Summary:





NtAdjustPrivilegesToken(>)  1 
NtDeleteAtom(>)  2 
NtGdiBitBlt(>)  7 
NtQueryInformationProcess(>)  15 


NtCallbackReturn(>)  1 
NtEnumerateKey(>)  2 
NtGdiCreateDIBitmapInternal(>)  7 
NtCreateSection(>)  17 


NtCreateMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiGetDCObject(>)  7 
NtGdiDeleteObjectApp(>)  18 


NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtReadFile(>)  19 


NtCreateThread(>)  1 
NtOpenEvent(>)  2 
NtGdiGetStockObject(>)  7 
NtContinue(>)  20 


NtDelayExecution(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtGdiRestoreDC(>)  7 
NtQuerySystemInformation(>)  20 


NtDuplicateToken(>)  1 
NtQueryInstallUILanguage(>)  2 
NtGdiSaveDC(>)  7 
NtUserCallOneParam(>)  20 


NtEnumerateValueKey(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtWaitForSingleObject(>)  21 


NtGdiCreatePaletteInternal(>)  1 
NtReadVirtualMemory(>)  2 
NtOpenProcessToken(>)  7 
NtFlushInstructionCache(>)  23 


NtGdiInit(>)  1 
NtTerminateProcess(>)  2 
NtUserDestroyCursor(>)  7 
NtWriteFile(>)  23 


NtGdiQueryFontAssocInfo(>)  1 
NtUserWaitForInputIdle(>)  2 
NtUserSetCursorIconData(>)  7 
NtOpenProcessTokenEx(>)  24 


NtNotifyChangeKey(>)  1 
NtAddAtom(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenThreadTokenEx(>)  24 


NtOpenKeyedEvent(>)  1 
NtCreateSemaphore(>)  3 
NtQuerySection(>)  8 
NtOpenSection(>)  25 


NtOpenProcess(>)  1 
NtDuplicateObject(>)  3 
NtRequestWaitReplyPort(>)  8 
NtOpenFile(>)  30 


NtQueryInformationJobObject(>)  1 
NtFreeVirtualMemory(>)  3 
NtSetInformationThread(>)  8 
NtQueryAttributesFile(>)  31 


NtQueryObject(>)  1 
NtGdiHfontCreate(>)  3 
NtQueryDebugFilterState(>)  9 
NtQueryInformationToken(>)  31 


NtQuerySystemTime(>)  1 
NtOpenMutant(>)  3 
NtSetInformationFile(>)  9 
NtMapViewOfSection(>)  37 


NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtCreateEvent(>)  10 
NtReleaseMutant(>)  40 


NtResumeThread(>)  1 
NtFsControlFile(>)  4 
NtGdiCreateCompatibleDC(>)  10 
NtAllocateVirtualMemory(>)  41 


NtSecureConnectPort(>)  1 
NtOpenThreadToken(>)  4 
NtGdiExtGetObjectW(>)  10 
NtProtectVirtualMemory(>)  45 


NtTestAlert(>)  1 
NtSetValueKey(>)  4 
NtQueryDirectoryFile(>)  10 
NtUserUnregisterClass(>)  45 


NtUserCallNoParam(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  11 
NtQueryValueKey(>)  51 


NtUserEnumDisplayMonitors(>)  1 
NtUserRegisterWindowMessage(>)  5 
NtUserGetDC(>)  11 
NtGdiSelectBitmap(>)  57 


NtUserGetKeyboardLayoutList(>)  1 
NtCreateKey(>)  6 
NtUnmapViewOfSection(>)  12 
NtUserRegisterClassExWOW(>)  63 


NtUserGetThreadDesktop(>)  1 
NtQueryDefaultUILanguage(>)  6 
NtQueryDefaultLocale(>)  13 
NtUserGetClassInfo(>)  64 


NtUserSetWindowsHookEx(>)  1 
NtQueryVirtualMemory(>)  6 
NtQueryInformationFile(>)  13 
NtUserFindExistingCursorIcon(>)  72 


NtAccessCheck(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtUserSystemParametersInfo(>)  13 
NtOpenKey(>)  112 


NtCreateIoCompletion(>)  2 
NtSetInformationProcess(>)  6 
NtUserSelectPalette(>)  14 
NtClose(>)  165 





Trace:

