Summary:


NtAdjustPrivilegesToken(>)  1 
NtOpenMutant(>)  2 
NtGdiCreateDIBitmapInternal(>)  7 
NtCreateFile(>)  15 

NtCallbackReturn(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtGdiGetDCObject(>)  7 
NtCreateEvent(>)  16 

NtCreateMutant(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtQueryDirectoryFile(>)  16 

NtCreateProcessEx(>)  1 
NtReadVirtualMemory(>)  2 
NtGdiGetStockObject(>)  7 
NtGdiDeleteObjectApp(>)  18 

NtDelayExecution(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtGdiRestoreDC(>)  7 
NtReadFile(>)  20 

NtEnumerateValueKey(>)  1 
NtReleaseMutant(>)  2 
NtGdiSaveDC(>)  7 
NtUserCallOneParam(>)  20 

NtGdiCreatePaletteInternal(>)  1 
NtResumeThread(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtCreateSection(>)  21 

NtGdiInit(>)  1 
NtSetEventBoostPriority(>)  2 
NtQueryVolumeInformationFile(>)  7 
NtQueryInformationProcess(>)  21 

NtGdiQueryFontAssocInfo(>)  1 
NtTestAlert(>)  2 
NtSetInformationProcess(>)  7 
NtWriteFile(>)  24 

NtNotifyChangeKey(>)  1 
NtUserWaitForInputIdle(>)  2 
NtUserDestroyCursor(>)  7 
NtOpenSection(>)  25 

NtOpenEvent(>)  1 
NtAddAtom(>)  3 
NtUserSetCursorIconData(>)  7 
NtOpenProcessTokenEx(>)  27 

NtOpenKeyedEvent(>)  1 
NtContinue(>)  3 
NtEnumerateKey(>)  8 
NtOpenThreadTokenEx(>)  27 

NtOpenProcess(>)  1 
NtGdiHfontCreate(>)  3 
NtGdiCreateBitmap(>)  8 
NtQuerySystemInformation(>)  31 

NtQueryInformationJobObject(>)  1 
NtQueryPerformanceCounter(>)  3 
NtQueryDefaultUILanguage(>)  8 
NtQueryAttributesFile(>)  33 

NtQueryInformationThread(>)  1 
NtSetInformationObject(>)  3 
NtQuerySection(>)  9 
NtQueryInformationToken(>)  34 

NtQueryInstallUILanguage(>)  1 
NtTerminateProcess(>)  3 
NtSetInformationThread(>)  9 
NtOpenFile(>)  38 

NtQueryObject(>)  1 
NtWaitForMultipleObjects(>)  3 
NtGdiCreateCompatibleDC(>)  10 
NtMapViewOfSection(>)  41 

NtQuerySystemTime(>)  1 
NtCreateSemaphore(>)  4 
NtGdiExtGetObjectW(>)  10 
NtUserGetAtomName(>)  47 

NtSecureConnectPort(>)  1 
NtDuplicateObject(>)  4 
NtOpenProcessToken(>)  10 
NtUserUnregisterClass(>)  47 

NtUserCallNoParam(>)  1 
NtFreeVirtualMemory(>)  4 
NtQueryDebugFilterState(>)  10 
NtAllocateVirtualMemory(>)  51 

NtUserEnumDisplayMonitors(>)  1 
NtFsControlFile(>)  4 
NtQueryVirtualMemory(>)  10 
NtGdiSelectBitmap(>)  57 

NtUserGetKeyboardLayoutList(>)  1 
NtWaitForSingleObject(>)  4 
NtRequestWaitReplyPort(>)  11 
NtUserRegisterClassExWOW(>)  61 

NtUserGetThreadDesktop(>)  1 
NtWriteVirtualMemory(>)  4 
NtUserGetDC(>)  11 
NtUserFindExistingCursorIcon(>)  74 

NtUserSetWindowsHookEx(>)  1 
NtAccessCheck(>)  5 
NtDeviceIoControlFile(>)  12 
NtQueryValueKey(>)  77 

NtCreateIoCompletion(>)  2 
NtOpenThreadToken(>)  5 
NtSetInformationFile(>)  12 
NtFlushInstructionCache(>)  87 

NtCreateThread(>)  2 
NtSetEvent(>)  5 
NtQueryDefaultLocale(>)  14 
NtOpenKey(>)  147 

NtDeleteAtom(>)  2 
NtUserRegisterWindowMessage(>)  5 
NtQueryInformationFile(>)  14 
NtProtectVirtualMemory(>)  174 

NtDuplicateToken(>)  2 
NtCreateKey(>)  6 
NtUnmapViewOfSection(>)  14 
NtClose(>)  208 

