x0
 00284   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00285   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.tmp"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00286   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 60, ) == 0x0
 00287   444   NtClose  (56, ... ) == 0x0
 00288   444   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 176128, ) == 0x0
 00289   444   NtClose  (60, ... ) == 0x0
 00290   444   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 00291   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00292   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00293   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.tmp"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00294   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0
 00295   444   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00296   444   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00297   444   NtQueryInformationToken  (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00298   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0
 00300   444   NtQueryValueKey  (68,  (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00301   444   NtClose  (68, ... ) == 0x0
 00302   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00303   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00304   444   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00305   444   NtClose  (68, ... ) == 0x0
 00306   444   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00307   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308   444   NtClose  (64, ... ) == 0x0
 00309   444   NtClose  (60, ... ) == 0x0
 00310   444   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xa00000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00311   444   NtMapViewOfSection  (56, -1, (0xa00000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00312   444   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00313   444   NtClose  (56, ... ) == 0x0
 00314   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 8, ) == 0x0
 00315   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 8, ... (0xa72000), 4096, 4, ) == 0x0
 00316   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00317   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00318   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00319   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00320   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00321   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00322   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00323   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00324   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00325   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00326   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 56, ) }, ... 56, ) == 0x0
 00327   444   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00328   444   NtClose  (56, ... ) == 0x0
 00329   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00330   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00331   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00332   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 56, ) }, ... 56, ) == 0x0
 00333   444   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00334   444   NtClose  (56, ... ) == 0x0
 00335   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00336   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00337   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00338   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 56, ) }, ... 56, ) == 0x0
 00339   444   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00340   444   NtClose  (56, ... ) == 0x0
 00341   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 56, ) }, ... 56, ) == 0x0
 00342   444   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00343   444   NtClose  (56, ... ) == 0x0
 00344   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00345   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00346   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00347   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00348   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00349   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00350   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00351   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00352   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00353   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0
 00354   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00355   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 60, ) == 0x0
 00356   444   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00357   444   NtClose  (56, ... ) == 0x0
 00358   444   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00359   444   NtClose  (60, ... ) == 0x0
 00360   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00362   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241148, ... ) }, 1241148, ... ) == 0x0
 00364   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00365   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 56, ) == 0x0
 00366   444   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00367   444   NtClose  (60, ... ) == 0x0
 00368   444   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00369   444   NtClose  (56, ... ) == 0x0
 00370   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00372   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00373   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240344, ... ) }, 1240344, ... ) == 0x0
 00374   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00375   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 60, ) == 0x0
 00376   444   NtQuerySection  (60, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00377   444   NtClose  (56, ... ) == 0x0
 00378   444   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00379   444   NtClose  (60, ... ) == 0x0
 00380   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00381   444   NtProtectVirtualMemory  (-1, (0xa72000), 4096, 4, ... (0xa72000), 4096, 4, ) == 0x0
 00382   444   NtFlushInstructionCache  (-1, 10952704, 4096, ... ) == 0x0
 00383   444   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00384   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00385   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 64, ) }, ... 64, ) == 0x0
 00386   444   NtNotifyChangeKey  (64, 56, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00387   444   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00388   444   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0
 00389   444   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00390   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00391   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00392   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 76, ) }, ... 76, ) == 0x0
 00393   444   NtQueryValueKey  (76,  (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00394   444   NtClose  (76, ... ) == 0x0
 00395   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00396   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00397   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00398   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00399   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 76, ) }, ... 76, ) == 0x0
 00400   444   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00401   444   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   444   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403   444   NtClose  (76, ... ) == 0x0
 00404   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 76, ) }, ... 76, ) == 0x0
 00405   444   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   444   NtQueryValueKey  (76,  (76, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00407   444   NtClose  (76, ... ) == 0x0
 00408   444   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 76, ) }, ... 76, ) == 0x0
 00409   444   NtOpenEvent  (0x1f0003, {24, 76, 0x0, 0, 0,  (0x1f0003, {24, 76, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00411   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 11010048, 65536, ) == 0x0
 00412   444   NtAllocateVirtualMemory  (-1, 11010048, 0, 4096, 4096, 4, ... 11010048, 4096, ) == 0x0
 00413   444   NtAllocateVirtualMemory  (-1, 11014144, 0, 8192, 4096, 4, ... 11014144, 8192, ) == 0x0
 00414   444   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00415   444   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 12288, ) == 0x0
 00416   444   NtClose  (80, ... ) == 0x0
 00417   444   NtAllocateVirtualMemory  (-1, 11022336, 0, 4096, 4096, 4, ... 11022336, 4096, ) == 0x0
 00418   444   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00419   444   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00420   444   NtOpenKey  (0x9, {24, 48, 0x40, 0, 0,  (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00421   444   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00422   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00423   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00424   444   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00425   444   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00426   444   NtQueryVirtualMemory  (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00427   444   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00428   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 11141120, 1048576, ) == 0x0
 00429   444   NtAllocateVirtualMemory  (-1, 11141120, 0, 16384, 4096, 4, ... 11141120, 16384, ) == 0x0
 00430   444   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00431   444   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00432   444   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00433   444   NtOpenKey  (0xf003f, {24, 52, 0x40, 0, 0,  (0xf003f, {24, 52, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00434   444   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00435   444   NtQueryInformationToken  (80, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00436   444   NtClose  (80, ... ) == 0x0
 00437   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00438   444   NtReleaseMutant  (16, ...
 00439   444   NtContinue  (-130842488, 0, ...
 00438   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00440   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00441   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00442   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00443   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00445   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\ika1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00446   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00447   444   NtReleaseMutant  (16, ...
 00448   444   NtContinue  (-130842488, 0, ...
 00447   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00449   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00450   444   NtReleaseMutant  (16, ...
 00451   444   NtContinue  (-130842488, 0, ...
 00450   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00452   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00453   444   NtReleaseMutant  (16, ...
 00454   444   NtContinue  (-130842488, 0, ...
 00453   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00455   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00456   444   NtReleaseMutant  (16, ...
 00457   444   NtContinue  (-130842488, 0, ...
 00456   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00458   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00459   444   NtReleaseMutant  (16, ...
 00460   444   NtContinue  (-130842488, 0, ...
 00459   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00461   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00462   444   NtReleaseMutant  (16, ...
 00463   444   NtContinue  (-130842488, 0, ...
 00462   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00464   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00465   444   NtReleaseMutant  (16, ...
 00466   444   NtContinue  (-130842488, 0, ...
 00465   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00467   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00468   444   NtReleaseMutant  (16, ...
 00469   444   NtContinue  (-130842488, 0, ...
 00468   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00470   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00471   444   NtReleaseMutant  (16, ...
 00472   444   NtContinue  (-130842488, 0, ...
 00471   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00473   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00474   444   NtReleaseMutant  (16, ...
 00475   444   NtContinue  (-130842488, 0, ...
 00474   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00476   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00477   444   NtReleaseMutant  (16, ...
 00478   444   NtContinue  (-130842488, 0, ...
 00477   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00479   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00480   444   NtReleaseMutant  (16, ...
 00481   444   NtContinue  (-130842488, 0, ...
 00480   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00482   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00483   444   NtReleaseMutant  (16, ...
 00484   444   NtContinue  (-130842488, 0, ...
 00483   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00485   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00486   444   NtReleaseMutant  (16, ...
 00487   444   NtContinue  (-130842488, 0, ...
 00486   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00488   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00489   444   NtReleaseMutant  (16, ...
 00490   444   NtContinue  (-130842488, 0, ...
 00489   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00491   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00492   444   NtReleaseMutant  (16, ...
 00493   444   NtContinue  (-130842488, 0, ...
 00492   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00494   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00495   444   NtReleaseMutant  (16, ...
 00496   444   NtContinue  (-130842488, 0, ...
 00495   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00497   444   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00498   444   NtReleaseMutant  (16, ...
 00499   444   NtContinue  (-130842488, 0, ...
 00498   444   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00500   444   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 80, ) == 0x0
 00501   444   NtUserGetDC  (0, ... ) == 0x1010052
 00502   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00503   444   NtUserGetDC  (0, ... ) == 0x1010052
 00504   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00505   444   NtGdiCreatePaletteInternal  (1241872, 16, ... ) == 0x43080409
 00506   444   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00507   444   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00508   444   NtUserFindExistingCursorIcon  (1242268, 1242284, 1242852, ... ) == 0x10003
 00509   444   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\0B\04\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0
 00510   444   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\0A\00\00\00\00\00\00\00\00\00\00\01\0B\0C\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0
 00511   444   NtUserSystemParametersInfo  (104, 0, 11146364, 0, ... ) == 0x1
 00512   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00513   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10023
 00514   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00515   444   NtUserGetDC  (0, ... ) == 0x1010052
 00516   444   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xa0503db
 00517   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00518   444   NtGdiSelectBitmap  (268501967, 168100827, ... ) == 0x185000f
 00519   444   NtGdiGetDCforBitmap  (168100827, ... ) == 0x100103cf
 00520   444   NtGdiSaveDC  (268501967, ... ) == 0x1
 00521   444   NtGdiSelectBitmap  (268501967, 168100827, ... ) == 0xa0503db
 00522   444   NtGdiGetDCObject  (268501967, 524288, ... ) == 0x188000b
 00523   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00524   444   NtGdiSetDIBitsToDeviceInternal  (268501967, 0, 0, 32, 64, 0, 0, 0, 64, 10892812, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00525   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00526   444   NtGdiSelectBitmap  (268501967, 168100827, ... ) == 0xa0503db
 00527   444   NtGdiRestoreDC  (268501967, -1, ... ) == 0x1
 00528   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0xa0503db
 00529   444   NtGdiCreateCompatibleDC  (268501967, ... ) == 0x190103f1
 00530   444   NtGdiExtGetObjectW  (168100827, 24, 1241324, ... ) == 0x18
 00531   444   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x80503d9
 00532   444   NtGdiSelectBitmap  (268501967, 168100827, ... ) == 0x185000f
 00533   444   NtGdiSelectBitmap  (419496945, 134546393, ... ) == 0x185000f
 00534   444   NtGdiBitBlt  (419496945, 0, 0, 32, 64, 268501967, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00535   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0xa0503db
 00536   444   NtGdiSelectBitmap  (419496945, 25493519, ... ) == 0x80503d9
 00537   444   NtGdiDeleteObjectApp  (168100827, ... ) == 0x1
 00538   444   NtGdiDeleteObjectApp  (419496945, ... ) == 0x1
 00539   444   NtUserCallOneParam  (0, 33, ... ) == 0x3006b
 00540   444   NtUserSetCursorIconData  (196715, 1241432, 1241448, 1242028, ... ) == 0x1
 00541   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10029
 00542   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10027
 00543   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10025
 00544   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00545   444   NtUserGetDC  (0, ... ) == 0x1010052
 00546   444   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xb0503d8
 00547   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00548   444   NtGdiSelectBitmap  (268501967, 184878040, ... ) == 0x185000f
 00549   444   NtGdiGetDCforBitmap  (184878040, ... ) == 0x100103cf
 00550   444   NtGdiSaveDC  (268501967, ... ) == 0x1
 00551   444   NtGdiSelectBitmap  (268501967, 184878040, ... ) == 0xb0503d8
 00552   444   NtGdiGetDCObject  (268501967, 524288, ... ) == 0x188000b
 00553   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00554   444   NtGdiSetDIBitsToDeviceInternal  (268501967, 0, 0, 32, 64, 0, 0, 0, 64, 10893120, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00555   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00556   444   NtGdiSelectBitmap  (268501967, 184878040, ... ) == 0xb0503d8
 00557   444   NtGdiRestoreDC  (268501967, -1, ... ) == 0x1
 00558   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0xb0503d8
 00559   444   NtGdiCreateCompatibleDC  (268501967, ... ) == 0xc0103db
 00560   444   NtGdiExtGetObjectW  (184878040, 24, 1241324, ... ) == 0x18
 00561   444   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x8050402
 00562   444   NtGdiSelectBitmap  (268501967, 184878040, ... ) == 0x185000f
 00563   444   NtGdiSelectBitmap  (201393115, 134546434, ... ) == 0x185000f
 00564   444   NtGdiBitBlt  (201393115, 0, 0, 32, 64, 268501967, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00565   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0xb0503d8
 00566   444   NtGdiSelectBitmap  (201393115, 25493519, ... ) == 0x8050402
 00567   444   NtGdiDeleteObjectApp  (184878040, ... ) == 0x1
 00568   444   NtGdiDeleteObjectApp  (201393115, ... ) == 0x1
 00569   444   NtUserCallOneParam  (0, 33, ... ) == 0x3006d
 00570   444   NtUserSetCursorIconData  (196717, 1241432, 1241448, 1242028, ... ) == 0x1
 00571   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00572   444   NtUserGetDC  (0, ... ) == 0x1010052
 00573   444   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1b0503f1
 00574   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00575   444   NtGdiSelectBitmap  (268501967, 453313521, ... ) == 0x185000f
 00576   444   NtGdiGetDCforBitmap  (453313521, ... ) == 0x100103cf
 00577   444   NtGdiSaveDC  (268501967, ... ) == 0x1
 00578   444   NtGdiSelectBitmap  (268501967, 453313521, ... ) == 0x1b0503f1
 00579   444   NtGdiGetDCObject  (268501967, 524288, ... ) == 0x188000b
 00580   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00581   444   NtGdiSetDIBitsToDeviceInternal  (268501967, 0, 0, 32, 64, 0, 0, 0, 64, 10893428, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00582   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00583   444   NtGdiSelectBitmap  (268501967, 453313521, ... ) == 0x1b0503f1
 00584   444   NtGdiRestoreDC  (268501967, -1, ... ) == 0x1
 00585   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0x1b0503f1
 00586   444   NtGdiCreateCompatibleDC  (268501967, ... ) == 0xd0103d8
 00587   444   NtGdiExtGetObjectW  (453313521, 24, 1241324, ... ) == 0x18
 00588   444   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x8050403
 00589   444   NtGdiSelectBitmap  (268501967, 453313521, ... ) == 0x185000f
 00590   444   NtGdiSelectBitmap  (218170328, 134546435, ... ) == 0x185000f
 00591   444   NtGdiBitBlt  (218170328, 0, 0, 32, 64, 268501967, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00592   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0x1b0503f1
 00593   444   NtGdiSelectBitmap  (218170328, 25493519, ... ) == 0x8050403
 00594   444   NtGdiDeleteObjectApp  (453313521, ... ) == 0x1
 00595   444   NtGdiDeleteObjectApp  (218170328, ... ) == 0x1
 00596   444   NtUserCallOneParam  (0, 33, ... ) == 0x300a1
 00597   444   NtUserSetCursorIconData  (196769, 1241432, 1241448, 1242028, ... ) == 0x1
 00598   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00599   444   NtUserGetDC  (0, ... ) == 0x1010052
 00600   444   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xe0503db
 00601   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00602   444   NtGdiSelectBitmap  (268501967, 235209691, ... ) == 0x185000f
 00603   444   NtGdiGetDCforBitmap  (235209691, ... ) == 0x100103cf
 00604   444   NtGdiSaveDC  (268501967, ... ) == 0x1
 00605   444   NtGdiSelectBitmap  (268501967, 235209691, ... ) == 0xe0503db
 00606   444   NtGdiGetDCObject  (268501967, 524288, ... ) == 0x188000b
 00607   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00608   444   NtGdiSetDIBitsToDeviceInternal  (268501967, 0, 0, 32, 64, 0, 0, 0, 64, 10893736, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00609   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00610   444   NtGdiSelectBitmap  (268501967, 235209691, ... ) == 0xe0503db
 00611   444   NtGdiRestoreDC  (268501967, -1, ... ) == 0x1
 00612   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0xe0503db
 00613   444   NtGdiCreateCompatibleDC  (268501967, ... ) == 0x1d0103f1
 00614   444   NtGdiExtGetObjectW  (235209691, 24, 1241324, ... ) == 0x18
 00615   444   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x80503fd
 00616   444   NtGdiSelectBitmap  (268501967, 235209691, ... ) == 0x185000f
 00617   444   NtGdiSelectBitmap  (486605809, 134546429, ... ) == 0x185000f
 00618   444   NtGdiBitBlt  (486605809, 0, 0, 32, 64, 268501967, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00619   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0xe0503db
 00620   444   NtGdiSelectBitmap  (486605809, 25493519, ... ) == 0x80503fd
 00621   444   NtGdiDeleteObjectApp  (235209691, ... ) == 0x1
 00622   444   NtGdiDeleteObjectApp  (486605809, ... ) == 0x1
 00623   444   NtUserCallOneParam  (0, 33, ... ) == 0x3009f
 00624   444   NtUserSetCursorIconData  (196767, 1241432, 1241448, 1242028, ... ) == 0x1
 00625   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00626   444   NtUserGetDC  (0, ... ) == 0x1010052
 00627   444   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xf0503d8
 00628   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00629   444   NtGdiSelectBitmap  (268501967, 251986904, ... ) == 0x185000f
 00630   444   NtGdiGetDCforBitmap  (251986904, ... ) == 0x100103cf
 00631   444   NtGdiSaveDC  (268501967, ... ) == 0x1
 00632   444   NtGdiSelectBitmap  (268501967, 251986904, ... ) == 0xf0503d8
 00633   444   NtGdiGetDCObject  (268501967, 524288, ... ) == 0x188000b
 00634   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00635   444   NtGdiSetDIBitsToDeviceInternal  (268501967, 0, 0, 32, 64, 0, 0, 0, 64, 10894044, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00636   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00637   444   NtGdiSelectBitmap  (268501967, 251986904, ... ) == 0xf0503d8
 00638   444   NtGdiRestoreDC  (268501967, -1, ... ) == 0x1
 00639   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0xf0503d8
 00640   444   NtGdiCreateCompatibleDC  (268501967, ... ) == 0x100103db
 00641   444   NtGdiExtGetObjectW  (251986904, 24, 1241324, ... ) == 0x18
 00642   444   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x11050382
 00643   444   NtGdiSelectBitmap  (268501967, 251986904, ... ) == 0x185000f
 00644   444   NtGdiSelectBitmap  (268501979, 285541250, ... ) == 0x185000f
 00645   444   NtGdiBitBlt  (268501979, 0, 0, 32, 64, 268501967, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00646   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0xf0503d8
 00647   444   NtGdiSelectBitmap  (268501979, 25493519, ... ) == 0x11050382
 00648   444   NtGdiDeleteObjectApp  (251986904, ... ) == 0x1
 00649   444   NtGdiDeleteObjectApp  (268501979, ... ) == 0x1
 00650   444   NtUserCallOneParam  (0, 33, ... ) == 0x3009d
 00651   444   NtUserSetCursorIconData  (196765, 1241432, 1241448, 1242028, ... ) == 0x1
 00652   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00653   444   NtUserGetDC  (0, ... ) == 0x1010052
 00654   444   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1f0503f1
 00655   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00656   444   NtGdiSelectBitmap  (268501967, 520422385, ... ) == 0x185000f
 00657   444   NtGdiGetDCforBitmap  (520422385, ... ) == 0x100103cf
 00658   444   NtGdiSaveDC  (268501967, ... ) == 0x1
 00659   444   NtGdiSelectBitmap  (268501967, 520422385, ... ) == 0x1f0503f1
 00660   444   NtGdiGetDCObject  (268501967, 524288, ... ) == 0x188000b
 00661   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00662   444   NtGdiSetDIBitsToDeviceInternal  (268501967, 0, 0, 32, 64, 0, 0, 0, 64, 10894660, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00663   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00664   444   NtGdiSelectBitmap  (268501967, 520422385, ... ) == 0x1f0503f1
 00665   444   NtGdiRestoreDC  (268501967, -1, ... ) == 0x1
 00666   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0x1f0503f1
 00667   444   NtGdiCreateCompatibleDC  (268501967, ... ) == 0x110103d8
 00668   444   NtGdiExtGetObjectW  (520422385, 24, 1241324, ... ) == 0x18
 00669   444   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x90503ff
 00670   444   NtGdiSelectBitmap  (268501967, 520422385, ... ) == 0x185000f
 00671   444   NtGdiSelectBitmap  (285279192, 151323647, ... ) == 0x185000f
 00672   444   NtGdiBitBlt  (285279192, 0, 0, 32, 64, 268501967, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00673   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0x1f0503f1
 00674   444   NtGdiSelectBitmap  (285279192, 25493519, ... ) == 0x90503ff
 00675   444   NtGdiDeleteObjectApp  (520422385, ... ) == 0x1
 00676   444   NtGdiDeleteObjectApp  (285279192, ... ) == 0x1
 00677   444   NtUserCallOneParam  (0, 33, ... ) == 0x4009b
 00678   444   NtUserSetCursorIconData  (262299, 1241432, 1241448, 1242028, ... ) == 0x1
 00679   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00680   444   NtUserGetDC  (0, ... ) == 0x1010052
 00681   444   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x120503db
 00682   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00683   444   NtGdiSelectBitmap  (268501967, 302318555, ... ) == 0x185000f
 00684   444   NtGdiGetDCforBitmap  (302318555, ... ) == 0x100103cf
 00685   444   NtGdiSaveDC  (268501967, ... ) == 0x1
 00686   444   NtGdiSelectBitmap  (268501967, 302318555, ... ) == 0x120503db
 00687   444   NtGdiGetDCObject  (268501967, 524288, ... ) == 0x188000b
 00688   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00689   444   NtGdiSetDIBitsToDeviceInternal  (268501967, 0, 0, 32, 64, 0, 0, 0, 64, 10894352, 1319624, 0, 256, 48, 1, 0, ... ) == 0x40
 00690   444   NtUserSelectPalette  (268501967, 25690123, 0, ... ) == 0x188000b
 00691   444   NtGdiSelectBitmap  (268501967, 302318555, ... ) == 0x120503db
 00692   444   NtGdiRestoreDC  (268501967, -1, ... ) == 0x1
 00693   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0x120503db
 00694   444   NtGdiCreateCompatibleDC  (268501967, ... ) == 0x210103f1
 00695   444   NtGdiExtGetObjectW  (302318555, 24, 1241324, ... ) == 0x18
 00696   444   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x60503fc
 00697   444   NtGdiSelectBitmap  (268501967, 302318555, ... ) == 0x185000f
 00698   444   NtGdiSelectBitmap  (553714673, 100991996, ... ) == 0x185000f
 00699   444   NtGdiBitBlt  (553714673, 0, 0, 32, 64, 268501967, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00700   444   NtGdiSelectBitmap  (268501967, 25493519, ... ) == 0x120503db
 00701   444   NtGdiSelectBitmap  (553714673, 25493519, ... ) == 0x60503fc
 00702   444   NtGdiDeleteObjectApp  (302318555, ... ) == 0x1
 00703   444   NtGdiDeleteObjectApp  (553714673, ... ) == 0x1
 00704   444   NtUserCallOneParam  (0, 33, ... ) == 0x4008d
 00705   444   NtUserSetCursorIconData  (262285, 1241432, 1241448, 1242028, ... ) == 0x1
 00706   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10015
 00707   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10019
 00708   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001f
 00709   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001b
 00710   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10021
 00711   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001d
 00712   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10013
 00713   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10017
 00714   444   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00715   444   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00716   444   NtUserGetDC  (0, ... ) == 0x1010052
 00717   444   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00718   444   NtUserEnumDisplayMonitors  (0, 0, 10617444, 11146944, ... ) == 0x1
 00719   444   NtUserSystemParametersInfo  (31, 60, 1241588, 0, ... ) == 0x1
 00720   444   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329104, ... ) == 0x220a03f1
 00721   444   NtGdiExtGetObjectW  (571081713, 420, 1241808, ... ) == 0x164
 00722   444   NtUserSystemParametersInfo  (41, 0, 1241788, 0, ... ) == 0x1
 00723   444   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329096, ... ) == 0x130a03d8
 00724   444   NtGdiExtGetObjectW  (319423448, 420, 1241808, ... ) == 0x164
 00725   444   NtGdiHfontCreate  (1241984, 356, 0, 0, 1329088, ... ) == 0x130a03db
 00726   444   NtGdiExtGetObjectW  (319423451, 420, 1241808, ... ) == 0x164
 00727   444   NtUserFindExistingCursorIcon  (1241896, 1241912, 1242480, ... ) == 0x0
 00728   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 12189696, 4096, ) == 0x0
 00729   444   NtUserGetKeyboardLayoutList  (64, 1242468, ... ) == 0x1
 00730   444   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0cc
 00731   444   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0cd
 00732   444   NtOpenMutant  (0x1f0001, {24, 76, 0x0, 0, 0,  (0x1f0001, {24, 76, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00733   444   NtUserSetWindowsHookEx  (10485760, 1243796, 0, 4, 10493628, 2, ... ) == 0x30099
 00734   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00735   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\SIWVID"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00736   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1244964,  (0xc0100080, {24, 0, 0x40, 0, 1244964, "\??\NTICE"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00737   444   NtOpenKey  (0x2000000, {24, 52, 0x40, 0, 0,  (0x2000000, {24, 52, 0x40, 0, 0, "Software\Wine"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00738   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00739   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00740   444   NtContinue  (1244368, 0, ...
