Summary:





NtAdjustPrivilegesToken(>)  1 
NtDeleteAtom(>)  2 
NtGdiBitBlt(>)  7 
NtQueryInformationProcess(>)  15 


NtCallbackReturn(>)  1 
NtEnumerateKey(>)  2 
NtGdiCreateDIBitmapInternal(>)  7 
NtCreateSection(>)  17 


NtCreateMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiGetDCObject(>)  7 
NtGdiDeleteObjectApp(>)  18 


NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtReadFile(>)  19 


NtCreateThread(>)  1 
NtOpenEvent(>)  2 
NtGdiGetStockObject(>)  7 
NtContinue(>)  20 


NtDelayExecution(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtGdiRestoreDC(>)  7 
NtQuerySystemInformation(>)  20 


NtDuplicateToken(>)  1 
NtQueryInstallUILanguage(>)  2 
NtGdiSaveDC(>)  7 
NtUserCallOneParam(>)  20 


NtEnumerateValueKey(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtWaitForSingleObject(>)  21 


NtGdiCreatePaletteInternal(>)  1 
NtReadVirtualMemory(>)  2 
NtOpenProcessToken(>)  7 
NtFlushInstructionCache(>)  23 


NtGdiInit(>)  1 
NtTerminateProcess(>)  2 
NtUserDestroyCursor(>)  7 
NtWriteFile(>)  23 


NtGdiQueryFontAssocInfo(>)  1 
NtUserWaitForInputIdle(>)  2 
NtUserSetCursorIconData(>)  7 
NtOpenProcessTokenEx(>)  24 


NtNotifyChangeKey(>)  1 
NtAddAtom(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenThreadTokenEx(>)  24 


NtOpenKeyedEvent(>)  1 
NtCreateSemaphore(>)  3 
NtQuerySection(>)  8 
NtOpenSection(>)  25 


NtOpenProcess(>)  1 
NtDuplicateObject(>)  3 
NtRequestWaitReplyPort(>)  8 
NtOpenFile(>)  30 


NtQueryInformationJobObject(>)  1 
NtFreeVirtualMemory(>)  3 
NtSetInformationThread(>)  8 
NtQueryAttributesFile(>)  31 


NtQueryObject(>)  1 
NtGdiHfontCreate(>)  3 
NtQueryDebugFilterState(>)  9 
NtQueryInformationToken(>)  31 


NtQuerySystemTime(>)  1 
NtOpenMutant(>)  3 
NtSetInformationFile(>)  9 
NtMapViewOfSection(>)  37 


NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtCreateEvent(>)  10 
NtReleaseMutant(>)  40 


NtResumeThread(>)  1 
NtFsControlFile(>)  4 
NtGdiCreateCompatibleDC(>)  10 
NtAllocateVirtualMemory(>)  41 


NtSecureConnectPort(>)  1 
NtOpenThreadToken(>)  4 
NtGdiExtGetObjectW(>)  10 
NtProtectVirtualMemory(>)  45 


NtTestAlert(>)  1 
NtSetValueKey(>)  4 
NtQueryDirectoryFile(>)  10 
NtUserUnregisterClass(>)  45 


NtUserCallNoParam(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  11 
NtQueryValueKey(>)  50 


NtUserEnumDisplayMonitors(>)  1 
NtUserRegisterWindowMessage(>)  5 
NtUserGetDC(>)  11 
NtGdiSelectBitmap(>)  57 


NtUserGetKeyboardLayoutList(>)  1 
NtCreateKey(>)  6 
NtUnmapViewOfSection(>)  12 
NtUserRegisterClassExWOW(>)  63 


NtUserGetThreadDesktop(>)  1 
NtQueryDefaultUILanguage(>)  6 
NtQueryDefaultLocale(>)  13 
NtUserGetClassInfo(>)  64 


NtUserSetWindowsHookEx(>)  1 
NtQueryVirtualMemory(>)  6 
NtQueryInformationFile(>)  13 
NtUserFindExistingCursorIcon(>)  72 


NtAccessCheck(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtUserSystemParametersInfo(>)  13 
NtOpenKey(>)  111 


NtCreateIoCompletion(>)  2 
NtSetInformationProcess(>)  6 
NtUserSelectPalette(>)  14 
NtClose(>)  164 





Trace:

 00001   440   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   440   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   440   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   440   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   440   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   440   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   440   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   440   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   440   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   440   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   440   NtClose  (12, ... ) == 0x0
 00014   440   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   440   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   440   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   440   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   440   NtClose  (16, ... ) == 0x0
 00021   440   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   440   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   440   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   440   NtClose  (16, ... ) == 0x0
 00026   440   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   440   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   440   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   440   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   440   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 436, 440, 1482, 0} "\360\252\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ... {28, 56, reply, 0, 436, 440, 1482, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 436, 440, 1482, 0} "\360\252\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ) == 0x0
 00032   440   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   440   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   440   NtClose  (16, ... ) == 0x0
 00036   440   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   440   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   440   NtClose  (28, ... ) == 0x0
 00041   440   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   440   NtClose  (28, ... ) == 0x0
 00045   440   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   440   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   440   NtClose  (28, ... ) == 0x0
 00049   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   440   NtClose  (28, ... ) == 0x0
 00052   440   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   440   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 436, 440, 1484, 0} "\310\10\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ... {28, 56, reply, 0, 436, 440, 1484, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 436, 440, 1484, 0} "\310\10\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ) == 0x0
 00056   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 128, ) == 0x0
 00057   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 128, ... (0x31509000), 8192, 4, ) == 0x0
 00058   440   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00059   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   440   NtClose  (28, ... ) == 0x0
 00062   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   440   NtClose  (28, ... ) == 0x0
 00065   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00066   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00067   440   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00068   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   440   NtClose  (28, ... ) == 0x0
 00071   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00072   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00073   440   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00074   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   440   NtClose  (28, ... ) == 0x0
 00077   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   440   NtClose  (28, ... ) == 0x0
 00080   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00081   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00082   440   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00083   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   440   NtClose  (28, ... ) == 0x0
 00086   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   440   NtClose  (28, ... ) == 0x0
 00089   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   440   NtClose  (28, ... ) == 0x0
 00092   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   440   NtClose  (28, ... ) == 0x0
 00095   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   440   NtClose  (28, ... ) == 0x0
 00098   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   440   NtClose  (28, ... ) == 0x0
 00101   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00102   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00103   440   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00104   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   440   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00106   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   440   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00109   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   440   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   440   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   440   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   440   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   440   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   440   NtClose  (40, ... ) == 0x0
 00118   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   440   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   440   NtClose  (40, ... ) == 0x0
 00122   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   440   NtClose  (36, ... ) == 0x0
 00124   440   NtClose  (28, ... ) == 0x0
 00125   440   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   440   NtClose  (32, ... ) == 0x0
 00127   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   440   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00131   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   440   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   440   NtClose  (32, ... ) == 0x0
 00135   440   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   440   NtClose  (28, ... ) == 0x0
 00137   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00138   440   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00139   440   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00140   440   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   440   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   440   NtClose  (28, ... ) == 0x0
 00143   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   440   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   440   NtClose  (28, ... ) == 0x0
 00146   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   440   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   440   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   440   NtClose  (28, ... ) == 0x0
 00150   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   440   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   440   NtClose  (28, ... ) == 0x0
 00153   440   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   440   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   440   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00158   440   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00159   440   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00160   440   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   440   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00162   440   NtClose  (32, ... ) == 0x0
 00163   440   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00164   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   440   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 436, 440, 1496, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" )  ... {28, 56, reply, 0, 436, 440, 1496, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 436, 440, 1496, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\35\1$\1\0\0" )  ) == 0x0
 00166   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   440   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0
 00168   440   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   440   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   440   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00171   440   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   440   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   440   NtClose  (-2147482208, ... ) == 0x0
 00174   440   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0
 00175   440   NtFreeVirtualMemory  (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0
 00176   440   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   440   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00178   440   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   440   NtClose  (-2147482208, ... ) == 0x0
 00180   440   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00181   440   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   440   NtClose  (-2147482208, ... ) == 0x0
 00183   440   NtQueryDefaultLocale  (0, -130840052, ... ) == 0x0
 00184   440   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   440   NtUserCallNoParam  (24, ... ) == 0x0
 00186   440   NtGdiCreateCompatibleDC  (0, ...
 00187   440   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0
 00186   440   NtGdiCreateCompatibleDC  ... ) == 0x160103c7
 00188   440   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   440   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   440   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xf0503d1
 00191   440   NtGdiCreateSolidBrush  (0, 0, ...
 00192   440   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00191   440   NtGdiCreateSolidBrush  ... ) == 0x111003d3
 00193   440   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   440   NtGdiCreateCompatibleDC  (0, ... ) == 0x3e01040c
 00195   440   NtGdiSelectBitmap  (1040253964, 251986897, ... ) == 0x185000f
 00196   440   NtUserGetThreadDesktop  (440, 0, ... ) == 0x2c
 00197   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   440   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   440   NtClose  (52, ... ) == 0x0
 00200   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00201   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00202   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00203   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00204   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00205   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00206   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00208   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00209   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00210   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00211   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00212   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00213   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00214   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00216   440   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00217   440   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00218   440   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00219   440   NtAllocateVirtualMemory  (-1, 5533696, 0, 4096, 4096, 32, ... 5533696, 4096, ) == 0x0
 00218   440   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00220   440   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00221   440   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00222   440   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00223   440   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00224   440   NtCallbackReturn  (0, 0, 0, ...
 00225   440   NtGdiInit  (... ) == 0x1
 00226   440   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00227   440   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00228   440   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   440   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00231   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00232   440   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   440   NtClose  (52, ... ) == 0x0
 00234   440   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00235   440   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00236   440   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00237   440   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00238   440   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00239   440   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00240   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00241   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00242   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00243   440   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00244   440   NtClose  (60, ... ) == 0x0
 00245   440   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00246   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00247   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00248   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00249   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00250   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00251   440   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   440   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   440   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   440   NtClose  (60, ... ) == 0x0
 00255   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00256   440   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   440   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   440   NtClose  (60, ... ) == 0x0
 00259   440   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   440   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00261   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   440   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   440   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00265   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00266   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00267   440   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   440   NtClose  (60, ... ) == 0x0
 00269   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00270   440   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00271   440   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00272   440   NtQueryDefaultUILanguage  (1241768, ...
 00273   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00274   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00275   440   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00276   440   NtClose  (-2147482208, ... ) == 0x0
 00277   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00278   440   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   440   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00280   440   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   440   NtClose  (-2147482196, ... ) == 0x0
 00282   440   NtClose  (-2147482208, ... ) == 0x0
 00272   440   NtQueryDefaultUILanguage  ... ) == 0x0
 00283   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   440   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00285   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   440   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00287   440   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0
 00288   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   440   NtQueryDefaultUILanguage  (2013024600, ...
 00290   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00291   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00292   440   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00293   440   NtClose  (-2147482208, ... ) == 0x0
 00294   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00295   440   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   440   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00297   440   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   440   NtClose  (-2147482196, ... ) == 0x0
 00299   440   NtClose  (-2147482208, ... ) == 0x0
 00289   440   NtQueryDefaultUILanguage  ... ) == 0x0
 00300   440   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00301   440   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00302   440   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00303   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   440   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 440, 1497, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 436, 440, 1497, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 440, 1497, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00305   440   NtClose  (68, ... ) == 0x0
 00306   440   NtClose  (72, ... ) == 0x0
 00307   440   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00308   440   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00309   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   440   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00318   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00319   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00321   440   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00322   440   NtClose  (68, ... ) == 0x0
 00323   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00324   440   NtClose  (76, ... ) == 0x0
 00325   440   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00326   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00327   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00328   440   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00329   440   NtClose  (76, ... ) == 0x0
 00330   440   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00331   440   NtClose  (68, ... ) == 0x0
 00332   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00339   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00340   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00341   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00342   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00343   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00344   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00345   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00346   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00347   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00348   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00349   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00350   440   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00351   440   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00352   440   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00353   440   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 00354   440   NtQueryDefaultUILanguage  (1238836, ...
 00355   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00357   440   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   440   NtClose  (-2147482208, ... ) == 0x0
 00359   440   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00360   440   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   440   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00362   440   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   440   NtClose  (-2147482196, ... ) == 0x0
 00364   440   NtClose  (-2147482208, ... ) == 0x0
 00354   440   NtQueryDefaultUILanguage  ... ) == 0x0
 00365   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0
 00367   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00368   440   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00369   440   NtClose  (68, ... ) == 0x0
 00370   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0
 00371   440   NtClose  (76, ... ) == 0x0
 00372   440   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00373   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0
 00374   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238028,  (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00375   440   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00376   440   NtClose  (76, ... ) == 0x0
 00377   440   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0
 00378   440   NtClose  (68, ... ) == 0x0
 00379   440   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00380   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00381   440   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00382   440   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0