 00001   396   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   396   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   396   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   396   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   396   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   396   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   396   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   396   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   396   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   396   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   396   NtClose  (12, ... ) == 0x0
 00014   396   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   396   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   396   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   396   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   396   NtClose  (16, ... ) == 0x0
 00021   396   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   396   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   396   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   396   NtClose  (16, ... ) == 0x0
 00026   396   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   396   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   396   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   396   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   396   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 368, 396, 1490, 0} "@N\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 368, 396, 1490, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 368, 396, 1490, 0} "@N\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   396   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   396   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   396   NtClose  (16, ... ) == 0x0
 00036   396   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   396   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   396   NtClose  (28, ... ) == 0x0
 00041   396   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   396   NtClose  (28, ... ) == 0x0
 00045   396   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   396   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   396   NtClose  (28, ... ) == 0x0
 00049   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   396   NtClose  (28, ... ) == 0x0
 00052   396   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   396   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 368, 396, 1493, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 368, 396, 1493, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 368, 396, 1493, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 128, ) == 0x0
 00057   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 128, ... (0x31428000), 8192, 4, ) == 0x0
 00058   396   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00059   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   396   NtClose  (28, ... ) == 0x0
 00062   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   396   NtClose  (28, ... ) == 0x0
 00065   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00066   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00067   396   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00068   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   396   NtClose  (28, ... ) == 0x0
 00071   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00072   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00073   396   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00074   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   396   NtClose  (28, ... ) == 0x0
 00077   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   396   NtClose  (28, ... ) == 0x0
 00080   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00081   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00082   396   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00083   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   396   NtClose  (28, ... ) == 0x0
 00086   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   396   NtClose  (28, ... ) == 0x0
 00089   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   396   NtClose  (28, ... ) == 0x0
 00092   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   396   NtClose  (28, ... ) == 0x0
 00095   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   396   NtClose  (28, ... ) == 0x0
 00098   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   396   NtClose  (28, ... ) == 0x0
 00101   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00102   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00103   396   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00104   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   396   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00106   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   396   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00109   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   396   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   396   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   396   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   396   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   396   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   396   NtClose  (40, ... ) == 0x0
 00118   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   396   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   396   NtClose  (40, ... ) == 0x0
 00122   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   396   NtClose  (36, ... ) == 0x0
 00124   396   NtClose  (28, ... ) == 0x0
 00125   396   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   396   NtClose  (32, ... ) == 0x0
 00127   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   396   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00131   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   396   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   396   NtClose  (32, ... ) == 0x0
 00135   396   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   396   NtClose  (28, ... ) == 0x0
 00137   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00138   396   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00139   396   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00140   396   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   396   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   396   NtClose  (28, ... ) == 0x0
 00143   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   396   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   396   NtClose  (28, ... ) == 0x0
 00146   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   396   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   396   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   396   NtClose  (28, ... ) == 0x0
 00150   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   396   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   396   NtClose  (28, ... ) == 0x0
 00153   396   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   396   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   396   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00158   396   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00159   396   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00160   396   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   396   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00162   396   NtClose  (32, ... ) == 0x0
 00163   396   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00164   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   396   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 368, 396, 1501, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 368, 396, 1501, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 368, 396, 1501, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00166   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   396   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0
 00168   396   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   396   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   396   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00171   396   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   396   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   396   NtClose  (-2147482208, ... ) == 0x0
 00174   396   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0
 00175   396   NtFreeVirtualMemory  (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0
 00176   396   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   396   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00178   396   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   396   NtClose  (-2147482208, ... ) == 0x0
 00180   396   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00181   396   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   396   NtClose  (-2147482208, ... ) == 0x0
 00183   396   NtQueryDefaultLocale  (0, -131036660, ... ) == 0x0
 00184   396   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   396   NtUserCallNoParam  (24, ... ) == 0x0
 00186   396   NtGdiCreateCompatibleDC  (0, ...
 00187   396   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0
 00186   396   NtGdiCreateCompatibleDC  ... ) == 0x120103c6
 00188   396   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   396   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   396   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x13050404
 00191   396   NtGdiCreateSolidBrush  (0, 0, ...
 00192   396   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00191   396   NtGdiCreateSolidBrush  ... ) == 0xe10040a
 00193   396   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   396   NtGdiCreateCompatibleDC  (0, ... ) == 0x70010384
 00195   396   NtGdiSelectBitmap  (1879114628, 319095812, ... ) == 0x185000f
 00196   396   NtUserGetThreadDesktop  (396, 0, ... ) == 0x2c
 00197   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   396   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   396   NtClose  (52, ... ) == 0x0
 00200   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00201   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00202   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00203   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00204   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00205   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00206   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00208   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00209   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00210   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00211   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00212   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00213   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00214   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00216   396   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00217   396   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00218   396   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00219   396   NtAllocateVirtualMemory  (-1, 5533696, 0, 4096, 4096, 32, ... 5533696, 4096, ) == 0x0
 00218   396   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00220   396   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00221   396   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00222   396   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00223   396   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00224   396   NtCallbackReturn  (0, 0, 0, ...
 00225   396   NtGdiInit  (... ) == 0x1
 00226   396   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00227   396   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00228   396   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   396   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00231   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00232   396   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   396   NtClose  (52, ... ) == 0x0
 00234   396   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00235   396   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00236   396   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00237   396   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00238   396   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00239   396   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00240   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00241   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00242   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00243   396   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00244   396   NtClose  (60, ... ) == 0x0
 00245   396   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00246   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00247   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00248   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00249   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00250   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00251   396   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   396   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   396   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   396   NtClose  (60, ... ) == 0x0
 00255   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00256   396   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   396   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   396   NtClose  (60, ... ) == 0x0
 00259   396   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   396   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00261   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   396   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   396   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00265   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00266   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00267   396   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   396   NtClose  (60, ... ) == 0x0
 00269   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00270   396   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00271   396   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00272   396   NtQueryDefaultUILanguage  (1241768, ...
 00273   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00274   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00275   396   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00276   396   NtClose  (-2147482208, ... ) == 0x0
 00277   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00278   396   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   396   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0
 00280   396   NtQueryValueKey  (-2147482204,  (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   396   NtClose  (-2147482204, ... ) == 0x0
 00282   396   NtClose  (-2147482208, ... ) == 0x0
 00272   396   NtQueryDefaultUILanguage  ... ) == 0x0
 00283   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   396   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00285   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   396   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00287   396   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0
 00288   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   396   NtQueryDefaultUILanguage  (2013024600, ...
 00290   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00291   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00292   396   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00293   396   NtClose  (-2147482208, ... ) == 0x0
 00294   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00295   396   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   396   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0
 00297   396   NtQueryValueKey  (-2147482204,  (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   396   NtClose  (-2147482204, ... ) == 0x0
 00299   396   NtClose  (-2147482208, ... ) == 0x0
 00289   396   NtQueryDefaultUILanguage  ... ) == 0x0
 00300   396   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00301   396   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00302   396   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00303   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   396   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 368, 396, 1506, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 368, 396, 1506, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 368, 396, 1506, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00305   396   NtClose  (68, ... ) == 0x0
 00306   396   NtClose  (72, ... ) == 0x0
 00307   396   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00308   396   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00309   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   396   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00318   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00319   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00321   396   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00322   396   NtClose  (68, ... ) == 0x0
 00323   396   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00324   396   NtClose  (76, ... ) == 0x0
 00325   396   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00326   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00327   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00328   396   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00329   396   NtClose  (76, ... ) == 0x0
 00330   396   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00331   396   NtClose  (68, ... ) == 0x0
 00332   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00339   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00340   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00341   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00342   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00343   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00344   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00345   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00346   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00347   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00348   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00349   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00350   396   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00351   396   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00352   396   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00353   396   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 00354   396   NtQueryDefaultUILanguage  (1238836, ...
 00355   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00357   396   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   396   NtClose  (-2147482208, ... ) == 0x0
 00359   396   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00360   396   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   396   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0
 00362   396   NtQueryValueKey  (-2147482204,  (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   396   NtClose  (-2147482204, ... ) == 0x0
 00364   396   NtClose  (-2147482208, ... ) == 0x0
 00354   396   NtQueryDefaultUILanguage  ... ) == 0x0
 00365   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0
 00367   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00368   396   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00369   396   NtClose  (68, ... ) == 0x0
 00370   396   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0
 00371   396   NtClose  (76, ... ) == 0x0
 00372   396   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00373   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0
 00374   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238028,  (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00375   396   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00376   396   NtClose  (76, ... ) == 0x0
 00377   396   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0
 00378   396   NtClose  (68, ... ) == 0x0
 00379   396   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00380   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00381   396   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00382   396   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0
 00383   396   NtQueryInformationFile  (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00384   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   396   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 368, 396, 1507, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 368, 396, 1507, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 368, 396, 1507, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ) == 0x0
 00386   396   NtClose  (68, ... ) == 0x0
 00387   396   NtClose  (76, ... ) == 0x0
 00388   396   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00389   396   NtUnmapViewOfSection  (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00390   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00391   396   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00392   396   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00393   396   NtUserGetDC  (0, ... ) == 0x1010050
 00394   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00395   396   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00396   396   NtUserSystemParametersInfo  (66, 12, 1240140, 0, ... ) == 0x1
 00397   396   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00398   396   NtAccessCheck  (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00399   396   NtClose  (76, ... ) == 0x0
 00400   396   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00401   396   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   396   NtClose  (76, ... ) == 0x0
 00403   396   NtUserSystemParametersInfo  (41, 500, 1239640, 0, ... ) == 0x1
 00404   396   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00405   396   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00407   396   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   396   NtClose  (68, ... ) == 0x0
 00409   396   NtClose  (76, ... ) == 0x0