 00741   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\KERNEL32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 84, {status=0x0, info=1}, ) == 0x0
 00742   444   NtQueryInformationFile  (84, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00743   444   NtAllocateVirtualMemory  (-1, 0, 0, 926720, 4096, 64, ... 12255232, 929792, ) == 0x0
 00744   444   NtReadFile  (84, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720},  (84, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\233\10S\206\337i=\325\337i=\325\337i=\325\337i<\325]h=\325%J$\325\334i=\325\337i=\325\335i=\325%J\2\325\336i=\325HJx\325\336i=\325%J}\325\334i=\325\5J!\325\16i=\325\5J \325\334i=\325%J\0\325\336i=\325Rich\337i=\325\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0H\7\0\0\336\6\0\0\0\0\0A\242\1\0\0\20\0\0\0\20\7\0\0\0\346w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\16\0\0\4\0\0\222\207\16\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0@!\2\0\210i\0\0\304-\7\0(\0\0\0\0\220\7\0\330^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\15\0\20S\0\0 V\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250f\7\0@\0\0\0\220\2\0\0\34\0\0\0\0\20\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) , ) == 0x0
 00745   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244952,  (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\USER32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 88, {status=0x0, info=1}, ) == 0x0
 00746   444   NtQueryInformationFile  (88, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00747   444   NtAllocateVirtualMemory  (-1, 0, 0, 561152, 4096, 64, ... 13238272, 561152, ) == 0x0
 00748   444   NtReadFile  (88, 0, 0, 0, 561152, 0x0, 0, ... {status=0x0, info=561152},  (88, 0, 0, 0, 561152, 0x0, 0, ... {status=0x0, info=561152}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0cf;e'\7U6'\7U6'\7U6'\7T6`\6U6\335$L6 \7U6'\7U6%\7U6\335$j6&\7U6\260$\206&\7U6\335$\256!\7U6\375$I6U\7U6\335$h6&\7U6Rich'\7U6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\262\5\0\0\340\2\0\0\0\0\0KQ\0\0\0\20\0\0\0P\5\0\0\0\324w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\320\10\0\0\4\0\0\35?\11\0\2\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0pk\1\0\251K\0\0\230\244\5\0P\0\0\0\0\360\5\0\210\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\10\0\270+\0\0\0\300\5\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\2\0\0L\0\0\0\0\20\0\0\324\4\0\0\300\241\5\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\08\260\5\0", ) , ) == 0x0
 00749   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1244956,  (0x80100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\ADVAPI32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00750   444   NtQueryInformationFile  (92, 1245008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00751   444   NtAllocateVirtualMemory  (-1, 0, 0, 549888, 4096, 64, ... 13828096, 552960, ) == 0x0
 00752   444   NtReadFile  (92, 0, 0, 0, 549888, 0x0, 0, ... {status=0x0, info=549888},  (92, 0, 0, 0, 549888, 0x0, 0, ... {status=0x0, info=549888}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\375\343\244\227\271\202\312\304\271\202\312\304\271\202\312\304C\241\323\304\276\202\312\304\271\202\312\304\273\202\312\304C\241\212\304\275\202\312\304\364\241\326\304\262\202\312\304p\240\340\304\277\202\312\304\271\202\313\304\37\203\312\304C\241\365\304\270\202\312\304.\241\217\304\270\202\312\304c\241\327\304\255\202\312\304c\241\326\304:\202\312\304C\241\367\304\270\202\312\304Rich\271\202\312\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0B\6\0\02\2\0\0\0\0\0\373\34\0\0\0\20\0\0\0 \6\0\0\0\335w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\260\10\0\0\4\0\0\305\371\10\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\224\1\0YQ\0\0\204(\6\0P\0\0\0\0\260\6\0h\251\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\10\0\264D\0\0\330P\6\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\0L\0\0\0\0\20\0\0\\6\0\0\360&\6\0`\0\0\0\0\0\0\0", ) , ) == 0x0
 00753   444   NtClose  (92, ... ) == 0x0
 00754   444   NtClose  (88, ... ) == 0x0
 00755   444   NtClose  (84, ... ) == 0x0
 00756   444   NtRaiseException  (1244384, 1243644, 1, ...
 00757   444   NtContinue  (1242440, 0, ...
 00758   444   NtOpenMutant  (0x120001, {24, 76, 0x2, 0, 0,  (0x120001, {24, 76, 0x2, 0, 0, "DBWinMutex"}, ... 84, ) }, ... 84, ) == 0x0
 00759   444   NtWaitForSingleObject  (84, 0, 0x0, ... ) == 0x0
 00760   444   NtOpenSection  (0x2, {24, 76, 0x0, 0, 0,  (0x2, {24, 76, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   444   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 00762   444   NtAllocateVirtualMemory  (-1, 0, 0, 748, 4096, 4, ... 14417920, 4096, ) == 0x0
 00763   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00765   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00766   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == 0x0
 00767   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00768   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 92, ) == 0x0
 00769   444   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00770   444   NtClose  (88, ... ) == 0x0
 00771   444   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0
 00772   444   NtClose  (92, ... ) == 0x0
 00773   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00774   444   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00775   444   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00776   444   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0
 00777   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 100, ) }, ... 100, ) == 0x0
 00778   444   NtQueryValueKey  (100,  (100, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   444   NtQueryValueKey  (100,  (100, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00780   444   NtQueryValueKey  (100,  (100, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00781   444   NtQueryValueKey  (100,  (100, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00782   444   NtQueryValueKey  (100,  (100, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00783   444   NtQueryValueKey  (100,  (100, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00784   444   NtQueryValueKey  (100,  (100, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00785   444   NtQueryValueKey  (100,  (100, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00786   444   NtQueryValueKey  (100,  (100, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00787   444   NtQueryValueKey  (100,  (100, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00788   444   NtQueryValueKey  (100,  (100, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00789   444   NtQueryValueKey  (100,  (100, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00790   444   NtQueryValueKey  (100,  (100, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00791   444   NtQueryValueKey  (100,  (100, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00792   444   NtQueryValueKey  (100,  (100, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00793   444   NtQueryValueKey  (100,  (100, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00794   444   NtQueryValueKey  (100,  (100, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00795   444   NtQueryValueKey  (100,  (100, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00796   444   NtQueryValueKey  (100,  (100, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00797   444   NtQueryValueKey  (100,  (100, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00798   444   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 00799   444   NtQueryValueKey  (100,  (100, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00800   444   NtQueryValueKey  (100,  (100, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00801   444   NtQueryValueKey  (100,  (100, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00802   444   NtQueryValueKey  (100,  (100, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00803   444   NtQueryValueKey  (100,  (100, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00804   444   NtQueryValueKey  (100,  (100, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00805   444   NtQueryValueKey  (100,  (100, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00806   444   NtQueryValueKey  (100,  (100, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00807   444   NtQueryValueKey  (100,  (100, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   444   NtQueryValueKey  (100,  (100, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   444   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c
 00810   444   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 104, ) }, ... 104, ) == 0x0
 00811   444   NtQueryValueKey  (104,  (104, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00812   444   NtClose  (104, ... ) == 0x0
 00813   444   NtCreateEvent  (0x1f0003, {24, 76, 0x80, 0, 0,  (0x1f0003, {24, 76, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00814   444   NtQueryValueKey  (100,  (100, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00815   444   NtQueryValueKey  (100,  (100, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00816   444   NtQueryValueKey  (100,  (100, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   444   NtQueryValueKey  (100,  (100, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00818   444   NtQueryValueKey  (100,  (100, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00819   444   NtQueryValueKey  (100,  (100, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00820   444   NtQueryValueKey  (100,  (100, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00821   444   NtQueryValueKey  (100,  (100, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   444   NtQueryValueKey  (100,  (100, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00823   444   NtQueryValueKey  (100,  (100, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 14483456, 1048576, ) == 0x0
 00825   444   NtAllocateVirtualMemory  (-1, 15523840, 0, 8192, 4096, 4, ... 15523840, 8192, ) == 0x0
 00826   444   NtProtectVirtualMemory  (-1, (0xece000), 4096, 260, ... (0xece000), 4096, 4, ) == 0x0
 00827   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 104, {436, 588}, ) == 0x0
 00828   444   NtQueryInformationThread  (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=436,Tid=588,}, 0x0, ) == 0x0
 00829   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288}  (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} "\0\0\0\0\1\0\1\0-      (h\0\0\0\264\1\0\0L\2\0\0" ... {28, 56, reply, 0, 436, 444, 1493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (h\0\0\0\264\1\0\0L\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1493, 0}  (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 538976288} "\0\0\0\0\1\0\1\0-      (h\0\0\0\264\1\0\0L\2\0\0" ... {28, 56, reply, 0, 436, 444, 1493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (h\0\0\0\264\1\0\0L\2\0\0" )  ) == 0x0
 00830   444   NtResumeThread  (104, ... 1, ) == 0x0
 00831   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 15532032, 1048576, ) == 0x0
 00832   588   NtTestAlert  (... ) == 0x0
 00833   588   NtContinue  (15531312, 1, ...
 00834   588   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00835   588   NtDelayExecution  (0, {-150000, -1}, ...
 00836   444   NtAllocateVirtualMemory  (-1, 16572416, 0, 8192, 4096, 4, ... 16572416, 8192, ) == 0x0
 00837   444   NtProtectVirtualMemory  (-1, (0xfce000), 4096, 260, ... (0xfce000), 4096, 4, ) == 0x0
 00838   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 108, {436, 580}, ) == 0x0
 00839   444   NtQueryInformationThread  (108, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=436,Tid=580,}, 0x0, ) == 0x0
 00840   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1493, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (l\0\0\0\264\1\0\0D\2\0\0" ... {28, 56, reply, 0, 436, 444, 1494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (l\0\0\0\264\1\0\0D\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1494, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (l\0\0\0\264\1\0\0D\2\0\0" ... {28, 56, reply, 0, 436, 444, 1494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (l\0\0\0\264\1\0\0D\2\0\0" )  ) == 0x0
 00841   444   NtResumeThread  (108, ... 1, ) == 0x0
 00842   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 16580608, 1048576, ) == 0x0
 00843   444   NtAllocateVirtualMemory  (-1, 17620992, 0, 8192, 4096, 4, ... 17620992, 8192, ) == 0x0
 00844   444   NtProtectVirtualMemory  (-1, (0x10ce000), 4096, 260, ...
 00845   580   NtTestAlert  (... ) == 0x0
 00846   580   NtContinue  (16579888, 1, ...
 00847   580   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00848   580   NtDelayExecution  (0, {-150000, -1}, ...
 00844   444   NtProtectVirtualMemory  ... (0x10ce000), 4096, 4, ) == 0x0
 00849   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 112, {436, 584}, ) == 0x0
 00850   444   NtQueryInformationThread  (112, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=436,Tid=584,}, 0x0, ) == 0x0
 00851   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1494, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (p\0\0\0\264\1\0\0H\2\0\0" ... {28, 56, reply, 0, 436, 444, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (p\0\0\0\264\1\0\0H\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1495, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (p\0\0\0\264\1\0\0H\2\0\0" ... {28, 56, reply, 0, 436, 444, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (p\0\0\0\264\1\0\0H\2\0\0" )  ) == 0x0
 00852   444   NtResumeThread  (112, ... 1, ) == 0x0
 00853   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 17629184, 1048576, ) == 0x0
 00854   584   NtTestAlert  (... ) == 0x0
 00855   584   NtContinue  (17628464, 1, ...
 00856   584   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00857   584   NtDelayExecution  (0, {-150000, -1}, ...
 00858   444   NtAllocateVirtualMemory  (-1, 18669568, 0, 8192, 4096, 4, ... 18669568, 8192, ) == 0x0
 00859   444   NtProtectVirtualMemory  (-1, (0x11ce000), 4096, 260, ... (0x11ce000), 4096, 4, ) == 0x0
 00860   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 116, {436, 576}, ) == 0x0
 00861   444   NtQueryInformationThread  (116, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=436,Tid=576,}, 0x0, ) == 0x0
 00862   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1495, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (t\0\0\0\264\1\0\0@\2\0\0" ... {28, 56, reply, 0, 436, 444, 1496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (t\0\0\0\264\1\0\0@\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1496, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (t\0\0\0\264\1\0\0@\2\0\0" ... {28, 56, reply, 0, 436, 444, 1496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (t\0\0\0\264\1\0\0@\2\0\0" )  ) == 0x0
 00863   444   NtResumeThread  (116, ... 1, ) == 0x0
 00864   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 18677760, 1048576, ) == 0x0
 00865   444   NtAllocateVirtualMemory  (-1, 19718144, 0, 8192, 4096, 4, ... 19718144, 8192, ) == 0x0
 00866   444   NtProtectVirtualMemory  (-1, (0x12ce000), 4096, 260, ...
 00867   576   NtTestAlert  (... ) == 0x0
 00868   576   NtContinue  (18677040, 1, ...
 00869   576   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00870   576   NtDelayExecution  (0, {-150000, -1}, ...
 00866   444   NtProtectVirtualMemory  ... (0x12ce000), 4096, 4, ) == 0x0
 00871   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 120, {436, 596}, ) == 0x0
 00872   444   NtQueryInformationThread  (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=436,Tid=596,}, 0x0, ) == 0x0
 00873   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1496, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (x\0\0\0\264\1\0\0T\2\0\0" ... {28, 56, reply, 0, 436, 444, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (x\0\0\0\264\1\0\0T\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1497, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1496, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (x\0\0\0\264\1\0\0T\2\0\0" ... {28, 56, reply, 0, 436, 444, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (x\0\0\0\264\1\0\0T\2\0\0" )  ) == 0x0
 00874   444   NtResumeThread  (120, ... 1, ) == 0x0
 00875   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 19726336, 1048576, ) == 0x0
 00876   596   NtTestAlert  (... ) == 0x0
 00877   596   NtContinue  (19725616, 1, ...
 00878   596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00879   596   NtDelayExecution  (0, {-150000, -1}, ...
 00880   444   NtAllocateVirtualMemory  (-1, 20766720, 0, 8192, 4096, 4, ... 20766720, 8192, ) == 0x0
 00881   444   NtProtectVirtualMemory  (-1, (0x13ce000), 4096, 260, ... (0x13ce000), 4096, 4, ) == 0x0
 00882   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 124, {436, 636}, ) == 0x0
 00883   444   NtQueryInformationThread  (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=436,Tid=636,}, 0x0, ) == 0x0
 00884   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1497, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (|\0\0\0\264\1\0\0|\2\0\0" ... {28, 56, reply, 0, 436, 444, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (|\0\0\0\264\1\0\0|\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1498, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1497, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (|\0\0\0\264\1\0\0|\2\0\0" ... {28, 56, reply, 0, 436, 444, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (|\0\0\0\264\1\0\0|\2\0\0" )  ) == 0x0
 00885   444   NtResumeThread  (124, ... 1, ) == 0x0
 00886   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 20774912, 1048576, ) == 0x0
 00887   444   NtAllocateVirtualMemory  (-1, 21815296, 0, 8192, 4096, 4, ... 21815296, 8192, ) == 0x0
 00888   444   NtProtectVirtualMemory  (-1, (0x14ce000), 4096, 260, ...
 00889   636   NtTestAlert  (... ) == 0x0
 00890   636   NtContinue  (20774192, 1, ...
 00891   636   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00892   636   NtDelayExecution  (0, {-150000, -1}, ...
 00888   444   NtProtectVirtualMemory  ... (0x14ce000), 4096, 4, ) == 0x0
 00893   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 128, {436, 732}, ) == 0x0
 00894   444   NtQueryInformationThread  (128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=436,Tid=732,}, 0x0, ) == 0x0
 00895   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1498, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\200\0\0\0\264\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 436, 444, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\200\0\0\0\264\1\0\0\334\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1499, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1498, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\200\0\0\0\264\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 436, 444, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\200\0\0\0\264\1\0\0\334\2\0\0" )  ) == 0x0
 00896   444   NtResumeThread  (128, ... 1, ) == 0x0
 00897   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 21823488, 1048576, ) == 0x0
 00898   732   NtTestAlert  (... ) == 0x0
 00899   732   NtContinue  (21822768, 1, ...
 00900   732   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00901   732   NtDelayExecution  (0, {-150000, -1}, ...
 00902   444   NtAllocateVirtualMemory  (-1, 22863872, 0, 8192, 4096, 4, ... 22863872, 8192, ) == 0x0
 00903   444   NtProtectVirtualMemory  (-1, (0x15ce000), 4096, 260, ... (0x15ce000), 4096, 4, ) == 0x0
 00904   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 132, {436, 744}, ) == 0x0
 00905   444   NtQueryInformationThread  (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=436,Tid=744,}, 0x0, ) == 0x0
 00906   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1499, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\204\0\0\0\264\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 436, 444, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\204\0\0\0\264\1\0\0\350\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1500, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\204\0\0\0\264\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 436, 444, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0   (\204\0\0\0\264\1\0\0\350\2\0\0" )  ) == 0x0
 00907   444   NtResumeThread  (132, ... 1, ) == 0x0
 00908   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0
 00909   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00910   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ...
 00911   744   NtTestAlert  (... ) == 0x0
 00912   744   NtContinue  (22871344, 1, ...
 00913   744   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00914   744   NtDelayExecution  (0, {-20010000, -1}, ...
 00910   444   NtCreateEvent  ... 144, ) == 0x0
 00915   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 00916   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 00917   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 00918   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 00919   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 00920   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0
 00921   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0
 00922   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0
 00923   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0
 00924   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0
 00925   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0
 00926   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 00927   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 00928   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 22872064, 1048576, ) == 0x0
 00929   444   NtAllocateVirtualMemory  (-1, 23912448, 0, 8192, 4096, 4, ... 23912448, 8192, ) == 0x0
 00930   444   NtProtectVirtualMemory  (-1, (0x16ce000), 4096, 260, ... (0x16ce000), 4096, 4, ) == 0x0
 00931   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 200, {436, 676}, ) == 0x0
 00932   444   NtQueryInformationThread  (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=436,Tid=676,}, 0x0, ) == 0x0
 00933   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 12361743, 40972, 36117852, 5770028}  (24, {28, 56, new_msg, 0, 12361743, 40972, 36117852, 5770028} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\310\0\0\0\264\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 436, 444, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\264\1\0\0\244\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1501, 0}  (24, {28, 56, new_msg, 0, 12361743, 40972, 36117852, 5770028} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\310\0\0\0\264\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 436, 444, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\310\0\0\0\264\1\0\0\244\2\0\0" )  ) == 0x0
 00934   444   NtResumeThread  (200, ... 1, ) == 0x0
 00935   676   NtTestAlert  (... ) == 0x0
 00936   676   NtContinue  (23919920, 1, ...