 00383   440   NtQueryInformationFile  (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00384   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   440   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 440, 1498, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 436, 440, 1498, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 436, 440, 1498, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ) == 0x0
 00386   440   NtClose  (68, ... ) == 0x0
 00387   440   NtClose  (76, ... ) == 0x0
 00388   440   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00389   440   NtUnmapViewOfSection  (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00390   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00391   440   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00392   440   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00393   440   NtUserGetDC  (0, ... ) == 0x1010051
 00394   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00395   440   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00396   440   NtUserSystemParametersInfo  (66, 12, 1240140, 0, ... ) == 0x1
 00397   440   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00398   440   NtAccessCheck  (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00399   440   NtClose  (76, ... ) == 0x0
 00400   440   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00401   440   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   440   NtClose  (76, ... ) == 0x0
 00403   440   NtUserSystemParametersInfo  (41, 500, 1239640, 0, ... ) == 0x1
 00404   440   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00405   440   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00407   440   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   440   NtClose  (68, ... ) == 0x0
 00409   440   NtClose  (76, ... ) == 0x0
 00410   440   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00411   440   NtUserSystemParametersInfo  (4130, 0, 1240164, 0, ... ) == 0x1
 00412   440   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00413   440   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00414   440   NtClose  (76, ... ) == 0x0
 00415   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00416   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03b
 00417   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03d
 00418   440   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00419   440   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc03f
 00420   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00421   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc041
 00422   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00423   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc043
 00424   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc045
 00425   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00426   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc047
 00427   440   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00428   440   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc049
 00429   440   NtUserGetClassInfo  (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049
 00430   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00431   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04b
 00432   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00433   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04d
 00434   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00435   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04f
 00436   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc051
 00437   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00438   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc053
 00439   440   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00440   440   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc055
 00441   440   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc057
 00442   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00443   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc059
 00444   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10013
 00445   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05b
 00446   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00447   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05d
 00448   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00449   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05f
 00450   440   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00451   440   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc017
 00452   440   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00453   440   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc019
 00454   440   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10013
 00455   440   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc018
 00456   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00457   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc01a
 00458   440   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00459   440   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc01c
 00460   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00461   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ...
 00462   440   NtAllocateVirtualMemory  (-1, 5537792, 0, 4096, 4096, 32, ... 5537792, 4096, ) == 0x0
 00461   440   NtUserRegisterClassExWOW  ... ) == 0x810dc01e
 00463   440   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00464   440   NtUserRegisterClassExWOW  (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810dc01b
 00465   440   NtUserFindExistingCursorIcon  (1239440, 1239456, 1240024, ... ) == 0x10011
 00466   440   NtUserRegisterClassExWOW  (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810dc068
 00467   440   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00468   440   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc06a
 00469   440   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00470   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00471   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00472   440   NtTestAlert  (... ) == 0x0
 00473   440   NtContinue  (1244464, 1, ...
 00474   440   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3150b000,}, 4, ... ) == 0x0
 00475   440   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 00476   440   NtQueryValueKey  (68,  (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   440   NtClose  (68, ... ) == 0x0
 00478   440   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00479   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0
 00480   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00481   440   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 436, 440, 1499, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 436, 440, 1499, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 436, 440, 1499, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00482   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0
 00483   440   NtClose  (80, ... ) == 0x0
 00484   440   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00485   440   NtClose  (-2147482208, ... ) == 0x0
 00484   440   NtCreateFile  ... 80, {status=0x0, info=3}, ) == 0x0
 00486   440   NtSetInformationFile  (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00487   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\375^M\0\262\4\35\0\264\4\22\0O\373\35\0\10\4\35\0\260\4\35\0\360\4\7\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\6\35\0\12\24\35\16\257\260\24\315\221\274\34L}%\215\220\344lts\220too\327v|m\220ihs\304$\177e\220vhn\220qsd\325v=W\331j.2\275\1697\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0\260\4\35\0", ) , ) == 0x0
 00488   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00489   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\345\14+\34\3378PE\337vd,\20i|\10\200\7\234\7x\314{\331\322\304\\304xG\325<\262Ho\334X\365wD\332dL\271\264\37a\377\226\306E}5\253\23D\353\254\325\2708Ub\300\326\217M\1\340\222vg\321\6]\315\314;\34\2\16@0\323\306\30RE1L\21:\335.e\220\264\267K\316l^,X\246\317\305\263=\365\353\356S\301\200\267\203\235\302g\17jC\234\25?\301\241\4\27^\355x\238\375\225\3041\355\37\13\31 \224\305\225\13\266M\12\34\23\226Q\377\14y\203 \0\25#|\3261\210\200\302f\22\361\12\374\311HB5IT2\6\37\264\313\355f`\370\2513\266\307\374\15\201\206\3454nh_\266\340`\355X\2162\317 t6ZWx\200\325\257\374*lPY@\35(\261\330\235\243>7\12\300\1\30\34\333\257\313\12XT\317<\226t\263\10\346ph\310\365\202\10\212m\311\361\10v\4z)3=\345\251K \327\232\362G$R\252DJ\344 2,\15;E)\324\31\255\320\\371\21\30-| \205\365\360\11O\314\340\227\235\221\35\226\363\334)\3259\370\25yHup\217@\304{]\213\357<\307\265\306\34\264\251F\340\12\374\224\210\314N\1.\254*\225\226\3205\217\3\267\330\223F>:\250\21\4\243m\337<\236x\350i-\213\4\217WX\235 \32\220\317\314=^\251\3476\227\244\373\342\12\234|!\231\221\34y\360d\225e]\215*\276\261da\372\354\261\337\21p\272\332\356P\327g\325\266\256F>\350\311\354\265\331\262\371&T\\22\11m\331-\2\262d]\3"L\265\211\362\&2\224_\372\324dW\276\174\25\257\1\\33\254\22\324L\325\324\267\300G\274\325\255\372$\273\17\6a6\310\233[\34\364\300\17", ) L\265\211\362\&2\224_\372\324dW\276\174\25\257\1\\33\254\22\324L\325\324\267\300G\274\325\255\372$\273\17\6a6\310\233[\34\364\300\17", ) == 0x0
 00490   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00491   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "g\306\26X\10\26\10w\201\16\21HcI\336\30\372\222Q\340\345\241\257H\260\257\217\345\0\201\252}\250@]\221U\224xZ\324XEY\276_\207\0\342O~T\340`$d\253f\116\324d\214\345 aw!\334lL\226\363\222o\14\304t1\35yd\326z\3141e@\232\205\205C\240x\7\301\317\201\211\235+dz\20\36t\246\363\211\257K%\242\214\219\233\200\15\274\267\217\2339*E\221\148k]\323O\3637\276\230\216Z\10\212\324i9FB\2463\32M\310\256(\330J\4IhX]\7\0[4CB\2\306\6F\11\270\36\350\11\5\274J\30>\264\223WV\200r\277\310Z\202 \366\265\17\235K\360\\336\13"\203H?\273t\336k\37)\366\221\14\340\325\257\204\314\34\367\261*\345\27TB|l\303\203s\31T\207NT\302qx\1\236\7\225\4\337\361,\322:T\13D\240\6*\3045z\226w\2135\324\212\370GY\10L\373_\267\357\4\25\215\305\13\226|\270\3,\300:\12&JLq\252~\21_\223\\272\366\1\16F\307\302\237\371q\377o\353\257\354\371\247D9\16\261=\345~m\241z\5\235\300&\200\210#\22M\264_\346\302\302\340\230\257\337\263\242\202\304\253\224\321\271e\26\212\367\2167\201@V\363\356Q\373\302\177k\216Ec$\216C\125_No\334x\3\13\246\34\222\36\275=\351\355\275\372E\320\343\3029{\370\252\0\377\25\5\33\305\350\360\355\206\6\254 '\357\325?0\341\302:\6\304\360\355\252\357\377\35:h\7\221\334\34_\305"\373\337\11H\343Vu@\213\276:;;\256\40;\30\266\355\247\32\203aK\34\267\277\366\342\255\32\263W\20\312\3\343\261\302\17j\15\277\273\324\3\372\330\267\5\214\303\342\321>\336\342BU\212$\1", ) \203H?\273t\336k\37)\366\221\14\340\325\257\204\314\34\367\261*\345\27TB|l\303\203s\31T\207NT\302qx\1\236\7\225\4\337\361,\322:T\13D\240\6*\3045z\226w\2135\324\212\370GY\10L\373_\267\357\4\25\215\305\13\226|\270\3,\300:\12&JLq\252~\21_\223\\272\366\1\16F\307\302\237\371q\377o\353\257\354\371\247D9\16\261=\345~m\241z\5\235\300&\200\210#\22M\264_\346\302\302\340\230\257\337\263\242\202\304\253\224\321\271e\26\212\367\2167\201@V\363\356Q\373\302\177k\216Ec$\216C\125_No\334x\3\13\246\34\222\36\275=\351\355\275\372E\320\343\3029{\370\252\0\377\25\5\33\305\350\360\355\206\6\254 '\357\325?0\341\302:\6\304\360\355\252\357\377\35:h\7\221\334\34_\305 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "g\306\26X\10\26\10w\201\16\21HcI\336\30\372\222Q\340\345\241\257H\260\257\217\345\0\201\252}\250@]\221U\224xZ\324XEY\276_\207\0\342O~T\340`$d\253f\116\324d\214\345 aw!\334lL\226\363\222o\14\304t1\35yd\326z\3141e@\232\205\205C\240x\7\301\317\201\211\235+dz\20\36t\246\363\211\257K%\242\214\219\233\200\15\274\267\217\2339*E\221\148k]\323O\3637\276\230\216Z\10\212\324i9FB\2463\32M\310\256(\330J\4IhX]\7\0[4CB\2\306\6F\11\270\36\350\11\5\274J\30>\264\223WV\200r\277\310Z\202 \366\265\17\235K\360\\336\13"\203H?\273t\336k\37)\366\221\14\340\325\257\204\314\34\367\261*\345\27TB|l\303\203s\31T\207NT\302qx\1\236\7\225\4\337\361,\322:T\13D\240\6*\3045z\226w\2135\324\212\370GY\10L\373_\267\357\4\25\215\305\13\226|\270\3,\300:\12&JLq\252~\21_\223\\272\366\1\16F\307\302\237\371q\377o\353\257\354\371\247D9\16\261=\345~m\241z\5\235\300&\200\210#\22M\264_\346\302\302\340\230\257\337\263\242\202\304\253\224\321\271e\26\212\367\2167\201@V\363\356Q\373\302\177k\216Ec$\216C\125_No\334x\3\13\246\34\222\36\275=\351\355\275\372E\320\343\3029{\370\252\0\377\25\5\33\305\350\360\355\206\6\254 '\357\325?0\341\302:\6\304\360\355\252\357\377\35:h\7\221\334\34_\305"\373\337\11H\343Vu@\213\276:;;\256\40;\30\266\355\247\32\203aK\34\267\277\366\342\255\32\263W\20\312\3\343\261\302\17j\15\277\273\324\3\372\330\267\5\214\303\342\321>\336\342BU\212$\1", ) , ) == 0x0
 00492   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00493   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "&\357\340\2650\323\261f\343\215\230\6\246\204\227\265\307\302\230\227\317\12j\21\326\273\251\22\345\10x\211\271\244D\6\3\303|\35\200\270\1\210\4\177\202\240:\211\210>\272\4\251\274\327*Z\263\301.\3350\251]\2064\261\303\37\3164\246B\2719\223)t\270^\31\310-\200\213\244\233\332\354t\323_N\364\345V9\361\345\14O"\367\204\33358\210X\13\370\206\266\200\36\216\21&\231\204,\254\215\340\366\12\255\17j\266F\202\340\13\377\216H\373\247UXv\205b\334i\200\205\3711wXk\214\225|1\2\272D\237\324\17\345B\27\22\235{\205\262\15\31~\232m\353\267 \311\350\203\204\213t3F:!\330]]{#\6\220\5\244\342\336\377\235)\361N\326\245\212\360\326\243=\364\245\202\275\266d\16\351\364`\316\15\240\222T\255\326\235\335\32CLIr\0\213T!/\234%>\207\240s!8\253v\325\310\214367\204\33358\210X\13\370\206\266\200\36\216\21&\231\204,\254\215\340\366\12\255\17j\266F\202\340\13\377\216H\373\247UXv\205b\334i\200\205\3711wXk\214\225|1\2\272D\237\324\17\345B\27\22\235{\205\262\15\31~\232m\353\267 \311\350\203\204\213t3F:!\330]]{#\6\220\5\244\342\336\377\235)\361N\326\245\212\360\326\243=\364\245\202\275\266d\16\351\364`\316\15\240\222T\255\326\235\335\32CLIr\0\213T!/\234%>\207\240s!8\253v\325\310\2148\231%;\205\27\343R\210\267\337&w\353\12\211\341\261\10\275\346q\231\35\233\270~\33\243\253\63,u\303K\272\325\13zF\306\15\360\341\211\217`3\22\11\310TX\217\246\20\267RX@\357\1\30\354\244\266ax\267\15\35\203\315I\17'\216\6\07\350\5\1rt\304\22\22\12\336^\217\5\357\204\353\2036\271\345\372\351\15\5\362\31\322\315\362X\376\307R\305\353\232\251\332\262B\341\26ny.:\214y\26`$\35W\33\276\236uO!@@\25\270 ?\16\261\30\\340\320\223\177\364\363\216\17\20D^\273\266\266\15r\21H\364\261\0\250\344\31U\236\154*\271\0\272\26\270Tq\253\14\360\16\4{\214:\247\362\27HX\234\3569iJ\250jE\2\355\354^oO\321cD\345\234r\6)\0\343sc\350\317tv\330\34\24\2\322HQ@8", ) == 0x0
 00494   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00495   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\257k\337#\221\24\335\11\10(\317\345\324\13\264y\326\306\234\307\360f\6\341\256&\237|\261\14\237.\350\22\10&\223\257\365{\361\266\336\270\276\10\245%\361\270\314\2739\;wf\211m\30\247\274\254\263w\16\224\34y\26`\314\366\276\26 \270R\206\301&\254\307\233\335\11\373{<\4\363Yjn\1\334l,\32\361\305\321\260\210\262\0\332]\260\272<\264V\354\14x\212b\2a\0\314}\315D\31\341\252\345\2267\262\32\4H\315\316\223%\322\205r8_\304\33J\307\276\17\37C\225,\2078[\5\362\305\22's\5\0\315kY\i\20P\236Y\361\271\307He\353\215\265\247\370\240p\24Fl\34s\303\270\242:\25l\32\25D\317\234\360\242\323$\250\347pD\244\14\203E\310\222\314\5\243v8%\2320\4\312m\302\251\315Tq\347W&\370\3[\11\237\305M\271;\365\204h>\324i\305C\344r)J\344\307\225=\260\16\367\4\0>=m\212m\246\303\326\315u*\206\35\310\241@\2135\30\205\264\266\366\202\334y$.m\20X\207\306:h<7\306\265\253\204\3610\207\315\351\246\251\17\2255\32\243+\31\206*l\265\270\22\15\214Z\23\224\342\234\311\300q\330\254\255$\364\261T\4\260\21\225\367\272ZM\345\210\237q\362\242tX\344\340\274\4F*\210\26\2545d\224\24f\204\231\35\332@)=\266d>Fk\211\273H\36\273\221\2\366\272\366 \330f\212\213<\5\34X\10\206\270I\274]\372\362\242\344~\2b\224\371i\274j\375\14B\1\30\333\261\36\375\262\277\203\200\330\272\214&t\202\372\243j\272\235\375\340\342\250&\205\15s\273\21\14%\255\177\0\315\213\30\274\222N|\346\246\\3570\265Ui\243\36\12\217\347\326F\370\3319\13\311\202\334\217\215\246\3104\343\273NU\7", ) , ) == 0x0
 00496   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00497   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\202\232M\20w$]\12\2L!\350n\17K\34\270)8\14\204\326\34\324{#\351\3770Y\244A\222\212\206\275oL\26\250o"\357+wZO \254\317\343\342\362\261\315R,\32\226\373 k\366\22\353\23\23\332\326\373\13-\264c\240K_?\366J\333\2366U\304\*W\206$z\22\263 8\21C0<%\37\220\235\341\365\324@N*\213x\377T#d\336\242v\223\2525\25i%\206\314|\267RC\233\312^f\355\330\372\2q\25\263/Mj6D\360u\356\263\207[\245\3009\15\235\324\325*\242\244t\263\361\327\21\235Jr\11\3\242t\237h\340Q\223\211hx\206\371l\6\3\177\4M\13\323\24=k\241\32\203\212\26$\365\13\313[\7\3\372Y\234x\244\300G\357\236"\274'\374\262v'\307`I\317\342\2\15S\354`Vc;\31\344J\210/q\260g\225\7\304\273\12\317 \3451q\24\277\33\263\32\244z\305;\343 \265\345v\245\277]\265\223^\30>\300\360\200EH\261#`\215?\306\363\3\230\373{7\364\1a\3007e\260E\231\12\346\240v\337\316\373\16\211\264\302],\260\78@\3350\37\324#({\210-ly\242\264\325f~\220\344\14\360\3178\372:\352\254g\237FAi\371\274\337P\21\253\36\321-\204\324c\4\337\3571\215\364\377\33\205by\37\300\233\0\16\353{R\277j\345\31\3\14\304\12\31\217\11I0\27\240/\337\263\205sj\4\316\2\305\344x/\327\15\206f1>;\13@\20\304\31\251\205 E\247\0i\274\2353\351\353\337\342NS\\36\204\201p\200k?tt\251\364\21P\2556\24'~<\324;\200\204A\310\260\260-\366\221\244n0\3\13\225\4\14)\221\204\207W%\279T%\2211\256\214&\2\7\11\275", ) \357+wZO \254\317\343\342\362\261\315R,\32\226\373 k\366\22\353\23\23\332\326\373\13-\264c\240K_?\366J\333\2366U\304\*W\206$z\22\263 8\21C0<%\37\220\235\341\365\324@N*\213x\377T#d\336\242v\223\2525\25i%\206\314|\267RC\233\312^f\355\330\372\2q\25\263/Mj6D\360u\356\263\207[\245\3009\15\235\324\325*\242\244t\263\361\327\21\235Jr\11\3\242t\237h\340Q\223\211hx\206\371l\6\3\177\4M\13\323\24=k\241\32\203\212\26$\365\13\313[\7\3\372Y\234x\244\300G\357\23623\345 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\202\232M\20w$]\12\2L!\350n\17K\34\270)8\14\204\326\34\324{#\351\3770Y\244A\222\212\206\275oL\26\250o"\357+wZO \254\317\343\342\362\261\315R,\32\226\373 k\366\22\353\23\23\332\326\373\13-\264c\240K_?\366J\333\2366U\304\*W\206$z\22\263 8\21C0<%\37\220\235\341\365\324@N*\213x\377T#d\336\242v\223\2525\25i%\206\314|\267RC\233\312^f\355\330\372\2q\25\263/Mj6D\360u\356\263\207[\245\3009\15\235\324\325*\242\244t\263\361\327\21\235Jr\11\3\242t\237h\340Q\223\211hx\206\371l\6\3\177\4M\13\323\24=k\241\32\203\212\26$\365\13\313[\7\3\372Y\234x\244\300G\357\236"\274'\374\262v'\307`I\317\342\2\15S\354`Vc;\31\344J\210/q\260g\225\7\304\273\12\317 \3451q\24\277\33\263\32\244z\305;\343 \265\345v\245\277]\265\223^\30>\300\360\200EH\261#`\215?\306\363\3\230\373{7\364\1a\3007e\260E\231\12\346\240v\337\316\373\16\211\264\302],\260\78@\3350\37\324#({\210-ly\242\264\325f~\220\344\14\360\3178\372:\352\254g\237FAi\371\274\337P\21\253\36\321-\204\324c\4\337\3571\215\364\377\33\205by\37\300\233\0\16\353{R\277j\345\31\3\14\304\12\31\217\11I0\27\240/\337\263\205sj\4\316\2\305\344x/\327\15\206f1>;\13@\20\304\31\251\205 E\247\0i\274\2353\351\353\337\342NS\\36\204\201p\200k?tt\251\364\21P\2556\24'~<\324;\200\204A\310\260\260-\366\221\244n0\3\13\225\4\14)\221\204\207W%\279T%\2211\256\214&\2\7\11\275", ) , ) == 0x0
