Summary:


NtAddAtom(>)  1 
NtUserCallOneParam(>)  1 
NtSetInformationObject(>)  3 
NtQueryInformationProcess(>)  13 

NtAdjustPrivilegesToken(>)  1 
NtUserGetDC(>)  1 
NtSetValueKey(>)  3 
NtUnmapViewOfSection(>)  13 

NtCallbackReturn(>)  1 
NtUserGetThreadDesktop(>)  1 
NtFsControlFile(>)  4 
NtCreateSection(>)  16 

NtContinue(>)  1 
NtAccessCheck(>)  2 
NtOpenThreadToken(>)  4 
NtQuerySystemInformation(>)  18 

NtCreateMutant(>)  1 
NtCreateIoCompletion(>)  2 
NtWriteVirtualMemory(>)  4 
NtReadFile(>)  19 

NtCreateProcessEx(>)  1 
NtEnumerateKey(>)  2 
NtCreateKey(>)  5 
NtWriteFile(>)  21 

NtCreateThread(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenSection(>)  22 

NtDelayExecution(>)  1 
NtOpenDirectoryObject(>)  2 
NtOpenProcessToken(>)  6 
NtQueryAttributesFile(>)  22 

NtDuplicateToken(>)  1 
NtOpenEvent(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtOpenProcessTokenEx(>)  24 

NtEnumerateValueKey(>)  1 
NtOpenMutant(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtOpenThreadTokenEx(>)  24 

NtGdiCreateBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtSetInformationProcess(>)  6 
NtProtectVirtualMemory(>)  27 

NtGdiInit(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserSystemParametersInfo(>)  6 
NtUserUnregisterClass(>)  27 

NtGdiQueryFontAssocInfo(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtQuerySection(>)  7 
NtUserGetClassInfo(>)  28 

NtGdiSelectBitmap(>)  1 
NtQueryVirtualMemory(>)  2 
NtSetInformationThread(>)  7 
NtOpenFile(>)  29 

NtOpenKeyedEvent(>)  1 
NtReadVirtualMemory(>)  2 
NtCreateEvent(>)  8 
NtQueryInformationToken(>)  30 

NtQueryInformationJobObject(>)  1 
NtReleaseMutant(>)  2 
NtRequestWaitReplyPort(>)  8 
NtMapViewOfSection(>)  33 

NtQueryObject(>)  1 
NtTerminateProcess(>)  2 
NtSetInformationFile(>)  9 
NtUserFindExistingCursorIcon(>)  33 

NtQuerySystemTime(>)  1 
NtUserRegisterWindowMessage(>)  2 
NtQueryDebugFilterState(>)  10 
NtAllocateVirtualMemory(>)  35 

NtRegisterThreadTerminatePort(>)  1 
NtUserWaitForInputIdle(>)  2 
NtQueryDirectoryFile(>)  10 
NtUserRegisterClassExWOW(>)  43 

NtResumeThread(>)  1 
NtWaitForSingleObject(>)  2 
NtCreateFile(>)  11 
NtQueryValueKey(>)  48 

NtSecureConnectPort(>)  1 
NtDuplicateObject(>)  3 
NtFlushInstructionCache(>)  13 
NtOpenKey(>)  105 

NtTestAlert(>)  1 
NtFreeVirtualMemory(>)  3 
NtQueryDefaultLocale(>)  13 
NtClose(>)  154 

NtUserCallNoParam(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryInformationFile(>)  13 