 00410   396   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00411   396   NtUserSystemParametersInfo  (4130, 0, 1240164, 0, ... ) == 0x1
 00412   396   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00413   396   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00414   396   NtClose  (76, ... ) == 0x0
 00415   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00416   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03b
 00417   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03d
 00418   396   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00419   396   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc03f
 00420   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00421   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc041
 00422   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00423   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc043
 00424   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc045
 00425   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00426   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc047
 00427   396   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00428   396   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc049
 00429   396   NtUserGetClassInfo  (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049
 00430   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00431   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04b
 00432   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00433   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04d
 00434   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00435   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04f
 00436   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc051
 00437   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00438   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc053
 00439   396   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00440   396   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc055
 00441   396   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc057
 00442   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00443   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc059
 00444   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10013
 00445   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05b
 00446   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00447   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05d
 00448   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00449   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05f
 00450   396   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00451   396   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc017
 00452   396   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00453   396   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc019
 00454   396   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10013
 00455   396   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc018
 00456   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00457   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc01a
 00458   396   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00459   396   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ...
 00460   396   NtAllocateVirtualMemory  (-1, 5537792, 0, 4096, 4096, 32, ... 5537792, 4096, ) == 0x0
 00459   396   NtUserRegisterClassExWOW  ... ) == 0x810dc01c
 00461   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00462   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc01e
 00463   396   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00464   396   NtUserRegisterClassExWOW  (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810dc01b
 00465   396   NtUserFindExistingCursorIcon  (1239440, 1239456, 1240024, ... ) == 0x10011
 00466   396   NtUserRegisterClassExWOW  (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810dc068
 00467   396   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00468   396   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc06a
 00469   396   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00470   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00471   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00472   396   NtTestAlert  (... ) == 0x0
 00473   396   NtContinue  (1244464, 1, ...
 00474   396   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3142a000,}, 4, ... ) == 0x0
 00475   396   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 00476   396   NtQueryValueKey  (68,  (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   396   NtClose  (68, ... ) == 0x0
 00478   396   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00479   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0
 00480   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00481   396   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 368, 396, 1508, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 368, 396, 1508, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 368, 396, 1508, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00482   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0
 00483   396   NtClose  (80, ... ) == 0x0
 00484   396   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00485   396   NtClose  (-2147482208, ... ) == 0x0
 00484   396   NtCreateFile  ... 80, {status=0x0, info=3}, ) == 0x0
 00486   396   NtSetInformationFile  (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00487   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\33?f\0Te6\0Re9\0\251\2326\0\356e6\0Ve6\0\26e,\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Vg6\0\354u6\16I\321?\315w\3357L\233D\246\220\2\15_sv\25Do1\27Wmv\10Cs"ETev\27Cnv\20Xd3\27\26W?\13\52[o\227Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0", ) ETev\27Cnv\20Xd3\27\26W?\13\52[o\227Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0Ve6\0", ) == 0x0
 00488   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00489   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\3m\0\349Y{E9\27O,\366\10W\10ff\267\7\236\255P\3314\245w\304\236&\376#\232\267\32\210f\243M\22\27k\327\311\256#\36I\262S-\37R\252\306f\206\231\2023P\246\327\15g\347\3164\210\11t\266\6\1\306XhS\344 \222WqW\236\341\376\257\32KGP\277!6(W\271\266\24\325_\34\12&`3\34=\316\340\12\2765\344\321\324\2026\225\17\322t\204\1\272z\207\222-\376\324Q\241l\2743\314\321$]n-a\320\251\260[\372\225\353\17", ) , ) == 0x0
 00490   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00491   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\201\247=X\356w#wgo:H\205(\365\30\34\363z\340\3\300\204HV\316\244\345\346\340\201}N!v\221\263\365SZ29nYX>\254\0\4.UT\6\1\17dM\7"62\5\247\345\306\0\!:\15g\226\25\363D\14"\25\32\35\237\5\375z*PN@|\344\256CF\31,\301)\340\242\235\315\5Q\20\370\25\215\363o\316`%D\355:9}\341&\274Q\356\2609\314$\272\14\336\12v\323\251\222\34\276~\357q\10l\265B9\240#\2153\374,\343\256\316\271a\4\257\11s]\341ap4\245#)\306\340'"\270\370\211"\5Z+3>R\362|Vf\23\224\310\274\343\13\366Sn\266K\26=\365\13\304\342c?]\25\365k\371H\335\221\352\201\376\257b\2557\367WK\316\27\262#Wl%\342X\31\262\346eT$\20S\1xf\276\49\220\7\322\3345 DFg\1\304\323\33\275wmT\377\212\36&r\10\252\232t\267\11e>\215#j\275|^b\7\300\334k\15J\252\20\201~\367>\270\\\227*\16\240\246\351\237\37\20\324o\15\316\307\371A%\22\16W\\316~\213\300Q\5{\241\15\200nB9MR>\315\302$\201\263\2579\322\211\202"\312\277\321_\4=\212\21\357\34\201\2467\330\356\267\232\351\177\215\357nc\302\357h\12\323>eo:\31(\13@}\271\36[\\302\355[\233n\32\326\202\3519\235\231\201\0\31t.\33#\211\333\355`g\207 \301\216\376?\326\200\351:\340\245\333\355L\216\324\35\334\11,\221:}t\305\304\232\364\11\256\202}u\246\352\225:\335Z\205\4\326Z3\266\13\3061\203\207*7\267Y\227\311\255\374\322|\20,b\310\261$nA\15Y\332\377\3\34\271\234\5j\242\311\321\330\277\311B\263\353\17\1", ) 62\5\247\345\306\0\!:\15g\226\25\363D\14 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\201\247=X\356w#wgo:H\205(\365\30\34\363z\340\3\300\204HV\316\244\345\346\340\201}N!v\221\263\365SZ29nYX>\254\0\4.UT\6\1\17dM\7"62\5\247\345\306\0\!:\15g\226\25\363D\14"\25\32\35\237\5\375z*PN@|\344\256CF\31,\301)\340\242\235\315\5Q\20\370\25\215\363o\316`%D\355:9}\341&\274Q\356\2609\314$\272\14\336\12v\323\251\222\34\276~\357q\10l\265B9\240#\2153\374,\343\256\316\271a\4\257\11s]\341ap4\245#)\306\340'"\270\370\211"\5Z+3>R\362|Vf\23\224\310\274\343\13\366Sn\266K\26=\365\13\304\342c?]\25\365k\371H\335\221\352\201\376\257b\2557\367WK\316\27\262#Wl%\342X\31\262\346eT$\20S\1xf\276\49\220\7\322\3345 DFg\1\304\323\33\275wmT\377\212\36&r\10\252\232t\267\11e>\215#j\275|^b\7\300\334k\15J\252\20\201~\367>\270\\\227*\16\240\246\351\237\37\20\324o\15\316\307\371A%\22\16W\\316~\213\300Q\5{\241\15\200nB9MR>\315\302$\201\263\2579\322\211\202"\312\277\321_\4=\212\21\357\34\201\2467\330\356\267\232\351\177\215\357nc\302\357h\12\323>eo:\31(\13@}\271\36[\\302\355[\233n\32\326\202\3519\235\231\201\0\31t.\33#\211\333\355`g\207 \301\216\376?\326\200\351:\340\245\333\355L\216\324\35\334\11,\221:}t\305\304\232\364\11\256\202}u\246\352\225:\335Z\205\4\326Z3\266\13\3061\203\207*7\267Y\227\311\255\374\322|\20,b\310\261$nA\15Y\332\377\3\34\271\234\5j\242\311\321\330\277\311B\263\353\17\1", ) \270\370\211 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\201\247=X\356w#wgo:H\205(\365\30\34\363z\340\3\300\204HV\316\244\345\346\340\201}N!v\221\263\365SZ29nYX>\254\0\4.UT\6\1\17dM\7"62\5\247\345\306\0\!:\15g\226\25\363D\14"\25\32\35\237\5\375z*PN@|\344\256CF\31,\301)\340\242\235\315\5Q\20\370\25\215\363o\316`%D\355:9}\341&\274Q\356\2609\314$\272\14\336\12v\323\251\222\34\276~\357q\10l\265B9\240#\2153\374,\343\256\316\271a\4\257\11s]\341ap4\245#)\306\340'"\270\370\211"\5Z+3>R\362|Vf\23\224\310\274\343\13\366Sn\266K\26=\365\13\304\342c?]\25\365k\371H\335\221\352\201\376\257b\2557\367WK\316\27\262#Wl%\342X\31\262\346eT$\20S\1xf\276\49\220\7\322\3345 DFg\1\304\323\33\275wmT\377\212\36&r\10\252\232t\267\11e>\215#j\275|^b\7\300\334k\15J\252\20\201~\367>\270\\\227*\16\240\246\351\237\37\20\324o\15\316\307\371A%\22\16W\\316~\213\300Q\5{\241\15\200nB9MR>\315\302$\201\263\2579\322\211\202"\312\277\321_\4=\212\21\357\34\201\2467\330\356\267\232\351\177\215\357nc\302\357h\12\323>eo:\31(\13@}\271\36[\\302\355[\233n\32\326\202\3519\235\231\201\0\31t.\33#\211\333\355`g\207 \301\216\376?\326\200\351:\340\245\333\355L\216\324\35\334\11,\221:}t\305\304\232\364\11\256\202}u\246\352\225:\335Z\205\4\326Z3\266\13\3061\203\207*7\267Y\227\311\255\374\322|\20,b\310\261$nA\15Y\332\377\3\34\271\234\5j\242\311\321\330\277\311B\263\353\17\1", ) \312\277\321_\4=\212\21\357\34\201\2467\330\356\267\232\351\177\215\357nc\302\357h\12\323>eo:\31(\13@}\271\36[\\302\355[\233n\32\326\202\3519\235\231\201\0\31t.\33#\211\333\355`g\207 \301\216\376?\326\200\351:\340\245\333\355L\216\324\35\334\11,\221:}t\305\304\232\364\11\256\202}u\246\352\225:\335Z\205\4\326Z3\266\13\3061\203\207*7\267Y\227\311\255\374\322|\20,b\310\261$nA\15Y\332\377\3\34\271\234\5j\242\311\321\330\277\311B\263\353\17\1", ) == 0x0
 00492   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00493   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\300\216\313\265\326\262\232f\5\354\263\6@\345\274\265!\243\263\227)kA\210\332\202\22\3iS\211_\305o\6\345\242W\35f\331*\210\342\36\251\240\334\350\243>\e\202\2741Kq\263'O\3660O<\2554W\2424\316\322\307i\271\337\362\2t^?2\310\313\341\240\244}\273\307t5>e\364\37\22\361\3md"\21\345\3605\336\351s\13\36\347\235\200\370\357:&\177\345\7\254k\201\335\12KnA\266\240\343\313\13\31\357c\373A4svc\3\367if\344\3221\2219@\214s\35\32\2\%\264\32\322n\316B\361s\266{c\323&\31\230\373F\353QA\342\350e\345\240t\325'\21!>"\310\2629\244\246\366\326yX\246\216*\30\12\305\235a\236\326&\35e\254b\17\301\357-\0\321\211.\1\224\25\357\22\364k\365^id\304\204\15\342\35\271\3\233\302\15\343\2232\322+\223s\376!3\356\353|t\32\332T#\312\26\210\30\5:j\30=`\302||\33X\377^O\307!k\25^A\24\16Wyw\3406\362T\364\25\357$\20\242?\220\266PlY\21\256\225\232\0N\2052Uxl\37*_a\221\26^5Z\253\352\221%\4\235\355\21\247\24c\34H\276\375\3059\217+\203j\243c\306\354\270\16d\321\205%\316\234\224g\2\0\5\22H\350)\25]\330\372u)\322\2560k8", ) \21\345\3605\336\351s\13\36\347\235\200\370\357:&\177\345\7\254k\201\335\12KnA\266\240\343\313\13\31\357c\373A4svc\3\367if\344\3221\2219@\214s\35\32\2\%\264\32\322n\316B\361s\266{c\323&\31\230\373F\353QA\342\350e\345\240t\325'\21!>273\5B\203\365\377{H\332N0\304\241\3600\302\26\364C\343\226\266\202o\302\364\206\257&\240t5\206\326{\2741C\252(Y\0m5\12/zD\25\207F\22\128M\27\376\310j]\128\177D\20\205\361\202y\210Q\276\15w\15k\242\341Wi\226\346\227\3706\233^\370\243Mg\30,\223\242`\272\374T z\240\247&\360\7\350\244`\325s (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\300\216\313\265\326\262\232f\5\354\263\6@\345\274\265!\243\263\227)kA\210\332\202\22\3iS\211_\305o\6\345\242W\35f\331*\210\342\36\251\240\334\350\243>\e\202\2741Kq\263'O\3660O<\2554W\2424\316\322\307i\271\337\362\2t^?2\310\313\341\240\244}\273\307t5>e\364\37\22\361\3md"\21\345\3605\336\351s\13\36\347\235\200\370\357:&\177\345\7\254k\201\335\12KnA\266\240\343\313\13\31\357c\373A4svc\3\367if\344\3221\2219@\214s\35\32\2\%\264\32\322n\316B\361s\266{c\323&\31\230\373F\353QA\342\350e\345\240t\325'\21!>"\310\2629\244\246\366\326yX\246\216*\30\12\305\235a\236\326&\35e\254b\17\301\357-\0\321\211.\1\224\25\357\22\364k\365^id\304\204\15\342\35\271\3\233\302\15\343\2232\322+\223s\376!3\356\353|t\32\332T#\312\26\210\30\5:j\30=`\302||\33X\377^O\307!k\25^A\24\16Wyw\3406\362T\364\25\357$\20\242?\220\266PlY\21\256\225\232\0N\2052Uxl\37*_a\221\26^5Z\253\352\221%\4\235\355\21\247\24c\34H\276\375\3059\217+\203j\243c\306\354\270\16d\321\205%\316\234\224g\2\0\5\22H\350)\25]\330\372u)\322\2560k8", ) , ) == 0x0
 00494   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00495   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "I\12\364#wu\366\11\356I\344\3452j\237y0\247\267\307\26\7-\341HG\264|Wm\264.\16s#&u\316\336{\27\327\365\270Xi\216%\27\331\347\273\337=\20w\200\350F\30A\335\207\263\221o\277\34\237wK\314\20\337= ^3\255\301\300\315\354\233;h\320{\332e\330Y\214\17*\334\212M1\361#\260\233\210Ta\361]V\333\27\264\260\215'xl\3)a\346\255V\315\242x\312\252\3\367\34\262\374ec\315(\362\16\322c\23\23_"za\307Xn4CsM\2548\275d\331\305\364FX\5\346\254@Y\272\10;Px8\332\271!)N\353k\324\214\370F\21?F\212}X\303^\303\21\25\212{>D)\375\333\2425E\203\347\226%\217\14e$\343\222*d\210v\336D\2610\342\253F\302O\254\177q\16\15\370\345:"\237#,\222;\23\345C>2\10\356C\2\23\2J\2\246\276=Vo\334\4\346_\26ml\14\215\3030\254^*`|\343\241\246\352\36\30c\325\235\366d\275R$\310\14;Xa\247\21h\332V\355\265M\345\3320a\254\302\246On\2765\374\302\0\31`KG\265^s&\214\274r\277\342z\250\353q>\315\206$\22\320\177\4Vp\276\367\;f\345n\376Z\362D\25s\344\6\335/F\314\351=\254\323\5\277\24\200\345\262\35\7\241\213\332d7X\356\347\223IZ<\321\362D\205U\2\204\365\322iZ\13\326\14\244`3\333W\177\326\262Y\342\253\330\\355\15td\233\210j\\374\326\340\4\311\15\205\353\22\220\21\352D\206\177\346\254\240\30Z\363e|\0\307w\357\326\324~iE\177!\217\1\267m\370?X \311d\275\244\215@\251\37\343]/~\7", ) za\307Xn4CsM\2548\275d\331\305\364FX\5\346\254@Y\272\10;Px8\332\271!)N\353k\324\214\370F\21?F\212}X\303^\303\21\25\212{>D)\375\333\2425E\203\347\226%\217\14e$\343\222*d\210v\336D\2610\342\253F\302O\254\177q\16\15\370\345: (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "I\12\364#wu\366\11\356I\344\3452j\237y0\247\267\307\26\7-\341HG\264|Wm\264.\16s#&u\316\336{\27\327\365\270Xi\216%\27\331\347\273\337=\20w\200\350F\30A\335\207\263\221o\277\34\237wK\314\20\337= ^3\255\301\300\315\354\233;h\320{\332e\330Y\214\17*\334\212M1\361#\260\233\210Ta\361]V\333\27\264\260\215'xl\3)a\346\255V\315\242x\312\252\3\367\34\262\374ec\315(\362\16\322c\23\23_"za\307Xn4CsM\2548\275d\331\305\364FX\5\346\254@Y\272\10;Px8\332\271!)N\353k\324\214\370F\21?F\212}X\303^\303\21\25\212{>D)\375\333\2425E\203\347\226%\217\14e$\343\222*d\210v\336D\2610\342\253F\302O\254\177q\16\15\370\345:"\237#,\222;\23\345C>2\10\356C\2\23\2J\2\246\276=Vo\334\4\346_\26ml\14\215\3030\254^*`|\343\241\246\352\36\30c\325\235\366d\275R$\310\14;Xa\247\21h\332V\355\265M\345\3320a\254\302\246On\2765\374\302\0\31`KG\265^s&\214\274r\277\342z\250\353q>\315\206$\22\320\177\4Vp\276\367\;f\345n\376Z\362D\25s\344\6\335/F\314\351=\254\323\5\277\24\200\345\262\35\7\241\213\332d7X\356\347\223IZ<\321\362D\205U\2\204\365\322iZ\13\326\14\244`3\333W\177\326\262Y\342\253\330\\355\15td\233\210j\\374\326\340\4\311\15\205\353\22\220\21\352D\206\177\346\254\240\30Z\363e|\0\307w\357\326\324~iE\177!\217\1\267m\370?X \311d\275\244\215@\251\37\343]/~\7", ) , ) == 0x0
 00496   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00497   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "d\373f\20\221Ev\12\344-\12\350\210n`\34^H\23\14b\2677\324\235B\302\377\3268\217At\353\255\275\211-=\250\211C\304+\221;d J\256\310\342\24\320\346R\312{\275\373\306\12\335\22\15r8\3320\232 -R\2\213K\271^\335J=\377\35U"=\1W`EQ\22UA\23\21\245Q\27%\371\361\266\341\23\265kN\314\352S\377\262BO\336D\27\270\252\323tB%`\255W\267\264"\260\312\270\7\306\330\34cZ\25UNfj\320%\333u\10\322\254[C\241\22\1\323\374\377\325\314\303\217tU\220\374\21{+Y\11\345\303_\237\216\201z\223o\11S\206\37\15-\3\231ef\135u\26kG{\250\212\360E\336\13-:,\3\348\267xB\241l\357x]H\23\3C\227'\32\323]'!\1b\317\4c&S\12\1}c\335x\317JnNZ\260\201\364,\304]k\344 \3PZ\24Yz\230\32B\33\356;\5A\236\345\220\304\224]S\362u\30\330\241\333\200\243)\232#\206\354\24\306\25b\263\373\235V\337\1\207\241\34eV$\262\12\0\301]\337(\232%\211R\243v,Vf\23@;Q4\324\305IP\210\313\15R\242R\264M~v\205'\360)Y\321:\14\315L\237\240 B\371Z\276{\21M\177\372-b\265H\49\216\32\215\22\2360\205\204\304\300}a%\353\2353\224j\3x(\14"k2\217\357(\33\27FN\364\263c\22A\4(c\356\344\236N\374\15`\7\32>\335jk\20"x\202\205\306$\214\0\217\335\2663\17\212\364\342\2502w\36b\340[\200\215^_tO\225:PKW?'\230]\377;f\345j\310V\321\6\366w\305E0\345j\276\4\352H\272\204a6\16\27\3375\16\221\327\317\247&\344f"\275", ) =\1W`EQ\22UA\23\21\245Q\27%\371\361\266\341\23\265kN\314\352S\377\262BO\336D\27\270\252\323tB%`\255W\267\264 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "d\373f\20\221Ev\12\344-\12\350\210n`\34^H\23\14b\2677\324\235B\302\377\3268\217At\353\255\275\211-=\250\211C\304+\221;d J\256\310\342\24\320\346R\312{\275\373\306\12\335\22\15r8\3320\232 -R\2\213K\271^\335J=\377\35U"=\1W`EQ\22UA\23\21\245Q\27%\371\361\266\341\23\265kN\314\352S\377\262BO\336D\27\270\252\323tB%`\255W\267\264"\260\312\270\7\306\330\34cZ\25UNfj\320%\333u\10\322\254[C\241\22\1\323\374\377\325\314\303\217tU\220\374\21{+Y\11\345\303_\237\216\201z\223o\11S\206\37\15-\3\231ef\135u\26kG{\250\212\360E\336\13-:,\3\348\267xB\241l\357x]H\23\3C\227'\32\323]'!\1b\317\4c&S\12\1}c\335x\317JnNZ\260\201\364,\304]k\344 \3PZ\24Yz\230\32B\33\356;\5A\236\345\220\304\224]S\362u\30\330\241\333\200\243)\232#\206\354\24\306\25b\263\373\235V\337\1\207\241\34eV$\262\12\0\301]\337(\232%\211R\243v,Vf\23@;Q4\324\305IP\210\313\15R\242R\264M~v\205'\360)Y\321:\14\315L\237\240 B\371Z\276{\21M\177\372-b\265H\49\216\32\215\22\2360\205\204\304\300}a%\353\2353\224j\3x(\14"k2\217\357(\33\27FN\364\263c\22A\4(c\356\344\236N\374\15`\7\32>\335jk\20"x\202\205\306$\214\0\217\335\2663\17\212\364\342\2502w\36b\340[\200\215^_tO\225:PKW?'\230]\377;f\345j\310V\321\6\366w\305E0\345j\276\4\352H\272\204a6\16\27\3375\16\221\327\317\247&\344f"\275", ) k2\217\357(\33\27FN\364\263c\22A\4(c\356\344\236N\374\15`\7\32>\335jk\20 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "d\373f\20\221Ev\12\344-\12\350\210n`\34^H\23\14b\2677\324\235B\302\377\3268\217At\353\255\275\211-=\250\211C\304+\221;d J\256\310\342\24\320\346R\312{\275\373\306\12\335\22\15r8\3320\232 -R\2\213K\271^\335J=\377\35U"=\1W`EQ\22UA\23\21\245Q\27%\371\361\266\341\23\265kN\314\352S\377\262BO\336D\27\270\252\323tB%`\255W\267\264"\260\312\270\7\306\330\34cZ\25UNfj\320%\333u\10\322\254[C\241\22\1\323\374\377\325\314\303\217tU\220\374\21{+Y\11\345\303_\237\216\201z\223o\11S\206\37\15-\3\231ef\135u\26kG{\250\212\360E\336\13-:,\3\348\267xB\241l\357x]H\23\3C\227'\32\323]'!\1b\317\4c&S\12\1}c\335x\317JnNZ\260\201\364,\304]k\344 \3PZ\24Yz\230\32B\33\356;\5A\236\345\220\304\224]S\362u\30\330\241\333\200\243)\232#\206\354\24\306\25b\263\373\235V\337\1\207\241\34eV$\262\12\0\301]\337(\232%\211R\243v,Vf\23@;Q4\324\305IP\210\313\15R\242R\264M~v\205'\360)Y\321:\14\315L\237\240 B\371Z\276{\21M\177\372-b\265H\49\216\32\215\22\2360\205\204\304\300}a%\353\2353\224j\3x(\14"k2\217\357(\33\27FN\364\263c\22A\4(c\356\344\236N\374\15`\7\32>\335jk\20"x\202\205\306$\214\0\217\335\2663\17\212\364\342\2502w\36b\340[\200\215^_tO\225:PKW?'\230]\377;f\345j\310V\321\6\366w\305E0\345j\276\4\352H\272\204a6\16\27\3375\16\221\327\317\247&\344f"\275", ) \275", ) == 0x0