NtGdiCreateSolidBrush(>)  2 
NtSetValueKey(>)  6 
NtUserSelectPalette(>)  14 

NtOpenDirectoryObject(>)  2 
NtGdiBitBlt(>)  7 

Trace:
 00001   940   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   940   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   940   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   940   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   940   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   940   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   940   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   940   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   940   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   940   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   940   NtClose  (12, ... ) == 0x0
 00015   940   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   940   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   940   NtClose  (16, ... ) == 0x0
 00021   940   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   940   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   940   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   940   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   940   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   940   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   940   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   940   NtClose  (16, ... ) == 0x0
 00030   940   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   940   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   940   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   940   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   940   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1628, 940, 57936, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1628, 940, 57936, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1628, 940, 57936, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   940   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   940   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   940   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   940   NtClose  (16, ... ) == 0x0
 00041   940   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   940   NtClose  (16, ... ) == 0x0
 00044   940   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   940   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   940   NtClose  (16, ... ) == 0x0
 00048   940   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   940   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   940   NtClose  (16, ... ) == 0x0
 00052   940   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   940   NtClose  (16, ... ) == 0x0
 00055   940   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   940   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   940   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   940   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   940   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1628, 940, 57937, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1628, 940, 57937, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1628, 940, 57937, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   940   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1628, 940, 57938, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1628, 940, 57938, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1628, 940, 57938, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 128, ) == 0x0
 00062   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 128, ... (0x31428000), 8192, 4, ) == 0x0
 00063   940   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00064   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00065   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00066   940   NtClose  (16, ... ) == 0x0
 00067   940   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00068   940   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00069   940   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00070   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00071   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00072   940   NtClose  (16, ... ) == 0x0
 00073   940   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00074   940   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00075   940   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00076   940   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00077   940   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00078   940   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00079   940   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00080   940   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00081   940   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00082   940   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00083   940   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00084   940   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00085   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00086   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00087   940   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00088   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00089   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00090   940   NtClose  (16, ... ) == 0x0
 00091   940   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00092   940   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00093   940   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00094   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00095   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00096   940   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00097   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00098   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00099   940   NtClose  (16, ... ) == 0x0
 00100   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00101   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00102   940   NtClose  (16, ... ) == 0x0
 00103   940   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00104   940   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00105   940   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00106   940   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00107   940   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00108   940   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00109   940   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00110   940   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00111   940   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00112   940   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00113   940   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00114   940   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00115   940   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00116   940   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00117   940   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00118   940   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00119   940   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00120   940   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00121   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00122   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00123   940   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00124   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00125   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 00126   940   NtClose  (16, ... ) == 0x0
 00127   940   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00128   940   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00129   940   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00130   940   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00131   940   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00132   940   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00133   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00134   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00135   940   NtClose  (16, ... ) == 0x0
 00136   940   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00137   940   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00138   940   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00139   940   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00140   940   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00141   940   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00142   940   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00143   940   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00144   940   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00145   940   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00146   940   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00147   940   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00148   940   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00149   940   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00150   940   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00151   940   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00152   940   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00153   940   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00154   940   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00155   940   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00156   940   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00157   940   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00158   940   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00159   940   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00160   940   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00161   940   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00162   940   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00163   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00164   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x400000), 0x0, 36864, ) == 0x0
 00165   940   NtClose  (16, ... ) == 0x0
 00166   940   NtProtectVirtualMemory  (-1, (0x401000), 160, 4, ... (0x401000), 4096, 32, ) == 0x0
 00167   940   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00168   940   NtFlushInstructionCache  (-1, 4198400, 160, ... ) == 0x0
 00169   940   NtProtectVirtualMemory  (-1, (0x401000), 160, 4, ... (0x401000), 4096, 32, ) == 0x0
 00170   940   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00171   940   NtFlushInstructionCache  (-1, 4198400, 160, ... ) == 0x0
 00172   940   NtProtectVirtualMemory  (-1, (0x401000), 160, 4, ... (0x401000), 4096, 32, ) == 0x0
 00173   940   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00174   940   NtFlushInstructionCache  (-1, 4198400, 160, ... ) == 0x0
 00175   940   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00176   940   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00177   940   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00178   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00179   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 00180   940   NtClose  (16, ... ) == 0x0
 00181   940   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00182   940   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00183   940   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00184   940   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00185   940   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00186   940   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00187   940   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00188   940   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00189   940   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00190   940   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00191   940   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00192   940   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00193   940   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00194   940   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00195   940   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00196   940   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00197   940   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00198   940   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00199   940   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00200   940   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00201   940   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00202   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00203   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00204   940   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00205   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   940   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00207   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   940   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00209   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00210   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00211   940   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00212   940   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00213   940   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00214   940   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00215   940   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00217   940   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00218   940   NtClose  (36, ... ) == 0x0
 00219   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00220   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00221   940   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00222   940   NtClose  (36, ... ) == 0x0
 00223   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00224   940   NtClose  (32, ... ) == 0x0
 00225   940   NtClose  (16, ... ) == 0x0
 00226   940   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00227   940   NtClose  (28, ... ) == 0x0
 00228   940   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00229   940   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00230   940   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00231   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00232   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00234   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00235   940   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00236   940   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00237   940   NtClose  (28, ... ) == 0x0
 00238   940   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00239   940   NtClose  (16, ... ) == 0x0
 00240   940   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00241   940   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00242   940   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00243   940   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00244   940   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00245   940   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00246   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00247   940   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00248   940   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00249   940   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00250   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00251   940   NtReadFile  (16, 0, 0, 0, 4, {187348, 0}, 0, ... {status=0x0, info=4},  (16, 0, 0, 0, 4, {187348, 0}, 0, ... {status=0x0, info=4}, "Y\240\6\0", ) , ) == 0x0
 00252   940   NtClose  (16, ... ) == 0x0
 00253   940   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00254   940   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00255   940   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00256   940   NtClose  (16, ... ) == 0x0
 00257   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00258   940   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00259   940   NtClose  (16, ... ) == 0x0
 00260   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00261   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00263   940   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00264   940   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00265   940   NtClose  (16, ... ) == 0x0
 00266   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00267   940   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00268   940   NtClose  (16, ... ) == 0x0
 00269   940   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00270   940   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00271   940   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00274   940   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00275   940   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00276   940   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00277   940   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00278   940   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0
 00279   940   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00280   940   NtClose  (28, ... ) == 0x0
 00281   940   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00282   940   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00283   940   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00284   940   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00285   940   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00286   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00287   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00289   940   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6\31\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1628, 940, 57939, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1628, 940, 57939, 0}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6\31\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1628, 940, 57939, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00290   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00291   940   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   940   NtClose  (28, ... ) == 0x0
 00293   940   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00294   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00295   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00296   940   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00297   940   NtClose  (28, ... ) == 0x0
 00298   940   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00299   940   NtClose  (32, ... ) == 0x0
 00300   940   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00301   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00302   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00303   940   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00304   940   NtClose  (32, ... ) == 0x0
 00305   940   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00306   940   NtClose  (28, ... ) == 0x0
 00307   940   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00308   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00309   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00310   940   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00311   940   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00312   940   NtClose  (28, ... ) == 0x0
 00313   940   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00314   940   NtClose  (32, ... ) == 0x0
 00315   940   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00316   940   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00317   940   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00318   940   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00319   940   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00320   940   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00321   940   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00322   940   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00323   940   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00324   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00325   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00326   940   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00327   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00328   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00330   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00331   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00332   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00333   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00336   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00337   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00338   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00339   940   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   940   NtClose  (32, ... ) == 0x0
 00341   940   NtMapViewOfSection  (-2147482584, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4e0000), 0x0, 1060864, ) == 0x0
 00342   940   NtClose  (-2147482584, ... ) == 0x0
 00343   940   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00344   940   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00345   940   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482584, ) == 0x0
 00346   940   NtQueryInformationToken  (-2147482584, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00347   940   NtQueryInformationToken  (-2147482584, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00348   940   NtClose  (-2147482584, ... ) == 0x0
 00349   940   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00350   940   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00351   940   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00352   940   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00353   940   NtQueryValueKey  (-2147482584,  (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00354   940   NtClose  (-2147482584, ... ) == 0x0
 00355   940   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00356   940   NtQueryValueKey  (-2147482584,  (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00357   940   NtClose  (-2147482584, ... ) == 0x0
 00358   940   NtQueryDefaultLocale  (0, -139609780, ... ) == 0x0
 00359   940   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00360   940   NtUserCallNoParam  (24, ... ) == 0x0
 00361   940   NtGdiCreateCompatibleDC  (0, ...
 00362   940   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00361   940   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00363   940   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00364   940   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00365   940   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00366   940   NtGdiCreateSolidBrush  (0, 0, ...
 00367   940   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00366   940   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00368   940   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00369   940   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00370   940   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00371   940   NtUserGetThreadDesktop  (940, 0, ... ) == 0x24
 00372   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00373   940   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00374   940   NtClose  (44, ... ) == 0x0
 00375   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00376   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x81b1c017
 00377   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00378   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x81b1c01c
 00379   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00380   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x81b1c01e
 00381   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00382   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81b18002
 00383   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00384   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x81b1c018
 00385   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00386   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x81b1c01a
 00387   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00388   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x81b1c01d
 00389   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00390   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x81b1c026
 00391   940   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00392   940   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x81b1c019
 00393   940   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x81b1c020
 00394   940   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x81b1c022
 00395   940   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x81b1c023
 00396   940   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x81b1c024
 00397   940   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x81b1c025
 00398   940   NtCallbackReturn  (0, 0, 0, ...
 00399   940   NtGdiInit  (... ) == 0x1
 00400   940   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00401   940   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00402   940   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403   940   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00404   940   NtCreateSemaphore  (0x1f0003, {24, 44, 0x80, 1329368, 0,  (0x1f0003, {24, 44, 0x80, 1329368, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 48, ) }, 0, 2147483647, ... 48, ) == STATUS_OBJECT_NAME_EXISTS
 00405   940   NtQueryPerformanceCounter  (... {933760481, 10}, {3579545, 0}, ) == 0x0
 00406   940   NtQueryPerformanceCounter  (... {933868905, 10}, {3579545, 0}, ) == 0x0
 00407   940   NtAllocateVirtualMemory  (-1, 1331200, 0, 8192, 4096, 4, ... 1331200, 8192, ) == 0x0
 00408   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00409   940   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9371648, 1048576, ) == 0x0
 00410   940   NtAllocateVirtualMemory  (-1, 9371648, 0, 4096, 4096, 4, ... 9371648, 4096, ) == 0x0
 00411   940   NtAllocateVirtualMemory  (-1, 9375744, 0, 8192, 4096, 4, ... 9375744, 8192, ) == 0x0
 00412   940   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00413   940   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1242800,  (0xc0100080, {24, 0, 0x40, 0, 1242800, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) == 0x0
 00414   940   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 60, ) == 0x0
 00415   940   NtDeviceIoControlFile  (56, 60, 0x0, 0x12f710, 0x22414c,  (56, 60, 0x0, 0x12f710, 0x22414c, "X\367\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 00416   940   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00417   940   NtQueryValueKey  (-2147482584,  (-2147482584, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   940   NtQueryValueKey  (-2147482584,  (-2147482584, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00419   940   NtClose  (-2147482584, ... ) == 0x0
 00420   940   NtClose  (1064, ... ) == 0x0
 00415   940   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\240\277)\342\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#7achePat\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00421   940   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243016,  (0xc0100080, {24, 0, 0x40, 0, 1243016, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) == 0x0
 00422   940   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0
 00423   940   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 76, ) == 0x0
 00424   940   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 80, ) == 0x0
 00425   940   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0
 00426   940   NtAllocateVirtualMemory  (-1, 9383936, 0, 8192, 4096, 4, ... 9383936, 8192, ) == 0x0
 00427   940   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10420224, 1048576, ) == 0x0
 00428   940   NtAllocateVirtualMemory  (-1, 11460608, 0, 8192, 4096, 4, ... 11460608, 8192, ) == 0x0
 00429   940   NtProtectVirtualMemory  (-1, (0xaee000), 4096, 260, ... (0xaee000), 4096, 4, ) == 0x0
 00430   940   NtCreateThread  (0x1f03ff, 0x0, -1, 1242100, 1242044, 1, ... 88, {1628, 776}, ) == 0x0
 00431   940   NtQueryInformationThread  (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffde000,Pid=1628,Tid=776,}, 0x0, ) == 0x0