Trace:
 00001   448   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   448   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   448   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   448   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   448   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   448   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   448   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   448   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   448   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   448   NtClose  (12, ... ) == 0x0
 00014   448   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   448   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   448   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   448   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   448   NtClose  (16, ... ) == 0x0
 00021   448   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   448   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   448   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18350080}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18350080}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   448   NtClose  (16, ... ) == 0x0
 00026   448   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   448   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   448   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   448   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" ... {28, 56, reply, 0, 436, 448, 1511, 0} "0\32\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" )  ... {28, 56, reply, 0, 436, 448, 1511, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" ... {28, 56, reply, 0, 436, 448, 1511, 0} "0\32\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\30\1\4\0\0\0" )  ) == 0x0
 00032   448   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   448   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   448   NtClose  (16, ... ) == 0x0
 00036   448   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   448   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   448   NtClose  (28, ... ) == 0x0
 00041   448   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   448   NtClose  (28, ... ) == 0x0
 00045   448   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   448   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   448   NtClose  (28, ... ) == 0x0
 00049   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   448   NtClose  (28, ... ) == 0x0
 00052   448   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" ... {28, 56, reply, 0, 436, 448, 1515, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" )  ... {28, 56, reply, 0, 436, 448, 1515, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\30\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" ... {28, 56, reply, 0, 436, 448, 1515, 0} "\10\240\30\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\30\18\6\0\0" )  ) == 0x0
 00056   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 4, ... (0x31009000), 8192, 128, ) == 0x0
 00057   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 128, ... (0x31009000), 8192, 4, ) == 0x0
 00058   448   NtFlushInstructionCache  (-1, 822120448, 8192, ... ) == 0x0
 00059   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   448   NtClose  (28, ... ) == 0x0
 00062   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   448   NtClose  (28, ... ) == 0x0
 00065   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 4, ... (0x31009000), 8192, 64, ) == 0x0
 00066   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 64, ... (0x31009000), 8192, 4, ) == 0x0
 00067   448   NtFlushInstructionCache  (-1, 822120448, 8192, ... ) == 0x0
 00068   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   448   NtClose  (28, ... ) == 0x0
 00071   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 4, ... (0x31009000), 8192, 64, ) == 0x0
 00072   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 64, ... (0x31009000), 8192, 4, ) == 0x0
 00073   448   NtFlushInstructionCache  (-1, 822120448, 8192, ... ) == 0x0
 00074   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   448   NtClose  (28, ... ) == 0x0
 00077   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   448   NtClose  (28, ... ) == 0x0
 00080   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 4, ... (0x31009000), 8192, 64, ) == 0x0
 00081   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 64, ... (0x31009000), 8192, 4, ) == 0x0
 00082   448   NtFlushInstructionCache  (-1, 822120448, 8192, ... ) == 0x0
 00083   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   448   NtClose  (28, ... ) == 0x0
 00086   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   448   NtClose  (28, ... ) == 0x0
 00089   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   448   NtClose  (28, ... ) == 0x0
 00092   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   448   NtClose  (28, ... ) == 0x0
 00095   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   448   NtClose  (28, ... ) == 0x0
 00098   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   448   NtClose  (28, ... ) == 0x0
 00101   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 4, ... (0x31009000), 8192, 64, ) == 0x0
 00102   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 64, ... (0x31009000), 8192, 4, ) == 0x0
 00103   448   NtFlushInstructionCache  (-1, 822120448, 8192, ... ) == 0x0
 00104   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   448   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00106   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00109   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   448   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   448   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   448   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   448   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   448   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   448   NtClose  (40, ... ) == 0x0
 00118   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   448   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   448   NtClose  (40, ... ) == 0x0
 00122   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   448   NtClose  (36, ... ) == 0x0
 00124   448   NtClose  (28, ... ) == 0x0
 00125   448   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   448   NtClose  (32, ... ) == 0x0
 00127   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   448   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00131   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   448   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   448   NtClose  (32, ... ) == 0x0
 00135   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   448   NtClose  (28, ... ) == 0x0
 00137   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 4, ... (0x31009000), 8192, 64, ) == 0x0
 00138   448   NtProtectVirtualMemory  (-1, (0x31009000), 8192, 64, ... (0x31009000), 8192, 4, ) == 0x0
 00139   448   NtFlushInstructionCache  (-1, 822120448, 8192, ... ) == 0x0
 00140   448   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   448   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   448   NtClose  (28, ... ) == 0x0
 00143   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   448   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   448   NtClose  (28, ... ) == 0x0
 00146   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   448   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   448   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   448   NtClose  (28, ... ) == 0x0
 00150   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   448   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   448   NtClose  (28, ... ) == 0x0
 00153   448   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   448   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00158   448   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00159   448   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00160   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   448   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00162   448   NtClose  (32, ... ) == 0x0
 00163   448   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00164   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\30\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\30\1$\1\0\0" ... {28, 56, reply, 0, 436, 448, 1525, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\30\1$\1\0\0" )  ... {28, 56, reply, 0, 436, 448, 1525, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\30\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\30\1$\1\0\0" ... {28, 56, reply, 0, 436, 448, 1525, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\30\1$\1\0\0" )  ) == 0x0
 00166   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   448   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0
 00168   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   448   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   448   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482036, ) == 0x0
 00171   448   NtQueryInformationToken  (-2147482036, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   448   NtQueryInformationToken  (-2147482036, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   448   NtClose  (-2147482036, ... ) == 0x0
 00174   448   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0
 00175   448   NtFreeVirtualMemory  (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0
 00176   448   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   448   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00178   448   NtQueryValueKey  (-2147482036,  (-2147482036, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   448   NtClose  (-2147482036, ... ) == 0x0
 00180   448   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00181   448   NtQueryValueKey  (-2147482036,  (-2147482036, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   448   NtClose  (-2147482036, ... ) == 0x0
 00183   448   NtQueryDefaultLocale  (0, -130971124, ... ) == 0x0
 00184   448   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   448   NtUserCallNoParam  (24, ... ) == 0x0
 00186   448   NtGdiCreateCompatibleDC  (0, ...
 00187   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0
 00186   448   NtGdiCreateCompatibleDC  ... ) == 0x100103ca
 00188   448   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   448   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   448   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x130503fe
 00191   448   NtGdiCreateSolidBrush  (0, 0, ...
 00192   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00191   448   NtGdiCreateSolidBrush  ... ) == 0xe100404
 00193   448   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   448   NtGdiCreateCompatibleDC  (0, ... ) == 0x3901040e
 00195   448   NtGdiSelectBitmap  (956367886, 319095806, ... ) == 0x185000f
 00196   448   NtUserGetThreadDesktop  (448, 0, ... ) == 0x2c
 00197   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   448   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   448   NtClose  (52, ... ) == 0x0
 00200   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00201   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00202   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00203   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00204   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00205   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00206   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00208   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00209   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00210   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00211   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00212   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00213   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00214   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00216   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00217   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00218   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00219   448   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00220   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00221   448   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00222   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc025
 00223   448   NtCallbackReturn  (0, 0, 0, ...
 00224   448   NtGdiInit  (... ) == 0x1
 00225   448   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00226   448   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00227   448   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00228   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   448   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00230   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00231   448   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00232   448   NtClose  (52, ... ) == 0x0
 00233   448   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00234   448   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00235   448   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00236   448   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00237   448   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00238   448   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00239   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00240   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00241   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00242   448   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00243   448   NtClose  (60, ... ) == 0x0
 00244   448   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00245   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00246   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00247   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00248   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00249   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00250   448   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251   448   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   448   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   448   NtClose  (60, ... ) == 0x0