 00498   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00499   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "T\226\356H#\317\234\277\236$\24\210\213\346\273\327\5:\206\337A\245\376dD<\36`\0`\202aMw\213\377@\265\325'\356?\17\212\32d\311\200\277o\270\375\214?\216\4U\372|\215p\1\2?Q\220\273I\26/C\336\11\27\235\14\212\124\25&i\304L\265lL\4\221\33\227\4\374\306\304dW@A\2u\231\3642t'\215\31\20\200x5\244&\370W^wBh\334\206\276Nl\0_\325\373\235e=l\356\11\355\216G\354\370\242\323\17\325J\323\340Y#\264+;zG\245\335\336\205N\0\246\317d*[6\302-\304F\204\215+\235\223v<\344\3540"\246\276\0,l:\254\265\342\310 v\307'\3\264\270\350\201L\204E\36\274\373\371\223W\3065}"\21X\243\30S\22]:\33d\16\202\222\216"I8~\354^\207tn]\3277\12\274\2548IaS\365\3T\355\377\26\246{\2166\12\265\170*\221\0\213\352^\251\220\334|e\32\22(\313\372\362\221\245\307\331w$DD(\25<\3266"CW\337\246j\306\2\245&\337\266w"(v\303C^\5:tMH\311\257R\347Y\272D\344u\4\3345q\351\37K\365\35\275\249\270\256\342\12\344\306\235\316CR\235\376\0$@\316\3703\245\325M\256\27\217kr`\263\344p\365\205"\23\376\246\324\244\276m\306\334^\214\220Ow\24\36\266\245T\246\240\3360=g6\311E\254\21\357TM9aPu\213oV*na\7\264THFB\235\360f\361R\24jep`\225M~`q}\7\30", ) \246\276\0,l:\254\265\342\310 v\307'\3\264\270\350\201L\204E\36\274\373\371\223W\3065} (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "T\226\356H#\317\234\277\236$\24\210\213\346\273\327\5:\206\337A\245\376dD<\36`\0`\202aMw\213\377@\265\325'\356?\17\212\32d\311\200\277o\270\375\214?\216\4U\372|\215p\1\2?Q\220\273I\26/C\336\11\27\235\14\212\124\25&i\304L\265lL\4\221\33\227\4\374\306\304dW@A\2u\231\3642t'\215\31\20\200x5\244&\370W^wBh\334\206\276Nl\0_\325\373\235e=l\356\11\355\216G\354\370\242\323\17\325J\323\340Y#\264+;zG\245\335\336\205N\0\246\317d*[6\302-\304F\204\215+\235\223v<\344\3540"\246\276\0,l:\254\265\342\310 v\307'\3\264\270\350\201L\204E\36\274\373\371\223W\3065}"\21X\243\30S\22]:\33d\16\202\222\216"I8~\354^\207tn]\3277\12\274\2548IaS\365\3T\355\377\26\246{\2166\12\265\170*\221\0\213\352^\251\220\334|e\32\22(\313\372\362\221\245\307\331w$DD(\25<\3266"CW\337\246j\306\2\245&\337\266w"(v\303C^\5:tMH\311\257R\347Y\272D\344u\4\3345q\351\37K\365\35\275\249\270\256\342\12\344\306\235\316CR\235\376\0$@\316\3703\245\325M\256\27\217kr`\263\344p\365\205"\23\376\246\324\244\276m\306\334^\214\220Ow\24\36\266\245T\246\240\3360=g6\311E\254\21\357TM9aPu\213oV*na\7\264THFB\235\360f\361R\24jep`\225M~`q}\7\30", ) I8~\354^\207tn]\3277\12\274\2548IaS\365\3T\355\377\26\246{\2166\12\265\170*\221\0\213\352^\251\220\334|e\32\22(\313\372\362\221\245\307\331w$DD(\25<\3266 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "T\226\356H#\317\234\277\236$\24\210\213\346\273\327\5:\206\337A\245\376dD<\36`\0`\202aMw\213\377@\265\325'\356?\17\212\32d\311\200\277o\270\375\214?\216\4U\372|\215p\1\2?Q\220\273I\26/C\336\11\27\235\14\212\124\25&i\304L\265lL\4\221\33\227\4\374\306\304dW@A\2u\231\3642t'\215\31\20\200x5\244&\370W^wBh\334\206\276Nl\0_\325\373\235e=l\356\11\355\216G\354\370\242\323\17\325J\323\340Y#\264+;zG\245\335\336\205N\0\246\317d*[6\302-\304F\204\215+\235\223v<\344\3540"\246\276\0,l:\254\265\342\310 v\307'\3\264\270\350\201L\204E\36\274\373\371\223W\3065}"\21X\243\30S\22]:\33d\16\202\222\216"I8~\354^\207tn]\3277\12\274\2548IaS\365\3T\355\377\26\246{\2166\12\265\170*\221\0\213\352^\251\220\334|e\32\22(\313\372\362\221\245\307\331w$DD(\25<\3266"CW\337\246j\306\2\245&\337\266w"(v\303C^\5:tMH\311\257R\347Y\272D\344u\4\3345q\351\37K\365\35\275\249\270\256\342\12\344\306\235\316CR\235\376\0$@\316\3703\245\325M\256\27\217kr`\263\344p\365\205"\23\376\246\324\244\276m\306\334^\214\220Ow\24\36\266\245T\246\240\3360=g6\311E\254\21\357TM9aPu\213oV*na\7\264THFB\235\360f\361R\24jep`\225M~`q}\7\30", ) (v\303C^\5:tMH\311\257R\347Y\272D\344u\4\3345q\351\37K\365\35\275\249\270\256\342\12\344\306\235\316CR\235\376\0$@\316\3703\245\325M\256\27\217kr`\263\344p\365\205274\343\240\335\362\2246%\367p\215\356\367 *%\362\30\262C\3477r\\235\362N\376\274S\21\3428\16V\301:\353o\227#HS\3264(^\346d\362Sg\21\350J\357iR\27\325\217h (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "T\226\356H#\317\234\277\236$\24\210\213\346\273\327\5:\206\337A\245\376dD<\36`\0`\202aMw\213\377@\265\325'\356?\17\212\32d\311\200\277o\270\375\214?\216\4U\372|\215p\1\2?Q\220\273I\26/C\336\11\27\235\14\212\124\25&i\304L\265lL\4\221\33\227\4\374\306\304dW@A\2u\231\3642t'\215\31\20\200x5\244&\370W^wBh\334\206\276Nl\0_\325\373\235e=l\356\11\355\216G\354\370\242\323\17\325J\323\340Y#\264+;zG\245\335\336\205N\0\246\317d*[6\302-\304F\204\215+\235\223v<\344\3540"\246\276\0,l:\254\265\342\310 v\307'\3\264\270\350\201L\204E\36\274\373\371\223W\3065}"\21X\243\30S\22]:\33d\16\202\222\216"I8~\354^\207tn]\3277\12\274\2548IaS\365\3T\355\377\26\246{\2166\12\265\170*\221\0\213\352^\251\220\334|e\32\22(\313\372\362\221\245\307\331w$DD(\25<\3266"CW\337\246j\306\2\245&\337\266w"(v\303C^\5:tMH\311\257R\347Y\272D\344u\4\3345q\351\37K\365\35\275\249\270\256\342\12\344\306\235\316CR\235\376\0$@\316\3703\245\325M\256\27\217kr`\263\344p\365\205"\23\376\246\324\244\276m\306\334^\214\220Ow\24\36\266\245T\246\240\3360=g6\311E\254\21\357TM9aPu\213oV*na\7\264THFB\235\360f\361R\24jep`\225M~`q}\7\30", ) , ) == 0x0
 00500   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00501   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ".\5\30\230\35+Y\374A\227\31{\35v~S&\11_t\0\311\327,w:{\4?5\317b)<\261S\7)aa~\62\205\326\3403\323\342B4\366F(6\227Rb\2 7\336\372\327\15m\1\260\15\222\255\0a\7\35zUv\5\25\344A\1\12\315(\206\17UJ\25\340V2\275\326\37q\12\0>\32~S\37!7\340[\35\357\220\324\207\333\353FD\375I\354\235n\305W\207U\262em\257\260d\31u\214B\247h}\33367\271W&w\202\334v\24|#e\15\200O\347x`\214p\276\267U\205>*S\304?\12n`\17\327\374U\264\216 \129\271{\0\11\242\364\321\13\215@\354\237(F\331+ \305d\242<\343d\362u\251\345"\6CX\266XF\202\17\242\3[4\201JeQ\307t\3051\25\264k\36h\237\326\232\221Y4=\5\226vLr9~\224\362\242^N\4z\2325\24m3>I\2v\274|\235b*\325\372\7\203\252R\261\272\325S\177B\364\306J\236\11)\236\316\207\313uj\235\252A\36\242q\316n\24XR,9\244\365\3458\10c\177s\22tR\200\24\2\326U\33+\214"q\232\3354\0\312u9\377\232u\213\2h(~u[0\263"\240\230o8\275X\210\16\222Y\205 V\241\335&\376\364)*>p\303\205R\3656|\23\22\34\12"\30NE\26\313\344I\375$rM\36,zq\255\04\262\307\202\6$\272\355\2e\235SY\220\276f\7\332}\242u?4\213\207f\334\11\202\306\223v6\211:\3", ) \6CX\266XF\202\17\242\3[4\201JeQ\307t\3051\25\264k\36h\237\326\232\221Y4=\5\226vLr9~\224\362\242^N\4z\2325\24m3>I\2v\274|\235b*\325\372\7\203\252R\261\272\325S\177B\364\306J\236\11)\236\316\207357\276;\376f\241\200\302<\264'\22\12\346\4\333(\316\346\326\5\367\11\276D>\313uj\235\252A\36\242q\316n\24XR,9\244\365\3458\10c\177s\22tR\200\24\2\326U\33+\214 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ".\5\30\230\35+Y\374A\227\31{\35v~S&\11_t\0\311\327,w:{\4?5\317b)<\261S\7)aa~\62\205\326\3403\323\342B4\366F(6\227Rb\2 7\336\372\327\15m\1\260\15\222\255\0a\7\35zUv\5\25\344A\1\12\315(\206\17UJ\25\340V2\275\326\37q\12\0>\32~S\37!7\340[\35\357\220\324\207\333\353FD\375I\354\235n\305W\207U\262em\257\260d\31u\214B\247h}\33367\271W&w\202\334v\24|#e\15\200O\347x`\214p\276\267U\205>*S\304?\12n`\17\327\374U\264\216 \129\271{\0\11\242\364\321\13\215@\354\237(F\331+ \305d\242<\343d\362u\251\345"\6CX\266XF\202\17\242\3[4\201JeQ\307t\3051\25\264k\36h\237\326\232\221Y4=\5\226vLr9~\224\362\242^N\4z\2325\24m3>I\2v\274|\235b*\325\372\7\203\252R\261\272\325S\177B\364\306J\236\11)\236\316\207\313uj\235\252A\36\242q\316n\24XR,9\244\365\3458\10c\177s\22tR\200\24\2\326U\33+\214"q\232\3354\0\312u9\377\232u\213\2h(~u[0\263"\240\230o8\275X\210\16\222Y\205 V\241\335&\376\364)*>p\303\205R\3656|\23\22\34\12"\30NE\26\313\344I\375$rM\36,zq\255\04\262\307\202\6$\272\355\2e\235SY\220\276f\7\332}\242u?4\213\207f\334\11\202\306\223v6\211:\3", ) \240\230o8\275X\210\16\222Y\205 V\241\335&\376\364)*>p\303\205R\3656|\23\22\34\12201\252\341\310\224G\212\233CG\221?7\3T\7R\236z\256\204lSi:\20Fq\204,\235\327 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ".\5\30\230\35+Y\374A\227\31{\35v~S&\11_t\0\311\327,w:{\4?5\317b)<\261S\7)aa~\62\205\326\3403\323\342B4\366F(6\227Rb\2 7\336\372\327\15m\1\260\15\222\255\0a\7\35zUv\5\25\344A\1\12\315(\206\17UJ\25\340V2\275\326\37q\12\0>\32~S\37!7\340[\35\357\220\324\207\333\353FD\375I\354\235n\305W\207U\262em\257\260d\31u\214B\247h}\33367\271W&w\202\334v\24|#e\15\200O\347x`\214p\276\267U\205>*S\304?\12n`\17\327\374U\264\216 \129\271{\0\11\242\364\321\13\215@\354\237(F\331+ \305d\242<\343d\362u\251\345"\6CX\266XF\202\17\242\3[4\201JeQ\307t\3051\25\264k\36h\237\326\232\221Y4=\5\226vLr9~\224\362\242^N\4z\2325\24m3>I\2v\274|\235b*\325\372\7\203\252R\261\272\325S\177B\364\306J\236\11)\236\316\207\313uj\235\252A\36\242q\316n\24XR,9\244\365\3458\10c\177s\22tR\200\24\2\326U\33+\214"q\232\3354\0\312u9\377\232u\213\2h(~u[0\263"\240\230o8\275X\210\16\222Y\205 V\241\335&\376\364)*>p\303\205R\3656|\23\22\34\12"\30NE\26\313\344I\375$rM\36,zq\255\04\262\307\202\6$\272\355\2e\235SY\220\276f\7\332}\242u?4\213\207f\334\11\202\306\223v6\211:\3", ) , ) == 0x0
 00502   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00503   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "C\202\371o\323G'1\215\2166\314J1%\329\23W'\205H\222PJ\315\306\354y\37b\36\231=o>#\273$\234\264lZ\1R\332z \3401:\360gb\314\17\34)\234~v~\255l\17\35\337P\35y8\212\211\257\177\25\252\371\14P\7\26\341\16Gd4\216\331,#\4\365FN\203Ce\221\322\312M50u\6=|J\34398\230b&\213\23\225\266\0z\373]6F\30\342H(\240+ \3\225\354\25\307W\214d-%(\3250\267\302Y^g\246CX\5\4S.\234`$V\366\3030\211-\311\203\10\206h\362i#<\3040\350\222\264u.I\215\253@\11\326\244\34\336;\307\223_\346}\26\206Z-r\3\336\254=\211\0\\340\23\25\37d1\306\354{\354\235\35\332\205\206\366\276\\200\177q`\22\21271M\367d\350\302U\332E8\276\26\1Q\33M\321\32dXz\356T\322\27'\7rK!\260\276LOa\6\37\242E\26\200\252g\341\25\36\244\324\262\204'b\27Xu"h\3Lv\0\235S\303$@\313\275\1\204\225\302z\227~=\200\21a\2239Dm\326%{\225\322\200"t\222\344\201y\2217\350\35\364\221\27\227\322\346\313\34{OdgED7\273H\7I\317\332\216n\15\203\3fM.\21\206A\24\300m.`\211\2\343#_\35\274\206\221\272\3474:\262\356\22\251\266|\333\16f=\372~ \314\232\367z\231\300w\23\204\3^n>$x)N\24!\177/\177\220=:\11\225\210\301\336\360\315\262\\216!\2315\7I\255\220\244p.5\322K\344\251\354\323\370?\322N*E+ttP\273#Au\243b\15\271\350gt\242_\317\266\200\3521\331\2W\15!\13\177?\307=\256\270\204\375\3344\260\246\321\360\256\14", ) h\3Lv\0\235S\303$@\313\275\1\204\225\302z\227~=\200\21a\2239Dm\326%{\225\322\200 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "C\202\371o\323G'1\215\2166\314J1%\329\23W'\205H\222PJ\315\306\354y\37b\36\231=o>#\273$\234\264lZ\1R\332z \3401:\360gb\314\17\34)\234~v~\255l\17\35\337P\35y8\212\211\257\177\25\252\371\14P\7\26\341\16Gd4\216\331,#\4\365FN\203Ce\221\322\312M50u\6=|J\34398\230b&\213\23\225\266\0z\373]6F\30\342H(\240+ \3\225\354\25\307W\214d-%(\3250\267\302Y^g\246CX\5\4S.\234`$V\366\3030\211-\311\203\10\206h\362i#<\3040\350\222\264u.I\215\253@\11\326\244\34\336;\307\223_\346}\26\206Z-r\3\336\254=\211\0\\340\23\25\37d1\306\354{\354\235\35\332\205\206\366\276\\200\177q`\22\21271M\367d\350\302U\332E8\276\26\1Q\33M\321\32dXz\356T\322\27'\7rK!\260\276LOa\6\37\242E\26\200\252g\341\25\36\244\324\262\204'b\27Xu"h\3Lv\0\235S\303$@\313\275\1\204\225\302z\227~=\200\21a\2239Dm\326%{\225\322\200"t\222\344\201y\2217\350\35\364\221\27\227\322\346\313\34{OdgED7\273H\7I\317\332\216n\15\203\3fM.\21\206A\24\300m.`\211\2\343#_\35\274\206\221\272\3474:\262\356\22\251\266|\333\16f=\372~ \314\232\367z\231\300w\23\204\3^n>$x)N\24!\177/\177\220=:\11\225\210\301\336\360\315\262\\216!\2315\7I\255\220\244p.5\322K\344\251\354\323\370?\322N*E+ttP\273#Au\243b\15\271\350gt\242_\317\266\200\3521\331\2W\15!\13\177?\307=\256\270\204\375\3344\260\246\321\360\256\14", ) , ) == 0x0
 00504   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00505   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "W\304\311N\362\260>\22\11xR\262\212\341\35q}$/\367\336R34\364\350\264:\331+\204C8\11o\205(E\5\31s/\32\13\375c\266\1\317%\210&qd4\20\6\13W\315\222\26y6\336\342>\370\275c\14\7\355\220f\201;f\327\367lg\255\315\2\24C\32?\327\244\254\4?*\254\27\342\341/\302IFx\327\270!\367\4x\30\14\344!\202\254\32c\5\204\347\17\177\23\236\253m\251\210\315\20\330\270\355u\20\240]\307E&\340\371\300>\234\274\276\340d\34 \337n*FU\335\313\11!%\361F\22{\326?\312\371\303m\270V\26&^`nsZ\37\275\300^].*\264;RV\315{\347\352\224[u\270K\5\335Fx\251#\32d}:\320z\345z\204w\332[\2\272\345z\37\27\31\232\360Mn} t'\256\33"I\255[n\10\226 \230`"\24\266 \362\262N}EKq\256\340\257Zi:\30TqU\7\275\363\15u\m\273_B\202 \212\333\20\233\2111\231q\327\21\317\300\2766RR\353A\257%\30H}\264\220\313\21:\301\246\341\254\20C,\332O\26\335\240\252\371p\275DN\357l\31\16\310C\346\15R\376\213\27i8\33\\31\355Y%\322t\2\34}%\10\3665\201Q\344I\355\22=D"\14N}K\266\216\27:\30{\336~P^!\32a\232h\266[\2410\373\22u?}\270/_\330\12L'\201\232\224\32\34[m\3235~\37\2313\370}\7$|,\205\307\261AG\302\307Vw=\222\246\275\26\237;\24\7\316\24gC9V$\372\326\3771\35\204ef\2351\346\205\270\341V4\361Z\27Y\316\200\353\221V\366|\353v dj\271\370\251q\303\222X\245\362\3$}\15\306\226\11\241mO\273\368[\265\377N", ) I\255[n\10\226 \230` (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "W\304\311N\362\260>\22\11xR\262\212\341\35q}$/\367\336R34\364\350\264:\331+\204C8\11o\205(E\5\31s/\32\13\375c\266\1\317%\210&qd4\20\6\13W\315\222\26y6\336\342>\370\275c\14\7\355\220f\201;f\327\367lg\255\315\2\24C\32?\327\244\254\4?*\254\27\342\341/\302IFx\327\270!\367\4x\30\14\344!\202\254\32c\5\204\347\17\177\23\236\253m\251\210\315\20\330\270\355u\20\240]\307E&\340\371\300>\234\274\276\340d\34 \337n*FU\335\313\11!%\361F\22{\326?\312\371\303m\270V\26&^`nsZ\37\275\300^].*\264;RV\315{\347\352\224[u\270K\5\335Fx\251#\32d}:\320z\345z\204w\332[\2\272\345z\37\27\31\232\360Mn} t'\256\33"I\255[n\10\226 \230`"\24\266 \362\262N}EKq\256\340\257Zi:\30TqU\7\275\363\15u\m\273_B\202 \212\333\20\233\2111\231q\327\21\317\300\2766RR\353A\257%\30H}\264\220\313\21:\301\246\341\254\20C,\332O\26\335\240\252\371p\275DN\357l\31\16\310C\346\15R\376\213\27i8\33\\31\355Y%\322t\2\34}%\10\3665\201Q\344I\355\22=D"\14N}K\266\216\27:\30{\336~P^!\32a\232h\266[\2410\373\22u?}\270/_\330\12L'\201\232\224\32\34[m\3235~\37\2313\370}\7$|,\205\307\261AG\302\307Vw=\222\246\275\26\237;\24\7\316\24gC9V$\372\326\3771\35\204ef\2351\346\205\270\341V4\361Z\27Y\316\200\353\221V\366|\353v dj\271\370\251q\303\222X\245\362\3$}\15\306\226\11\241mO\273\368[\265\377N", ) \14N}K\266\216\27:\30{\336~P^!\32a\232h\266[\2410\373\22u?}\270/_\330\12L'\201\232\224\32\34[m\3235~\37\2313\370}\7$|,\205\307\261AG\302\307Vw=\222\246\275\26\237;\24\7\316\24gC9V$\372\326\3771\35\204ef\2351\346\205\270\341V4\361Z\27Y\316\200\353\221V\366|\353v dj\271\370\251q\303\222X\245\362\3$}\15\306\226\11\241mO\273\368[\265\377N", ) == 0x0
 00506   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00507   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\366\36C\15$dH\34\0\373\177\217\360\310\316\226CH\261f\13\251\362\353&\177\257\14Fl=\25\232`\2028I\244R\333\30\275I\360Xgb\5\225\350\31\370{\2625\11\374,E\267\374\250b\23ICu\271\220\345lQ\246sU\275\307\31\264\233\337\201\14\234\32\27\2627^\215\272\341\33\347\246\343k\236\2673BTm\244\237\3574\216\350\365\2\262x\355\216\1\224\344\315W\ki\343(l\361\20^\216\3450T]\267m\342p\320\216x\227\247\217\321H4~S\3563\340\3409\247\311\272\363\207\30\35s\242\13\252\221\266\3D\270\35\336"\266\37\221\30013Dt\235\7!\326\344-\234G\260~\269a\215\235\327k\247\35\217\1\276K\300\31\332\250.t?E\307\225*\330\255\367D\263\212\6\301\31\33\266\16\220("\243\364M\0\25\276\30kdr\7|\365\246#\36D-\323\253\353a\342\3418n\354N\344\262\257@y+A\16\364\322 d\24\342r\214\222v\345\235\4\236\7u`\247\261\310\0\10or\211\264\365\3\375RCX3)\265M\14td\302\256@\312?s^N\301a\2257\2138A^\370\302\247|5\307\2471"\217\26I7sZc\226\350w\344\365f\316\271j\276\253lB\140\232\377\4\275u\277P]d0\3\6Ow=\7jvS\36D\261\214\345\366\216DWB\27\353", ) \366\36C\15$dH\34\0\373\177\217\360\310\316\226CH\261f\13\251\362\353&\177\257\14Fl=\25\232`\2028I\244R\333\30\275I\360Xgb\5\225\350\31\370{\2625\11\374,E\267\374\250b\23ICu\271\220\345lQ\246sU\275\307\31\264\233\337\201\14\234\32\27\2627^\215\272\341\33\347\246\343k\236\2673BTm\244\237\3574\216\350\365\2\262x\355\216\1\224\344\315W\ki\343(l\361\20^\216\3450T]\267m\342p\320\216x\227\247\217\321H4~S\3563\340\3409\247\311\272\363\207\30\35s\242\13\252\221\266\3D\270\35\336 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\366\36C\15$dH\34\0\373\177\217\360\310\316\226CH\261f\13\251\362\353&\177\257\14Fl=\25\232`\2028I\244R\333\30\275I\360Xgb\5\225\350\31\370{\2625\11\374,E\267\374\250b\23ICu\271\220\345lQ\246sU\275\307\31\264\233\337\201\14\234\32\27\2627^\215\272\341\33\347\246\343k\236\2673BTm\244\237\3574\216\350\365\2\262x\355\216\1\224\344\315W\ki\343(l\361\20^\216\3450T]\267m\342p\320\216x\227\247\217\321H4~S\3563\340\3409\247\311\272\363\207\30\35s\242\13\252\221\266\3D\270\35\336"\266\37\221\30013Dt\235\7!\326\344-\234G\260~\269a\215\235\327k\247\35\217\1\276K\300\31\332\250.t?E\307\225*\330\255\367D\263\212\6\301\31\33\266\16\220("\243\364M\0\25\276\30kdr\7|\365\246#\36D-\323\253\353a\342\3418n\354N\344\262\257@y+A\16\364\322 d\24\342r\214\222v\345\235\4\236\7u`\247\261\310\0\10or\211\264\365\3\375RCX3)\265M\14td\302\256@\312?s^N\301a\2257\2138A^\370\302\247|5\307\2471"\217\26I7sZc\226\350w\344\365f\316\271j\276\253lB\140\232\377\4\275u\277P]d0\3\6Ow=\7jvS\36D\261\214\345\366\216DWB\27\353", ) \243\364M\0\25\276\30kdr\7|\365\246#\36D-\323\253\353a\342\3418n\354N\344\262\257@y+A\16\364\322 d\24\342r\214\222v\345\235\4\236\7u`\247\261\310\0\10or\211\264\365\3\375RCX3)\265M\14td\302\256@\312?s^N\301a\2257\2138A^\370\302\247|5\307\2471 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\366\36C\15$dH\34\0\373\177\217\360\310\316\226CH\261f\13\251\362\353&\177\257\14Fl=\25\232`\2028I\244R\333\30\275I\360Xgb\5\225\350\31\370{\2625\11\374,E\267\374\250b\23ICu\271\220\345lQ\246sU\275\307\31\264\233\337\201\14\234\32\27\2627^\215\272\341\33\347\246\343k\236\2673BTm\244\237\3574\216\350\365\2\262x\355\216\1\224\344\315W\ki\343(l\361\20^\216\3450T]\267m\342p\320\216x\227\247\217\321H4~S\3563\340\3409\247\311\272\363\207\30\35s\242\13\252\221\266\3D\270\35\336"\266\37\221\30013Dt\235\7!\326\344-\234G\260~\269a\215\235\327k\247\35\217\1\276K\300\31\332\250.t?E\307\225*\330\255\367D\263\212\6\301\31\33\266\16\220("\243\364M\0\25\276\30kdr\7|\365\246#\36D-\323\253\353a\342\3418n\354N\344\262\257@y+A\16\364\322 d\24\342r\214\222v\345\235\4\236\7u`\247\261\310\0\10or\211\264\365\3\375RCX3)\265M\14td\302\256@\312?s^N\301a\2257\2138A^\370\302\247|5\307\2471"\217\26I7sZc\226\350w\344\365f\316\271j\276\253lB\140\232\377\4\275u\277P]d0\3\6Ow=\7jvS\36D\261\214\345\366\216DWB\27\353", ) , ) == 0x0
 00508   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00509   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "EB%\223-Lj\15\254\215I\3Y$\223\240;\10\366+oA\352?\37\337\33\335\370\225T\215\13K\364\10\255mC\323b\250A\367\233B\25\363\271&\3454\33{,$v6\26w\240\246pO\364\261j\273\275\250\200\306B\235m\373\35_\302\212p\345\312+(a\33u\212W\322\271\313\323\340.\376$p0\7\234\372\232\343\6g^\5\357@\214\220\37\275-\15s\311[\275\355\225\303\251\33\276\12\220~J\14\17\271\311M\216\33]\245\254\20\300\353[\232;\261\225\201H\22\275$\344cM\363\36CHn}\21\266\33\7}\344{\226\212\342n]\271P\317C\353H\370<\27w>\354\25\6\2069\262\236\227\272M\204P\226S\33;\3\26\14\360C\350IF\267\272\214s@\215K\204??\245&M\320\3564\336S\244\316\20+\214\303\227\276H\351\370\217\204\3741\36\274\312\333{\356\\13\211\303F\330\217\376\353\202\3156\304\350\211\7KA"l\354\273\270\235\351u\260\350M\3\251\210)\202r\376\274DC\200\352\300\276a\266\344Y\33\360\273\322\3540f\204W\353d\245\234\213\262fK\10/\304\320\340\13\227\264;+i\15\4\256\33\315\27,wE'`^55$@\360DPeyx[\233\327n\251\2021\22o\22\333\353I\3\361\245geW\139\325\201^\351\367\22\31v\305\307\333m\305^\360M\235P\301\274\17\277\7F\205\316\3\33664\303\27\2544\340\373g\17\310]\257K\201\15\364"\373/b@\367\216\346\354\12\326\310\6\120n{|\256\223\15zR\31)\277X$\33!", ) \204P\226S\33;\3\26\14\360C\350IF\267\272\214s@\215K\204??\245&M\320\3564\336S\244\316\20+\214\303\227\276H\351\370\217\204\3741\36\274\312\333{\356\\13\211\303F\330\217\376\353\202\3156\304\350\211\7KA (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "EB%\223-Lj\15\254\215I\3Y$\223\240;\10\366+oA\352?\37\337\33\335\370\225T\215\13K\364\10\255mC\323b\250A\367\233B\25\363\271&\3454\33{,$v6\26w\240\246pO\364\261j\273\275\250\200\306B\235m\373\35_\302\212p\345\312+(a\33u\212W\322\271\313\323\340.\376$p0\7\234\372\232\343\6g^\5\357@\214\220\37\275-\15s\311[\275\355\225\303\251\33\276\12\220~J\14\17\271\311M\216\33]\245\254\20\300\353[\232;\261\225\201H\22\275$\344cM\363\36CHn}\21\266\33\7}\344{\226\212\342n]\271P\317C\353H\370<\27w>\354\25\6\2069\262\236\227\272M\204P\226S\33;\3\26\14\360C\350IF\267\272\214s@\215K\204??\245&M\320\3564\336S\244\316\20+\214\303\227\276H\351\370\217\204\3741\36\274\312\333{\356\\13\211\303F\330\217\376\353\202\3156\304\350\211\7KA"l\354\273\270\235\351u\260\350M\3\251\210)\202r\376\274DC\200\352\300\276a\266\344Y\33\360\273\322\3540f\204W\353d\245\234\213\262fK\10/\304\320\340\13\227\264;+i\15\4\256\33\315\27,wE'`^55$@\360DPeyx[\233\327n\251\2021\22o\22\333\353I\3\361\245geW\139\325\201^\351\367\22\31v\305\307\333m\305^\360M\235P\301\274\17\277\7F\205\316\3\33664\303\27\2544\340\373g\17\310]\257K\201\15\364"\373/b@\367\216\346\354\12\326\310\6\120n{|\256\223\15zR\31)\277X$\33!", ) \373/b@\367\216\346\354\12\326\310\6\120n{|\256\223\15zR\31)\277X$\33!", ) == 0x0
 00510   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00511   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "fD\36\336\300i\335'@f`\15\320\233\241\254[y!\213\211^\335u\224\360 \13|\333\363\237\272C\27\<\366Z\15\265\315\2139\221\35\240d\376Dl\30f|\4-V7\4i\16\373w\10t\217\255\220n\273W\33\356\31\26\3253)\356!R\20'\206\0\353\300o\275\377U\253w\304 N\4\27m\252\313)@e\217\266\313C"A\354\20\347(\364\340\370\213\275\345`\24D\315\3424\0O\16\331\322\216:n\5%\206F\252~\15\373#\340\342\221\3773\231Yu8\277\30\313[\353\236PL\267\306b\344\320"2$\17g\332\24!\23\3550\217\345\24\243\272\355>R\22a\15\270\267\351k\350\270f\363\211\243\356+TA\177HN\2754\304s\331\213A\14\212H\32\200U\23\15\31!^\15c\376\37\256\333\320\3543\24Z\23\15b\325\330\32t\0\27\263\12\221\260W\234\354`s\250\316j\351\251\264\241\231\252\16\20\221Qo Yk\227\300\211\31Xl6\360W!&\344@d\13\334^h\230[\351\365\226\10\15\265\275\352\327\347X[\207\2006\376Ui\267\302c\376M\233[\344\324\16\220\r(\272\5iT\307\240s\213c\253\277\216t\5\12\316(\331\200\335<\6\315\217 o\353;-m\217/Yr\352\213S\232@\36\1u\35\373\1\324+v\3506\366B\363\216?6sl\274\317X\334\212\210\244|\0&}\320\305\241\327\203\377\20\262S\2\235\275fy\310\237\4\353F\240N0A\322]\340m9Z*$%f\275\4m\212E\214", ) A\354\20\347(\364\340\370\213\275\345`\24D\315\3424\0O\16\331\322\216:n\5%\206F\252~\15\373#\340\342\221\3773\231Yu8\277\30\313[\353\236PL\267\306b\344\32032\204aQk\235\277;A\266\216Gh\7\15\254\232\6%$\326\5\350V\213\227\272\36\222\315_W\373\270_\3\215\325`<\23\366\276\347ayh]0duI\353\315p (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "fD\36\336\300i\335'@f`\15\320\233\241\254[y!\213\211^\335u\224\360 \13|\333\363\237\272C\27\<\366Z\15\265\315\2139\221\35\240d\376Dl\30f|\4-V7\4i\16\373w\10t\217\255\220n\273W\33\356\31\26\3253)\356!R\20'\206\0\353\300o\275\377U\253w\304 N\4\27m\252\313)@e\217\266\313C"A\354\20\347(\364\340\370\213\275\345`\24D\315\3424\0O\16\331\322\216:n\5%\206F\252~\15\373#\340\342\221\3773\231Yu8\277\30\313[\353\236PL\267\306b\344\320"2$\17g\332\24!\23\3550\217\345\24\243\272\355>R\22a\15\270\267\351k\350\270f\363\211\243\356+TA\177HN\2754\304s\331\213A\14\212H\32\200U\23\15\31!^\15c\376\37\256\333\320\3543\24Z\23\15b\325\330\32t\0\27\263\12\221\260W\234\354`s\250\316j\351\251\264\241\231\252\16\20\221Qo Yk\227\300\211\31Xl6\360W!&\344@d\13\334^h\230[\351\365\226\10\15\265\275\352\327\347X[\207\2006\376Ui\267\302c\376M\233[\344\324\16\220\r(\272\5iT\307\240s\213c\253\277\216t\5\12\316(\331\200\335<\6\315\217 o\353;-m\217/Yr\352\213S\232@\36\1u\35\373\1\324+v\3506\366B\363\216?6sl\274\317X\334\212\210\244|\0&}\320\305\241\327\203\377\20\262S\2\235\275fy\310\237\4\353F\240N0A\322]\340m9Z*$%f\275\4m\212E\214", ) , ) == 0x0