 00498   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00499   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\262\367\305H\305\256\267\277xE?\210m\207\220\327\343[\255\337\247\304\325d\242]5`\346\1\251a\253\26\240\377\246\324\376'\10^$\212\374\5\342\200Y\16\223\375j^\245\4\263\233W\215\226`)?\267\361\220I\360Nh\336\357v\266\14lk\37\25\300\10\357LS\15g\4wz\274\4\32\247\357d\261!j\2\223\370\3372\222F\246\31\366\341S5BG\323W\270\26ih:\347\225N\212at\325\35\374N=\212\217"\355h&\307\370D\262$\325\254\262\313Y\305\325\0;\234&\216\3358\344e\0@\256O*\275W\351-"'\257\215\315\374\270v\332\205\3070\304\307\225\0\312\15\21\254S\203\343 \220\246\14\3R\331\303\201\252\345n\36Z\232\322\223\261\247\36}\304ps\243\37629]\334zO\16d\363\245"\257YU\354\270\346_n\273\266\34\12Z\315\23I\2072\336\3\262\214\324\26@\32\2456\354\324$0\314\360+\213\14?\202\220:\35N\32\364I\340\372\24\360\216\307?\26\17D\242I><0W\11C\261\276\215j c\216&9\327\"\316\27\350C\270d\21t\253)\342\257\264\206r\272\242\205^\4:TZ\351\371*\336\35[u\22\270H\203!\344 \374\345C\264\374\325\0\302!\345\370\325\304\376MHv\244k\224\1\230\344\226\224\256<\307\10\227\343F\274\331\224\320D\334pk\217\334 \314D\331\30T"\3147\224=\266\362\250\237\227S\367\203\23\16\260\240\21\353\211\366\10H\265\267\37(\270\207O\362\265\6:\350\254\216BR\361\264\244h\304r\325\2462\305\225m \275u\214v.\\24\370\327\216T@\301\3650\333\6\35\311\243\315:\357\262,\22a\266\24\240o\260KEa\341\325\177H\240#\266\360\200\220y\24\214\4[`s,U`\227\34,\30", ) \355h&\307\370D\262$\325\254\262\313Y\305\325\0;\234&\216\3358\344e\0@\256O*\275W\351- (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\262\367\305H\305\256\267\277xE?\210m\207\220\327\343[\255\337\247\304\325d\242]5`\346\1\251a\253\26\240\377\246\324\376'\10^$\212\374\5\342\200Y\16\223\375j^\245\4\263\233W\215\226`)?\267\361\220I\360Nh\336\357v\266\14lk\37\25\300\10\357LS\15g\4wz\274\4\32\247\357d\261!j\2\223\370\3372\222F\246\31\366\341S5BG\323W\270\26ih:\347\225N\212at\325\35\374N=\212\217"\355h&\307\370D\262$\325\254\262\313Y\305\325\0;\234&\216\3358\344e\0@\256O*\275W\351-"'\257\215\315\374\270v\332\205\3070\304\307\225\0\312\15\21\254S\203\343 \220\246\14\3R\331\303\201\252\345n\36Z\232\322\223\261\247\36}\304ps\243\37629]\334zO\16d\363\245"\257YU\354\270\346_n\273\266\34\12Z\315\23I\2072\336\3\262\214\324\26@\32\2456\354\324$0\314\360+\213\14?\202\220:\35N\32\364I\340\372\24\360\216\307?\26\17D\242I><0W\11C\261\276\215j c\216&9\327\"\316\27\350C\270d\21t\253)\342\257\264\206r\272\242\205^\4:TZ\351\371*\336\35[u\22\270H\203!\344 \374\345C\264\374\325\0\302!\345\370\325\304\376MHv\244k\224\1\230\344\226\224\256<\307\10\227\343F\274\331\224\320D\334pk\217\334 \314D\331\30T"\3147\224=\266\362\250\237\227S\367\203\23\16\260\240\21\353\211\366\10H\265\267\37(\270\207O\362\265\6:\350\254\216BR\361\264\244h\304r\325\2462\305\225m \275u\214v.\\24\370\327\216T@\301\3650\333\6\35\311\243\315:\357\262,\22a\266\24\240o\260KEa\341\325\177H\240#\266\360\200\220y\24\214\4[`s,U`\227\34,\30", ) \257YU\354\270\346_n\273\266\34\12Z\315\23I\2072\336\3\262\214\324\26@\32\2456\354\324$0\314\360+\213\14?\202\220:\35N\32\364I\340\372\24\360\216\307?\26\17D\242I><0W\11C\261\276\215j c\216&9\327\ (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\262\367\305H\305\256\267\277xE?\210m\207\220\327\343[\255\337\247\304\325d\242]5`\346\1\251a\253\26\240\377\246\324\376'\10^$\212\374\5\342\200Y\16\223\375j^\245\4\263\233W\215\226`)?\267\361\220I\360Nh\336\357v\266\14lk\37\25\300\10\357LS\15g\4wz\274\4\32\247\357d\261!j\2\223\370\3372\222F\246\31\366\341S5BG\323W\270\26ih:\347\225N\212at\325\35\374N=\212\217"\355h&\307\370D\262$\325\254\262\313Y\305\325\0;\234&\216\3358\344e\0@\256O*\275W\351-"'\257\215\315\374\270v\332\205\3070\304\307\225\0\312\15\21\254S\203\343 \220\246\14\3R\331\303\201\252\345n\36Z\232\322\223\261\247\36}\304ps\243\37629]\334zO\16d\363\245"\257YU\354\270\346_n\273\266\34\12Z\315\23I\2072\336\3\262\214\324\26@\32\2456\354\324$0\314\360+\213\14?\202\220:\35N\32\364I\340\372\24\360\216\307?\26\17D\242I><0W\11C\261\276\215j c\216&9\327\"\316\27\350C\270d\21t\253)\342\257\264\206r\272\242\205^\4:TZ\351\371*\336\35[u\22\270H\203!\344 \374\345C\264\374\325\0\302!\345\370\325\304\376MHv\244k\224\1\230\344\226\224\256<\307\10\227\343F\274\331\224\320D\334pk\217\334 \314D\331\30T"\3147\224=\266\362\250\237\227S\367\203\23\16\260\240\21\353\211\366\10H\265\267\37(\270\207O\362\265\6:\350\254\216BR\361\264\244h\304r\325\2462\305\225m \275u\214v.\\24\370\327\216T@\301\3650\333\6\35\311\243\315:\357\262,\22a\266\24\240o\260KEa\341\325\177H\240#\266\360\200\220y\24\214\4[`s,U`\227\34,\30", ) \3147\224=\266\362\250\237\227S\367\203\23\16\260\240\21\353\211\366\10H\265\267\37(\270\207O\362\265\6:\350\254\216BR\361\264\244h\304r\325\2462\305\225m \275u\214v.\\24\370\327\216T@\301\3650\333\6\35\311\243\315:\357\262,\22a\266\24\240o\260KEa\341\325\177H\240#\266\360\200\220y\24\214\4[`s,U`\227\34,\30", ) == 0x0
 00500   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00501   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\310d3\230\373Jr\374\247\3662{\373\27US\300htt\346\250\374,\221[P\4\331T\344b\317]\232S\341HJa\230g\31\2050\201\30\323\4#\37\366\240I\35\227\264\3) \321\277\321\327\353\14*\260\353\363\206\0\207f6z\263\27.\25\2 *\12+I\255\17\263+>\340\260S\226\326\371\20!\0\330{US\371@\34\340\275|\304\2202\346\360\353\240%\326I\12\374E\305\261\346~\262\203\14\204\260\202x^\214\244\306C}=W\34\271\261G\\202:\27?|\305\4&\200\251\206S`j\21\225\267\263\344\25*\265\245\24\12\210\1$\327\324\237\216\306k\22\271\235a"\242\22\260 \215\246\215\264(\240\270\0 #\5\211<\5\5\331uO\204\11\6\2459\235X\240\343$\242\345:\37\201\254\4z\307\222\244\32\25R\125hy\267\261\221\277U\26\5p\27gr\337\37\277\362D?e\4\234\373\36\24\213R\25I\344\27\227|{\3\1\325\34f\250\252\264\320\221\325\265\36i\364 +\265\11\317\377\345\207\332\15L-\250\216\225;\30\7\212\200$]\237'\364k\315\4=I\345\3460d\334\11X%\25\313\223\13\266\252\247\177\211q(\17?X\264M\22\244\23\204\23\10\205\36X\22\2223\253\24\344\267~\33\315\355\11q|\274\37\0,\24\22\377|\24\240\2\216IUu\275Q\230"F\371D8[9\243\16t8\256 \260\300\366&\30\225\2*\330\21\350\205\264\224\35|\365s7\12\332\6\252\252\7\251\277Gl\372hGw^\34\3\262fy\236\234\317\257l\265\10\21\20\240\20\257,{\266\11\30\250$=\313\2(\326$\224,5,\234\20\206\0\322\323\354\202\340E\221\355\344\4\266S\277\361\225f\341\273V\242\223^\37\213a\7\367\11d\247\270v\320\350\21\3", ) \242\22\260 \215\246\215\264(\240\270\0 #\5\211<\5\5\331uO\204\11\6\2459\235X\240\343$\242\345:\37\201\254\4z\307\222\244\32\25R\125hy\267\261\221\277U\26\5p\27gr\337\37\277\362D?e\4\234\373\36\24\213R\25I\344\27\227|{\3\1\325\34f\250\252\264\320\221\325\265\36i\364 +\265\11\317\377\345\207\332\15L-\250\216\225;\30\7\212\200$]\237'\364k\315\4=I\345\3460d\334\11X%\25\313\223\13\266\252\247\177\211q(\17?X\264M\22\244\23\204\23\10\205\36X\22\2223\253\24\344\267~\33\315\355\11q|\274\37\0,\24\22\377|\24\240\2\216IUu\275Q\230 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\310d3\230\373Jr\374\247\3662{\373\27US\300htt\346\250\374,\221[P\4\331T\344b\317]\232S\341HJa\230g\31\2050\201\30\323\4#\37\366\240I\35\227\264\3) \321\277\321\327\353\14*\260\353\363\206\0\207f6z\263\27.\25\2 *\12+I\255\17\263+>\340\260S\226\326\371\20!\0\330{US\371@\34\340\275|\304\2202\346\360\353\240%\326I\12\374E\305\261\346~\262\203\14\204\260\202x^\214\244\306C}=W\34\271\261G\\202:\27?|\305\4&\200\251\206S`j\21\225\267\263\344\25*\265\245\24\12\210\1$\327\324\237\216\306k\22\271\235a"\242\22\260 \215\246\215\264(\240\270\0 #\5\211<\5\5\331uO\204\11\6\2459\235X\240\343$\242\345:\37\201\254\4z\307\222\244\32\25R\125hy\267\261\221\277U\26\5p\27gr\337\37\277\362D?e\4\234\373\36\24\213R\25I\344\27\227|{\3\1\325\34f\250\252\264\320\221\325\265\36i\364 +\265\11\317\377\345\207\332\15L-\250\216\225;\30\7\212\200$]\237'\364k\315\4=I\345\3460d\334\11X%\25\313\223\13\266\252\247\177\211q(\17?X\264M\22\244\23\204\23\10\205\36X\22\2223\253\24\344\267~\33\315\355\11q|\274\37\0,\24\22\377|\24\240\2\216IUu\275Q\230"F\371D8[9\243\16t8\256 \260\300\366&\30\225\2*\330\21\350\205\264\224\35|\365s7\12\332\6\252\252\7\251\277Gl\372hGw^\34\3\262fy\236\234\317\257l\265\10\21\20\240\20\257,{\266\11\30\250$=\313\2(\326$\224,5,\234\20\206\0\322\323\354\202\340E\221\355\344\4\266S\277\361\225f\341\273V\242\223^\37\213a\7\367\11d\247\270v\320\350\21\3", ) , ) == 0x0
 00502   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00503   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\245\343\322o5&\141k\357\35\314\254P\16\32\337r|'c)\271P\254\254\355\354\237~I\36\177\D>\305\332\17\234R\15q\1\264\273Q \6P\21\360\201\3\347\17\372H\267~\220\37\206l\351|\364P\373\30\23\212o\316T\25L\230'P\341w\312\16\241\5\37\216?M\10\4\23'e\203\245\4\272\322,,\360\223g\26|\254\202\228~\3\15\213\365\364\235\0\234\232v6\240y\311H\316\301\0 \345\364\307\25!6\247d\313D\3\325\326\326\351Y\270\6\215C\276=\36\4\265O\267`\3027\335\303\326\350\6\311ei\255h\24\10\10<"Q\303\222R\24\5Ik\312k\110\3057\336\335\246\270_\0\34=\206\274LY\38\315\26\211\346=\313\23\363~O1 \215P\354{|\361\205`\227\225\f\36Z`\364\353\341\253\226O\350$4\361E\336\337=\1\267zf\321\374\5sz\105\371\27\301fYK\307\321\225L\251\0-\37D$=\200L\6\312\25\370\305\377\262bFI\27\276\24\11h\345-]\0{2\350$\246\252\226\1b\364\351zq\37\26\200\367\0\2709\242\14\375%\235\364\371\200\304\25\271\344g\3091\321\2116\364wv\274\322\0\2527{\251\5LE\242V\220H\341(\344\332h\17&\203\345\7f.\367\347j\24&\14\5`oc\310#\271|\227\206w\333\3144\334\323\305\22O\327W\333\350\7\26\372\230A\347\232\21\33\262\300\221r\257\3\270\17\25$\236He\24\307\36\4\177v\\21\11s\351\352\336\26\254\231\h@\2625\341(\206\220B\21\554*\317\251\12\262\323?4/\1E\315\25_P]BjuE\3&\271\16\6_\242\271\256\235\200\14P\362\2\261l\12\13\231^\354=H\331\257\375:U\233\2467\221\205\14", ) Q\303\222R\24\5Ik\312k\110\3057\336\335\246\270_\0\34=\206\274LY\38\315\26\211\346=\313\23\363~O1 \215P\354{|\361\205`\227\225\f\36Z`\364\353\341\253\226O\350$4\361E\336\337=\1\267zf\321\374\5sz\105\371\27\301fYK\307\321\225L\251\0-\37D$=\200L\6\312\25\370\305\377\262bFI\27\276\24\11h\345-]\0{2\350$\246\252\226\1b\364\351zq\37\26\200\367\0\2709\242\14\375%\235\364\371\200\304\25\271\344g\3091\321\2116\364wv\274\322\0\2527{\251\5LE\242V\220H\341(\344\332h\17&\203\345\7f.\367\347j\24&\14\5`oc\310#\271|\227\206w\333\3144\334\323\305\22O\327W\333\350\7\26\372\230A\347\232\21\33\262\300\221r\257\3\270\17\25$\236He\24\307\36\4\177v\\21\11s\351\352\336\26\254\231\h@\2625\341(\206\220B\21\554*\317\251\12\262\323?4/\1E\315\25_P]BjuE\3&\271\16\6_\242\271\256\235\200\14P\362\2\261l\12\13\231^\354=H\331\257\375:U\233\2467\221\205\14", ) == 0x0
 00504   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00505   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\261\245\342N\24\321\25\22\357\31y\262l\2006q\233E\4\36783\304\22\211\237:?J\257C\336hD\205\316$.\31\225N1\13\33\2\235\1)D\243&\227\5\37\20\340j|\315twR68\203\25\370[\2'\7\13\361M\201\335\7\374\367\212\6\206\315\344uh\32\331\266\217\254\342^\1\254\361\203\312/$(mx1\331\12\367\342\313\14\2@\251\254\374\2.\204\1nT\23x\312F\251n\254;\330^\214^\20F<\354E\300\201\322\300\330\375\227\276\6\57 9\17\1F\263\274\340\11\307D\332F\364\32\375?,\230\350m^7=&\270\1Es\274~\226\300\270<\5*RZyV+\32\314\352r:^\270\255d\366F\236\310\10\32\202\34\21\320\234\204Q\204\221\273p\2\\204Q\37\361x\261\360\253\17V \222F\205\33\304(\206[\210i\275 ~\1\11\24PA\331\262\250\34nK\227\317\313\257\274\10\21\30\262\20~\7[\222&u\272\14\220_\244\343\13\212=q\260\211\327\370Z\327\367\256\353\276\3203y\353\247\316\16\30\256\34\237\220-p\21\301@\200\207\20\245M\361O\360\274\213\252\37\21\226D\250\216G\31\350\251h\346\3533\325\213\361\10\23\33\272x\306Y\303\263_\2\372\34\16\10\20T\252Q\2(\306\22\333%\11\14\250\34`\266hv\21\30\235\277UP\270@1a|\11\235[GQ\320\22\223^V\270\311>\363\12\252F\252\232r{7[\213\262\36~\371\370\30\370\233f\17|\312\344\354\261\247&\351\307\260\26\26\222@\334=\237\335u,\316\362\6h9\260E\321\326\31P6\204\203\7\2661\0\344\223\341\260U\332Z\3618\345\200\15\360}\366\232\212] \202\13\222\370O\20\350\222\276\304\331\3\302\34&\306ph\212m\251\33258\275\324\324N", ) , ) == 0x0
 00506   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00507   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\332\0\357\30\316\352\236\332\361\244\311|8\13\256\237~fx\204X\344\336{;\10X\332\332\234\32606\325$\35\241\223\375D\243\213\321]0\323yD\230\223c"\20\177h\15\302\5c\34\346\232T\217\26\251\345\226\245)\232f\355\310\331\353\300\36\204\14\240\15\26\25|\1\2518\257\305y\333\376\334b\360\276\6I\5s\2112\370\235\323\36\11\32Mn\267\32\311I\23\257"^\271v\204GQ@\22~\275!x\237\2339\340'\234\374v\2317\270\354\221\341\375\206\215\343\215\377\2343\2445F\244y\216\37\216\16\224)\262\236\214\245\1r\205\346W\272\12B\343\316\15\332\20\270\357\3160\262<\234m\4\21\373\216\236\366\214\2177)\37~\265\217\30\340\6X\214\311\\222\254\30\373\22\211\13L\360\235\3\242\3316\336\304\3274\221&P\30D\222\374,!0\205\6\234\241\321U\26\337\0\246\2351\12\214\35i`\225K&x\361\250\310\25\24E!\364\1\330K\226o\263lg\352\31\375]H\211L\3637*N\256<\3M\230\334L\244e\376|\277\0\31\373 \314\22\267y\26\225!\4\346.\5R\326\33\32\233.\2b\257\30F\30\271Q@\3649t`\254:\201`\10\326\205\327\265r_\235\16vI\11\243\22,+\25Xy@d\224fW\365@B5D\313\262\200\353\207\203\3128\210\215e\344T\316ky\315 %\3644AO\24\4\23\247\222\220\204\266\4xf^`A\320\343\0\356\16Y\211R\224(\375\264"s3\317\324f\14\222\5\351\256\246\253\24s\270/\352asV\2408\247?\323\302A\35\36\307AP\11\217\360(\34s\274\2\275\350\221\205\336f(\330A\276M\15i\14\326\373\324\4[\24\224P\273\5\33\3\340.\=\341\13]S\370%\232\214\3\227\245D\261#<\353", ) \20\177h\15\302\5c\34\346\232T\217\26\251\345\226\245)\232f\355\310\331\353\300\36\204\14\240\15\26\25|\1\2518\257\305y\333\376\334b\360\276\6I\5s\2112\370\235\323\36\11\32Mn\267\32\311I\23\257 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\332\0\357\30\316\352\236\332\361\244\311|8\13\256\237~fx\204X\344\336{;\10X\332\332\234\32606\325$\35\241\223\375D\243\213\321]0\323yD\230\223c"\20\177h\15\302\5c\34\346\232T\217\26\251\345\226\245)\232f\355\310\331\353\300\36\204\14\240\15\26\25|\1\2518\257\305y\333\376\334b\360\276\6I\5s\2112\370\235\323\36\11\32Mn\267\32\311I\23\257"^\271v\204GQ@\22~\275!x\237\2339\340'\234\374v\2317\270\354\221\341\375\206\215\343\215\377\2343\2445F\244y\216\37\216\16\224)\262\236\214\245\1r\205\346W\272\12B\343\316\15\332\20\270\357\3160\262<\234m\4\21\373\216\236\366\214\2177)\37~\265\217\30\340\6X\214\311\\222\254\30\373\22\211\13L\360\235\3\242\3316\336\304\3274\221&P\30D\222\374,!0\205\6\234\241\321U\26\337\0\246\2351\12\214\35i`\225K&x\361\250\310\25\24E!\364\1\330K\226o\263lg\352\31\375]H\211L\3637*N\256<\3M\230\334L\244e\376|\277\0\31\373 \314\22\267y\26\225!\4\346.\5R\326\33\32\233.\2b\257\30F\30\271Q@\3649t`\254:\201`\10\326\205\327\265r_\235\16vI\11\243\22,+\25Xy@d\224fW\365@B5D\313\262\200\353\207\203\3128\210\215e\344T\316ky\315 %\3644AO\24\4\23\247\222\220\204\266\4xf^`A\320\343\0\356\16Y\211R\224(\375\264"s3\317\324f\14\222\5\351\256\246\253\24s\270/\352asV\2408\247?\323\302A\35\36\307AP\11\217\360(\34s\274\2\275\350\221\205\336f(\330A\276M\15i\14\326\373\324\4[\24\224P\273\5\33\3\340.\=\341\13]S\370%\232\214\3\227\245D\261#<\353", ) s3\317\324f\14\222\5\351\256\246\253\24s\270/\352asV\2408\247?\323\302A\35\36\307AP\11\217\360(\34s\274\2\275\350\221\205\336f(\330A\276M\15i\14\326\373\324\4[\24\224P\273\5\33\3\340.\=\341\13]S\370%\232\214\3\227\245D\261#<\353", ) == 0x0
 00508   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00509   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\243#\16\223\313-A\15J\354b\3\277E\270\240\335i\335+\211 \301?\371\2760\335\36\364\177\215\355*\337\10K\14h\323\204\311j\367}#>\363_G\3164\375\32\7$\220W=wF\307[O\22\320A\273[\311\253\306\244\374F\373\373>\351\212\226\204\341+\316\00ul6\371\271-\262\313.\30E[0\341\375\321\232\5gL^\343\216k\214v~\226-\353\22\342[[\214\276\303Oz\225\12v\37a\14\351\330\342Mhzv\245Jq\353\353\275\373\20\261s\340c\22[E\317c\253\2225C\256\17V\21Pz,}\2\32\275\212\4\17v\271\266\256h\353\256\231\27\27\221_\307\25\340\347\22\262x\366\221M\332\24H.\16\14.F\31PU\322\252\314;\303\346W\6\371\234h\360O\37\256\33\343\L0\10\6\373\13\16\253\2418\364\2629\33u\222b\352\240zQ\332F\266\232\14\35\304\345{\226\265z\20\3\360m\333C\16(m\267\\355X@k*\257?\331\304\15M6\217\37\336\265\305\345\20\315\355\350\227X)\302\370i\345\3271\370\335\341\333\235\217w\13o\242m\330i\237\300\202+W\357\350of`A\304\15\307\273^\374\302uV\211f\3O\351\2\202\224\237\227D\245\341\301\300X\0\235\344\277b\30\360]\263\3070\200\345|\353\202\304\267\213T\7`\10\311\245\373\340\355\366\237;\315\10&\4Hz\346\27\312\26n'\206?\365\302!\333D\266\4Rx\275\372\374nO\343\32\22\211s\360\353\257b\332\245\201\4|\13\337\264\252^\17\2269\31\220\244\354\333\213\244u\360\253\374{\301Zn\224\7\240\344\345\38W\37\303\361\315\37\340\35\6$\310\273\316`\201\353\225\11\373\311\3k\367h\207\307\120\251-\12\326\17P|H\362&z\264x\2\277\276E0!", ) , ) == 0x0
 00510   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00511   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\200%5\336&\10\366'\246\7K\156\372\212\254\275\30\12\213o?\366ur\221\13\13\232\272\330\237\")7\272]\335Z\353\324\346\213\337\3606\240\202\237ol\376\7W\4\3137\34\4\217o\320w\356\25\244\255\364QE\273\261z\305\31\360\264\30)\10@y\20\301\347+\353&\16\226\377\263\312\\304\306//\27\213\313\340)\246\4\244\266-"\11A\12q\314(\22\201\323\213[\204K\24\242\254\3114\346.%\3314\357\21n\343D\255FL\37&\373\305\201\311\221\31R\262Y\223Y\224\30-:\300\236\266-\234\306\204\205\373<\211\4\7\1\200\33\5Uq\26LV\374\345JQ\215\374\224;\247\327\245G\216f&\254|g\16$0=\36\350\260\352\274\272\370\363\346_\261\232\223_\345\354\376`\332r\335\276\1\0Rh\273QOu\257|\30\315\226C\31$\351\6\361\24\307r\3060i\204?\243\\214\25R\364\0&\270Q\210@\350^\7\330\211E\217\0T\247\36cN[U\357s?\352j\14l)1\200\263r&\31\307?&c\30~\205\3336\215\30\24\274r&b3\2711t\346v\230\12w\321|\234\12\1X\250(\13\302\251R\300\262\252\350q\272Q\211Arkq\241\242\31\276\15\35\360\261@\15\344\246\5 \334\270\11\263[\17\224\275\10\353\324\226\3521\206s[a\341\35\376\263\10\234\302\205\237f\233\275\205\377\16v=Y(\dBT!\301X\213\205\312\224\216\222d!\316\316\270\253\335\332g\346\217\306\16\300;\313\14\244/\277\23\301\213\265\373k\36\347\246\373\347\265\0v\16W\335B\25\357\246\225\15\227\317\276\275\241\210B\35+&\233\261\356\2411\342\324\20T2)\235[\7R\310ye\300FF/\33A4<\313m\337;\1$\303\7\226\4\213\353n\214", ) )7\272]\335Z\353\324\346\213\337\3606\240\202\237ol\376\7W\4\3137\34\4\217o\320w\356\25\244\255\364QE\273\261z\305\31\360\264\30)\10@y\20\301\347+\353&\16\226\377\263\312\\304\306//\27\213\313\340)\246\4\244\266- (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\200%5\336&\10\366'\246\7K\156\372\212\254\275\30\12\213o?\366ur\221\13\13\232\272\330\237\")7\272]\335Z\353\324\346\213\337\3606\240\202\237ol\376\7W\4\3137\34\4\217o\320w\356\25\244\255\364QE\273\261z\305\31\360\264\30)\10@y\20\301\347+\353&\16\226\377\263\312\\304\306//\27\213\313\340)\246\4\244\266-"\11A\12q\314(\22\201\323\213[\204K\24\242\254\3114\346.%\3314\357\21n\343D\255FL\37&\373\305\201\311\221\31R\262Y\223Y\224\30-:\300\236\266-\234\306\204\205\373<\211\4\7\1\200\33\5Uq\26LV\374\345JQ\215\374\224;\247\327\245G\216f&\254|g\16$0=\36\350\260\352\274\272\370\363\346_\261\232\223_\345\354\376`\332r\335\276\1\0Rh\273QOu\257|\30\315\226C\31$\351\6\361\24\307r\3060i\204?\243\\214\25R\364\0&\270Q\210@\350^\7\330\211E\217\0T\247\36cN[U\357s?\352j\14l)1\200\263r&\31\307?&c\30~\205\3336\215\30\24\274r&b3\2711t\346v\230\12w\321|\234\12\1X\250(\13\302\251R\300\262\252\350q\272Q\211Arkq\241\242\31\276\15\35\360\261@\15\344\246\5 \334\270\11\263[\17\224\275\10\353\324\226\3521\206s[a\341\35\376\263\10\234\302\205\237f\233\275\205\377\16v=Y(\dBT!\301X\213\205\312\224\216\222d!\316\316\270\253\335\332g\346\217\306\16\300;\313\14\244/\277\23\301\213\265\373k\36\347\246\373\347\265\0v\16W\335B\25\357\246\225\15\227\317\276\275\241\210B\35+&\233\261\356\2411\342\324\20T2)\235[\7R\310ye\300FF/\33A4<\313m\337;\1$\303\7\226\4\213\353n\214", ) , ) == 0x0
 00512   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00513   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\243)\226\2743>#\334M1P\15\272\215\34\241\266\330\333\0\276}a\364\326\3177\263\17\213J\2g\1\210\32w\15\331\231*%\25\174\227:\353\233A\371\35\340/\31\202I\236\0\257\340\355`\217\270T\140"\35k\11\270\212\211c\357'= \17\313Ip(\266\323\207\303\222y\177&x\321-8X\253;4\341\3\0qLH|\33<\31\270GG0\17\324P_\0\220\307\362T\201\22\2\20d\27\263\265\372\2\272~\272\13F\25\374e\2t\215mJPp\22z\34\377\241\266\255"\370\261D\2510e\353\342SN\246\375qi_\347\4\11\360\250<\243\240\200\211m\30G\240N\300\360E\330\261jt\20\211\272\206\366.\251\226V+\14\224\265\222\271=W\320\30]\34d\324\224\265\33,=-5\243\303~\227\340\20\335\3+_HP\32\204\37\22\27\202\246\220\310\32-\310\324s\26\230I\244\224\312\341iELq\316\213\320\272\3\252S\35\6\355Z\270\277b\331\220\254\210\202\264\5\304\233\361\331.\213z\223\202#\233\204\342\260\221?\343r\221p0\375\251\6e\255\235#37\ip\261\2568\341\261L\13[\257\3238\212\177\371\213J\212@\264>\340\13\24M\212P\363\337\374\375Y{\253H\263r\231=H\12\374\266C\37\213\267\305\367\3\242a\306\332\335\3\26\4\372\333\30\10\270\10\213e\351\222:\20\244\32\5\34\351\222xY\245$9\14\230O\30\277\365\16b0\372q\325\350\361\14{\255\15\370sm\272\3\304[\23\353\22\138\3\343\312\2dY\27O\21s\257\305\267\226\205\326\13\312\363\326\257\202\2\350\362\4\357.6\335$L\224\342\374B\252\220wO\217`\14\233\375\232\367\230\364P\21\334\345X\250\263q0\213mR\320\1\274\36\325\1\260\205C\340\7\311\377\200", ) \35k\11\270\212\211c\357'= \17\313Ip(\266\323\207\303\222y\177&x\321-8X\253;4\341\3\0qLH|\33<\31\270GG0\17\324P_\0\220\307\362T\201\22\2\20d\27\263\265\372\2\272~\272\13F\25\374e\2t\215mJPp\22z\34\377\241\266\255 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\243)\226\2743>#\334M1P\15\272\215\34\241\266\330\333\0\276}a\364\326\3177\263\17\213J\2g\1\210\32w\15\331\231*%\25\174\227:\353\233A\371\35\340/\31\202I\236\0\257\340\355`\217\270T\140"\35k\11\270\212\211c\357'= \17\313Ip(\266\323\207\303\222y\177&x\321-8X\253;4\341\3\0qLH|\33<\31\270GG0\17\324P_\0\220\307\362T\201\22\2\20d\27\263\265\372\2\272~\272\13F\25\374e\2t\215mJPp\22z\34\377\241\266\255"\370\261D\2510e\353\342SN\246\375qi_\347\4\11\360\250<\243\240\200\211m\30G\240N\300\360E\330\261jt\20\211\272\206\366.\251\226V+\14\224\265\222\271=W\320\30]\34d\324\224\265\33,=-5\243\303~\227\340\20\335\3+_HP\32\204\37\22\27\202\246\220\310\32-\310\324s\26\230I\244\224\312\341iELq\316\213\320\272\3\252S\35\6\355Z\270\277b\331\220\254\210\202\264\5\304\233\361\331.\213z\223\202#\233\204\342\260\221?\343r\221p0\375\251\6e\255\235#37\ip\261\2568\341\261L\13[\257\3238\212\177\371\213J\212@\264>\340\13\24M\212P\363\337\374\375Y{\253H\263r\231=H\12\374\266C\37\213\267\305\367\3\242a\306\332\335\3\26\4\372\333\30\10\270\10\213e\351\222:\20\244\32\5\34\351\222xY\245$9\14\230O\30\277\365\16b0\372q\325\350\361\14{\255\15\370sm\272\3\304[\23\353\22\138\3\343\312\2dY\27O\21s\257\305\267\226\205\326\13\312\363\326\257\202\2\350\362\4\357.6\335$L\224\342\374B\252\220wO\217`\14\233\375\232\367\230\364P\21\334\345X\250\263q0\213mR\320\1\274\36\325\1\260\205C\340\7\311\377\200", ) , ) == 0x0