 00254   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00255   448   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00256   448   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   448   NtClose  (60, ... ) == 0x0
 00258   448   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00259   448   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00260   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00261   448   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   448   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00264   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00265   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00266   448   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00267   448   NtClose  (60, ... ) == 0x0
 00268   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00269   448   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00270   448   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00271   448   NtQueryDefaultUILanguage  (1241768, ...
 00272   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00273   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482036, ) == 0x0
 00274   448   NtQueryInformationToken  (-2147482036, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00275   448   NtClose  (-2147482036, ... ) == 0x0
 00276   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00277   448   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   448   NtOpenKey  (0x80000000, {24, -2147482036, 0x640, 0, 0,  (0x80000000, {24, -2147482036, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00279   448   NtQueryValueKey  (-2147482048,  (-2147482048, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280   448   NtClose  (-2147482048, ... ) == 0x0
 00281   448   NtClose  (-2147482036, ... ) == 0x0
 00271   448   NtQueryDefaultUILanguage  ... ) == 0x0
 00282   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   448   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00284   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00285   448   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00286   448   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0
 00287   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   448   NtQueryDefaultUILanguage  (2013024600, ...
 00289   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00290   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482036, ) == 0x0
 00291   448   NtQueryInformationToken  (-2147482036, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00292   448   NtClose  (-2147482036, ... ) == 0x0
 00293   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00294   448   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00295   448   NtOpenKey  (0x80000000, {24, -2147482036, 0x640, 0, 0,  (0x80000000, {24, -2147482036, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00296   448   NtQueryValueKey  (-2147482048,  (-2147482048, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00297   448   NtClose  (-2147482048, ... ) == 0x0
 00298   448   NtClose  (-2147482036, ... ) == 0x0
 00288   448   NtQueryDefaultUILanguage  ... ) == 0x0
 00299   448   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00300   448   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00301   448   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00302   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   448   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\30\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 448, 1526, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 436, 448, 1526, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\30\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 448, 1526, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\30\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\30\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00304   448   NtClose  (68, ... ) == 0x0
 00305   448   NtClose  (72, ... ) == 0x0
 00306   448   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00307   448   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00308   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00309   448   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00311   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00313   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00314   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00317   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00318   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00319   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00320   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00321   448   NtClose  (68, ... ) == 0x0
 00322   448   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00323   448   NtClose  (76, ... ) == 0x0
 00324   448   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00325   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00326   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00327   448   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00328   448   NtClose  (76, ... ) == 0x0
 00329   448   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00330   448   NtClose  (68, ... ) == 0x0
 00331   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00332   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00333   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00334   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00335   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00336   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00337   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00338   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00339   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00340   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00341   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00342   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00343   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00344   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00345   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00346   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00347   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00348   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00349   448   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00350   448   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00351   448   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00352   448   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 00353   448   NtQueryDefaultUILanguage  (1238836, ...
 00354   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00355   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482036, ) == 0x0
 00356   448   NtQueryInformationToken  (-2147482036, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00357   448   NtClose  (-2147482036, ... ) == 0x0
 00358   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00359   448   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00360   448   NtOpenKey  (0x80000000, {24, -2147482036, 0x640, 0, 0,  (0x80000000, {24, -2147482036, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0
 00361   448   NtQueryValueKey  (-2147482048,  (-2147482048, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00362   448   NtClose  (-2147482048, ... ) == 0x0
 00363   448   NtClose  (-2147482036, ... ) == 0x0
 00353   448   NtQueryDefaultUILanguage  ... ) == 0x0
 00364   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00365   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0
 00366   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00367   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00368   448   NtClose  (68, ... ) == 0x0
 00369   448   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0
 00370   448   NtClose  (76, ... ) == 0x0
 00371   448   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00372   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0
 00373   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238028,  (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00374   448   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00375   448   NtClose  (76, ... ) == 0x0
 00376   448   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0
 00377   448   NtClose  (68, ... ) == 0x0
 00378   448   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00379   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00380   448   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00381   448   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0
 00382   448   NtQueryInformationFile  (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00383   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384   448   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\30\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\30\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\30\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 448, 1527, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\30\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\30\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 436, 448, 1527, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\30\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\30\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\30\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 448, 1527, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\30\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\30\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ) == 0x0
 00385   448   NtClose  (68, ... ) == 0x0
 00386   448   NtClose  (76, ... ) == 0x0
 00387   448   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00388   448   NtUnmapViewOfSection  (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00389   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00390   448   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00391   448   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00392   448   NtUserGetDC  (0, ... ) == 0x1010052
 00393   448   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00394   448   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00395   448   NtUserSystemParametersInfo  (66, 12, 1240140, 0, ... ) == 0x1
 00396   448   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00397   448   NtAccessCheck  (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00398   448   NtClose  (76, ... ) == 0x0
 00399   448   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00400   448   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00401   448   NtClose  (76, ... ) == 0x0
 00402   448   NtUserSystemParametersInfo  (41, 500, 1239640, 0, ... ) == 0x1
 00403   448   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00404   448   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00405   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00406   448   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00407   448   NtClose  (68, ... ) == 0x0
 00408   448   NtClose  (76, ... ) == 0x0
 00409   448   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00410   448   NtUserSystemParametersInfo  (4130, 0, 1240164, 0, ... ) == 0x1
 00411   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00412   448   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00413   448   NtClose  (76, ... ) == 0x0
 00414   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00415   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc03b
 00416   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc03d
 00417   448   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00418   448   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc03f
 00419   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00420   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc041
 00421   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00422   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc043
 00423   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc045
 00424   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00425   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc047
 00426   448   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00427   448   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ...
 00428   448   NtAllocateVirtualMemory  (-1, 5525504, 0, 4096, 4096, 32, ... 5525504, 4096, ) == 0x0
 00427   448   NtUserRegisterClassExWOW  ... ) == 0x810cc049
 00429   448   NtUserGetClassInfo  (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049
 00430   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00431   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04b
 00432   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00433   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04d
 00434   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00435   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04f
 00436   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc051
 00437   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00438   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc053
 00439   448   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00440   448   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc055
 00441   448   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc057
 00442   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00443   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc059
 00444   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10013
 00445   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05b
 00446   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00447   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05d
 00448   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00449   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05f
 00450   448   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00451   448   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc017
 00452   448   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00453   448   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc019
 00454   448   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10013
 00455   448   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc018