 00512   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00513   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "EH\275\274\325_\10\334\253P{\15\\3547\241P\271\360\0X\34J\3640\256\34\263\351\352a\2\201`\243\32\221l\362\231\314D>\17\322\366\21\353} \322\35\6N2\202\257\377+\257\6\214K\217^5'0\304|@\11^\353\242c\11F\26 \351\252bp\316\327\370\207%\363R\177\300\31\372-\3369\200;\322\200(\0\227-c|\375]2\270\241&\33\1721t\0v\246\331Tgs)\20\202v\230\265\34c\221~\jm\25\32\4)tk\14aP\226sQ\34\31\300\235\255\304\231\232DOQN\353\42e\246\33\20B_\1e"\360N]\210\240f\350F\30\241\301e\300\26$\363\261\214\25;\211\\347\335.O\367}+\352\365\236\222_\|\320\376<7d2\365\236\33\312\\65E\242U\227\6q\366\3\315>cP\374\3454\22\361\343\215\220.{\6\3102\22=\230\257\305\277\312\7\10nL\227\257\240\320\b\201S\373g\306Z^\336I\331v\315\243\202Rd\357\233\27\270\5\213\234\362\251#}\345\311\260w^\310rw\21\33\375OgN\255{B\307\272\10[\261HY\312\261\252jp\2575Y\241\177\37\352a\212\246\325\25\340\355uf\212\266\222\364\374\338P\253\256\322Y\231\333)!\374P"4\213Q\244\334\3D\0\355\332;b=\4\34\2723\10^i\240e\17\363\21\20B{.\34\17\363SYCE\22\14~.3\277\23oI0\34\20\376\350\27mP\255\353\231Xm\b\357[\365\2129\13\336b\310\312\344\5r\27\251pX\257#\326\275\2050j\341\3630\316\251\2\16\223/\357\310W\366$\252\365\311\374\244\313\273w\251\356K\14}\234\261\367~\225{\21:\204s\250U\20\33\213\2133\373\1Z\177\376\1V\344h\340\341\250\324\200", ) \360N]\210\240f\350F\30\241\301e\300\26$\363\261\214\25;\211\\347\335.O\367}+\352\365\236\222_\|\320\376<7d2\365\236\33\312\\65E\242U\227\6q\366\3\315>cP\374\3454\22\361\343\215\220.{\6\3102\22=\230\257\305\277\312\7\10nL\227\257\240\320\b\201S\373g\306Z^\336I\331v\315\243\202Rd\357\233\27\270\5\213\234\362\251#}\345\311\260w^\310rw\21\33\375OgN\255{B\307\272\10[\261HY\312\261\252jp\2575Y\241\177\37\352a\212\246\325\25\340\355uf\212\266\222\364\374\338P\253\256\322Y\231\333)!\374P (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "EH\275\274\325_\10\334\253P{\15\\3547\241P\271\360\0X\34J\3640\256\34\263\351\352a\2\201`\243\32\221l\362\231\314D>\17\322\366\21\353} \322\35\6N2\202\257\377+\257\6\214K\217^5'0\304|@\11^\353\242c\11F\26 \351\252bp\316\327\370\207%\363R\177\300\31\372-\3369\200;\322\200(\0\227-c|\375]2\270\241&\33\1721t\0v\246\331Tgs)\20\202v\230\265\34c\221~\jm\25\32\4)tk\14aP\226sQ\34\31\300\235\255\304\231\232DOQN\353\42e\246\33\20B_\1e"\360N]\210\240f\350F\30\241\301e\300\26$\363\261\214\25;\211\\347\335.O\367}+\352\365\236\222_\|\320\376<7d2\365\236\33\312\\65E\242U\227\6q\366\3\315>cP\374\3454\22\361\343\215\220.{\6\3102\22=\230\257\305\277\312\7\10nL\227\257\240\320\b\201S\373g\306Z^\336I\331v\315\243\202Rd\357\233\27\270\5\213\234\362\251#}\345\311\260w^\310rw\21\33\375OgN\255{B\307\272\10[\261HY\312\261\252jp\2575Y\241\177\37\352a\212\246\325\25\340\355uf\212\266\222\364\374\338P\253\256\322Y\231\333)!\374P"4\213Q\244\334\3D\0\355\332;b=\4\34\2723\10^i\240e\17\363\21\20B{.\34\17\363SYCE\22\14~.3\277\23oI0\34\20\376\350\27mP\255\353\231Xm\b\357[\365\2129\13\336b\310\312\344\5r\27\251pX\257#\326\275\2050j\341\3630\316\251\2\16\223/\357\310W\366$\252\365\311\374\244\313\273w\251\356K\14}\234\261\367~\225{\21:\204s\250U\20\33\213\2133\373\1Z\177\376\1V\344h\340\341\250\324\200", ) , ) == 0x0
 00514   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00515   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "u\220#\2050#\312\6M\21\275\22S\276>sy\276\250\2428Q\14C\310g\324\6G\21262\342\27\330/\373\237\15\373!\307K\31\346t+\353\255\23\331\377:\2321\16v\307\243\12m(\316\177\306f\16\0V\324C\213\3427\315x\237=\3730\212\2w`\275\224\350\5^\322\33\227\262\343\252\231\363\215\346\16\222}\200\375\256b\336\13"M/WC8\235\200A!\273_R+\214\24\266S\34\32\2340.\24\237|\216?d^\1|\274\12\231\330\261\344\266\14\216u\326\2026\264\244\330\255\170\304Z\321\320o\267\10\241\267\325\232\333h\27\303\5\356?0\15\254<\223\32\256\214$\17\335VhN\22\347\257\350\17\224\316\226\307\345\202\36\346\201\206\17|\345A\30E\346J\223\2313U\201\24\32\337t\20e+\247~\345\267\21\365\260=\14-H\355\213N4a\341h )\237\0\242\345\364iT\235w\341\364a\3r\232;~\203\240._eNb\224\352X\10\301\300j\265%\352\7\250\360p\341w\13W/\257\3De\3776B\235gn\361\315\247\12\34\12\313\336\21\3264\316E\330;\22F}\14\237\350H\25\367#\256\331\363\363/Y\370\36\337\243\34\365j\307kK\307'm\312\221g\3039g3\346J5ea\31\225\266n&\230\37\376\364\234&\1\2347w\301\250\251\237"6t\316\273\322\46,\336\3665\370#T\304\243\135g\351\375\5\365\202E\1\16\213\234\337.O^}7\346\17=b2\326\314\370\370\2\327\346\262D\335\344\22AQ!(AN\306\323\262<\366c\0aU\17PV\241D\225\321=\260\376\343nx\5pf\376\215d\267{\301\350*\224\23b7\1+s\253|rI\336\0"\356\4]235\200A!\273_R+\214\24\266S\34\32\2340.\24\237|\216?d^\1|\274\12\231\330\261\344\266\14\216u\326\2026\264\244\330\255\170\304Z\321\320o\267\10\241\267\325\232\333h\27\303\5\356?0\15\254<\223\32\256\214$\17\335VhN\22\347\257\350\17\224\316\226\307\345\202\36\346\201\206\17|\345A\30E\346J\223\2313U\201\24\32\337t\20e+\247~\345\267\21\365\260=\14-H\355\213N4a\341h )\237\0\242\345\364iT\235w\341\364a\3r\232;~\203\240._eNb\224\352X\10\301\300j\265%\352\7\250\360p\341w\13W/\257\3De\3776B\235gn\361\315\247\12\34\12\313\336\21\3264\316E\330;\22F}\14\237\350H\25\367#\256\331\363\363/Y\370\36\337\243\34\365j\307kK\307'm\312\221g\3039g3\346J5ea\31\225\266n&\230\37\376\364\234&\1\2347w\301\250\251\237 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "u\220#\2050#\312\6M\21\275\22S\276>sy\276\250\2428Q\14C\310g\324\6G\21262\342\27\330/\373\237\15\373!\307K\31\346t+\353\255\23\331\377:\2321\16v\307\243\12m(\316\177\306f\16\0V\324C\213\3427\315x\237=\3730\212\2w`\275\224\350\5^\322\33\227\262\343\252\231\363\215\346\16\222}\200\375\256b\336\13"M/WC8\235\200A!\273_R+\214\24\266S\34\32\2340.\24\237|\216?d^\1|\274\12\231\330\261\344\266\14\216u\326\2026\264\244\330\255\170\304Z\321\320o\267\10\241\267\325\232\333h\27\303\5\356?0\15\254<\223\32\256\214$\17\335VhN\22\347\257\350\17\224\316\226\307\345\202\36\346\201\206\17|\345A\30E\346J\223\2313U\201\24\32\337t\20e+\247~\345\267\21\365\260=\14-H\355\213N4a\341h )\237\0\242\345\364iT\235w\341\364a\3r\232;~\203\240._eNb\224\352X\10\301\300j\265%\352\7\250\360p\341w\13W/\257\3De\3776B\235gn\361\315\247\12\34\12\313\336\21\3264\316E\330;\22F}\14\237\350H\25\367#\256\331\363\363/Y\370\36\337\243\34\365j\307kK\307'm\312\221g\3039g3\346J5ea\31\225\266n&\230\37\376\364\234&\1\2347w\301\250\251\237"6t\316\273\322\46,\336\3665\370#T\304\243\135g\351\375\5\365\202E\1\16\213\234\337.O^}7\346\17=b2\326\314\370\370\2\327\346\262D\335\344\22AQ!(AN\306\323\262<\366c\0aU\17PV\241D\225\321=\260\376\343nx\5pf\376\215d\267{\301\350*\224\23b7\1+s\253|rI\336\0"\356\4]356\4]221\34\361\215&\361k\271\235\", ) == 0x0
 00516   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00517   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "5+.!z^\25\264\314f@B\271=DBdUt\26+RtB\2w\14\236\0\373\4B]\25\220\372.\241<\325Aj\310i-\337^7\371\276\233\24=\25\364\25\254S(*,:\240\376;b\5%z\376\3W\316|DS&.\316Q\254\375HWfS\30V[\22\313\364O\356\7\206\267\274A|\345\246\204\22\2372\231\326\256?:v `\7\217\216\30Mz\222\306]\201z\201\25%\1\3\240\255l+\25\351=|>%x\232Bd\252\254\306\362\307JQ*\220\357\78\340*-Jg\274\245\3625%\346\116O\351*\27\2336\272r\24\22Q>KP\211S\13\22u\258\345r\377\215\322&$\24\22\201\345\14.a$S\23m\215\11o\360\252Sc \16\35\2245\356SJ\12N3Z\362\13\204\302:\375E\376:ba\352\255@/\3m\305E\216\12\347\267\232\21c\303\331j\2ty\\247_\23\231p\309\361|\232{\364\25H\356\342\266\220M\115w\270\337{p\3152q\30U\21\2466E\217\1\324B7\271>f\317 \257e%4V2\16\217\253c\322\0\7\2054i\3445D\3\3\1PTB\252FTVE\264*\356\274\230\27\4]&\344!3\377&Q} PG\22`\1\343\253'\27\255\26\366\354\372o\13\347i6V\20F\3677Ef\361fT\266\233\11S\236tY\351\354\211\262\346]1d\2\2119\375\30v\324\240\334\215f\270pWw\335\2\235"\212\367|\234J\4V"\356HBF|.\25,\2168\17\2550\244\}j\242R\236:\2\33\20&\257\36fR\2\364\303nh=\200QpM|\322\3\371I\377\360o\2222\4E\3654\3\204h2\266Ze6\10Jf\374\226bfv E\330\263M", ) \212\367|\234J\4V (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "5+.!z^\25\264\314f@B\271=DBdUt\26+RtB\2w\14\236\0\373\4B]\25\220\372.\241<\325Aj\310i-\337^7\371\276\233\24=\25\364\25\254S(*,:\240\376;b\5%z\376\3W\316|DS&.\316Q\254\375HWfS\30V[\22\313\364O\356\7\206\267\274A|\345\246\204\22\2372\231\326\256?:v `\7\217\216\30Mz\222\306]\201z\201\25%\1\3\240\255l+\25\351=|>%x\232Bd\252\254\306\362\307JQ*\220\357\78\340*-Jg\274\245\3625%\346\116O\351*\27\2336\272r\24\22Q>KP\211S\13\22u\258\345r\377\215\322&$\24\22\201\345\14.a$S\23m\215\11o\360\252Sc \16\35\2245\356SJ\12N3Z\362\13\204\302:\375E\376:ba\352\255@/\3m\305E\216\12\347\267\232\21c\303\331j\2ty\\247_\23\231p\309\361|\232{\364\25H\356\342\266\220M\115w\270\337{p\3152q\30U\21\2466E\217\1\324B7\271>f\317 \257e%4V2\16\217\253c\322\0\7\2054i\3445D\3\3\1PTB\252FTVE\264*\356\274\230\27\4]&\344!3\377&Q} PG\22`\1\343\253'\27\255\26\366\354\372o\13\347i6V\20F\3677Ef\361fT\266\233\11S\236tY\351\354\211\262\346]1d\2\2119\375\30v\324\240\334\215f\270pWw\335\2\235"\212\367|\234J\4V"\356HBF|.\25,\2168\17\2550\244\}j\242R\236:\2\33\20&\257\36fR\2\364\303nh=\200QpM|\322\3\371I\377\360o\2222\4E\3654\3\204h2\266Ze6\10Jf\374\226bfv E\330\263M", ) , ) == 0x0
 00518   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00519   396   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\314%&\214Ty&\205\3354-\27\226^z8\7D\323R;\302`\210\246\3335|\234\11\250\11v;\246\346M\245\363h\240j\33\330FT\206F\275\231z\152nM\301Ze\356\17jop\21\222sjk\254EPAKd\342k\36\366<\345\265\203\276a9\275=+]\11\200\214t\333&\201T\307\335\301\351dP@\352\274\35v\330k\356\262v%9\21\346U\256\315\34W{\263\272@\255@.k\260\14\237\250$\226~-8\13r%\365@F \274\261\17~\267|2o?\221a\3763\20\361te\360\353\246\204\11\37njB\221f(\357\341i\360\217\250'f\261\322Oj\2037\244t\20\334\236\20\364^\347\234\211l\324Z\26\362\353$\14p\26\7\353\301g\255\118A&s\227KL\266o8\30Y\332WQ\20\215\21f\5\345o\37\370\344l\375\352A\321\371:ZA-B\6ob\20^s2MP4\32\2R\241IdS\16"\6\20\301\246\11@n\264\242=C(#\17x4=\276\251\256\5\267\360\3258F~/\263S*B\242\274w\240\260EL\3\26m}0\234\0\0\15;\222\7z\20\332v\225\106\326\16$\372B'I\36\375]\4XUF\232{\36'n[\215V\300\325\4\6\211yI\357\214\217\25"\2\252k\25\250N\247n\337\12\254\250-Y\20T\236\233g\21R{9\22\24ip@)7\204C\234o\204\14\213\333>\322\346\307e\344;aZY\225\316p\16\324|\205%\313j\224\336e\21\375F\207\11>6Z\5\251)t\230\214AZ=\366\3407Yw\315z\362\213\244\12sBa\307N\2567\300h\35\377n\237G\\304\1~\7\213\11\261R\245\226\233\271:\224_8\356\222\227\327R\20\241ulx\340\237 \4", ) \6\20\301\246\11@n\264\242=C(#\17x4=\276\251\256\5\267\360\3258F~/\263S*B\242\274w\240\260EL\3\26m}0\234\0\0\15;\222\7z\20\332v\225\106\326\16$\372B'I\36\375]\4XUF\232{\36'n[\215V\300\325\4\6\211yI\357\214\217\25 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\314%&\214Ty&\205\3354-\27\226^z8\7D\323R;\302`\210\246\3335|\234\11\250\11v;\246\346M\245\363h\240j\33\330FT\206F\275\231z\152nM\301Ze\356\17jop\21\222sjk\254EPAKd\342k\36\366<\345\265\203\276a9\275=+]\11\200\214t\333&\201T\307\335\301\351dP@\352\274\35v\330k\356\262v%9\21\346U\256\315\34W{\263\272@\255@.k\260\14\237\250$\226~-8\13r%\365@F \274\261\17~\267|2o?\221a\3763\20\361te\360\353\246\204\11\37njB\221f(\357\341i\360\217\250'f\261\322Oj\2037\244t\20\334\236\20\364^\347\234\211l\324Z\26\362\353$\14p\26\7\353\301g\255\118A&s\227KL\266o8\30Y\332WQ\20\215\21f\5\345o\37\370\344l\375\352A\321\371:ZA-B\6ob\20^s2MP4\32\2R\241IdS\16"\6\20\301\246\11@n\264\242=C(#\17x4=\276\251\256\5\267\360\3258F~/\263S*B\242\274w\240\260EL\3\26m}0\234\0\0\15;\222\7z\20\332v\225\106\326\16$\372B'I\36\375]\4XUF\232{\36'n[\215V\300\325\4\6\211yI\357\214\217\25"\2\252k\25\250N\247n\337\12\254\250-Y\20T\236\233g\21R{9\22\24ip@)7\204C\234o\204\14\213\333>\322\346\307e\344;aZY\225\316p\16\324|\205%\313j\224\336e\21\375F\207\11>6Z\5\251)t\230\214AZ=\366\3407Yw\315z\362\213\244\12sBa\307N\2567\300h\35\377n\237G\\304\1~\7\213\11\261R\245\226\233\271:\224_8\356\222\227\327R\20\241ulx\340\237 \4", ) , ) == 0x0
 00520   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00521   396   NtReadFile  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\26.6\0\6.6\02>6\0">6\0\262\146\0\242\146\0R\176\0Z\176\0B\176\0J\176\0r\176\0z\176\0b\176\0j\176\0\22\176\0\32\176\0\366\176\0\342\176\0\216\176\0J\166\0\6\166\0\376\166\0\206\166\0F\116\0\306\116\0\276\116\0\322\136\0\246\126\0f\256\0B\246\0\366\246\0"\266\0*\206\0\22\226\0~\356\0\236\356\0\36\346\0\336\346\0*\376\0\312\376\0\226\376\0\246\376\0\316&3\0\266&3\0\201L1\0\275L1\0TO1\0LO1\0bO1\0\30O1\0?O1\0\322O1\0\366O1\0\357O1\0\202O1\0\276O1\0\250O1\0DN1\0~N1\0\27N1\0\6N1\0+N1\0\300N1\0\341N1\0\207N1\0\256N1\0MI1\0\34I1\09I1\0\304I1\0\227I1\0\267I1\0RH1\0oH1\01H1\0*H1\0\304H1\0\374H1\0\226H1\0\200H1\0\272H1\0WK1\0LK1\0yK1\0\22K1\0\10K1\0/K1\0\322K1\0\334K1\0\305K1\0\311K1\0Je \0Ae/\0Be.\0Ce,\0Re5\0^e1\0Pe3\0}e-\0Ke(\0re\26\0~e\34\0\177e\27\0ue\24\0Ie\23\0pe\21\0Ee'\0De:\0Fe8\0Ye;\0]e<\0_e\32\0Ve4\0We\30\0{e6\0Ve6\0Ve6\0Ve6@r\35F$gWxm#\1F@\2+{U\2256@r\35F$gPxm", ) >6\0\262\146\0\242\146\0R\176\0Z\176\0B\176\0J\176\0r\176\0z\176\0b\176\0j\176\0\22\176\0\32\176\0\366\176\0\342\176\0\216\176\0J\166\0\6\166\0\376\166\0\206\166\0F\116\0\306\116\0\276\116\0\322\136\0\246\126\0f\256\0B\246\0\366\246\0 (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\26.6\0\6.6\02>6\0">6\0\262\146\0\242\146\0R\176\0Z\176\0B\176\0J\176\0r\176\0z\176\0b\176\0j\176\0\22\176\0\32\176\0\366\176\0\342\176\0\216\176\0J\166\0\6\166\0\376\166\0\206\166\0F\116\0\306\116\0\276\116\0\322\136\0\246\126\0f\256\0B\246\0\366\246\0"\266\0*\206\0\22\226\0~\356\0\236\356\0\36\346\0\336\346\0*\376\0\312\376\0\226\376\0\246\376\0\316&3\0\266&3\0\201L1\0\275L1\0TO1\0LO1\0bO1\0\30O1\0?O1\0\322O1\0\366O1\0\357O1\0\202O1\0\276O1\0\250O1\0DN1\0~N1\0\27N1\0\6N1\0+N1\0\300N1\0\341N1\0\207N1\0\256N1\0MI1\0\34I1\09I1\0\304I1\0\227I1\0\267I1\0RH1\0oH1\01H1\0*H1\0\304H1\0\374H1\0\226H1\0\200H1\0\272H1\0WK1\0LK1\0yK1\0\22K1\0\10K1\0/K1\0\322K1\0\334K1\0\305K1\0\311K1\0Je \0Ae/\0Be.\0Ce,\0Re5\0^e1\0Pe3\0}e-\0Ke(\0re\26\0~e\34\0\177e\27\0ue\24\0Ie\23\0pe\21\0Ee'\0De:\0Fe8\0Ye;\0]e<\0_e\32\0Ve4\0We\30\0{e6\0Ve6\0Ve6\0Ve6@r\35F$gWxm#\1F@\2+{U\2256@r\35F$gPxm", ) , ) == 0x0
 00522   396   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00523   396   NtClose  (80, ... ) == 0x0
 00524   396   NtClose  (68, ... ) == 0x0
 00525   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00526   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00527   396   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0
 00528   396   NtClose  (68, ... ) == 0x0
 00529   396   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0
 00530   396   NtClose  (80, ... ) == 0x0
 00531   396   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00532   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00533   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00534   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00535   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0
 00536   396   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00537   396   NtClose  (80, ... ) == 0x0
 00538   396   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00539   396   NtMapViewOfSection  (68, -1, (0x860000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00540   396   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00541   396   NtClose  (68, ... ) == 0x0
 00542   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 8, ) == 0x0
 00543   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 8, ... (0x8d2000), 4096, 4, ) == 0x0
 00544   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00545   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00546   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00547   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00548   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00549   396   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00550   396   NtClose  (68, ... ) == 0x0
 00551   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00552   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00553   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00554   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00555   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00556   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00557   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00558   396   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00559   396   NtClose  (68, ... ) == 0x0
 00560   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00561   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00562   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00563   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00564   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00565   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00566   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00567   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00568   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00569   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00570   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00571   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00572   396   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   396   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0
 00576   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00577   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0
 00578   396   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00579   396   NtClose  (68, ... ) == 0x0
 00580   396   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00581   396   NtClose  (80, ... ) == 0x0
 00582   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00583   396   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00584   396   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00585   396   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {368, 0}, ... 80, ) == 0x0
 00586   396   NtQueryInformationProcess  (80, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00587   396   NtClose  (80, ... ) == 0x0
 00588   396   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00589   396   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00590   396   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00591   396   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00592   396   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593   396   NtClose  (80, ... ) == 0x0
 00594   396   NtUserSystemParametersInfo  (41, 500, 1242460, 0, ... ) == 0x1
 00595   396   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00596   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00597   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00598   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03b
 00599   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00600   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03d
 00601   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00602   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00603   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03f
 00604   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00605   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00606   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc041
 00607   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00608   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00609   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc043
 00610   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00611   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc045
 00612   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00613   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00614   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc047
 00615   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00616   396   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00617   396   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810dc049
 00618   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00619   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00620   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04b
 00621   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00622   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00623   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04d
 00624   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00625   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00626   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04f
 00627   396   NtUserGetClassInfo  (1999896576, 1242872, 1242824, 1242900, 0, ... ) == 0x0
 00628   396   NtUserRegisterClassExWOW  (1242708, 1242788, 1242772, 1242804, 0, 384, 0, ... ) == 0x810dc051
 00629   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00630   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00631   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc053
 00632   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00633   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00634   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc055
 00635   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc057
 00636   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00637   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00638   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc059
 00639   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00640   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10013
 00641   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05b
 00642   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00643   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00644   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05d
 00645   396   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00646   396   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00647   396   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05f
 00648   396   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00649   396   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00650   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0
 00651   396   NtNotifyChangeKey  (84, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00652   396   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00653   396   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00654   396   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00655   396   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00656   396   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00657   396   NtQueryVirtualMemory  (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00658   396   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00659   396   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9371648, 1048576, ) == 0x0