 00937   676   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00938   676   NtWaitForSingleObject  (136, 0, 0x0, ...
 00939   444   NtSetInformationThread  (200, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00940   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 23920640, 1048576, ) == 0x0
 00941   444   NtAllocateVirtualMemory  (-1, 24961024, 0, 8192, 4096, 4, ... 24961024, 8192, ) == 0x0
 00942   444   NtProtectVirtualMemory  (-1, (0x17ce000), 4096, 260, ... (0x17ce000), 4096, 4, ) == 0x0
 00943   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 204, {436, 788}, ) == 0x0
 00944   444   NtQueryInformationThread  (204, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=436,Tid=788,}, 0x0, ) == 0x0
 00945   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1501, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\264\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 436, 444, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\264\1\0\0\24\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1502, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1501, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\264\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 436, 444, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\314\0\0\0\264\1\0\0\24\3\0\0" )  ) == 0x0
 00946   444   NtResumeThread  (204, ... 1, ) == 0x0
 00947   444   NtSetInformationThread  (204, BasePriority, {thread info, class 3, size 4}, 4, ...
 00948   788   NtTestAlert  (... ) == 0x0
 00949   788   NtContinue  (24968496, 1, ...
 00950   788   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00951   788   NtWaitForSingleObject  (140, 0, 0x0, ...
 00947   444   NtSetInformationThread  ... ) == 0x0
 00952   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 24969216, 1048576, ) == 0x0
 00953   444   NtAllocateVirtualMemory  (-1, 26009600, 0, 8192, 4096, 4, ... 26009600, 8192, ) == 0x0
 00954   444   NtProtectVirtualMemory  (-1, (0x18ce000), 4096, 260, ... (0x18ce000), 4096, 4, ) == 0x0
 00955   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 208, {436, 784}, ) == 0x0
 00956   444   NtQueryInformationThread  (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=436,Tid=784,}, 0x0, ) == 0x0
 00957   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1502, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\264\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 436, 444, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\264\1\0\0\20\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1503, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1502, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\264\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 436, 444, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\320\0\0\0\264\1\0\0\20\3\0\0" )  ) == 0x0
 00958   444   NtResumeThread  (208, ... 1, ) == 0x0
 00959   444   NtSetInformationThread  (208, BasePriority, {thread info, class 3, size 4}, 4, ...
 00960   784   NtTestAlert  (... ) == 0x0
 00961   784   NtContinue  (26017072, 1, ...
 00962   784   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00963   784   NtWaitForSingleObject  (144, 0, 0x0, ...
 00959   444   NtSetInformationThread  ... ) == 0x0
 00964   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 26017792, 1048576, ) == 0x0
 00965   444   NtAllocateVirtualMemory  (-1, 27058176, 0, 8192, 4096, 4, ... 27058176, 8192, ) == 0x0
 00966   444   NtProtectVirtualMemory  (-1, (0x19ce000), 4096, 260, ... (0x19ce000), 4096, 4, ) == 0x0
 00967   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 212, {436, 712}, ) == 0x0
 00968   444   NtQueryInformationThread  (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=436,Tid=712,}, 0x0, ) == 0x0
 00969   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1503, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\264\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 436, 444, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\264\1\0\0\310\2\0\0" )  ... {28, 56, reply, 0, 436, 444, 1504, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\264\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 436, 444, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0\264\1\0\0\310\2\0\0" )  ) == 0x0
 00970   444   NtResumeThread  (212, ... 1, ) == 0x0
 00971   444   NtSetInformationThread  (212, BasePriority, {thread info, class 3, size 4}, 4, ...
 00972   712   NtTestAlert  (... ) == 0x0
 00973   712   NtContinue  (27065648, 1, ...
 00974   712   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00975   712   NtWaitForSingleObject  (148, 0, 0x0, ...
 00971   444   NtSetInformationThread  ... ) == 0x0
 00976   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 27066368, 1048576, ) == 0x0
 00977   444   NtAllocateVirtualMemory  (-1, 28106752, 0, 8192, 4096, 4, ... 28106752, 8192, ) == 0x0
 00978   444   NtProtectVirtualMemory  (-1, (0x1ace000), 4096, 260, ... (0x1ace000), 4096, 4, ) == 0x0
 00979   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 216, {436, 836}, ) == 0x0
 00980   444   NtQueryInformationThread  (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=436,Tid=836,}, 0x0, ) == 0x0
 00981   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1504, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\264\1\0\0D\3\0\0" ... {28, 56, reply, 0, 436, 444, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\264\1\0\0D\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1505, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1504, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\264\1\0\0D\3\0\0" ... {28, 56, reply, 0, 436, 444, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0\264\1\0\0D\3\0\0" )  ) == 0x0
 00982   444   NtResumeThread  (216, ... 1, ) == 0x0
 00983   444   NtSetInformationThread  (216, BasePriority, {thread info, class 3, size 4}, 4, ...
 00984   836   NtTestAlert  (... ) == 0x0
 00985   836   NtContinue  (28114224, 1, ...
 00986   836   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00987   836   NtWaitForSingleObject  (152, 0, 0x0, ...
 00983   444   NtSetInformationThread  ... ) == 0x0
 00988   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 28114944, 1048576, ) == 0x0
 00989   444   NtAllocateVirtualMemory  (-1, 29155328, 0, 8192, 4096, 4, ... 29155328, 8192, ) == 0x0
 00990   444   NtProtectVirtualMemory  (-1, (0x1bce000), 4096, 260, ... (0x1bce000), 4096, 4, ) == 0x0
 00991   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 220, {436, 856}, ) == 0x0
 00992   444   NtQueryInformationThread  (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=436,Tid=856,}, 0x0, ) == 0x0
 00993   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1505, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\264\1\0\0X\3\0\0" ... {28, 56, reply, 0, 436, 444, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\264\1\0\0X\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1506, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1505, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\264\1\0\0X\3\0\0" ... {28, 56, reply, 0, 436, 444, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0\264\1\0\0X\3\0\0" )  ) == 0x0
 00994   444   NtResumeThread  (220, ... 1, ) == 0x0
 00995   444   NtSetInformationThread  (220, BasePriority, {thread info, class 3, size 4}, 4, ...
 00996   856   NtTestAlert  (... ) == 0x0
 00997   856   NtContinue  (29162800, 1, ...
 00998   856   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00999   856   NtWaitForSingleObject  (156, 0, 0x0, ...
 00995   444   NtSetInformationThread  ... ) == 0x0
 01000   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 29163520, 1048576, ) == 0x0
 01001   444   NtAllocateVirtualMemory  (-1, 30203904, 0, 8192, 4096, 4, ... 30203904, 8192, ) == 0x0
 01002   444   NtProtectVirtualMemory  (-1, (0x1cce000), 4096, 260, ... (0x1cce000), 4096, 4, ) == 0x0
 01003   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 224, {436, 860}, ) == 0x0
 01004   444   NtQueryInformationThread  (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=436,Tid=860,}, 0x0, ) == 0x0
 01005   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1506, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\264\1\0\0\\3\0\0" ... {28, 56, reply, 0, 436, 444, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\264\1\0\0\\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1507, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\264\1\0\0\\3\0\0" ... {28, 56, reply, 0, 436, 444, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0\264\1\0\0\\3\0\0" )  ) == 0x0
 01006   444   NtResumeThread  (224, ... 1, ) == 0x0
 01007   860   NtAllocateVirtualMemory  (-1, 11026432, 0, 4096, 4096, 4, ... 11026432, 4096, ) == 0x0
 01008   860   NtTestAlert  (... ) == 0x0
 01009   860   NtContinue  (30211376, 1, ...
 01010   860   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01011   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01012   444   NtSetInformationThread  (224, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01013   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 30212096, 1048576, ) == 0x0
 01014   444   NtAllocateVirtualMemory  (-1, 31252480, 0, 8192, 4096, 4, ... 31252480, 8192, ) == 0x0
 01015   444   NtProtectVirtualMemory  (-1, (0x1dce000), 4096, 260, ... (0x1dce000), 4096, 4, ) == 0x0
 01016   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 228, {436, 864}, ) == 0x0
 01017   444   NtQueryInformationThread  (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=436,Tid=864,}, 0x0, ) == 0x0
 01018   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1507, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\264\1\0\0`\3\0\0" ... {28, 56, reply, 0, 436, 444, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\264\1\0\0`\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1508, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\264\1\0\0`\3\0\0" ... {28, 56, reply, 0, 436, 444, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0\264\1\0\0`\3\0\0" )  ) == 0x0
 01019   444   NtResumeThread  (228, ... 1, ) == 0x0
 01020   444   NtSetInformationThread  (228, BasePriority, {thread info, class 3, size 4}, 4, ...
 01021   864   NtTestAlert  (... ) == 0x0
 01022   864   NtContinue  (31259952, 1, ...
 01023   864   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01024   864   NtWaitForSingleObject  (164, 0, 0x0, ...
 01020   444   NtSetInformationThread  ... ) == 0x0
 01025   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 31260672, 1048576, ) == 0x0
 01026   444   NtAllocateVirtualMemory  (-1, 32301056, 0, 8192, 4096, 4, ... 32301056, 8192, ) == 0x0
 01027   444   NtProtectVirtualMemory  (-1, (0x1ece000), 4096, 260, ... (0x1ece000), 4096, 4, ) == 0x0
 01028   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 232, {436, 868}, ) == 0x0
 01029   444   NtQueryInformationThread  (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=436,Tid=868,}, 0x0, ) == 0x0
 01030   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1508, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\264\1\0\0d\3\0\0" ... {28, 56, reply, 0, 436, 444, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\264\1\0\0d\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1509, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\264\1\0\0d\3\0\0" ... {28, 56, reply, 0, 436, 444, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0\264\1\0\0d\3\0\0" )  ) == 0x0
 01031   444   NtResumeThread  (232, ... 1, ) == 0x0
 01032   444   NtSetInformationThread  (232, BasePriority, {thread info, class 3, size 4}, 4, ...
 01033   868   NtTestAlert  (... ) == 0x0
 01034   868   NtContinue  (32308528, 1, ...
 01035   868   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01036   868   NtWaitForSingleObject  (168, 0, 0x0, ...
 01032   444   NtSetInformationThread  ... ) == 0x0
 01037   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 32309248, 1048576, ) == 0x0
 01038   444   NtAllocateVirtualMemory  (-1, 33349632, 0, 8192, 4096, 4, ... 33349632, 8192, ) == 0x0
 01039   444   NtProtectVirtualMemory  (-1, (0x1fce000), 4096, 260, ... (0x1fce000), 4096, 4, ) == 0x0
 01040   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 236, {436, 872}, ) == 0x0
 01041   444   NtQueryInformationThread  (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=436,Tid=872,}, 0x0, ) == 0x0
 01042   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1509, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\264\1\0\0h\3\0\0" ... {28, 56, reply, 0, 436, 444, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\264\1\0\0h\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1510, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\264\1\0\0h\3\0\0" ... {28, 56, reply, 0, 436, 444, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0\264\1\0\0h\3\0\0" )  ) == 0x0
 01043   444   NtResumeThread  (236, ... 1, ) == 0x0
 01044   444   NtSetInformationThread  (236, BasePriority, {thread info, class 3, size 4}, 4, ...
 01045   872   NtTestAlert  (... ) == 0x0
 01046   872   NtContinue  (33357104, 1, ...
 01047   872   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01048   872   NtWaitForSingleObject  (172, 0, 0x0, ...
 01044   444   NtSetInformationThread  ... ) == 0x0
 01049   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 33357824, 1048576, ) == 0x0
 01050   444   NtAllocateVirtualMemory  (-1, 34398208, 0, 8192, 4096, 4, ... 34398208, 8192, ) == 0x0
 01051   444   NtProtectVirtualMemory  (-1, (0x20ce000), 4096, 260, ... (0x20ce000), 4096, 4, ) == 0x0
 01052   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 240, {436, 876}, ) == 0x0
 01053   444   NtQueryInformationThread  (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=436,Tid=876,}, 0x0, ) == 0x0
 01054   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1510, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0\264\1\0\0l\3\0\0" ... {28, 56, reply, 0, 436, 444, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0\264\1\0\0l\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1511, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1510, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0\264\1\0\0l\3\0\0" ... {28, 56, reply, 0, 436, 444, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0\264\1\0\0l\3\0\0" )  ) == 0x0
 01055   444   NtResumeThread  (240, ... 1, ) == 0x0
 01056   444   NtSetInformationThread  (240, BasePriority, {thread info, class 3, size 4}, 4, ...
 01057   876   NtTestAlert  (... ) == 0x0
 01058   876   NtContinue  (34405680, 1, ...
 01059   876   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01060   876   NtWaitForSingleObject  (176, 0, 0x0, ...
 01056   444   NtSetInformationThread  ... ) == 0x0
 01061   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 34406400, 1048576, ) == 0x0
 01062   444   NtAllocateVirtualMemory  (-1, 35446784, 0, 8192, 4096, 4, ... 35446784, 8192, ) == 0x0
 01063   444   NtProtectVirtualMemory  (-1, (0x21ce000), 4096, 260, ... (0x21ce000), 4096, 4, ) == 0x0
 01064   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 244, {436, 880}, ) == 0x0
 01065   444   NtQueryInformationThread  (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=436,Tid=880,}, 0x0, ) == 0x0
 01066   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1511, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0\264\1\0\0p\3\0\0" ... {28, 56, reply, 0, 436, 444, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0\264\1\0\0p\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1512, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1511, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0\264\1\0\0p\3\0\0" ... {28, 56, reply, 0, 436, 444, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0\264\1\0\0p\3\0\0" )  ) == 0x0
 01067   444   NtResumeThread  (244, ... 1, ) == 0x0
 01068   444   NtSetInformationThread  (244, BasePriority, {thread info, class 3, size 4}, 4, ...
 01069   880   NtTestAlert  (... ) == 0x0
 01070   880   NtContinue  (35454256, 1, ...
 01071   880   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01072   880   NtWaitForSingleObject  (180, 0, 0x0, ...
 01068   444   NtSetInformationThread  ... ) == 0x0
 01073   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 35454976, 1048576, ) == 0x0
 01074   444   NtAllocateVirtualMemory  (-1, 36495360, 0, 8192, 4096, 4, ... 36495360, 8192, ) == 0x0
 01075   444   NtProtectVirtualMemory  (-1, (0x22ce000), 4096, 260, ... (0x22ce000), 4096, 4, ) == 0x0
 01076   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 248, {436, 884}, ) == 0x0
 01077   444   NtQueryInformationThread  (248, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=436,Tid=884,}, 0x0, ) == 0x0
 01078   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1512, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0\264\1\0\0t\3\0\0" ... {28, 56, reply, 0, 436, 444, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0\264\1\0\0t\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1513, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1512, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0\264\1\0\0t\3\0\0" ... {28, 56, reply, 0, 436, 444, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0\264\1\0\0t\3\0\0" )  ) == 0x0
 01079   444   NtResumeThread  (248, ... 1, ) == 0x0
 01080   884   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 01081   884   NtTestAlert  (... ) == 0x0
 01082   884   NtContinue  (36502832, 1, ...
 01083   884   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01084   884   NtWaitForSingleObject  (184, 0, 0x0, ...
 01085   444   NtSetInformationThread  (248, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 01086   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 36503552, 1048576, ) == 0x0
 01087   444   NtAllocateVirtualMemory  (-1, 37543936, 0, 8192, 4096, 4, ... 37543936, 8192, ) == 0x0
 01088   444   NtProtectVirtualMemory  (-1, (0x23ce000), 4096, 260, ... (0x23ce000), 4096, 4, ) == 0x0
 01089   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 252, {436, 888}, ) == 0x0
 01090   444   NtQueryInformationThread  (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=436,Tid=888,}, 0x0, ) == 0x0
 01091   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1513, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0\264\1\0\0x\3\0\0" ... {28, 56, reply, 0, 436, 444, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0\264\1\0\0x\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1514, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0\264\1\0\0x\3\0\0" ... {28, 56, reply, 0, 436, 444, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0\264\1\0\0x\3\0\0" )  ) == 0x0
 01092   444   NtResumeThread  (252, ... 1, ) == 0x0
 01093   444   NtSetInformationThread  (252, BasePriority, {thread info, class 3, size 4}, 4, ...
 01094   888   NtTestAlert  (... ) == 0x0
 01095   888   NtContinue  (37551408, 1, ...
 01096   888   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01097   888   NtWaitForSingleObject  (188, 0, 0x0, ...
 01093   444   NtSetInformationThread  ... ) == 0x0
 01098   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 37552128, 1048576, ) == 0x0
 01099   444   NtAllocateVirtualMemory  (-1, 38592512, 0, 8192, 4096, 4, ... 38592512, 8192, ) == 0x0
 01100   444   NtProtectVirtualMemory  (-1, (0x24ce000), 4096, 260, ... (0x24ce000), 4096, 4, ) == 0x0
 01101   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 256, {436, 892}, ) == 0x0
 01102   444   NtQueryInformationThread  (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=436,Tid=892,}, 0x0, ) == 0x0
 01103   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1514, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0\264\1\0\0|\3\0\0" ... {28, 56, reply, 0, 436, 444, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0\264\1\0\0|\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1515, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1514, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0\264\1\0\0|\3\0\0" ... {28, 56, reply, 0, 436, 444, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0\264\1\0\0|\3\0\0" )  ) == 0x0
 01104   444   NtResumeThread  (256, ... 1, ) == 0x0
 01105   444   NtSetInformationThread  (256, BasePriority, {thread info, class 3, size 4}, 4, ...
 01106   892   NtTestAlert  (... ) == 0x0
 01107   892   NtContinue  (38599984, 1, ...
 01108   892   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01109   892   NtWaitForSingleObject  (192, 0, 0x0, ...
 01105   444   NtSetInformationThread  ... ) == 0x0
 01110   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 38600704, 1048576, ) == 0x0
 01111   444   NtAllocateVirtualMemory  (-1, 39641088, 0, 8192, 4096, 4, ... 39641088, 8192, ) == 0x0
 01112   444   NtProtectVirtualMemory  (-1, (0x25ce000), 4096, 260, ... (0x25ce000), 4096, 4, ) == 0x0
 01113   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 260, {436, 908}, ) == 0x0
 01114   444   NtQueryInformationThread  (260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=436,Tid=908,}, 0x0, ) == 0x0
 01115   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 436, 444, 1515, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\4\1\0\0\264\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 436, 444, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\4\1\0\0\264\1\0\0\214\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1516, 0}  (24, {28, 56, new_msg, 0, 436, 444, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\4\1\0\0\264\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 436, 444, 1516, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\4\1\0\0\264\1\0\0\214\3\0\0" )  ) == 0x0
 01116   444   NtResumeThread  (260, ... 1, ) == 0x0
 01117   444   NtSetInformationThread  (260, BasePriority, {thread info, class 3, size 4}, 4, ...
 01118   908   NtTestAlert  (... ) == 0x0
 01119   908   NtContinue  (39648560, 1, ...
 01120   908   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01121   908   NtWaitForSingleObject  (196, 0, 0x0, ...
 01117   444   NtSetInformationThread  ... ) == 0x0
 01122   444   NtSetEvent  (144, ...
 00963   784   NtWaitForSingleObject  ... ) == 0x0
 01123   784   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01124   784   NtWaitForSingleObject  (144, 0, 0x0, ...
 01122   444   NtSetEvent  ... 0x0, ) == 0x0
 01125   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01126   444   NtSetEvent  (192, ...
 01109   892   NtWaitForSingleObject  ... ) == 0x0
 01127   892   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01128   892   NtWaitForSingleObject  (192, 0, 0x0, ...
 01126   444   NtSetEvent  ... 0x0, ) == 0x0
 01129   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01130   444   NtSetEvent  (188, ...
 01097   888   NtWaitForSingleObject  ... ) == 0x0
 01131   888   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01132   888   NtWaitForSingleObject  (188, 0, 0x0, ...
 01130   444   NtSetEvent  ... 0x0, ) == 0x0
 01133   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01134   444   NtSetEvent  (148, ...
 00975   712   NtWaitForSingleObject  ... ) == 0x0
 01135   712   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01136   712   NtWaitForSingleObject  (148, 0, 0x0, ...
 01134   444   NtSetEvent  ... 0x0, ) == 0x0
 01137   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01138   444   NtQueryVirtualMemory  (-1, 0x10000, Basic, 28, ... {BaseAddress=0x10000,AllocationBase=0x10000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 00835   588   NtDelayExecution  ... ) == 0x0
 01139   588   NtDelayExecution  (0, {-20010000, -1}, ...
 00848   580   NtDelayExecution  ... ) == 0x0
 01140   580   NtDelayExecution  (0, {-20010000, -1}, ...
 00857   584   NtDelayExecution  ... ) == 0x0
 01141   584   NtDelayExecution  (0, {-20010000, -1}, ...
 00870   576   NtDelayExecution  ... ) == 0x0
 01142   576   NtDelayExecution  (0, {-20010000, -1}, ...
 00879   596   NtDelayExecution  ... ) == 0x0
 01143   596   NtDelayExecution  (0, {-20010000, -1}, ...
 00892   636   NtDelayExecution  ... ) == 0x0
 01144   636   NtDelayExecution  (0, {-20010000, -1}, ...
 00901   732   NtDelayExecution  ... ) == 0x0
 01145   732   NtDelayExecution  (0, {-20010000, -1}, ...
 01146   444   NtUserGetForegroundWindow  (... ) == 0x20064
 01147   444   NtUserQueryWindow  (131172, 0, ... ) == 0x7f4
 01148   444   NtSetEvent  (148, ...
 01136   712   NtWaitForSingleObject  ... ) == 0x0
 01149   712   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01150   712   NtWaitForSingleObject  (148, 0, 0x0, ...
 01148   444   NtSetEvent  ... 0x0, ) == 0x0
 01151   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01152   444   NtSetEvent  (172, ...