 00456   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00457   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc01a
 00458   448   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00459   448   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc01c
 00460   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00461   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc01e
 00462   448   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00463   448   NtUserRegisterClassExWOW  (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810cc01b
 00464   448   NtUserFindExistingCursorIcon  (1239440, 1239456, 1240024, ... ) == 0x10011
 00465   448   NtUserRegisterClassExWOW  (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810cc068
 00466   448   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00467   448   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc06a
 00468   448   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00469   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00470   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00471   448   NtTestAlert  (... ) == 0x0
 00472   448   NtContinue  (1244464, 1, ...
 00473   448   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3100b000,}, 4, ... ) == 0x0
 00474   448   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 00475   448   NtQueryValueKey  (68,  (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00476   448   NtClose  (68, ... ) == 0x0
 00477   448   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00478   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0
 00479   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00480   448   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 436, 448, 1528, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 436, 448, 1528, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 436, 448, 1528, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00481   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0
 00482   448   NtClose  (80, ... ) == 0x0
 00483   448   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00484   448   NtClose  (-2147482036, ... ) == 0x0
 00483   448   NtCreateFile  ... 80, {status=0x0, info=3}, ) == 0x0
 00485   448   NtSetInformationFile  (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00486   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\232\2208\0\325\312h\0\323\312g\0(5h\0o\312h\0\327\312h\0\227\312r\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\310h\0m\332h\16\310~a\315\366riL\32\353\370\220\203\242\1s\367\272\32o\260\270\11m\367\247\35s\243\352\12e\367\270\35n\367\277\6d\262\270HW\276\244[2\332\300L7\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0\327\312h\0", ) , ) == 0x0
 00487   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00488   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\3335x\377\3035\304\3\216\213/Uc\1~Y\32\3135\364\324\202\7<\360\303s^\233\207=o\245\263X\11\341\326T\260\272\327c\230G\325\207l(\231\262\361B\213X(\275\216\2\302S\360sb\253h\307?\266f\326\16\223y\300\310\27\254\343P\16\226,\252\326H\335/\273Z\204U;GO\355\326\210)\241\373A\250\275\303\364\235u\347\342\223\262\352;R/\361\375A\247N\203^\345\336Tj;\346)\356\372\354Dn\257\317J\312\202\312\21\350\305x\343\7D7\23%\313\242\254"\336\326\206\2227\2229\27\357\222$\220\317\\4\25o\6\256\332\263\343p\223\3052\27C\23.xI3\314\0O\202b\206<\322\37qc\33\302\222\202/\376\76\366\218d'\222V6\304N\11\31\220+\357l\242\224\240\310\204\6\225\320\307d\32\360\335.\274\240\227\301u`\5\240j"\326;i\21T\233\244\234\322$\353\33\33\14hg\376\34\2700~\341\364S\371\320(W\222\304\201\1\342\376\274\220M\20\244I\302\317E\314\363\330H_\2l\244@\356.\344\343\177fD\271\227\301\250\264\331\236\10\24\23H?\24$\3345\3\253r\4\301\277jnEgw\245\316\177kP\203\257\222\50\227\342\260\219\2000f\213|\370\34\37\3526\24(5\342\326gh>\37G\332u\313\226\3629la\356\27\212\16&\345M;98\33\224|\316\274\225\351\200y?}!\263\352.N\344\217\301\343\11o\21\35\2\325\322\14\233[b\341B\217\304>\204s,\373\0\215j%\227\230-\3\214\177\0\376\310\314L\360\220\254+\273\334\212, ) \336\326\206\2227\2229\27\357\222$\220\317\\4\25o\6\256\332\263\343p\223\3052\27C\23.xI3\314\0O\202b\206<\322\37qc\33\302\222\202/\376\76\366\218d'\222V6\304N\11\31\220+\357l\242\224\240\310\204\6\225\320\307d\32\360\335.\274\240\227\301u`\5\240j (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\3335x\377\3035\304\3\216\213/Uc\1~Y\32\3135\364\324\202\7<\360\303s^\233\207=o\245\263X\11\341\326T\260\272\327c\230G\325\207l(\231\262\361B\213X(\275\216\2\302S\360sb\253h\307?\266f\326\16\223y\300\310\27\254\343P\16\226,\252\326H\335/\273Z\204U;GO\355\326\210)\241\373A\250\275\303\364\235u\347\342\223\262\352;R/\361\375A\247N\203^\345\336Tj;\346)\356\372\354Dn\257\317J\312\202\312\21\350\305x\343\7D7\23%\313\242\254"\336\326\206\2227\2229\27\357\222$\220\317\\4\25o\6\256\332\263\343p\223\3052\27C\23.xI3\314\0O\202b\206<\322\37qc\33\302\222\202/\376\76\366\218d'\222V6\304N\11\31\220+\357l\242\224\240\310\204\6\225\320\307d\32\360\335.\274\240\227\301u`\5\240j"\326;i\21T\233\244\234\322$\353\33\33\14hg\376\34\2700~\341\364S\371\320(W\222\304\201\1\342\376\274\220M\20\244I\302\317E\314\363\330H_\2l\244@\356.\344\343\177fD\271\227\301\250\264\331\236\10\24\23H?\24$\3345\3\253r\4\301\277jnEgw\245\316\177kP\203\257\222\50\227\342\260\219\2000f\213|\370\34\37\3526\24(5\342\326gh>\37G\332u\313\226\3629la\356\27\212\16&\345M;98\33\224|\316\274\225\351\200y?}!\263\352.N\344\217\301\343\11o\21\35\2\325\322\14\233[b\341B\217\304>\204s,\373\0\215j%\227\230-\3\214\177\0\376\310\314L\360\220\254+\273\334\212, ) , ) == 0x0
 00489   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\14\377\20\377\24\377\254\3YAGU\264\313\26Y\315\1]\364\3Ho<'\11\33^LMUory0\116\34<\260m\35\13\230\220\37\357l\377S\332\361\225A0(jDj\302\204:\33b|\242\257?a\254\276\16D\263\250\310\300f\213P\331\D\252\1\202\265/l\220\354U\354\215'\355\1BA\241,\213\300\275\24>\365u0(z3e SR\370;\225Ap\204\353^2\24\312U\0y\350\22\262\213\7\223\375{%\34h\304"\11\34\356\222\340XQ\278XL\220\30\226l\25\270\314\306\332d)\30\223\22\370\177C\304\344\20I\344\6hOU\250\356<\5\325\31c\314\10\372\202\3704o6!\333Pd\360X>6\23\204a\31G\341\207lu^\310\310S\314\375\320\20\256r\360\12\344\324\240@\13\35`\322j\2"\1\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\373350\22\262\213\7\223\375{%\34h\304 (80, 0, 0, 0, "\14\377\20\377\24\377\254\3YAGU\264\313\26Y\315\1]\364\3Ho<'\11\33^LMUory0\116\34<\260m\35\13\230\220\37\357l\377S\332\361\225A0(jDj\302\204:\33b|\242\257?a\254\276\16D\263\250\310\300f\213P\331\D\252\1\202\265/l\220\354U\354\215'\355\1BA\241,\213\300\275\24>\365u0(z3e SR\370;\225Ap\204\353^2\24\312U\0y\350\22\262\213\7\223\375{%\34h\304"\11\34\356\222\340XQ\278XL\220\30\226l\25\270\314\306\332d)\30\223\22\370\177C\304\344\20I\344\6hOU\250\356<\5\325\31c\314\10\372\202\3704o6!\333Pd\360X>6\23\204a\31G\341\207lu^\310\310S\314\375\320\20\256r\360\12\344\324\240@\13\35`\322j\2"\1\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\3731\361\1\21\203Q\314\234\5\356\203\33\314\306\0g)\326\3200\251+\234S.\32@WE\16\351\154\324\220\232\332\314I\25\5-\314$\22 _\325\246\314@9\344\214\343\250\254,\271@\13\300\264\16T`\24\304\202W\24\363\26]\3|\270l\301h\240\6E\260\275\315\316\250\2418\203xXm0@(\330\21\356JXf\\266\220\34\310 ^\24\377\377\212\326\260\242V\37\220\20\35\313A8Ql\266$\177\212\331\354\215M\354\363P\33C\266\246\274B#\350y\350\267I\263=\344&\344X\13\213\11\270\333u\2\2\30d\233\214\250\211BX\16V\204\244\346\223\\347G\2%@RE\3[\265h\376\37\6$\360GfC\273\13@Ty\2664\1\262\25j\260\17\264\326\32B\301\20\2657,\373227\345fz8\213MAE\334\334\17\216\266\342\271\12\252AD\327 \311!\334Y", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00490   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\234\2510\241f\216\33!\22\177\13W\201(X\24\301t\227\353f\322\263c\11\3\270\246^0\2173\357\320xC\313\237\14\247\13\327\344\221\253\4sP\231\37\313\367\325\374\242w\235\13\12D4\12%\326f\366\24\25\367I\242;y\177\14\220\221\27\227\356f\1\3562\26\335\375\367Ch\23\361\3508\360\13?j\171\2522\321\256\226\270 }\263_xC\271\11\266\301\342G]\340\351\341(\25\277\257\343\37\333]\222\13\224]\224bl\253\324\227\302zcc\26\317Ev\15\356\222r\2000\25Q\313\3260\236\6+}hO\306\322su;{\236\366\241\321H\227<\2W\2002\25R\32<(u|\214*\236\212\273\320\371l\317\210\255\2220\201\35\360\6\265\211\4XiR\213\350yl\200\350\315\263\2\14d\353\321\230\313\337\17%\200xz7ux\301\3204Zr\334\275e\17h\3k\^\221\335<\205\271\216Y\227\223_\177\363i\301]\313\350\373\325\270b~\320\316\310\3329\22\32\2\321\271w\23\244\332lAf\213|eR\357\246\262b\34'_\264\365d\5(m3\350 9\267\327", ) \374\242w\235\13\12D4\12%\326f\366\24\25\367I\242;y\177\14\220\221\27\227\356f\1\3562\26\335\375\367Ch\23\361\3508\360\13?j\171\2522\321\256\226\270 }\263_xC\271\11\266\301\342G]\340\351\341(\25\277\257\343\37\333]\222\13\224]\224bl\253\324\227\302zcc\26\317Ev\15\356\222r\2000\25Q\313\3260\236\6+}hO\306\322su;{\236\366\241\321H\227<\2W\2002\25R\32<(u|\214*\236\212\273\320\371l\317\210\255\2220\201\35\360\6\265\211\4XiR\213\350yl\200\350\315\263\2\14d\353\321\230\313\337\17%\200xz7ux\301\3204Zr\334\275e\17h\3k\^\221\335<\205\271\216Y\227\223_\177\363i\301]\313\350\373\325\270b~\320\316\310\3329\22\32\2\321\271w\23\244\332lAf\213|eR\357\246\262b\34'_\264\365d\5(m3\350 9\267\327", ) == 0x0
 00491   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "KcTP,\207l#b\246d`\262\34\262\214j!lh\312r\3102r\14tp\245#\31,\313z|5H%\20\223xC\202O#\30\177\205\236\235\244\244\14\302\25\16\273\3639\252D\2\361\264P9\34\202\367\300+\213\2069\232\203Ha@o*\201\246\377\357\276(\212G\10:\320t9\366F\2733\230U\223\252]\334W\4\371\331\212\272n\4F4\363F\37\306m\205(p\2700\24\5\14N\30z\10.JV0v\254\346\33\366\330\27\13\200K@X\303\13\34\227<\254\272\263\264\303k\270q\224X\217\344%\270x\224\1\367\14p\301\277\344Fals\207Sw\313 \37True\1.\31\322\212D$x\253P\26D\20\27%.\364[w;1\311\212HCD\10_\342\377\27\272\0\10\215u\17\213|\10\71\300\212\16;J\374u\275\365\13\335\216\\12\362\34\16\366\303\337\237Iu\361\21\177\333Z\371\27@$\16\19\370~\335*=+h\304;\2008'\301Wj\330\373\3022\6d\376\270\367\267\333_\257\211\321\11a\13\212G\212*\201\341\377\337\1777x)w\333\212Xc\224\212^\12l|\36\377\302\255\251\13\26\30\217\36\159X\32\200\347\3379\313\1\372\366\6\374\267\0O\21\30\33u\354\261\366\366v\33 \227\353\310?\200\345\337:\32\353\342\35|[\340\366\212l\32\221l\30B\305\222\347Ku\360\321\177\341\4\217\243:\213?\263\4\200?\7\333\2\333\256\203\321O\1\267\17\362J\20z\340\277\20\301\7\3762r\13w\15\17\277\311\3\\211[\265<\307\377\321\216\216]\373_\2509\1\301\212\1\200\373\2r\12~\7\4\240\332\356\330r\2\6s\37\23s\20\4A\261A\24e\205%\316\262\265\326O_c?\14\5\377\247[\350\367\363\337\327", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00492   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "_@\345\225\351b\220\367\33/\340\263\246\340\2500\316\226\373&W\15j\212X\274\343\316S\360\17\10_\3161,vh*?Ph\307\352\363;\34c\205\356j4\11P\231U\337\230]\210[\217$t\302\363|\214]\306\277m\306;\352\6\206\300\225\200\346fu\13\240\336\373\212\2021X\266!L\177Q\222\274]\201\362\254\251i3\373\257x\225\226\36\214\373\310{\204U\320\317\232S\301\220\26W\261]\266\247S\302\26\376\367=\226W\\34\20T\210\0Y\227\371O{Z\317|!D,\253\302\361\204j\377\261k\2644\261m\2K\12\30H\364\302\300P\364\7\0j\5\274\302x\326\372\23\254\337\323\340\7\0\354\232T2\337\273P/\373\275T\207[\326Z8\353\362Tb\205~L8p\262\330\235\305-Sw\214\304\374\36\133\354\341\326\337,\233\337\260I\340\325\240n,\22\251\3117m\15>\272!\10x\360\206G\0Av\320\276\3103\360\223\4\341\226\372X'!t\30wLTk\335jx\35\344\3ipo\320<\17@&p!=j\320\1\34~\253^\350r\35\230\372\313C\271\2024H\335\360\205\234\26.<-\376\240\234E`\263\205\260\353\375\333\224\243\24\11\312\26\11\267c`Cj\341\326\340\323"OF\216\212\20g+5\25\337\326\36)\221\350)\364\224@z\20\274Zh\16#\220\7\21/\313&`\275:\304U\371h\372\0W\316l(IZ\317\1\300\312\234\202\262\216c'\324\337\314\11p"\360lp\220I\363\275?n\360\342c\200\234;\31i\32\327=(\370K\231\37~\342\246>a?\265x\37\313/r\270\52=\351\207\305vp#\5F\311\302\16,f \15j f\207\337\11\202\267_b)!F\16\224~\315\210\333\12\257w\241\347\265s\332\34`\260", ) OF\216\212\20g+5\25\337\326\36)\221\350)\364\224@z\20\274Zh\16#\220\7\21/\313&`\275:\304U\371h\372\0W\316l(IZ\317\1\300\312\234\202\262\216c'\324\337\314\11p (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "_@\345\225\351b\220\367\33/\340\263\246\340\2500\316\226\373&W\15j\212X\274\343\316S\360\17\10_\3161,vh*?Ph\307\352\363;\34c\205\356j4\11P\231U\337\230]\210[\217$t\302\363|\214]\306\277m\306;\352\6\206\300\225\200\346fu\13\240\336\373\212\2021X\266!L\177Q\222\274]\201\362\254\251i3\373\257x\225\226\36\214\373\310{\204U\320\317\232S\301\220\26W\261]\266\247S\302\26\376\367=\226W\\34\20T\210\0Y\227\371O{Z\317|!D,\253\302\361\204j\377\261k\2644\261m\2K\12\30H\364\302\300P\364\7\0j\5\274\302x\326\372\23\254\337\323\340\7\0\354\232T2\337\273P/\373\275T\207[\326Z8\353\362Tb\205~L8p\262\330\235\305-Sw\214\304\374\36\133\354\341\326\337,\233\337\260I\340\325\240n,\22\251\3117m\15>\272!\10x\360\206G\0Av\320\276\3103\360\223\4\341\226\372X'!t\30wLTk\335jx\35\344\3ipo\320<\17@&p!=j\320\1\34~\253^\350r\35\230\372\313C\271\2024H\335\360\205\234\26.<-\376\240\234E`\263\205\260\353\375\333\224\243\24\11\312\26\11\267c`Cj\341\326\340\323"OF\216\212\20g+5\25\337\326\36)\221\350)\364\224@z\20\274Zh\16#\220\7\21/\313&`\275:\304U\371h\372\0W\316l(IZ\317\1\300\312\234\202\262\216c'\324\337\314\11p"\360lp\220I\363\275?n\360\342c\200\234;\31i\32\327=(\370K\231\37~\342\246>a?\265x\37\313/r\270\52=\351\207\305vp#\5F\311\302\16,f \15j f\207\337\11\202\267_b)!F\16\224~\315\210\333\12\257w\241\347\265s\332\34`\260", ) , ) == 0x0