 00660   396   NtAllocateVirtualMemory  (-1, 9371648, 0, 16384, 4096, 4, ... 9371648, 16384, ) == 0x0
 00661   396   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00662   396   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00663   396   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00664   396   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   396   NtOpenProcessToken  (-1, 0x8, ... 96, ) == 0x0
 00666   396   NtQueryInformationToken  (96, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00667   396   NtClose  (96, ... ) == 0x0
 00668   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00669   396   NtReleaseMutant  (16, ...
 00670   396   NtContinue  (-131039096, 0, ...
 00669   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00671   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\jka1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00678   396   NtReleaseMutant  (16, ...
 00679   396   NtContinue  (-131039096, 0, ...
 00678   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00680   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00681   396   NtReleaseMutant  (16, ...
 00682   396   NtContinue  (-131039096, 0, ...
 00681   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00683   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00684   396   NtReleaseMutant  (16, ...
 00685   396   NtContinue  (-131039096, 0, ...
 00684   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00686   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00687   396   NtReleaseMutant  (16, ...
 00688   396   NtContinue  (-131039096, 0, ...
 00687   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00689   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00690   396   NtReleaseMutant  (16, ...
 00691   396   NtContinue  (-131039096, 0, ...
 00690   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00692   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00693   396   NtReleaseMutant  (16, ...
 00694   396   NtContinue  (-131039096, 0, ...
 00693   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00695   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00696   396   NtReleaseMutant  (16, ...
 00697   396   NtContinue  (-131039096, 0, ...
 00696   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00698   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00699   396   NtReleaseMutant  (16, ...
 00700   396   NtContinue  (-131039096, 0, ...
 00699   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00701   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00702   396   NtReleaseMutant  (16, ...
 00703   396   NtContinue  (-131039096, 0, ...
 00702   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00704   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00705   396   NtReleaseMutant  (16, ...
 00706   396   NtContinue  (-131039096, 0, ...
 00705   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00707   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00708   396   NtReleaseMutant  (16, ...
 00709   396   NtContinue  (-131039096, 0, ...
 00708   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00710   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00711   396   NtReleaseMutant  (16, ...
 00712   396   NtContinue  (-131039096, 0, ...
 00711   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00713   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00714   396   NtReleaseMutant  (16, ...
 00715   396   NtContinue  (-131039096, 0, ...
 00714   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00716   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00717   396   NtReleaseMutant  (16, ...
 00718   396   NtContinue  (-131039096, 0, ...
 00717   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00719   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00720   396   NtReleaseMutant  (16, ...
 00721   396   NtContinue  (-131039096, 0, ...
 00720   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00722   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00723   396   NtReleaseMutant  (16, ...
 00724   396   NtContinue  (-131039096, 0, ...
 00723   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00725   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00726   396   NtReleaseMutant  (16, ...
 00727   396   NtContinue  (-131039096, 0, ...
 00726   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00728   396   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00729   396   NtReleaseMutant  (16, ...
 00730   396   NtContinue  (-131039096, 0, ...
 00729   396   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00731   396   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 96, ) == 0x0
 00732   396   NtUserGetDC  (0, ... ) == 0x1010050
 00733   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00734   396   NtUserGetDC  (0, ... ) == 0x1010050
 00735   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00736   396   NtGdiCreatePaletteInternal  (1241872, 16, ... ) == 0x16080382
 00737   396   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00738   396   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00739   396   NtUserFindExistingCursorIcon  (1242268, 1242284, 1242852, ... ) == 0x10003
 00740   396   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\07\00\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0
 00741   396   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\08\06\00\00\00\00\00\00\00\00\00\01\08\0C\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0
 00742   396   NtUserSystemParametersInfo  (104, 0, 9376892, 0, ... ) == 0x1
 00743   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00744   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10023
 00745   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00746   396   NtUserGetDC  (0, ... ) == 0x1010050
 00747   396   NtGdiCreateDIBitmapInternal  (16842832, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x805040c
 00748   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00749   396   NtGdiSelectBitmap  (302056390, 134546444, ... ) == 0x185000f
 00750   396   NtGdiGetDCforBitmap  (134546444, ... ) == 0x120103c6
 00751   396   NtGdiSaveDC  (302056390, ... ) == 0x1
 00752   396   NtGdiSelectBitmap  (302056390, 134546444, ... ) == 0x805040c
 00753   396   NtGdiGetDCObject  (302056390, 524288, ... ) == 0x188000b
 00754   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00755   396   NtGdiSetDIBitsToDeviceInternal  (302056390, 0, 0, 32, 64, 0, 0, 0, 64, 9188876, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00756   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00757   396   NtGdiSelectBitmap  (302056390, 134546444, ... ) == 0x805040c
 00758   396   NtGdiRestoreDC  (302056390, -1, ... ) == 0x1
 00759   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0x805040c
 00760   396   NtGdiCreateCompatibleDC  (302056390, ... ) == 0xd0103ff
 00761   396   NtGdiExtGetObjectW  (134546444, 24, 1241324, ... ) == 0x18
 00762   396   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x9050407
 00763   396   NtGdiSelectBitmap  (302056390, 134546444, ... ) == 0x185000f
 00764   396   NtGdiSelectBitmap  (218170367, 151323655, ... ) == 0x185000f
 00765   396   NtGdiBitBlt  (218170367, 0, 0, 32, 64, 302056390, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00766   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0x805040c
 00767   396   NtGdiSelectBitmap  (218170367, 25493519, ... ) == 0x9050407
 00768   396   NtGdiDeleteObjectApp  (134546444, ... ) == 0x1
 00769   396   NtGdiDeleteObjectApp  (218170367, ... ) == 0x1
 00770   396   NtUserCallOneParam  (0, 33, ... ) == 0x2006b
 00771   396   NtUserSetCursorIconData  (131179, 1241432, 1241448, 1242028, ... ) == 0x1
 00772   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10029
 00773   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10027
 00774   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10025
 00775   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00776   396   NtUserGetDC  (0, ... ) == 0x1010050
 00777   396   NtGdiCreateDIBitmapInternal  (16842832, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xa05040b
 00778   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00779   396   NtGdiSelectBitmap  (302056390, 168100875, ... ) == 0x185000f
 00780   396   NtGdiGetDCforBitmap  (168100875, ... ) == 0x120103c6
 00781   396   NtGdiSaveDC  (302056390, ... ) == 0x1
 00782   396   NtGdiSelectBitmap  (302056390, 168100875, ... ) == 0xa05040b
 00783   396   NtGdiGetDCObject  (302056390, 524288, ... ) == 0x188000b
 00784   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00785   396   NtGdiSetDIBitsToDeviceInternal  (302056390, 0, 0, 32, 64, 0, 0, 0, 64, 9189184, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00786   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00787   396   NtGdiSelectBitmap  (302056390, 168100875, ... ) == 0xa05040b
 00788   396   NtGdiRestoreDC  (302056390, -1, ... ) == 0x1
 00789   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0xa05040b
 00790   396   NtGdiCreateCompatibleDC  (302056390, ... ) == 0xa01040c
 00791   396   NtGdiExtGetObjectW  (168100875, 24, 1241324, ... ) == 0x18
 00792   396   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xb050408
 00793   396   NtGdiSelectBitmap  (302056390, 168100875, ... ) == 0x185000f
 00794   396   NtGdiSelectBitmap  (167838732, 184878088, ... ) == 0x185000f
 00795   396   NtGdiBitBlt  (167838732, 0, 0, 32, 64, 302056390, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00796   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0xa05040b
 00797   396   NtGdiSelectBitmap  (167838732, 25493519, ... ) == 0xb050408
 00798   396   NtGdiDeleteObjectApp  (168100875, ... ) == 0x1
 00799   396   NtGdiDeleteObjectApp  (167838732, ... ) == 0x1
 00800   396   NtUserCallOneParam  (0, 33, ... ) == 0x2006d
 00801   396   NtUserSetCursorIconData  (131181, 1241432, 1241448, 1242028, ... ) == 0x1
 00802   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00803   396   NtUserGetDC  (0, ... ) == 0x1010050
 00804   396   NtGdiCreateDIBitmapInternal  (16842832, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xf0503ff
 00805   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00806   396   NtGdiSelectBitmap  (302056390, 251986943, ... ) == 0x185000f
 00807   396   NtGdiGetDCforBitmap  (251986943, ... ) == 0x120103c6
 00808   396   NtGdiSaveDC  (302056390, ... ) == 0x1
 00809   396   NtGdiSelectBitmap  (302056390, 251986943, ... ) == 0xf0503ff
 00810   396   NtGdiGetDCObject  (302056390, 524288, ... ) == 0x188000b
 00811   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00812   396   NtGdiSetDIBitsToDeviceInternal  (302056390, 0, 0, 32, 64, 0, 0, 0, 64, 9189492, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00813   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00814   396   NtGdiSelectBitmap  (302056390, 251986943, ... ) == 0xf0503ff
 00815   396   NtGdiRestoreDC  (302056390, -1, ... ) == 0x1
 00816   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0xf0503ff
 00817   396   NtGdiCreateCompatibleDC  (302056390, ... ) == 0xc01040b
 00818   396   NtGdiExtGetObjectW  (251986943, 24, 1241324, ... ) == 0x18
 00819   396   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x8050405
 00820   396   NtGdiSelectBitmap  (302056390, 251986943, ... ) == 0x185000f
 00821   396   NtGdiSelectBitmap  (201393163, 134546437, ... ) == 0x185000f
 00822   396   NtGdiBitBlt  (201393163, 0, 0, 32, 64, 302056390, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00823   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0xf0503ff
 00824   396   NtGdiSelectBitmap  (201393163, 25493519, ... ) == 0x8050405
 00825   396   NtGdiDeleteObjectApp  (251986943, ... ) == 0x1
 00826   396   NtGdiDeleteObjectApp  (201393163, ... ) == 0x1
 00827   396   NtUserCallOneParam  (0, 33, ... ) == 0x300a5
 00828   396   NtUserSetCursorIconData  (196773, 1241432, 1241448, 1242028, ... ) == 0x1
 00829   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00830   396   NtUserGetDC  (0, ... ) == 0x1010050
 00831   396   NtGdiCreateDIBitmapInternal  (16842832, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xc05040c
 00832   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00833   396   NtGdiSelectBitmap  (302056390, 201655308, ... ) == 0x185000f
 00834   396   NtGdiGetDCforBitmap  (201655308, ... ) == 0x120103c6
 00835   396   NtGdiSaveDC  (302056390, ... ) == 0x1
 00836   396   NtGdiSelectBitmap  (302056390, 201655308, ... ) == 0xc05040c
 00837   396   NtGdiGetDCObject  (302056390, 524288, ... ) == 0x188000b
 00838   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00839   396   NtGdiSetDIBitsToDeviceInternal  (302056390, 0, 0, 32, 64, 0, 0, 0, 64, 9189800, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00840   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00841   396   NtGdiSelectBitmap  (302056390, 201655308, ... ) == 0xc05040c
 00842   396   NtGdiRestoreDC  (302056390, -1, ... ) == 0x1
 00843   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0xc05040c
 00844   396   NtGdiCreateCompatibleDC  (302056390, ... ) == 0x110103ff
 00845   396   NtGdiExtGetObjectW  (201655308, 24, 1241324, ... ) == 0x18
 00846   396   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x8050406
 00847   396   NtGdiSelectBitmap  (302056390, 201655308, ... ) == 0x185000f
 00848   396   NtGdiSelectBitmap  (285279231, 134546438, ... ) == 0x185000f
 00849   396   NtGdiBitBlt  (285279231, 0, 0, 32, 64, 302056390, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00850   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0xc05040c
 00851   396   NtGdiSelectBitmap  (285279231, 25493519, ... ) == 0x8050406
 00852   396   NtGdiDeleteObjectApp  (201655308, ... ) == 0x1
 00853   396   NtGdiDeleteObjectApp  (285279231, ... ) == 0x1
 00854   396   NtUserCallOneParam  (0, 33, ... ) == 0x300a3
 00855   396   NtUserSetCursorIconData  (196771, 1241432, 1241448, 1242028, ... ) == 0x1
 00856   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00857   396   NtUserGetDC  (0, ... ) == 0x1010050
 00858   396   NtGdiCreateDIBitmapInternal  (16842832, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xe05040b
 00859   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00860   396   NtGdiSelectBitmap  (302056390, 235209739, ... ) == 0x185000f
 00861   396   NtGdiGetDCforBitmap  (235209739, ... ) == 0x120103c6
 00862   396   NtGdiSaveDC  (302056390, ... ) == 0x1
 00863   396   NtGdiSelectBitmap  (302056390, 235209739, ... ) == 0xe05040b
 00864   396   NtGdiGetDCObject  (302056390, 524288, ... ) == 0x188000b
 00865   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00866   396   NtGdiSetDIBitsToDeviceInternal  (302056390, 0, 0, 32, 64, 0, 0, 0, 64, 9190108, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00867   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00868   396   NtGdiSelectBitmap  (302056390, 235209739, ... ) == 0xe05040b
 00869   396   NtGdiRestoreDC  (302056390, -1, ... ) == 0x1
 00870   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0xe05040b
 00871   396   NtGdiCreateCompatibleDC  (302056390, ... ) == 0xe01040c
 00872   396   NtGdiExtGetObjectW  (235209739, 24, 1241324, ... ) == 0x18
 00873   396   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x70503e3
 00874   396   NtGdiSelectBitmap  (302056390, 235209739, ... ) == 0x185000f
 00875   396   NtGdiSelectBitmap  (234947596, 117769187, ... ) == 0x185000f
 00876   396   NtGdiBitBlt  (234947596, 0, 0, 32, 64, 302056390, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00877   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0xe05040b
 00878   396   NtGdiSelectBitmap  (234947596, 25493519, ... ) == 0x70503e3
 00879   396   NtGdiDeleteObjectApp  (235209739, ... ) == 0x1
 00880   396   NtGdiDeleteObjectApp  (234947596, ... ) == 0x1
 00881   396   NtUserCallOneParam  (0, 33, ... ) == 0x300a1
 00882   396   NtUserSetCursorIconData  (196769, 1241432, 1241448, 1242028, ... ) == 0x1
 00883   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00884   396   NtUserGetDC  (0, ... ) == 0x1010050
 00885   396   NtGdiCreateDIBitmapInternal  (16842832, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x130503ff
 00886   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00887   396   NtGdiSelectBitmap  (302056390, 319095807, ... ) == 0x185000f
 00888   396   NtGdiGetDCforBitmap  (319095807, ... ) == 0x120103c6
 00889   396   NtGdiSaveDC  (302056390, ... ) == 0x1
 00890   396   NtGdiSelectBitmap  (302056390, 319095807, ... ) == 0x130503ff
 00891   396   NtGdiGetDCObject  (302056390, 524288, ... ) == 0x188000b
 00892   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00893   396   NtGdiSetDIBitsToDeviceInternal  (302056390, 0, 0, 32, 64, 0, 0, 0, 64, 9190724, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00894   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00895   396   NtGdiSelectBitmap  (302056390, 319095807, ... ) == 0x130503ff
 00896   396   NtGdiRestoreDC  (302056390, -1, ... ) == 0x1
 00897   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0x130503ff
 00898   396   NtGdiCreateCompatibleDC  (302056390, ... ) == 0x1001040b
 00899   396   NtGdiExtGetObjectW  (319095807, 24, 1241324, ... ) == 0x18
 00900   396   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xa0503e7
 00901   396   NtGdiSelectBitmap  (302056390, 319095807, ... ) == 0x185000f
 00902   396   NtGdiSelectBitmap  (268502027, 168100839, ... ) == 0x185000f
 00903   396   NtGdiBitBlt  (268502027, 0, 0, 32, 64, 302056390, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00904   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0x130503ff
 00905   396   NtGdiSelectBitmap  (268502027, 25493519, ... ) == 0xa0503e7
 00906   396   NtGdiDeleteObjectApp  (319095807, ... ) == 0x1
 00907   396   NtGdiDeleteObjectApp  (268502027, ... ) == 0x1
 00908   396   NtUserCallOneParam  (0, 33, ... ) == 0x2009f
 00909   396   NtUserSetCursorIconData  (131231, 1241432, 1241448, 1242028, ... ) == 0x1
 00910   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00911   396   NtUserGetDC  (0, ... ) == 0x1010050
 00912   396   NtGdiCreateDIBitmapInternal  (16842832, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1005040c
 00913   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00914   396   NtGdiSelectBitmap  (302056390, 268764172, ... ) == 0x185000f
 00915   396   NtGdiGetDCforBitmap  (268764172, ... ) == 0x120103c6
 00916   396   NtGdiSaveDC  (302056390, ... ) == 0x1
 00917   396   NtGdiSelectBitmap  (302056390, 268764172, ... ) == 0x1005040c
 00918   396   NtGdiGetDCObject  (302056390, 524288, ... ) == 0x188000b
 00919   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00920   396   NtGdiSetDIBitsToDeviceInternal  (302056390, 0, 0, 32, 64, 0, 0, 0, 64, 9190416, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00921   396   NtUserSelectPalette  (302056390, 25690123, 0, ... ) == 0x188000b
 00922   396   NtGdiSelectBitmap  (302056390, 268764172, ... ) == 0x1005040c
 00923   396   NtGdiRestoreDC  (302056390, -1, ... ) == 0x1
 00924   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0x1005040c
 00925   396   NtGdiCreateCompatibleDC  (302056390, ... ) == 0x150103ff
 00926   396   NtGdiExtGetObjectW  (268764172, 24, 1241324, ... ) == 0x18
 00927   396   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x90503e5
 00928   396   NtGdiSelectBitmap  (302056390, 268764172, ... ) == 0x185000f
 00929   396   NtGdiSelectBitmap  (352388095, 151323621, ... ) == 0x185000f
 00930   396   NtGdiBitBlt  (352388095, 0, 0, 32, 64, 302056390, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00931   396   NtGdiSelectBitmap  (302056390, 25493519, ... ) == 0x1005040c
 00932   396   NtGdiSelectBitmap  (352388095, 25493519, ... ) == 0x90503e5
 00933   396   NtGdiDeleteObjectApp  (268764172, ... ) == 0x1
 00934   396   NtGdiDeleteObjectApp  (352388095, ... ) == 0x1
 00935   396   NtUserCallOneParam  (0, 33, ... ) == 0x3009d
 00936   396   NtUserSetCursorIconData  (196765, 1241432, 1241448, 1242028, ... ) == 0x1
 00937   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10015
 00938   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10019
 00939   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001f
 00940   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001b
 00941   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10021
 00942   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001d
 00943   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10013
 00944   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10017
 00945   396   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00946   396   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00947   396   NtUserGetDC  (0, ... ) == 0x1010050
 00948   396   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00949   396   NtUserEnumDisplayMonitors  (0, 0, 8913508, 9377472, ... ) == 0x1
 00950   396   NtUserSystemParametersInfo  (31, 60, 1241588, 0, ... ) == 0x1
 00951   396   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344496, ... ) == 0x160a03ff
 00952   396   NtGdiExtGetObjectW  (369755135, 420, 1241808, ... ) == 0x164
 00953   396   NtUserSystemParametersInfo  (41, 0, 1241788, 0, ... ) == 0x1
 00954   396   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344488, ... ) == 0x120a040b
 00955   396   NtGdiExtGetObjectW  (302646283, 420, 1241808, ... ) == 0x164
 00956   396   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344480, ... ) == 0x110a040c
 00957   396   NtGdiExtGetObjectW  (285869068, 420, 1241808, ... ) == 0x164
 00958   396   NtUserFindExistingCursorIcon  (1241896, 1241912, 1242480, ... ) == 0x0
 00959   396   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 8650752, 4096, ) == 0x0
 00960   396   NtUserGetKeyboardLayoutList  (64, 1242468, ... ) == 0x1
 00961   396   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00962   396   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0cc
 00963   396   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0cd
 00964   396   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   396   NtUserSetWindowsHookEx  (8781824, 1243796, 0, 4, 8789692, 2, ... ) == 0x4009b
 00966   396   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   396   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "uterm19"}, 1, ... 100, ) }, 1, ... 100, ) == 0x0