 00432   940   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 9372024}  (24, {28, 56, new_msg, 0, 0, 0, 0, 9372024} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\\6\0\0\10\3\0\0" ... {28, 56, reply, 0, 1628, 940, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\\6\0\0\10\3\0\0" )  ... {28, 56, reply, 0, 1628, 940, 57947, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 9372024} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\\6\0\0\10\3\0\0" ... {28, 56, reply, 0, 1628, 940, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\\6\0\0\10\3\0\0" )  ) == 0x0
 00433   940   NtResumeThread  (88, ... 1, ) == 0x0
 00434   940   NtClose  (88, ... ) == 0x0
 00435   940   NtSetEvent  (72, ... 0x0, ) == 0x0
 00436   940   NtSetEvent  (52, ...
 00437   776   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 88, ) == 0x0
 00438   776   NtWaitForSingleObject  (88, 0, 0x0, ...
 00436   940   NtSetEvent  ... 0x0, ) == 0x0
 00439   940   NtClose  (52, ... ) == 0x0
 00440   940   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00441   940   NtAllocateVirtualMemory  (-1, 9392128, 0, 4096, 4096, 4, ... 9392128, 4096, ) == 0x0
 00442   940   NtDeviceIoControlFile  (56, 60, 0x0, 0x12f710, 0x22414c,  (56, 60, 0x0, 0x12f710, 0x22414c, "X\367\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 00443   940   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00444   940   NtQueryValueKey  (-2147482584,  (-2147482584, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00445   940   NtQueryValueKey  (-2147482584,  (-2147482584, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00446   940   NtClose  (-2147482584, ... ) == 0x0
 00447   940   NtClose  (1064, ... ) == 0x0
 00442   940   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\320\247\10\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\3449Path#5\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00448   940   NtSetEvent  (72, ... 0x0, ) == 0x0
 00449   940   NtSetEvent  (52, ... 0x0, ) == 0x0
 00450   940   NtClose  (52, ... ) == 0x0
 00451   940   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00452   940   NtOpenProcessToken  (-1, 0xa, ... 52, ) == 0x0
 00453   940   NtDuplicateToken  (52, 0xc, {24, 0, 0x0, 0, 1243284, 0x0}, 0, 2, ... 96, ) == 0x0
 00454   940   NtClose  (52, ... ) == 0x0
 00455   940   NtAccessCheck  (1335152, 96, 0x1, 1243360, 1243412, 56, 1243392, ... (0x1), ) == 0x0
 00456   940   NtClose  (96, ... ) == 0x0
 00457   940   NtQueryDefaultUILanguage  (1242164, ...
 00458   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00459   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482584, ) == 0x0
 00460   940   NtQueryInformationToken  (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00461   940   NtClose  (-2147482584, ... ) == 0x0
 00462   940   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00463   940   NtOpenKey  (0x80000000, {24, -2147482584, 0x240, 0, 0,  (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00464   940   NtOpenKey  (0x80000000, {24, -2147482584, 0x640, 0, 0,  (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0
 00465   940   NtQueryValueKey  (-2147481332,  (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00466   940   NtClose  (-2147481332, ... ) == 0x0
 00467   940   NtClose  (-2147482584, ... ) == 0x0
 00457   940   NtQueryDefaultUILanguage  ... ) == 0x0
 00468   940   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00469   940   NtQueryDefaultUILanguage  (2090319928, ...
 00470   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00471   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482584, ) == 0x0
 00472   940   NtQueryInformationToken  (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00473   940   NtClose  (-2147482584, ... ) == 0x0
 00474   940   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00475   940   NtOpenKey  (0x80000000, {24, -2147482584, 0x240, 0, 0,  (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00476   940   NtOpenKey  (0x80000000, {24, -2147482584, 0x640, 0, 0,  (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0
 00477   940   NtQueryValueKey  (-2147481332,  (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00478   940   NtClose  (-2147481332, ... ) == 0x0
 00479   940   NtClose  (-2147482584, ... ) == 0x0
 00469   940   NtQueryDefaultUILanguage  ... ) == 0x0
 00480   940   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00481   940   NtQueryDefaultLocale  (1, 1240260, ... ) == 0x0
 00482   940   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00483   940   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020}  (24, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 1628, 940, 57948, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1628, 940, 57948, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 1628, 940, 57948, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" )  ) == 0x0
 00484   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00485   940   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00486   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00487   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00488   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239488, ... ) }, 1239488, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00489   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00490   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00491   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00492   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239552, ... ) }, 1239552, ... ) == 0x0
 00493   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0
 00494   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00495   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00496   940   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0
 00497   940   NtClose  (52, ... ) == 0x0
 00498   940   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaf0000), 0x0, 1056768, ) == 0x0
 00499   940   NtClose  (100, ... ) == 0x0
 00500   940   NtUnmapViewOfSection  (-1, 0xaf0000, ... ) == 0x0
 00501   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00502   940   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 52, ) == 0x0
 00503   940   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00504   940   NtClose  (100, ... ) == 0x0
 00505   940   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00506   940   NtClose  (52, ... ) == 0x0
 00507   940   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00508   940   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00509   940   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00510   940   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00511   940   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00512   940   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00513   940   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00514   940   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00515   940   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00516   940   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00517   940   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00518   940   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00519   940   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00520   940   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00521   940   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00522   940   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00523   940   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00524   940   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00525   940   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00526   940   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00527   940   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00528   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00529   940   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1241032, ... ) , 42, 1241032, ... ) == 0x0
 00530   940   NtQueryDefaultUILanguage  (1239716, ...
 00531   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00532   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482584, ) == 0x0
 00533   940   NtQueryInformationToken  (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00534   940   NtClose  (-2147482584, ... ) == 0x0
 00535   940   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00536   940   NtOpenKey  (0x80000000, {24, -2147482584, 0x240, 0, 0,  (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00537   940   NtOpenKey  (0x80000000, {24, -2147482584, 0x640, 0, 0,  (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0
 00538   940   NtQueryValueKey  (-2147481332,  (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00539   940   NtClose  (-2147481332, ... ) == 0x0
 00540   940   NtClose  (-2147482584, ... ) == 0x0
 00530   940   NtQueryDefaultUILanguage  ... ) == 0x0
 00541   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238556, ... ) }, 1238556, ... ) == 0x0
 00542   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00543   940   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0
 00544   940   NtClose  (52, ... ) == 0x0
 00545   940   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0
 00546   940   NtClose  (100, ... ) == 0x0
 00547   940   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00548   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238152, ... ) }, 1238152, ... ) == 0x0
 00549   940   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238896,  (0x80100080, {24, 0, 0x40, 0, 1238896, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0
 00550   940   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 100, ... 52, ) == 0x0
 00551   940   NtClose  (100, ... ) == 0x0
 00552   940   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0
 00553   940   NtClose  (52, ... ) == 0x0
 00554   940   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00555   940   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00556   940   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 100, ) == 0x0
 00557   940   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0
 00558   940   NtQueryInformationFile  (52, 1238548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00559   940   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00560   940   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572}  (24, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1628, 940, 57949, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1628, 940, 57949, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1628, 940, 57949, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" )  ) == 0x0
 00561   940   NtClose  (52, ... ) == 0x0
 00562   940   NtClose  (100, ... ) == 0x0
 00563   940   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00564   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00565   940   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00566   940   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00567   940   NtUserGetDC  (0, ... ) == 0x1010051
 00568   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00569   940   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 00570   940   NtUserSystemParametersInfo  (66, 12, 1240548, 0, ... ) == 0x1
 00571   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00572   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00573   940   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00574   940   NtClose  (100, ... ) == 0x0
 00575   940   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00576   940   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00577   940   NtAccessCheck  (1335152, 52, 0x1, 1240380, 1240432, 56, 1240412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00578   940   NtClose  (52, ... ) == 0x0
 00579   940   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00580   940   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00581   940   NtClose  (52, ... ) == 0x0
 00582   940   NtUserSystemParametersInfo  (41, 500, 1240576, 0, ... ) == 0x1
 00583   940   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00584   940   NtAccessCheck  (1335152, 52, 0x1, 1240380, 1240432, 56, 1240412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00585   940   NtClose  (52, ... ) == 0x0
 00586   940   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00587   940   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00588   940   NtClose  (52, ... ) == 0x0
 00589   940   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 00590   940   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 00591   940   NtClose  (100, ... ) == 0x0
 00592   940   NtUserSystemParametersInfo  (4130, 0, 1241080, 0, ... ) == 0x1
 00593   940   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 100, ) }, ... 100, ) == 0x0
 00594   940   NtEnumerateValueKey  (100, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00595   940   NtClose  (100, ... ) == 0x0
 00596   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00597   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c03b
 00598   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c03d
 00599   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00600   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c03f
 00601   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00602   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c041
 00603   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00604   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c043
 00605   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c045
 00606   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00607   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c047
 00608   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00609   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c049
 00610   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00611   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c04b
 00612   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00613   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c04d
 00614   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00615   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c04f
 00616   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c051
 00617   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00618   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c053
 00619   940   NtUserFindExistingCursorIcon  (1240324, 1240340, 1240388, ... ) == 0x10011
 00620   940   NtUserRegisterClassExWOW  (1240268, 1240336, 1240352, 1240368, 0, 384, 0, ... ) == 0x81b1c055
 00621   940   NtUserFindExistingCursorIcon  (1240324, 1240340, 1240388, ... ) == 0x10011
 00622   940   NtUserRegisterClassExWOW  (1240268, 1240336, 1240352, 1240368, 0, 384, 0, ... ) == 0x81b1c057
 00623   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00624   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c059
 00625   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10013
 00626   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c05b
 00627   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00628   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c05d
 00629   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00630   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c05f
 00631   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00632   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c017
 00633   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00634   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c019
 00635   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10013
 00636   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c018
 00637   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00638   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c01a
 00639   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00640   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c01c
 00641   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00642   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c01e
 00643   940   NtUserFindExistingCursorIcon  (1240320, 1240336, 1240384, ... ) == 0x10011
 00644   940   NtUserRegisterClassExWOW  (1240320, 1240388, 1240404, 1240420, 0, 384, 0, ... ) == 0x81b1c01b
 00645   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00646   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c068
 00647   940   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00648   940   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x81b1c06a
 00649   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00650   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00651   940   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00652   940   NtClose  (100, ... ) == 0x0
 00653   940   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00654   940   NtSetInformationObject  (100, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00655   940   NtCreateKey  (0x2001f, {24, 100, 0x40, 0, 0,  (0x2001f, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 52, 2, ) }, 0, 0x0, 0, ... 52, 2, ) == 0x0
 00656   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00657   940   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00658   940   NtSetEventBoostPriority  (88, ...
 00438   776   NtWaitForSingleObject  ... ) == 0x0
 00659   776   NtTestAlert  (... ) == 0x0
 00660   776   NtContinue  (11468080, 1, ...
 00661   776   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00662   776   NtDeviceIoControlFile  (68, 80, 0x0, 0x77e466a0, 0x228144,  (68, 80, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0\\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 00658   940   NtSetEventBoostPriority  ... ) == 0x0
 00663   940   NtTestAlert  (... ) == 0x0
 00664   940   NtContinue  (1244464, 1, ...
 00665   940   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3142a000,}, 4, ... ) == 0x0
 00666   940   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 104, ) }, ... 104, ) == 0x0
 00667   940   NtQueryValueKey  (104,  (104, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   940   NtClose  (104, ...
 00669   776   NtWaitForMultipleObjects  (2, (72, 80, ), 1, 1, {1294967296, -1}, ... ) == 0x0
 00670   776   NtDeviceIoControlFile  (68, 84, 0x0, 0x77e46680, 0x228144,  (68, 84, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0\\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 00671   776   NtWaitForMultipleObjects  (2, (72, 84, ), 1, 1, {1294967296, -1}, ...
 00668   940   NtClose  ... ) == 0x0
 00672   940   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00673   940   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 00674   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp"}, 1233816, ... ) }, 1233816, ... ) == 0x0
 00675   940   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893}  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\0\0\0\0$\206\0\0\2\0\0\0" ... {20, 48, reply, 0, 1628, 940, 57950, 0} "\0\0\0\0\2\0\1\0\2\0\0\0$\206\0\0\2\0\0\0" )  ... {20, 48, reply, 0, 1628, 940, 57950, 0}  (24, {20, 48, new_msg, 0, 1234168, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\0\0\0\0$\206\0\0\2\0\0\0" ... {20, 48, reply, 0, 1628, 940, 57950, 0} "\0\0\0\0\2\0\1\0\2\0\0\0$\206\0\0\2\0\0\0" )  ) == 0x0
 00676   940   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233824,  (0x80100080, {24, 0, 0x40, 0, 1233824, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ...
 00677   940   NtQueryDirectoryFile  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00678   940   NtClose  (-2147482584, ... ) == 0x0
 00679   940   NtQueryDirectoryFile  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00680   940   NtClose  (-2147482584, ... ) == 0x0
 00681   940   NtQueryDirectoryFile  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00682   940   NtClose  (-2147482584, ... ) == 0x0
 00676   940   NtCreateFile  ... 108, {status=0x0, info=2}, ) == 0x0
 00683   940   NtClose  (108, ... ) == 0x0
 00684   940   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00685   940   NtClose  (-2147482584, ... ) == 0x0
 00686   940   NtQueryDirectoryFile  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0
 00687   940   NtClose  (-2147482584, ... ) == 0x0
 00688   940   NtQueryDirectoryFile  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00689   940   NtClose  (-2147482584, ... ) == 0x0
 00690   940   NtQueryDirectoryFile  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1,  (-2147482584, 0, 0, 0, -519819264, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0
 00691   940   NtClose  (-2147482584, ... ) == 0x0
 00684   940   NtCreateFile  ... 108, {status=0x0, info=3}, ) == 0x0
 00692   940   NtSetInformationFile  (104, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00693   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\24\372V\0[\240\6\0]\240\11\0\246_\6\0\341\240\6\0Y\240\6\0\31\240\34\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\242\6\0\343\260\6\16F\24\17\315x\30\7L\224\201\226\220\15\310osy\320to>\322gmy\315ss-\200dey\322sny\325hd<\322&W0\31652T\252"7Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0", ) 7Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0", ) == 0x0
 00694   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... , 10240, 0x0, 0, ...
 00695   940   NtContinue  (-139612716, 0, ...
 00694   940   NtWriteFile  ... {status=0x0, info=10240}, ) == 0x0
 00696   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\14\2500\346\234KE6\322\177,\371\315g\10i\243\207\7\221h`\331;`G\304\221\343\316<[\354t\334\261QlD3\300W\271]\273z\377\177b^}\334\17\10D\2\10\316\270\321\361y\300?+V\1\116mg8\242F\315%\237\7\2\347\344+\32\332b\3R\254\225W\21\323y5ey\20\254K'\310E,\261\2\324\305Z\231\356\353\7\367\332\200^'\206\302\216\253qCu\261$\301H\240\14^\4\334\108\241\3371\4\273\20\31\3110\336\225\342\22V\12\365\267\215Q\26\250b\203\311\244\16#\225r*\210if}\22\30\256\347\311\241\346.I\275\226\35\37]o\366f\211\\2623_c\347\15h"\3764\207\314D\266\11\304\366Xg\226\324 \235\222AW\221$\316\257\25\216wP\260\344\6(X|\206\24\332\232,\12)\245\3\342\13\320\12\261\360\324<\177\320\250\10\17\324s\310\34&\23\212\204m\352\10\237\240a)\332\231\376\251\242\204\314\232\33\343?RC\340Q\344\311\2267\15\322\3412\324\360\11\313\\20\265\3-\225\204\236\365\31\255T\314\113\206\221\3642\350\334\300q"\370\374\335Su\231+[\304\222\371\220\357\325c\256\306\365\20\262F\11\256\347\224ahU\1\307\101\225\177t.\217\352\23\303\223\257\232!\250\370\240\270m6\230\205x\1\3156\213\355+LXt\204\1\220&h&^@C-\227M_\371\12u\330:\231x\270b\360\2151~]d\216\245\261\215\305\341\354X{\12pS~\365P>\303\316\266G\342%\350 H\1550\26\342&\275\370\11\11\204}6\2[\300F\3\313\350\256\211\33\370=2}\373\341\324\215\363\245\17\335\261\264\1\265\277\267\22=\350\316\324^d\\274<\11\341$R\253\35a\337l\200[\365P\333\17", ) \3764\207\314D\266\11\304\366Xg\226\324 \235\222AW\221$\316\257\25\216wP\260\344\6(X|\206\24\332\232,\12)\245\3\342\13\320\12\261\360\324<\177\320\250\10\17\324s\310\34&\23\212\204m\352\10\237\240a)\332\231\376\251\242\204\314\232\33\343?RC\340Q\344\311\2267\15\322\3412\324\360\11\313\\20\265\3-\225\204\236\365\31\255T\314\113\206\221\3642\350\334\300q (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\14\2500\346\234KE6\322\177,\371\315g\10i\243\207\7\221h`\331;`G\304\221\343\316<[\354t\334\261QlD3\300W\271]\273z\377\177b^}\334\17\10D\2\10\316\270\321\361y\300?+V\1\116mg8\242F\315%\237\7\2\347\344+\32\332b\3R\254\225W\21\323y5ey\20\254K'\310E,\261\2\324\305Z\231\356\353\7\367\332\200^'\206\302\216\253qCu\261$\301H\240\14^\4\334\108\241\3371\4\273\20\31\3110\336\225\342\22V\12\365\267\215Q\26\250b\203\311\244\16#\225r*\210if}\22\30\256\347\311\241\346.I\275\226\35\37]o\366f\211\\2623_c\347\15h"\3764\207\314D\266\11\304\366Xg\226\324 \235\222AW\221$\316\257\25\216wP\260\344\6(X|\206\24\332\232,\12)\245\3\342\13\320\12\261\360\324<\177\320\250\10\17\324s\310\34&\23\212\204m\352\10\237\240a)\332\231\376\251\242\204\314\232\33\343?RC\340Q\344\311\2267\15\322\3412\324\360\11\313\\20\265\3-\225\204\236\365\31\255T\314\113\206\221\3642\350\334\300q"\370\374\335Su\231+[\304\222\371\220\357\325c\256\306\365\20\262F\11\256\347\224ahU\1\307\101\225\177t.\217\352\23\303\223\257\232!\250\370\240\270m6\230\205x\1\3156\213\355+LXt\204\1\220&h&^@C-\227M_\371\12u\330:\231x\270b\360\2151~]d\216\245\261\215\305\341\354X{\12pS~\365P>\303\316\266G\342%\350 H\1550\26\342&\275\370\11\11\204}6\2[\300F\3\313\350\256\211\33\370=2}\373\341\324\215\363\245\17\335\261\264\1\265\277\267\22=\350\316\324^d\\274<\11\341$R\253\35a\337l\200[\365P\333\17", ) , ) == 0x0
 00697   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00698   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\216b\15X\341\262\23wh\252\12H\212\355\305\30\236J\340\14\5\264HY\13\224\345\351%\261}A\344F\221\2740cZ=\374^YW\373\234\0\13\353eT\11\304?dB\302\226=\300\227\345\311\305l!5\310W\226\326t\14-\320*\35\220\300\315z%\225~@s!\236CI\334\34\301&%\222\235\302\300a\20\367\320\275\363`\13P%K(\129r$\26\274^+\2009\303\341\212\14\321\317F\323\246W,\276q*A\10cpr9\257\346\2753\363\351\323\256\301|Q\4\240\314C]\356\244@4\252\346\31\306\357\342\22\270\367L\22\5U\356\3>]7LVi\326\244\310\263&;\366\\253\206K\31\370\305\13\313'S?R\320\305k\366\215\355\221\345D\316\257mh\7\367X\216\376\27\275\346gl*'h\31\275#UT+\325c\1w\243\216\46U7\322\323\360\20DI\2421\304\334\336\215wb\221\317\212\21\343B\10\245_D\267\6\240\16\215,\257\215|Q\2477\300\323\256=J\245\325\261~\370\373\210\SR\32\16\257c\331\237\20\325\344o\2\13\367\371N\340"\16X\231\376~\204\5a\5td=\200a\207\11M]\373\375\302+D\203\2576\27\271\202-\17\217\321P\301\15\212\36*,\201\251\362\350\356\270_\331\177\202*^c\315*X\12\334\373Uo5\334\30\13O\270\211\36T\231\362\355T^^\32\331G\3319\222\\261\0\26\261\36\33,L\353\355o\242\267 \316K\316?\331E\331:\357`\353\355CK\344\35\323\314\34\2215\270D\305\313_\304\11\241GMu\251/\245:\322\237\265\4\331\237\3\266\4\3\1\203\210\357\7\267VR\371\255\363\27L\20#\247\370\261+\253q\15V\37\317\3\23|\254\5eg\371\321\327z\371B\274.?\1", ) \16X\231\376~\204\5a\5td=\200a\207\11M]\373\375\302+D\203\2576\27\271\202-\17\217\321P\301\15\212\36*,\201\251\362\350\356\270_\331\177\202*^c\315*X\12\334\373Uo5\334\30\13O\270\211\36T\231\362\355T^^\32\331G\3319\222\\261\0\26\261\36\33,L\353\355o\242\267 \316K\316?\331E\331:\357`\353\355CK\344\35\323\314\34\2215\270D\305\313_\304\11\241GMu\251/\245:\322\237\265\4\331\237\3\266\4\3\1\203\210\357\7\267VR\371\255\363\27L\20#\247\370\261+\253q\15V\37\317\3\23|\254\5eg\371\321\327z\371B\274.?\1", ) == 0x0
 00699   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00700   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\317K\373\265\331w\252f\12)\203\6O \214\265.f\203\227&\256q\21?\37\262\22\14\254c\211P\0_\6\352gg\35i\34\32\210\355\333\231\240\323-\223>S\240\262\274>\216A\263(\212\3060@\371\2354Xg\4\316\335\2Y\271\32072tQ\372\2\310\304$\220\244r~\367t:\373U\364\14\362"\361\14\250T"\36 \3005\321,C\13\21"\255\200\367*\12&p 7\254dD\355\12D\253q\266\257&\373\13\26*S\373N\361Cvl\306\307ii!\3421\236\374p\214|\330*\2S\340\204\32\335\253\376B\376\266\206{l\26\26\31\227>v\353^\204\322\350j \220t\332\342!!1\371F{\312\242\213\5MF\305\377t\215\352N?\1\221\360?\7&\364L&\246\266\215\252\362\364\211j\26\240{\360\266\326ty\1C\245\355i\0b\360:/u\201%\207I\327:8B\322\316\310e\230:8p\201 \205\376GI\210^{=w\2\256\222\341X\254\246\346\230=\6\233Q\332\0\243B\242(,\234gP\272\363\221\20z\257b\26\360\10-\224`\332\266\22\310\275\374\224\246\371\23IX\251K\32\30\5\0\255a\221\23\26\35jiR\17\316*\35\0\336L\36\1\233\320\337\22\373\256\305^f\241\364\204\2'-\271\14^\362\15\354V\2\322$VC\376.\366\336\353s\261*\332[\346\372\26\207\3355:e\335\15`\315\271L\33W:nO\310\344[\25Q\204$\16X\274G\34097d\364\32*\24\20\255\372\240\266_\251i\21\241P\252\0A@\2Uw\251/*P\244\241\26Q\360j\253\345T\25\4\222(!\247\33\246,H\2618\3659\200\356\263j\254\246\366\354\267\313T\321\212\340\376\234\233\2422\0\12\327x\350&\320m\330\365\260\31\322\241\365[8", ) \361\14\250T (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\317K\373\265\331w\252f\12)\203\6O \214\265.f\203\227&\256q\21?\37\262\22\14\254c\211P\0_\6\352gg\35i\34\32\210\355\333\231\240\323-\223>S\240\262\274>\216A\263(\212\3060@\371\2354Xg\4\316\335\2Y\271\32072tQ\372\2\310\304$\220\244r~\367t:\373U\364\14\362"\361\14\250T"\36 \3005\321,C\13\21"\255\200\367*\12&p 7\254dD\355\12D\253q\266\257&\373\13\26*S\373N\361Cvl\306\307ii!\3421\236\374p\214|\330*\2S\340\204\32\335\253\376B\376\266\206{l\26\26\31\227>v\353^\204\322\350j \220t\332\342!!1\371F{\312\242\213\5MF\305\377t\215\352N?\1\221\360?\7&\364L&\246\266\215\252\362\364\211j\26\240{\360\266\326ty\1C\245\355i\0b\360:/u\201%\207I\327:8B\322\316\310e\230:8p\201 \205\376GI\210^{=w\2\256\222\341X\254\246\346\230=\6\233Q\332\0\243B\242(,\234gP\272\363\221\20z\257b\26\360\10-\224`\332\266\22\310\275\374\224\246\371\23IX\251K\32\30\5\0\255a\221\23\26\35jiR\17\316*\35\0\336L\36\1\233\320\337\22\373\256\305^f\241\364\204\2'-\271\14^\362\15\354V\2\322$VC\376.\366\336\353s\261*\332[\346\372\26\207\3355:e\335\15`\315\271L\33W:nO\310\344[\25Q\204$\16X\274G\34097d\364\32*\24\20\255\372\240\266_\251i\21\241P\252\0A@\2Uw\251/*P\244\241\26Q\360j\253\345T\25\4\222(!\247\33\246,H\2618\3659\200\356\263j\254\246\366\354\267\313T\321\212\340\376\234\233\2422\0\12\327x\350&\320m\330\365\260\31\322\241\365[8", ) \255\200\367*\12&p 7\254dD\355\12D\253q\266\257&\373\13\26*S\373N\361Cvl\306\307ii!\3421\236\374p\214|\330*\2S\340\204\32\335\253\376B\376\266\206{l\26\26\31\227>v\353^\204\322\350j \220t\332\342!!1\371F{\312\242\213\5MF\305\377t\215\352N?\1\221\360?\7&\364L&\246\266\215\252\362\364\211j\26\240{\360\266\326ty\1C\245\355i\0b\360:/u\201%\207I\327:8B\322\316\310e\230:8p\201 \205\376GI\210^{=w\2\256\222\341X\254\246\346\230=\6\233Q\332\0\243B\242(,\234gP\272\363\221\20z\257b\26\360\10-\224`\332\266\22\310\275\374\224\246\371\23IX\251K\32\30\5\0\255a\221\23\26\35jiR\17\316*\35\0\336L\36\1\233\320\337\22\373\256\305^f\241\364\204\2'-\271\14^\362\15\354V\2\322$VC\376.\366\336\353s\261*\332[\346\372\26\207\3355:e\335\15`\315\271L\33W:nO\310\344[\25Q\204$\16X\274G\34097d\364\32*\24\20\255\372\240\266_\251i\21\241P\252\0A@\2Uw\251/*P\244\241\26Q\360j\253\345T\25\4\222(!\247\33\246,H\2618\3659\200\356\263j\254\246\366\354\267\313T\321\212\340\376\234\233\2422\0\12\327x\350&\320m\330\365\260\31\322\241\365[8", ) == 0x0