 00493   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\210\212\215\225>\250\370\367\314\345\210\263q*\3000\31\\223&\200\307\2\212\217v\213\316\204:g\10\210\4Y,\241\242B?\207\242\257\352$\361tcR$\24\336\232\361U\10R5\210\214ELt\259\24\214\212\14\327m\21\361\202\6Q\12\375\2001\254\35\13w\24\223\212U\3730\266\366\206\27QEv5\201%f\301i\3441\307xB\v\214,\2\23\204\202\32\247\232\204\13\370\26\200{5\266p\231\252\26)=U\226\200\226t\20\203BhY@3'{\215\5\24!\223\346\303\302&N\2\377f\241\3344f\247jK\335\322 \364\25\128\364\320\312\2\5k\10\20\326-\331\304\337\4*o\0;P<2\10q8/,w<\207\214\3428<8A\364C\212\22\20k\220\0\16\364Zo\21\370\1N`j\360\254U.\242\222\0\200\4\4(\236\220\247\1\27\0\364\202eD\13'\3\25\244\11\247\350\230l\247Z!\363j\365\6\3605\251\350\234\354\323\1\32\0\367@\370\234Sw~5lVa\350\177\20\37\34\345\32\270\322\370U\351P\17\36p\364\317.\311\25\304Df\367\307\2 \261M\267\11U}7b\376\353.\16C\264\245\210\14\300\307wv-\335s\15\326\10\260", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) A\364C\212\22\20k\220\0\16\364Zo\21\370\1N`j\360\254U.\242\222\0\200\4\4(\236\220\247\1\27\0\364\202eD\13'\3\25\244\11\247\350\230l\247Z!\363j\365\6\3605\251\350\234\354\323\1\32\0\367@\370\234Sw~5lVa\350\177\20\37\34\345\32\270\322\370U\351P\17\36p\364\317.\311\25\304Df\367\307\2 \261M\267\11U}7b\376\353.\16C\264\245\210\14\300\307wv-\335s\15\326\10\260", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00494   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "_\375\22w\362C0&\240\34\345p\317\310_v\341\15b\211\313\3\347\331\237=z\13\367\302>\233\305\237\23\263\26\247e\346\254\12UK\14F\2\34\13\26@\7md\322\25_\310l\307\212\312\326o\1\324U\250\247\360\16\37\333\334q\214\32>u\374\235\230-6}`hU\210A\302\247\5Z\241_\243\11\352@d\325?C\362\261\331\350f\246\3628<\351\6\5g\227~{\27\247eP\245\327{^e\227\204\353\352{\322\370P\21\30\356\307\276aF\337lO\25\13\11\204\303|\263\232l\263\177\217\252A\356\222\300\227sd|\326\363\354\231\336t\36\264\305\251$F\333\203\274q\200\2649\300\336\231S\237\242\203\11\176\5\314;\222J\35>\203\274\J\327\342\370\265\203\11\250\250\366<\202\4\355\270}2}\253\235p\332\242\311j\267\237\4\360Xa\241H\207\372\236\236\245\205\270dg\307\364\214\344\244\372oS\21\335\33W>\202\31\272\370\260a\334\6]z\371\352pU\230\273\335\352\216Py,\300\27\31h_\240{\305\177\203l\25k\252!\0\302\232\214%\307%\2158\247\217\214d\34\310\266\27\361Df#\232\14\230\205\267C|j\364\241(\302\223\376U@\324zy\333Zljr\302\260\232\143!H]@Fi\343\225A\2h\21o!\14\216-\232\227\251j\322G.\32P\271*d\362\322\317\263\1\315*\332\17PW\260\12\33\361\342)J1\12N*_S\17\261Ywq\333\324*L\246\341\261#\265d\226\204\266>\242\24\304p\13\237\270?\325;\242\240\353\221\32\201\301\3143\262&\3~\314\376))\11>\212\313p\356N\310`\21\271p\2\226YP\360\377p\10\330\326\201+s\324\365P\263\332#\343\350V:\217ngy`\301\350\2647\317\307[\242\234", ) , ) == 0x0
 00495   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\2107zw%\211X&w\326\215p\30\27v6\307\12\211\34\311\217\331H\367\22\13 \10V\233\22U{\263\301m\15\346{\300=K\333\214j\34\334\334(\7\272\256\272\25\210\2\4\307]\0\276o\326\36=\250p:f\37\14\26\31\214\315\364\35\374JRE6\252\252\0U_\213\252\247\322\220\311_t\303\202@\263\37WC%{\261\350\261l\2328\353#n\5\260]\26{\300m\15Pr\35\23^\262]\354\353=\261\272\370\207\333p\356\20t\11F\10\246'\25\334\303\354\303\253y\362ld\265\347\252\226$\372\300@\271\14|\19\204\231\11\276v\264\22cLF\14I\324qW~Q\300\11S;\237uIa\17\341\317\244;E\200u>Tv4J\0(\220\265T\303\300\250!\366\352\4:r\252\252a\365p\15h\241j`Ul\360\217\253\311HP0\366\236rO\320d\260\15\234\2143n\222o\204\333\265\33\200\364\352\31m2\330a\13\3145z. \30UOq\265\352Y\232\21,\27\335qh\210j\23\305\250I\4\25\274`I\0\25P\344%\20\357\3458pE\344d\313\2\336\27&\216\16#M\306\360\205`\211\24j#k@\302D4=@\3\260\21\333\215\246\2r\25z\362\14\344\353 ]\227\214\1\343B\213jh\306\245I\14Y\347\362\22\340c\2\322\220\344rPn\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\314;t2\376\200Y\12\231\3407S\330{1w\246\21\274*\233l\211\261\364\177\14\226S|V\242\303\16\30\13HrW\32\342\361\312\240<[r\201\26\6[\262\361\311\26\314)\343A\11\351@\243p9\204\240`\306s\30\2A\2238\360(\272`\330\1KCs\3?8\263\15\351\213\350\201\360\347n\260\263\10\301?~_\317\20\221\312\234", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00496   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "K\250\343\373G\335f\322,\21\322\332\2615~-\323\361\203J\274P\240\331\216%CU\243\222_\22\324\202\241\225\332\356M\21\243\35TMx^\350NME\15\377S\226\20\213\355\346\252\1\267\366\267R\333\34%\341\215\201>\345\250\14\300Q\326\230\25\324\254`\204z\341\205un\237i\245\211\16L\1\343\207\37\253RS\273\31\324\363=q\274\344%\323Ey\213\324\313\342$V\261RX\223\236\242l\265G\11s\3\301+\231L\200\332\366\212qz\237\5e\352r\3\235\227\235\356Ut\351x\303\362\26\23\202\354\323v\225f\311'\240\256<\317\205\314\3364\21\256xS\\327\221J\357!q\310\222\341r\304\315\374^\330\334\304\272\24\330\300W\220}\325\260;\204\356\300\256\325\235e\345\21]\250\372\207\33+\30Y\226\20#*\257\212v\7CJ\306\224\371\201\1\14\302*\205T\10Be\201\245W\200\3675{\211\323\14(,\326\240\272\265\327\311M@D\370\2716\315\346\16\210\323\33`\370\231\376\23~\250J<=\307:\217\237!Be\35\372\217\34\371\333\320\275qu7\205\246\343\32\26\4\270!n\205\5\267j\300\206\377\376F\374\316{\353\202\15\264e\374\327v\14\243\207E\27\307\341S\2\320H\252\263\251\332t\344H\17\362\273\37\341\242\15\341\3055\20\243\3275\0\346\334\334\205\16r\5a\37\352\350\342)C\210\366kf+\36M\312Si\243\323\341s\266\321\230\14\207\327l\311\345J$\302\354\372\350\350\313\352\1770\347\351\311}\337yg\210\323\375\2$\270\301;8\300C88\331j\7\240\361\332\355\311\252\317z"&\34\332\20\316\205l\306V\367\324\335\317\26Y\36\326s\253\35]J{\30\363\214\311\265\326D_z4\301\200\375I\256\374!\21r-}\314}P\304f\254\263", ) &\34\332\20\316\205l\306V\367\324\335\317\26Y\36\326s\253\35]J{\30\363\214\311\265\326D_z4\301\200\375I\256\374!\21r-}\314}P\304f\254\263", ) == 0x0
 00497   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\234b\213\373\220\27\16\322\373\333\272\332f\377\26-\4;\353Jk\232\310\331Y\357+UtX7\22\3H\311\225\15$%\21t\3272bd\300\206\34\360\25\3f\10\204\255+\355u\271U\1\245^\304$\14Mw\253\205\231\323\31\39Uqk.M\323\222\263\343\324\34(LVf\2300\223Ih\4\265\220\303\33\3\26\341\361LW\20\236\212\246\260\367\5\262 \32\3J]\365\356\202\276\201x\248~\23U&\273vB\254\241'wdT\317R\6\2664\306d\20S\213\35\371J8\353\31\310E+\32\304\3266\330\13\16\322\24\17\12?\220\252\37\330;S$\250\256\2W\15\345\306\227\300\372P\321C\30\216\x#\375e\342v\320\211"\306C3\351\1\333\10B\205\203\302*eVo?\200 \377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22"\361\326\262\20\31O\4\306\201=\274\335\30\3341\36\1\271\303\35\212\200\23\30$\333\\311b\34,_\255\376\251\200*\203\306\374\366\333\32-\252\6\25P\23\254\304\263", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \306C3\351\1\333\10B\205\203\302*eVo?\200 \377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22 (80, 0, 0, 0, "\234b\213\373\220\27\16\322\373\333\272\332f\377\26-\4;\353Jk\232\310\331Y\357+UtX7\22\3H\311\225\15$%\21t\3272bd\300\206\34\360\25\3f\10\204\255+\355u\271U\1\245^\304$\14Mw\253\205\231\323\31\39Uqk.M\323\222\263\343\324\34(LVf\2300\223Ih\4\265\220\303\33\3\26\341\361LW\20\236\212\246\260\367\5\262 \32\3J]\365\356\202\276\201x\248~\23U&\273vB\254\241'wdT\317R\6\2664\306d\20S\213\35\371J8\353\31\310E+\32\304\3266\330\13\16\322\24\17\12?\220\252\37\330;S$\250\256\2W\15\345\306\227\300\372P\321C\30\216\x#\375e\342v\320\211"\306C3\351\1\333\10B\205\203\302*eVo?\200 \377\23\211\4\306@,\1j\322\265\0\3%@\2232\3216\32,f\210\4\321\10\370N4{~\177\200T=\20\360\347\237\366\210\15\35-Et\371\14\32\325q\242\375\355\2464\320~\4o\353\6\205\322}\2\300Q5\226F+\4\23\353U\307\334e+\35\36\14tM-\27\20+;\2\7\202\302\263~\20\34\344\237\305\232\273\310+\312\156\17]\20t\35]\01\26\264\205\331\270ma\310 \200\342\376\211\340\366\274\254C\36\232\0;it\31\211sa\33\360\14P\35\4\3112\200L\302;0\200\350\34 \2700#\241}\10\263\17\210\47j$o\13S8\27\211P8\16\240o\240&\20\205\311}\5\22"\361\326\262\20\31O\4\306\201=\274\335\30\3341\36\1\271\303\35\212\200\23\30$\333\\311b\34,_\255\376\251\200*\203\306\374\366\333\32-\252\6\25P\23\254\304\263", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00498   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=8722},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=8722}, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", )  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=8722}, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", ) \320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", ) == 0x0
 00499   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) !\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304( (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) N)z)\2012 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) O\26\313r\33\336\273\17\307\206\237\256\346 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) %\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00500   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00501   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, )  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00502   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00503   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) !\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304( (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) N)z)\2012 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) O\26\313r\33\336\273\17\307\206\237\256\346 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) %\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00504   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00505   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, )  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00506   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00507   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) !\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304( (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) N)z)\2012 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) O\26\313r\33\336\273\17\307\206\237\256\346 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) %\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00508   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00509   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, )  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00510   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00511   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) !\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304( (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) N)z)\2012 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) O\26\313r\33\336\273\17\307\206\237\256\346 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) %\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00512   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00513   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, )  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00514   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00515   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) !\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304( (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) N)z)\2012 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) O\26\313r\33\336\273\17\307\206\237\256\346 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) %\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00516   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00517   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, )  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00518   448   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00519   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) !\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304( (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) N)z)\2012 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) O\26\313r\33\336\273\17\307\206\237\256\346 (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F (80, 0, 0, 0, "heQMq`e\12\33\5\253\272\204\343\153\0?!\206\217\337t\37h\227\305\236\354\221\1\230b\353o[.#^\346\347"!\22`\330\204\325\263\17\21\22\331s\1\357\307\354%X\220-\364*\361^\20\27T\35\20\202A!K:\260 \207\273\373\36h\5\205\4(\300a\51\210u7\210\361\249(\231}\334\20\304("\17\266E\30\22z\253j9W\30\302\3P\7.\314$\22\6\203W\35\346\233\201G\213J\253[B\254\266[T~I5XX}\37Eq\342FX\337\4E\14\2\26E\222\31<\307\233\234"N)z)\201"Ua\26\364"O\26\313r\33\336\273\17\307\206\237\256\346"\365\335\2638\354\222\362r\344\25\305T\0Z\21\231\17\300\222+\4\246\5\311\4&_}P\272\324U\263N\352)\2\265=\242pS\356\311X\14r\204\353'\33\202\212\273\355\241\37$\320\30\16\3u\13\213\263R\317\225\1l\32\31\244\177\260bF1GvDc\1o.o\334\10\1;;#\245\34\22T\261A\360\26\242"\212\347\227 8#\\362\266\314\325#\236\257\364\2\2\20N\302\222x_oP#\343lVTL\206WH\221\351\6&\22\1\356\232Q-t\25\354\373\37B\325.)\361\212%\246,\352\6\212\276\17\353\25\204\330\241\212\303^2\337\331\310\210\200\251#-\30+)\242\234 \201#x\20\223\337\1\256\367^<\14\6F"\7\251\226\263\325$\232\201\2421\11\336\237\360`\324\11\305\267L\31*\32\364\6\"%\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) %\220'\3v\2$\241\205\5\30787\343!\260]\30\31,\212s\340\340\335\344\331kc\273\335\244'Tg\236\35\12\6\203Hxu9\254\306\262\236\244t\30nF\223\311 \317\267\274\3404\3409\240\372Jp(\10", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00520   448   NtReadFile  (68, 0, 0, 0, 2048, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00521   448   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 2048, 0x0, 0, ... {status=0x0, info=2048}, )  (80, 0, 0, 0, "\277\2579M\246\252\15\12\314\317\303\272S)e3\327\365I\206X\25\34\37\277]\255\23\341&\371\1O\250\203o\214\344K^1-J!\305\252\260\204\2yg\21\305\23\33\18\15\204%\217ZE\364\375;6\20\300\236u\20U\213IK\355zH\207l1vh\322Ol(\27\253m1_\277_\210&\336Q(N\267\264\20\23\342J\17a\217p\22\255a\29\200\322\252\3\207\315F\314\363\330n\203\200\327\216\233\307\373/\213\235a3B{|3T\251\203]X\217\267wE\246(.X\10\316-\14\325\334-\222\316\366\257\233K\350&)\255\343\351<\236\237:\2\365\237\11\26#\350'\26\34\270s\336l\305\257\206Hd\216""\27\3338;X\232r3\337\255T\327\220y\231\330\12\372+\323lm\311\323\3547}\207p\274Ud\204\202)\325\177U\242\247\231\206\311\217\306\32\204<\355s\202]q\205\241\310\356\270\30\331\311\35\13\y:\317B\313\4\32\316n\27\260\265\214YG\241\216\13\1\270\344\7\334\337\313S;\364ot\22\203{)\360\301hJ\2120]H8\364\226\232\266\33\37K\236x>j\2\307\204\252\222\257\225\7P\364)\4V\203\206\356W\237[\201\6\361\330i\356M\233Et\302&\223\37\225\37F)&@M\246\373 n\212i\305\203\25S\22\311\212\24\224Z\337\16\2\340\200~\351E\30\374\343\312\234\367KKx\307Y\267\1y=6<\333\314."\320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \320c\376\263\2\356\362\201u\373a\336H:\10\324\336\17\337L\316\340r\364\321\226J%G\355kv\325\356\311\205\322\15P74\353\330]\317\323D\212\244*\210\3353\23\3cl\27\314'\203\255\366\35\335\314\353H\257\277Q\254\21x\366\244\243\322\6FD\3H\317`v\21047\363\310\372\235\272@\10", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00522   448   NtClose  (80, ... ) == 0x0