 00968   396   NtOpenProcessToken  (-1, 0x20, ... 104, ) == 0x0
 00969   396   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00970   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 108, ) }, ... 108, ) == 0x0
 00972   396   NtQueryValueKey  (108,  (108, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   396   NtClose  (108, ... ) == 0x0
 00974   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   396   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00976   396   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00977   396   NtQuerySystemTime  (... {-1647894640, 29868089}, ) == 0x0
 00978   396   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00979   396   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   396   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00981   396   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00982   396   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00983   396   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00984   396   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 124, ) == 0x0
 00985   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 128, ) }, ... 128, ) == 0x0
 00986   396   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "ActiveComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00987   396   NtQueryValueKey  (132,  (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00988   396   NtClose  (132, ... ) == 0x0
 00989   396   NtClose  (128, ... ) == 0x0
 00990   396   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 128, ) == 0x0
 00991   396   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 132, ) == 0x0
 00992   396   NtDuplicateObject  (-1, 128, -1, 0x0, 0, 2, ... 136, ) == 0x0
 00993   396   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00994   396   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00995   396   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00996   396   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00997   396   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00998   396   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243244,  (0xc0100080, {24, 0, 0x40, 0, 1243244, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 00999   396   NtSetInformationFile  (144, 1243300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01000   396   NtSetInformationFile  (144, 1243292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01001   396   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01002   396   NtWriteFile  (144, 121, 0, 0,  (144, 121, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01003   396   NtReadFile  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01004   396   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20K!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01005   396   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\245'2\327,,\334\21\261\306\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\245'2\327,,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\245'2\327,,\334\21\261\306\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\245'2\327,,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\245'2\327,,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01006   396   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\245'2\327,,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\245'2\327,,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01007   396   NtClose  (140, ... ) == 0x0
 01008   396   NtClose  (144, ... ) == 0x0
 01009   396   NtAdjustPrivilegesToken  (104, 0, 1245080, 16, 0, 0, ... ) == 0x0
 01010   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01011   396   NtQueryValueKey  (144,  (144, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   396   NtClose  (144, ... ) == 0x0
 01013   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01014   396   NtQueryValueKey  (144,  (144, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   396   NtClose  (144, ... ) == 0x0
 01016   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01017   396   NtQueryValueKey  (144,  (144, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01018   396   NtClose  (144, ... ) == 0x0
 01019   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01020   396   NtQueryValueKey  (144,  (144, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01021   396   NtClose  (144, ... ) == 0x0
 01022   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01023   396   NtQueryValueKey  (144,  (144, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   396   NtClose  (144, ... ) == 0x0
 01025   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01026   396   NtQueryValueKey  (144,  (144, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027   396   NtClose  (144, ... ) == 0x0
 01028   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01029   396   NtQueryValueKey  (144,  (144, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01030   396   NtClose  (144, ... ) == 0x0
 01031   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01032   396   NtQueryValueKey  (144,  (144, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   396   NtClose  (144, ... ) == 0x0
 01034   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01035   396   NtQueryValueKey  (144,  (144, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01036   396   NtClose  (144, ... ) == 0x0
 01037   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01038   396   NtQueryValueKey  (144,  (144, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   396   NtClose  (144, ... ) == 0x0
 01040   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01041   396   NtQueryValueKey  (144,  (144, "Windows Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   396   NtClose  (144, ... ) == 0x0
 01043   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   396   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01045   396   NtSetInformationFile  (-2147482808, -131038172, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01046   396   NtSetInformationFile  (-2147482808, -131038644, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01044   396   NtCreateKey  ... 144, 1, ) == 0x0
 01047   396   NtSetValueKey  (144,  (144, "ID", 0, 1, "e\0u\0r\0n\0w\0h\0q\0k\0i\0u\0o\0d\0t\0e\0d\0i\0y\0s\0\0\0", 38, ... ) , 0, 1,  (144, "ID", 0, 1, "e\0u\0r\0n\0w\0h\0q\0k\0i\0u\0o\0d\0t\0e\0d\0i\0y\0s\0\0\0", 38, ... ) , 38, ... ) == 0x0
 01048   396   NtClose  (144, ... ) == 0x0
 01049   396   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01050   396   NtQueryValueKey  (144,  (144, "Cryptographic Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01051   396   NtClose  (144, ... ) == 0x0
 01052   396   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 144, 2, ) }, 0, 0x0, 0, ... 144, 2, ) == 0x0
 01053   396   NtSetValueKey  (144,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01054   396   NtClose  (144, ... ) == 0x0
 01055   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243516,  (0x80100080, {24, 0, 0x40, 0, 1243516, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01056   396   NtQueryInformationFile  (144, 1244452, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01057   396   NtQueryInformationFile  (144, 1244424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01058   396   NtQueryInformationFile  (144, 1244376, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01059   396   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 01060   396   NtQueryInformationFile  (144, 1371664, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01061   396   NtQueryInformationFile  (144, 1242920, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01062   396   NtQueryInformationFile  (144, 1242764, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01063   396   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242772,  (0x40110080, {24, 0, 0x40, 0, 1242772, "\??\C:\WINDOWS\System32\idtkuf.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01064   396   NtClose  (-2147482208, ... ) == 0x0
 01063   396   NtCreateFile  ... 140, {status=0x0, info=2}, ) == 0x0
 01065   396   NtQueryVolumeInformationFile  (140, 1242144, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01066   396   NtQueryInformationFile  (140, 1242104, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01067   396   NtQueryVolumeInformationFile  (144, 1242144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01068   396   NtQueryVolumeInformationFile  (144, 1241828, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01069   396   NtSetInformationFile  (140, 1241932, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01070   396   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 144, ... 148, ) == 0x0
 01071   396   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9f0000), {0, 0}, 188416, ) == 0x0
 01072   396   NtClose  (148, ... ) == 0x0
 01073   396   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\310Y\330@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0B1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01074   396   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\373\3\205\3569kn;\3\271B\37[t\24.\372\30B\277t\5^\12\322r\264\370J\25\306X\2008Q\242\256{\252m\244\244Z2>\326VB[\3078*)\30U\326A\316\274\24\211\235\312\242\271 v\344\2526\361\320\233\17\221`V:-\341\322\355\301\257nb\25r\327\236\256\250+\222\275\360\226\361\362'\334xX\3500\222\360\4e\267\213U\203\345\375\1_m24u\250~\1^g&\20F\317\356\212yw\276\260U%\353\16TyM-\367\357\351S\224A\212{\35\315\324X\3578~_68f\227"^F\366\20\2\267\367J\227Fa\266Hve?y3u\321\302\204\315n\242\230~\22\5\205U3cF"l\357\370\365\120\336\211\364\331Wx5`Q\2164\0\216\3058\27\244\222\24\34\305\242\364\263\346\215\235\240wU5a\371t6\332W\357\330X.\315L\311\225\30\364\340\244Tt\5j\305$\235\3\376\277bv\323\302.\231\366-\362\3379\302\2622u\26dG\20~\303\322(>&\7J\234\377G$\24\213|\220\1\242>k\355\210\21}P\271\6e\354\272F\311y\12\234\244\342LW\221\360\261Yq\366[S\342q\34WFqn\371P$\6\26a\12\14~\205@sG\376),Wfr\1\130<\13Kc\274\204\22`\333@IQ\220\23J\2069\362W\377\266*\335\233\274WJ\311\372\3402|E\20\310l\366\14Vc>z\235\25P\351{\306\26\32\205I\362\257~\7\257_Ne\323`/'\355\306vD`3\261G\354\323\346\201\214\347\26\247MKRaeV]\362\210}5\11\14G\2101\274C\35\247D\12zg\302\355\371g\270<\275& KU\21$\321\271\233`\231", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) ^F\366\20266\216u\266\216^t2\22\307\0R\31Td>\2\267\367J\227Fa\266Hve?y3u\321\302\204\315n\242\230~\22\5\205U3cF (140, 0, 0, 0, "\373\3\205\3569kn;\3\271B\37[t\24.\372\30B\277t\5^\12\322r\264\370J\25\306X\2008Q\242\256{\252m\244\244Z2>\326VB[\3078*)\30U\326A\316\274\24\211\235\312\242\271 v\344\2526\361\320\233\17\221`V:-\341\322\355\301\257nb\25r\327\236\256\250+\222\275\360\226\361\362'\334xX\3500\222\360\4e\267\213U\203\345\375\1_m24u\250~\1^g&\20F\317\356\212yw\276\260U%\353\16TyM-\367\357\351S\224A\212{\35\315\324X\3578~_68f\227"^F\366\20\2\267\367J\227Fa\266Hve?y3u\321\302\204\315n\242\230~\22\5\205U3cF"l\357\370\365\120\336\211\364\331Wx5`Q\2164\0\216\3058\27\244\222\24\34\305\242\364\263\346\215\235\240wU5a\371t6\332W\357\330X.\315L\311\225\30\364\340\244Tt\5j\305$\235\3\376\277bv\323\302.\231\366-\362\3379\302\2622u\26dG\20~\303\322(>&\7J\234\377G$\24\213|\220\1\242>k\355\210\21}P\271\6e\354\272F\311y\12\234\244\342LW\221\360\261Yq\366[S\342q\34WFqn\371P$\6\26a\12\14~\205@sG\376),Wfr\1\130<\13Kc\274\204\22`\333@IQ\220\23J\2069\362W\377\266*\335\233\274WJ\311\372\3402|E\20\310l\366\14Vc>z\235\25P\351{\306\26\32\205I\362\257~\7\257_Ne\323`/'\355\306vD`3\261G\354\323\346\201\214\347\26\247MKRaeV]\362\210}5\11\14G\2101\274C\35\247D\12zg\302\355\371g\270<\275& KU\21$\321\271\233`\231", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01075   396   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "@a\211s\35\203\22[\255\11o\11Y\6\341\346vk\224\264O$g${D\26j\13\325'\12\331f\226\370\373\14\251s\6\4UkqPsSG\264R\10UJ\306\377\357]&'\26\23\14k]\273\14@iv\275F\30$\36j\243\306x\235\272yJDS\372\\331\356\307\266\371\223C\274\342k\356K\5\7\326\352^gl$~D\354f\301\320\276\334\270Y"\322\20`\24\240*\227\221>\373\272D\200\22[\345\362\211]HA[\261G\252:%'\376\27\261Y\273\342\251\346\353\264\37\311J\271\17\226\222\353u\350C\347Y\323A\33R4/ "a2w_\7%\264D1\3\354T\326m\24\3428[\24\313N\321\264}C#@9\356m^\11\206\13\310\363\276'JU\311\336\37\323\311<\267\323\223}=U\325\6N\225\342ut_H\234\27\376\17\207\303:.\20\322mSG\373\251(:\177I\346\317\375*\177=\311)y\20\252\326~v\240y\207\355;\27>\234\367\217j\305\252\275y\240w\272\212\215B\21\21/\252\264\2351\25\334\205\24f\375h\36Q*\2761#\256L=\3449\323"\321\303)\35aR\23\207\355\272V\274%~\356^IF'\202+\351\30M\333[mB\4$g\32\260\23\357k\345\3510\322J\374\276\233\253\276o\355u\350oq}P\303\301n\15\30\315\332\275c<\344\346\357\362\252\304V\352\30\241P\211\333\250~*`\326\247\6\210E&\177\13\202\210\207\351\35\3575\252m\246Yb\240\271C\370\16\27\251\203\254wD\5\354\344\206P\205\330\327\325S\216`\333\231\233\1\352\321\230\367H\345f\300\363\334\271u\215\37\21Q\335\273\222;K#\221\373Z\374}\335\352\222\177\310\343\213\33\300\273_]|tZ$C\371|/C\367\225#\274\35", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \322\20`\24\240*\227\221>\373\272D\200\22[\345\362\211]HA[\261G\252:%'\376\27\261Y\273\342\251\346\353\264\37\311J\271\17\226\222\353u\350C\347Y\323A\33R4/  (140, 0, 0, 0, "@a\211s\35\203\22[\255\11o\11Y\6\341\346vk\224\264O$g${D\26j\13\325'\12\331f\226\370\373\14\251s\6\4UkqPsSG\264R\10UJ\306\377\357]&'\26\23\14k]\273\14@iv\275F\30$\36j\243\306x\235\272yJDS\372\\331\356\307\266\371\223C\274\342k\356K\5\7\326\352^gl$~D\354f\301\320\276\334\270Y"\322\20`\24\240*\227\221>\373\272D\200\22[\345\362\211]HA[\261G\252:%'\376\27\261Y\273\342\251\346\353\264\37\311J\271\17\226\222\353u\350C\347Y\323A\33R4/ "a2w_\7%\264D1\3\354T\326m\24\3428[\24\313N\321\264}C#@9\356m^\11\206\13\310\363\276'JU\311\336\37\323\311<\267\323\223}=U\325\6N\225\342ut_H\234\27\376\17\207\303:.\20\322mSG\373\251(:\177I\346\317\375*\177=\311)y\20\252\326~v\240y\207\355;\27>\234\367\217j\305\252\275y\240w\272\212\215B\21\21/\252\264\2351\25\334\205\24f\375h\36Q*\2761#\256L=\3449\323"\321\303)\35aR\23\207\355\272V\274%~\356^IF'\202+\351\30M\333[mB\4$g\32\260\23\357k\345\3510\322J\374\276\233\253\276o\355u\350oq}P\303\301n\15\30\315\332\275c<\344\346\357\362\252\304V\352\30\241P\211\333\250~*`\326\247\6\210E&\177\13\202\210\207\351\35\3575\252m\246Yb\240\271C\370\16\27\251\203\254wD\5\354\344\206P\205\330\327\325S\216`\333\231\233\1\352\321\230\367H\345f\300\363\334\271u\215\37\21Q\335\273\222;K#\221\373Z\374}\335\352\222\177\310\343\213\33\300\273_]|tZ$C\371|/C\367\225#\274\35", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \321\303)\35aR\23\207\355\272V\274%~\356^IF'\202+\351\30M\333[mB\4$g\32\260\23\357k\345\3510\322J\374\276\233\253\276o\355u\350oq}P\303\301n\15\30\315\332\275c<\344\346\357\362\252\304V\352\30\241P\211\333\250~*`\326\247\6\210E&\177\13\202\210\207\351\35\3575\252m\246Yb\240\271C\370\16\27\251\203\254wD\5\354\344\206P\205\330\327\325S\216`\333\231\233\1\352\321\230\367H\345f\300\363\334\271u\215\37\21Q\335\273\222;K#\221\373Z\374}\335\352\222\177\310\343\213\33\300\273_]|tZ$C\371|/C\367\225#\274\35", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01076   396   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "Ve6\0\357,q+Ve6\0Ve7\0Ve6\0\26a6\0b90\0=d6\0Ve6\0Ve6\0Ve6\0\357,q+Ve6\0Ve1\0\257\326\0\316a6\200\254\326\0\226a6\200\255\326\0\276a6\200\252\326\0F`6\200\253\326\0n`6\200\250\326\06`6\200\251\326\0\336`6\200Ve6\0\357,q+Ve6\0Ve7\0Ve6\0\346a6\0\36680\0Be6\0Ve6\0Ve6\0Ve6\0\357,q+Ve6\0Ve7\0Ve6\0\216a6\0\34280\0Be6\0Ve6\0Ve6\0Ve6\0\357,q+Ve6\0Ve7\0Ve6\0V`6\0\23680\0Be6\0Ve6\0Ve6\0Ve6\0\357,q+Ve6\0Ve7\0Ve6\0~`6\0\21280\0Be6\0Ve6\0Ve6\0Ve6\0\357,q+Ve6\0Ve7\0Ve6\0\6`6\0\24680\0Be6\0Ve6\0Ve6\0Ve6\0\357,q+Ve6\0Ve7\0Ve6\0.`6\0R;0\0Be6\0Ve6\0Ve6\0Ve6\0\357,q+Ve6\0Ve7\0Ve6\0\366`6\0N;0\0Be6\0Ve6\0Ve6\0Per\0\0eu\0\32ew\0\32e=\0\2ep\0\3ex\0\25e{\0\31er\0\3ez\0\23e6\0Ve6\0Ve6\0Ve6\0\272C1\0\366C1\0Ve6\0Ve6\0Ve6\0\257C1\0\372C1\0Ve6\0Ve6\0Ve6\0PB1\0\342C1\0Ve6\0Ve6\0", 3032, 0x0, 0, ... {status=0x0, info=3032}, ) , 3032, 0x0, 0, ... {status=0x0, info=3032}, ) == 0x0
 01077   396   NtUnmapViewOfSection  (-1, 0x9f0000, ... ) == 0x0
 01078   396   NtSetInformationFile  (140, 1244376, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01079   396   NtClose  (144, ... ) == 0x0
 01080   396   NtClose  (140, ... ) == 0x0
 01081   396   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01082   396   NtSetValueKey  (140,  (140, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0d\0t\0k\0u\0f\0.\0e\0x\0e\0\0\0", 62, ... , 0, 1,  (140, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0d\0t\0k\0u\0f\0.\0e\0x\0e\0\0\0", 62, ... , 62, ...
 01083   396   NtSetInformationFile  (-2147482808, -131037388, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01084   396   NtSetInformationFile  (-2147482808, -131037480, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01082   396   NtSetValueKey  ... ) == 0x0
 01085   396   NtClose  (140, ... ) == 0x0
 01086   396   NtClose  (100, ... ) == 0x0
 01087   396   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01088   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\idtkuf.exe"}, 1241008, ... ) }, 1241008, ... ) == 0x0
 01089   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\idtkuf.exe"}, 1241700, ... ) }, 1241700, ... ) == 0x0
 01090   396   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\idtkuf.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01091   396   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 100, ... 140, ) == 0x0
 01092   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 144, ) }, ... 144, ) == 0x0
 01094   396   NtQueryValueKey  (144,  (144, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   396   NtClose  (144, ... ) == 0x0
 01096   396   NtQueryVolumeInformationFile  (100, 1241008, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01097   396   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 144, ) }, ... 144, ) == 0x0
 01098   396   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01099   396   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 148, ) }, ... 148, ) == 0x0
 01100   396   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9f0000), {0, 0}, 57344, ) == 0x0
 01101   396   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01102   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238992, ... ) }, 1238992, ... ) == 0x0
 01103   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01104   396   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 152, ... 156, ) == 0x0
 01105   396   NtClose  (152, ... ) == 0x0
 01106   396   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 106496, ) == 0x0
 01107   396   NtClose  (156, ... ) == 0x0
 01108   396   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01109   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239308, ... ) }, 1239308, ... ) == 0x0
 01110   396   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01111   396   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 152, ) == 0x0
 01112   396   NtQuerySection  (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01113   396   NtClose  (156, ... ) == 0x0
 01114   396   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01115   396   NtClose  (152, ... ) == 0x0
 01116   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01117   396   NtQueryInformationFile  (152, 1239596, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01118   396   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 152, ... 156, ) == 0x0
 01119   396   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa00000), 0x0, 1028096, ) == 0x0
 01120   396   NtQueryInformationFile  (152, 1239692, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01121   396   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   396   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01123   396   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01124   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01125   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1237256, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237256, 616, BothDirectory, 1, "idtkuf.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01126   396   NtClose  (160, ... ) == 0x0
 01127   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01128   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01129   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\idtkuf.exe"}, 1236644, ... ) }, 1236644, ... ) == 0x0
 01130   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01131   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01132   396   NtClose  (160, ... ) == 0x0
 01133   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01134   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01135   396   NtClose  (160, ... ) == 0x0
 01136   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01137   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "idtkuf.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01138   396   NtClose  (160, ... ) == 0x0
 01139   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01140   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01141   396   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01142   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01143   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01144   396   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01145   396   NtClose  (160, ... ) == 0x0
 01146   396   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01147   396   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\idtkuf.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01148   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01149   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01150   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\idtkuf.exe"}, 1238924, ... ) }, 1238924, ... ) == 0x0
 01151   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01152   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01153   396   NtClose  (160, ... ) == 0x0
 01154   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01155   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01156   396   NtClose  (160, ... ) == 0x0
 01157   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01158   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "idtkuf.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01159   396   NtClose  (160, ... ) == 0x0