 01048   872   NtWaitForSingleObject  ... ) == 0x0
 01153   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01154   872   NtWaitForSingleObject  (172, 0, 0x0, ...
 01152   444   NtSetEvent  ... 0x0, ) == 0x0
 01155   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01156   444   NtSetEvent  (180, ...
 01072   880   NtWaitForSingleObject  ... ) == 0x0
 01157   880   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01158   880   NtWaitForSingleObject  (180, 0, 0x0, ...
 01156   444   NtSetEvent  ... 0x0, ) == 0x0
 01159   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01160   444   NtSetEvent  (148, ...
 01150   712   NtWaitForSingleObject  ... ) == 0x0
 01161   712   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01162   712   NtWaitForSingleObject  (148, 0, 0x0, ...
 01160   444   NtSetEvent  ... 0x0, ) == 0x0
 01163   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01164   444   NtSetEvent  (156, ...
 00999   856   NtWaitForSingleObject  ... ) == 0x0
 01165   856   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01166   856   NtWaitForSingleObject  (156, 0, 0x0, ...
 01164   444   NtSetEvent  ... 0x0, ) == 0x0
 01167   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01168   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39649280, 65536, ) == 0x0
 01169   444   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01170   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 65536, ) == 0x0
 01171   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39649280, 65536, ) == 0x0
 01172   444   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01173   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 65536, ) == 0x0
 01174   444   NtSetEvent  (184, ...
 01084   884   NtWaitForSingleObject  ... ) == 0x0
 01175   884   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01176   884   NtWaitForSingleObject  (184, 0, 0x0, ...
 01174   444   NtSetEvent  ... 0x0, ) == 0x0
 01177   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01178   444   NtSetEvent  (184, ...
 01176   884   NtWaitForSingleObject  ... ) == 0x0
 01179   884   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01180   884   NtWaitForSingleObject  (184, 0, 0x0, ...
 01178   444   NtSetEvent  ... 0x0, ) == 0x0
 01181   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01182   444   NtContinue  (1243044, 0, ...
 01183   444   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01184   444   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01185   444   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01186   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39649280, 65536, ) == 0x0
 01187   444   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 01188   444   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 264, ) == 0x0
 01189   444   NtMapViewOfSection  (264, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x25e0000), 0x0, 4194304, ) == 0x0
 01190   444   NtAllocateVirtualMemory  (-1, 39714816, 0, 1, 4096, 4, ... 39714816, 4096, ) == 0x0
 01191   444   NtAllocateVirtualMemory  (-1, 39718912, 0, 832, 4096, 4, ... 39718912, 4096, ) == 0x0
 01192   444   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 268, ) == 0x0
 01193   444   NtMapViewOfSection  (268, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x29e0000), 0x0, 4194304, ) == 0x0
 01194   444   NtAllocateVirtualMemory  (-1, 43909120, 0, 1, 4096, 4, ... 43909120, 4096, ) == 0x0
 01195   444   NtCreateSection  (0xf0007, 0x0, {37972, 0}, 4, 134217728, 0, ... 272, ) == 0x0
 01196   444   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2de0000), {0, 0}, 40960, ) == 0x0
 01197   444   NtUnmapViewOfSection  (-1, 0x2de0000, ... ) == 0x0
 01198   444   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2de0000), {0, 0}, 40960, ) == 0x0
 01199   444   NtClose  (268, ... ) == 0x0
 01200   444   NtUnmapViewOfSection  (-1, 0x29e0000, ... ) == 0x0
 01201   444   NtClose  (264, ... ) == 0x0
 01202   444   NtUnmapViewOfSection  (-1, 0x25e0000, ... ) == 0x0
 01203   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 65536, ) == 0x0
 01204   444   NtUnmapViewOfSection  (-1, 0x2de0000, ... ) == 0x0
 01205   444   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x25d0000), {0, 0}, 40960, ) == 0x0
 01206   444   NtUnmapViewOfSection  (-1, 0x25d0000, ... ) == 0x0
 01207   444   NtMapViewOfSection  (272, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x25d0000), {0, 0}, 40960, ) == 0x0
 01208   444   NtUnmapViewOfSection  (-1, 0x25d0000, ... ) == 0x0
 01209   444   NtSetEvent  (176, ...
 01060   876   NtWaitForSingleObject  ... ) == 0x0
 01210   876   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01211   876   NtWaitForSingleObject  (176, 0, 0x0, ...
 01209   444   NtSetEvent  ... 0x0, ) == 0x0
 01212   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01213   444   NtSetEvent  (140, ...
 00951   788   NtWaitForSingleObject  ... ) == 0x0
 01214   788   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01215   788   NtWaitForSingleObject  (140, 0, 0x0, ...
 01213   444   NtSetEvent  ... 0x0, ) == 0x0
 01216   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01217   444   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01218   444   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01219   444   NtUserFindWindowEx  (0, 0,  (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01220   444   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01221   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39649280, 65536, ) == 0x0
 01222   444   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01223   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 65536, ) == 0x0
 01224   444   NtSetEvent  (192, ...
 01128   892   NtWaitForSingleObject  ... ) == 0x0
 01225   892   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01226   892   NtWaitForSingleObject  (192, 0, 0x0, ...
 01224   444   NtSetEvent  ... 0x0, ) == 0x0
 01227   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01228   444   NtAllocateVirtualMemory  (-1, 0, 0, 1000, 4096, 4, ... 39649280, 4096, ) == 0x0
 01229   444   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01230   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 4096, ) == 0x0
 01231   444   NtSetEvent  (160, ...
 01011   860   NtWaitForSingleObject  ... ) == 0x0
 01232   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01233   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01231   444   NtSetEvent  ... 0x0, ) == 0x0
 01234   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01235   444   NtUserFindWindowEx  (0, 0,  (0, 0, "RegmonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01236   444   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Registry Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01237   444   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01238   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39649280, 65536, ) == 0x0
 01239   444   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01240   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 65536, ) == 0x0
 01241   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39649280, 65536, ) == 0x0
 01242   444   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01243   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 65536, ) == 0x0
 01244   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39649280, 65536, ) == 0x0
 01245   444   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01246   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 65536, ) == 0x0
 01247   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 39649280, 65536, ) == 0x0
 01248   444   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01249   444   NtFreeVirtualMemory  (-1, (0x25d0000), 0, 32768, ... (0x25d0000), 65536, ) == 0x0
 01250   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "SOFTWARE\NuMega\DriverStudio"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   444   NtSetEvent  (172, ...
 01154   872   NtWaitForSingleObject  ... ) == 0x0
 01252   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01253   872   NtWaitForSingleObject  (172, 0, 0x0, ...
 01251   444   NtSetEvent  ... 0x0, ) == 0x0
 01254   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01255   444   NtSetEvent  (160, ...
 01233   860   NtWaitForSingleObject  ... ) == 0x0
 01256   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01257   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01255   444   NtSetEvent  ... 0x0, ) == 0x0
 01258   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01259   444   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work"}, 3, 33, ... 264, {status=0x0, info=1}, ) }, 3, 33, ... 264, {status=0x0, info=1}, ) == 0x0
 01260   444   NtQueryVolumeInformationFile  (264, 1244912, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01261   444   NtClose  (12, ... ) == 0x0
 01262   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 39649280, 4096, ) == 0x0
 01263   444   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 01264   444   NtQueryVolumeInformationFile  (12, 1244916, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01265   444   NtClose  (264, ... ) == 0x0
 01266   444   NtAllocateVirtualMemory  (-1, 0, 0, 200000, 4096, 4, ... 39714816, 200704, ) == 0x0
 01267   444   NtAllocateVirtualMemory  (-1, 0, 0, 1024, 4096, 4, ... 39976960, 4096, ) == 0x0
 01268   444   NtSetEvent  (176, ...
 01211   876   NtWaitForSingleObject  ... ) == 0x0
 01269   876   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01270   876   NtWaitForSingleObject  (176, 0, 0x0, ...
 01268   444   NtSetEvent  ... 0x0, ) == 0x0
 01271   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01272   444   NtSetEvent  (172, ...
 01253   872   NtWaitForSingleObject  ... ) == 0x0
 01273   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01274   872   NtWaitForSingleObject  (172, 0, 0x0, ...
 01272   444   NtSetEvent  ... 0x0, ) == 0x0
 01275   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01276   444   NtSetEvent  (196, ...
 01121   908   NtWaitForSingleObject  ... ) == 0x0
 01277   908   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01278   908   NtWaitForSingleObject  (196, 0, 0x0, ...
 01276   444   NtSetEvent  ... 0x0, ) == 0x0
 01279   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01280   444   NtSetEvent  (168, ...
 01036   868   NtWaitForSingleObject  ... ) == 0x0
 01281   868   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01282   868   NtWaitForSingleObject  (168, 0, 0x0, ...
 01280   444   NtSetEvent  ... 0x0, ) == 0x0
 01283   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01284   444   NtSetEvent  (180, ...
 01158   880   NtWaitForSingleObject  ... ) == 0x0
 01285   880   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01286   880   NtWaitForSingleObject  (180, 0, 0x0, ...
 01284   444   NtSetEvent  ... 0x0, ) == 0x0
 01287   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01288   444   NtSetEvent  (144, ...
 01124   784   NtWaitForSingleObject  ... ) == 0x0
 01289   784   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01290   784   NtWaitForSingleObject  (144, 0, 0x0, ...
 01288   444   NtSetEvent  ... 0x0, ) == 0x0
 01291   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01292   444   NtSetEvent  (172, ...
 01274   872   NtWaitForSingleObject  ... ) == 0x0
 01293   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01294   872   NtWaitForSingleObject  (172, 0, 0x0, ...
 01292   444   NtSetEvent  ... 0x0, ) == 0x0
 01295   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01296   444   NtSetEvent  (164, ...
 01024   864   NtWaitForSingleObject  ... ) == 0x0
 01297   864   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01298   864   NtWaitForSingleObject  (164, 0, 0x0, ...
 01296   444   NtSetEvent  ... 0x0, ) == 0x0
 01299   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01300   444   NtSetEvent  (164, ...
 01298   864   NtWaitForSingleObject  ... ) == 0x0
 01301   864   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01302   864   NtWaitForSingleObject  (164, 0, 0x0, ...
 01300   444   NtSetEvent  ... 0x0, ) == 0x0
 01303   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01304   444   NtSetEvent  (176, ...
 01270   876   NtWaitForSingleObject  ... ) == 0x0
 01305   876   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01306   876   NtWaitForSingleObject  (176, 0, 0x0, ...
 01304   444   NtSetEvent  ... 0x0, ) == 0x0
 01307   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01308   444   NtSetEvent  (160, ...
 01257   860   NtWaitForSingleObject  ... ) == 0x0
 01309   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01310   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01308   444   NtSetEvent  ... 0x0, ) == 0x0
 01311   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01312   444   NtSetEvent  (148, ...
 01162   712   NtWaitForSingleObject  ... ) == 0x0
 01313   712   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01314   712   NtWaitForSingleObject  (148, 0, 0x0, ...
 01312   444   NtSetEvent  ... 0x0, ) == 0x0
 01315   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01316   444   NtSetEvent  (136, ...
 00938   676   NtWaitForSingleObject  ... ) == 0x0
 01317   676   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01318   676   NtWaitForSingleObject  (136, 0, 0x0, ...
 01316   444   NtSetEvent  ... 0x0, ) == 0x0
 01319   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01320   444   NtSetEvent  (160, ...
 01310   860   NtWaitForSingleObject  ... ) == 0x0
 01321   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01322   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01320   444   NtSetEvent  ... 0x0, ) == 0x0
 01323   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01324   444   NtSetEvent  (196, ...
 01278   908   NtWaitForSingleObject  ... ) == 0x0
 01325   908   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01326   908   NtWaitForSingleObject  (196, 0, 0x0, ...
 01324   444   NtSetEvent  ... 0x0, ) == 0x0
 01327   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01328   444   NtUserFindWindowEx  (0, 0,  (0, 0, "FilemonClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01329   444   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "File Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01330   444   NtUserFindWindowEx  (0, 0,  (0, 0, "PROCMON_WINDOW_CLASS", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01331   444   NtUserFindWindowEx  (0, 0, 0x0,  (0, 0, 0x0, "Process Monitor - Sysinternals: www.sysinternals.com", 0, ... ) , 0, ... ) == 0x0
 01332   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 40042496, 65536, ) == 0x0
 01333   444   NtQuerySystemInformation  (Module, 65536, ... {system info, class 11, size 500}, 0x0, ) == 0x0
 01334   444   NtFreeVirtualMemory  (-1, (0x2630000), 0, 32768, ... (0x2630000), 65536, ) == 0x0
 01335   444   NtSetEvent  (148, ...
 01314   712   NtWaitForSingleObject  ... ) == 0x0
 01336   712   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01337   712   NtWaitForSingleObject  (148, 0, 0x0, ...
 01335   444   NtSetEvent  ... 0x0, ) == 0x0
 01338   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01339   444   NtProtectVirtualMemory  (-1, (0x401000), 116028, 64, ... (0x401000), 118784, 128, ) == 0x0
 01340   444   NtSetEvent  (148, ...
 01337   712   NtWaitForSingleObject  ... ) == 0x0
 01341   712   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01342   712   NtWaitForSingleObject  (148, 0, 0x0, ...
 01340   444   NtSetEvent  ... 0x0, ) == 0x0
 01343   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01344   444   NtAllocateVirtualMemory  (-1, 0, 0, 905216, 4096, 4, ... 40042496, 905216, ) == 0x0
 01345   444   NtFreeVirtualMemory  (-1, (0x2630000), 0, 32768, ... (0x2630000), 905216, ) == 0x0
 01346   444   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 40042496, 1048576, ) == 0x0
 01347   444   NtAllocateVirtualMemory  (-1, 41082880, 0, 8192, 4096, 4, ... 41082880, 8192, ) == 0x0
 01348   444   NtProtectVirtualMemory  (-1, (0x272e000), 4096, 260, ... (0x272e000), 4096, 4, ) == 0x0
 01349   444   NtCreateThread  (0x1f03ff, 0x0, -1, 1244212, 1244928, 1, ... 264, {436, 912}, ) == 0x0
 01350   444   NtQueryInformationThread  (264, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=436,Tid=912,}, 0x0, ) == 0x0
 01351   444   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243936, 34}  (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243936, 34} "\0\0\0\0\1\0\1\07(\365w\240o\374w\10\1\0\0\264\1\0\0\220\3\0\0" ... {28, 56, reply, 0, 436, 444, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\240o\374w\10\1\0\0\264\1\0\0\220\3\0\0" )  ... {28, 56, reply, 0, 436, 444, 1517, 0}  (24, {28, 56, new_msg, 0, 131108, 2147348480, 1243936, 34} "\0\0\0\0\1\0\1\07(\365w\240o\374w\10\1\0\0\264\1\0\0\220\3\0\0" ... {28, 56, reply, 0, 436, 444, 1517, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\240o\374w\10\1\0\0\264\1\0\0\220\3\0\0" )  ) == 0x0
 01352   444   NtResumeThread  (264, ... 1, ) == 0x0
 01353   444   NtSetEvent  (196, ...
 01354   912   NtTestAlert  (... ) == 0x0
 01355   912   NtContinue  (41090352, 1, ...
 01356   912   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 01357   912   NtDelayExecution  (0, {-40000000, -1}, ...
 01326   908   NtWaitForSingleObject  ... ) == 0x0
 01358   908   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01359   908   NtWaitForSingleObject  (196, 0, 0x0, ...
 01353   444   NtSetEvent  ... 0x0, ) == 0x0
 01360   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01361   444   NtSetEvent  (156, ...
 01166   856   NtWaitForSingleObject  ... ) == 0x0
 01362   856   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01363   856   NtWaitForSingleObject  (156, 0, 0x0, ...
 01361   444   NtSetEvent  ... 0x0, ) == 0x0
 01364   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01365   444   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 01366   444   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 01367   444   NtSetEvent  (172, ...
 01294   872   NtWaitForSingleObject  ... ) == 0x0
 01368   872   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01369   872   NtWaitForSingleObject  (172, 0, 0x0, ...
 01367   444   NtSetEvent  ... 0x0, ) == 0x0
 01370   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01371   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 4, ... 41091072, 4096, ) == 0x0
 01372   444   NtAllocateVirtualMemory  (-1, 0, 0, 8192, 4096, 4, ... 41156608, 8192, ) == 0x0
 01373   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 64, ... 41222144, 65536, ) == 0x0
 01374   444   NtAllocateVirtualMemory  (-1, 0, 0, 312, 4096, 4, ... 41287680, 4096, ) == 0x0
 01375   444   NtFreeVirtualMemory  (-1, (0x2760000), 0, 32768, ... (0x2760000), 4096, ) == 0x0
 01376   444   NtAllocateVirtualMemory  (-1, 0, 0, 456, 4096, 4, ... 41287680, 4096, ) == 0x0
 01377   444   NtFreeVirtualMemory  (-1, (0x2760000), 0, 32768, ... (0x2760000), 4096, ) == 0x0
 01378   444   NtAllocateVirtualMemory  (-1, 0, 0, 3712, 4096, 4, ... 41287680, 4096, ) == 0x0
 01379   444   NtAllocateVirtualMemory  (-1, 0, 0, 4348, 4096, 64, ... 41353216, 8192, ) == 0x0
 01380   444   NtAllocateVirtualMemory  (-1, 0, 0, 1535, 4096, 64, ... 41418752, 4096, ) == 0x0
 01381   444   NtAllocateVirtualMemory  (-1, 0, 0, 2702, 4096, 64, ... 41484288, 4096, ) == 0x0
 01382   444   NtAllocateVirtualMemory  (-1, 0, 0, 150, 4096, 64, ... 41549824, 4096, ) == 0x0
 01383   444   NtAllocateVirtualMemory  (-1, 0, 0, 1909, 4096, 64, ... 41615360, 4096, ) == 0x0
 01384   444   NtAllocateVirtualMemory  (-1, 0, 0, 2215, 4096, 64, ... 41680896, 4096, ) == 0x0
 01385   444   NtAllocateVirtualMemory  (-1, 0, 0, 650, 4096, 64, ... 41746432, 4096, ) == 0x0
 01386   444   NtAllocateVirtualMemory  (-1, 0, 0, 4645, 4096, 64, ... 41811968, 8192, ) == 0x0
 01387   444   NtAllocateVirtualMemory  (-1, 0, 0, 916, 4096, 64, ... 41877504, 4096, ) == 0x0
 01388   444   NtAllocateVirtualMemory  (-1, 0, 0, 2667, 4096, 64, ... 41943040, 4096, ) == 0x0
 01389   444   NtAllocateVirtualMemory  (-1, 0, 0, 92, 4096, 64, ... 42008576, 4096, ) == 0x0
 01390   444   NtAllocateVirtualMemory  (-1, 0, 0, 362, 4096, 64, ... 42074112, 4096, ) == 0x0
 01391   444   NtAllocateVirtualMemory  (-1, 0, 0, 2968, 4096, 64, ... 42139648, 4096, ) == 0x0
 01392   444   NtAllocateVirtualMemory  (-1, 0, 0, 2273, 4096, 64, ... 42205184, 4096, ) == 0x0
 01393   444   NtAllocateVirtualMemory  (-1, 0, 0, 2972, 4096, 64, ... 42270720, 4096, ) == 0x0
 01394   444   NtAllocateVirtualMemory  (-1, 0, 0, 1290, 4096, 64, ... 42336256, 4096, ) == 0x0
 01395   444   NtAllocateVirtualMemory  (-1, 0, 0, 1231, 4096, 64, ... 42401792, 4096, ) == 0x0
 01396   444   NtAllocateVirtualMemory  (-1, 0, 0, 2242, 4096, 64, ... 42467328, 4096, ) == 0x0
 01397   444   NtAllocateVirtualMemory  (-1, 0, 0, 2195, 4096, 64, ... 42532864, 4096, ) == 0x0
 01398   444   NtAllocateVirtualMemory  (-1, 0, 0, 1330, 4096, 64, ... 42598400, 4096, ) == 0x0
 01399   444   NtAllocateVirtualMemory  (-1, 0, 0, 5505, 4096, 64, ... 42663936, 8192, ) == 0x0
 01400   444   NtAllocateVirtualMemory  (-1, 0, 0, 2656, 4096, 64, ... 42729472, 4096, ) == 0x0
 01401   444   NtAllocateVirtualMemory  (-1, 0, 0, 2638, 4096, 64, ... 42795008, 4096, ) == 0x0
 01402   444   NtAllocateVirtualMemory  (-1, 0, 0, 983, 4096, 64, ... 42860544, 4096, ) == 0x0
 01403   444   NtAllocateVirtualMemory  (-1, 0, 0, 3547, 4096, 64, ... 42926080, 4096, ) == 0x0
 01404   444   NtAllocateVirtualMemory  (-1, 0, 0, 3018, 4096, 64, ... 42991616, 4096, ) == 0x0
 01405   444   NtAllocateVirtualMemory  (-1, 0, 0, 137, 4096, 64, ... 43057152, 4096, ) == 0x0
 01406   444   NtAllocateVirtualMemory  (-1, 0, 0, 1007, 4096, 64, ... 43122688, 4096, ) == 0x0
 01407   444   NtAllocateVirtualMemory  (-1, 0, 0, 2314, 4096, 64, ... 43188224, 4096, ) == 0x0
 01408   444   NtAllocateVirtualMemory  (-1, 0, 0, 3068, 4096, 64, ... 43253760, 4096, ) == 0x0
 01409   444   NtAllocateVirtualMemory  (-1, 0, 0, 564, 4096, 64, ... 43319296, 4096, ) == 0x0
 01410   444   NtAllocateVirtualMemory  (-1, 0, 0, 3646, 4096, 64, ... 43384832, 4096, ) == 0x0
 01411   444   NtAllocateVirtualMemory  (-1, 0, 0, 1579, 4096, 64, ... 43450368, 4096, ) == 0x0
 01412   444   NtAllocateVirtualMemory  (-1, 0, 0, 431, 4096, 64, ... 43515904, 4096, ) == 0x0
 01413   444   NtAllocateVirtualMemory  (-1, 0, 0, 1324, 4096, 64, ... 43581440, 4096, ) == 0x0
 01414   444   NtAllocateVirtualMemory  (-1, 0, 0, 4062, 4096, 64, ... 43646976, 4096, ) == 0x0
 01415   444   NtAllocateVirtualMemory  (-1, 0, 0, 3425, 4096, 64, ... 43712512, 4096, ) == 0x0
 01416   444   NtAllocateVirtualMemory  (-1, 0, 0, 3946, 4096, 64, ... 43778048, 4096, ) == 0x0
 01417   444   NtAllocateVirtualMemory  (-1, 0, 0, 1404, 4096, 64, ... 43843584, 4096, ) == 0x0
 01418   444   NtAllocateVirtualMemory  (-1, 0, 0, 5612, 4096, 64, ... 43909120, 8192, ) == 0x0
 01419   444   NtAllocateVirtualMemory  (-1, 0, 0, 7696, 4096, 64, ... 43974656, 8192, ) == 0x0
 01420   444   NtAllocateVirtualMemory  (-1, 0, 0, 1948, 4096, 64, ... 44040192, 4096, ) == 0x0
 01421   444   NtAllocateVirtualMemory  (-1, 0, 0, 3348, 4096, 64, ... 44105728, 4096, ) == 0x0
 01422   444   NtAllocateVirtualMemory  (-1, 0, 0, 1427, 4096, 64, ... 44171264, 4096, ) == 0x0
 01423   444   NtAllocateVirtualMemory  (-1, 0, 0, 6923, 4096, 64, ... 44236800, 8192, ) == 0x0
 01424   444   NtAllocateVirtualMemory  (-1, 0, 0, 3325, 4096, 64, ... 44302336, 4096, ) == 0x0
 01425   444   NtAllocateVirtualMemory  (-1, 0, 0, 1425, 4096, 64, ... 44367872, 4096, ) == 0x0
 01426   444   NtAllocateVirtualMemory  (-1, 0, 0, 1645, 4096, 64, ... 44433408, 4096, ) == 0x0
 01427   444   NtFreeVirtualMemory  (-1, (0x2760000), 0, 32768, ... (0x2760000), 4096, ) == 0x0
 01428   444   NtFreeVirtualMemory  (-1, (0x25e0000), 0, 32768, ... (0x25e0000), 200704, ) == 0x0
 01429   444   NtFreeVirtualMemory  (-1, (0x2620000), 0, 32768, ... (0x2620000), 4096, ) == 0x0
 01430   444   NtFreeVirtualMemory  (-1, (0x2740000), 0, 32768, ... (0x2740000), 8192, ) == 0x0
 01431   444   NtFreeVirtualMemory  (-1, (0x2750000), 0, 32768, ... (0x2750000), 65536, ) == 0x0
 01432   444   NtFreeVirtualMemory  (-1, (0x2730000), 0, 32768, ... (0x2730000), 4096, ) == 0x0
 01433   444   NtSetEvent  (140, ...