 00523   448   NtClose  (68, ... ) == 0x0
 00524   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 1242416, ... ) }, 1242416, ... ) == 0x0
 00525   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00526   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0
 00527   448   NtClose  (68, ... ) == 0x0
 00528   448   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0
 00529   448   NtClose  (80, ... ) == 0x0
 00530   448   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00531   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 1242732, ... ) }, 1242732, ... ) == 0x0
 00532   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 1242732, ... ) }, 1242732, ... ) == 0x0
 00533   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\yka1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00534   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0
 00535   448   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00536   448   NtClose  (80, ... ) == 0x0
 00537   448   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 475136, ) == STATUS_IMAGE_NOT_AT_BASE
 00538   448   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00539   448   NtClose  (68, ... ) == 0x0
 00540   448   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00541   448   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00542   448   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "uterm12"}, 1, ... 68, ) }, 1, ... 68, ) == 0x0
 00543   448   NtOpenProcessToken  (-1, 0x20, ... 80, ) == 0x0
 00544   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00545   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 84, ) }, ... 84, ) == 0x0
 00547   448   NtQueryValueKey  (84,  (84, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   448   NtClose  (84, ... ) == 0x0
 00549   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00550   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0
 00551   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 88, ) == 0x0
 00552   448   NtQuerySystemTime  (... {-1495590790, 29873114}, ) == 0x0
 00553   448   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00554   448   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00555   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00556   448   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00557   448   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00558   448   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00559   448   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00560   448   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 100, ) == 0x0
 00561   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 104, ) }, ... 104, ) == 0x0
 00562   448   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "ActiveComputerName"}, ... 108, ) }, ... 108, ) == 0x0
 00563   448   NtQueryValueKey  (108,  (108, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (108, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (108, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00564   448   NtClose  (108, ... ) == 0x0
 00565   448   NtClose  (104, ... ) == 0x0
 00566   448   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 104, ) == 0x0
 00567   448   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 108, ) == 0x0
 00568   448   NtDuplicateObject  (-1, 104, -1, 0x0, 0, 2, ... 112, ) == 0x0
 00569   448   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00570   448   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00571   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00572   448   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00573   448   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00574   448   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243248,  (0xc0100080, {24, 0, 0x40, 0, 1243248, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 00575   448   NtSetInformationFile  (120, 1243304, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00576   448   NtSetInformationFile  (120, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00577   448   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00578   448   NtWriteFile  (120, 97, 0, 0,  (120, 97, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00579   448   NtReadFile  (120, 97, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (120, 97, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00580   448   NtFsControlFile  (120, 97, 0x0, 0x0, 0x11c017,  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00581   448   NtFsControlFile  (120, 97, 0x0, 0x0, 0x11c017,  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\07\22|\341\315?\334\21\261\310\0\14)\371\246\305 \0"\0`\253\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\07\22|\341\315?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0`\253\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\07\22|\341\315?\334\21\261\310\0\14)\371\246\305 \0"\0`\253\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\07\22|\341\315?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\07\22|\341\315?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 00582   448   NtFsControlFile  (120, 97, 0x0, 0x0, 0x11c017,  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\07\22|\341\315?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\07\22|\341\315?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00583   448   NtClose  (116, ... ) == 0x0
 00584   448   NtClose  (120, ... ) == 0x0
 00585   448   NtAdjustPrivilegesToken  (80, 0, 1245084, 16, 0, 0, ... ) == 0x0
 00586   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00587   448   NtQueryValueKey  (120,  (120, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00588   448   NtClose  (120, ... ) == 0x0
 00589   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00590   448   NtQueryValueKey  (120,  (120, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00591   448   NtClose  (120, ... ) == 0x0
 00592   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00593   448   NtQueryValueKey  (120,  (120, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00594   448   NtClose  (120, ... ) == 0x0
 00595   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00596   448   NtQueryValueKey  (120,  (120, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   448   NtClose  (120, ... ) == 0x0
 00598   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00599   448   NtQueryValueKey  (120,  (120, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   448   NtClose  (120, ... ) == 0x0
 00601   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00602   448   NtQueryValueKey  (120,  (120, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   448   NtClose  (120, ... ) == 0x0
 00604   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00605   448   NtQueryValueKey  (120,  (120, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   448   NtClose  (120, ... ) == 0x0
 00607   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00608   448   NtQueryValueKey  (120,  (120, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609   448   NtClose  (120, ... ) == 0x0
 00610   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00611   448   NtQueryValueKey  (120,  (120, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00612   448   NtClose  (120, ... ) == 0x0
 00613   448   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00614   448   NtQueryValueKey  (120,  (120, "Windows Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00615   448   NtClose  (120, ... ) == 0x0
 00616   448   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00617   448   NtSetInformationFile  (-2147482824, -130972636, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00618   448   NtSetInformationFile  (-2147482824, -130973108, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00616   448   NtCreateKey  ... 120, 1, ) == 0x0
 00619   448   NtSetValueKey  (120,  (120, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1,  (120, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 00620   448   NtClose  (120, ... ) == 0x0
 00621   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243532,  (0x80100080, {24, 0, 0x40, 0, 1243532, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 00622   448   NtQueryInformationFile  (120, 1244468, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00623   448   NtQueryInformationFile  (120, 1244440, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00624   448   NtQueryInformationFile  (120, 1244392, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00625   448   NtAllocateVirtualMemory  (-1, 1363968, 0, 8192, 4096, 4, ... 1363968, 8192, ) == 0x0
 00626   448   NtQueryInformationFile  (120, 1362376, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00627   448   NtQueryInformationFile  (120, 1242936, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00628   448   NtQueryInformationFile  (120, 1242780, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00629   448   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242788,  (0x40110080, {24, 0, 0x40, 0, 1242788, "\??\C:\WINDOWS\System32\azmcvlu.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00630   448   NtClose  (-2147482036, ... ) == 0x0
 00629   448   NtCreateFile  ... 116, {status=0x0, info=2}, ) == 0x0
 00631   448   NtQueryVolumeInformationFile  (116, 1242160, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00632   448   NtQueryInformationFile  (116, 1242120, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00633   448   NtQueryVolumeInformationFile  (120, 1242160, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00634   448   NtQueryVolumeInformationFile  (120, 1241844, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00635   448   NtSetInformationFile  (116, 1241948, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00636   448   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 120, ... 124, ) == 0x0
 00637   448   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x860000), {0, 0}, 86016, ) == 0x0
 00638   448   NtClose  (124, ... ) == 0x0
 00639   448   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211h9\210\315\11W\333\315\11W\333\315\11W\333N\25Y\333\317\11W\333%\26S\333\317\11W\333\315\11W\333\313\11W\333\315\11V\333\222\11W\333\257\26D\333\304\11W\333%\26\\333\307\11W\333Rich\315\11W\333\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\320n\301@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0\01\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\340UPX1", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 00640   448   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "\5\301:f\220\272\257\302\16]\335\302%D\214j\302\4\233\303a\12!\301\352\27\370O\11ysD`\276\21\236\236G\23}W\260\266\316hH\27\306\12i,@)\24o\25b\14\364u\10E}\300\11x\321Z\7\216\375\375/\273\333\314d\334U*us\326\212\243\273\363\230l3\37\310}^\334\107\273\367\300\30o\300Wb\315\362\261`\23\307\303[\243&\361\371\354\273\263y\20t\333fp\21\340\302=\4\257\372\214\330 \16\6\21\214\3\31\330\213%\212\245y\217\226=\332)\26\252]u\355\306Z\377\274\344\311\376\20UB\223\273\315Jc\366o\303\14m\201\303\263hP\177\177N\245\263b\11\215\306b\14h\335C\12\333\205\324\14\220](I\325\311\206\274\213WA\332\337\314\351\346o\232\3\301j'\2700\335\351d\16\370Mh\312f\247.}G\2118\10\300\202(pO\342i\315\261\255m\240\333\357d\1\377\233\2757_\355\2703\247NM<\3371M\266\262\232}\273\354\16\16\224^\350\7>\203\335\222\301\356\333kM\244\255\331W\232\334zEkbi\7\237.\233a\242\352\6\7\326tH\3\256\263!xi\210\327\246\78\344.\6\313\216\3570j\213\11C\316\342G\211"`\1:\322\243't\201\37\351\27\311\224\353\337)i\363\230\3\215\221\377\310CL3\266i\360\3374\355<\366\313\230\374%:h\1&vK\257G\215i\363\2772\24\2\345 F\273\323\365`P\320\332\303P4\27\373<%\332,\2\363\346j\26\227\11\204\15J\261\33\263\350\310O\3240\271K\366\334\356H\330n\326O\213%&w\363;\333N$\302pH8\320\206$\300\207\313b\212z:\37\274\21\316\201\327kY\21\326\335i \326\325\266v\203j\201\12\347\330i\246\365\310@\370z\332", 21780, 0x0, 0, ... {status=0x0, info=21780}, ) `\1:\322\243't\201\37\351\27\311\224\353\337)i\363\230\3\215\221\377\310CL3\266i\360\3374\355<\366\313\230\374%:h\1&vK\257G\215i\363\2772\24\2\345 F\273\323\365`P\320\332\303P4\27\373<%\332,\2\363\346j\26\227\11\204\15J\261\33\263\350\310O\3240\271K\366\334\356H\330n\326O\213%&w\363;\333N$\302pH8\320\206$\300\207\313b\212z:\37\274\21\316\201\327kY\21\326\335i \326\325\266v\203j\201\12\347\330i\246\365\310@\370z\332", 21780, 0x0, 0, ... {status=0x0, info=21780}, ) == 0x0
 00641   448   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00642   448   NtSetInformationFile  (116, 1244392, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00643   448   NtClose  (120, ... ) == 0x0
 00644   448   NtClose  (116, ... ) == 0x0
 00645   448   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 00646   448   NtSetValueKey  (116,  (116, "Windows Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0z\0m\0c\0v\0l\0u\0.\0e\0x\0e\0\0\0", 64, ... , 0, 1,  (116, "Windows Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0z\0m\0c\0v\0l\0u\0.\0e\0x\0e\0\0\0", 64, ... , 64, ...
 00647   448   NtSetInformationFile  (-2147482824, -130971852, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00648   448   NtSetInformationFile  (-2147482824, -130971944, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00646   448   NtSetValueKey  ... ) == 0x0
 00649   448   NtClose  (116, ... ) == 0x0
 00650   448   NtClose  (68, ... ) == 0x0
 00651   448   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00652   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\azmcvlu.exe"}, 1241024, ... ) }, 1241024, ... ) == 0x0
 00653   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\azmcvlu.exe"}, 1241716, ... ) }, 1241716, ... ) == 0x0
 00654   448   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\azmcvlu.exe"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00655   448   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 68, ... 116, ) == 0x0
 00656   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00657   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 120, ) }, ... 120, ) == 0x0
 00658   448   NtQueryValueKey  (120,  (120, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00659   448   NtClose  (120, ... ) == 0x0
 00660   448   NtQueryVolumeInformationFile  (68, 1241024, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00661   448   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 120, ) }, ... 120, ) == 0x0