 00701   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (108, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00702   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "F\317\304#x\260\306\11\341\214\324\345=\257\257y?b\207\307\31\302\35\341G\202\204|X\250\204.\1\266\23&z\13\356{\30\22\305\270W\254\276%\30\34\327\273\320\370 w\217-v\30N\30\267\263\236\252\217\34\220\262{\314\37\32\15 Q\366\235\301\317\10\334\2334\255\340{\325\240\350Y\203\312\32\334\205\210\1\361,u\253\210[\244\301]Y\36'\264\277H\27xc\306\31a\351hf\315\255\275\372\252\142,\262\363\240S\315'7>\322l\326#_-\277Q\307W\253\4C|\210\2348\262\241\351\305\373\203h\5\351ipY\265\315\13Pw\375\352\271.\354~\353d\21\274\370I\324\17F\205\270h\303Q\6!\25\205\276\16D&8\353\242:\200\263\347\231\340\277\14j\341\323\222%\241\270v\321\201\2010\355nv\302@iOq\16\363=\370\352\377\22\237,\351\242;\34 s>=\315\336C\15\3262J\15c\216=Y\252\354\4\351\232&mc\311\275\303?in*o\271\323\241\251/.\30l\20\255\366kxb$\307\311\13Xnb!h\325\223\335\265B \3520ni\362\246@\253\2165\363\70\31o\216w\265Q\266\26\214\263\267\217\342um\333q1\10\266$\35\25O\4Y\265\216\367S\376V\345a;j\362K\320C\344\11\30\37F\303,\15\254\334\300\217\24\217 \202\353\3442=_\300%F\202-\240H\367\37\212\2\37\36\355 1\302\221\213\325\241\7X\341"\243IU\371\341\362K@e\2\2130\342iU\316\346\14\253\245\3\333X\272\346\262V'\233\330S(=tk^\270jS9\346\340\13\14=\205\344\327\240\21\345\201\266\177\351i\220\30U6U|\17\2G\357\331\21NiJ\272\21\217\16r]\3700\235\20\311kx\224\215Ol/\343R\352N\7", ) \243IU\371\341\362K@e\2\2130\342iU\316\346\14\253\245\3\333X\272\346\262V'\233\330S(=tk^\270jS9\346\340\13\14=\205\344\327\240\21\345\201\266\177\351i\220\30U6U|\17\2G\357\331\21NiJ\272\21\217\16r]\3700\235\20\311kx\224\215Ol/\343R\352N\7", ) == 0x0
 00703   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00704   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "k>V\20\236\200F\12\353\350:\350\207\253P\34Q\215#\14mr\7\324\222\207\362\377\331\375\277A{.\235\275\206\350\15\250\206\206\364+\236\376T Ek\370\342\33\25\326R\305\276\215\373\311\317\355\22\2\267\10\332?_\20-]\307\273K\266\233\355J2:-U-\3701Wo\200a\22Z\204#\21\252\224'%\3664\206\341\34p[N\303/c\377\275\207\177\336K\322\210\252\334\261r%ohg\267\273\347\200\312\267\302\366\330\23\246j\25Z\213Vj\337\340\353u\7\27\234[Ld"\1\3349\317\325\303\6\277tZU\314\21t\356i\11\352\6o\237\201DJ\223`\314c\206\20\310\35\3\226\240V\13:\260&kH\276\230\212\377\200\356\13"\377\34\3\23\375\207xMd\\357w\230x\23\14\206\247'\25\26m'.\304R\317\13\246\26S\5\304Mc\322\275\377Ja\213j\260\2161\34\304R\256\324 \14\225j\24V\277\250\32M\336\336;\12\204\256\345\237\1\244]\7E\30\327d\353\200\254\354\252#\211)$\306\32\247\203\373\222\223\357\1\210d,eY\341\202\12\17\4m\337'_\25\211]fF,Y\243#@4\224\4\324\312\214`\210\304\310b\242]q}~y@\27\360&\234\341:\3\10|\237\257\345r\371U{K\21B\272\312-mpx\46K*\215\35[\0\205\213\335\4\300r\244\25\353\222\366\244j\14\275\30\14-\256\2\217\340\355+\27I\213\304\263l\327q\4'\246\336\344\221\213\314\15o\302*>\322\257[\20-\275\262\205\311\341\274\0\200\30\2063\0O\304\342\247\367G\36m%k\200\202\233ot@P\12PD\222\17'\227\230\317;i Z\310Y\246\366x\0u0\352\257\216\4\345\215\212\204n\363>\27\320\360>\221\330\12\227&\353\243\22\275", ) \1\3349\317\325\303\6\277tZU\314\21t\356i\11\352\6o\237\201DJ\223`\314c\206\20\310\35\3\226\240V\13:\260&kH\276\230\212\377\200\356\13 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "k>V\20\236\200F\12\353\350:\350\207\253P\34Q\215#\14mr\7\324\222\207\362\377\331\375\277A{.\235\275\206\350\15\250\206\206\364+\236\376T Ek\370\342\33\25\326R\305\276\215\373\311\317\355\22\2\267\10\332?_\20-]\307\273K\266\233\355J2:-U-\3701Wo\200a\22Z\204#\21\252\224'%\3664\206\341\34p[N\303/c\377\275\207\177\336K\322\210\252\334\261r%ohg\267\273\347\200\312\267\302\366\330\23\246j\25Z\213Vj\337\340\353u\7\27\234[Ld"\1\3349\317\325\303\6\277tZU\314\21t\356i\11\352\6o\237\201DJ\223`\314c\206\20\310\35\3\226\240V\13:\260&kH\276\230\212\377\200\356\13"\377\34\3\23\375\207xMd\\357w\230x\23\14\206\247'\25\26m'.\304R\317\13\246\26S\5\304Mc\322\275\377Ja\213j\260\2161\34\304R\256\324 \14\225j\24V\277\250\32M\336\336;\12\204\256\345\237\1\244]\7E\30\327d\353\200\254\354\252#\211)$\306\32\247\203\373\222\223\357\1\210d,eY\341\202\12\17\4m\337'_\25\211]fF,Y\243#@4\224\4\324\312\214`\210\304\310b\242]q}~y@\27\360&\234\341:\3\10|\237\257\345r\371U{K\21B\272\312-mpx\46K*\215\35[\0\205\213\335\4\300r\244\25\353\222\366\244j\14\275\30\14-\256\2\217\340\355+\27I\213\304\263l\327q\4'\246\336\344\221\213\314\15o\302*>\322\257[\20-\275\262\205\311\341\274\0\200\30\2063\0O\304\342\247\367G\36m%k\200\202\233ot@P\12PD\222\17'\227\230\317;i Z\310Y\246\366x\0u0\352\257\216\4\345\215\212\204n\363>\27\320\360>\221\330\12\227&\353\243\22\275", ) , ) == 0x0
 00705   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (108, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00706   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "[S\336H,\12\254\277\221\341$\210\204#\213\327\12\377\266\337N`\316dK\371.`\17\245\262aB\262\273\377Op\345'\341\372?\212\25\241\371\200\260\252\210\375\203\372\276\4Z?L\215\177\3042?^U\213I\31\352s\336\6\322\255\14\205\317\4\25)\254\364L\272\251|\4\236\336\247\4\363\3\364dX\205q\2z\\3042{\342\275\31\37EH5\253\343\310WQ\262rh\323C\216Nc\305o\325\364XU=c+9\355\201\202\334\370\255\26?\325E\26\320Y,q\33;u\202\225\335\321@~\0\251\12T*T\363\362-\313\203\264\215$X\243v3!\3340-c\216\0#\251\12\254\272'\370 y\2\27\3\273}\330\201CAu\36\263>\311\223X\3\5}-\324h\243\27\226"]5\336T\16\215W\276"F\375N\354QBDnR\22\7\12\263i\10In\226\305\3[(\317\26\251\276\2766\5p?0%T0\213\345\233\231\220\323\271U\32\35\355\373\372\375T\225\307\326\262\24DK\355%<\331\363\22CX\32\226j\311\307\225&\320sG"'\263\363CQ\300\12tB\215\371\257]"i\272K!E\4\323\360A\351\20\216\305\35\262\321\11\270\241':\344\311X\376C]X\316\0+\205\376\370<`\345M\241\322\277k}\245\203\344\1770\265<.\254\214\343\257\30\302\2249\340\307p\202+\307 %\340\302\30\275\206\3277}\231\255\362A;\214S\36'\10\16Y\4\12\353`R\23H\\23\4(Q#T\362\\242!\350E*YR\30\20\277h-\326\316\246\333a\216m\311\31n\214\237\212G\24\21s\225T\251e\35602\242\6\311Ji!\357[\210\11a_\260\273oY\357^a\10qdHI\207\255\360i4b\24e\240@`\232\210N`~\2707\30", ) ]5\336T\16\215W\276 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "[S\336H,\12\254\277\221\341$\210\204#\213\327\12\377\266\337N`\316dK\371.`\17\245\262aB\262\273\377Op\345'\341\372?\212\25\241\371\200\260\252\210\375\203\372\276\4Z?L\215\177\3042?^U\213I\31\352s\336\6\322\255\14\205\317\4\25)\254\364L\272\251|\4\236\336\247\4\363\3\364dX\205q\2z\\3042{\342\275\31\37EH5\253\343\310WQ\262rh\323C\216Nc\305o\325\364XU=c+9\355\201\202\334\370\255\26?\325E\26\320Y,q\33;u\202\225\335\321@~\0\251\12T*T\363\362-\313\203\264\215$X\243v3!\3340-c\216\0#\251\12\254\272'\370 y\2\27\3\273}\330\201CAu\36\263>\311\223X\3\5}-\324h\243\27\226"]5\336T\16\215W\276"F\375N\354QBDnR\22\7\12\263i\10In\226\305\3[(\317\26\251\276\2766\5p?0%T0\213\345\233\231\220\323\271U\32\35\355\373\372\375T\225\307\326\262\24DK\355%<\331\363\22CX\32\226j\311\307\225&\320sG"'\263\363CQ\300\12tB\215\371\257]"i\272K!E\4\323\360A\351\20\216\305\35\262\321\11\270\241':\344\311X\376C]X\316\0+\205\376\370<`\345M\241\322\277k}\245\203\344\1770\265<.\254\214\343\257\30\302\2249\340\307p\202+\307 %\340\302\30\275\206\3277}\231\255\362A;\214S\36'\10\16Y\4\12\353`R\23H\\23\4(Q#T\362\\242!\350E*YR\30\20\277h-\326\316\246\333a\216m\311\31n\214\237\212G\24\21s\225T\251e\35602\242\6\311Ji!\357[\210\11a_\260\273oY\357^a\10qdHI\207\255\360i4b\24e\240@`\232\210N`~\2707\30", ) '\263\363CQ\300\12tB\215\371\257] (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "[S\336H,\12\254\277\221\341$\210\204#\213\327\12\377\266\337N`\316dK\371.`\17\245\262aB\262\273\377Op\345'\341\372?\212\25\241\371\200\260\252\210\375\203\372\276\4Z?L\215\177\3042?^U\213I\31\352s\336\6\322\255\14\205\317\4\25)\254\364L\272\251|\4\236\336\247\4\363\3\364dX\205q\2z\\3042{\342\275\31\37EH5\253\343\310WQ\262rh\323C\216Nc\305o\325\364XU=c+9\355\201\202\334\370\255\26?\325E\26\320Y,q\33;u\202\225\335\321@~\0\251\12T*T\363\362-\313\203\264\215$X\243v3!\3340-c\216\0#\251\12\254\272'\370 y\2\27\3\273}\330\201CAu\36\263>\311\223X\3\5}-\324h\243\27\226"]5\336T\16\215W\276"F\375N\354QBDnR\22\7\12\263i\10In\226\305\3[(\317\26\251\276\2766\5p?0%T0\213\345\233\231\220\323\271U\32\35\355\373\372\375T\225\307\326\262\24DK\355%<\331\363\22CX\32\226j\311\307\225&\320sG"'\263\363CQ\300\12tB\215\371\257]"i\272K!E\4\323\360A\351\20\216\305\35\262\321\11\270\241':\344\311X\376C]X\316\0+\205\376\370<`\345M\241\322\277k}\245\203\344\1770\265<.\254\214\343\257\30\302\2249\340\307p\202+\307 %\340\302\30\275\206\3277}\231\255\362A;\214S\36'\10\16Y\4\12\353`R\23H\\23\4(Q#T\362\\242!\350E*YR\30\20\277h-\326\316\246\333a\216m\311\31n\214\237\212G\24\21s\225T\251e\35602\242\6\311Ji!\357[\210\11a_\260\273oY\357^a\10qdHI\207\255\360i4b\24e\240@`\232\210N`~\2707\30", ) , ) == 0x0
 00707   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (108, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (108, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (108, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00708   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "!\300(\230\22\356i\374NR){\22\263NS)\314ot\17\14\347,x\377K\40\360\377b&\371\201S\10\354Qaq\303\2\205\331%\3\323\355\207\4\366I\355\6\227]\2472 8\33\312\327\2\2501\260\2W\235\0n\302-zZ\2635\25\353\2041\12\302\355\266\17Z\217%\340Y\367\215\326\20\264:\01\337NS\20\344\7\340T\330\337\220\333B\353\353I\201\315I\343X^\305XBe\262j\250\237\260k\334E\214MbX}\324\363\7\271X\343G\202\323\263$|,\240=\200@"H`\203\265\216\267Z@\16*\\1\17\12a\245?\327\363\220\204\216/\317\11\271t\3059\242\373\24;\215O)\257(I\34\33 \312\241\222<\354\241\302u\246 \22\6L\235\206XIG?\242\14\236\4\201E\240a\307{\0\1\25\273\256.h\220\23\252\221V\361\15\5\231\263|r6\273\244\362\255\233~\4u_\5\24b\366\16I\15\263\214|\222\247\32\325\365\302\263\252]t\212\325\\272r\364\311\217\256\11&[\376\2073\251W-A*\216;\361\243\221\200\315\371\204'\35\317\326\4\324\355\376\346\331\300\307\11\261\201\16\313z\257\255\252N\333\222q\301\253$X]\351\11\244\372 \10\10l\272C\22{\227\260\24\15\23e\33$I\22q\225\30\4\0\305\260\11\377\225\260\273\2g\355NuT\365\203"\257]_8\262\235\270\16\235\234\265 Yd\355&\3611\31*1\265\363\205]0\6|\34\327,\123\242\261\252\356\15\244G\205^sG\236\372\7\3[\302b\236uk\264l\\254\12\20I\264\264,\222\22\22\30A\200&\313\353\214\315$}\210.,u\264\235\0;w\367\202\11\341\212\355\15\240\255SVU\216f\10\37M\242z\372\4\213\210\243\354\11\215\3\243v9L\12\3", ) H`\203\265\216\267Z@\16*\\1\17\12a\245?\327\363\220\204\216/\317\11\271t\3059\242\373\24;\215O)\257(I\34\33 \312\241\222<\354\241\302u\246 \22\6L\235\206XIG?\242\14\236\4\201E\240a\307{\0\1\25\273\256.h\220\23\252\221V\361\15\5\231\263|r6\273\244\362\255\233~\4u_\5\24b\366\16I\15\263\214|\222\247\32\325\365\302\263\252]t\212\325\\272r\364\311\217\256\11&[\376\2073\251W-A*\216;\361\243\221\200\315\371\204'\35\317\326\4\324\355\376\346\331\300\307\11\261\201\16\313z\257\255\252N\333\222q\301\253$X]\351\11\244\372 \10\10l\272C\22{\227\260\24\15\23e\33$I\22q\225\30\4\0\305\260\11\377\225\260\273\2g\355NuT\365\203 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "!\300(\230\22\356i\374NR){\22\263NS)\314ot\17\14\347,x\377K\40\360\377b&\371\201S\10\354Qaq\303\2\205\331%\3\323\355\207\4\366I\355\6\227]\2472 8\33\312\327\2\2501\260\2W\235\0n\302-zZ\2635\25\353\2041\12\302\355\266\17Z\217%\340Y\367\215\326\20\264:\01\337NS\20\344\7\340T\330\337\220\333B\353\353I\201\315I\343X^\305XBe\262j\250\237\260k\334E\214MbX}\324\363\7\271X\343G\202\323\263$|,\240=\200@"H`\203\265\216\267Z@\16*\\1\17\12a\245?\327\363\220\204\216/\317\11\271t\3059\242\373\24;\215O)\257(I\34\33 \312\241\222<\354\241\302u\246 \22\6L\235\206XIG?\242\14\236\4\201E\240a\307{\0\1\25\273\256.h\220\23\252\221V\361\15\5\231\263|r6\273\244\362\255\233~\4u_\5\24b\366\16I\15\263\214|\222\247\32\325\365\302\263\252]t\212\325\\272r\364\311\217\256\11&[\376\2073\251W-A*\216;\361\243\221\200\315\371\204'\35\317\326\4\324\355\376\346\331\300\307\11\261\201\16\313z\257\255\252N\333\222q\301\253$X]\351\11\244\372 \10\10l\272C\22{\227\260\24\15\23e\33$I\22q\225\30\4\0\305\260\11\377\225\260\273\2g\355NuT\365\203"\257]_8\262\235\270\16\235\234\265 Yd\355&\3611\31*1\265\363\205]0\6|\34\327,\123\242\261\252\356\15\244G\205^sG\236\372\7\3[\302b\236uk\264l\\254\12\20I\264\264,\222\22\22\30A\200&\313\353\214\315$}\210.,u\264\235\0;w\367\202\11\341\212\355\15\240\255SVU\216f\10\37M\242z\372\4\213\210\243\354\11\215\3\243v9L\12\3", ) , ) == 0x0
 00709   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (108, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (108, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00710   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "LG\311o\334\202\271\202K\6\314E\364\25\326\326g'\212\215\242PE\10\366\354v\332R\36\226\370_>,~\24\234\273\251j\1]\37J \357\364\12\360h\247\374\17\23\354\254~y\273\235l\0\330\357P\22\274\10\212\206jO\25\245<m6I\335\322H'e\33 \14P\334\25\310\222\274d"\340\30\325?r\362YQ\242\226CW\231\5\4\\353\254`+\223\306\303?L\35\311\214\315\266h\375\254\23<\313\365\330\222\273\260\36I\202np\11\331a,\3364\2\243_\351\270&\206U\350B\3\321i\15\211\17\231\320\23\32\332T1\311)K\354\222\330\352\205\2113\216\\217\272A`\35O\71B2T\350\315\220\352E7{&\1^\336}\321\25\241hz\341\221\342\27(\302BK.u\216L@\2446\37\255\200&\200\245\242\321\25\21a\344\262\213\342R\27W\260\22h\14\211F\0\222\226\363$O\16\215\1\213P\362z\230\273\15\200\36\244\2439K\250\346%tP\342\200-\261\242\344\216\274"18--\364\236\322\247\322\351\16,{@\241WEK\362\213H\10\214\377\332\201\253=\203\14\243}.\36Cq\24\317\250\36`\206\307\323#P\330\214\206\236\177\32745w\336\22\246sL\333\1\243\15\372q\345\374\232\370\277\251\300x\326\264\3Q\253\16$w\354~\24.\272\37\177\237\370\12\11\232M\361\336\377\10\202\\201\344\2515\10\214\235\220\253\265\365\335\216\324\251\343\26\310?\335\213\32E$\261DP\264\346qu\254\247=\271\347\242D\242P\12\206\200\345\364\351\2X\310\21\13p\372\367=\241}\264\375\323\361\200\246\3365\236\14", ) \340\30\325?r\362YQ\242\226CW\231\5\4\\353\254`+\223\306\303?L\35\311\214\315\266h\375\254\23<\313\365\330\222\273\260\36I\202np\11\331a,\3364\2\243_\351\270&\206U\350B\3\321i\15\211\17\231\320\23\32\332T1\311)K\354\222\330\352\205\2113\216\\217\272A`\35O\71B2T\350\315\220\352E7{&\1^\336}\321\25\241hz\341\221\342\27(\302BK.u\216L@\2446\37\255\200&\200\245\242\321\25\21a\344\262\213\342R\27W\260\22h\14\211F\0\222\226\363$O\16\215\1\213P\362z\230\273\15\200\36\244\2439K\250\346%tP\342\200-\261\242\344\216\274 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "LG\311o\334\202\271\202K\6\314E\364\25\326\326g'\212\215\242PE\10\366\354v\332R\36\226\370_>,~\24\234\273\251j\1]\37J \357\364\12\360h\247\374\17\23\354\254~y\273\235l\0\330\357P\22\274\10\212\206jO\25\245<m6I\335\322H'e\33 \14P\334\25\310\222\274d"\340\30\325?r\362YQ\242\226CW\231\5\4\\353\254`+\223\306\303?L\35\311\214\315\266h\375\254\23<\313\365\330\222\273\260\36I\202np\11\331a,\3364\2\243_\351\270&\206U\350B\3\321i\15\211\17\231\320\23\32\332T1\311)K\354\222\330\352\205\2113\216\\217\272A`\35O\71B2T\350\315\220\352E7{&\1^\336}\321\25\241hz\341\221\342\27(\302BK.u\216L@\2446\37\255\200&\200\245\242\321\25\21a\344\262\213\342R\27W\260\22h\14\211F\0\222\226\363$O\16\215\1\213P\362z\230\273\15\200\36\244\2439K\250\346%tP\342\200-\261\242\344\216\274"18--\364\236\322\247\322\351\16,{@\241WEK\362\213H\10\214\377\332\201\253=\203\14\243}.\36Cq\24\317\250\36`\206\307\323#P\330\214\206\236\177\32745w\336\22\246sL\333\1\243\15\372q\345\374\232\370\277\251\300x\326\264\3Q\253\16$w\354~\24.\272\37\177\237\370\12\11\232M\361\336\377\10\202\\201\344\2515\10\214\235\220\253\265\365\335\216\324\251\343\26\310?\335\213\32E$\261DP\264\346qu\254\247=\271\347\242D\242P\12\206\200\345\364\351\2X\310\21\13p\372\367=\241}\264\375\323\361\200\246\3365\236\14", ) , ) == 0x0
 00711   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00712   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "X\1\371N\375u\16\22\6\275b\262\205$-qr\341\37\367\321\227\34\373-\204:\326\356\264C7\314_\205'\2005\31|\352*\13\362\246\206\1\300\340\270&~\241\4\20\11\316g\315\235\323I6\321'\16\370\262\246<\7\342UV\2014\243\347\367c\242\235\315\15\321s\320\22\224\254\13\372\32\254\30'\321/\315\214vx\330}\21\367\13\275(\14\353\344\262\254\25\2465\204\350\312O\23\221n]\251\207\10 \330\267(E\20\257\230\367E)%\311\3001Y\214\276\357\241, \320\253\32FZ\30\373\11.\340\301F\35\276\346?\305<\363m\267\223&&Q\245^sU\332\215\300Q\230\36*\273\376bV\302\276\327\352\233\236E\270D\300\355Fwl\23\32k\270\12\320u J\204x\37k\2\265 J\37\30\334\252\360B\253M {\342\236\33-\214\235[a\315\246 \227\245\22\24\271\345\302\262A\270uK~k\320\257U\254\12\30[\264e\7\2626=uS\250\213_MG\20\212\324\325\253\211>\A\327\36\12\360\2769\227b\353Nj\25\30G\270\204\220\304\324\12\301\251$\234\20L\351\352O\31\30\220\252\366\265\215DA*\\31\1\15s\346\2\227\316\213\30\254\10\33S\334\335Y*\27D\2\23\270\25\10\371\360\261Q\353\214\335\222\201\22\14A\270{\266\201\322\12\30t\33NPQ\344*a\225\255\206[\256\365\313\22z\372M\270 \232\350\12C\342\261\232\233\337,[b\26\5~\20\\3\370r\302\24|#@\367\261N\202\362\307Y\262\15\222\251x&\2374\3217\316\33\242s9Y\341\312\326\360\364-\204j\243\2551\351@\210\341Y\361\301Z\30\234\376\200\344Tf\366s.F k\257\211\370\246\264\363\222W`\302\3+\270=\306\231\314\221m@~.8Tp\317N", ) , ) == 0x0
 00713   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (108, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00714   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "3\244\364\30'N\205\332\30\0\322|\321\257\265\237\227\302c\204\261@\305{\322\254C\33238\3150\337q?\35H7\346DJ/\312]\331wbDq7x"\371\333s\15+\241x\34\17>O\217\377\15\376\226L\215\201f\4l\302\353)\272\237\14I\251\15\25\225\245\2628Fab\333\27xy\360W\242R\5\232-)\370tw\5\11\363\351u\267\363mR\23F\206E\271\237 \Q\251\266e\275\310\334\204\233\320D<\234\25\322\2027QH\212\341\24"\226\343d[\2073M\221]\244\220*\4\216\34702\262w(\276\1\233!\375WS\256Y\343'\251\301\20QK\3250[\230\207m\355\265\340\216wR\227\217\336\215\4~\+\3\340\357\374\227\311\2656\267\30\22\266\222\13\245T\206\3K}-\336-s/\221\317\364\3D{X7!\331!\35\234HuN\266\244\275\235\330\256\227\35\200\304\216K\317\334\352\250!\261\17E\310P\32\330\2422t\263\205\303\361\31\24\371S\211\245W,*\247\12'\3\244<\307LM\301\345|V\244\2\373\311h\11\267\220\262\216!\355B5\5\273r\0\32r\212\31bF\274]\30P\365[\364\320\320{\254\323%{\10?!\314\265\233\373\206\16\237\355\22\243\373\2100\25\261\335[d}\302L\365\251\346.D"\26\233\353n'\3218a)~\344\275jpy$\204>\364\335\345T\24\355\267\274\222y \255\4\221\302E`\250t\370\0\7\252B\211\27303\375]\206h3&p}\14{\241\362\256O\17\17sQ\213\361a\232\362\2738N\233\310\302\250\271\5\307\250\364\22\217\31\214\7sU\246\246\350x!\305f\301|Z\276\244\251r\14?_\317\4\262\260\217PR\241\0\3\11\212G=\10\257FS\21\201\201\214\3523\276DX\207'\353", ) \371\333s\15+\241x\34\17>O\217\377\15\376\226L\215\201f\4l\302\353)\272\237\14I\251\15\25\225\245\2628Fab\333\27xy\360W\242R\5\232-)\370tw\5\11\363\351u\267\363mR\23F\206E\271\237 \Q\251\266e\275\310\334\204\233\320D<\234\25\322\2027QH\212\341\24 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "3\244\364\30'N\205\332\30\0\322|\321\257\265\237\227\302c\204\261@\305{\322\254C\33238\3150\337q?\35H7\346DJ/\312]\331wbDq7x"\371\333s\15+\241x\34\17>O\217\377\15\376\226L\215\201f\4l\302\353)\272\237\14I\251\15\25\225\245\2628Fab\333\27xy\360W\242R\5\232-)\370tw\5\11\363\351u\267\363mR\23F\206E\271\237 \Q\251\266e\275\310\334\204\233\320D<\234\25\322\2027QH\212\341\24"\226\343d[\2073M\221]\244\220*\4\216\34702\262w(\276\1\233!\375WS\256Y\343'\251\301\20QK\3250[\230\207m\355\265\340\216wR\227\217\336\215\4~\+\3\340\357\374\227\311\2656\267\30\22\266\222\13\245T\206\3K}-\336-s/\221\317\364\3D{X7!\331!\35\234HuN\266\244\275\235\330\256\227\35\200\304\216K\317\334\352\250!\261\17E\310P\32\330\2422t\263\205\303\361\31\24\371S\211\245W,*\247\12'\3\244<\307LM\301\345|V\244\2\373\311h\11\267\220\262\216!\355B5\5\273r\0\32r\212\31bF\274]\30P\365[\364\320\320{\254\323%{\10?!\314\265\233\373\206\16\237\355\22\243\373\2100\25\261\335[d}\302L\365\251\346.D"\26\233\353n'\3218a)~\344\275jpy$\204>\364\335\345T\24\355\267\274\222y \255\4\221\302E`\250t\370\0\7\252B\211\27303\375]\206h3&p}\14{\241\362\256O\17\17sQ\213\361a\232\362\2738N\233\310\302\250\271\5\307\250\364\22\217\31\214\7sU\246\246\350x!\305f\301|Z\276\244\251r\14?_\317\4\262\260\217PR\241\0\3\11\212G=\10\257FS\21\201\201\214\3523\276DX\207'\353", ) \26\233\353n'\3218a)~\344\275jpy$\204>\364\335\345T\24\355\267\274\222y \255\4\221\302E`\250t\370\0\7\252B\211\27303\375]\206h3&p}\14{\241\362\256O\17\17sQ\213\361a\232\362\2738N\233\310\302\250\271\5\307\250\364\22\217\31\214\7sU\246\246\350x!\305f\301|Z\276\244\251r\14?_\317\4\262\260\217PR\241\0\3\11\212G=\10\257FS\21\201\201\214\3523\276DX\207'\353", ) == 0x0
 00715   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (108, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00716   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "J\207\25\223"\211Z\15\243Hy\3V\341\243\2404\315\306+`\204\332?\20\32+\335\367Pd\215\4\216\304\10\242\250s\323mmq\367\224\207%\363\266\343\3254\24\276\34$y\363&w\257c@O\373tZ\273\262m\260\306MX]\373\22\232\362\212\177 \372+'\244+u\205\222\342\271\304\26\320.\361\341@0\10Y\312\232\354\303W^\12*p\214\237\332\215-\2\266\371[\262(\245\303\246\336\216\12\237\273z\14\0|\371M\201\336m\245\243\325\360\353T_\13\261\232Dx\22\262\341\324cB6.CG\253M\21\271\3367}\353\276\246\212\355\253m\271_\12s\353G=\14\27x\373\334\25\11C\11\262\221R\212M3\260S.\347\2505F\360\364N\322Ch \303\17\363\35\371u\314\353O\366\12\0\343\265\350+\10\357_\20\16B\5#\364[\235\0u{\306\361\240\223\365\301F_>\27\35-A`\226\\336\13\3\31\311\300C\347\214v\267\265IC@\202\216\264?0`\26M\337+\4\336\a\376\20$I\363\227\261\215\331\370\200A\3141\21y\372\333t+l\13\206\6v\330\200;\333\202\302\363\364\350\206\302{A-\251\334\273\267X\331u\277-}\3\246M\31\202};\214DLE\332\300\261\244\206\344V\306\3\360\264\27\3340iAg\353k`\254\213\275\243{\10 \1\340\340\4R\204;$\254=\4\241\336\375\27#\262u'o\233\55+\205\300D_\240IxT^\347n\246G\1\22`\327\353\353F\306\301\245h\240g\136\20\261^\3462"\31y\0\367\333b\0n\360BX`\301\263\312\217\7I@\376\3\321\363\4\303\30i\4\340\364\242?\310Rj{\201\21\22\373 \247p\367\201#\334\12\331\156\12?\253K|\241V=z]\334\31\277W\341+!", ) \211Z\15\243Hy\3V\341\243\2404\315\306+`\204\332?\20\32+\335\367Pd\215\4\216\304\10\242\250s\323mmq\367\224\207%\363\266\343\3254\24\276\34$y\363&w\257c@O\373tZ\273\262m\260\306MX]\373\22\232\362\212\177 \372+'\244+u\205\222\342\271\304\26\320.\361\341@0\10Y\312\232\354\303W^\12*p\214\237\332\215-\2\266\371[\262(\245\303\246\336\216\12\237\273z\14\0|\371M\201\336m\245\243\325\360\353T_\13\261\232Dx\22\262\341\324cB6.CG\253M\21\271\3367}\353\276\246\212\355\253m\271_\12s\353G=\14\27x\373\334\25\11C\11\262\221R\212M3\260S.\347\2505F\360\364N\322Ch \303\17\363\35\371u\314\353O\366\12\0\343\265\350+\10\357_\20\16B\5#\364[\235\0u{\306\361\240\223\365\301F_>\27\35-A`\226\\336\13\3\31\311\300C\347\214v\267\265IC@\202\216\264?0`\26M\337+\4\336\a\376\20$I\363\227\261\215\331\370\200A\3141\21y\372\333t+l\13\206\6v\330\200;\333\202\302\363\364\350\206\302{A-\251\334\273\267X\331u\277-}\3\246M\31\202};\214DLE\332\300\261\244\206\344V\306\3\360\264\27\3340iAg\353k`\254\213\275\243{\10 \1\340\340\4R\204;$\254=\4\241\336\375\27#\262u'o\233\55+\205\300D_\240IxT^\347n\246G\1\22`\327\353\353F\306\301\245h\240g\136\20\261^\3462 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "J\207\25\223"\211Z\15\243Hy\3V\341\243\2404\315\306+`\204\332?\20\32+\335\367Pd\215\4\216\304\10\242\250s\323mmq\367\224\207%\363\266\343\3254\24\276\34$y\363&w\257c@O\373tZ\273\262m\260\306MX]\373\22\232\362\212\177 \372+'\244+u\205\222\342\271\304\26\320.\361\341@0\10Y\312\232\354\303W^\12*p\214\237\332\215-\2\266\371[\262(\245\303\246\336\216\12\237\273z\14\0|\371M\201\336m\245\243\325\360\353T_\13\261\232Dx\22\262\341\324cB6.CG\253M\21\271\3367}\353\276\246\212\355\253m\271_\12s\353G=\14\27x\373\334\25\11C\11\262\221R\212M3\260S.\347\2505F\360\364N\322Ch \303\17\363\35\371u\314\353O\366\12\0\343\265\350+\10\357_\20\16B\5#\364[\235\0u{\306\361\240\223\365\301F_>\27\35-A`\226\\336\13\3\31\311\300C\347\214v\267\265IC@\202\216\264?0`\26M\337+\4\336\a\376\20$I\363\227\261\215\331\370\200A\3141\21y\372\333t+l\13\206\6v\330\200;\333\202\302\363\364\350\206\302{A-\251\334\273\267X\331u\277-}\3\246M\31\202};\214DLE\332\300\261\244\206\344V\306\3\360\264\27\3340iAg\353k`\254\213\275\243{\10 \1\340\340\4R\204;$\254=\4\241\336\375\27#\262u'o\233\55+\205\300D_\240IxT^\347n\246G\1\22`\327\353\353F\306\301\245h\240g\136\20\261^\3462"\31y\0\367\333b\0n\360BX`\301\263\312\217\7I@\376\3\321\363\4\303\30i\4\340\364\242?\310Rj{\201\21\22\373 \247p\367\201#\334\12\331\156\12?\253K|\241V=z]\334\31\277W\341+!", ) , ) == 0x0
 00717   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00718   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "i\201.\336\317\254\355'O\243P\15\337^\221\254T\274\21\213\206\233\355u\2335\20\13s\36\303\237\265\20627S\371\306Z\2p\375\2136T-\240k;tl\27\243L\4"\223\7\4f\313\313w\7\261\277\255\35\365^\273X\336\336\31\31\20\3)\341\344b\20(C0\353\317\252\215\377ZnG\304/\2134\27bo\373)O\240\277\266\304\206\22A\343\325\327(\373%\310\213\262 P\24K\10\3224\17\212>\331\335K\12n\12\340\266F\245\273=\373,%\322\221\360\366\251Yz\375\217\30\304\236\333\236_\211\207\306m!\340<`\240\34\1i\277\36U\230\262WV\25AQQdX\217;Ns\276Gg\302=\254\225\303\25$\331\231\5\350YN\247\272\21W\375_X>\210_\14H\345`3\326\306\276\350\244IhR\365TuF\330\3\315\177\347\2$\0\242\352\24.\326\3350\200 $\243\265(\16R\35\244=\270\270,[\350\267\243\303\211\254+\33TN\272xN\262\361\364s\326Nq\14\205\215*\200Z\326=\31.\233=c\361\332\236\333\337)\3\24U\326=b\332\35*t\17\322\203\12\236ug\234\343\245C\250\301\257\331\251\273d\251\252\1\325\241Q`\345ik\230\5\271\31W\251\6\360X\344\26\344O\241;\334Q\255\250[\3460\246\10\2p\215\352\330"h[\210E\6\376Z\254\207\302l;}\233T!\344\16\237\231B(\265\300YT\310eC\213ln\217\216{\300:\316'\34\260\3353\303\375\217/\252\333;"\250\277/V\267\332\213\_p\36\16\260-\373\16\21\33v\347\363\306B\374K\176|\251\214\317W\31\272\210\253\2710&r\25\365\241\330F\317\20\275\2262\235\262\243I\310\220\301\333F\257\213\0A\335\230\320m6\237\32$*\243\215\4bOu\214", ) \223\7\4f\313\313w\7\261\277\255\35\365^\273X\336\336\31\31\20\3)\341\344b\20(C0\353\317\252\215\377ZnG\304/\2134\27bo\373)O\240\277\266\304\206\22A\343\325\327(\373%\310\213\262 P\24K\10\3224\17\212>\331\335K\12n\12\340\266F\245\273=\373,%\322\221\360\366\251Yz\375\217\30\304\236\333\236_\211\207\306m!\340<`\240\34\1i\277\36U\230\262WV\25AQQdX\217;Ns\276Gg\302=\254\225\303\25$\331\231\5\350YN\247\272\21W\375_X>\210_\14H\345`3\326\306\276\350\244IhR\365TuF\330\3\315\177\347\2$\0\242\352\24.\326\3350\200 $\243\265(\16R\35\244=\270\270,[\350\267\243\303\211\254+\33TN\272xN\262\361\364s\326Nq\14\205\215*\200Z\326=\31.\233=c\361\332\236\333\337)\3\24U\326=b\332\35*t\17\322\203\12\236ug\234\343\245C\250\301\257\331\251\273d\251\252\1\325\241Q`\345ik\230\5\271\31W\251\6\360X\344\26\344O\241;\334Q\255\250[\3460\246\10\2p\215\352\330 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "i\201.\336\317\254\355'O\243P\15\337^\221\254T\274\21\213\206\233\355u\2335\20\13s\36\303\237\265\20627S\371\306Z\2p\375\2136T-\240k;tl\27\243L\4"\223\7\4f\313\313w\7\261\277\255\35\365^\273X\336\336\31\31\20\3)\341\344b\20(C0\353\317\252\215\377ZnG\304/\2134\27bo\373)O\240\277\266\304\206\22A\343\325\327(\373%\310\213\262 P\24K\10\3224\17\212>\331\335K\12n\12\340\266F\245\273=\373,%\322\221\360\366\251Yz\375\217\30\304\236\333\236_\211\207\306m!\340<`\240\34\1i\277\36U\230\262WV\25AQQdX\217;Ns\276Gg\302=\254\225\303\25$\331\231\5\350YN\247\272\21W\375_X>\210_\14H\345`3\326\306\276\350\244IhR\365TuF\330\3\315\177\347\2$\0\242\352\24.\326\3350\200 $\243\265(\16R\35\244=\270\270,[\350\267\243\303\211\254+\33TN\272xN\262\361\364s\326Nq\14\205\215*\200Z\326=\31.\233=c\361\332\236\333\337)\3\24U\326=b\332\35*t\17\322\203\12\236ug\234\343\245C\250\301\257\331\251\273d\251\252\1\325\241Q`\345ik\230\5\271\31W\251\6\360X\344\26\344O\241;\334Q\255\250[\3460\246\10\2p\215\352\330"h[\210E\6\376Z\254\207\302l;}\233T!\344\16\237\231B(\265\300YT\310eC\213ln\217\216{\300:\316'\34\260\3353\303\375\217/\252\333;"\250\277/V\267\332\213\_p\36\16\260-\373\16\21\33v\347\363\306B\374K\176|\251\214\317W\31\272\210\253\2710&r\25\365\241\330F\317\20\275\2262\235\262\243I\310\220\301\333F\257\213\0A\335\230\320m6\237\32$*\243\215\4bOu\214", ) \250\277/V\267\332\213\_p\36\16\260-\373\16\21\33v\347\363\306B\374K\176|\251\214\317W\31\272\210\253\2710&r\25\365\241\330F\317\20\275\2262\235\262\243I\310\220\301\333F\257\213\0A\335\230\320m6\237\32$*\243\215\4bOu\214", ) == 0x0