 01215   788   NtWaitForSingleObject  ... ) == 0x0
 01434   788   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01435   788   NtWaitForSingleObject  (140, 0, 0x0, ...
 01433   444   NtSetEvent  ... 0x0, ) == 0x0
 01436   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01437   444   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 01438   444   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 01439   444   NtSetEvent  (192, ...
 01226   892   NtWaitForSingleObject  ... ) == 0x0
 01440   892   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01441   892   NtWaitForSingleObject  (192, 0, 0x0, ...
 01439   444   NtSetEvent  ... 0x0, ) == 0x0
 01442   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01443   444   NtSetEvent  (188, ...
 01132   888   NtWaitForSingleObject  ... ) == 0x0
 01444   888   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01445   888   NtWaitForSingleObject  (188, 0, 0x0, ...
 01443   444   NtSetEvent  ... 0x0, ) == 0x0
 01446   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01447   444   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 01448   444   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 01449   444   NtSetEvent  (160, ...
 01322   860   NtWaitForSingleObject  ... ) == 0x0
 01450   860   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01451   860   NtWaitForSingleObject  (160, 0, 0x0, ...
 01449   444   NtSetEvent  ... 0x0, ) == 0x0
 01452   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01453   444   NtSetEvent  (168, ...
 01282   868   NtWaitForSingleObject  ... ) == 0x0
 01454   868   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01455   868   NtWaitForSingleObject  (168, 0, 0x0, ...
 01453   444   NtSetEvent  ... 0x0, ) == 0x0
 01456   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01457   444   NtSetEvent  (196, ...
 01359   908   NtWaitForSingleObject  ... ) == 0x0
 01458   908   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01459   908   NtWaitForSingleObject  (196, 0, 0x0, ...
 01457   444   NtSetEvent  ... 0x0, ) == 0x0
 01460   444   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 01461   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01462   444   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 39714816, 65536, ) == 0x0
 01463   444   NtAllocateVirtualMemory  (-1, 39714816, 0, 4096, 4096, 4, ... 39714816, 4096, ) == 0x0
 01464   444   NtAllocateVirtualMemory  (-1, 39718912, 0, 4096, 4096, 4, ... 39718912, 4096, ) == 0x0
 01465   444   NtQueryInformationProcess  (-1, DebugPort, 4, ... {process info, class 7, size 4}, 0x0, ) == 0x0
 01466   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01467   444   NtQueryInformationJobObject  (0, BasicLimit, 48, ... ) == STATUS_ACCESS_DENIED
 01468   444   NtOpenKey  (0x80000000, {24, 0, 0xc0, 0, 0,  (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"}, ... 268, ) }, ... 268, ) == 0x0
 01469   444   NtQueryValueKey  (268,  (268, "Debugger", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_BUFFER_OVERFLOW
 01470   444   NtQueryValueKey  (268,  (268, "Debugger", Partial, 64, ... TitleIdx=0, Type=1, Data="d\0r\0w\0t\0s\0n\03\02\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0 \0-\0g\0\0\0"}, 64, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (268, "Debugger", Partial, 64, ... TitleIdx=0, Type=1, Data="d\0r\0w\0t\0s\0n\03\02\0 \0-\0p\0 \0%\0l\0d\0 \0-\0e\0 \0%\0l\0d\0 \0-\0g\0\0\0"}, 64, ) }, 64, ) == 0x0
 01471   444   NtQueryKey  (268, Basic, 24, ... ) == STATUS_BUFFER_OVERFLOW
 01472   444   NtQueryValueKey  (268,  (268, "Auto", Partial, 16, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 16, ... TitleIdx=0, Type=1, Data= (268, "Auto", Partial, 16, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01473   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 1240200, ... ) }, 1240200, ... ) == 0x0
 01474   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01475   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 276, ... 280, ) == 0x0
 01476   444   NtClose  (276, ... ) == 0x0
 01477   444   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x25f0000), 0x0, 65536, ) == 0x0
 01478   444   NtClose  (280, ... ) == 0x0
 01479   444   NtUnmapViewOfSection  (-1, 0x25f0000, ... ) == 0x0
 01480   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 1240516, ... ) }, 1240516, ... ) == 0x0
 01481   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\faultrep.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01482   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 280, ... 276, ) == 0x0
 01483   444   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01484   444   NtClose  (280, ... ) == 0x0
 01485   444   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x69450000), 0x0, 73728, ) == 0x0
 01486   444   NtClose  (276, ... ) == 0x0
 01487   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 276, ) }, ... 276, ) == 0x0
 01488   444   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 01489   444   NtClose  (276, ... ) == 0x0
 01490   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 276, ) }, ... 276, ) == 0x0
 01491   444   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0
 01492   444   NtClose  (276, ... ) == 0x0
 01493   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239704, ... ) }, 1239704, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01495   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1239704, ... ) }, 1239704, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01496   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1239704, ... ) }, 1239704, ... ) == 0x0
 01497   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0
 01498   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 276, ... 280, ) == 0x0
 01499   444   NtQuerySection  (280, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01500   444   NtClose  (276, ... ) == 0x0
 01501   444   NtMapViewOfSection  (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0
 01502   444   NtClose  (280, ... ) == 0x0
 01503   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1239704, ... ) }, 1239704, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   444   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1239704, ... ) }, 1239704, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1239704, ... ) }, 1239704, ... ) == 0x0
 01507   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0
 01508   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 280, ... 276, ) == 0x0
 01509   444   NtQuerySection  (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01510   444   NtClose  (280, ... ) == 0x0
 01511   444   NtMapViewOfSection  (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0
 01512   444   NtClose  (276, ... ) == 0x0
 01513   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 276, ) }, ... 276, ) == 0x0
 01514   444   NtQueryValueKey  (276,  (276, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01515   444   NtClose  (276, ... ) == 0x0
 01516   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 276, ) }, ... 276, ) == 0x0
 01517   444   NtQueryValueKey  (276,  (276, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518   444   NtClose  (276, ... ) == 0x0
 01519   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 276, ) }, ... 276, ) == 0x0
 01520   444   NtQueryValueKey  (276,  (276, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (276, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 01521   444   NtClose  (276, ... ) == 0x0
 01522   444   NtCreateEvent  (0x1f0003, {24, 76, 0x80, 1240132, 0,  (0x1f0003, {24, 76, 0x80, 1240132, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 276, ) }, 0, 1, ... 276, ) == STATUS_OBJECT_NAME_EXISTS
 01523   444   NtQueryDefaultUILanguage  (2013024600, ...
 01524   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01525   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 01526   444   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01527   444   NtClose  (-2147482032, ... ) == 0x0
 01528   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01529   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01530   444   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 01531   444   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   444   NtClose  (-2147482044, ... ) == 0x0
 01533   444   NtClose  (-2147482032, ... ) == 0x0
 01523   444   NtQueryDefaultUILanguage  ... ) == 0x0
 01534   444   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 01535   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01536   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01537   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01538   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01539   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01540   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01541   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01542   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01543   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01544   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01545   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01546   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01547   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01548   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01549   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01550   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01551   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01552   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01553   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01554   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01555   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01556   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01557   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01558   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01559   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01560   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01561   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01562   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 280, ) == 0x0
 01563   444   NtQueryInformationToken  (280, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01564   444   NtClose  (280, ... ) == 0x0
 01565   444   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 280, ) }, ... 280, ) == 0x0
 01566   444   NtOpenKey  (0x20019, {24, 280, 0x40, 0, 0,  (0x20019, {24, 280, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 284, ) }, ... 284, ) == 0x0
 01567   444   NtQueryValueKey  (284,  (284, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (284, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01568   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01569   444   NtQueryValueKey  (284,  (284, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (284, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 01570   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01571   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01572   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01573   444   NtQueryDefaultLocale  (1, 1237968, ... ) == 0x0
 01574   444   NtClose  (284, ... ) == 0x0
 01575   444   NtClose  (280, ... ) == 0x0
 01576   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 280, ) }, ... 280, ) == 0x0
 01577   444   NtQueryValueKey  (280,  (280, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01578   444   NtClose  (280, ... ) == 0x0
 01579   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 280, ) }, ... 280, ) == 0x0
 01580   444   NtQueryValueKey  (280,  (280, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   444   NtQueryValueKey  (280,  (280, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01582   444   NtClose  (280, ... ) == 0x0
 01583   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 280, ) }, ... 280, ) == 0x0
 01585   444   NtQueryValueKey  (280,  (280, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586   444   NtClose  (280, ... ) == 0x0
 01587   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01588   444   NtOpenKey  (0x20119, {24, 48, 0x40, 0, 0,  (0x20119, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\PCHealth\ErrorReporting"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01589   444   NtCreateKey  (0x20119, {24, 48, 0x40, 0, 0,  (0x20119, {24, 48, 0x40, 0, 0, "Software\Microsoft\PCHealth\ErrorReporting"}, 0, 0x0, 0, ... 280, 2, ) }, 0, 0x0, 0, ... 280, 2, ) == 0x0
 01590   444   NtOpenKey  (0x10000, {24, 280, 0x40, 0, 0,  (0x10000, {24, 280, 0x40, 0, 0, "DW"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591   444   NtQueryValueKey  (280,  (280, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "DoReport", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01592   444   NtQueryValueKey  (280,  (280, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "ShowUI", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01593   444   NtQueryValueKey  (280,  (280, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "AllOrNone", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01594   444   NtQueryValueKey  (280,  (280, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "IncludeMicrosoftApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01595   444   NtQueryValueKey  (280,  (280, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "IncludeWindowsApps", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01596   444   NtQueryValueKey  (280,  (280, "DoTextLog", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01597   444   NtQueryValueKey  (280,  (280, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "IncludeKernelFaults", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01598   444   NtQueryValueKey  (280,  (280, "IncludeShutdownErrs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01599   444   NtQueryValueKey  (280,  (280, "NumberOfFaultPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600   444   NtQueryValueKey  (280,  (280, "NumberOfHangPipes", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01601   444   NtQueryValueKey  (280,  (280, "MaxUserQueueSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01602   444   NtQueryValueKey  (280,  (280, "ForceQueueMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01603   444   NtQueryValueKey  (280,  (280, "UseInternalServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01604   444   NtCreateKey  (0x20119, {24, 280, 0x40, 0, 0,  (0x20119, {24, 280, 0x40, 0, 0, "ExclusionList"}, 0, 0x0, 0, ... 284, 2, ) }, 0, 0x0, 0, ... 284, 2, ) == 0x0
 01605   444   NtCreateKey  (0x20119, {24, 280, 0x40, 0, 0,  (0x20119, {24, 280, 0x40, 0, 0, "InclusionList"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0
 01606   444   NtClose  (280, ... ) == 0x0
 01607   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 280, ) }, ... 280, ) == 0x0
 01608   444   NtQueryValueKey  (280,  (280, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (280, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01609   444   NtClose  (280, ... ) == 0x0
 01610   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01611   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01612   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1236180, ... ) }, 1236180, ... ) == 0x0
 01613   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234992, ... ) }, 1234992, ... ) == 0x0
 01614   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01615   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01616   444   NtQueryValueKey  (284,  (284, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01617   444   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 01618   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01619   444   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 01620   444   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01621   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01622   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 280, ) }, ... 280, ) == 0x0
 01623   444   NtQueryValueKey  (280,  (280, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01624   444   NtClose  (280, ... ) == 0x0
 01625   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01626   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 280, ) == 0x0
 01627   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 292, ) == 0x0
 01628   444   NtQuerySystemTime  (... {-656201394, 29889263}, ) == 0x0
 01629   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 296, ) == 0x0
 01630   444   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   444   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01632   444   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01633   444   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01634   444   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0
 01635   444   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 304, ) == 0x0
 01636   444   NtAllocateVirtualMemory  (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0
 01637   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 308, ) == 0x0
 01638   444   NtConnectPort  ( ("\RPC Control\IcaApi", {12, 2, 1, 0}, 0x0, 0x0, 1235396, 112, ... 312, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 0}, 0x0, 0x0, 1235396, 112, ... 312, 0x0, 0x0, 0x0, 112, ) == 0x0
 01639   444   NtRequestWaitReplyPort  (312, {128, 152, new_msg, 0, 1310720, 120728, 1310720, 1235160}  (312, {128, 152, new_msg, 0, 1310720, 120728, 1310720, 1235160} "\0$\370w\210\337\22\0\2$\370w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0H\243\24\0\4\0\0\0H\243\24\0\20\344\314wH\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\360"$\0\24\0\26\0\250\241\24\0\30\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\235\1\0\0" ... {128, 152, reply, 0, 436, 444, 1519, 0} "\7$\370w\210\337\22\0\2$\370w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H\243\24\0\377\377\377\377H\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\360"$\0\24\0\26\0\250\241\24\0\30\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\235\1\0\0" ) $\0\24\0\26\0\250\241\24\0\30\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\235\1\0\0 (312, {128, 152, new_msg, 0, 1310720, 120728, 1310720, 1235160} "\0$\370w\210\337\22\0\2$\370w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0H\243\24\0\4\0\0\0H\243\24\0\20\344\314wH\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\360"$\0\24\0\26\0\250\241\24\0\30\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\235\1\0\0" ... {128, 152, reply, 0, 436, 444, 1519, 0} "\7$\370w\210\337\22\0\2$\370w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H\243\24\0\377\377\377\377H\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\360"$\0\24\0\26\0\250\241\24\0\30\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\235\1\0\0" ) \7$\370w\210\337\22\0\2$\370w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H\243\24\0\377\377\377\377H\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\360 (312, {128, 152, new_msg, 0, 1310720, 120728, 1310720, 1235160} "\0$\370w\210\337\22\0\2$\370w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0H\243\24\0\4\0\0\0H\243\24\0\20\344\314wH\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\360"$\0\24\0\26\0\250\241\24\0\30\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\235\1\0\0" ... {128, 152, reply, 0, 436, 444, 1519, 0} "\7$\370w\210\337\22\0\2$\370w`\247\244\\261\353\317\21\206\21\0\240$T \355\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0H\243\24\0\377\377\377\377H\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\360"$\0\24\0\26\0\250\241\24\0\30\243\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\235\1\0\0" )  ) == 0x0
 01640   444   NtRequestWaitReplyPort  (312, {32, 56, new_msg, 0, 0, 0, 0, 0}  (312, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 436, 444, 1520, 0} "\21\3141\1\0\3341\3441\3541\3641\3741\42\142\242\342$2,242<2\0\0\0\0\0\0\0\0\377\10"\26\343~\334\21\261\310\0\14)\371\246\305\1\0\0\0\12\2742\3042\3142\3242\3342\3442\3542\3642\3742\43\143\243\343$3,343<3D3L3T3\3d3l3t3|3\2043\2143\2243\2343\2443\2543" )  ... {124, 148, reply, 0, 436, 444, 1520, 0}  (312, {32, 56, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\3\0\0`\247\244\\261\353\317\21\206\21\0\240$T \355\377\377\377\377\0\0\0\0" ... {124, 148, reply, 0, 436, 444, 1520, 0} "\21\3141\1\0\3341\3441\3541\3641\3741\42\142\242\342$2,242<2\0\0\0\0\0\0\0\0\377\10"\26\343~\334\21\261\310\0\14)\371\246\305\1\0\0\0\12\2742\3042\3142\3242\3342\3442\3542\3642\3742\43\143\243\343$3,343<3D3L3T3\3d3l3t3|3\2043\2143\2243\2343\2443\2543" ) \26\343~\334\21\261\310\0\14)\371\246\305\1\0\0\0\12\2742\3042\3142\3242\3342\3442\3542\3642\3742\43\143\243\343$3,343<3D3L3T3\3d3l3t3|3\2043\2143\2243\2343\2443\2543" ) == 0x0
 01641   444   NtRequestWaitReplyPort  (312, {44, 68, new_msg, 56, 436, 444, 1520, 0}  (312, {44, 68, new_msg, 56, 436, 444, 1520, 0} "\11\0\0B\2\5\0\3441\3541\3641\3741\42\142\242\342\377\377\377\37742<2\1\0\0\0\270\245\24\0\10\5\0\0" ... {40, 64, reply, 0, 436, 444, 1521, 0} "\2\226#\341\4\0\0\0\210\33\377\367\360\15W\200J\1\0\0\1\0\0\0\241\16W\200X\226#\341\14\5\0\0\270\201\23\0" )  ... {40, 64, reply, 0, 436, 444, 1521, 0}  (312, {44, 68, new_msg, 56, 436, 444, 1520, 0} "\11\0\0B\2\5\0\3441\3541\3641\3741\42\142\242\342\377\377\377\37742<2\1\0\0\0\270\245\24\0\10\5\0\0" ... {40, 64, reply, 0, 436, 444, 1521, 0} "\2\226#\341\4\0\0\0\210\33\377\367\360\15W\200J\1\0\0\1\0\0\0\241\16W\200X\226#\341\14\5\0\0\270\201\23\0" )  ) == 0x0
 01642   444   NtRequestWaitReplyPort  (312, {64, 88, new_msg, 56, 0, 1353136, 1311096, 0}  (312, {64, 88, new_msg, 56, 0, 1353136, 1311096, 0} "\10\1\0\0@\0\0\0\260\244\24\0\314\333\22\04\334\22\0\242\0\1\1\0\0\24\0\320\332\22\0\1\0\0\0\270\245\24\0\14\5\0\0\14\5\0\0\270\201\23\0\0\0\0\0\0\0\0\0\0\0\24\0" ... {64, 88, reply, 56, 436, 444, 1522, 0} "\10\1\0\0@\0\0\0\260\244\24\0\314\333\22\04\334\22\0\242\0\1\1\0\0\24\0\320\332\22\0\1\0\0\0\270\245\24\0\14\5\0\0\14\5\0\0\270\201\23\0\0\0\0\0\0\0\0\0\0\0\24\0" )  ... {64, 88, reply, 56, 436, 444, 1522, 0}  (312, {64, 88, new_msg, 56, 0, 1353136, 1311096, 0} "\10\1\0\0@\0\0\0\260\244\24\0\314\333\22\04\334\22\0\242\0\1\1\0\0\24\0\320\332\22\0\1\0\0\0\270\245\24\0\14\5\0\0\14\5\0\0\270\201\23\0\0\0\0\0\0\0\0\0\0\0\24\0" ... {64, 88, reply, 56, 436, 444, 1522, 0} "\10\1\0\0@\0\0\0\260\244\24\0\314\333\22\04\334\22\0\242\0\1\1\0\0\24\0\320\332\22\0\1\0\0\0\270\245\24\0\14\5\0\0\14\5\0\0\270\201\23\0\0\0\0\0\0\0\0\0\0\0\24\0" )  ) == 0x0
 01643   444   NtRequestWaitReplyPort  (312, {44, 68, new_msg, 56, 436, 444, 1521, 0}  (312, {44, 68, new_msg, 56, 436, 444, 1521, 0} "\1\226\0\0B\2\5\0\210\33\377\367\360\15W\200J\1\0\0\1\0\0\0\377\377\377\377X\226#\341\1\0\0\0\210\252\24\0\10\5\0\0" ... {40, 64, reply, 0, 436, 444, 1523, 0} "\21\3141\4\0\3341\3441\3541\3641\3741\42\142\242\342$2,242<2\14\5\0\0\320o\23\0" )  ... {40, 64, reply, 0, 436, 444, 1523, 0}  (312, {44, 68, new_msg, 56, 436, 444, 1521, 0} "\1\226\0\0B\2\5\0\210\33\377\367\360\15W\200J\1\0\0\1\0\0\0\377\377\377\377X\226#\341\1\0\0\0\210\252\24\0\10\5\0\0" ... {40, 64, reply, 0, 436, 444, 1523, 0} "\21\3141\4\0\3341\3441\3541\3641\3741\42\142\242\342$2,242<2\14\5\0\0\320o\23\0" )  ) == 0x0