 00662   448   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 00663   448   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 124, ) }, ... 124, ) == 0x0
 00664   448   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x840000), {0, 0}, 57344, ) == 0x0
 00665   448   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 00666   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239008, ... ) }, 1239008, ... ) == 0x0
 00667   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 00668   448   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 00669   448   NtClose  (128, ... ) == 0x0
 00670   448   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 106496, ) == 0x0
 00671   448   NtClose  (132, ... ) == 0x0
 00672   448   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00673   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239324, ... ) }, 1239324, ... ) == 0x0
 00674   448   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 00675   448   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 00676   448   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00677   448   NtClose  (132, ... ) == 0x0
 00678   448   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00679   448   NtClose  (128, ... ) == 0x0
 00680   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) == 0x0
 00681   448   NtQueryInformationFile  (128, 1239612, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00682   448   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 128, ... 132, ) == 0x0
 00683   448   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8f0000), 0x0, 1028096, ) == 0x0
 00684   448   NtQueryInformationFile  (128, 1239708, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00685   448   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00686   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00687   448   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00688   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00689   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1237272, 616, BothDirectory, 1,  (136, 0, 0, 0, 1237272, 616, BothDirectory, 1, "azmcvlu.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 00690   448   NtClose  (136, ... ) == 0x0
 00691   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00692   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00693   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\azmcvlu.exe"}, 1236660, ... ) }, 1236660, ... ) == 0x0
 00694   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00695   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1236020, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236020, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00696   448   NtClose  (136, ... ) == 0x0
 00697   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00698   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1236020, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236020, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00699   448   NtClose  (136, ... ) == 0x0
 00700   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00701   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1236020, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236020, 616, BothDirectory, 1, "azmcvlu.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 00702   448   NtClose  (136, ... ) == 0x0
 00703   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00704   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00705   448   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00706   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00707   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 136, ) == 0x0
 00708   448   NtQueryInformationToken  (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00709   448   NtClose  (136, ... ) == 0x0
 00710   448   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00711   448   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\azmcvlu.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00712   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00713   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00714   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\azmcvlu.exe"}, 1238940, ... ) }, 1238940, ... ) == 0x0
 00715   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00716   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1238300, 616, BothDirectory, 1,  (136, 0, 0, 0, 1238300, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00717   448   NtClose  (136, ... ) == 0x0
 00718   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00719   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1238300, 616, BothDirectory, 1,  (136, 0, 0, 0, 1238300, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00720   448   NtClose  (136, ... ) == 0x0
 00721   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00722   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1238300, 616, BothDirectory, 1,  (136, 0, 0, 0, 1238300, 616, BothDirectory, 1, "azmcvlu.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 00723   448   NtClose  (136, ... ) == 0x0
 00724   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00725   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00726   448   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 00727   448   NtQueryVolumeInformationFile  (68, 1239584, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00728   448   NtQueryInformationFile  (68, 1239564, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00729   448   NtQueryInformationFile  (68, 1239604, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00730   448   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 00731   448   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00732   448   NtClose  (132, ... ) == 0x0
 00733   448   NtClose  (128, ... ) == 0x0
 00734   448   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00735   448   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\azmcvlu.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00736   448   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00737   448   NtOpenProcessToken  (-1, 0xa, ... 128, ) == 0x0
 00738   448   NtQueryInformationToken  (128, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00739   448   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00740   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00741   448   NtQueryValueKey  (132,  (132, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (132, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00742   448   NtQueryValueKey  (132,  (132, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (132, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00743   448   NtClose  (132, ... ) == 0x0
 00744   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00745   448   NtQueryValueKey  (132,  (132, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00746   448   NtQueryValueKey  (132,  (132, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (132, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00747   448   NtClose  (132, ... ) == 0x0
 00748   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00749   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00750   448   NtQueryValueKey  (132,  (132, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00751   448   NtClose  (132, ... ) == 0x0
 00752   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00753   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00754   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00755   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00756   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00757   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00758   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00759   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00760   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00761   448   NtQueryDefaultLocale  (1, 1240396, ... ) == 0x0
 00762   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 132, ) }, ... 132, ) == 0x0
 00763   448   NtEnumerateKey  (132, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (132, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00764   448   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 136, ) }, ... 136, ) == 0x0
 00765   448   NtQueryValueKey  (136,  (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00766   448   NtQueryValueKey  (136,  (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00767   448   NtClose  (136, ... ) == 0x0
 00768   448   NtEnumerateKey  (132, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00769   448   NtClose  (132, ... ) == 0x0
 00770   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00771   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00772   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00773   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00774   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00775   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00778   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00780   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00781   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00782   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00783   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00784   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00785   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00786   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00787   448   NtClose  (132, ... ) == 0x0
 00788   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00789   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00790   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00791   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00792   448   NtClose  (132, ... ) == 0x0
 00793   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00794   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00795   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00796   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00797   448   NtClose  (132, ... ) == 0x0
 00798   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00799   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00800   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00801   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00802   448   NtClose  (132, ... ) == 0x0
 00803   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00804   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00805   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00806   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00807   448   NtClose  (132, ... ) == 0x0
 00808   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00810   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00811   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00812   448   NtClose  (132, ... ) == 0x0
 00813   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00814   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00815   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00816   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00817   448   NtClose  (132, ... ) == 0x0
 00818   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00819   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00820   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00821   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00822   448   NtClose  (132, ... ) == 0x0
 00823   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00824   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00825   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00826   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00827   448   NtClose  (132, ... ) == 0x0
 00828   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00829   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00830   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00831   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00832   448   NtClose  (132, ... ) == 0x0
 00833   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00834   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00835   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00836   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00837   448   NtClose  (132, ... ) == 0x0
 00838   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00839   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00840   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00841   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00842   448   NtClose  (132, ... ) == 0x0
 00843   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00845   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00846   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00847   448   NtClose  (132, ... ) == 0x0
 00848   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00850   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00851   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00852   448   NtClose  (132, ... ) == 0x0
 00853   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00855   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00856   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00857   448   NtClose  (132, ... ) == 0x0
 00858   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00859   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00860   448   NtQueryValueKey  (132,  (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00861   448   NtClose  (132, ... ) == 0x0
 00862   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00863   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00864   448   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00865   448   NtClose  (132, ... ) == 0x0
 00866   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   448   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00868   448   NtOpenProcessToken  (-1, 0xa, ... 132, ) == 0x0
 00869   448   NtDuplicateToken  (132, 0xc, {24, 0, 0x0, 0, 1240916, 0x0}, 0, 2, ... 136, ) == 0x0
 00870   448   NtClose  (132, ... ) == 0x0
 00871   448   NtAccessCheck  (1369904, 136, 0x1, 1241044, 1240988, 56, 1241072, ... (0x1), ) == 0x0
 00872   448   NtClose  (136, ... ) == 0x0