 00719   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (108, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00720   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "J\215\215\274\332\2328\334\244\225K\15S)\7\241_|\300\0W\331z\364?k,\263\346/Q\2\216\245\223\32\236\251\302\231\303\201\16\17\3353!\353r\345\342\35\11\213\2\202\240:\33\257\11I{\217Q\360\270\313\271p\11Q.\222c\6\203& \346oRp\301\22\310\207*6b\177\317\334\312-\321\374\260;\335E\30\0\230\350S|\362\230\2\270\256\343+\17=\364D\0yc\351Th\266\31\20\215\263\250\265\23\246\241~S\257]\25\25\301\31td\311QP\231\266a\34\26\5\255\255\313\\252D@\224~\353\13\367U\246\24\325r_\16\240\22\360A\230\270\240i-v\30\256\4U\300\31\341\303\261\203\320\13\211S"\355.@2M+\3450\256\222P\231L\320\361\371\7d=0\256\33\305\23165Jge\227\11\264\306\3\302\373SP\363 \4\22\376&\275\220!\2766\310=\327\15\230\240\0\217\312\10\315^L\230j\220\320S\247\261S\364\242\366ZQ\33y\331y\10\223\202]\241\337\233\30}5\213\2237\231#r \371\260x\233\370rx\324+\375@\242~\255t\207(7\265\315k\261G\234\372\261\245\257@\257:\234\221\177\20/Q\212\251\20%\340\342\260V\212\271W\304\374\24\375`\253\241\27i\231\324\354\21\374_\347\4\213^a\354\3K\305\335\3324\247\15\4\23\177\3\10Q\254\220e\06!\20M\276\36\34\06cYL\200"\14q\353\3\277\34\252y0\23\325\316\350\30\250`\255\344\hmS\247\337[\372O\11\13\321\247\370\312\353\300B\27\246\265h\257,\23\215\205?\257\321\363?\13\231\2\1V\37\357\307\222\306$\2450\371\374\253\16\213w\246+{\14rY\201\367qPK\215AC\250Z\325+\213\204\366\313\1U\272\316\1Y!X\340\356m\344\200", ) \355.@2M+\3450\256\222P\231L\320\361\371\7d=0\256\33\305\23165Jge\227\11\264\306\3\302\373SP\363 \4\22\376&\275\220!\2766\310=\327\15\230\240\0\217\312\10\315^L\230j\220\320S\247\261S\364\242\366ZQ\33y\331y\10\223\202]\241\337\233\30}5\213\2237\231#r \371\260x\233\370rx\324+\375@\242~\255t\207(7\265\315k\261G\234\372\261\245\257@\257:\234\221\177\20/Q\212\251\20%\340\342\260V\212\271W\304\374\24\375`\253\241\27i\231\324\354\21\374_\347\4\213^a\354\3K\305\335\3324\247\15\4\23\177\3\10Q\254\220e\06!\20M\276\36\34\06cYL\200 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "J\215\215\274\332\2328\334\244\225K\15S)\7\241_|\300\0W\331z\364?k,\263\346/Q\2\216\245\223\32\236\251\302\231\303\201\16\17\3353!\353r\345\342\35\11\213\2\202\240:\33\257\11I{\217Q\360\270\313\271p\11Q.\222c\6\203& \346oRp\301\22\310\207*6b\177\317\334\312-\321\374\260;\335E\30\0\230\350S|\362\230\2\270\256\343+\17=\364D\0yc\351Th\266\31\20\215\263\250\265\23\246\241~S\257]\25\25\301\31td\311QP\231\266a\34\26\5\255\255\313\\252D@\224~\353\13\367U\246\24\325r_\16\240\22\360A\230\270\240i-v\30\256\4U\300\31\341\303\261\203\320\13\211S"\355.@2M+\3450\256\222P\231L\320\361\371\7d=0\256\33\305\23165Jge\227\11\264\306\3\302\373SP\363 \4\22\376&\275\220!\2766\310=\327\15\230\240\0\217\312\10\315^L\230j\220\320S\247\261S\364\242\366ZQ\33y\331y\10\223\202]\241\337\233\30}5\213\2237\231#r \371\260x\233\370rx\324+\375@\242~\255t\207(7\265\315k\261G\234\372\261\245\257@\257:\234\221\177\20/Q\212\251\20%\340\342\260V\212\271W\304\374\24\375`\253\241\27i\231\324\354\21\374_\347\4\213^a\354\3K\305\335\3324\247\15\4\23\177\3\10Q\254\220e\06!\20M\276\36\34\06cYL\200"\14q\353\3\277\34\252y0\23\325\316\350\30\250`\255\344\hmS\247\337[\372O\11\13\321\247\370\312\353\300B\27\246\265h\257,\23\215\205?\257\321\363?\13\231\2\1V\37\357\307\222\306$\2450\371\374\253\16\213w\246+{\14rY\201\367qPK\215AC\250Z\325+\213\204\366\313\1U\272\316\1Y!X\340\356m\344\200", ) , ) == 0x0
 00721   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00722   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "zU\23\205?\346\372\6B\324\215\22\{\16sv{\230\2427\224\0Y\21s\213\355\362\375x\220\370\3130\205\307G`\262Q\330\5Q\27+\227\275&\232\231\374H\326\16\235\270\260\375\241\247\356\13-\210\37WL\375\255\200N\344\213_]\356\274\24\271\226,\32\223\365\36\24\220\271\276?k\2331|\263\317\251\330\276!\206\14\201\260\346\2029q\224\330\242\312\0\304U\24\340o\270\315\221\267\332_\353h\30\335\3\5\341\372\0\15\243\371\243\32\241I\24\17\322\223XN\35"\237\350\0Q\376\226\310 \262\36\351D\266\17s q\30J#z\223\226\366e\201\33\337\357t\37\240\33\247q \207\21\372u\15\14"\215\335\213A\361Q\341g\345\31\237\17g\325\364f\221\255w\3561Q\3}_\13~\214e\36_j\213R\224\345\2358\301\317\257\205%\345\302\230\360\177$G\13X\352\237\3K\240\3176MXWn\376\10\227\12\23\317\373\336\36\23\4\316J\35\13\22I\270<\237\347\215%\367,k\351\363\374\352i\370\21\32\223\34\372\257\367kD\2\27m\305TW\3036\242\3\346E\360Ua\26P\206n)]/\376\373Y\26\1\223\362G\301\247l\257"9\261\376\273\335\301\6,\3213\5\370,\221\364\243\4\360W\351\362\300\305\202J\304>\213\223\32\36OQ\270\7\346\0\370R2\331\11\310\370\15\22\326\262K\30\324\22N\224\21(N\213\366\323\275\371\306c\17\244e\17_\223\221D\232\24\15\260\361&^x\12\265V\376\202\241\207{\316-\32\224\34\247\7\1$\266\233|}\214\356\0-+4]3\274@\354HT,\361\202\343\301k\266\326\5\", ) \237\350\0Q\376\226\310 \262\36\351D\266\17s q\30J#z\223\226\366e\201\33\337\357t\37\240\33\247q \207\21\372u\15\14 (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "zU\23\205?\346\372\6B\324\215\22\{\16sv{\230\2427\224\0Y\21s\213\355\362\375x\220\370\3130\205\307G`\262Q\330\5Q\27+\227\275&\232\231\374H\326\16\235\270\260\375\241\247\356\13-\210\37WL\375\255\200N\344\213_]\356\274\24\271\226,\32\223\365\36\24\220\271\276?k\2331|\263\317\251\330\276!\206\14\201\260\346\2029q\224\330\242\312\0\304U\24\340o\270\315\221\267\332_\353h\30\335\3\5\341\372\0\15\243\371\243\32\241I\24\17\322\223XN\35"\237\350\0Q\376\226\310 \262\36\351D\266\17s q\30J#z\223\226\366e\201\33\337\357t\37\240\33\247q \207\21\372u\15\14"\215\335\213A\361Q\341g\345\31\237\17g\325\364f\221\255w\3561Q\3}_\13~\214e\36_j\213R\224\345\2358\301\317\257\205%\345\302\230\360\177$G\13X\352\237\3K\240\3176MXWn\376\10\227\12\23\317\373\336\36\23\4\316J\35\13\22I\270<\237\347\215%\367,k\351\363\374\352i\370\21\32\223\34\372\257\367kD\2\27m\305TW\3036\242\3\346E\360Ua\26P\206n)]/\376\373Y\26\1\223\362G\301\247l\257"9\261\376\273\335\301\6,\3213\5\370,\221\364\243\4\360W\351\362\300\305\202J\304>\213\223\32\36OQ\270\7\346\0\370R2\331\11\310\370\15\22\326\262K\30\324\22N\224\21(N\213\366\323\275\371\306c\17\244e\17_\223\221D\232\24\15\260\361&^x\12\265V\376\202\241\207{\316-\32\224\34\247\7\1$\266\233|}\214\356\0-+4]3\274@\354HT,\361\202\343\301k\266\326\5\", ) 9\261\376\273\335\301\6,\3213\5\370,\221\364\243\4\360W\351\362\300\305\202J\304>\213\223\32\36OQ\270\7\346\0\370R2\331\11\310\370\15\22\326\262K\30\324\22N\224\21(N\213\366\323\275\371\306c\17\244e\17_\223\221D\232\24\15\260\361&^x\12\265V\376\202\241\207{\316-\32\224\34\247\7\1$\266\233|}\214\356\0-+4]3\274@\354HT,\361\202\343\301k\266\326\5\", ) == 0x0
 00723   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00724   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ":\356\36!u\233%\264\303\243pB\30\364\15DM\241et\31\356btM\307G\14\221\305\313\4M\230%\220\365\353\221<\332\204Z\310f\350\357^8<\216\233\33\370%\364\32ic(%\351\12\240\361\376R\5*\277\316\3X\13LD\\343\36\316^i\315HX\243c\30Y\236"\313\373\212\336\7\211r\214As \226\204\35Z\2\231\331k\17:y\345P\7\200K(Mu\327\2\306RDJ\201\32\3401\3\257h\+\32,\15|1\340H\232M\241\232\254\3117\367J^\357\240\357\10\375\320*"\217W\274\2527\5%\351\314\6O\346\357'\2339\177B\24\35\224\16K_Lc\13\35\260%8\352\267\317\215\335\343\24\24\35D\325\14!\244\24S\34\250\275\11`5\232Sl\345>\35\233\360\336SE\317~3U7;\204\315\377\315E\361\377Ra\345hp/\14\250\365E\201\317\327\267\225\324S\303\326\2572tv\231\227_\34\@\3064L\232t1%H\341'\206\220B\314\5w\267\32Kp\302\367A\30Z\307\1\2469\200\277\1\333\207\7\2711\243\377 \240\240\254Y\367>\217\244\246\342\0\10@\4i\353\360t\3\14\304`TMovTY\200\204*\341y\250\27\13\230\26\344.\366\317&^\270\20PH\327P\1\354n\27\27\242\323\306\354\365\252;\347f\363f\20I2\7Ei4VT\271^9S\221\261i\351\343L\202\346R\364T\2\206\374\315\30y\21\220\334\202\243\210pX\262\355\2\222\347\272\367sYz\4Y\347\336HM\203L.\32\351\2768\0h\0\244S\270Z\242][\12\2\24\325\26\257\21\243b\2\373\6^h2EapB\271\342\3\366\214\317\360`W\2\4J0\4\3\213\255\2\266U\240\6\10E\243\314\226m\243F J\35\203M", ) \313\373\212\336\7\211r\214As \226\204\35Z\2\231\331k\17:y\345P\7\200K(Mu\327\2\306RDJ\201\32\3401\3\257h\+\32,\15|1\340H\232M\241\232\254\3117\367J^\357\240\357\10\375\320* (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ":\356\36!u\233%\264\303\243pB\30\364\15DM\241et\31\356btM\307G\14\221\305\313\4M\230%\220\365\353\221<\332\204Z\310f\350\357^8<\216\233\33\370%\364\32ic(%\351\12\240\361\376R\5*\277\316\3X\13LD\\343\36\316^i\315HX\243c\30Y\236"\313\373\212\336\7\211r\214As \226\204\35Z\2\231\331k\17:y\345P\7\200K(Mu\327\2\306RDJ\201\32\3401\3\257h\+\32,\15|1\340H\232M\241\232\254\3117\367J^\357\240\357\10\375\320*"\217W\274\2527\5%\351\314\6O\346\357'\2339\177B\24\35\224\16K_Lc\13\35\260%8\352\267\317\215\335\343\24\24\35D\325\14!\244\24S\34\250\275\11`5\232Sl\345>\35\233\360\336SE\317~3U7;\204\315\377\315E\361\377Ra\345hp/\14\250\365E\201\317\327\267\225\324S\303\326\2572tv\231\227_\34\@\3064L\232t1%H\341'\206\220B\314\5w\267\32Kp\302\367A\30Z\307\1\2469\200\277\1\333\207\7\2711\243\377 \240\240\254Y\367>\217\244\246\342\0\10@\4i\353\360t\3\14\304`TMovTY\200\204*\341y\250\27\13\230\26\344.\366\317&^\270\20PH\327P\1\354n\27\27\242\323\306\354\365\252;\347f\363f\20I2\7Ei4VT\271^9S\221\261i\351\343L\202\346R\364T\2\206\374\315\30y\21\220\334\202\243\210pX\262\355\2\222\347\272\367sYz\4Y\347\336HM\203L.\32\351\2768\0h\0\244S\270Z\242][\12\2\24\325\26\257\21\243b\2\373\6^h2EapB\271\342\3\366\214\317\360`W\2\4J0\4\3\213\255\2\266U\240\6\10E\243\314\226m\243F J\35\203M", ) , ) == 0x0
 00725   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00726   940   NtReadFile  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (104, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\303\340\26\214[\274\26\205\322\361\35\27\231\233J8\10\201\343R4\7P\210\251\36\5|\223\314\230\11y\376\226\346B`\303h\257\257+\330I\221\266F\262\J\15=\253}\301U\240\336\17e\252@\21\235\266Zk\243\200`AD\241\322k\213\14\345\272F\216a6x\15+R\314\260\214{\36\26\201[\2\355\301\346\241`@\345y-v\327\256\336\262y\340\11\21\351\220\236\315\23\222K\263\265\205\235@!\256\200\14\220m\24\226q\350\10\13}\340\305@I\345\214\261\0\273\207|=\252\17\221n;\3\20\376\261U\360\344c\264\11\20\253ZB\236\243\30\357\356\254\300\217\247\342V\261\335\212Z\2038aD\20\323[ \364Q"\254\211c\21j\26\375.\24\14\177\3237\353\316\242\235\117\204\26s\230\216|\266`\375(Y\325\222a\20\202\324V\5\352\252/\370\353\251\315\352N\24\311:U\204\35B\11\252R\20Q\266\2M_\361*\2]dyd\\313\22\6\37\4\226\11O\253\204\2422\206\30#\0\275\4=\261l\236\5\2705\3458I\273\37\263\\357r\242\263\262\220\260J\2113\26b\270\0\234\17\305=;\235\302J\20\325\263\245\109\23>$\365\207\27I\218m\4W\220v\232t\333\27nTHf\300\332\3016\211v\214\337\214\200\320\22\2\245\256%\250Ab^\337\5i\230-V\325d\236\34\366W\21]\276\11\22\33\254@@&\362\264C\223\252\264\14\204\36\16\322\351\2U\3444\244jY\232\13@\16\333\271\265%\304\257\244\336j\324\315F\210\314\166U\300\231){]\274AU\370\306\3408\234G\315u7\273\2;\361:sM\244\367N\241\362\360h\22:^\237H\231\364\1q\302\273\11\276\227\225\226\224|\12\224P\375\336\222\230\22b\20\256\260\x\357Z\20\4", ) \254\211c\21j\26\375.\24\14\177\3237\353\316\242\235\117\204\26s\230\216|\266`\375(Y\325\222a\20\202\324V\5\352\252/\370\353\251\315\352N\24\311:U\204\35B\11\252R\20Q\266\2M_\361*\2]dyd\\313\22\6\37\4\226\11O\253\204\2422\206\30#\0\275\4=\261l\236\5\2705\3458I\273\37\263\\357r\242\263\262\220\260J\2113\26b\270\0\234\17\305=;\235\302J\20\325\263\245\109\23>$\365\207\27I\218m\4W\220v\232t\333\27nTHf\300\332\3016\211v\214\337\214\200\320\22\2\245\256%\250Ab^\337\5i\230-V\325d\236\34\366W\21]\276\11\22\33\254@@&\362\264C\223\252\264\14\204\36\16\322\351\2U\3444\244jY\232\13@\16\333\271\265%\304\257\244\336j\324\315F\210\314\166U\300\231){]\274AU\370\306\3408\234G\315u7\273\2;\361:sM\244\367N\241\362\360h\22:^\237H\231\364\1q\302\273\11\276\227\225\226\224|\12\224P\375\336\222\230\22b\20\256\260\x\357Z\20\4", ) == 0x0
 00727   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (108, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00728   940   NtReadFile  (104, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (104, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\31\353\6\0\11\353\6\0=\373\6\0-\373\6\0\275\311\6\0\255\311\6\0]\312\6\0U\312\6\0M\312\6\0E\312\6\0}\312\6\0u\312\6\0m\312\6\0e\312\6\0\35\312\6\0\25\312\6\0\371\312\6\0\355\312\6\0\201\312\6\0E\313\6\0\11\313\6\0\361\313\6\0\211\313\6\0I\314\6\0\311\314\6\0\261\314\6\0\335\316\6\0\251\317\6\0i\320\6\0M\321\6\0\371\321\6\0-\323\6\0%\325\6\0\35\327\6\0q\330\6\0\221\330\6\0\21\331\6\0\321\331\6\0%\332\6\0\305\332\6\0\231\332\6\0\251\332\6\0\301\343\3\0\271\343\3\0\216\211\1\0\262\211\1\0[\212\1\0C\212\1\0m\212\1\0\27\212\1\00\212\1\0\335\212\1\0\371\212\1\0\340\212\1\0\215\212\1\0\261\212\1\0\247\212\1\0K\213\1\0q\213\1\0\30\213\1\0\11\213\1\0$\213\1\0\317\213\1\0\356\213\1\0\210\213\1\0\241\213\1\0B\214\1\0\23\214\1\06\214\1\0\313\214\1\0\230\214\1\0\270\214\1\0]\215\1\0`\215\1\0>\215\1\0%\215\1\0\313\215\1\0\363\215\1\0\231\215\1\0\217\215\1\0\265\215\1\0X\216\1\0C\216\1\0v\216\1\0\35\216\1\0\7\216\1\0 \216\1\0\335\216\1\0\323\216\1\0\312\216\1\0\306\216\1\0E\240\20\0N\240\37\0M\240\36\0L\240\34\0]\240\5\0Q\240\1\0_\240\3\0r\240\35\0D\240\30\0}\240&\0q\240,\0p\240'\0z\240$\0F\240#\0\177\240!\0J\240\27\0K\240\12\0I\240\10\0V\240\13\0R\240\14\0P\240*\0Y\240\4\0X\240(\0t\240\6\0Y\240\6\0Y\240\6\0Y\240\6@}\330v$h\222Hm,\304v@\15\356KU\35\360\6@}\330v$h\225Hm", ) , ) == 0x0
 00729   940   NtWriteFile  (108, 0, 0, 0,  (108, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00730   940   NtClose  (108, ... ) == 0x0
 00731   940   NtClose  (104, ... ) == 0x0
 00732   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.tmp"}, 1242360, ... ) }, 1242360, ... ) == 0x0
 00733   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.tmp"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00734   940   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 108, ) == 0x0
 00735   940   NtClose  (104, ... ) == 0x0
 00736   940   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 176128, ) == 0x0
 00737   940   NtClose  (108, ... ) == 0x0
 00738   940   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00739   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0
 00740   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.tmp"}, 1242668, ... ) }, 1242668, ... ) == 0x0
 00741   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.tmp"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00742   940   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00743   940   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00744   940   NtClose  (108, ... ) == 0x0
 00745   940   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0xaf0000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00746   940   NtMapViewOfSection  (104, -1, (0xaf0000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00747   940   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00748   940   NtClose  (104, ... ) == 0x0
 00749   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 8, ) == 0x0
 00750   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 8, ... (0xb62000), 4096, 4, ) == 0x0
 00751   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00752   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00753   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00754   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00755   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 104, ) }, ... 104, ) == 0x0
 00756   940   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00757   940   NtClose  (104, ... ) == 0x0
 00758   940   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00759   940   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00760   940   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00761   940   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00762   940   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00763   940   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00764   940   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00765   940   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00766   940   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00767   940   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00768   940   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00769   940   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00770   940   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00771   940   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00772   940   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00773   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00774   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00775   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00776   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00777   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00778   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00779   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 104, ) }, ... 104, ) == 0x0
 00780   940   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 73728, ) == 0x0
 00781   940   NtClose  (104, ... ) == 0x0
 00782   940   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00783   940   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 00784   940   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 00785   940   NtProtectVirtualMemory  (-1, (0x71b21000), 440, 4, ... (0x71b21000), 4096, 32, ) == 0x0
 00786   940   NtProtectVirtualMemory  (-1, (0x71b21000), 4096, 32, ... (0x71b21000), 4096, 4, ) == 0x0
 00787   940   NtFlushInstructionCache  (-1, 1907494912, 440, ... ) == 0x0
 00788   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00789   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00790   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00791   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 104, ) }, ... 104, ) == 0x0
 00792   940   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00793   940   NtClose  (104, ... ) == 0x0
 00794   940   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00795   940   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00796   940   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00797   940   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00798   940   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00799   940   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00800   940   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00801   940   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00802   940   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00803   940   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00804   940   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00805   940   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00806   940   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00807   940   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00808   940   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00809   940   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00810   940   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00811   940   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00812   940   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00813   940   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00814   940   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00815   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00816   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00817   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00818   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 104, ) }, ... 104, ) == 0x0
 00819   940   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00820   940   NtClose  (104, ... ) == 0x0
 00821   940   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00822   940   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00823   940   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00824   940   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00825   940   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00826   940   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00827   940   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00828   940   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00829   940   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00830   940   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00831   940   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00832   940   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00833   940   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00834   940   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00835   940   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00836   940   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00837   940   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00838   940   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00839   940   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00840   940   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00841   940   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00842   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00843   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00844   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00845   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00846   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00847   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00848   940   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241872, ... ) }, 1241872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00850   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WSOCK32.DLL"}, 1241872, ... ) }, 1241872, ... ) == 0x0
 00851   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WSOCK32.DLL"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00852   940   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00853   940   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00854   940   NtClose  (104, ... ) == 0x0
 00855   940   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 36864, ) == 0x0
 00856   940   NtClose  (108, ... ) == 0x0
 00857   940   NtProtectVirtualMemory  (-1, (0x71ad1000), 52, 4, ... (0x71ad1000), 4096, 32, ) == 0x0
 00858   940   NtProtectVirtualMemory  (-1, (0x71ad1000), 4096, 32, ... (0x71ad1000), 4096, 4, ) == 0x0
 00859   940   NtFlushInstructionCache  (-1, 1907167232, 52, ... ) == 0x0
 00860   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00861   940   NtProtectVirtualMemory  (-1, (0xb62000), 4096, 4, ... (0xb62000), 4096, 4, ) == 0x0
 00862   940   NtFlushInstructionCache  (-1, 11935744, 4096, ... ) == 0x0
 00863   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00865   940   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3604480, 65536, ) == 0x0
 00866   940   NtAllocateVirtualMemory  (-1, 3604480, 0, 4096, 4096, 4, ... 3604480, 4096, ) == 0x0
 00867   940   NtAllocateVirtualMemory  (-1, 3608576, 0, 8192, 4096, 4, ... 3608576, 8192, ) == 0x0
 00868   940   NtAllocateVirtualMemory  (-1, 3616768, 0, 4096, 4096, 4, ... 3616768, 4096, ) == 0x0
 00869   940   NtAllocateVirtualMemory  (-1, 3620864, 0, 4096, 4096, 4, ... 3620864, 4096, ) == 0x0
 00870   940   NtQueryDefaultUILanguage  (1240988, ...
 00871   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00872   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482584, ) == 0x0
 00873   940   NtQueryInformationToken  (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00874   940   NtClose  (-2147482584, ... ) == 0x0
 00875   940   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00876   940   NtOpenKey  (0x80000000, {24, -2147482584, 0x240, 0, 0,  (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00877   940   NtOpenKey  (0x80000000, {24, -2147482584, 0x640, 0, 0,  (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0
 00878   940   NtQueryValueKey  (-2147481332,  (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00879   940   NtClose  (-2147481332, ... ) == 0x0
 00880   940   NtClose  (-2147482584, ... ) == 0x0
 00870   940   NtQueryDefaultUILanguage  ... ) == 0x0
 00881   940   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.DLL"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00882   940   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 108, ... 104, ) == 0x0
 00883   940   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xb70000), 0x0, 618496, ) == 0x0
 00884   940   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.DLL.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   940   NtQueryDefaultLocale  (1, 1239084, ... ) == 0x0
 00886   940   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.DLL.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00887   940   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240120, 1179817, 1239844}  (24, {128, 156, new_msg, 0, 2088850039, 1240120, 1179817, 1239844} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\340q\276\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0,\360\22\0\0\0\0\0" ... {128, 156, reply, 0, 1628, 940, 57953, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\340q\276\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0,\360\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1628, 940, 57953, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240120, 1179817, 1239844} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\340q\276\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0,\360\22\0\0\0\0\0" ... {128, 156, reply, 0, 1628, 940, 57953, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\340q\276\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0,\360\22\0\0\0\0\0" )  ) == 0x0
 00888   940   NtClose  (108, ... ) == 0x0
 00889   940   NtClose  (104, ... ) == 0x0
 00890   940   NtUnmapViewOfSection  (-1, 0xb70000, ... ) == 0x0
 00891   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00892   940   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1628, 0}, ... 104, ) == 0x0
 00893   940   NtQueryInformationProcess  (104, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00894   940   NtClose  (104, ... ) == 0x0
 00895   940   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00896   940   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 00897   940   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 00898   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00899   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00900   940   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00901   940   NtClose  (104, ... ) == 0x0
 00902   940   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 104, ) }, ... 104, ) == 0x0