 00514   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00515   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\223\361\10\205\326B\341\6\253p\226\22\265\337\25s\237\337\203\242\3360'C.\6\377\6\241\353\352\4v\363/\35\376&\373\307\246`\31\0\25\0\353Kr\362\377\334\373\32\16\220\246\210\12\213I\345\177 \7%\0\260\265h\213\4V\346xy\\3200lc\`[\365\303\5\270\2630\227T\202\201\231\25\354\315\16t\34\253\375H\3\365\13\304,\4W\245Y\266\200\247@\220_\264J\247\24P27\32zQ\5\24y\35\245?\202?*|Zk\262\330W\205\235\14h\24\375\202\320\325\217\330Kn\33\304\274\260\373oQi\212\2673\373\360h\361y\30\5\10^\33\15J]\270\32H\355\17\17;7CN\364\206\204\350\351\365\345\226!\204\251\36\0\340\255\17\232\204j\30\243\207a\223\177R~\201\362{\364t\366\4\0\247\230\204\234\21\23\321\26\14\313)\306\213\250UJ\341\216A\2\237\346\303\316\364\2175\266w\7\225J\3\224\373\20~e\301\5_\203/I\224\149#\301&\13\236%\14f\203\360\226\200\\13\261N\204\3\242\4\3246\244\374Ln\27\254\214\12\372k\340\336\367\267\37\316\243\271\20\22\240\34'\237\16)>\367\305\317\362\363\25Nr\370\370\276\210\34\23\13\354k\255\246\14m,\360L\303\337\6\30\346\254TNa\377\364\235n\300\3714\376\22\375\15\1zV\\301N\310\264"\320\25\345\2734e\35,8\227\36\370\3055\357\243\355TL\351\33d\336\202\243`%\213z\276\5O\270\34\34\346\351\I20\255\323\370\344\266\315\262\242\274\317\22\2470\12(\247/\355\323T]\335c\346\0~\17\2667\212Ds\260\26\260\30\202Ex\343\21M\376k\5\234{'\211\1\224\365\3\34\1\315\22\200|\224(\365\0\304\217/]\332\30[\354\241\3607\361kG\332k_r\36\", ) \320\25\345\2734e\35,8\227\36\370\3055\357\243\355TL\351\33d\336\202\243`%\213z\276\5O\270\34\34\346\351\I20\255\323\370\344\266\315\262\242\274\317\22\2470\12(\247/\355\323T]\335c\346\0~\17\2667\212Ds\260\26\260\30\202Ex\343\21M\376k\5\234{'\211\1\224\365\3\34\1\315\22\200|\224(\365\0\304\217/]\332\30[\354\241\3607\361kG\332k_r\36\", ) == 0x0
 00516   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00517   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\323J\5!\234?>\264*\7kB\361P\26D\244\5~t\360Jyt\244c\\14xa\320\4\244<>\220\34O\212<3 A\310\217L\364^\321\230\225\233\362\>\364\363\315x(\314M\21\240\30ZI\5\303\33\325\3\261\257WD\265G\5\316\267\315\326H\261\7x\30\260:9\313\22.\305\7`\326\227A\232\204\215\204\364\376\31\2310\317\24:\220AK\7i\3573M\234s\31\306\273\340Q\201\363D*\3F\314G+\363\210\26|\330DS\232\244\5\201\254 \223\354J\267K\273\357\341Y\313*\313+L\274C\223\36%\0h\35O\17K<\233\320\333Y\24\3640\25K\266\350x\13\364\24>8\3\23\324\2154G\17\24\364\340\316\14\310\0\17S\365\14\246\11\211\221\201S\205A%\35rT\305S\254ke3\274\223 \204$[\326E\30[Ia\14\314k/\345\14\356Ehk\314\267|pH\303?\13)t\237=\214_\365\370[\30\337\220W\232\235\225>H\10\203\235\220\253h\36w^\276Pp+SZ\30\263c\32\246\320$\244\12#\34\271\330\7\344 I\4\164\260S%\217M\2\371\0\341\344\37i\2To\3\345`{T\244\313mT\260$\237*\10\335\263\27\342<\15\344\307R\324&\267\34\13P\241sK\1\5\312\14\27Kw\335\354\34\16 \347\217W}\20\240\226\34E\200\220MTP\372"Sx\25r\351\12\350\231\346\273PO\2oX\326\30\220\265\213\334k\7\223p\261\26\366\2{C\241\367\232\375a\4\260C\305H\244'W.\363M\2458\351\314\33\244\272\34A\242\264\377\21\2\375q\15\257\370\7y\2\22\242Eh\333\341zp\253\35\371\3\37(\324\360\211\363\31\4\243\224\37\3b\11\31\266\274\4\35\10\254\7\327\226\204\7] \243\271\230M", ) Sx\25r\351\12\350\231\346\273PO\2oX\326\30\220\265\213\334k\7\223p\261\26\366\2{C\241\367\232\375a\4\260C\305H\244'W.\363M\2458\351\314\33\244\272\34A\242\264\377\21\2\375q\15\257\370\7y\2\22\242Eh\333\341zp\253\35\371\3\37(\324\360\211\363\31\4\243\224\37\3b\11\31\266\274\4\35\10\254\7\327\226\204\7] \243\271\230M", ) == 0x0
 00518   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00519   440   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "*D\15\214\262\30\15\205;U\6\27p?Q8\341%\370R\335\243K\210@\272\36|zh\203\11\220Z\215\346\253\304\330hF\130\330\2405\255F[\370Q\15\324\17f\301\274\4\305\17\214\16[\21t\22AkJ${A\255\5\311k\370\227\27\345S\342\225a\337\334\26+\273h\253\214\222\272\15\201\262\246\366\301\17\5{@\14\3356v>\12\305\262\220D\22\21\04\205\315\3726P\263\!\206@\310\12\233\14y\311\17\226\230L\23\13\224D\336@\240A\227\261\351\37\234|\324\16\24\221\207\237\30\20\27\25N\360\15\307\257\11\371\17ABw\7\3\357\7\10\333\217NFM\2614.A\203\321\305_\20:\377;\364\270\206\267\211\212\265q\26\24\212\17\14\226w,\353'\6\206\11\336 \15sq*g\266\211Y3Y<6z\20kpM\5\3\164\370\2\15\326\352\247\260\322:\274 \6B\340\16I\20\270\22\31M\266U1\2\264\300bd\265o\11\6\366\240\215\11\246\17\237\242\333"\3#\351\31\37=X\310\205\5Q\221\3768\240\37\4\263\265Ki\242Z\26\213\260\243-(\26\213\34\33\234\346a&;tfQ\20<\27\276\10\320\267%$\34#\14I\370\234v\4\2764m\232\235\177\14n\275\354}\3003e-\211\237(\304\214it\11\2L\12>\250\250\306E\337\354\315\203-\277q\177\236\365RL\21\264\32\22\22\362\10[@\317V\257Cz\16\257\14m\272\25\322\0\246N\344\335\0qYs\257[\162\35\256%-\13\277\336\203p\326Fah\256\274d\202)\222\371\247A\274\\335\340\3218\\315\234\223\240\2\322U!s\244\0\354NHV\353h\373\236E\237\241=\357\1\230f\240\11W3\216\226}\330\21\224\271Y\305\222q\266y\20G\24Gx\6\376\13\4", ) \3#\351\31\37=X\310\205\5Q\221\3768\240\37\4\263\265Ki\242Z\26\213\260\243-(\26\213\34\33\234\346a&;tfQ\20<\27\276\10\320\267%$\34#\14I\370\234v\4\2764m\232\235\177\14n\275\354}\3003e-\211\237(\304\214it\11\2L\12>\250\250\306E\337\354\315\203-\277q\177\236\365RL\21\264\32\22\22\362\10[@\317V\257Cz\16\257\14m\272\25\322\0\246N\344\335\0qYs\257[\162\35\256%-\13\277\336\203p\326Fah\256\274d\202)\222\371\247A\274\\335\340\3218\\315\234\223\240\2\322U!s\244\0\354NHV\353h\373\236E\237\241=\357\1\230f\240\11W3\216\226}\330\21\224\271Y\305\222q\266y\20G\24Gx\6\376\13\4", ) == 0x0
 00520   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00521   440   NtReadFile  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\360O\35\0\340O\35\0\324_\35\0\304_\35\0Tm\35\0Dm\35\0\264n\35\0\274n\35\0\244n\35\0\254n\35\0\224n\35\0\234n\35\0\204n\35\0\214n\35\0\364n\35\0\374n\35\0\20n\35\0\4n\35\0hn\35\0\254o\35\0\340o\35\0\30o\35\0`o\35\0\240h\35\0 h\35\0Xh\35\04j\35\0@k\35\0\200t\35\0\244u\35\0\20u\35\0\304w\35\0\314q\35\0\364s\35\0\230|\35\0x|\35\0\370}\35\08}\35\0\314~\35\0,~\35\0p~\35\0@~\35\0(G\30\0PG\30\0g-\32\0[-\32\0\262.\32\0\252.\32\0\204.\32\0\376.\32\0\331.\32\04.\32\0\20.\32\0\11.\32\0d.\32\0X.\32\0N.\32\0\242/\32\0\230/\32\0\361/\32\0\340/\32\0\315/\32\0&/\32\0\7/\32\0a/\32\0H/\32\0\253(\32\0\372(\32\0\337(\32\0"(\32\0q(\32\0Q(\32\0\264)\32\0\211)\32\0\327)\32\0\314)\32\0")\32\0\32)\32\0p)\32\0f)\32\0\)\32\0\261*\32\0\252*\32\0\237*\32\0\364*\32\0\356*\32\0\311*\32\04*\32\0:*\32\0#*\32\0/*\32\0\254\4\13\0\247\4\4\0\244\4\5\0\245\4\7\0\264\4\36\0\270\4\32\0\266\4\30\0\233\4\6\0\255\4\3\0\224\4=\0\230\47\0\231\4<\0\223\4?\0\257\48\0\226\4:\0\243\4\14\0\242\4\21\0\240\4\23\0\277\4\20\0\273\4\27\0\271\41\0\260\4\37\0\261\43\0\235\4\35\0\260\4\35\0\260\4\35\0\260\4\35@\224|m$\2016Sm\305`m@\344JPU\364T\35@\224|m$\2011Sm", ) (\32\0q(\32\0Q(\32\0\264)\32\0\211)\32\0\327)\32\0\314)\32\0 (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\360O\35\0\340O\35\0\324_\35\0\304_\35\0Tm\35\0Dm\35\0\264n\35\0\274n\35\0\244n\35\0\254n\35\0\224n\35\0\234n\35\0\204n\35\0\214n\35\0\364n\35\0\374n\35\0\20n\35\0\4n\35\0hn\35\0\254o\35\0\340o\35\0\30o\35\0`o\35\0\240h\35\0 h\35\0Xh\35\04j\35\0@k\35\0\200t\35\0\244u\35\0\20u\35\0\304w\35\0\314q\35\0\364s\35\0\230|\35\0x|\35\0\370}\35\08}\35\0\314~\35\0,~\35\0p~\35\0@~\35\0(G\30\0PG\30\0g-\32\0[-\32\0\262.\32\0\252.\32\0\204.\32\0\376.\32\0\331.\32\04.\32\0\20.\32\0\11.\32\0d.\32\0X.\32\0N.\32\0\242/\32\0\230/\32\0\361/\32\0\340/\32\0\315/\32\0&/\32\0\7/\32\0a/\32\0H/\32\0\253(\32\0\372(\32\0\337(\32\0"(\32\0q(\32\0Q(\32\0\264)\32\0\211)\32\0\327)\32\0\314)\32\0")\32\0\32)\32\0p)\32\0f)\32\0\)\32\0\261*\32\0\252*\32\0\237*\32\0\364*\32\0\356*\32\0\311*\32\04*\32\0:*\32\0#*\32\0/*\32\0\254\4\13\0\247\4\4\0\244\4\5\0\245\4\7\0\264\4\36\0\270\4\32\0\266\4\30\0\233\4\6\0\255\4\3\0\224\4=\0\230\47\0\231\4<\0\223\4?\0\257\48\0\226\4:\0\243\4\14\0\242\4\21\0\240\4\23\0\277\4\20\0\273\4\27\0\271\41\0\260\4\37\0\261\43\0\235\4\35\0\260\4\35\0\260\4\35\0\260\4\35@\224|m$\2016Sm\305`m@\344JPU\364T\35@\224|m$\2011Sm", ) , ) == 0x0
 00522   440   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00523   440   NtClose  (80, ... ) == 0x0
 00524   440   NtClose  (68, ... ) == 0x0
 00525   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00526   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00527   440   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0
 00528   440   NtClose  (68, ... ) == 0x0
 00529   440   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0
 00530   440   NtClose  (80, ... ) == 0x0
 00531   440   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00532   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00533   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00534   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00535   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0
 00536   440   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00537   440   NtClose  (80, ... ) == 0x0
 00538   440   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00539   440   NtMapViewOfSection  (68, -1, (0x860000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00540   440   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00541   440   NtClose  (68, ... ) == 0x0
 00542   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 8, ) == 0x0
 00543   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 8, ... (0x8d2000), 4096, 4, ) == 0x0
 00544   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00545   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00546   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00547   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00548   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00549   440   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00550   440   NtClose  (68, ... ) == 0x0
 00551   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00552   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00553   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00554   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00555   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00556   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00557   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00558   440   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00559   440   NtClose  (68, ... ) == 0x0
 00560   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00561   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00562   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00563   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00564   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00565   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00566   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00567   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00568   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00569   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00570   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00571   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00572   440   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   440   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0
 00576   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00577   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0
 00578   440   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00579   440   NtClose  (68, ... ) == 0x0
 00580   440   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00581   440   NtClose  (80, ... ) == 0x0
 00582   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00583   440   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00584   440   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00585   440   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {436, 0}, ... 80, ) == 0x0
 00586   440   NtQueryInformationProcess  (80, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00587   440   NtClose  (80, ... ) == 0x0
 00588   440   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00589   440   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00590   440   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00591   440   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00592   440   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593   440   NtClose  (80, ... ) == 0x0
 00594   440   NtUserSystemParametersInfo  (41, 500, 1242460, 0, ... ) == 0x1
 00595   440   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00596   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00597   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00598   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03b
 00599   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00600   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03d
 00601   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00602   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00603   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03f
 00604   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00605   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00606   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc041
 00607   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00608   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00609   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc043
 00610   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00611   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc045
 00612   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00613   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00614   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc047
 00615   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00616   440   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00617   440   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810dc049
 00618   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00619   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00620   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04b
 00621   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00622   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00623   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04d
 00624   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00625   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00626   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04f
 00627   440   NtUserGetClassInfo  (1999896576, 1242872, 1242824, 1242900, 0, ... ) == 0x0
 00628   440   NtUserRegisterClassExWOW  (1242708, 1242788, 1242772, 1242804, 0, 384, 0, ... ) == 0x810dc051
 00629   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00630   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00631   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc053
 00632   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00633   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00634   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc055
 00635   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc057
 00636   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00637   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00638   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc059
 00639   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00640   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10013
 00641   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05b
 00642   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00643   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00644   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05d
 00645   440   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00646   440   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00647   440   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05f
 00648   440   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00649   440   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00650   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0
 00651   440   NtNotifyChangeKey  (84, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00652   440   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00653   440   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00654   440   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00655   440   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00656   440   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00657   440   NtQueryVirtualMemory  (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00658   440   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00659   440   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9371648, 1048576, ) == 0x0
 00660   440   NtAllocateVirtualMemory  (-1, 9371648, 0, 16384, 4096, 4, ... 9371648, 16384, ) == 0x0
 00661   440   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00662   440   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00663   440   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00664   440   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   440   NtOpenProcessToken  (-1, 0x8, ... 96, ) == 0x0
 00666   440   NtQueryInformationToken  (96, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00667   440   NtClose  (96, ... ) == 0x0
 00668   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00669   440   NtReleaseMutant  (16, ...
 00670   440   NtContinue  (-130842488, 0, ...
 00669   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00671   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\sja1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00678   440   NtReleaseMutant  (16, ...
 00679   440   NtContinue  (-130842488, 0, ...
 00678   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00680   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00681   440   NtReleaseMutant  (16, ...
 00682   440   NtContinue  (-130842488, 0, ...
 00681   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00683   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00684   440   NtReleaseMutant  (16, ...
 00685   440   NtContinue  (-130842488, 0, ...
 00684   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00686   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00687   440   NtReleaseMutant  (16, ...
 00688   440   NtContinue  (-130842488, 0, ...
 00687   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00689   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00690   440   NtReleaseMutant  (16, ...
 00691   440   NtContinue  (-130842488, 0, ...
 00690   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00692   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00693   440   NtReleaseMutant  (16, ...
 00694   440   NtContinue  (-130842488, 0, ...
 00693   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00695   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00696   440   NtReleaseMutant  (16, ...
 00697   440   NtContinue  (-130842488, 0, ...
 00696   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00698   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00699   440   NtReleaseMutant  (16, ...
 00700   440   NtContinue  (-130842488, 0, ...
 00699   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00701   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00702   440   NtReleaseMutant  (16, ...
 00703   440   NtContinue  (-130842488, 0, ...
 00702   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00704   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00705   440   NtReleaseMutant  (16, ...
 00706   440   NtContinue  (-130842488, 0, ...
 00705   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00707   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00708   440   NtReleaseMutant  (16, ...
 00709   440   NtContinue  (-130842488, 0, ...