 01644   444   NtRequestWaitReplyPort  (312, {64, 88, new_msg, 56, 0, 1354368, 1311096, 0}  (312, {64, 88, new_msg, 56, 0, 1354368, 1311096, 0} "\10\0\0\0@\0\0\0\260\244\24\0\314\333\22\04\334\22\0\242\0\1\1\0\0\24\0\320\332\22\0\1\0\0\0\210\252\24\0\14\5\0\0\14\5\0\0\320o\23\0\0\0\0\0\0\0\0\0\0\0\24\0" ... {64, 88, reply, 56, 436, 444, 1524, 0} "\10\0\0\0@\0\0\0\260\244\24\0\314\333\22\04\334\22\0\242\0\1\1\0\0\24\0\320\332\22\0\1\0\0\0\210\252\24\0\14\5\0\0\14\5\0\0\320o\23\0\0\0\0\0\0\0\0\0\0\0\24\0" )  ... {64, 88, reply, 56, 436, 444, 1524, 0}  (312, {64, 88, new_msg, 56, 0, 1354368, 1311096, 0} "\10\0\0\0@\0\0\0\260\244\24\0\314\333\22\04\334\22\0\242\0\1\1\0\0\24\0\320\332\22\0\1\0\0\0\210\252\24\0\14\5\0\0\14\5\0\0\320o\23\0\0\0\0\0\0\0\0\0\0\0\24\0" ... {64, 88, reply, 56, 436, 444, 1524, 0} "\10\0\0\0@\0\0\0\260\244\24\0\314\333\22\04\334\22\0\242\0\1\1\0\0\24\0\320\332\22\0\1\0\0\0\210\252\24\0\14\5\0\0\14\5\0\0\320o\23\0\0\0\0\0\0\0\0\0\0\0\24\0" )  ) == 0x0
 01645   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 316, ) }, ... 316, ) == 0x0
 01646   444   NtOpenKey  (0x20019, {24, 316, 0x40, 0, 0,  (0x20019, {24, 316, 0x40, 0, 0, "ActiveComputerName"}, ... 320, ) }, ... 320, ) == 0x0
 01647   444   NtQueryValueKey  (320,  (320, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (320, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (320, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01648   444   NtClose  (320, ... ) == 0x0
 01649   444   NtClose  (316, ... ) == 0x0
 01650   444   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 316, ) == 0x0
 01651   444   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 320, ) == 0x0
 01652   444   NtDuplicateObject  (-1, 316, -1, 0x0, 0, 2, ... 324, ) == 0x0
 01653   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01654   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 328, ) == 0x0
 01655   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01656   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01657   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235352,  (0xc0100080, {24, 0, 0x40, 0, 1235352, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 01658   444   NtSetInformationFile  (332, 1235408, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01659   444   NtSetInformationFile  (332, 1235400, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01660   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01661   444   NtWriteFile  (332, 301, 0, 0,  (332, 301, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01662   444   NtReadFile  (332, 301, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 301, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\24\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01663   444   NtFsControlFile  (332, 301, 0x0, 0x0, 0x11c017,  (332, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\24\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (332, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\24\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01664   444   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01665   444   NtFsControlFile  (332, 301, 0x0, 0x0, 0x11c017,  (332, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0/xg\23\343~\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\360\342\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0/xg\23\343~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\360\342\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (332, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\0/xg\23\343~\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\360\342\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0/xg\23\343~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0/xg\23\343~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01666   444   NtFsControlFile  (332, 301, 0x0, 0x0, 0x11c017,  (332, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0/xg\23\343~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0`\260\24\0\1\0\0\0l\260\24\0 \0\0\0\1\0\0\0\16\0\20\0x\260\24\0\210\260\24\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\260\24\0\1\0\0\0\1\0\0\0\330\260\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (332, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0/xg\23\343~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0`\260\24\0\1\0\0\0l\260\24\0 \0\0\0\1\0\0\0\16\0\20\0x\260\24\0\210\260\24\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\260\24\0\1\0\0\0\1\0\0\0\330\260\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01667   444   NtClose  (328, ... ) == 0x0
 01668   444   NtClose  (332, ... ) == 0x0
 01669   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01670   444   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 01671   444   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01672   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01673   444   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235324,  (0xc0100080, {24, 0, 0x40, 0, 1235324, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 328, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 328, {status=0x0, info=1}, ) == 0x0
 01674   444   NtSetInformationFile  (328, 1235380, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01675   444   NtSetInformationFile  (328, 1235372, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01676   444   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01677   444   NtWriteFile  (328, 301, 0, 0,  (328, 301, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01678   444   NtReadFile  (328, 301, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (328, 301, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\25\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01679   444   NtFsControlFile  (328, 301, 0x0, 0x0, 0x11c017,  (328, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\25\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (328, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\340\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\25\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01680   444   NtFsControlFile  (328, 301, 0x0, 0x0, 0x11c017,  (328, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\00xg\23\343~\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\360\342\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\00xg\23\343~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\360\342\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (328, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\200\0\0\0\2\0\0\0h\0\0\0\0\0D\0\0\0\0\00xg\23\343~\334\21\261\310\0\14)\371\246\305\1\0\0\0\1\0\0\0 \0"\0\360\342\22\0\21\0\0\0\0\0\0\0\20\0\0\0M\0Y\0W\0O\0R\0L\0D\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 128, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\00xg\23\343~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\00xg\23\343~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01681   444   NtFsControlFile  (328, 301, 0x0, 0x0, 0x11c017,  (328, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\00xg\23\343~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0`\260\24\0\1\0\0\0l\260\24\0 \0\0\0\1\0\0\0\16\0\20\0x\260\24\0\210\260\24\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\260\24\0\1\0\0\0\1\0\0\0\330\260\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (328, 301, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\00xg\23\343~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0`\260\24\0\1\0\0\0l\260\24\0 \0\0\0\1\0\0\0\16\0\20\0x\260\24\0\210\260\24\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\260\24\0\1\0\0\0\1\0\0\0\330\260\24\0\0\0\0\0\0\0\0\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01682   444   NtClose  (332, ... ) == 0x0
 01683   444   NtClose  (328, ... ) == 0x0
 01684   444   NtOpenProcessToken  (-1, 0x20008, ... 328, ) == 0x0
 01685   444   NtQueryInformationToken  (328, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01686   444   NtQueryInformationToken  (328, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 01687   444   NtOpenDirectoryObject  (0x2, {24, 0, 0x40, 0, 0,  (0x2, {24, 0, 0x40, 0, 0, "\Windows\WindowStations"}, ... 332, ) }, ... 332, ) == 0x0
 01688   444   NtUserOpenWindowStation  ({24, 332, 0x40, 0, 0,  ({24, 332, 0x40, 0, 0, "winsta0"}, 0x37f, ... ) }, 0x37f, ... ) == 0x150
 01689   444   NtClose  (332, ... ) == 0x0
 01690   444   NtUserCloseWindowStation  (336, ...
 01691   444   NtClose  (336, ... ) == 0x0
 01690   444   NtUserCloseWindowStation  ... ) == 0x1
 01692   444   NtClose  (328, ... ) == 0x0
 01693   444   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 328, ) == 0x0
 01694   444   NtCreateEvent  (0x1f0003, {24, 0, 0x2, 0, 0, 0x0}, 1, 0, ... 336, ) == 0x0
 01695   444   NtCreateMutant  (0x1f0001, {24, 0, 0x2, 0, 0, 0x0}, 0, ... 332, ) == 0x0
 01696   444   NtDuplicateObject  (-1, -1, -1, 0x1f0fff, 2, 0, ... 340, ) == 0x0
 01697   444   NtCreateSection  (0xf0007, {24, 0, 0x2, 0, 0, 0x0}, {7248, 0}, 4, 134217728, 0, ... 344, ) == 0x0
 01698   444   NtMapViewOfSection  (344, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x25f0000), {0, 0}, 8192, ) == 0x0
 01699   444   NtQueryDefaultUILanguage  (1236524, ...
 01700   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01701   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 01702   444   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01703   444   NtClose  (-2147482032, ... ) == 0x0
 01704   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01705   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01706   444   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 01707   444   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01708   444   NtClose  (-2147482044, ... ) == 0x0
 01709   444   NtClose  (-2147482032, ... ) == 0x0
 01699   444   NtQueryDefaultUILanguage  ... ) == 0x0
 01710   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01711   444   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 01712   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01713   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01714   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234804, ... ) }, 1234804, ... ) == 0x0
 01715   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233616, ... ) }, 1233616, ... ) == 0x0
 01716   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01717   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01718   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1236032, ... ) }, 1236032, ... ) == 0x0
 01719   444   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2012563070, 1356056, 2012568802, 0}  (24, {20, 48, new_msg, 0, 2012563070, 1356056, 2012568802, 0} "\0\0\0\0\2\0\1\0\0\0\0\0D\0\0\0\0\336\22\0" ... {20, 48, reply, 0, 436, 444, 1525, 0} "\0\0\0\0\2\0\1\0\2\0\0\0D\0\0\0\2\0\0\0" )  ... {20, 48, reply, 0, 436, 444, 1525, 0}  (24, {20, 48, new_msg, 0, 2012563070, 1356056, 2012568802, 0} "\0\0\0\0\2\0\1\0\0\0\0\0D\0\0\0\0\336\22\0" ... {20, 48, reply, 0, 436, 444, 1525, 0} "\0\0\0\0\2\0\1\0\2\0\0\0D\0\0\0\2\0\0\0" )  ) == 0x0
 01720   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236040,  (0x80100080, {24, 0, 0x40, 0, 1236040, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER2.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 348, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 348, {status=0x0, info=2}, ) == 0x0
 01721   444   NtClose  (348, ... ) == 0x0
 01722   444   NtCreateFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER2.tmp.dir00"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 348, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 348, {status=0x0, info=2}, ) == 0x0
 01723   444   NtClose  (348, ... ) == 0x0
 01724   444   NtCreateSection  (0xf001f, 0x0, {4194304, 0}, 4, 67108864, 0, ... 348, ) == 0x0
 01725   444   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 4194304, 2, 0, 4, ... (0x2a70000), 0x0, 4194304, ) == 0x0
 01726   444   NtAllocateVirtualMemory  (-1, 44498944, 0, 1, 4096, 4, ... 44498944, 4096, ) == 0x0
 01727   444   NtAllocateVirtualMemory  (-1, 44503040, 0, 2252, 4096, 4, ... 44503040, 4096, ) == 0x0
 01728   444   NtCreateSection  (0xf0007, 0x0, {23460, 0}, 4, 134217728, 0, ... 352, ) == 0x0
 01729   444   NtMapViewOfSection  (352, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2600000), {0, 0}, 24576, ) == 0x0
 01730   444   NtUnmapViewOfSection  (-1, 0x2600000, ... ) == 0x0
 01731   444   NtMapViewOfSection  (352, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2600000), {0, 0}, 24576, ) == 0x0
 01732   444   NtClose  (348, ... ) == 0x0
 01733   444   NtUnmapViewOfSection  (-1, 0x2a70000, ... ) == 0x0
 01734   444   NtUnmapViewOfSection  (-1, 0x2600000, ... ) == 0x0
 01735   444   NtMapViewOfSection  (352, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2600000), {0, 0}, 24576, ) == 0x0
 01736   444   NtUnmapViewOfSection  (-1, 0x2600000, ... ) == 0x0
 01737   444   NtClose  (352, ... ) == 0x0
 01738   444   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01739   444   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 352, {status=0x0, info=1}, ) }, 3, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 01740   444   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 348, ) }, ... 348, ) == 0x0
 01741   444   NtQuerySymbolicLinkObject  (348, ...  (348, ... "\Device\WinDfs\U:000000000000926a", 66, ) , 66, ) == 0x0
 01742   444   NtClose  (348, ... ) == 0x0
 01743   444   NtQueryVolumeInformationFile  (352, 1236140, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01744   444   NtClose  (352, ... ) == 0x0
 01745   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 1234000, ... ) }, 1234000, ... ) == 0x0
 01746   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 01747   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 352, ... 348, ) == 0x0
 01748   444   NtClose  (352, ... ) == 0x0
 01749   444   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2600000), 0x0, 106496, ) == 0x0
 01750   444   NtClose  (348, ... ) == 0x0
 01751   444   NtUnmapViewOfSection  (-1, 0x2600000, ... ) == 0x0
 01752   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 1234316, ... ) }, 1234316, ... ) == 0x0
 01753   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\apphelp.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0
 01754   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 348, ... 352, ) == 0x0
 01755   444   NtQuerySection  (352, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01756   444   NtClose  (348, ... ) == 0x0
 01757   444   NtMapViewOfSection  (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01758   444   NtClose  (352, ... ) == 0x0
 01759   444   NtAllocateVirtualMemory  (-1, 1359872, 0, 12288, 4096, 4, ... 1359872, 12288, ) == 0x0
 01760   444   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shlwapi.dll"}, ... 352, ) }, ... 352, ) == 0x0
 01761   444   NtMapViewOfSection  (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 01762   444   NtClose  (352, ... ) == 0x0
 01763   444   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01764   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1235576, ... ) }, 1235576, ... ) == 0x0
 01765   444   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1235584,  (0x40100080, {24, 0, 0x40, 0, 1235584, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER2.tmp.dir00\appcompat.txt"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 01766   444   NtClose  (-2147482032, ... ) == 0x0
 01765   444   NtCreateFile  ... 352, {status=0x0, info=2}, ) == 0x0
 01767   444   NtAllocateVirtualMemory  (-1, 1372160, 0, 12288, 4096, 4, ... 1372160, 12288, ) == 0x0
 01768   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 01769   444   NtQueryDirectoryFile  (348, 0, 0, 0, 1234176, 616, BothDirectory, 1,  (348, 0, 0, 0, 1234176, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 01770   444   NtWriteFile  (352, 0, 0, 0,  (352, 0, 0, 0, "\377\376", 2, 0x0, 0, ... {status=0x0, info=2}, ) , 2, 0x0, 0, ... {status=0x0, info=2}, ) == 0x0
 01771   444   NtWriteFile  (352, 0, 0, 0,  (352, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \01\0.\00\0 (352, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) \0U\0T\0F\0-\01\06\0 (352, 0, 0, 0, "<\0?\0x\0m\0l\0 \0v\0e\0r\0s\0i\0o\0n\0=\0"\01\0.\00\0"\0 \0e\0n\0c\0o\0d\0i\0n\0g\0=\0"\0U\0T\0F\0-\01\06\0"\0?\0>\0\15\0\12\0<\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 106, 0x0, 0, ... {status=0x0, info=106}, ) , 106, 0x0, 0, ... {status=0x0, info=106}, ) == 0x0
 01772   444   NtWriteFile  (352, 0, 0, 0,  (352, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (352, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (352, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 122, 0x0, 0, ... {status=0x0, info=122}, ) , 122, 0x0, 0, ... {status=0x0, info=122}, ) == 0x0
 01773   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1234632, ... ) }, 1234632, ... ) == 0x0
 01774   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 01775   444   NtQueryDirectoryFile  (356, 0, 0, 0, 1234192, 592, Directory, 1,  (356, 0, 0, 0, 1234192, 592, Directory, 1, "packed.exe", 0, ... {status=0x0, info=84}, ) , 0, ... {status=0x0, info=84}, ) == 0x0
 01776   444   NtClose  (356, ... ) == 0x0
 01777   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01778   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01779   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1233556, ... ) }, 1233556, ... ) == 0x0
 01780   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1232368, ... ) }, 1232368, ... ) == 0x0
 01781   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01782   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01783   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 356, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 356, {status=0x0, info=1}, ) == 0x0
 01784   444   NtQueryInformationFile  (356, 1234720, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01785   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 356, ... 360, ) == 0x0
 01786   444   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2a70000), 0x0, 724992, ) == 0x0
 01787   444   NtUnmapViewOfSection  (-1, 0x2a70000, ... ) == 0x0
 01788   444   NtClose  (360, ... ) == 0x0
 01789   444   NtClose  (356, ... ) == 0x0
 01790   444   NtWriteFile  (352, 0, 0, 0,  (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) \0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) \07\02\04\09\09\02\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) \00\0x\08\01\0C\05\0B\08\0F\04\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) \0W\0I\0N\03\02\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) \00\0x\08\06\07\08\0F\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) \00\0x\00\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) \00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) \00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0 \0S\0I\0Z\0E\0=\0"\07\02\04\09\09\02\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\01\0C\05\0B\08\0F\04\0"\0 \0M\0O\0D\0U\0L\0E\0_\0T\0Y\0P\0E\0=\0"\0W\0I\0N\03\02\0"\0 \0P\0E\0_\0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\08\06\07\08\0F\0"\0 \0L\0I\0N\0K\0E\0R\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\00\0x\00\0"\0 \0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0U\0P\0T\0O\0_\0L\0I\0N\0K\0_\0D\0A\0T\0E\0=\0"\00\09\0/\01\04\0/\02\00\00\07\0 \01\07\0:\03\06\0:\00\00\0"\0 \0/\0>\0\15\0\12\0", 418, 0x0, 0, ... {status=0x0, info=418}, ) , 418, 0x0, 0, ... {status=0x0, info=418}, ) == 0x0
 01791   444   NtQueryDirectoryFile  (348, 0, 0, 0, 1373128, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01792   444   NtClose  (348, ... ) == 0x0
 01793   444   NtWriteFile  (352, 0, 0, 0,  (352, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0", 16, 0x0, 0, ... {status=0x0, info=16}, ) , 16, 0x0, 0, ... {status=0x0, info=16}, ) == 0x0
 01794   444   NtClose  (352, ... ) == 0x0
 01795   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1235576, ... ) }, 1235576, ... ) == 0x0
 01796   444   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1235584,  (0x40100080, {24, 0, 0x40, 0, 1235584, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\WER2.tmp.dir00\appcompat.txt"}, 0x0, 128, 0, 3, 96, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 01797   444   NtQueryInformationFile  (352, 1235608, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01798   444   NtSetInformationFile  (352, 1235640, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 01799   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 01800   444   NtQueryDirectoryFile  (348, 0, 0, 0, 1234176, 616, BothDirectory, 1,  (348, 0, 0, 0, 1234176, 616, BothDirectory, 1, "kernel32.dll", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01801   444   NtWriteFile  (352, 0, 0, 0,  (352, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (352, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) \0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0 (352, 0, 0, 0, "<\0E\0X\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0F\0I\0L\0T\0E\0R\0=\0"\0G\0R\0A\0B\0M\0I\0_\0F\0I\0L\0T\0E\0R\0_\0T\0H\0I\0S\0F\0I\0L\0E\0O\0N\0L\0Y\0"\0>\0\15\0\12\0", 126, 0x0, 0, ... {status=0x0, info=126}, ) , 126, 0x0, 0, ... {status=0x0, info=126}, ) == 0x0
 01802   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1234604, ... ) }, 1234604, ... ) == 0x0
 01803   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 3, 16417, ... 356, {status=0x0, info=1}, ) }, 3, 16417, ... 356, {status=0x0, info=1}, ) == 0x0
 01804   444   NtQueryDirectoryFile  (356, 0, 0, 0, 1234192, 592, Directory, 1,  (356, 0, 0, 0, 1234192, 592, Directory, 1, "kernel32.dll", 0, ... {status=0x0, info=88}, ) , 0, ... {status=0x0, info=88}, ) == 0x0
 01805   444   NtClose  (356, ... ) == 0x0
 01806   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01807   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01808   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1233556, ... ) }, 1233556, ... ) == 0x0
 01809   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1232368, ... ) }, 1232368, ... ) == 0x0
 01810   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01811   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01812   444   NtQueryDefaultLocale  (1, 1234420, ... ) == 0x0
 01813   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01814   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01815   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1233548, ... ) }, 1233548, ... ) == 0x0
 01816   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 1232360, ... ) }, 1232360, ... ) == 0x0
 01817   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01818   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01819   444   NtQueryDefaultLocale  (1, 1234412, ... ) == 0x0
 01820   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\kernel32.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 356, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 356, {status=0x0, info=1}, ) == 0x0
 01821   444   NtQueryInformationFile  (356, 1234720, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01822   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 356, ... 360, ) == 0x0
 01823   444   NtMapViewOfSection  (360, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2a70000), 0x0, 929792, ) == 0x0
 01824   444   NtUnmapViewOfSection  (-1, 0x2a70000, ... ) == 0x0
 01825   444   NtClose  (360, ... ) == 0x0
 01826   444   NtClose  (356, ... ) == 0x0
 01827   444   NtQueryDefaultUILanguage  (1234084, ...