 00903   940   NtOpenProcessToken  (-1, 0x8, ... 108, ) == 0x0
 00904   940   NtAccessCheck  (1335152, 108, 0x1, 1242180, 1242232, 56, 1242212, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00905   940   NtClose  (108, ... ) == 0x0
 00906   940   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 00907   940   NtQueryValueKey  (108,  (108, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00908   940   NtClose  (108, ... ) == 0x0
 00909   940   NtUserSystemParametersInfo  (41, 500, 1242360, 0, ... ) == 0x1
 00910   940   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 00911   940   NtClose  (104, ... ) == 0x0
 00912   940   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00913   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00914   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c03b
 00915   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c03d
 00916   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00917   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c03f
 00918   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00919   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c041
 00920   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00921   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c043
 00922   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c045
 00923   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00924   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c047
 00925   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00926   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c049
 00927   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00928   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c04b
 00929   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00930   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c04d
 00931   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00932   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c04f
 00933   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c051
 00934   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00935   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c053
 00936   940   NtUserFindExistingCursorIcon  (1242108, 1242124, 1242172, ... ) == 0x10011
 00937   940   NtUserRegisterClassExWOW  (1242052, 1242120, 1242136, 1242152, 0, 384, 0, ... ) == 0x81b1c055
 00938   940   NtUserFindExistingCursorIcon  (1242108, 1242124, 1242172, ... ) == 0x10011
 00939   940   NtUserRegisterClassExWOW  (1242052, 1242120, 1242136, 1242152, 0, 384, 0, ... ) == 0x81b1c057
 00940   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00941   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c059
 00942   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10013
 00943   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c05b
 00944   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00945   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c05d
 00946   940   NtUserFindExistingCursorIcon  (1242112, 1242128, 1242176, ... ) == 0x10011
 00947   940   NtUserRegisterClassExWOW  (1242056, 1242124, 1242140, 1242156, 0, 384, 0, ... ) == 0x81b1c05f
 00948   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPR.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949   940   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 104, ) == 0x0
 00950   940   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0
 00951   940   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 112, ) }, ... 112, ) == 0x0
 00952   940   NtNotifyChangeKey  (112, 108, 0, 0, 2011455960, 4, 0, 0, 0, 1, ... ) == 0x103
 00953   940   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00954   940   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 116, ) == 0x0
 00955   940   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 120, ) == 0x0
 00956   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLE32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00957   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 124, {status=0x0, info=0}, ) }, 7, 16, ... 124, {status=0x0, info=0}, ) == 0x0
 00958   940   NtDeviceIoControlFile  (124, 0, 0x0, 0x0, 0x390008,  (124, 0, 0x0, 0x0, 0x390008, "\205\10-\375=\270p\301[\13\16i\230\14z"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 00959   940   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00960   940   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00961   940   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00962   940   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00963   940   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00964   940   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00965   940   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00966   940   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0
 00967   940   NtSetValueKey  (-2147482584,  (-2147482584, "Seed", 0, 3, "1;\316aN\201\35\221\37\6Yf\311o\211\30\353Y\35\260\341+\214\340vj\221?\204z:\227#\326\325\226\322\371\7\356U;\13\254\30\34\35%\333\360\213\244\214\317\360U\325^a\31\251:\177\214oG\366\261\340\345U'\223\307\2250\323W\354\303", 80, ... ) , 0, 3,  (-2147482584, "Seed", 0, 3, "1;\316aN\201\35\221\37\6Yf\311o\211\30\353Y\35\260\341+\214\340vj\221?\204z:\227#\326\325\226\322\371\7\356U;\13\254\30\34\35%\333\360\213\244\214\317\360U\325^a\31\251:\177\214oG\366\261\340\345U'\223\307\2250\323W\354\303", 80, ... ) , 80, ... ) == 0x0
 00968   940   NtClose  (-2147482584, ... ) == 0x0
 00958   940   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\243uh`\227\230\267\221\311\212a \361\262\307\3\26\21U;$\323\250\345!\311\316<\335\327\245E\302\34\252\255 \364\341\245\10\177-\215\15>.\207\203\373\210\313k\363\241}\223\314:M\303\350\351F\327@k\304\312=Gk\322\273\16~)5\342", ) \342", ) == 0x0
 00969   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00970   940   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00971   940   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 128, ) }, ... 128, ) == 0x0
 00972   940   NtQueryValueKey  (128,  (128, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (128, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00973   940   NtClose  (128, ... ) == 0x0
 00974   940   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 128, ) }, ... 128, ) == 0x0
 00975   940   NtQueryValueKey  (128,  (128, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00976   940   NtClose  (128, ... ) == 0x0
 00977   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00978   940   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00979   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00980   940   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00981   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 128, ) }, ... 128, ) == 0x0
 00982   940   NtQueryValueKey  (128,  (128, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983   940   NtQueryValueKey  (128,  (128, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00984   940   NtQueryValueKey  (128,  (128, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00985   940   NtClose  (128, ... ) == 0x0
 00986   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 128, ) }, ... 128, ) == 0x0
 00987   940   NtQueryValueKey  (128,  (128, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   940   NtQueryValueKey  (128,  (128, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00989   940   NtClose  (128, ... ) == 0x0
 00990   940   NtOpenEvent  (0x1f0003, {24, 44, 0x0, 0, 0,  (0x1f0003, {24, 44, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992   940   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00993   940   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   940   NtOpenKey  (0x9, {24, 16, 0x40, 0, 0,  (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00995   940   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00996   940   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00997   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00998   940   NtQueryPerformanceCounter  (... {935897327, 10}, {3579545, 0}, ) == 0x0
 00999   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ybs2.tmp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01000   940   NtUserCallOneParam  (0, 41, ... ) == 0x4
 01001   940   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 01002   940   NtQueryVirtualMemory  (-1, 0x12f630, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 01003   940   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 11993088, 1048576, ) == 0x0
 01004   940   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01005   940   NtAllocateVirtualMemory  (-1, 11993088, 0, 16384, 4096, 4, ... 11993088, 16384, ) == 0x0
 01006   940   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 01007   940   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 01008   940   NtOpenKey  (0xf003f, {24, 100, 0x40, 0, 0,  (0xf003f, {24, 100, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01009   940   NtOpenKey  (0xf003f, {24, 100, 0x40, 0, 0,  (0xf003f, {24, 100, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   940   NtOpenProcessToken  (-1, 0x8, ... 128, ) == 0x0
 01011   940   NtQueryInformationToken  (128, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01012   940   NtClose  (128, ... ) == 0x0
 01013   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.ENU"}, 1241100, ... ) }, 1241100, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01014   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.ENU"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.ENU.DLL"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01016   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.EN"}, 1241100, ... ) }, 1241100, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01017   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.EN"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01018   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\ybs2.EN.DLL"}, 1240696, ... ) }, 1240696, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01019   940   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 128, ) == 0x0
 01020   940   NtUserGetDC  (0, ... ) == 0x1010051
 01021   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01022   940   NtUserGetDC  (0, ... ) == 0x1010051
 01023   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01024   940   NtGdiCreatePaletteInternal  (1241804, 16, ... ) == 0x330804e1
 01025   940   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 01026   940   NtGdiGetStockObject  (5, ... ) == 0x1900015
 01027   940   NtUserFindExistingCursorIcon  (1242168, 1242184, 1242232, ... ) == 0x10003
 01028   940   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\06\05\0C\0", 28, 1242732, ... ) , 28, 1242732, ... ) == 0x0
 01029   940   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\0A\0F\00\00\00\00\00\00\00\00\00\03\0A\0C\0", 52, 1242732, ... ) , 52, 1242732, ... ) == 0x0
 01030   940   NtUserSystemParametersInfo  (104, 0, 12000836, 0, ... ) == 0x1
 01031   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10011
 01032   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10023
 01033   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 01034   940   NtUserGetDC  (0, ... ) == 0x1010051
 01035   940   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x2a050697
 01036   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01037   940   NtGdiSelectBitmap  (-301922896, 704972439, ... ) == 0x185000f
 01038   940   NtGdiGetDCforBitmap  (704972439, ... ) == 0xee0105b0
 01039   940   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01040   940   NtGdiSelectBitmap  (-301922896, 704972439, ... ) == 0x2a050697
 01041   940   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01042   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01043   940   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 32, 64, 0, 0, 0, 64, 11875852, 1343256, 0, 256, 48, 1, 0, ... ) == 0x40
 01044   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01045   940   NtGdiSelectBitmap  (-301922896, 704972439, ... ) == 0x2a050697
 01046   940   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01047   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x2a050697
 01048   940   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x73010798
 01049   940   NtGdiExtGetObjectW  (704972439, 24, 1241212, ... ) == 0x18
 01050   940   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x6f0506ed
 01051   940   NtGdiSelectBitmap  (-301922896, 704972439, ... ) == 0x185000f
 01052   940   NtGdiSelectBitmap  (1929447320, 1862600429, ... ) == 0x185000f
 01053   940   NtGdiBitBlt  (1929447320, 0, 0, 32, 64, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01054   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x2a050697
 01055   940   NtGdiSelectBitmap  (1929447320, 25493519, ... ) == 0x6f0506ed
 01056   940   NtGdiDeleteObjectApp  (704972439, ... ) == 0x1
 01057   940   NtGdiDeleteObjectApp  (1929447320, ... ) == 0x1
 01058   940   NtUserCallOneParam  (0, 33, ... ) == 0x601df
 01059   940   NtUserSetCursorIconData  (393695, 1241316, 1241332, 1241396, ... ) == 0x1
 01060   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10029
 01061   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10027
 01062   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10025
 01063   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 01064   940   NtUserGetDC  (0, ... ) == 0x1010051
 01065   940   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x53050634
 01066   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01067   940   NtGdiSelectBitmap  (-301922896, 1392838196, ... ) == 0x185000f
 01068   940   NtGdiGetDCforBitmap  (1392838196, ... ) == 0xee0105b0
 01069   940   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01070   940   NtGdiSelectBitmap  (-301922896, 1392838196, ... ) == 0x53050634
 01071   940   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01072   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01073   940   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 32, 64, 0, 0, 0, 64, 11876160, 1343256, 0, 256, 48, 1, 0, ... ) == 0x40
 01074   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01075   940   NtGdiSelectBitmap  (-301922896, 1392838196, ... ) == 0x53050634
 01076   940   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01077   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x53050634
 01078   940   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x2c010697
 01079   940   NtGdiExtGetObjectW  (1392838196, 24, 1241212, ... ) == 0x18
 01080   940   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x3e05056c
 01081   940   NtGdiSelectBitmap  (-301922896, 1392838196, ... ) == 0x185000f
 01082   940   NtGdiSelectBitmap  (738264727, 1040516460, ... ) == 0x185000f
 01083   940   NtGdiBitBlt  (738264727, 0, 0, 32, 64, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01084   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x53050634
 01085   940   NtGdiSelectBitmap  (738264727, 25493519, ... ) == 0x3e05056c
 01086   940   NtGdiDeleteObjectApp  (1392838196, ... ) == 0x1
 01087   940   NtGdiDeleteObjectApp  (738264727, ... ) == 0x1
 01088   940   NtUserCallOneParam  (0, 33, ... ) == 0x18022f
 01089   940   NtUserSetCursorIconData  (1573423, 1241316, 1241332, 1241396, ... ) == 0x1
 01090   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 01091   940   NtUserGetDC  (0, ... ) == 0x1010051
 01092   940   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x75050798
 01093   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01094   940   NtGdiSelectBitmap  (-301922896, 1963263896, ... ) == 0x185000f
 01095   940   NtGdiGetDCforBitmap  (1963263896, ... ) == 0xee0105b0
 01096   940   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01097   940   NtGdiSelectBitmap  (-301922896, 1963263896, ... ) == 0x75050798
 01098   940   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01099   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01100   940   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 32, 64, 0, 0, 0, 64, 11876468, 1343256, 0, 256, 48, 1, 0, ... ) == 0x40
 01101   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01102   940   NtGdiSelectBitmap  (-301922896, 1963263896, ... ) == 0x75050798
 01103   940   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01104   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x75050798
 01105   940   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x55010634
 01106   940   NtGdiExtGetObjectW  (1963263896, 24, 1241212, ... ) == 0x18
 01107   940   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x9f05066e
 01108   940   NtGdiSelectBitmap  (-301922896, 1963263896, ... ) == 0x185000f
 01109   940   NtGdiSelectBitmap  (1426130484, -1627060626, ... ) == 0x185000f
 01110   940   NtGdiBitBlt  (1426130484, 0, 0, 32, 64, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01111   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x75050798
 01112   940   NtGdiSelectBitmap  (1426130484, 25493519, ... ) == 0x9f05066e
 01113   940   NtGdiDeleteObjectApp  (1963263896, ... ) == 0x1
 01114   940   NtGdiDeleteObjectApp  (1426130484, ... ) == 0x1
 01115   940   NtUserCallOneParam  (0, 33, ... ) == 0x501e3
 01116   940   NtUserSetCursorIconData  (328163, 1241316, 1241332, 1241396, ... ) == 0x1
 01117   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 01118   940   NtUserGetDC  (0, ... ) == 0x1010051
 01119   940   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x2e050697
 01120   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01121   940   NtGdiSelectBitmap  (-301922896, 772081303, ... ) == 0x185000f
 01122   940   NtGdiGetDCforBitmap  (772081303, ... ) == 0xee0105b0
 01123   940   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01124   940   NtGdiSelectBitmap  (-301922896, 772081303, ... ) == 0x2e050697
 01125   940   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01126   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01127   940   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 32, 64, 0, 0, 0, 64, 11876776, 1343256, 0, 256, 48, 1, 0, ... ) == 0x40
 01128   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01129   940   NtGdiSelectBitmap  (-301922896, 772081303, ... ) == 0x2e050697
 01130   940   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01131   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x2e050697
 01132   940   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x77010798
 01133   940   NtGdiExtGetObjectW  (772081303, 24, 1241212, ... ) == 0x18
 01134   940   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xc90504aa
 01135   940   NtGdiSelectBitmap  (-301922896, 772081303, ... ) == 0x185000f
 01136   940   NtGdiSelectBitmap  (1996556184, -922418006, ... ) == 0x185000f
 01137   940   NtGdiBitBlt  (1996556184, 0, 0, 32, 64, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01138   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x2e050697
 01139   940   NtGdiSelectBitmap  (1996556184, 25493519, ... ) == 0xc90504aa
 01140   940   NtGdiDeleteObjectApp  (772081303, ... ) == 0x1
 01141   940   NtGdiDeleteObjectApp  (1996556184, ... ) == 0x1
 01142   940   NtUserCallOneParam  (0, 33, ... ) == 0xc029d
 01143   940   NtUserSetCursorIconData  (787101, 1241316, 1241332, 1241396, ... ) == 0x1
 01144   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 01145   940   NtUserGetDC  (0, ... ) == 0x1010051
 01146   940   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x57050634
 01147   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01148   940   NtGdiSelectBitmap  (-301922896, 1459947060, ... ) == 0x185000f
 01149   940   NtGdiGetDCforBitmap  (1459947060, ... ) == 0xee0105b0
 01150   940   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01151   940   NtGdiSelectBitmap  (-301922896, 1459947060, ... ) == 0x57050634
 01152   940   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01153   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01154   940   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 32, 64, 0, 0, 0, 64, 11877084, 1343256, 0, 256, 48, 1, 0, ... ) == 0x40
 01155   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01156   940   NtGdiSelectBitmap  (-301922896, 1459947060, ... ) == 0x57050634
 01157   940   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01158   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x57050634
 01159   940   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x30010697
 01160   940   NtGdiExtGetObjectW  (1459947060, 24, 1241212, ... ) == 0x18
 01161   940   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x9d050551
 01162   940   NtGdiSelectBitmap  (-301922896, 1459947060, ... ) == 0x185000f
 01163   940   NtGdiSelectBitmap  (805373591, -1660615343, ... ) == 0x185000f
 01164   940   NtGdiBitBlt  (805373591, 0, 0, 32, 64, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01165   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x57050634
 01166   940   NtGdiSelectBitmap  (805373591, 25493519, ... ) == 0x9d050551
 01167   940   NtGdiDeleteObjectApp  (1459947060, ... ) == 0x1
 01168   940   NtGdiDeleteObjectApp  (805373591, ... ) == 0x1
 01169   940   NtUserCallOneParam  (0, 33, ... ) == 0x9024b
 01170   940   NtUserSetCursorIconData  (590411, 1241316, 1241332, 1241396, ... ) == 0x1
 01171   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 01172   940   NtUserGetDC  (0, ... ) == 0x1010051
 01173   940   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x79050798
 01174   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01175   940   NtGdiSelectBitmap  (-301922896, 2030372760, ... ) == 0x185000f
 01176   940   NtGdiGetDCforBitmap  (2030372760, ... ) == 0xee0105b0
 01177   940   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01178   940   NtGdiSelectBitmap  (-301922896, 2030372760, ... ) == 0x79050798
 01179   940   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01180   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01181   940   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 32, 64, 0, 0, 0, 64, 11877700, 1343256, 0, 256, 48, 1, 0, ... ) == 0x40
 01182   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01183   940   NtGdiSelectBitmap  (-301922896, 2030372760, ... ) == 0x79050798
 01184   940   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01185   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x79050798
 01186   940   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x59010634
 01187   940   NtGdiExtGetObjectW  (2030372760, 24, 1241212, ... ) == 0x18
 01188   940   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xab0506b2
 01189   940   NtGdiSelectBitmap  (-301922896, 2030372760, ... ) == 0x185000f
 01190   940   NtGdiSelectBitmap  (1493239348, -1425733966, ... ) == 0x185000f
 01191   940   NtGdiBitBlt  (1493239348, 0, 0, 32, 64, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01192   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x79050798
 01193   940   NtGdiSelectBitmap  (1493239348, 25493519, ... ) == 0xab0506b2
 01194   940   NtGdiDeleteObjectApp  (2030372760, ... ) == 0x1
 01195   940   NtGdiDeleteObjectApp  (1493239348, ... ) == 0x1
 01196   940   NtUserCallOneParam  (0, 33, ... ) == 0x1201a7
 01197   940   NtUserSetCursorIconData  (1180071, 1241316, 1241332, 1241396, ... ) == 0x1
 01198   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x0
 01199   940   NtUserGetDC  (0, ... ) == 0x1010051
 01200   940   NtGdiCreateDIBitmapInternal  (16842833, 32, 64, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0x32050697
 01201   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01202   940   NtGdiSelectBitmap  (-301922896, 839190167, ... ) == 0x185000f
 01203   940   NtGdiGetDCforBitmap  (839190167, ... ) == 0xee0105b0
 01204   940   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01205   940   NtGdiSelectBitmap  (-301922896, 839190167, ... ) == 0x32050697
 01206   940   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01207   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01208   940   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 32, 64, 0, 0, 0, 64, 11877392, 1343256, 0, 256, 48, 1, 0, ... ) == 0x40
 01209   940   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01210   940   NtGdiSelectBitmap  (-301922896, 839190167, ... ) == 0x32050697
 01211   940   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01212   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x32050697
 01213   940   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x7b010798
 01214   940   NtGdiExtGetObjectW  (839190167, 24, 1241212, ... ) == 0x18
 01215   940   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xe0505d6
 01216   940   NtGdiSelectBitmap  (-301922896, 839190167, ... ) == 0x185000f
 01217   940   NtGdiSelectBitmap  (2063665048, 235210198, ... ) == 0x185000f
 01218   940   NtGdiBitBlt  (2063665048, 0, 0, 32, 64, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01219   940   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x32050697
 01220   940   NtGdiSelectBitmap  (2063665048, 25493519, ... ) == 0xe0505d6
 01221   940   NtGdiDeleteObjectApp  (839190167, ... ) == 0x1
 01222   940   NtGdiDeleteObjectApp  (2063665048, ... ) == 0x1
 01223   940   NtUserCallOneParam  (0, 33, ... ) == 0x402a3
 01224   940   NtUserSetCursorIconData  (262819, 1241316, 1241332, 1241396, ... ) == 0x1
 01225   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10015
 01226   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10019
 01227   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001f
 01228   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001b
 01229   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10021
 01230   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x1001d
 01231   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10013
 01232   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10017
 01233   940   NtUserFindExistingCursorIcon  (1242052, 1242068, 1242116, ... ) == 0x10011
 01234   940   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 01235   940   NtUserGetDC  (0, ... ) == 0x1010051
 01236   940   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01237   940   NtUserEnumDisplayMonitors  (0, 0, 11600484, 12001416, ... ) == 0x1
 01238   940   NtUserSystemParametersInfo  (31, 60, 1241032, 0, ... ) == 0x1
 01239   940   NtGdiHfontCreate  (1241912, 356, 0, 0, 1335224, ... ) == 0x7c0a0798
 01240   940   NtGdiExtGetObjectW  (2081032088, 420, 1241736, ... ) == 0x164
 01241   940   NtUserSystemParametersInfo  (41, 0, 1241232, 0, ... ) == 0x1
 01242   940   NtGdiHfontCreate  (1241912, 356, 0, 0, 1335216, ... ) == 0x5b0a0634
 01243   940   NtGdiExtGetObjectW  (1527383604, 420, 1241736, ... ) == 0x164
 01244   940   NtGdiHfontCreate  (1241912, 356, 0, 0, 1335208, ... ) == 0x330a0697
 01245   940   NtGdiExtGetObjectW  (856295063, 420, 1241736, ... ) == 0x164
 01246   940   NtUserFindExistingCursorIcon  (1241812, 1241828, 1241876, ... ) == 0x0
 01247   940   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 3801088, 4096, ) == 0x0
 01248   940   NtUserGetKeyboardLayoutList  (64, 1242400, ... ) == 0x1
 01249   940   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc13a
 01250   940   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc13b
 01251   940   NtOpenMutant  (0x1f0001, {24, 44, 0x0, 0, 0,  (0x1f0001, {24, 44, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   940   NtUserSetWindowsHookEx  (11468800, 1243784, 0, 4, 11476668, 2, ... ) == 0x90299
 01253   940   NtQueryVirtualMemory  (-1, 0x31428210, Basic, 28, ... {BaseAddress=0x31428000,AllocationBase=0x31420000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01254   940   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01255   940   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "uterm19"}, 1, ... 132, ) }, 1, ... 132, ) == 0x0
 01256   940   NtOpenProcessToken  (-1, 0x20, ... 136, ) == 0x0
 01257   940   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01258   940   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01259   940   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 140, ) }, ... 140, ) == 0x0
 01260   940   NtQueryValueKey  (140,  (140, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01261   940   NtClose  (140, ... ) == 0x0
 01262   940   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01263   940   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 01264   940   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 01265   940   NtQuerySystemTime  (... {-1938531874, 29915143}, ) == 0x0
 01266   940   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 148, ) == 0x0