 00708   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00710   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00711   440   NtReleaseMutant  (16, ...
 00712   440   NtContinue  (-130842488, 0, ...
 00711   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00713   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00714   440   NtReleaseMutant  (16, ...
 00715   440   NtContinue  (-130842488, 0, ...
 00714   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00716   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00717   440   NtReleaseMutant  (16, ...
 00718   440   NtContinue  (-130842488, 0, ...
 00717   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00719   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00720   440   NtReleaseMutant  (16, ...
 00721   440   NtContinue  (-130842488, 0, ...
 00720   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00722   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00723   440   NtReleaseMutant  (16, ...
 00724   440   NtContinue  (-130842488, 0, ...
 00723   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00725   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00726   440   NtReleaseMutant  (16, ...
 00727   440   NtContinue  (-130842488, 0, ...
 00726   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00728   440   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00729   440   NtReleaseMutant  (16, ...
 00730   440   NtContinue  (-130842488, 0, ...
 00729   440   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00731   440   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 96, ) == 0x0
 00732   440   NtUserGetDC  (0, ... ) == 0x1010051
 00733   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00734   440   NtUserGetDC  (0, ... ) == 0x1010051
 00735   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00736   440   NtGdiCreatePaletteInternal  (1241872, 16, ... ) == 0x1608040b
 00737   440   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00738   440   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00739   440   NtUserFindExistingCursorIcon  (1242268, 1242284, 1242852, ... ) == 0x10003
 00740   440   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\0B\04\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0
 00741   440   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\08\06\00\00\00\00\00\00\00\00\00\01\0B\08\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0
 00742   440   NtUserSystemParametersInfo  (104, 0, 9376892, 0, ... ) == 0x1
 00743   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00744   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10023
 00745   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00746   440   NtUserGetDC  (0, ... ) == 0x1010051
 00747   440   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x60503e3
 00748   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00749   440   NtGdiSelectBitmap  (369165255, 100991971, ... ) == 0x185000f
 00750   440   NtGdiGetDCforBitmap  (100991971, ... ) == 0x160103c7
 00751   440   NtGdiSaveDC  (369165255, ... ) == 0x1
 00752   440   NtGdiSelectBitmap  (369165255, 100991971, ... ) == 0x60503e3
 00753   440   NtGdiGetDCObject  (369165255, 524288, ... ) == 0x188000b
 00754   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00755   440   NtGdiSetDIBitsToDeviceInternal  (369165255, 0, 0, 32, 64, 0, 0, 0, 64, 9188876, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00756   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00757   440   NtGdiSelectBitmap  (369165255, 100991971, ... ) == 0x60503e3
 00758   440   NtGdiRestoreDC  (369165255, -1, ... ) == 0x1
 00759   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0x60503e3
 00760   440   NtGdiCreateCompatibleDC  (369165255, ... ) == 0x2c01040d
 00761   440   NtGdiExtGetObjectW  (100991971, 24, 1241324, ... ) == 0x18
 00762   440   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x1505040a
 00763   440   NtGdiSelectBitmap  (369165255, 100991971, ... ) == 0x185000f
 00764   440   NtGdiSelectBitmap  (738264077, 352650250, ... ) == 0x185000f
 00765   440   NtGdiBitBlt  (738264077, 0, 0, 32, 64, 369165255, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00766   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0x60503e3
 00767   440   NtGdiSelectBitmap  (738264077, 25493519, ... ) == 0x1505040a
 00768   440   NtGdiDeleteObjectApp  (100991971, ... ) == 0x1
 00769   440   NtGdiDeleteObjectApp  (738264077, ... ) == 0x1
 00770   440   NtUserCallOneParam  (0, 33, ... ) == 0x3004d
 00771   440   NtUserSetCursorIconData  (196685, 1241432, 1241448, 1242028, ... ) == 0x1
 00772   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10029
 00773   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10027
 00774   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10025
 00775   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00776   440   NtUserGetDC  (0, ... ) == 0x1010051
 00777   440   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x90503d6
 00778   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00779   440   NtGdiSelectBitmap  (369165255, 151323606, ... ) == 0x185000f
 00780   440   NtGdiGetDCforBitmap  (151323606, ... ) == 0x160103c7
 00781   440   NtGdiSaveDC  (369165255, ... ) == 0x1
 00782   440   NtGdiSelectBitmap  (369165255, 151323606, ... ) == 0x90503d6
 00783   440   NtGdiGetDCObject  (369165255, 524288, ... ) == 0x188000b
 00784   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00785   440   NtGdiSetDIBitsToDeviceInternal  (369165255, 0, 0, 32, 64, 0, 0, 0, 64, 9189184, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00786   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00787   440   NtGdiSelectBitmap  (369165255, 151323606, ... ) == 0x90503d6
 00788   440   NtGdiRestoreDC  (369165255, -1, ... ) == 0x1
 00789   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0x90503d6
 00790   440   NtGdiCreateCompatibleDC  (369165255, ... ) == 0x80103e3
 00791   440   NtGdiExtGetObjectW  (151323606, 24, 1241324, ... ) == 0x18
 00792   440   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x1b050404
 00793   440   NtGdiSelectBitmap  (369165255, 151323606, ... ) == 0x185000f
 00794   440   NtGdiSelectBitmap  (134284259, 453313540, ... ) == 0x185000f
 00795   440   NtGdiBitBlt  (134284259, 0, 0, 32, 64, 369165255, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00796   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0x90503d6
 00797   440   NtGdiSelectBitmap  (134284259, 25493519, ... ) == 0x1b050404
 00798   440   NtGdiDeleteObjectApp  (151323606, ... ) == 0x1
 00799   440   NtGdiDeleteObjectApp  (134284259, ... ) == 0x1
 00800   440   NtUserCallOneParam  (0, 33, ... ) == 0x2006b
 00801   440   NtUserSetCursorIconData  (131179, 1241432, 1241448, 1242028, ... ) == 0x1
 00802   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00803   440   NtUserGetDC  (0, ... ) == 0x1010051
 00804   440   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x2e05040d
 00805   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00806   440   NtGdiSelectBitmap  (369165255, 772080653, ... ) == 0x185000f
 00807   440   NtGdiGetDCforBitmap  (772080653, ... ) == 0x160103c7
 00808   440   NtGdiSaveDC  (369165255, ... ) == 0x1
 00809   440   NtGdiSelectBitmap  (369165255, 772080653, ... ) == 0x2e05040d
 00810   440   NtGdiGetDCObject  (369165255, 524288, ... ) == 0x188000b
 00811   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00812   440   NtGdiSetDIBitsToDeviceInternal  (369165255, 0, 0, 32, 64, 0, 0, 0, 64, 9189492, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00813   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00814   440   NtGdiSelectBitmap  (369165255, 772080653, ... ) == 0x2e05040d
 00815   440   NtGdiRestoreDC  (369165255, -1, ... ) == 0x1
 00816   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0x2e05040d
 00817   440   NtGdiCreateCompatibleDC  (369165255, ... ) == 0xb0103d6
 00818   440   NtGdiExtGetObjectW  (772080653, 24, 1241324, ... ) == 0x18
 00819   440   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xe0503ff
 00820   440   NtGdiSelectBitmap  (369165255, 772080653, ... ) == 0x185000f
 00821   440   NtGdiSelectBitmap  (184615894, 235209727, ... ) == 0x185000f
 00822   440   NtGdiBitBlt  (184615894, 0, 0, 32, 64, 369165255, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00823   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0x2e05040d
 00824   440   NtGdiSelectBitmap  (184615894, 25493519, ... ) == 0xe0503ff
 00825   440   NtGdiDeleteObjectApp  (772080653, ... ) == 0x1
 00826   440   NtGdiDeleteObjectApp  (184615894, ... ) == 0x1
 00827   440   NtUserCallOneParam  (0, 33, ... ) == 0x2006d
 00828   440   NtUserSetCursorIconData  (131181, 1241432, 1241448, 1242028, ... ) == 0x1
 00829   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00830   440   NtUserGetDC  (0, ... ) == 0x1010051
 00831   440   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xa0503e3
 00832   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00833   440   NtGdiSelectBitmap  (369165255, 168100835, ... ) == 0x185000f
 00834   440   NtGdiGetDCforBitmap  (168100835, ... ) == 0x160103c7
 00835   440   NtGdiSaveDC  (369165255, ... ) == 0x1
 00836   440   NtGdiSelectBitmap  (369165255, 168100835, ... ) == 0xa0503e3
 00837   440   NtGdiGetDCObject  (369165255, 524288, ... ) == 0x188000b
 00838   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00839   440   NtGdiSetDIBitsToDeviceInternal  (369165255, 0, 0, 32, 64, 0, 0, 0, 64, 9189800, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00840   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00841   440   NtGdiSelectBitmap  (369165255, 168100835, ... ) == 0xa0503e3
 00842   440   NtGdiRestoreDC  (369165255, -1, ... ) == 0x1
 00843   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0xa0503e3
 00844   440   NtGdiCreateCompatibleDC  (369165255, ... ) == 0x3001040d
 00845   440   NtGdiExtGetObjectW  (168100835, 24, 1241324, ... ) == 0x18
 00846   440   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xa050407
 00847   440   NtGdiSelectBitmap  (369165255, 168100835, ... ) == 0x185000f
 00848   440   NtGdiSelectBitmap  (805372941, 168100871, ... ) == 0x185000f
 00849   440   NtGdiBitBlt  (805372941, 0, 0, 32, 64, 369165255, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00850   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0xa0503e3
 00851   440   NtGdiSelectBitmap  (805372941, 25493519, ... ) == 0xa050407
 00852   440   NtGdiDeleteObjectApp  (168100835, ... ) == 0x1
 00853   440   NtGdiDeleteObjectApp  (805372941, ... ) == 0x1
 00854   440   NtUserCallOneParam  (0, 33, ... ) == 0x30097
 00855   440   NtUserSetCursorIconData  (196759, 1241432, 1241448, 1242028, ... ) == 0x1
 00856   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00857   440   NtUserGetDC  (0, ... ) == 0x1010051
 00858   440   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xd0503d6
 00859   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00860   440   NtGdiSelectBitmap  (369165255, 218432470, ... ) == 0x185000f
 00861   440   NtGdiGetDCforBitmap  (218432470, ... ) == 0x160103c7
 00862   440   NtGdiSaveDC  (369165255, ... ) == 0x1
 00863   440   NtGdiSelectBitmap  (369165255, 218432470, ... ) == 0xd0503d6
 00864   440   NtGdiGetDCObject  (369165255, 524288, ... ) == 0x188000b
 00865   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00866   440   NtGdiSetDIBitsToDeviceInternal  (369165255, 0, 0, 32, 64, 0, 0, 0, 64, 9190108, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00867   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00868   440   NtGdiSelectBitmap  (369165255, 218432470, ... ) == 0xd0503d6
 00869   440   NtGdiRestoreDC  (369165255, -1, ... ) == 0x1
 00870   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0xd0503d6
 00871   440   NtGdiCreateCompatibleDC  (369165255, ... ) == 0xc0103e3
 00872   440   NtGdiExtGetObjectW  (218432470, 24, 1241324, ... ) == 0x18
 00873   440   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xb050408
 00874   440   NtGdiSelectBitmap  (369165255, 218432470, ... ) == 0x185000f
 00875   440   NtGdiSelectBitmap  (201393123, 184878088, ... ) == 0x185000f
 00876   440   NtGdiBitBlt  (201393123, 0, 0, 32, 64, 369165255, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00877   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0xd0503d6
 00878   440   NtGdiSelectBitmap  (201393123, 25493519, ... ) == 0xb050408
 00879   440   NtGdiDeleteObjectApp  (218432470, ... ) == 0x1
 00880   440   NtGdiDeleteObjectApp  (201393123, ... ) == 0x1
 00881   440   NtUserCallOneParam  (0, 33, ... ) == 0x400a7
 00882   440   NtUserSetCursorIconData  (262311, 1241432, 1241448, 1242028, ... ) == 0x1
 00883   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00884   440   NtUserGetDC  (0, ... ) == 0x1010051
 00885   440   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x3205040d
 00886   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00887   440   NtGdiSelectBitmap  (369165255, 839189517, ... ) == 0x185000f
 00888   440   NtGdiGetDCforBitmap  (839189517, ... ) == 0x160103c7
 00889   440   NtGdiSaveDC  (369165255, ... ) == 0x1
 00890   440   NtGdiSelectBitmap  (369165255, 839189517, ... ) == 0x3205040d
 00891   440   NtGdiGetDCObject  (369165255, 524288, ... ) == 0x188000b
 00892   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00893   440   NtGdiSetDIBitsToDeviceInternal  (369165255, 0, 0, 32, 64, 0, 0, 0, 64, 9190724, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00894   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00895   440   NtGdiSelectBitmap  (369165255, 839189517, ... ) == 0x3205040d
 00896   440   NtGdiRestoreDC  (369165255, -1, ... ) == 0x1
 00897   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0x3205040d
 00898   440   NtGdiCreateCompatibleDC  (369165255, ... ) == 0xf0103d6
 00899   440   NtGdiExtGetObjectW  (839189517, 24, 1241324, ... ) == 0x18
 00900   440   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x8050405
 00901   440   NtGdiSelectBitmap  (369165255, 839189517, ... ) == 0x185000f
 00902   440   NtGdiSelectBitmap  (251724758, 134546437, ... ) == 0x185000f
 00903   440   NtGdiBitBlt  (251724758, 0, 0, 32, 64, 369165255, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00904   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0x3205040d
 00905   440   NtGdiSelectBitmap  (251724758, 25493519, ... ) == 0x8050405
 00906   440   NtGdiDeleteObjectApp  (839189517, ... ) == 0x1
 00907   440   NtGdiDeleteObjectApp  (251724758, ... ) == 0x1
 00908   440   NtUserCallOneParam  (0, 33, ... ) == 0x300a5
 00909   440   NtUserSetCursorIconData  (196773, 1241432, 1241448, 1242028, ... ) == 0x1
 00910   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00911   440   NtUserGetDC  (0, ... ) == 0x1010051
 00912   440   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xe0503e3
 00913   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00914   440   NtGdiSelectBitmap  (369165255, 235209699, ... ) == 0x185000f
 00915   440   NtGdiGetDCforBitmap  (235209699, ... ) == 0x160103c7
 00916   440   NtGdiSaveDC  (369165255, ... ) == 0x1
 00917   440   NtGdiSelectBitmap  (369165255, 235209699, ... ) == 0xe0503e3
 00918   440   NtGdiGetDCObject  (369165255, 524288, ... ) == 0x188000b
 00919   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00920   440   NtGdiSetDIBitsToDeviceInternal  (369165255, 0, 0, 32, 64, 0, 0, 0, 64, 9190416, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00921   440   NtUserSelectPalette  (369165255, 25690123, 0, ... ) == 0x188000b
 00922   440   NtGdiSelectBitmap  (369165255, 235209699, ... ) == 0xe0503e3
 00923   440   NtGdiRestoreDC  (369165255, -1, ... ) == 0x1
 00924   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0xe0503e3
 00925   440   NtGdiCreateCompatibleDC  (369165255, ... ) == 0x3401040d
 00926   440   NtGdiExtGetObjectW  (235209699, 24, 1241324, ... ) == 0x18
 00927   440   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x8050406
 00928   440   NtGdiSelectBitmap  (369165255, 235209699, ... ) == 0x185000f
 00929   440   NtGdiSelectBitmap  (872481805, 134546438, ... ) == 0x185000f
 00930   440   NtGdiBitBlt  (872481805, 0, 0, 32, 64, 369165255, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00931   440   NtGdiSelectBitmap  (369165255, 25493519, ... ) == 0xe0503e3
 00932   440   NtGdiSelectBitmap  (872481805, 25493519, ... ) == 0x8050406
 00933   440   NtGdiDeleteObjectApp  (235209699, ... ) == 0x1
 00934   440   NtGdiDeleteObjectApp  (872481805, ... ) == 0x1
 00935   440   NtUserCallOneParam  (0, 33, ... ) == 0x300a3
 00936   440   NtUserSetCursorIconData  (196771, 1241432, 1241448, 1242028, ... ) == 0x1
 00937   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10015
 00938   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10019
 00939   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001f
 00940   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001b
 00941   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10021
 00942   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001d
 00943   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10013
 00944   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10017
 00945   440   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00946   440   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00947   440   NtUserGetDC  (0, ... ) == 0x1010051
 00948   440   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00949   440   NtUserEnumDisplayMonitors  (0, 0, 8913508, 9377472, ... ) == 0x1
 00950   440   NtUserSystemParametersInfo  (31, 60, 1241588, 0, ... ) == 0x1
 00951   440   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344496, ... ) == 0x350a040d
 00952   440   NtGdiExtGetObjectW  (889848845, 420, 1241808, ... ) == 0x164
 00953   440   NtUserSystemParametersInfo  (41, 0, 1241788, 0, ... ) == 0x1
 00954   440   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344488, ... ) == 0x110a03d6
 00955   440   NtGdiExtGetObjectW  (285869014, 420, 1241808, ... ) == 0x164
 00956   440   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344480, ... ) == 0xf0a03e3
 00957   440   NtGdiExtGetObjectW  (252314595, 420, 1241808, ... ) == 0x164
 00958   440   NtUserFindExistingCursorIcon  (1241896, 1241912, 1242480, ... ) == 0x0
 00959   440   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 8650752, 4096, ) == 0x0
 00960   440   NtUserGetKeyboardLayoutList  (64, 1242468, ... ) == 0x1
 00961   440   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00962   440   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0cc
 00963   440   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0cd
 00964   440   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   440   NtUserSetWindowsHookEx  (8781824, 1243796, 0, 4, 8789692, 2, ... ) == 0x200a1
 00966   440   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   440   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "uterm13.2i"}, 1, ... 100, ) }, 1, ... 100, ) == 0x0
 00968   440   NtOpenProcessToken  (-1, 0x20, ... 104, ) == 0x0
 00969   440   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00970   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 108, ) }, ... 108, ) == 0x0
 00972   440   NtQueryValueKey  (108,  (108, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   440   NtClose  (108, ... ) == 0x0
 00974   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   440   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00976   440   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00977   440   NtQuerySystemTime  (... {1604063702, 29868088}, ) == 0x0
 00978   440   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00979   440   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   440   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00981   440   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00982   440   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00983   440   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00984   440   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 124, ) == 0x0
 00985   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 128, ) }, ... 128, ) == 0x0
 00986   440   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "ActiveComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00987   440   NtQueryValueKey  (132,  (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00988   440   NtClose  (132, ... ) == 0x0
 00989   440   NtClose  (128, ... ) == 0x0
 00990   440   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 128, ) == 0x0
 00991   440   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 132, ) == 0x0
 00992   440   NtDuplicateObject  (-1, 128, -1, 0x0, 0, 2, ... 136, ) == 0x0