 00873   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 136, ) }, ... 136, ) == 0x0
 00874   448   NtQueryValueKey  (136,  (136, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (136, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00875   448   NtClose  (136, ... ) == 0x0
 00876   448   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 136, ) }, ... 136, ) == 0x0
 00877   448   NtQuerySymbolicLinkObject  (136, ...  (136, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00878   448   NtClose  (136, ... ) == 0x0
 00879   448   NtQueryInformationFile  (68, 1239376, 528, Name, ... {status=0x0, info=62}, ) == 0x0
 00880   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00881   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00882   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\azmcvlu.exe"}, 1238056, ... ) }, 1238056, ... ) == 0x0
 00883   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00884   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1237416, 616, BothDirectory, 1,  (136, 0, 0, 0, 1237416, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00885   448   NtClose  (136, ... ) == 0x0
 00886   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00887   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1237416, 616, BothDirectory, 1,  (136, 0, 0, 0, 1237416, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00888   448   NtClose  (136, ... ) == 0x0
 00889   448   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00890   448   NtQueryDirectoryFile  (136, 0, 0, 0, 1237416, 616, BothDirectory, 1,  (136, 0, 0, 0, 1237416, 616, BothDirectory, 1, "azmcvlu.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 00891   448   NtClose  (136, ... ) == 0x0
 00892   448   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00893   448   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00894   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00895   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 136, ) == 0x0
 00896   448   NtQueryInformationToken  (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00897   448   NtClose  (136, ... ) == 0x0
 00898   448   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 136, ) }, ... 136, ) == 0x0
 00899   448   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 132, ) }, ... 132, ) == 0x0
 00900   448   NtClose  (136, ... ) == 0x0
 00901   448   NtQueryValueKey  (132,  (132, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00902   448   NtQueryValueKey  (132,  (132, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (132, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00903   448   NtClose  (132, ... ) == 0x0
 00904   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 8781824, 4096, ) == 0x0
 00905   448   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00906   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00907   448   NtQueryValueKey  (132,  (132, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00908   448   NtClose  (132, ... ) == 0x0
 00909   448   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   448   NtQueryInformationToken  (128, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00911   448   NtQueryInformationToken  (128, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00912   448   NtClose  (128, ... ) == 0x0
 00913   448   NtCreateProcessEx  (1243652, 2035711, 0, -1, 0, 116, 0, 0, 0, ... ) == 0x0
 00914   448   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=576,ParentPid=436,}, 0x0, ) == 0x0
 00915   448   NtReadVirtualMemory  (128, 0x7ffdf008, 4, ...  (128, 0x7ffdf008, 4, ... "\0\0\01", 0x0, ) , 0x0, ) == 0x0
 00916   448   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\azmcvlu.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00917   448   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 00918   448   NtReadVirtualMemory  (128, 0x31000000, 4096, ...  (128, 0x31000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211h9\210\315\11W\333\315\11W\333\315\11W\333N\25Y\333\317\11W\333%\26S\333\317\11W\333\315\11W\333\313\11W\333\315\11V\333\222\11W\333\257\26D\333\304\11W\333%\26\\333\307\11W\333Rich\315\11W\333\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\320n\301@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0\01\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\340UPX1", 4096, ) , 4096, ) == 0x0
 00919   448   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00920   448   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=576,ParentPid=436,}, 0x0, ) == 0x0
 00921   448   NtAllocateVirtualMemory  (-1, 0, 0, 1660, 4096, 4, ... 8847360, 4096, ) == 0x0
 00922   448   NtAllocateVirtualMemory  (128, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00923   448   NtWriteVirtualMemory  (128, 0x10000,  (128, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00924   448   NtAllocateVirtualMemory  (128, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0
 00925   448   NtWriteVirtualMemory  (128, 0x20000,  (128, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0>\0@\0\230\5\0\0>\0@\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0>\0@\0\30\6\0\0\36\0 \0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0
 00926   448   NtWriteVirtualMemory  (128, 0x7ffdf010,  (128, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00927   448   NtWriteVirtualMemory  (128, 0x7ffdf1e8,  (128, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00928   448   NtFreeVirtualMemory  (-1, (0x870000), 0, 32768, ... (0x870000), 4096, ) == 0x0
 00929   448   NtAllocateVirtualMemory  (128, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00930   448   NtAllocateVirtualMemory  (128, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 00931   448   NtProtectVirtualMemory  (128, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 00932   448   NtCreateThread  (0x1f03ff, 0x0, 128, 1241916, 1242636, 1, ... 132, {576, 596}, ) == 0x0
 00933   448   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1358952, 1243736}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1358952, 1243736} "\0\0\0\0\0\0\1\0\2$\370w U\367w\203\0\0\0\204\0\0\0@\2\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\225\314w\320\276\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\20\0\0\0" ... {168, 196, reply, 0, 436, 448, 1529, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\200\0\0\0\204\0\0\0@\2\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\225\314w\320\276\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\20\0\0\0" )  ... {168, 196, reply, 0, 436, 448, 1529, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1358952, 1243736} "\0\0\0\0\0\0\1\0\2$\370w U\367w\203\0\0\0\204\0\0\0@\2\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\225\314w\320\276\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\20\0\0\0" ... {168, 196, reply, 0, 436, 448, 1529, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\200\0\0\0\204\0\0\0@\2\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\225\314w\320\276\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\20\0\0\0" )  ) == 0x0
 00934   448   NtResumeThread  (132, ... 1, ) == 0x0
 00935   448   NtClose  (68, ... ) == 0x0
 00936   448   NtClose  (116, ... ) == 0x0
 00937   448   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=576,ParentPid=436,}, 0x0, ) == 0x0
 00938   448   NtUserWaitForInputIdle  (576, 30000, 0, ...
 00939   448   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00940   448   NtClose  (116, ... ) == 0x0
 00938   448   NtUserWaitForInputIdle  ... ) == 0x0
 00941   448   NtClose  (128, ... ) == 0x0
 00942   448   NtClose  (132, ... ) == 0x0
 00943   448   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 00944   448   NtTerminateProcess  (0, 0, ... ) == 0x0
 00945   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc03b
 00946   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00947   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc03d
 00948   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00949   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc03f
 00950   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00951   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc041
 00952   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00953   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc043
 00954   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00955   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc045
 00956   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00957   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc047
 00958   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00959   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc049
 00960   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00961   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc04b
 00962   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00963   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc04d
 00964   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00965   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc04f
 00966   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00967   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc051
 00968   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00969   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc053
 00970   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00971   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc057
 00972   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00973   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc059
 00974   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00975   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc05b
 00976   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00977   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc05d
 00978   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00979   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc05f
 00980   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00981   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc017
 00982   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00983   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc019
 00984   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00985   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc018
 00986   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00987   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc01a
 00988   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00989   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc01c
 00990   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00991   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc01e
 00992   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00993   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc01b
 00994   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00995   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc068
 00996   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00997   448   NtUserGetClassInfo  (1905590272, 1244188, 1244140, 1244216, 0, ... ) == 0xc06a
 00998   448   NtUserUnregisterClass  (1244192, 1905590272, 1244180, ... ) == 0x1
 00999   448   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01000   448   NtClose  (76, ... ) == 0x0
 01001   448   NtClose  (64, ... ) == 0x0
 01002   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01003   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01004   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01005   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01006   448   NtFreeVirtualMemory  (-1, (0x860000), 4096, 32768, ... (0x860000), 4096, ) == 0x0
 01007   448   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 436, 448, 1573, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 436, 448, 1573, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 436, 448, 1573, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01008   448   NtTerminateProcess  (-1, 0, ...
 01009   448   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtUserCallOneParam(>)	1	NtSetInformationObject(>)	3	NtQueryInformationProcess(>)	13
NtAdjustPrivilegesToken(>)	1	NtUserGetDC(>)	1	NtSetValueKey(>)	3	NtUnmapViewOfSection(>)	13
NtCallbackReturn(>)	1	NtUserGetThreadDesktop(>)	1	NtFsControlFile(>)	4	NtCreateSection(>)	16
NtContinue(>)	1	NtAccessCheck(>)	2	NtOpenThreadToken(>)	4	NtQuerySystemInformation(>)	18
NtCreateMutant(>)	1	NtCreateIoCompletion(>)	2	NtWriteVirtualMemory(>)	4	NtReadFile(>)	19
NtCreateProcessEx(>)	1	NtEnumerateKey(>)	2	NtCreateKey(>)	5	NtWriteFile(>)	21
NtCreateThread(>)	1	NtGdiCreateSolidBrush(>)	2	NtGdiGetStockObject(>)	5	NtOpenSection(>)	22
NtDelayExecution(>)	1	NtOpenDirectoryObject(>)	2	NtOpenProcessToken(>)	6	NtQueryAttributesFile(>)	22
NtDuplicateToken(>)	1	NtOpenEvent(>)	2	NtQueryDefaultUILanguage(>)	6	NtOpenProcessTokenEx(>)	24
NtEnumerateValueKey(>)	1	NtOpenMutant(>)	2	NtQueryVolumeInformationFile(>)	6	NtOpenThreadTokenEx(>)	24
NtGdiCreateBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtSetInformationProcess(>)	6	NtProtectVirtualMemory(>)	27
NtGdiInit(>)	1	NtQueryInstallUILanguage(>)	2	NtUserSystemParametersInfo(>)	6	NtUserUnregisterClass(>)	27
NtGdiQueryFontAssocInfo(>)	1	NtQuerySymbolicLinkObject(>)	2	NtQuerySection(>)	7	NtUserGetClassInfo(>)	28
NtGdiSelectBitmap(>)	1	NtQueryVirtualMemory(>)	2	NtSetInformationThread(>)	7	NtOpenFile(>)	29
NtOpenKeyedEvent(>)	1	NtReadVirtualMemory(>)	2	NtCreateEvent(>)	8	NtQueryInformationToken(>)	30
NtQueryInformationJobObject(>)	1	NtReleaseMutant(>)	2	NtRequestWaitReplyPort(>)	8	NtMapViewOfSection(>)	33
NtQueryObject(>)	1	NtTerminateProcess(>)	2	NtSetInformationFile(>)	9	NtUserFindExistingCursorIcon(>)	33
NtQuerySystemTime(>)	1	NtUserRegisterWindowMessage(>)	2	NtQueryDebugFilterState(>)	10	NtAllocateVirtualMemory(>)	35
NtRegisterThreadTerminatePort(>)	1	NtUserWaitForInputIdle(>)	2	NtQueryDirectoryFile(>)	10	NtUserRegisterClassExWOW(>)	43
NtResumeThread(>)	1	NtWaitForSingleObject(>)	2	NtCreateFile(>)	11	NtQueryValueKey(>)	48
NtSecureConnectPort(>)	1	NtDuplicateObject(>)	3	NtFlushInstructionCache(>)	13	NtOpenKey(>)	105
NtTestAlert(>)	1	NtFreeVirtualMemory(>)	3	NtQueryDefaultLocale(>)	13	NtClose(>)	154
NtUserCallNoParam(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryInformationFile(>)	13