 01267   940   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01268   940   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01269   940   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01270   940   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01271   940   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 152, ) == 0x0
 01272   940   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 156, ) == 0x0
 01273   940   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 01274   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 160, ) }, ... 160, ) == 0x0
 01275   940   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "ActiveComputerName"}, ... 164, ) }, ... 164, ) == 0x0
 01276   940   NtQueryValueKey  (164,  (164, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (164, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (164, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01277   940   NtClose  (164, ... ) == 0x0
 01278   940   NtClose  (160, ... ) == 0x0
 01279   940   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 160, ) == 0x0
 01280   940   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 164, ) == 0x0
 01281   940   NtDuplicateObject  (-1, 160, -1, 0x0, 0, 2, ... 168, ) == 0x0
 01282   940   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01283   940   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0
 01284   940   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01285   940   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01286   940   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243228,  (0xc0100080, {24, 0, 0x40, 0, 1243228, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01287   940   NtSetInformationFile  (176, 1243284, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01288   940   NtSetInformationFile  (176, 1243272, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01289   940   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01290   940   NtWriteFile  (176, 153, 0, 0,  (176, 153, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01291   940   NtReadFile  (176, 153, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (176, 153, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01292   940   NtFsControlFile  (176, 153, 0x0, 0x0, 0x11c017,  (176, 153, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (176, 153, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01293   940   NtFsControlFile  (176, 153, 0x0, 0x0, 0x11c017,  (176, 153, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse \0"\0\200\264\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) \0\200\264\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (176, 153, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse \0"\0\200\264\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) == 0x103
 01294   940   NtFsControlFile  (176, 153, 0x0, 0x0, 0x11c017,  (176, 153, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (176, 153, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01295   940   NtClose  (172, ... ) == 0x0
 01296   940   NtClose  (176, ... ) == 0x0
 01297   940   NtAdjustPrivilegesToken  (136, 0, 1245080, 16, 0, 0, ... ) == 0x0
 01298   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01299   940   NtQueryValueKey  (176,  (176, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   940   NtClose  (176, ... ) == 0x0
 01301   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01302   940   NtQueryValueKey  (176,  (176, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   940   NtClose  (176, ... ) == 0x0
 01304   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01305   940   NtQueryValueKey  (176,  (176, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01306   940   NtClose  (176, ... ) == 0x0
 01307   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01308   940   NtQueryValueKey  (176,  (176, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01309   940   NtClose  (176, ... ) == 0x0
 01310   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01311   940   NtQueryValueKey  (176,  (176, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   940   NtClose  (176, ... ) == 0x0
 01313   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01314   940   NtQueryValueKey  (176,  (176, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01315   940   NtClose  (176, ... ) == 0x0
 01316   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01317   940   NtQueryValueKey  (176,  (176, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01318   940   NtClose  (176, ... ) == 0x0
 01319   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01320   940   NtQueryValueKey  (176,  (176, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321   940   NtClose  (176, ... ) == 0x0
 01322   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01323   940   NtQueryValueKey  (176,  (176, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01324   940   NtClose  (176, ... ) == 0x0
 01325   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01326   940   NtQueryValueKey  (176,  (176, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01327   940   NtClose  (176, ... ) == 0x0
 01328   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01329   940   NtQueryValueKey  (176,  (176, "Windows Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01330   940   NtClose  (176, ... ) == 0x0
 01331   940   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 01332   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01333   940   NtCreateKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01334   940   NtSetInformationFile  (-2147482448, -139611120, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01335   940   NtSetInformationFile  (-2147482448, -139611588, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01336   940   NtSetInformationFile  (-2147482448, -139611404, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01337   940   NtSetInformationFile  (-2147482448, -139611216, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01333   940   NtCreateKey  ... 176, 1, ) == 0x0
 01338   940   NtSetValueKey  (176,  (176, "ID", 0, 1, "q\0t\0m\0j\0a\0a\0l\0i\0k\0u\0u\0\0\0", 24, ... ) , 0, 1,  (176, "ID", 0, 1, "q\0t\0m\0j\0a\0a\0l\0i\0k\0u\0u\0\0\0", 24, ... ) , 24, ... ) == 0x0
 01339   940   NtClose  (176, ... ) == 0x0
 01340   940   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 176, ) }, ... 176, ) == 0x0
 01341   940   NtQueryValueKey  (176,  (176, "Cryptographic Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01342   940   NtClose  (176, ... ) == 0x0
 01343   940   NtCreateKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 176, 2, ) }, 0, 0x0, 0, ... 176, 2, ) == 0x0
 01344   940   NtSetValueKey  (176,  (176, "Client", 0, 1, "1\0\0\0", 4, ... , 0, 1,  (176, "Client", 0, 1, "1\0\0\0", 4, ... , 4, ...
 01345   940   NtSetInformationFile  (-2147482448, -139610768, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01344   940   NtSetValueKey  ... ) == 0x0
 01346   940   NtClose  (176, ... ) == 0x0
 01347   940   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243484,  (0x80100080, {24, 0, 0x40, 0, 1243484, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01348   940   NtQueryInformationFile  (176, 1243920, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01349   940   NtQueryInformationFile  (176, 1243836, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01350   940   NtQueryInformationFile  (176, 1243652, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01351   940   NtAllocateVirtualMemory  (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0
 01352   940   NtQueryInformationFile  (176, 1364160, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01353   940   NtQueryInformationFile  (176, 1242100, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01354   940   NtQueryInformationFile  (176, 1242376, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01355   940   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242252,  (0x40110080, {24, 0, 0x40, 0, 1242252, "\??\C:\WINDOWS\system32\xypyuagn.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01356   940   NtClose  (-2147482584, ... ) == 0x0
 01355   940   NtCreateFile  ... 172, {status=0x0, info=2}, ) == 0x0
 01357   940   NtQueryVolumeInformationFile  (172, 1242404, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01358   940   NtQueryInformationFile  (172, 1241988, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01359   940   NtQueryVolumeInformationFile  (176, 1242404, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01360   940   NtQueryVolumeInformationFile  (176, 1241748, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01361   940   NtSetInformationFile  (172, 1242304, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01362   940   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 176, ... 180, ) == 0x0
 01363   940   NtMapViewOfSection  (180, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3b0000), {0, 0}, 188416, ) == 0x0
 01364   940   NtClose  (180, ... ) == 0x0
 01365   940   NtWriteFile  (172, 0, 0, 0,  (172, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\310Y\330@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0B1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01366   940   NtWriteFile  (172, 0, 0, 0,  (172, 0, 0, 0, "\364\306\265\3566\256^;\14|r\37T\261$.\365\335r\277{\300n\12\335\267\204\370E\320\366X\217\375a\242\241\276\232m\253aj21\23fBT\2\10*&\335e\326N\13\214\24\206X\372\242\266\345F\344\245\363\301\320\224\312\241`Y\377\35\341\335(\361\257a\247%r\330[\236\250$W\215\360\2314\302'\323\275h\350?W\300\4jr\273U\214 \315\1P\250\24zmN\1Q\242\26\20I\12\336\212v\262\216\260Z\340\333\16[\274}-\370*\331S\233\204\272{\22\10\344X\340\375N_9\375V\227-\233v\366\37\371@\266\201\260\206\216Q\261\2\22\310\305b\31[\241\16\2\2702z\227I\244\206Hy\240\17y<\260\341\302\213\10^\242\227\273"\5\212\220\3cI\347\\357\3670:0\321L\304\331X\275\5`^K\4\0\201\0\10\27\253W$\34\312g\304\263\351H\255\240x\220\5a\366\261\6\332X*\350X!\10|\311\232\335\304\340\253\221D\5e\0\24\235\14;\217by\26\362.\2263\35\362\320\374\362\262=\260&dH\325N\303\335\355\16&\10\217\254\377H\341$\213sU1\2421\256\335\210\36\270`\271\11\240\334\272I\14I\12\223a\322LXT\300\261V\264\306[\'A\34X\203An\366\225\24\6\31\244:\14q@psH;\31,X\243B\1\4\365\14\13D\246\214\204\35\245\353@F\224\240\23EC\11\362X:\206*\322^\214WE\14\312\340=\271u\20\307\251\306\14Y\246\16z\222\320`\351t\3&\32\212\214\302\257q\302\237_A\240\343` \342\335\306y\201P3\276\202\334\323\351D\274\347\31b}K]\244UVR7\270}:\3145\212\220\3cI\347\\357\3670:0\321L\304\331X\275\5`^K\4\0\201\0\10\27\253W$\34\312g\304\263\351H\255\240x\220\5a\366\261\6\332X*\350X!\10|\311\232\335\304\340\253\221D\5e\0\24\235\14;\217by\26\362.\2263\35\362\320\374\362\262=\260&dH\325N\303\335\355\16&\10\217\254\377H\341$\213sU1\2421\256\335\210\36\270`\271\11\240\334\272I\14I\12\223a\322LXT\300\261V\264\306[\'A\34X\203An\366\225\24\6\31\244:\14q@psH;\31,X\243B\1\4\365\14\13D\246\214\204\35\245\353@F\224\240\23EC\11\362X:\206*\322^\214WE\14\312\340=\271u\20\307\251\306\14Y\246\16z\222\320`\351t\3&\32\212\214\302\257q\302\237_A\240\343` \342\335\306y\201P3\276\202\334\323\351D\274\347\31b}K]\244UVR7\270}:\314207\364\214C\22bt\12u\242\362\355\366\242\210<\262\343\20KZ\324\24\321\266^P\231", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01367   940   NtWriteFile  (172, 0, 0, 0,  (172, 0, 0, 0, "O\244\271s\22F"[\242\314_\11V\303\321\346y\256\244\264@\341W$t\201&j\4\20\27\12\326\243\246\370\364\311\231s\11\301ek~\225CSHqb\10Z\217\366\377\340\230\26'\31\326242\314_\11V\303\321\346y\256\244\264@\341W$t\201&j\4\20\27\12\326\243\246\370\364\311\231s\11\301ek~\225CSHqb\10Z\217\366\377\340\230\26'\31\326263\215F\27\341.j\254\3H\235\265\274zD\?l\331\341\2\206\371\234\206\214\342d+{\5\10\23\332^h\251\24~K)V\301\337{\354\270V\347\342\20o\321\220*\230T\16\373\265\201\260\22T \302\211R\215q[\276\202\232:*\342\316\27\276\234\213\342\246#\333\264\20\14z\271\0S\242\353z-s\347V\26q\33]\361\37 -\244\2wP\302\25\264K\3643\354[\23]\24\355\375k\24\304\213\341\264r\206\23@6+]^\6C;\310\374{\27JZ\14\356\37\334\14\14\267\334VM=Z\206N\232'EtP\215\254\27\361\312\267\3035\353 \322b\226w\373\246\355\12\177F#\377\375%\272\15\311&\274 \252\331\273F\240vB\335;\30\373\254\367\200\257\365\252\262\274\220w\265O\275B\36\324\37\252\273X\1\25\323@$f\362\255.Q%{\1#\241\211\15\3446\26\22\321\314\354-a]\326\267\355\265\223\214%q+nII\342\262+\346\335}\333T\250r\4+\242*\260\34*[\345\346\365\342J\363{\253\253\261\252\335u\347\252A}_\6\361n\2\335\375\332\262\246\14\344\351*\302\252\313\223\332\30\256\225\271\333\247\273\32`\331b6\210J\343O\13\215M\267\351\22*\5\252bcib\257|s\370\1\322\231\203\243\262t\5\343!\266P\212\35\347\325\KP\333\226^1\352\336]\307H\352\243\360\363\323|E\215\20\324a\335\264W\13K,T\313Z\363\270\355\352\235\272\370\343\204\336\360\273P\230LtU\341s\371s\352s\367\232\346\214\35", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01368   940   NtWriteFile  (172, 0, 0, 0,  (172, 0, 0, 0, "Y\240\6\0\340\351A+Y\240\6\0Y\240\7\0Y\240\6\0\31\244\6\0m\374\0\02\241\6\0Y\240\6\0Y\240\6\0Y\240\6\0\340\351A+Y\240\6\0Y\240\1\0\240\337\6\0\301\244\6\200\243\337\6\0\231\244\6\200\242\337\6\0\261\244\6\200\245\337\6\0I\245\6\200\244\337\6\0a\245\6\200\247\337\6\09\245\6\200\246\337\6\0\321\245\6\200Y\240\6\0\340\351A+Y\240\6\0Y\240\7\0Y\240\6\0\351\244\6\0\371\375\0\0M\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0\340\351A+Y\240\6\0Y\240\7\0Y\240\6\0\201\244\6\0\355\375\0\0M\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0\340\351A+Y\240\6\0Y\240\7\0Y\240\6\0Y\245\6\0\221\375\0\0M\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0\340\351A+Y\240\6\0Y\240\7\0Y\240\6\0q\245\6\0\205\375\0\0M\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0\340\351A+Y\240\6\0Y\240\7\0Y\240\6\0\11\245\6\0\251\375\0\0M\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0\340\351A+Y\240\6\0Y\240\7\0Y\240\6\0!\245\6\0]\376\0\0M\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0\340\351A+Y\240\6\0Y\240\7\0Y\240\6\0\371\245\6\0A\376\0\0M\240\6\0Y\240\6\0Y\240\6\0_\240B\0\17\240E\0\25\240G\0\25\240\15\0\15\240@\0\14\240H\0\32\240K\0\26\240B\0\14\240J\0\34\240\6\0Y\240\6\0Y\240\6\0Y\240\6\0\265\206\1\0\371\206\1\0Y\240\6\0Y\240\6\0Y\240\6\0\240\206\1\0\365\206\1\0Y\240\6\0Y\240\6\0Y\240\6\0_\207\1\0\355\206\1\0Y\240\6\0Y\240\6\0", 3032, 0x0, 0, ... {status=0x0, info=3032}, ) , 3032, 0x0, 0, ... {status=0x0, info=3032}, ) == 0x0
 01369   940   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 01370   940   NtSetInformationFile  (172, 1243652, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01371   940   NtClose  (176, ... ) == 0x0
 01372   940   NtClose  (172, ... ) == 0x0
 01373   940   NtCreateKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0
 01374   940   NtSetValueKey  (172,  (172, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0x\0y\0p\0y\0u\0a\0g\0n\0.\0e\0x\0e\0\0\0", 66, ... , 0, 1,  (172, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0x\0y\0p\0y\0u\0a\0g\0n\0.\0e\0x\0e\0\0\0", 66, ... , 66, ...
 01375   940   NtSetInformationFile  (-2147482448, -139610320, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01376   940   NtSetInformationFile  (-2147482448, -139610412, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01374   940   NtSetValueKey  ... ) == 0x0
 01377   940   NtClose  (172, ... ) == 0x0
 01378   940   NtClose  (132, ... ) == 0x0
 01379   940   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01380   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xypyuagn.exe"}, 1240872, ... ) }, 1240872, ... ) == 0x0
 01381   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xypyuagn.exe"}, 1241608, ... ) }, 1241608, ... ) == 0x0
 01382   940   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xypyuagn.exe"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01383   940   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 132, ... 172, ) == 0x0
 01384   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01385   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 176, ) }, ... 176, ) == 0x0
 01386   940   NtQueryValueKey  (176,  (176, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01387   940   NtClose  (176, ... ) == 0x0
 01388   940   NtQueryVolumeInformationFile  (132, 1240884, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01389   940   NtOpenMutant  (0x120001, {24, 44, 0x0, 0, 0,  (0x120001, {24, 44, 0x0, 0, 0, "ShimCacheMutex"}, ... 176, ) }, ... 176, ) == 0x0
 01390   940   NtWaitForSingleObject  (176, 0, {-1000000, -1}, ... ) == 0x0
 01391   940   NtOpenSection  (0x2, {24, 44, 0x0, 0, 0,  (0x2, {24, 44, 0x0, 0, 0, "ShimSharedMemory"}, ... 180, ) }, ... 180, ) == 0x0
 01392   940   NtMapViewOfSection  (180, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3b0000), {0, 0}, 57344, ) == 0x0
 01393   940   NtReleaseMutant  (176, ... 0x0, ) == 0x0
 01394   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238816, ... ) }, 1238816, ... ) == 0x0
 01395   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0
 01396   940   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 184, ... 188, ) == 0x0
 01397   940   NtClose  (184, ... ) == 0x0
 01398   940   NtMapViewOfSection  (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3c0000), 0x0, 126976, ) == 0x0
 01399   940   NtClose  (188, ... ) == 0x0
 01400   940   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 01401   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239124, ... ) }, 1239124, ... ) == 0x0
 01402   940   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 188, {status=0x0, info=1}, ) }, 5, 96, ... 188, {status=0x0, info=1}, ) == 0x0
 01403   940   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 188, ... 184, ) == 0x0
 01404   940   NtQuerySection  (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01405   940   NtClose  (188, ... ) == 0x0
 01406   940   NtMapViewOfSection  (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01407   940   NtClose  (184, ... ) == 0x0
 01408   940   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01409   940   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01410   940   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01411   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01412   940   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01413   940   NtQueryInformationFile  (184, 1239140, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01414   940   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 184, ... 188, ) == 0x0
 01415   940   NtMapViewOfSection  (188, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc70000), 0x0, 1191936, ) == 0x0
 01416   940   NtQueryInformationFile  (184, 1239240, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01417   940   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01418   940   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01419   940   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01420   940   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01421   940   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 192, ) }, ... 192, ) == 0x0
 01422   940   NtQueryValueKey  (192,  (192, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (192, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01423   940   NtClose  (192, ... ) == 0x0
 01424   940   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01425   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01426   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1236836, 616, BothDirectory, 1,  (192, 0, 0, 0, 1236836, 616, BothDirectory, 1, "xypyuagn.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01427   940   NtClose  (192, ... ) == 0x0
 01428   940   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01429   940   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01430   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xypyuagn.exe"}, 1237212, ... ) }, 1237212, ... ) == 0x0
 01431   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01432   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1236640, 616, BothDirectory, 1,  (192, 0, 0, 0, 1236640, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01433   940   NtClose  (192, ... ) == 0x0
 01434   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01435   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1236640, 616, BothDirectory, 1,  (192, 0, 0, 0, 1236640, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01436   940   NtClose  (192, ... ) == 0x0
 01437   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01438   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1236640, 616, BothDirectory, 1,  (192, 0, 0, 0, 1236640, 616, BothDirectory, 1, "xypyuagn.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01439   940   NtClose  (192, ... ) == 0x0
 01440   940   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01441   940   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01442   940   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01443   940   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01445   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 192, ) == 0x0
 01446   940   NtQueryInformationToken  (192, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01447   940   NtClose  (192, ... ) == 0x0
 01448   940   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   940   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\xypyuagn.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   940   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01451   940   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01452   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xypyuagn.exe"}, 1238464, ... ) }, 1238464, ... ) == 0x0
 01453   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01454   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1237892, 616, BothDirectory, 1,  (192, 0, 0, 0, 1237892, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01455   940   NtClose  (192, ... ) == 0x0
 01456   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01457   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1237892, 616, BothDirectory, 1,  (192, 0, 0, 0, 1237892, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01458   940   NtClose  (192, ... ) == 0x0
 01459   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01460   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1237892, 616, BothDirectory, 1,  (192, 0, 0, 0, 1237892, 616, BothDirectory, 1, "xypyuagn.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01461   940   NtClose  (192, ... ) == 0x0
 01462   940   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01463   940   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01464   940   NtWaitForSingleObject  (176, 0, {-1000000, -1}, ... ) == 0x0
 01465   940   NtQueryVolumeInformationFile  (132, 1239120, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01466   940   NtQueryInformationFile  (132, 1239100, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01467   940   NtQueryInformationFile  (132, 1239140, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01468   940   NtReleaseMutant  (176, ... 0x0, ) == 0x0
 01469   940   NtUnmapViewOfSection  (-1, 0xc70000, ... ) == 0x0
 01470   940   NtClose  (188, ... ) == 0x0
 01471   940   NtClose  (184, ... ) == 0x0
 01472   940   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01473   940   NtOpenProcessToken  (-1, 0xa, ... 184, ) == 0x0
 01474   940   NtQueryInformationToken  (184, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01475   940   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01477   940   NtQueryValueKey  (188,  (188, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (188, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01478   940   NtQueryValueKey  (188,  (188, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (188, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01479   940   NtClose  (188, ... ) == 0x0
 01480   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01482   940   NtQueryValueKey  (188,  (188, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   940   NtClose  (188, ... ) == 0x0
 01484   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01485   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01486   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01487   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01488   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01489   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01490   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01491   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01492   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01493   940   NtQueryDefaultLocale  (1, 1240312, ... ) == 0x0
 01494   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 188, ) }, ... 188, ) == 0x0
 01495   940   NtEnumerateKey  (188, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (188, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01496   940   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 192, ) }, ... 192, ) == 0x0
 01497   940   NtQueryValueKey  (192,  (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01498   940   NtQueryValueKey  (192,  (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01499   940   NtClose  (192, ... ) == 0x0
 01500   940   NtEnumerateKey  (188, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01501   940   NtClose  (188, ... ) == 0x0
 01502   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 188, ) }, ... 188, ) == 0x0
 01503   940   NtEnumerateKey  (188, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (188, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 01504   940   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 192, ) }, ... 192, ) == 0x0
 01505   940   NtQueryValueKey  (192,  (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 01506   940   NtQueryValueKey  (192,  (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01507   940   NtQueryValueKey  (192,  (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01508   940   NtQueryValueKey  (192,  (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01509   940   NtClose  (192, ... ) == 0x0
 01510   940   NtEnumerateKey  (188, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (188, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 01511   940   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 192, ) }, ... 192, ) == 0x0
 01512   940   NtQueryValueKey  (192,  (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 01513   940   NtQueryValueKey  (192,  (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01514   940   NtQueryValueKey  (192,  (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01515   940   NtQueryValueKey  (192,  (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01516   940   NtClose  (192, ... ) == 0x0
 01517   940   NtEnumerateKey  (188, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (188, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 01518   940   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 192, ) }, ... 192, ) == 0x0
 01519   940   NtQueryValueKey  (192,  (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 01520   940   NtQueryValueKey  (192,  (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01521   940   NtQueryValueKey  (192,  (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01522   940   NtQueryValueKey  (192,  (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01523   940   NtClose  (192, ... ) == 0x0
 01524   940   NtEnumerateKey  (188, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (188, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 01525   940   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 192, ) }, ... 192, ) == 0x0
 01526   940   NtQueryValueKey  (192,  (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 01527   940   NtQueryValueKey  (192,  (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01528   940   NtQueryValueKey  (192,  (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01529   940   NtQueryValueKey  (192,  (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01530   940   NtClose  (192, ... ) == 0x0
 01531   940   NtEnumerateKey  (188, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (188, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 01532   940   NtOpenKey  (0x20019, {24, 188, 0x40, 0, 0,  (0x20019, {24, 188, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 192, ) }, ... 192, ) == 0x0