 00993   440   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00994   440   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00995   440   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00996   440   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00997   440   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00998   440   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243248,  (0xc0100080, {24, 0, 0x40, 0, 1243248, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 00999   440   NtSetInformationFile  (144, 1243304, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01000   440   NtSetInformationFile  (144, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01001   440   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01002   440   NtWriteFile  (144, 121, 0, 0,  (144, 121, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01003   440   NtReadFile  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\365\34\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01004   440   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\365\34\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\365\34\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01005   440   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\227x\232+,\334\21\261\306\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\227x\232+,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\227x\232+,\334\21\261\306\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\227x\232+,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\227x\232+,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01006   440   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\227x\232+,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\227x\232+,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01007   440   NtClose  (140, ... ) == 0x0
 01008   440   NtClose  (144, ... ) == 0x0
 01009   440   NtAdjustPrivilegesToken  (104, 0, 1245084, 16, 0, 0, ... ) == 0x0
 01010   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01011   440   NtQueryValueKey  (144,  (144, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   440   NtClose  (144, ... ) == 0x0
 01013   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01014   440   NtQueryValueKey  (144,  (144, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   440   NtClose  (144, ... ) == 0x0
 01016   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01017   440   NtQueryValueKey  (144,  (144, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01018   440   NtClose  (144, ... ) == 0x0
 01019   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01020   440   NtQueryValueKey  (144,  (144, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01021   440   NtClose  (144, ... ) == 0x0
 01022   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01023   440   NtQueryValueKey  (144,  (144, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   440   NtClose  (144, ... ) == 0x0
 01025   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01026   440   NtQueryValueKey  (144,  (144, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027   440   NtClose  (144, ... ) == 0x0
 01028   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01029   440   NtQueryValueKey  (144,  (144, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01030   440   NtClose  (144, ... ) == 0x0
 01031   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01032   440   NtQueryValueKey  (144,  (144, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   440   NtClose  (144, ... ) == 0x0
 01034   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01035   440   NtQueryValueKey  (144,  (144, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01036   440   NtClose  (144, ... ) == 0x0
 01037   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01038   440   NtQueryValueKey  (144,  (144, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   440   NtClose  (144, ... ) == 0x0
 01040   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   440   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01042   440   NtSetInformationFile  (-2147482808, -130841564, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01043   440   NtSetInformationFile  (-2147482808, -130842036, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01041   440   NtCreateKey  ... 144, 1, ) == 0x0
 01044   440   NtSetValueKey  (144,  (144, "ID", 0, 1, "q\0d\0g\0g\0s\0x\0l\0x\0c\0u\0l\0\0\0", 24, ... ) , 0, 1,  (144, "ID", 0, 1, "q\0d\0g\0g\0s\0x\0l\0x\0c\0u\0l\0\0\0", 24, ... ) , 24, ... ) == 0x0
 01045   440   NtClose  (144, ... ) == 0x0
 01046   440   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01047   440   NtQueryValueKey  (144,  (144, "System Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   440   NtClose  (144, ... ) == 0x0
 01049   440   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 144, 2, ) }, 0, 0x0, 0, ... 144, 2, ) == 0x0
 01050   440   NtSetValueKey  (144,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01051   440   NtClose  (144, ... ) == 0x0
 01052   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243520,  (0x80100080, {24, 0, 0x40, 0, 1243520, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01053   440   NtQueryInformationFile  (144, 1244456, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01054   440   NtQueryInformationFile  (144, 1244428, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01055   440   NtQueryInformationFile  (144, 1244380, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01056   440   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 01057   440   NtQueryInformationFile  (144, 1371664, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01058   440   NtQueryInformationFile  (144, 1242924, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01059   440   NtQueryInformationFile  (144, 1242768, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01060   440   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242776,  (0x40110080, {24, 0, 0x40, 0, 1242776, "\??\C:\WINDOWS\System32\wnmdgabr.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01061   440   NtClose  (-2147482208, ... ) == 0x0
 01060   440   NtCreateFile  ... 140, {status=0x0, info=2}, ) == 0x0
 01062   440   NtQueryVolumeInformationFile  (140, 1242148, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01063   440   NtQueryInformationFile  (140, 1242108, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01064   440   NtQueryVolumeInformationFile  (144, 1242148, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01065   440   NtQueryVolumeInformationFile  (144, 1241832, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01066   440   NtSetInformationFile  (140, 1241936, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01067   440   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 144, ... 148, ) == 0x0
 01068   440   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9f0000), {0, 0}, 192512, ) == 0x0
 01069   440   NtClose  (148, ... ) == 0x0
 01070   440   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211\3504\210\315\211Z\333\315\211Z\333\315\211Z\333N\225T\333\317\211Z\333%\226^\333\317\211Z\333\315\211Z\333\313\211Z\333\315\211[\333\257\211Z\333\257\226I\333\304\211Z\333%\226Q\333\307\211Z\333Rich\315\211Z\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0]'\323@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0P1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01071   440   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "V\1j\20\305\30;\224\272B\261\336\301!0E\325\331\224w1\6\366\31\304H\32CU\2664t\264\30\223\13\371Q!8|\330\223\243\265\10F4\374\6\344\21\36\7\274`\15\332\301\33*\14\213S-C\270\201?1\240X8\23\220\25\17r%\30\235\23\244!N\311\345\21\13E\202\220\21\27\250\0\325\21x\35\7\1x\0\325\33\254\4\325\21x\31\3\\225S\324\37\220%\325T\202\221?#\221W\324\4\224!=G\220\27;'\220\3=\7\230-=\7\220\37+\220\7=\7\234)\211L\225\73/\2616\31r\2005\352\2616/3\265v\342\2041Hr\264v+7\264\314\31\310\210=\367\277\270\314'\17\0\344\22\11\371\11\25\34\204\242\327\311\224\216\341\377\263a\261\1\346v\243\253%P\314\21/\2612\20\14\326\202\261\274\13\25I\377\304\15,\334\375\2\364q\345\37\315jV\273*\224\233F\203\265%r\335t&+\216\265)\10\326Y\27\10\375@\13\250\232EQ\11\271\371\237\340u\162\205\321}>\202\37\265\271TFC\235\267\277h\5\201\260La\14\16f\15\305\322m\265\337\272\3142Xa\10\267\12\321|\325\333\23\316\337\367\314\33\14\265\305\352\16\303\5]_P#~3x\317\37]\267\330\31\257\265\345\27p\337\23\200\12F\342\217=\243\24\243\23hd\21\240\232\345\235\370\247\14\16\300\327xc\323\21\310\222<\13[k\303q.\3\251\13\M&\356\23E\11\335\15A]\324\277\17{\25\212\262\3107c\300\242F\225\373\2p\24d\335F\36pqR\24\333\376\1\360\260Fvd\12\271^\21\12p4\353b\272\10R\310\367\177/\226\224\7V\2t\2\234\232\337X\346\10Tv0\235\274\252\35\272'\21\16\237\203[\340\366\252} G", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01072   440   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\214<\17\17\34\0\250\16+N\232t`~F\21T\376\272\345\36\322\371\305e\212\266T\242G\317\24(\14\245\355\367\236W\375\217\325\264\34\1 \224\314%Ta7\314\227\273\15\244d\16\302\11\14\326l\2140M\222\214\275\266R\315,'\364=\5\375\312\206\321\221h\30\305\272\267\375\356\337\222\217\227b\334\14,\226\364>z77v\370\377Xo$\260'\316\234<\362\225\10\265\376\275)\337\223\21 V\12\317x\375\203\225|!\224\24\224\374\276\370\260\29\234\275\240\275K,\2422\233-\306\13\270\341!\231\270\250\265>p\10\251h\330(A\10\332\353\316\2438\263\214@_\242\34s\331RX\262s\207w@\376p\30p\211\375\251\37t\4\231\200\245\305\215\220\231\212\361H\16%\211\230\240\230EV\243\204\366I\3209\15({\320\306T&\276P\301F\240\235\270\201\354%v\220\344\313)\373HiMl\11\365\335\2015\235\14\366,\244/\\32\226 <\334\255\4\321\320\5\222\365\30\353\330\257\14\374@_\07\15\21A\36"2Q\253\223Kz\351fF\217\352\353\273\276\333\5\206\5j\344\225\320\356\3060\5l\324R\264?b4\215\32\30\361\304\370\17\367aiT+\214?g\361\4\325f\251\237\202\256X$\310x\322KK\250{\252\335SO\26\350\255\225\244\334\310\237\327\236\302\4rbS\240Q\17t\244Ni\25\372\16n\24Zl\31\210\267\11#\11\360\10\213\210\274\1\373\361\360ANG\266\223\203\20\200\375?\2073\24\300\212\270V\300\225\323w$\354\200~\306\233\274\210\367NB\314{#f\10\325\260\262\314J\325+\36\323\215x\32(\36w\207\375\3\335[I\324A!/$\265\10\350Y\33R\307\364\0?\36~\230\16\5S\17\367\260\222\354\12o\16F\354\242.", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) 2Q\253\223Kz\351fF\217\352\353\273\276\333\5\206\5j\344\225\320\356\3060\5l\324R\264?b4\215\32\30\361\304\370\17\367aiT+\214?g\361\4\325f\251\237\202\256X$\310x\322KK\250{\252\335SO\26\350\255\225\244\334\310\237\327\236\302\4rbS\240Q\17t\244Ni\25\372\16n\24Zl\31\210\267\11#\11\360\10\213\210\274\1\373\361\360ANG\266\223\203\20\200\375?\2073\24\300\212\270V\300\225\323w$\354\200~\306\233\274\210\367NB\314{#f\10\325\260\262\314J\325+\36\323\215x\32(\36w\207\375\3\335[I\324A!/$\265\10\350Y\33R\307\364\0?\36~\230\16\5S\17\367\260\222\354\12o\16F\354\242.", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01073   440   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "X\220=\31\11\6\264\4\310AN\373\35P\365\4\35L\261\3\35N\34\273&\0P\4\255n\233\265\204\13\306\14-\3\20\20\365\354\255h\15\3\360\1\31\13\262xE\22\260\350\32\0p\2\20 \360\260\33U\240\3731\337+7\24'\220\347\355\5\260\3218\214\272\316(0\274\224I`\13\5}\27\350\4\35\261\251@\311.\36\347(\27fy\215(\267\2` \236E\247C\264M\346\240\336j\337\276\3568\30'\360\361Rl\303\4t\272y\330\375'\262\210)\335\247htP[\364:&>&\21\362$D3e\240/\227\1\24\335:\10\4v\34!\346\244\346\307\363T\277\16\0\270:e\339x\3bW}\354\227T\35\2600\362d\273\2534\340\27\33\302\33\353B\2\35\0\260\4\35\0\360\6\342\0\260\4\35\0\260\4\35\00x9\10\261\13\230\206\261\4\35`\16*\235D\260\211\243\322?\377\342W3\311\342\353\275\224\215\220:\2[\210\267C\34\333\305\3\226\363\352\341\21kv\360\270\261\4\35\0\261\337h\7;\32\236\356L\25\306\21p\5\306s_q\24\213\256\207\363\374\241\337n\344\201\315\236\350\263v\20\301P\14\227\6\366\207\355\377\304p\224\305\261\337h\7;\32\236\356L\25\306\21y\5\306u\267\217\3\203^\370\14\333\241\315h \361\5\306u\267\217\3\203^\370\14\333\241\315\34\333\303\353h\11;\32\236\356L\25\306sT\207\334\21\371\35\363O\373\236\321\261\211\11/3\371\341v\277\216\37B8\3ZI\305\363\364cO\373\342\220;\6\236\302\264\215\32\203w\0\236\351\264s\354\1\177\355Q\377O\373C\211G\275\243'\260\4\227\7\367(\365<\261s\352\200\217\11h\362;\3\227_\264b\334\350\270\305\335\206\3004\3700\357\365\1@\215\32\203w\1\224\330R\335", 5078, 0x0, 0, ... {status=0x0, info=5078}, ) , 5078, 0x0, 0, ... {status=0x0, info=5078}, ) == 0x0
 01074   440   NtUnmapViewOfSection  (-1, 0x9f0000, ... ) == 0x0
 01075   440   NtSetInformationFile  (140, 1244380, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01076   440   NtClose  (144, ... ) == 0x0
 01077   440   NtClose  (140, ... ) == 0x0
 01078   440   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01079   440   NtSetValueKey  (140,  (140, "System Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0n\0m\0d\0g\0a\0b\0r\0.\0e\0x\0e\0\0\0", 66, ... , 0, 1,  (140, "System Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0n\0m\0d\0g\0a\0b\0r\0.\0e\0x\0e\0\0\0", 66, ... , 66, ...
 01080   440   NtSetInformationFile  (-2147482808, -130840780, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01081   440   NtSetInformationFile  (-2147482808, -130840872, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01079   440   NtSetValueKey  ... ) == 0x0
 01082   440   NtClose  (140, ... ) == 0x0
 01083   440   NtClose  (100, ... ) == 0x0
 01084   440   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01085   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wnmdgabr.exe"}, 1241012, ... ) }, 1241012, ... ) == 0x0
 01086   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wnmdgabr.exe"}, 1241704, ... ) }, 1241704, ... ) == 0x0
 01087   440   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wnmdgabr.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01088   440   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 100, ... 140, ) == 0x0
 01089   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01090   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 144, ) }, ... 144, ) == 0x0
 01091   440   NtQueryValueKey  (144,  (144, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   440   NtClose  (144, ... ) == 0x0
 01093   440   NtQueryVolumeInformationFile  (100, 1241012, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01094   440   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 144, ) }, ... 144, ) == 0x0
 01095   440   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01096   440   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 148, ) }, ... 148, ) == 0x0
 01097   440   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9f0000), {0, 0}, 57344, ) == 0x0
 01098   440   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01099   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238996, ... ) }, 1238996, ... ) == 0x0
 01100   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01101   440   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 152, ... 156, ) == 0x0
 01102   440   NtClose  (152, ... ) == 0x0
 01103   440   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 106496, ) == 0x0
 01104   440   NtClose  (156, ... ) == 0x0
 01105   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01106   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239312, ... ) }, 1239312, ... ) == 0x0
 01107   440   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01108   440   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 152, ) == 0x0
 01109   440   NtQuerySection  (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01110   440   NtClose  (156, ... ) == 0x0
 01111   440   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01112   440   NtClose  (152, ... ) == 0x0
 01113   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01114   440   NtQueryInformationFile  (152, 1239600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01115   440   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 152, ... 156, ) == 0x0
 01116   440   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa00000), 0x0, 1028096, ) == 0x0
 01117   440   NtQueryInformationFile  (152, 1239696, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01118   440   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119   440   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01120   440   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01121   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01122   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1237260, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237260, 616, BothDirectory, 1, "wnmdgabr.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01123   440   NtClose  (160, ... ) == 0x0
 01124   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01125   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01126   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wnmdgabr.exe"}, 1236648, ... ) }, 1236648, ... ) == 0x0
 01127   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01128   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01129   440   NtClose  (160, ... ) == 0x0
 01130   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01131   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01132   440   NtClose  (160, ... ) == 0x0
 01133   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01134   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "wnmdgabr.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01135   440   NtClose  (160, ... ) == 0x0
 01136   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01137   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01138   440   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01139   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01140   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01141   440   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01142   440   NtClose  (160, ... ) == 0x0
 01143   440   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01144   440   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\wnmdgabr.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01146   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01147   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wnmdgabr.exe"}, 1238928, ... ) }, 1238928, ... ) == 0x0
 01148   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01149   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01150   440   NtClose  (160, ... ) == 0x0
 01151   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01152   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01153   440   NtClose  (160, ... ) == 0x0
 01154   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01155   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "wnmdgabr.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01156   440   NtClose  (160, ... ) == 0x0
 01157   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01158   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01159   440   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01160   440   NtQueryVolumeInformationFile  (100, 1239572, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01161   440   NtQueryInformationFile  (100, 1239552, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01162   440   NtQueryInformationFile  (100, 1239592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01163   440   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01164   440   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01165   440   NtClose  (156, ... ) == 0x0
 01166   440   NtClose  (152, ... ) == 0x0
 01167   440   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01168   440   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnmdgabr.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   440   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01170   440   NtOpenProcessToken  (-1, 0xa, ... 152, ) == 0x0
 01171   440   NtQueryInformationToken  (152, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01172   440   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01174   440   NtQueryValueKey  (156,  (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01175   440   NtQueryValueKey  (156,  (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01176   440   NtClose  (156, ... ) == 0x0
 01177   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01178   440   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01179   440   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01180   440   NtClose  (156, ... ) == 0x0
 01181   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01182   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01183   440   NtQueryValueKey  (156,  (156, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   440   NtClose  (156, ... ) == 0x0