 01160   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01161   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01162   396   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01163   396   NtQueryVolumeInformationFile  (100, 1239568, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01164   396   NtQueryInformationFile  (100, 1239548, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01165   396   NtQueryInformationFile  (100, 1239588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01166   396   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01167   396   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01168   396   NtClose  (156, ... ) == 0x0
 01169   396   NtClose  (152, ... ) == 0x0
 01170   396   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01171   396   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idtkuf.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   396   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01173   396   NtOpenProcessToken  (-1, 0xa, ... 152, ) == 0x0
 01174   396   NtQueryInformationToken  (152, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01175   396   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01177   396   NtQueryValueKey  (156,  (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01178   396   NtQueryValueKey  (156,  (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01179   396   NtClose  (156, ... ) == 0x0
 01180   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01181   396   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01182   396   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01183   396   NtClose  (156, ... ) == 0x0
 01184   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01185   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01186   396   NtQueryValueKey  (156,  (156, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   396   NtClose  (156, ... ) == 0x0
 01188   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01189   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01190   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01191   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01192   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01193   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01194   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01195   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01196   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01197   396   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01198   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 156, ) }, ... 156, ) == 0x0
 01199   396   NtEnumerateKey  (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01200   396   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 160, ) }, ... 160, ) == 0x0
 01201   396   NtQueryValueKey  (160,  (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01202   396   NtQueryValueKey  (160,  (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01203   396   NtClose  (160, ... ) == 0x0
 01204   396   NtEnumerateKey  (156, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01205   396   NtClose  (156, ... ) == 0x0
 01206   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01210   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01216   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01218   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01220   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01221   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01222   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01223   396   NtClose  (156, ... ) == 0x0
 01224   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01225   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01226   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01227   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01228   396   NtClose  (156, ... ) == 0x0
 01229   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01230   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01231   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01232   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01233   396   NtClose  (156, ... ) == 0x0
 01234   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01236   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01237   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01238   396   NtClose  (156, ... ) == 0x0
 01239   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01240   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01241   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01242   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01243   396   NtClose  (156, ... ) == 0x0
 01244   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01245   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01246   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01247   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01248   396   NtClose  (156, ... ) == 0x0
 01249   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01251   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01252   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01253   396   NtClose  (156, ... ) == 0x0
 01254   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01255   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01256   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01257   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01258   396   NtClose  (156, ... ) == 0x0
 01259   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01260   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01261   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01262   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01263   396   NtClose  (156, ... ) == 0x0
 01264   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01265   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01266   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01267   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01268   396   NtClose  (156, ... ) == 0x0
 01269   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01270   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01271   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01272   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01273   396   NtClose  (156, ... ) == 0x0
 01274   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01275   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01276   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01277   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01278   396   NtClose  (156, ... ) == 0x0
 01279   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01280   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01281   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01282   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01283   396   NtClose  (156, ... ) == 0x0
 01284   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01285   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01286   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01287   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01288   396   NtClose  (156, ... ) == 0x0
 01289   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01290   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01291   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01292   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01293   396   NtClose  (156, ... ) == 0x0
 01294   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01296   396   NtQueryValueKey  (156,  (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01297   396   NtClose  (156, ... ) == 0x0
 01298   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01299   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01300   396   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01301   396   NtClose  (156, ... ) == 0x0
 01302   396   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   396   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01304   396   NtOpenProcessToken  (-1, 0xa, ... 156, ) == 0x0
 01305   396   NtDuplicateToken  (156, 0xc, {24, 0, 0x0, 0, 1240900, 0x0}, 0, 2, ... 160, ) == 0x0
 01306   396   NtClose  (156, ... ) == 0x0
 01307   396   NtAccessCheck  (1378928, 160, 0x1, 1241028, 1240972, 56, 1241056, ... (0x1), ) == 0x0
 01308   396   NtClose  (160, ... ) == 0x0
 01309   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 160, ) }, ... 160, ) == 0x0
 01310   396   NtQueryValueKey  (160,  (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01311   396   NtClose  (160, ... ) == 0x0
 01312   396   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 160, ) }, ... 160, ) == 0x0
 01313   396   NtQuerySymbolicLinkObject  (160, ...  (160, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01314   396   NtClose  (160, ... ) == 0x0
 01315   396   NtQueryInformationFile  (100, 1239360, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01316   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01317   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01318   396   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\idtkuf.exe"}, 1238040, ... ) }, 1238040, ... ) == 0x0
 01319   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01320   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01321   396   NtClose  (160, ... ) == 0x0
 01322   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01323   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01324   396   NtClose  (160, ... ) == 0x0
 01325   396   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01326   396   NtQueryDirectoryFile  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "idtkuf.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01327   396   NtClose  (160, ... ) == 0x0
 01328   396   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01329   396   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01330   396   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01331   396   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01332   396   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01333   396   NtClose  (160, ... ) == 0x0
 01334   396   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 160, ) }, ... 160, ) == 0x0
 01335   396   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0
 01336   396   NtClose  (160, ... ) == 0x0
 01337   396   NtQueryValueKey  (156,  (156, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01338   396   NtQueryValueKey  (156,  (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01339   396   NtClose  (156, ... ) == 0x0
 01340   396   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10485760, 4096, ) == 0x0
 01341   396   NtAllocateVirtualMemory  (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0
 01342   396   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01343   396   NtQueryValueKey  (156,  (156, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344   396   NtClose  (156, ... ) == 0x0
 01345   396   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01346   396   NtQueryInformationToken  (152, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01347   396   NtQueryInformationToken  (152, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01348   396   NtClose  (152, ... ) == 0x0
 01349   396   NtCreateProcessEx  (1243636, 2035711, 0, -1, 0, 140, 0, 0, 0, ... ) == 0x0
 01350   396   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=368,}, 0x0, ) == 0x0
 01351   396   NtReadVirtualMemory  (152, 0x7ffdf008, 4, ...  (152, 0x7ffdf008, 4, ... "\0\0B1", 0x0, ) , 0x0, ) == 0x0
 01352   396   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\idtkuf.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01353   396   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01354   396   NtReadVirtualMemory  (152, 0x31420000, 4096, ...  (152, 0x31420000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\310Y\330@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0B1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 01355   396   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01356   396   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=368,}, 0x0, ) == 0x0
 01357   396   NtAllocateVirtualMemory  (-1, 0, 0, 1660, 4096, 4, ... 10551296, 4096, ) == 0x0
 01358   396   NtAllocateVirtualMemory  (152, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01359   396   NtWriteVirtualMemory  (152, 0x10000,  (152, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01360   396   NtAllocateVirtualMemory  (152, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0
 01361   396   NtWriteVirtualMemory  (152, 0x20000,  (152, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0<\0>\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0<\0>\0\30\6\0\0\36\0 \0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0
 01362   396   NtWriteVirtualMemory  (152, 0x7ffdf010,  (152, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01363   396   NtWriteVirtualMemory  (152, 0x7ffdf1e8,  (152, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01364   396   NtFreeVirtualMemory  (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0
 01365   396   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01366   396   NtAllocateVirtualMemory  (152, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01367   396   NtProtectVirtualMemory  (152, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01368   396   NtCreateThread  (0x1f03ff, 0x0, 152, 1241900, 1242620, 1, ... 156, {364, 564}, ) == 0x0
 01369   396   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 368, 396, 1511, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ... {168, 196, reply, 0, 368, 396, 1511, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 368, 396, 1511, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ) == 0x0
 01370   396   NtResumeThread  (156, ... 1, ) == 0x0
 01371   396   NtClose  (100, ... ) == 0x0
 01372   396   NtClose  (140, ... ) == 0x0
 01373   396   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=368,}, 0x0, ) == 0x0
 01374   396   NtUserWaitForInputIdle  (364, 30000, 0, ...
 01375   396   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 01376   396   NtClose  (140, ... ) == 0x0
 01374   396   NtUserWaitForInputIdle  ... ) == 0x0
 01377   396   NtClose  (152, ... ) == 0x0
 01378   396   NtClose  (156, ... ) == 0x0
 01379   396   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 01380   396   NtTerminateProcess  (0, 0, ... ) == 0x0
 01381   396   NtQueryVirtualMemory  (-1, 0x896d20, Basic, 28, ... {BaseAddress=0x896000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01382   396   NtQueryVirtualMemory  (-1, 0x89762c, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x11000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01383   396   NtQueryVirtualMemory  (-1, 0x86cef4, Basic, 28, ... {BaseAddress=0x86c000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01384   396   NtGdiDeleteObjectApp  (302646283, ... ) == 0x1
 01385   396   NtGdiDeleteObjectApp  (285869068, ... ) == 0x1
 01386   396   NtGdiDeleteObjectApp  (369755135, ... ) == 0x1
 01387   396   NtUserDestroyCursor  (196765, 1, ... ) == 0x1
 01388   396   NtUserDestroyCursor  (131231, 1, ... ) == 0x1
 01389   396   NtUserDestroyCursor  (196769, 1, ... ) == 0x1
 01390   396   NtUserDestroyCursor  (196771, 1, ... ) == 0x1
 01391   396   NtUserDestroyCursor  (196773, 1, ... ) == 0x1
 01392   396   NtUserDestroyCursor  (131181, 1, ... ) == 0x1
 01393   396   NtUserDestroyCursor  (131179, 1, ... ) == 0x1
 01394   396   NtUserFindExistingCursorIcon  (1243472, 1243488, 1244056, ... ) == 0x10011
 01395   396   NtDeleteAtom  (49180, ... ) == 0x0
 01396   396   NtDeleteAtom  (49181, ... ) == 0x0
 01397   396   NtGdiDeleteObjectApp  (369623938, ... ) == 0x1
 01398   396   NtClose  (96, ... ) == 0x0
 01399   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01400   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b
 01401   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01402   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d
 01403   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01404   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f
 01405   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01406   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc041
 01407   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01408   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc043
 01409   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01410   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc045
 01411   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01412   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc047
 01413   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01414   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc049
 01415   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01416   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b
 01417   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01418   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d
 01419   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01420   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f
 01421   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01422   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc051
 01423   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01424   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc053
 01425   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01426   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc057
 01427   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01428   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc059
 01429   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01430   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b
 01431   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01432   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d
 01433   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01434   396   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05f
 01435   396   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01436   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b
 01437   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01438   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d
 01439   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01440   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f
 01441   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01442   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc041
 01443   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01444   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc043
 01445   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01446   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc045
 01447   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01448   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc047
 01449   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01450   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc049
 01451   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01452   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b
 01453   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01454   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d
 01455   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01456   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f
 01457   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01458   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc051
 01459   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01460   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc053
 01461   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01462   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc057
 01463   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01464   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc059
 01465   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01466   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b
 01467   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01468   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d
 01469   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01470   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05f
 01471   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01472   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc017
 01473   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01474   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc019
 01475   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01476   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc018
 01477   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01478   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01a
 01479   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01480   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01c
 01481   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01482   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01e
 01483   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01484   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01b
 01485   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01486   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc068
 01487   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01488   396   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc06a
 01489   396   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01490   396   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01491   396   NtClose  (76, ... ) == 0x0
 01492   396   NtClose  (64, ... ) == 0x0
 01493   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01494   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01495   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01496   396   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01497   396   NtFreeVirtualMemory  (-1, (0xa00000), 4096, 32768, ... (0xa00000), 4096, ) == 0x0
 01498   396   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 368, 396, 3419, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 368, 396, 3419, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 368, 396, 3419, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01499   396   NtTerminateProcess  (-1, 0, ...
 01500   396   NtClose  (44, ... ) == 0x0