 01533   940   NtQueryValueKey  (192,  (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (192, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 01534   940   NtQueryValueKey  (192,  (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01535   940   NtQueryValueKey  (192,  (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (192, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01536   940   NtQueryValueKey  (192,  (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (192, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01537   940   NtClose  (192, ... ) == 0x0
 01538   940   NtEnumerateKey  (188, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01539   940   NtClose  (188, ... ) == 0x0
 01540   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01541   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01542   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01546   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01547   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01548   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01549   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01551   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01552   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01553   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01554   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01555   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01556   940   NtClose  (188, ... ) == 0x0
 01557   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01558   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01559   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01560   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01561   940   NtClose  (188, ... ) == 0x0
 01562   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01564   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01565   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01566   940   NtClose  (188, ... ) == 0x0
 01567   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01569   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01570   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01571   940   NtClose  (188, ... ) == 0x0
 01572   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01574   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01575   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01576   940   NtClose  (188, ... ) == 0x0
 01577   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01578   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01579   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01580   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01581   940   NtClose  (188, ... ) == 0x0
 01582   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01584   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01585   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01586   940   NtClose  (188, ... ) == 0x0
 01587   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01588   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01589   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01590   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01591   940   NtClose  (188, ... ) == 0x0
 01592   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01594   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01595   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01596   940   NtClose  (188, ... ) == 0x0
 01597   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01598   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01599   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01600   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01601   940   NtClose  (188, ... ) == 0x0
 01602   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01603   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01604   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01605   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01606   940   NtClose  (188, ... ) == 0x0
 01607   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01608   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01609   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01610   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01611   940   NtClose  (188, ... ) == 0x0
 01612   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01613   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01614   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01615   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01616   940   NtClose  (188, ... ) == 0x0
 01617   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01618   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01619   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01620   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01621   940   NtClose  (188, ... ) == 0x0
 01622   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01623   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01624   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01625   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01626   940   NtClose  (188, ... ) == 0x0
 01627   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01628   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01629   940   NtQueryValueKey  (188,  (188, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (188, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (188, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01630   940   NtClose  (188, ... ) == 0x0
 01631   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01632   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 188, ) == 0x0
 01633   940   NtQueryInformationToken  (188, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01634   940   NtClose  (188, ... ) == 0x0
 01635   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01636   940   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01637   940   NtOpenProcessToken  (-1, 0xa, ... 188, ) == 0x0
 01638   940   NtDuplicateToken  (188, 0xc, {24, 0, 0x0, 0, 1240744, 0x0}, 0, 2, ... 192, ) == 0x0
 01639   940   NtClose  (188, ... ) == 0x0
 01640   940   NtAccessCheck  (1372608, 192, 0x1, 1240820, 1240872, 56, 1240852, ... (0x1), ) == 0x0
 01641   940   NtClose  (192, ... ) == 0x0
 01642   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 192, ) }, ... 192, ) == 0x0
 01643   940   NtQueryValueKey  (192,  (192, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (192, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01644   940   NtClose  (192, ... ) == 0x0
 01645   940   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 192, ) }, ... 192, ) == 0x0
 01646   940   NtQuerySymbolicLinkObject  (192, ...  (192, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01647   940   NtClose  (192, ... ) == 0x0
 01648   940   NtQueryVolumeInformationFile  (132, 1238576, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01649   940   NtQueryInformationFile  (132, 1238692, 528, Name, ... {status=0x0, info=64}, ) == 0x0
 01650   940   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01651   940   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01652   940   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xypyuagn.exe"}, 1237864, ... ) }, 1237864, ... ) == 0x0
 01653   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01654   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1237292, 616, BothDirectory, 1,  (192, 0, 0, 0, 1237292, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01655   940   NtClose  (192, ... ) == 0x0
 01656   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01657   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1237292, 616, BothDirectory, 1,  (192, 0, 0, 0, 1237292, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01658   940   NtClose  (192, ... ) == 0x0
 01659   940   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 192, {status=0x0, info=1}, ) }, 3, 16417, ... 192, {status=0x0, info=1}, ) == 0x0
 01660   940   NtQueryDirectoryFile  (192, 0, 0, 0, 1237292, 616, BothDirectory, 1,  (192, 0, 0, 0, 1237292, 616, BothDirectory, 1, "xypyuagn.exe", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01661   940   NtClose  (192, ... ) == 0x0
 01662   940   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01663   940   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01664   940   NtQueryInformationFile  (132, 1240732, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01665   940   NtCreateSection  (0xf0005, 0x0, {187352, 0}, 2, 134217728, 132, ... 192, ) == 0x0
 01666   940   NtMapViewOfSection  (192, -1, (0x0), 0, 0, {0, 0}, 187352, 1, 0, 2, ... (0x3c0000), {0, 0}, 188416, ) == 0x0
 01667   940   NtClose  (192, ... ) == 0x0
 01668   940   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01669   940   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 192, ) == 0x0
 01670   940   NtQueryInformationToken  (192, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01671   940   NtClose  (192, ... ) == 0x0
 01672   940   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 192, ) }, ... 192, ) == 0x0
 01673   940   NtOpenKey  (0x20019, {24, 192, 0x40, 0, 0,  (0x20019, {24, 192, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 188, ) }, ... 188, ) == 0x0
 01674   940   NtClose  (192, ... ) == 0x0
 01675   940   NtQueryValueKey  (188,  (188, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01676   940   NtQueryValueKey  (188,  (188, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (188, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 01677   940   NtClose  (188, ... ) == 0x0
 01678   940   NtUnmapViewOfSection  (-1, 0x3c0000, ... ) == 0x0
 01679   940   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 3932160, 4096, ) == 0x0
 01680   940   NtAllocateVirtualMemory  (-1, 3932160, 0, 4096, 4096, 4, ... 3932160, 4096, ) == 0x0
 01681   940   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 188, ) }, ... 188, ) == 0x0
 01682   940   NtQueryValueKey  (188,  (188, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01683   940   NtClose  (188, ... ) == 0x0
 01684   940   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01685   940   NtQueryInformationToken  (184, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01686   940   NtQueryInformationToken  (184, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01687   940   NtClose  (184, ... ) == 0x0
 01688   940   NtQuerySection  (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01689   940   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xypyuagn.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01690   940   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 01691   940   NtCreateProcessEx  (1242656, 2035711, 0, -1, 0, 172, 0, 0, 0, ... ) == 0x0
 01692   940   NtQueryInformationProcess  (184, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1764,ParentPid=1628,}, 0x0, ) == 0x0
 01693   940   NtReadVirtualMemory  (184, 0x7ffde008, 4, ...  (184, 0x7ffde008, 4, ... "\0\0B1", 0x0, ) , 0x0, ) == 0x0
 01694   940   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xypyuagn.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01695   940   NtAllocateVirtualMemory  (-1, 1376256, 0, 8192, 4096, 4, ... 1376256, 8192, ) == 0x0
 01696   940   NtReadVirtualMemory  (184, 0x31420000, 4096, ...  (184, 0x31420000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\310Y\330@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0B1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 01697   940   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01698   940   NtQueryInformationProcess  (184, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1764,ParentPid=1628,}, 0x0, ) == 0x0
 01699   940   NtAllocateVirtualMemory  (-1, 0, 0, 2432, 4096, 4, ... 3997696, 4096, ) == 0x0
 01700   940   NtAllocateVirtualMemory  (184, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 01701   940   NtWriteVirtualMemory  (184, 0x10000,  (184, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 01702   940   NtAllocateVirtualMemory  (184, 0, 0, 2432, 4096, 4, ... 131072, 4096, ) == 0x0
 01703   940   NtWriteVirtualMemory  (184, 0x20000,  (184, 0x20000, "\0\20\0\0\200\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\364\3\366\3\230\4\0\0@\0B\0\220\10\0\0@\0B\0\324\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0@\0B\0\30\11\0\0\36\0 \0\\11\0\0\0\0\2\0|\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2432, ... 0x0, ) , 2432, ... 0x0, ) == 0x0
 01704   940   NtWriteVirtualMemory  (184, 0x7ffde010,  (184, 0x7ffde010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01705   940   NtWriteVirtualMemory  (184, 0x7ffde1e8,  (184, 0x7ffde1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01706   940   NtFreeVirtualMemory  (-1, (0x3d0000), 0, 32768, ... (0x3d0000), 4096, ) == 0x0
 01707   940   NtAllocateVirtualMemory  (184, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01708   940   NtAllocateVirtualMemory  (184, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01709   940   NtProtectVirtualMemory  (184, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01710   940   NtCreateThread  (0x1f03ff, 0x0, 184, 1242664, 1242328, 1, ... 188, {1764, 760}, ) == 0x0
 01711   940   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 69, 1364160, -2146434944, 1244532}  (24, {168, 196, new_msg, 0, 69, 1364160, -2146434944, 1244532} "\0\0\0\0\0\0\1\0\377\377\377\377\0\0\0\0\273\0\0\0\274\0\0\0\344\6\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\20\0\0x\371\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\326z\202|" ... {168, 196, reply, 0, 1628, 940, 57954, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\270\0\0\0\274\0\0\0\344\6\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\20\0\0x\371\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\326z\202|" )  ... {168, 196, reply, 0, 1628, 940, 57954, 0}  (24, {168, 196, new_msg, 0, 69, 1364160, -2146434944, 1244532} "\0\0\0\0\0\0\1\0\377\377\377\377\0\0\0\0\273\0\0\0\274\0\0\0\344\6\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\20\0\0x\371\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\326z\202|" ... {168, 196, reply, 0, 1628, 940, 57954, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\270\0\0\0\274\0\0\0\344\6\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\20\0\0x\371\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\326z\202|" )  ) == 0x0
 01712   940   NtResumeThread  (188, ... 1, ) == 0x0
 01713   940   NtClose  (132, ... ) == 0x0
 01714   940   NtClose  (172, ... ) == 0x0
 01715   940   NtQueryInformationProcess  (184, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1764,ParentPid=1628,}, 0x0, ) == 0x0
 01716   940   NtUserWaitForInputIdle  (1764, 30000, 0, ...
 01717   940   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01718   940   NtClose  (172, ... ) == 0x0
 01716   940   NtUserWaitForInputIdle  ... ) == 0x0
 01719   940   NtClose  (184, ... ) == 0x0
 01720   940   NtClose  (188, ... ) == 0x0
 01721   940   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 01722   940   NtTerminateProcess  (0, 0, ...
 00671   776   NtWaitForMultipleObjects  ... ) == 0xc0
 01722   940   NtTerminateProcess  ... ) == 0x0
 01723   940   NtQueryVirtualMemory  (-1, 0xb26d20, Basic, 28, ... {BaseAddress=0xb26000,AllocationBase=0xaf0000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01724   940   NtQueryVirtualMemory  (-1, 0xb2762c, Basic, 28, ... {BaseAddress=0xb27000,AllocationBase=0xaf0000,AllocationProtect=0x80,RegionSize=0x3b000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01725   940   NtQueryVirtualMemory  (-1, 0xafcef4, Basic, 28, ... {BaseAddress=0xafc000,AllocationBase=0xaf0000,AllocationProtect=0x80,RegionSize=0x66000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01726   940   NtGdiDeleteObjectApp  (1527383604, ... ) == 0x1
 01727   940   NtGdiDeleteObjectApp  (856295063, ... ) == 0x1
 01728   940   NtGdiDeleteObjectApp  (2081032088, ... ) == 0x1
 01729   940   NtUserDestroyCursor  (262819, 1, ... ) == 0x1
 01730   940   NtUserDestroyCursor  (1180071, 1, ... ) == 0x1
 01731   940   NtUserDestroyCursor  (590411, 1, ... ) == 0x1
 01732   940   NtUserDestroyCursor  (787101, 1, ... ) == 0x1
 01733   940   NtUserDestroyCursor  (328163, 1, ... ) == 0x1
 01734   940   NtUserDestroyCursor  (1573423, 1, ... ) == 0x1
 01735   940   NtUserDestroyCursor  (393695, 1, ... ) == 0x1
 01736   940   NtUserFindExistingCursorIcon  (1243440, 1243456, 1243504, ... ) == 0x10011
 01737   940   NtDeleteAtom  (49188, ... ) == 0x0
 01738   940   NtDeleteAtom  (49195, ... ) == 0x0
 01739   940   NtGdiDeleteObjectApp  (856163553, ... ) == 0x1
 01740   940   NtClose  (128, ... ) == 0x0
 01741   940   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01742   940   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01743   940   NtUserGetAtomName  (49211, 1243528, ... ) == 0xf
 01744   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01745   940   NtUserGetAtomName  (49213, 1243528, ... ) == 0xd
 01746   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01747   940   NtUserGetAtomName  (49215, 1243528, ... ) == 0x10
 01748   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01749   940   NtUserGetAtomName  (49217, 1243528, ... ) == 0x12
 01750   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01751   940   NtUserGetAtomName  (49219, 1243528, ... ) == 0xd
 01752   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01753   940   NtUserGetAtomName  (49221, 1243528, ... ) == 0xb
 01754   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01755   940   NtUserGetAtomName  (49223, 1243528, ... ) == 0xf
 01756   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01757   940   NtUserGetAtomName  (49225, 1243528, ... ) == 0xd
 01758   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01759   940   NtUserGetAtomName  (49227, 1243528, ... ) == 0x11
 01760   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01761   940   NtUserGetAtomName  (49229, 1243528, ... ) == 0xf
 01762   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01763   940   NtUserGetAtomName  (49231, 1243528, ... ) == 0x11
 01764   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01765   940   NtUserGetAtomName  (49233, 1243528, ... ) == 0xf
 01766   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01767   940   NtUserGetAtomName  (49235, 1243528, ... ) == 0xc
 01768   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01769   940   NtUserGetAtomName  (49237, 1243520, ... ) == 0xd
 01770   940   NtUserUnregisterClass  (1243580, 1560870912, 1243568, ... ) == 0x1
 01771   940   NtUserGetAtomName  (49239, 1243520, ... ) == 0x11
 01772   940   NtUserUnregisterClass  (1243580, 1560870912, 1243568, ... ) == 0x1
 01773   940   NtUserGetAtomName  (49241, 1243528, ... ) == 0xc
 01774   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01775   940   NtUserGetAtomName  (49243, 1243528, ... ) == 0xe
 01776   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01777   940   NtUserGetAtomName  (49245, 1243528, ... ) == 0x8
 01778   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01779   940   NtUserGetAtomName  (49247, 1243528, ... ) == 0xd
 01780   940   NtUserUnregisterClass  (1243588, 1560870912, 1243576, ... ) == 0x1
 01781   940   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01782   940   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0
 01783   940   NtFreeVirtualMemory  (-1, (0x370000), 0, 32768, ... (0x370000), 65536, ) == 0x0
 01784   940   NtUserGetAtomName  (49211, 1243560, ... ) == 0xf
 01785   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01786   940   NtUserGetAtomName  (49213, 1243560, ... ) == 0xd
 01787   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01788   940   NtUserGetAtomName  (49215, 1243560, ... ) == 0x10
 01789   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01790   940   NtUserGetAtomName  (49217, 1243560, ... ) == 0x12
 01791   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01792   940   NtUserGetAtomName  (49219, 1243560, ... ) == 0xd
 01793   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01794   940   NtUserGetAtomName  (49221, 1243560, ... ) == 0xb
 01795   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01796   940   NtUserGetAtomName  (49223, 1243560, ... ) == 0xf
 01797   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01798   940   NtUserGetAtomName  (49225, 1243560, ... ) == 0xd
 01799   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01800   940   NtUserGetAtomName  (49227, 1243560, ... ) == 0x11
 01801   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01802   940   NtUserGetAtomName  (49229, 1243560, ... ) == 0xf
 01803   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01804   940   NtUserGetAtomName  (49231, 1243560, ... ) == 0x11
 01805   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01806   940   NtUserGetAtomName  (49233, 1243560, ... ) == 0xf
 01807   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01808   940   NtUserGetAtomName  (49235, 1243560, ... ) == 0xc
 01809   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01810   940   NtUserGetAtomName  (49237, 1243552, ... ) == 0xd
 01811   940   NtUserUnregisterClass  (1243612, 2000486400, 1243600, ... ) == 0x1
 01812   940   NtUserGetAtomName  (49239, 1243552, ... ) == 0x11
 01813   940   NtUserUnregisterClass  (1243612, 2000486400, 1243600, ... ) == 0x1
 01814   940   NtUserGetAtomName  (49241, 1243560, ... ) == 0xc
 01815   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01816   940   NtUserGetAtomName  (49243, 1243560, ... ) == 0xe
 01817   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01818   940   NtUserGetAtomName  (49245, 1243560, ... ) == 0x8
 01819   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01820   940   NtUserGetAtomName  (49247, 1243560, ... ) == 0xd
 01821   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01822   940   NtUserGetAtomName  (49175, 1243560, ... ) == 0x6
 01823   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01824   940   NtUserGetAtomName  (49177, 1243560, ... ) == 0x6
 01825   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01826   940   NtUserGetAtomName  (49176, 1243560, ... ) == 0x4
 01827   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01828   940   NtUserGetAtomName  (49178, 1243560, ... ) == 0x7
 01829   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01830   940   NtUserGetAtomName  (49180, 1243560, ... ) == 0x8
 01831   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01832   940   NtUserGetAtomName  (49182, 1243560, ... ) == 0x9
 01833   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01834   940   NtUserGetAtomName  (49179, 1243552, ... ) == 0x9
 01835   940   NtUserUnregisterClass  (1243612, 2000486400, 1243600, ... ) == 0x1
 01836   940   NtUserGetAtomName  (49256, 1243560, ... ) == 0x7
 01837   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01838   940   NtUserGetAtomName  (49258, 1243560, ... ) == 0xd
 01839   940   NtUserUnregisterClass  (1243620, 2000486400, 1243608, ... ) == 0x1
 01840   940   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 01841   940   NtDeviceIoControlFile  (56, 60, 0x0, 0x12facc, 0x22415c,  (56, 60, 0x0, 0x12facc, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#@\0\0\0\0\0\0\0\10 \217\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#@\0\0\0\0\0\0\0\10 \217\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (56, 60, 0x0, 0x12facc, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#@\0\0\0\0\0\0\0\10 \217\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#@\0\0\0\0\0\0\0\10 \217\0\306\205\337w", ) , ) == 0x0
 01842   940   NtDeviceIoControlFile  (56, 60, 0x0, 0x12fa94, 0x228168,  (56, 60, 0x0, 0x12fa94, 0x228168, "@\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 01843   940   NtDeviceIoControlFile  (56, 60, 0x0, 0x12facc, 0x22415c,  (56, 60, 0x0, 0x12facc, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\\0\0\0\0\0\0\0\10 \217\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\\0\0\0\0\0\0\0\10 \217\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (56, 60, 0x0, 0x12facc, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\\0\0\0\0\0\0\0\10 \217\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\\0\0\0\0\0\0\0\10 \217\0\306\205\337w", ) , ) == 0x0
 01844   940   NtDeviceIoControlFile  (56, 60, 0x0, 0x12fa94, 0x228168,  (56, 60, 0x0, 0x12fa94, 0x228168, "\\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 01845   940   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01846   940   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01847   940   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 01848   940   NtClose  (48, ... ) == 0x0
 01849   940   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 48, ) }, ... 48, ) == 0x0
 01850   940   NtQueryValueKey  (48,  (48, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01851   940   NtClose  (48, ... ) == 0x0
 01852   940   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01853   940   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01854   940   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01855   940   NtClose  (124, ... ) == 0x0
 01856   940   NtClose  (56, ... ) == 0x0
 01857   940   NtFreeVirtualMemory  (-1, (0x3c0000), 4096, 32768, ... (0x3c0000), 4096, ) == 0x0
 01858   940   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2089871292, 1310720, 1244456, 0}  (24, {20, 48, new_msg, 0, 2089871292, 1310720, 1244456, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 1628, 940, 58004, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 1628, 940, 58004, 0}  (24, {20, 48, new_msg, 0, 2089871292, 1310720, 1244456, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 1628, 940, 58004, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01859   940   NtTerminateProcess  (-1, 0, ...
NtAdjustPrivilegesToken(>)	1	NtOpenMutant(>)	2	NtGdiCreateDIBitmapInternal(>)	7	NtCreateFile(>)	15
NtCallbackReturn(>)	1	NtOpenSymbolicLinkObject(>)	2	NtGdiGetDCObject(>)	7	NtCreateEvent(>)	16
NtCreateMutant(>)	1	NtQuerySymbolicLinkObject(>)	2	NtGdiGetDCforBitmap(>)	7	NtQueryDirectoryFile(>)	16
NtCreateProcessEx(>)	1	NtReadVirtualMemory(>)	2	NtGdiGetStockObject(>)	7	NtGdiDeleteObjectApp(>)	18
NtDelayExecution(>)	1	NtRegisterThreadTerminatePort(>)	2	NtGdiRestoreDC(>)	7	NtReadFile(>)	20
NtEnumerateValueKey(>)	1	NtReleaseMutant(>)	2	NtGdiSaveDC(>)	7	NtUserCallOneParam(>)	20
NtGdiCreatePaletteInternal(>)	1	NtResumeThread(>)	2	NtGdiSetDIBitsToDeviceInternal(>)	7	NtCreateSection(>)	21
NtGdiInit(>)	1	NtSetEventBoostPriority(>)	2	NtQueryVolumeInformationFile(>)	7	NtQueryInformationProcess(>)	21
NtGdiQueryFontAssocInfo(>)	1	NtTestAlert(>)	2	NtSetInformationProcess(>)	7	NtWriteFile(>)	24
NtNotifyChangeKey(>)	1	NtUserWaitForInputIdle(>)	2	NtUserDestroyCursor(>)	7	NtOpenSection(>)	25
NtOpenEvent(>)	1	NtAddAtom(>)	3	NtUserSetCursorIconData(>)	7	NtOpenProcessTokenEx(>)	27
NtOpenKeyedEvent(>)	1	NtContinue(>)	3	NtEnumerateKey(>)	8	NtOpenThreadTokenEx(>)	27
NtOpenProcess(>)	1	NtGdiHfontCreate(>)	3	NtGdiCreateBitmap(>)	8	NtQuerySystemInformation(>)	31
NtQueryInformationJobObject(>)	1	NtQueryPerformanceCounter(>)	3	NtQueryDefaultUILanguage(>)	8	NtQueryAttributesFile(>)	33
NtQueryInformationThread(>)	1	NtSetInformationObject(>)	3	NtQuerySection(>)	9	NtQueryInformationToken(>)	34
NtQueryInstallUILanguage(>)	1	NtTerminateProcess(>)	3	NtSetInformationThread(>)	9	NtOpenFile(>)	38
NtQueryObject(>)	1	NtWaitForMultipleObjects(>)	3	NtGdiCreateCompatibleDC(>)	10	NtMapViewOfSection(>)	41
NtQuerySystemTime(>)	1	NtCreateSemaphore(>)	4	NtGdiExtGetObjectW(>)	10	NtUserGetAtomName(>)	47
NtSecureConnectPort(>)	1	NtDuplicateObject(>)	4	NtOpenProcessToken(>)	10	NtUserUnregisterClass(>)	47
NtUserCallNoParam(>)	1	NtFreeVirtualMemory(>)	4	NtQueryDebugFilterState(>)	10	NtAllocateVirtualMemory(>)	51
NtUserEnumDisplayMonitors(>)	1	NtFsControlFile(>)	4	NtQueryVirtualMemory(>)	10	NtGdiSelectBitmap(>)	57
NtUserGetKeyboardLayoutList(>)	1	NtWaitForSingleObject(>)	4	NtRequestWaitReplyPort(>)	11	NtUserRegisterClassExWOW(>)	61
NtUserGetThreadDesktop(>)	1	NtWriteVirtualMemory(>)	4	NtUserGetDC(>)	11	NtUserFindExistingCursorIcon(>)	74
NtUserSetWindowsHookEx(>)	1	NtAccessCheck(>)	5	NtDeviceIoControlFile(>)	12	NtQueryValueKey(>)	77
NtCreateIoCompletion(>)	2	NtOpenThreadToken(>)	5	NtSetInformationFile(>)	12	NtFlushInstructionCache(>)	87
NtCreateThread(>)	2	NtSetEvent(>)	5	NtQueryDefaultLocale(>)	14	NtOpenKey(>)	147
NtDeleteAtom(>)	2	NtUserRegisterWindowMessage(>)	5	NtQueryInformationFile(>)	14	NtProtectVirtualMemory(>)	174
NtDuplicateToken(>)	2	NtCreateKey(>)	6	NtUnmapViewOfSection(>)	14	NtClose(>)	208
NtGdiCreateSolidBrush(>)	2	NtSetValueKey(>)	6	NtUserSelectPalette(>)	14
NtOpenDirectoryObject(>)	2	NtGdiBitBlt(>)	7