 01185   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01186   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01187   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01188   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01189   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01190   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01191   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01192   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01193   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01194   440   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01195   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 156, ) }, ... 156, ) == 0x0
 01196   440   NtEnumerateKey  (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01197   440   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 160, ) }, ... 160, ) == 0x0
 01198   440   NtQueryValueKey  (160,  (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01199   440   NtQueryValueKey  (160,  (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01200   440   NtClose  (160, ... ) == 0x0
 01201   440   NtEnumerateKey  (156, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01202   440   NtClose  (156, ... ) == 0x0
 01203   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01205   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01206   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01210   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01216   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01218   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01219   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01220   440   NtClose  (156, ... ) == 0x0
 01221   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01223   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01224   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01225   440   NtClose  (156, ... ) == 0x0
 01226   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01228   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01229   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01230   440   NtClose  (156, ... ) == 0x0
 01231   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01232   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01233   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01234   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01235   440   NtClose  (156, ... ) == 0x0
 01236   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01238   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01239   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01240   440   NtClose  (156, ... ) == 0x0
 01241   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01242   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01243   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01244   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01245   440   NtClose  (156, ... ) == 0x0
 01246   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01248   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01249   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01250   440   NtClose  (156, ... ) == 0x0
 01251   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01253   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01254   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01255   440   NtClose  (156, ... ) == 0x0
 01256   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01258   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01259   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01260   440   NtClose  (156, ... ) == 0x0
 01261   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01262   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01263   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01264   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01265   440   NtClose  (156, ... ) == 0x0
 01266   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01268   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01269   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01270   440   NtClose  (156, ... ) == 0x0
 01271   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01273   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01274   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01275   440   NtClose  (156, ... ) == 0x0
 01276   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01277   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01278   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01279   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01280   440   NtClose  (156, ... ) == 0x0
 01281   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01283   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01284   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01285   440   NtClose  (156, ... ) == 0x0
 01286   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01287   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01288   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01289   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01290   440   NtClose  (156, ... ) == 0x0
 01291   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01292   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01293   440   NtQueryValueKey  (156,  (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01294   440   NtClose  (156, ... ) == 0x0
 01295   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01296   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01297   440   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01298   440   NtClose  (156, ... ) == 0x0
 01299   440   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   440   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01301   440   NtOpenProcessToken  (-1, 0xa, ... 156, ) == 0x0
 01302   440   NtDuplicateToken  (156, 0xc, {24, 0, 0x0, 0, 1240904, 0x0}, 0, 2, ... 160, ) == 0x0
 01303   440   NtClose  (156, ... ) == 0x0
 01304   440   NtAccessCheck  (1378880, 160, 0x1, 1241032, 1240976, 56, 1241060, ... (0x1), ) == 0x0
 01305   440   NtClose  (160, ... ) == 0x0
 01306   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 160, ) }, ... 160, ) == 0x0
 01307   440   NtQueryValueKey  (160,  (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01308   440   NtClose  (160, ... ) == 0x0
 01309   440   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 160, ) }, ... 160, ) == 0x0
 01310   440   NtQuerySymbolicLinkObject  (160, ...  (160, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01311   440   NtClose  (160, ... ) == 0x0
 01312   440   NtQueryInformationFile  (100, 1239364, 528, Name, ... {status=0x0, info=64}, ) == 0x0
 01313   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01314   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01315   440   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wnmdgabr.exe"}, 1238044, ... ) }, 1238044, ... ) == 0x0
 01316   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01317   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01318   440   NtClose  (160, ... ) == 0x0
 01319   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01320   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01321   440   NtClose  (160, ... ) == 0x0
 01322   440   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01323   440   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "wnmdgabr.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01324   440   NtClose  (160, ... ) == 0x0
 01325   440   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01326   440   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01327   440   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01328   440   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01329   440   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01330   440   NtClose  (160, ... ) == 0x0
 01331   440   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 160, ) }, ... 160, ) == 0x0
 01332   440   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0
 01333   440   NtClose  (160, ... ) == 0x0
 01334   440   NtQueryValueKey  (156,  (156, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01335   440   NtQueryValueKey  (156,  (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01336   440   NtClose  (156, ... ) == 0x0
 01337   440   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10485760, 4096, ) == 0x0
 01338   440   NtAllocateVirtualMemory  (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0
 01339   440   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01340   440   NtQueryValueKey  (156,  (156, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01341   440   NtClose  (156, ... ) == 0x0
 01342   440   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01343   440   NtQueryInformationToken  (152, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01344   440   NtQueryInformationToken  (152, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01345   440   NtClose  (152, ... ) == 0x0
 01346   440   NtCreateProcessEx  (1243640, 2035711, 0, -1, 0, 140, 0, 0, 0, ... ) == 0x0
 01347   440   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=436,}, 0x0, ) == 0x0
 01348   440   NtReadVirtualMemory  (152, 0x7ffdf008, 4, ...  (152, 0x7ffdf008, 4, ... "\0\0P1", 0x0, ) , 0x0, ) == 0x0
 01349   440   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wnmdgabr.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01350   440   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01351   440   NtReadVirtualMemory  (152, 0x31500000, 4096, ...  (152, 0x31500000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211\3504\210\315\211Z\333\315\211Z\333\315\211Z\333N\225T\333\317\211Z\333%\226^\333\317\211Z\333\315\211Z\333\313\211Z\333\315\211[\333\257\211Z\333\257\226I\333\304\211Z\333%\226Q\333\307\211Z\333Rich\315\211Z\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0]'\323@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0P1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 01352   440   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01353   440   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=436,}, 0x0, ) == 0x0
 01354   440   NtAllocateVirtualMemory  (-1, 0, 0, 1672, 4096, 4, ... 10551296, 4096, ) == 0x0
 01355   440   NtAllocateVirtualMemory  (152, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01356   440   NtWriteVirtualMemory  (152, 0x10000,  (152, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01357   440   NtAllocateVirtualMemory  (152, 0, 0, 1672, 4096, 4, ... 131072, 4096, ) == 0x0
 01358   440   NtWriteVirtualMemory  (152, 0x20000,  (152, 0x20000, "\0\20\0\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0@\0B\0\230\5\0\0@\0B\0\334\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0@\0B\0 \6\0\0\36\0 \0d\6\0\0\0\0\2\0\204\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1672, ... 0x0, ) , 1672, ... 0x0, ) == 0x0
 01359   440   NtWriteVirtualMemory  (152, 0x7ffdf010,  (152, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01360   440   NtWriteVirtualMemory  (152, 0x7ffdf1e8,  (152, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01361   440   NtFreeVirtualMemory  (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0
 01362   440   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01363   440   NtAllocateVirtualMemory  (152, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01364   440   NtProtectVirtualMemory  (152, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01365   440   NtCreateThread  (0x1f03ff, 0x0, 152, 1241904, 1242624, 1, ... 156, {380, 568}, ) == 0x0
 01366   440   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1344776, 1243724}  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1344776, 1243724} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 436, 440, 1500, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ... {168, 196, reply, 0, 436, 440, 1500, 0}  (24, {168, 196, new_msg, 0, 1312872, 1310720, 1344776, 1243724} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 436, 440, 1500, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0|\1\0\08\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ) == 0x0
 01367   440   NtResumeThread  (156, ... 1, ) == 0x0
 01368   440   NtClose  (100, ... ) == 0x0
 01369   440   NtClose  (140, ... ) == 0x0
 01370   440   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=380,ParentPid=436,}, 0x0, ) == 0x0
 01371   440   NtUserWaitForInputIdle  (380, 30000, 0, ...
 01372   440   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 01373   440   NtClose  (140, ... ) == 0x0
 01371   440   NtUserWaitForInputIdle  ... ) == 0x0
 01374   440   NtClose  (152, ... ) == 0x0
 01375   440   NtClose  (156, ... ) == 0x0
 01376   440   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 01377   440   NtTerminateProcess  (0, 0, ... ) == 0x0
 01378   440   NtQueryVirtualMemory  (-1, 0x896d20, Basic, 28, ... {BaseAddress=0x896000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01379   440   NtQueryVirtualMemory  (-1, 0x89762c, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x11000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01380   440   NtQueryVirtualMemory  (-1, 0x86cef4, Basic, 28, ... {BaseAddress=0x86c000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01381   440   NtGdiDeleteObjectApp  (285869014, ... ) == 0x1
 01382   440   NtGdiDeleteObjectApp  (252314595, ... ) == 0x1
 01383   440   NtGdiDeleteObjectApp  (889848845, ... ) == 0x1
 01384   440   NtUserDestroyCursor  (196771, 1, ... ) == 0x1
 01385   440   NtUserDestroyCursor  (196773, 1, ... ) == 0x1
 01386   440   NtUserDestroyCursor  (262311, 1, ... ) == 0x1
 01387   440   NtUserDestroyCursor  (196759, 1, ... ) == 0x1
 01388   440   NtUserDestroyCursor  (131181, 1, ... ) == 0x1
 01389   440   NtUserDestroyCursor  (131179, 1, ... ) == 0x1
 01390   440   NtUserDestroyCursor  (196685, 1, ... ) == 0x1
 01391   440   NtUserFindExistingCursorIcon  (1243476, 1243492, 1244060, ... ) == 0x10011
 01392   440   NtDeleteAtom  (49180, ... ) == 0x0
 01393   440   NtDeleteAtom  (49181, ... ) == 0x0
 01394   440   NtGdiDeleteObjectApp  (369624075, ... ) == 0x1
 01395   440   NtClose  (96, ... ) == 0x0
 01396   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01397   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03b
 01398   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01399   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03d
 01400   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01401   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03f
 01402   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01403   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc041
 01404   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01405   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc043
 01406   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01407   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc045
 01408   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01409   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc047
 01410   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01411   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc049
 01412   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01413   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04b
 01414   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01415   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04d
 01416   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01417   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04f
 01418   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01419   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc051
 01420   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01421   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc053
 01422   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01423   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc057
 01424   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01425   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc059
 01426   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01427   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05b
 01428   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01429   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05d
 01430   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01431   440   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05f
 01432   440   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01433   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03b
 01434   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01435   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03d
 01436   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01437   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03f
 01438   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01439   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc041
 01440   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01441   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc043
 01442   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01443   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc045
 01444   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01445   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc047
 01446   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01447   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc049
 01448   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01449   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04b
 01450   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01451   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04d
 01452   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01453   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04f
 01454   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01455   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc051
 01456   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01457   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc053
 01458   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01459   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc057
 01460   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01461   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc059
 01462   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01463   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05b
 01464   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01465   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05d
 01466   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01467   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05f
 01468   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01469   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc017
 01470   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01471   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc019
 01472   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01473   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc018
 01474   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01475   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01a
 01476   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01477   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01c
 01478   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01479   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01e
 01480   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01481   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01b
 01482   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01483   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc068
 01484   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01485   440   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc06a
 01486   440   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01487   440   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01488   440   NtClose  (76, ... ) == 0x0
 01489   440   NtClose  (64, ... ) == 0x0
 01490   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01491   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01492   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01493   440   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01494   440   NtFreeVirtualMemory  (-1, (0xa00000), 4096, 32768, ... (0xa00000), 4096, ) == 0x0
 01495   440   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 436, 440, 2018, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 436, 440, 2018, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 436, 440, 2018, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01496   440   NtTerminateProcess  (-1, 0, ...
 01497   440   NtClose  (44, ... ) == 0x0