 01828   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01829   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 01830   444   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01831   444   NtClose  (-2147482032, ... ) == 0x0
 01832   444   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01833   444   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01834   444   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 01835   444   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01836   444   NtClose  (-2147482044, ... ) == 0x0
 01837   444   NtClose  (-2147482032, ... ) == 0x0
 01827   444   NtQueryDefaultUILanguage  ... ) == 0x0
 01838   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01839   444   NtWriteFile  (352, 0, 0, 0,  (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \09\02\06\07\02\00\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \00\0x\06\02\06\02\0E\0E\0A\05\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \05\0.\01\0.\02\06\00\00\0.\00\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0 (352, 0, 0, 0, " \0 \0 \0 \0<\0M\0A\0T\0C\0H\0I\0N\0G\0_\0F\0I\0L\0E\0 \0N\0A\0M\0E\0=\0"\0k\0e\0r\0n\0e\0l\03\02\0.\0d\0l\0l\0"\0 \0S\0I\0Z\0E\0=\0"\09\02\06\07\02\00\0"\0 \0C\0H\0E\0C\0K\0S\0U\0M\0=\0"\00\0x\06\02\06\02\0E\0E\0A\05\0"\0 \0B\0I\0N\0_\0F\0I\0L\0E\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0B\0I\0N\0_\0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0P\0R\0O\0D\0U\0C\0T\0_\0V\0E\0R\0S\0I\0O\0N\0=\0"\05\0.\01\0.\02\06\00\00\0.\00\0"\0 \0F\0I\0L\0E\0_\0D\0E\0S\0C\0R\0I\0P\0T\0I\0O\0N\0=\0"\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \0B\0A\0S\0E\0 \0A\0P\0I\0 \0C\0l\0i\0e\0n\0t\0 \0D\0L\0L\0"\0 \0C\0O\0M\0P\0A\0N\0Y\0_\0N\0A\0M\0E\0=\0"\0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0C\0o\0r\0p\0o\0r\0a\0t\0i\0", 1622, 0x0, 0, ... {status=0x0, info=1622}, ) == 0x0
 01840   444   NtQueryDirectoryFile  (348, 0, 0, 0, 1375696, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01841   444   NtClose  (348, ... ) == 0x0
 01842   444   NtWriteFile  (352, 0, 0, 0,  (352, 0, 0, 0, "<\0/\0E\0X\0E\0>\0\15\0\12\0<\0/\0D\0A\0T\0A\0B\0A\0S\0E\0>\0\15\0\12\0", 42, 0x0, 0, ... {status=0x0, info=42}, ) , 42, 0x0, 0, ... {status=0x0, info=42}, ) == 0x0
 01843   444   NtClose  (352, ... ) == 0x0
 01844   444   NtUnmapViewOfSection  (-1, 0x75f40000, ... ) == 0x0
 01845   444   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01846   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1232992, ... ) }, 1232992, ... ) == 0x0
 01847   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1233684, ... ) }, 1233684, ... ) == 0x0
 01848   444   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 01849   444   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 352, ... 348, ) == 0x0
 01850   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01851   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 356, ) }, ... 356, ) == 0x0
 01852   444   NtQueryValueKey  (356,  (356, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01853   444   NtClose  (356, ... ) == 0x0
 01854   444   NtQueryVolumeInformationFile  (352, 1232992, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01855   444   NtOpenMutant  (0x120001, {24, 76, 0x0, 0, 0,  (0x120001, {24, 76, 0x0, 0, 0, "ShimCacheMutex"}, ... 356, ) }, ... 356, ) == 0x0
 01856   444   NtWaitForSingleObject  (356, 0, {-1000000, -1}, ... ) == 0x0
 01857   444   NtOpenSection  (0x2, {24, 76, 0x0, 0, 0,  (0x2, {24, 76, 0x0, 0, 0, "ShimSharedMemory"}, ... 360, ) }, ... 360, ) == 0x0
 01858   444   NtMapViewOfSection  (360, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x2600000), {0, 0}, 57344, ) == 0x0
 01859   444   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 01860   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1230976, ... ) }, 1230976, ... ) == 0x0
 01861   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 364, {status=0x0, info=1}, ) }, 5, 96, ... 364, {status=0x0, info=1}, ) == 0x0
 01862   444   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 364, ... 368, ) == 0x0
 01863   444   NtClose  (364, ... ) == 0x0
 01864   444   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2610000), 0x0, 106496, ) == 0x0
 01865   444   NtClose  (368, ... ) == 0x0
 01866   444   NtUnmapViewOfSection  (-1, 0x2610000, ... ) == 0x0
 01867   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1231292, ... ) }, 1231292, ... ) == 0x0
 01868   444   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0
 01869   444   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 368, ... 364, ) == 0x0
 01870   444   NtQuerySection  (364, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01871   444   NtClose  (368, ... ) == 0x0
 01872   444   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01873   444   NtClose  (364, ... ) == 0x0
 01874   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 364, {status=0x0, info=1}, ) == 0x0
 01875   444   NtQueryInformationFile  (364, 1231580, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01876   444   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 364, ... 368, ) == 0x0
 01877   444   NtMapViewOfSection  (368, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2a70000), 0x0, 1028096, ) == 0x0
 01878   444   NtQueryInformationFile  (364, 1231676, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01879   444   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01880   444   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01881   444   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01882   444   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01883   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 01884   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1229240, 616, BothDirectory, 1,  (372, 0, 0, 0, 1229240, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01885   444   NtClose  (372, ... ) == 0x0
 01886   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01887   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01888   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1228628, ... ) }, 1228628, ... ) == 0x0
 01889   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 01890   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1227988, 616, BothDirectory, 1,  (372, 0, 0, 0, 1227988, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01891   444   NtClose  (372, ... ) == 0x0
 01892   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 01893   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1227988, 616, BothDirectory, 1,  (372, 0, 0, 0, 1227988, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01894   444   NtClose  (372, ... ) == 0x0
 01895   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 01896   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1227988, 616, BothDirectory, 1,  (372, 0, 0, 0, 1227988, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01897   444   NtClose  (372, ... ) == 0x0
 01898   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01899   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01900   444   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01901   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01902   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 01903   444   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01904   444   NtClose  (372, ... ) == 0x0
 01905   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01906   444   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01907   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01908   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01909   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1230908, ... ) }, 1230908, ... ) == 0x0
 01910   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 01911   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1230268, 616, BothDirectory, 1,  (372, 0, 0, 0, 1230268, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01912   444   NtClose  (372, ... ) == 0x0
 01913   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 01914   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1230268, 616, BothDirectory, 1,  (372, 0, 0, 0, 1230268, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01915   444   NtClose  (372, ... ) == 0x0
 01916   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 01917   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1230268, 616, BothDirectory, 1,  (372, 0, 0, 0, 1230268, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01918   444   NtClose  (372, ... ) == 0x0
 01919   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01920   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01921   444   NtWaitForSingleObject  (356, 0, {-1000000, -1}, ... ) == 0x0
 01922   444   NtQueryVolumeInformationFile  (352, 1231552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01923   444   NtQueryInformationFile  (352, 1231532, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01924   444   NtQueryInformationFile  (352, 1231572, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01925   444   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 01926   444   NtUnmapViewOfSection  (-1, 0x2a70000, ... ) == 0x0
 01927   444   NtClose  (368, ... ) == 0x0
 01928   444   NtClose  (364, ... ) == 0x0
 01929   444   NtQuerySection  (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01930   444   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01931   444   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01932   444   NtOpenProcessToken  (-1, 0xa, ... 364, ) == 0x0
 01933   444   NtQueryInformationToken  (364, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01934   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0
 01936   444   NtQueryValueKey  (368,  (368, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (368, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01937   444   NtQueryValueKey  (368,  (368, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (368, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01938   444   NtClose  (368, ... ) == 0x0
 01939   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0
 01940   444   NtQueryValueKey  (368,  (368, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01941   444   NtQueryValueKey  (368,  (368, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (368, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01942   444   NtClose  (368, ... ) == 0x0
 01943   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01944   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0
 01945   444   NtQueryValueKey  (368,  (368, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01946   444   NtClose  (368, ... ) == 0x0
 01947   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01948   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01949   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01950   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01951   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01952   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01953   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01954   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01955   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01956   444   NtQueryDefaultLocale  (1, 1232364, ... ) == 0x0
 01957   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 368, ) }, ... 368, ) == 0x0
 01958   444   NtEnumerateKey  (368, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (368, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01959   444   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 372, ) }, ... 372, ) == 0x0
 01960   444   NtQueryValueKey  (372,  (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (372, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01961   444   NtQueryValueKey  (372,  (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (372, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01962   444   NtClose  (372, ... ) == 0x0
 01963   444   NtEnumerateKey  (368, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01964   444   NtClose  (368, ... ) == 0x0
 01965   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01966   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01967   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01968   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01969   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01970   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01971   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01972   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01973   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01974   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01975   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01976   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01977   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01978   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01979   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01980   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 01981   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01982   444   NtClose  (368, ... ) == 0x0
 01983   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01984   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01985   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 01986   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01987   444   NtClose  (368, ... ) == 0x0
 01988   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01989   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01990   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 01991   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01992   444   NtClose  (368, ... ) == 0x0
 01993   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01995   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 01996   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01997   444   NtClose  (368, ... ) == 0x0
 01998   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01999   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02000   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02001   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02002   444   NtClose  (368, ... ) == 0x0
 02003   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02004   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02005   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02006   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02007   444   NtClose  (368, ... ) == 0x0
 02008   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02009   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02010   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02011   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02012   444   NtClose  (368, ... ) == 0x0
 02013   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02014   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02015   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02016   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02017   444   NtClose  (368, ... ) == 0x0
 02018   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02019   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02020   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02021   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02022   444   NtClose  (368, ... ) == 0x0
 02023   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02024   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02025   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02026   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02027   444   NtClose  (368, ... ) == 0x0
 02028   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02029   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02030   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02031   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02032   444   NtClose  (368, ... ) == 0x0
 02033   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02034   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02035   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02036   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02037   444   NtClose  (368, ... ) == 0x0
 02038   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02039   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02040   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02041   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02042   444   NtClose  (368, ... ) == 0x0
 02043   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02044   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02045   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02046   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02047   444   NtClose  (368, ... ) == 0x0
 02048   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02049   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02050   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02051   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02052   444   NtClose  (368, ... ) == 0x0
 02053   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02054   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0
 02055   444   NtQueryValueKey  (368,  (368, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (368, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (368, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02056   444   NtClose  (368, ... ) == 0x0
 02057   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02058   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 368, ) == 0x0
 02059   444   NtQueryInformationToken  (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02060   444   NtClose  (368, ... ) == 0x0
 02061   444   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02062   444   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02063   444   NtOpenProcessToken  (-1, 0xa, ... 368, ) == 0x0
 02064   444   NtDuplicateToken  (368, 0xc, {24, 0, 0x0, 0, 1232884, 0x0}, 0, 2, ... 372, ) == 0x0
 02065   444   NtClose  (368, ... ) == 0x0
 02066   444   NtAccessCheck  (1375600, 372, 0x1, 1233012, 1232956, 56, 1233040, ... (0x1), ) == 0x0
 02067   444   NtClose  (372, ... ) == 0x0
 02068   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 372, ) }, ... 372, ) == 0x0
 02069   444   NtQueryValueKey  (372,  (372, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (372, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02070   444   NtClose  (372, ... ) == 0x0
 02071   444   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 372, ) }, ... 372, ) == 0x0
 02072   444   NtQuerySymbolicLinkObject  (372, ...  (372, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02073   444   NtClose  (372, ... ) == 0x0
 02074   444   NtQueryInformationFile  (352, 1231344, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 02075   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02076   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02077   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe"}, 1230024, ... ) }, 1230024, ... ) == 0x0
 02078   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 02079   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1229384, 616, BothDirectory, 1,  (372, 0, 0, 0, 1229384, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02080   444   NtClose  (372, ... ) == 0x0
 02081   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 02082   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1229384, 616, BothDirectory, 1,  (372, 0, 0, 0, 1229384, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02083   444   NtClose  (372, ... ) == 0x0
 02084   444   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 372, {status=0x0, info=1}, ) }, 3, 16417, ... 372, {status=0x0, info=1}, ) == 0x0
 02085   444   NtQueryDirectoryFile  (372, 0, 0, 0, 1229384, 616, BothDirectory, 1,  (372, 0, 0, 0, 1229384, 616, BothDirectory, 1, "dwwin.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02086   444   NtClose  (372, ... ) == 0x0
 02087   444   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02088   444   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02089   444   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02090   444   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 02091   444   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02092   444   NtClose  (372, ... ) == 0x0
 02093   444   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 372, ) }, ... 372, ) == 0x0
 02094   444   NtOpenKey  (0x20019, {24, 372, 0x40, 0, 0,  (0x20019, {24, 372, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 368, ) }, ... 368, ) == 0x0
 02095   444   NtClose  (372, ... ) == 0x0
 02096   444   NtQueryValueKey  (368,  (368, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02097   444   NtQueryValueKey  (368,  (368, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (368, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 02098   444   NtClose  (368, ... ) == 0x0
 02099   444   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 39911424, 4096, ) == 0x0
 02100   444   NtAllocateVirtualMemory  (-1, 39911424, 0, 4096, 4096, 4, ... 39911424, 4096, ) == 0x0
 02101   444   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 368, ) }, ... 368, ) == 0x0
 02102   444   NtQueryValueKey  (368,  (368, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02103   444   NtClose  (368, ... ) == 0x0
 02104   444   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02105   444   NtQueryInformationToken  (364, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02106   444   NtQueryInformationToken  (364, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02107   444   NtClose  (364, ... ) == 0x0
 02108   444   NtCreateProcessEx  (1235620, 2035711, 0, -1, 4, 348, 0, 0, 0, ... ) == 0x0
 02109   444   NtSetInformationProcess  (364, PriorityClass, {process info, class 18, size 2}, 83886592, ... ) == 0x0
 02110   444   NtSetInformationProcess  (364, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02111   444   NtQueryInformationProcess  (364, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=916,ParentPid=436,}, 0x0, ) == 0x0
 02112   444   NtReadVirtualMemory  (364, 0x7ffdf008, 4, ...  (364, 0x7ffdf008, 4, ... "\0\0\00", 0x0, ) , 0x0, ) == 0x0
 02113   444   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\dwwin.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02114   444   NtReadVirtualMemory  (364, 0x30000000, 4096, ...  (364, 0x30000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\270\277\220\252\374\336\376\371\374\336\376\371\374\336\376\371\24\301\365\371\375\336\376\371\177\302\360\371\365\336\376\371\24\301\364\371\325\336\376\371\252\301\355\371\364\336\376\371\202\374\342\371\373\336\376\371\14\301\365\371\354\336\376\371\374\336\376\371\343\337\376\371Rich\374\336\376\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0_\245\35;\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\24\00\2\0\0\220\0\0\0\0\0\0jr\0\0\0\20\0\0\0p\3\0\0\0\00\0\20\0\0\0\20\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\320\2\0\0\20\0\0\15"\3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 4096, ) \3\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31%\2\0:\1\0\0\0\300\2\0\200\12\0\0\0\0\0\0\0\0\0\0\0`\2\0P\31\0\0\0\0\0\0\0\0\0\0Z8\2\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\204\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\222(\2\0\0\20\0\0\00\2\0", 4096, ) == 0x0
 02115   444   NtReadVirtualMemory  (364, 0x3002c000, 256, ...  (364, 0x3002c000, 256, ... "\0\0\0\0Z\245\35;\0\0\0\0\0\0\3\0\5\0\0\0(\0\0\200\13\0\0\0@\0\0\200\20\0\0\0X\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0e\0\0\0p\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\1\0\0\0\210\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\1\0\0\0\240\0\0\200\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\270\0\0\0\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\310\0\0\0\0\0\0\0Z\245\35;\0\0\0\0\0\0\1\0\11\4\0\0\330\0\0\0\360\300\2\0\26\3\0\0\0\0\0\0\0\0\0\0\10\304\2\0\210\1\0\0\0\0\0\0\0\0\0\0\220\305\2\0\360\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\310\200\0\0\0\0\14\0\0\0\0\0f\1", 256, ) , 256, ) == 0x0
 02116   444   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02117   444   NtQueryInformationProcess  (364, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=916,ParentPid=436,}, 0x0, ) == 0x0
 02118   444   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1233684, ... ) }, 1233684, ... ) == 0x0
 02119   444   NtAllocateVirtualMemory  (-1, 0, 0, 1668, 4096, 4, ... 39976960, 4096, ) == 0x0
 02120   444   NtAllocateVirtualMemory  (364, 0, 0, 1942, 4096, 4, ... 65536, 4096, ) == 0x0
 02121   444   NtWriteVirtualMemory  (364, 0x10000,  (364, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1942, ... 0x0, ) , 1942, ... 0x0, ) == 0x0
 02122   444   NtAllocateVirtualMemory  (364, 0, 0, 1668, 4096, 4, ... 131072, 4096, ) == 0x0
 02123   444   NtWriteVirtualMemory  (364, 0x20000,  (364, 0x20000, "\0\20\0\0\204\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0&\0\10\2\220\2\0\0\16\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0N\0P\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\0<\0$\6\0\0\36\0 \0`\6\0\0\0\0\2\0\200\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1668, ... 0x0, ) , 1668, ... 0x0, ) == 0x0
 02124   444   NtWriteVirtualMemory  (364, 0x7ffdf010,  (364, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02125   444   NtWriteVirtualMemory  (364, 0x7ffdf1e8,  (364, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02126   444   NtFreeVirtualMemory  (-1, (0x2620000), 0, 32768, ... (0x2620000), 4096, ) == 0x0
 02127   444   NtAllocateVirtualMemory  (364, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02128   444   NtAllocateVirtualMemory  (364, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 02129   444   NtProtectVirtualMemory  (364, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 02130   444   NtCreateThread  (0x1f03ff, 0x0, 364, 1233884, 1234604, 1, ... 368, {916, 920}, ) == 0x0
 02131   444   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 6684672, 875836265, 100, 0}  (24, {168, 196, new_msg, 0, 6684672, 875836265, 100, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0o\1\0\0p\1\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\316'\365w" ... {168, 196, reply, 0, 436, 444, 1526, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0l\1\0\0p\1\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\316'\365w" )  ... {168, 196, reply, 0, 436, 444, 1526, 0}  (24, {168, 196, new_msg, 0, 6684672, 875836265, 100, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0o\1\0\0p\1\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\316'\365w" ... {168, 196, reply, 0, 436, 444, 1526, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0l\1\0\0p\1\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\316'\365w" )  ) == 0x0
 02132   444   NtResumeThread  (368, ... 1, ) == 0x0
 02133   444   NtClose  (352, ... ) == 0x0
 02134   444   NtClose  (348, ... ) == 0x0
 02135   444   NtClose  (368, ... ) == 0x0
 02136   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ... ) == 0x0
 02137   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02138   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ... ) == 0x0
 02139   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02140   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 00914   744   NtDelayExecution  ... ) == 0x0
 02141   744   NtDelayExecution  (0, {-20010000, -1}, ...
 01139   588   NtDelayExecution  ... ) == 0x0
 02142   588   NtDelayExecution  (0, {-20010000, -1}, ...
 01140   580   NtDelayExecution  ... ) == 0x0
 02143   580   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 368, ) == 0x0
 02144   580   NtCallbackReturn  (0, 0, 0, ...
 02145   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 01141   584   NtDelayExecution  ... ) == 0x0
 01142   576   NtDelayExecution  ... ) == 0x0
 01143   596   NtDelayExecution  ... ) == 0x0
 01144   636   NtDelayExecution  ... ) == 0x0
 01145   732   NtDelayExecution  ... ) == 0x0
 02146   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02147   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02148   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02149   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02150   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02151   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02152   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02153   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02141   744   NtDelayExecution  ... ) == 0x0
 02154   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02142   588   NtDelayExecution  ... ) == 0x0
 02155   588   NtDelayExecution  (0, {-20010000, -1}, ...
 01357   912   NtDelayExecution  ... ) == 0x0
 02156   912   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02157   912   NtCallbackReturn  (0, 0, 0, ...
 02158   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02159   912   NtDelayExecution  (0, {-3000000, -1}, ...
 02146   584   NtDelayExecution  ... ) == 0x0
 02160   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02147   576   NtDelayExecution  ... ) == 0x0
 02161   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02148   596   NtDelayExecution  ... ) == 0x0
 02162   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02149   636   NtDelayExecution  ... ) == 0x0
 02163   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02150   732   NtDelayExecution  ... ) == 0x0
 02164   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02153   580   NtDelayExecution  ... ) == 0x0
 02165   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02166   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02167   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02168   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02159   912   NtDelayExecution  ... ) == 0x0
 02169   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02170   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02171   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02172   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02154   744   NtDelayExecution  ... ) == 0x0
 02173   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02155   588   NtDelayExecution  ... ) == 0x0
 02174   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02160   584   NtDelayExecution  ... ) == 0x0
 02175   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02161   576   NtDelayExecution  ... ) == 0x0
 02176   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02162   596   NtDelayExecution  ... ) == 0x0
 02177   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02163   636   NtDelayExecution  ... ) == 0x0
 02178   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02164   732   NtDelayExecution  ... ) == 0x0
 02179   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02168   580   NtDelayExecution  ... ) == 0x0
 02180   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02181   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02182   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02183   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02140   444   NtWaitForMultipleObjects  ... ) == 0x0
 02184   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02185   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02173   744   NtDelayExecution  ... ) == 0x0
 02186   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02174   588   NtDelayExecution  ... ) == 0x0
 02187   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02175   584   NtDelayExecution  ... ) == 0x0
 02188   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02176   576   NtDelayExecution  ... ) == 0x0
 02189   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02177   596   NtDelayExecution  ... ) == 0x0
 02190   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02178   636   NtDelayExecution  ... ) == 0x0
 02191   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02179   732   NtDelayExecution  ... ) == 0x0
 02192   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02183   580   NtDelayExecution  ... ) == 0x0
 02193   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02194   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02195   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02196   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02172   912   NtDelayExecution  ... ) == 0x0
 02197   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02198   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02199   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02200   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02201   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02202   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02186   744   NtDelayExecution  ... ) == 0x0
 02203   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02187   588   NtDelayExecution  ... ) == 0x0
 02204   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02188   584   NtDelayExecution  ... ) == 0x0
 02205   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02189   576   NtDelayExecution  ... ) == 0x0
 02206   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02190   596   NtDelayExecution  ... ) == 0x0
 02207   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02191   636   NtDelayExecution  ... ) == 0x0
 02208   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02192   732   NtDelayExecution  ... ) == 0x0
 02209   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02196   580   NtDelayExecution  ... ) == 0x0
 02210   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02211   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02212   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02213   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02203   744   NtDelayExecution  ... ) == 0x0
 02214   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02204   588   NtDelayExecution  ... ) == 0x0
 02215   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02205   584   NtDelayExecution  ... ) == 0x0
 02216   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02206   576   NtDelayExecution  ... ) == 0x0
 02217   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02207   596   NtDelayExecution  ... ) == 0x0
 02218   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02208   636   NtDelayExecution  ... ) == 0x0
 02219   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02209   732   NtDelayExecution  ... ) == 0x0
 02220   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02213   580   NtDelayExecution  ... ) == 0x0
 02221   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02222   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02223   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02224   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02202   912   NtDelayExecution  ... ) == 0x0
 02225   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02226   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02185   444   NtWaitForMultipleObjects  ... ) == 0x0
 02227   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02228   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02229   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02230   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02231   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02232   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02214   744   NtDelayExecution  ... ) == 0x0
 02233   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02215   588   NtDelayExecution  ... ) == 0x0
 02234   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02216   584   NtDelayExecution  ... ) == 0x0
 02235   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02217   576   NtDelayExecution  ... ) == 0x0
 02236   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02218   596   NtDelayExecution  ... ) == 0x0
 02237   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02219   636   NtDelayExecution  ... ) == 0x0
 02238   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02220   732   NtDelayExecution  ... ) == 0x0
 02239   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02224   580   NtDelayExecution  ... ) == 0x0
 02240   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02241   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02242   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02243   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02233   744   NtDelayExecution  ... ) == 0x0
 02244   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02234   588   NtDelayExecution  ... ) == 0x0
 02245   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02235   584   NtDelayExecution  ... ) == 0x0
 02246   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02236   576   NtDelayExecution  ... ) == 0x0
 02247   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02237   596   NtDelayExecution  ... ) == 0x0
 02248   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02238   636   NtDelayExecution  ... ) == 0x0
 02249   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02239   732   NtDelayExecution  ... ) == 0x0
 02250   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02243   580   NtDelayExecution  ... ) == 0x0
 02251   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02252   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02253   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02254   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02232   912   NtDelayExecution  ... ) == 0x0
 02255   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02256   912   NtDelayExecution  (0, {-3000000, -1}, ...
 02244   744   NtDelayExecution  ... ) == 0x0
 02257   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02245   588   NtDelayExecution  ... ) == 0x0
 02258   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02246   584   NtDelayExecution  ... ) == 0x0
 02259   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02247   576   NtDelayExecution  ... ) == 0x0
 02260   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02248   596   NtDelayExecution  ... ) == 0x0
 02261   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02249   636   NtDelayExecution  ... ) == 0x0
 02262   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02250   732   NtDelayExecution  ... ) == 0x0
 02263   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02254   580   NtDelayExecution  ... ) == 0x0
 02264   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02265   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02266   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02267   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02256   912   NtDelayExecution  ... ) == 0x0
 02268   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02269   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02270   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02271   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02257   744   NtDelayExecution  ... ) == 0x0
 02272   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02258   588   NtDelayExecution  ... ) == 0x0
 02273   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02259   584   NtDelayExecution  ... ) == 0x0
 02274   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02260   576   NtDelayExecution  ... ) == 0x0
 02275   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02261   596   NtDelayExecution  ... ) == 0x0
 02276   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02262   636   NtDelayExecution  ... ) == 0x0
 02277   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02263   732   NtDelayExecution  ... ) == 0x0
 02278   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02267   580   NtDelayExecution  ... ) == 0x0
 02279   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02280   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02281   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02282   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02228   444   NtWaitForMultipleObjects  ... ) == 0x0
 02283   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02284   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02272   744   NtDelayExecution  ... ) == 0x0
 02285   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02273   588   NtDelayExecution  ... ) == 0x0
 02286   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02274   584   NtDelayExecution  ... ) == 0x0
 02287   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02275   576   NtDelayExecution  ... ) == 0x0
 02288   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02276   596   NtDelayExecution  ... ) == 0x0
 02289   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02277   636   NtDelayExecution  ... ) == 0x0
 02290   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02278   732   NtDelayExecution  ... ) == 0x0
 02291   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02282   580   NtDelayExecution  ... ) == 0x0
 02292   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02293   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02294   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02295   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02271   912   NtDelayExecution  ... ) == 0x0
 02296   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02297   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02298   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02299   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02300   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02301   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02285   744   NtDelayExecution  ... ) == 0x0
 02302   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02286   588   NtDelayExecution  ... ) == 0x0
 02303   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02287   584   NtDelayExecution  ... ) == 0x0
 02304   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02288   576   NtDelayExecution  ... ) == 0x0
 02305   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02289   596   NtDelayExecution  ... ) == 0x0
 02306   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02290   636   NtDelayExecution  ... ) == 0x0
 02307   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02291   732   NtDelayExecution  ... ) == 0x0
 02308   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02295   580   NtDelayExecution  ... ) == 0x0
 02309   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02310   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02311   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02312   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02302   744   NtDelayExecution  ... ) == 0x0
 02313   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02303   588   NtDelayExecution  ... ) == 0x0
 02314   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02304   584   NtDelayExecution  ... ) == 0x0
 02315   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02305   576   NtDelayExecution  ... ) == 0x0
 02316   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02306   596   NtDelayExecution  ... ) == 0x0
 02317   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02307   636   NtDelayExecution  ... ) == 0x0
 02318   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02308   732   NtDelayExecution  ... ) == 0x0
 02319   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02312   580   NtDelayExecution  ... ) == 0x0
 02320   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02321   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02322   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02323   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02284   444   NtWaitForMultipleObjects  ... ) == 0x0
 02324   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02325   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02301   912   NtDelayExecution  ... ) == 0x0
 02326   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02327   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02328   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02329   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02330   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02331   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02313   744   NtDelayExecution  ... ) == 0x0
 02332   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02314   588   NtDelayExecution  ... ) == 0x0
 02333   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02315   584   NtDelayExecution  ... ) == 0x0
 02334   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02316   576   NtDelayExecution  ... ) == 0x0
 02335   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02317   596   NtDelayExecution  ... ) == 0x0
 02336   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02318   636   NtDelayExecution  ... ) == 0x0
 02337   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02319   732   NtDelayExecution  ... ) == 0x0
 02338   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02323   580   NtDelayExecution  ... ) == 0x0
 02339   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02340   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02341   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02342   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02332   744   NtDelayExecution  ... ) == 0x0
 02343   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02333   588   NtDelayExecution  ... ) == 0x0
 02344   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02334   584   NtDelayExecution  ... ) == 0x0
 02345   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02335   576   NtDelayExecution  ... ) == 0x0
 02346   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02336   596   NtDelayExecution  ... ) == 0x0
 02347   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02337   636   NtDelayExecution  ... ) == 0x0
 02348   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02338   732   NtDelayExecution  ... ) == 0x0
 02349   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02342   580   NtDelayExecution  ... ) == 0x0
 02350   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02351   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02352   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02353   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02331   912   NtDelayExecution  ... ) == 0x0
 02354   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02355   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02356   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02357   912   NtDelayExecution  (0, {-3000000, -1}, ...
 02343   744   NtDelayExecution  ... ) == 0x0
 02358   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02344   588   NtDelayExecution  ... ) == 0x0
 02359   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02345   584   NtDelayExecution  ... ) == 0x0
 02360   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02346   576   NtDelayExecution  ... ) == 0x0
 02361   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02347   596   NtDelayExecution  ... ) == 0x0
 02362   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02348   636   NtDelayExecution  ... ) == 0x0
 02363   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02349   732   NtDelayExecution  ... ) == 0x0
 02364   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02353   580   NtDelayExecution  ... ) == 0x0
 02365   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02366   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02367   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02368   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02357   912   NtDelayExecution  ... ) == 0x0
 02369   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02370   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02325   444   NtWaitForMultipleObjects  ... ) == 0x0
 02371   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02372   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02358   744   NtDelayExecution  ... ) == 0x0
 02373   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02359   588   NtDelayExecution  ... ) == 0x0
 02374   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02360   584   NtDelayExecution  ... ) == 0x0
 02375   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02361   576   NtDelayExecution  ... ) == 0x0
 02376   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02362   596   NtDelayExecution  ... ) == 0x0
 02377   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02363   636   NtDelayExecution  ... ) == 0x0
 02378   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02364   732   NtDelayExecution  ... ) == 0x0
 02379   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02368   580   NtDelayExecution  ... ) == 0x0
 02380   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02381   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02382   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02383   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02373   744   NtDelayExecution  ... ) == 0x0
 02384   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02374   588   NtDelayExecution  ... ) == 0x0
 02385   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02375   584   NtDelayExecution  ... ) == 0x0
 02386   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02376   576   NtDelayExecution  ... ) == 0x0
 02387   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02377   596   NtDelayExecution  ... ) == 0x0
 02388   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02378   636   NtDelayExecution  ... ) == 0x0
 02389   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02379   732   NtDelayExecution  ... ) == 0x0
 02390   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02383   580   NtDelayExecution  ... ) == 0x0
 02391   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02392   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02393   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02394   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02370   912   NtDelayExecution  ... ) == 0x0
 02395   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02396   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02397   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02398   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02399   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02400   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02384   744   NtDelayExecution  ... ) == 0x0
 02401   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02385   588   NtDelayExecution  ... ) == 0x0
 02402   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02386   584   NtDelayExecution  ... ) == 0x0
 02403   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02387   576   NtDelayExecution  ... ) == 0x0
 02404   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02388   596   NtDelayExecution  ... ) == 0x0
 02405   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02389   636   NtDelayExecution  ... ) == 0x0
 02406   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02390   732   NtDelayExecution  ... ) == 0x0
 02407   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02394   580   NtDelayExecution  ... ) == 0x0
 02408   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02409   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02410   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02411   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02372   444   NtWaitForMultipleObjects  ... ) == 0x0
 02412   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02413   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02401   744   NtDelayExecution  ... ) == 0x0
 02414   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02402   588   NtDelayExecution  ... ) == 0x0
 02415   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02403   584   NtDelayExecution  ... ) == 0x0
 02416   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02404   576   NtDelayExecution  ... ) == 0x0
 02417   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02405   596   NtDelayExecution  ... ) == 0x0
 02418   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02406   636   NtDelayExecution  ... ) == 0x0
 02419   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02407   732   NtDelayExecution  ... ) == 0x0
 02420   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02411   580   NtDelayExecution  ... ) == 0x0
 02421   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02422   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02423   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02424   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02400   912   NtDelayExecution  ... ) == 0x0
 02425   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02426   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02427   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02428   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02429   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02430   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02414   744   NtDelayExecution  ... ) == 0x0
 02431   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02415   588   NtDelayExecution  ... ) == 0x0
 02432   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02416   584   NtDelayExecution  ... ) == 0x0
 02433   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02417   576   NtDelayExecution  ... ) == 0x0
 02434   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02418   596   NtDelayExecution  ... ) == 0x0
 02435   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02419   636   NtDelayExecution  ... ) == 0x0
 02436   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02420   732   NtDelayExecution  ... ) == 0x0
 02437   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02424   580   NtDelayExecution  ... ) == 0x0
 02438   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02439   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02440   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02441   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02431   744   NtDelayExecution  ... ) == 0x0
 02442   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02432   588   NtDelayExecution  ... ) == 0x0
 02443   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02433   584   NtDelayExecution  ... ) == 0x0
 02444   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02434   576   NtDelayExecution  ... ) == 0x0
 02445   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02435   596   NtDelayExecution  ... ) == 0x0
 02446   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02436   636   NtDelayExecution  ... ) == 0x0
 02447   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02437   732   NtDelayExecution  ... ) == 0x0
 02448   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02441   580   NtDelayExecution  ... ) == 0x0
 02449   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02450   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02451   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02452   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02430   912   NtDelayExecution  ... ) == 0x0
 02453   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02454   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02455   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02456   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02457   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02458   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02442   744   NtDelayExecution  ... ) == 0x0
 02459   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02443   588   NtDelayExecution  ... ) == 0x0
 02460   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02444   584   NtDelayExecution  ... ) == 0x0
 02461   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02445   576   NtDelayExecution  ... ) == 0x0
 02462   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02446   596   NtDelayExecution  ... ) == 0x0
 02463   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02447   636   NtDelayExecution  ... ) == 0x0
 02464   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02448   732   NtDelayExecution  ... ) == 0x0
 02465   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02452   580   NtDelayExecution  ... ) == 0x0
 02466   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02467   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02468   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02469   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02413   444   NtWaitForMultipleObjects  ... ) == 0x0
 02470   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02471   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02459   744   NtDelayExecution  ... ) == 0x0
 02472   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02460   588   NtDelayExecution  ... ) == 0x0
 02473   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02461   584   NtDelayExecution  ... ) == 0x0
 02474   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02462   576   NtDelayExecution  ... ) == 0x0
 02475   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02463   596   NtDelayExecution  ... ) == 0x0
 02476   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02464   636   NtDelayExecution  ... ) == 0x0
 02477   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02465   732   NtDelayExecution  ... ) == 0x0
 02478   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02469   580   NtDelayExecution  ... ) == 0x0
 02479   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02480   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02481   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02482   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02458   912   NtDelayExecution  ... ) == 0x0
 02483   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02484   912   NtDelayExecution  (0, {-3000000, -1}, ...
 02472   744   NtDelayExecution  ... ) == 0x0
 02485   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02473   588   NtDelayExecution  ... ) == 0x0
 02486   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02474   584   NtDelayExecution  ... ) == 0x0
 02487   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02475   576   NtDelayExecution  ... ) == 0x0
 02488   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02476   596   NtDelayExecution  ... ) == 0x0
 02489   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02477   636   NtDelayExecution  ... ) == 0x0
 02490   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02478   732   NtDelayExecution  ... ) == 0x0
 02491   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02482   580   NtDelayExecution  ... ) == 0x0
 02492   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02493   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02494   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02495   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02484   912   NtDelayExecution  ... ) == 0x0
 02496   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02497   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02498   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02499   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02485   744   NtDelayExecution  ... ) == 0x0
 02500   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02486   588   NtDelayExecution  ... ) == 0x0
 02501   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02487   584   NtDelayExecution  ... ) == 0x0
 02502   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02488   576   NtDelayExecution  ... ) == 0x0
 02503   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02489   596   NtDelayExecution  ... ) == 0x0
 02504   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02490   636   NtDelayExecution  ... ) == 0x0
 02505   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02491   732   NtDelayExecution  ... ) == 0x0
 02506   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02495   580   NtDelayExecution  ... ) == 0x0
 02507   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02508   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02509   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02510   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02471   444   NtWaitForMultipleObjects  ... ) == 0x0
 02511   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02512   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02500   744   NtDelayExecution  ... ) == 0x0
 02513   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02501   588   NtDelayExecution  ... ) == 0x0
 02514   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02502   584   NtDelayExecution  ... ) == 0x0
 02515   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02503   576   NtDelayExecution  ... ) == 0x0
 02516   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02504   596   NtDelayExecution  ... ) == 0x0
 02517   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02505   636   NtDelayExecution  ... ) == 0x0
 02518   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02506   732   NtDelayExecution  ... ) == 0x0
 02519   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02510   580   NtDelayExecution  ... ) == 0x0
 02520   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02521   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02522   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02523   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02499   912   NtDelayExecution  ... ) == 0x0
 02524   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02525   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02526   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02527   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02528   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02529   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02513   744   NtDelayExecution  ... ) == 0x0
 02530   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02514   588   NtDelayExecution  ... ) == 0x0
 02531   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02515   584   NtDelayExecution  ... ) == 0x0
 02532   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02516   576   NtDelayExecution  ... ) == 0x0
 02533   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02517   596   NtDelayExecution  ... ) == 0x0
 02534   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02518   636   NtDelayExecution  ... ) == 0x0
 02535   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02519   732   NtDelayExecution  ... ) == 0x0
 02536   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02523   580   NtDelayExecution  ... ) == 0x0
 02537   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02538   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02539   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02540   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02530   744   NtDelayExecution  ... ) == 0x0
 02541   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02531   588   NtDelayExecution  ... ) == 0x0
 02542   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02532   584   NtDelayExecution  ... ) == 0x0
 02543   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02533   576   NtDelayExecution  ... ) == 0x0
 02544   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02534   596   NtDelayExecution  ... ) == 0x0
 02545   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02535   636   NtDelayExecution  ... ) == 0x0
 02546   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02536   732   NtDelayExecution  ... ) == 0x0
 02547   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02540   580   NtDelayExecution  ... ) == 0x0
 02548   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02549   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02550   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02551   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02529   912   NtDelayExecution  ... ) == 0x0
 02552   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02553   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02554   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02555   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02556   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02557   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02512   444   NtWaitForMultipleObjects  ... ) == 0x0
 02558   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02559   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02541   744   NtDelayExecution  ... ) == 0x0
 02560   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02542   588   NtDelayExecution  ... ) == 0x0
 02561   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02543   584   NtDelayExecution  ... ) == 0x0
 02562   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02544   576   NtDelayExecution  ... ) == 0x0
 02563   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02545   596   NtDelayExecution  ... ) == 0x0
 02564   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02546   636   NtDelayExecution  ... ) == 0x0
 02565   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02547   732   NtDelayExecution  ... ) == 0x0
 02566   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02551   580   NtDelayExecution  ... ) == 0x0
 02567   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02568   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02569   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02570   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02560   744   NtDelayExecution  ... ) == 0x0
 02571   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02561   588   NtDelayExecution  ... ) == 0x0
 02572   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02562   584   NtDelayExecution  ... ) == 0x0
 02573   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02563   576   NtDelayExecution  ... ) == 0x0
 02574   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02564   596   NtDelayExecution  ... ) == 0x0
 02575   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02565   636   NtDelayExecution  ... ) == 0x0
 02576   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02566   732   NtDelayExecution  ... ) == 0x0
 02577   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02570   580   NtDelayExecution  ... ) == 0x0
 02578   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02579   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02580   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02581   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02557   912   NtDelayExecution  ... ) == 0x0
 02582   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02583   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02584   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02585   912   NtDelayExecution  (0, {-3000000, -1}, ...
 02571   744   NtDelayExecution  ... ) == 0x0
 02586   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02572   588   NtDelayExecution  ... ) == 0x0
 02587   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02573   584   NtDelayExecution  ... ) == 0x0
 02588   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02574   576   NtDelayExecution  ... ) == 0x0
 02589   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02575   596   NtDelayExecution  ... ) == 0x0
 02590   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02576   636   NtDelayExecution  ... ) == 0x0
 02591   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02577   732   NtDelayExecution  ... ) == 0x0
 02592   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02581   580   NtDelayExecution  ... ) == 0x0
 02593   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02594   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02595   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02596   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02585   912   NtDelayExecution  ... ) == 0x0
 02597   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02598   912   NtDelayExecution  (0, {-40000000, -1}, ...
 02586   744   NtDelayExecution  ... ) == 0x0
 02599   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02587   588   NtDelayExecution  ... ) == 0x0
 02600   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02588   584   NtDelayExecution  ... ) == 0x0
 02601   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02589   576   NtDelayExecution  ... ) == 0x0
 02602   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02590   596   NtDelayExecution  ... ) == 0x0
 02603   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02591   636   NtDelayExecution  ... ) == 0x0
 02604   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02592   732   NtDelayExecution  ... ) == 0x0
 02605   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02596   580   NtDelayExecution  ... ) == 0x0
 02606   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02607   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02608   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02609   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02559   444   NtWaitForMultipleObjects  ... ) == 0x0
 02610   444   NtWaitForSingleObject  (328, 0, {0, 0}, ... ) == 0x102
 02611   444   NtWaitForMultipleObjects  (2, (336, 364, ), 1, 0, {-1200000000, -1}, ...
 02599   744   NtDelayExecution  ... ) == 0x0
 02612   744   NtDelayExecution  (0, {-20010000, -1}, ...
 02600   588   NtDelayExecution  ... ) == 0x0
 02613   588   NtDelayExecution  (0, {-20010000, -1}, ...
 02601   584   NtDelayExecution  ... ) == 0x0
 02614   584   NtDelayExecution  (0, {-20010000, -1}, ...
 02602   576   NtDelayExecution  ... ) == 0x0
 02615   576   NtDelayExecution  (0, {-20010000, -1}, ...
 02603   596   NtDelayExecution  ... ) == 0x0
 02616   596   NtDelayExecution  (0, {-20010000, -1}, ...
 02604   636   NtDelayExecution  ... ) == 0x0
 02617   636   NtDelayExecution  (0, {-20010000, -1}, ...
 02605   732   NtDelayExecution  ... ) == 0x0
 02618   732   NtDelayExecution  (0, {-20010000, -1}, ...
 02609   580   NtDelayExecution  ... ) == 0x0
 02619   580   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02620   580   NtUserFindWindowEx  (0, 0,  (0, 0, "GBDYLLO", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02621   580   NtUserFindWindowEx  (0, 0,  (0, 0, "pediy06", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02622   580   NtDelayExecution  (0, {-20010000, -1}, ...
 02598   912   NtDelayExecution  ... ) == 0x0
 02623   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Regmonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02624   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02625   912   NtUserFindWindowEx  (0, 0,  (0, 0, "18467-41", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02626   912   NtDelayExecution  (0, {-3000000, -1}, ... ) == 0x0
 02627   912   NtUserFindWindowEx  (0, 0,  (0, 0, "Filemonclass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 02628   912   NtDelayExecution  (0, {-40000000, -1}, ...