Summary:


NtAdjustPrivilegesToken(>)  1 
NtDeleteAtom(>)  2 
NtGdiBitBlt(>)  7 
NtQueryInformationProcess(>)  15 

NtCallbackReturn(>)  1 
NtEnumerateKey(>)  2 
NtGdiCreateDIBitmapInternal(>)  7 
NtCreateSection(>)  17 

NtCreateMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiGetDCObject(>)  7 
NtGdiDeleteObjectApp(>)  18 

NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtReadFile(>)  19 

NtCreateThread(>)  1 
NtOpenEvent(>)  2 
NtGdiGetStockObject(>)  7 
NtContinue(>)  20 

NtDelayExecution(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtGdiRestoreDC(>)  7 
NtQuerySystemInformation(>)  20 

NtDuplicateToken(>)  1 
NtQueryInstallUILanguage(>)  2 
NtGdiSaveDC(>)  7 
NtUserCallOneParam(>)  20 

NtEnumerateValueKey(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtWaitForSingleObject(>)  21 

NtGdiCreatePaletteInternal(>)  1 
NtReadVirtualMemory(>)  2 
NtOpenProcessToken(>)  7 
NtFlushInstructionCache(>)  23 

NtGdiInit(>)  1 
NtTerminateProcess(>)  2 
NtUserDestroyCursor(>)  7 
NtWriteFile(>)  23 

NtGdiQueryFontAssocInfo(>)  1 
NtUserWaitForInputIdle(>)  2 
NtUserSetCursorIconData(>)  7 
NtOpenProcessTokenEx(>)  24 

NtNotifyChangeKey(>)  1 
NtAddAtom(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenThreadTokenEx(>)  24 

NtOpenKeyedEvent(>)  1 
NtCreateSemaphore(>)  3 
NtQuerySection(>)  8 
NtOpenSection(>)  25 

NtOpenProcess(>)  1 
NtDuplicateObject(>)  3 
NtRequestWaitReplyPort(>)  8 
NtOpenFile(>)  30 

NtQueryInformationJobObject(>)  1 
NtFreeVirtualMemory(>)  3 
NtSetInformationThread(>)  8 
NtQueryAttributesFile(>)  31 

NtQueryObject(>)  1 
NtGdiHfontCreate(>)  3 
NtQueryDebugFilterState(>)  9 
NtQueryInformationToken(>)  31 

NtQuerySystemTime(>)  1 
NtOpenMutant(>)  3 
NtSetInformationFile(>)  9 
NtMapViewOfSection(>)  37 

NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtCreateEvent(>)  10 
NtReleaseMutant(>)  40 

NtResumeThread(>)  1 
NtFsControlFile(>)  4 
NtGdiCreateCompatibleDC(>)  10 
NtAllocateVirtualMemory(>)  41 

NtSecureConnectPort(>)  1 
NtOpenThreadToken(>)  4 
NtGdiExtGetObjectW(>)  10 
NtProtectVirtualMemory(>)  45 

NtTestAlert(>)  1 
NtSetValueKey(>)  4 
NtQueryDirectoryFile(>)  10 
NtUserUnregisterClass(>)  45 

NtUserCallNoParam(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  11 
NtQueryValueKey(>)  50 

NtUserEnumDisplayMonitors(>)  1 
NtUserRegisterWindowMessage(>)  5 
NtUserGetDC(>)  11 
NtGdiSelectBitmap(>)  57 

NtUserGetKeyboardLayoutList(>)  1 
NtCreateKey(>)  6 
NtUnmapViewOfSection(>)  12 
NtUserRegisterClassExWOW(>)  63 

NtUserGetThreadDesktop(>)  1 
NtQueryDefaultUILanguage(>)  6 
NtQueryDefaultLocale(>)  13 
NtUserGetClassInfo(>)  64 

NtUserSetWindowsHookEx(>)  1 
NtQueryVirtualMemory(>)  6 
NtQueryInformationFile(>)  13 
NtUserFindExistingCursorIcon(>)  72 

NtAccessCheck(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtUserSystemParametersInfo(>)  13 
NtOpenKey(>)  111 

NtCreateIoCompletion(>)  2 
NtSetInformationProcess(>)  6 
NtUserSelectPalette(>)  14 
NtClose(>)  164 


Trace:
 00001   368   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   368   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   368   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   368   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   368   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   368   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   368   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   368   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   368   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   368   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   368   NtClose  (12, ... ) == 0x0
 00014   368   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   368   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   368   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   368   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   368   NtClose  (16, ... ) == 0x0
 00021   368   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   368   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   368   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   368   NtClose  (16, ... ) == 0x0
 00026   368   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   368   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   368   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   368   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   368   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 368, 1480, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 316, 368, 1480, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 368, 1480, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   368   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   368   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   368   NtClose  (16, ... ) == 0x0
 00036   368   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   368   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   368   NtClose  (28, ... ) == 0x0
 00041   368   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   368   NtClose  (28, ... ) == 0x0
 00045   368   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   368   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   368   NtClose  (28, ... ) == 0x0
 00049   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   368   NtClose  (28, ... ) == 0x0
 00052   368   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   368   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 368, 1483, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 316, 368, 1483, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 368, 1483, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 128, ) == 0x0
 00057   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 128, ... (0x31509000), 8192, 4, ) == 0x0
 00058   368   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00059   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   368   NtClose  (28, ... ) == 0x0
 00062   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   368   NtClose  (28, ... ) == 0x0
 00065   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00066   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00067   368   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00068   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   368   NtClose  (28, ... ) == 0x0
 00071   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00072   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00073   368   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00074   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   368   NtClose  (28, ... ) == 0x0
 00077   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   368   NtClose  (28, ... ) == 0x0
 00080   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00081   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00082   368   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00083   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   368   NtClose  (28, ... ) == 0x0
 00086   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   368   NtClose  (28, ... ) == 0x0
 00089   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   368   NtClose  (28, ... ) == 0x0
 00092   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   368   NtClose  (28, ... ) == 0x0
 00095   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   368   NtClose  (28, ... ) == 0x0
 00098   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   368   NtClose  (28, ... ) == 0x0
 00101   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00102   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00103   368   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00104   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   368   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00106   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00109   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   368   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   368   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   368   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   368   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   368   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   368   NtClose  (40, ... ) == 0x0
 00118   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   368   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   368   NtClose  (40, ... ) == 0x0
 00122   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   368   NtClose  (36, ... ) == 0x0
 00124   368   NtClose  (28, ... ) == 0x0
 00125   368   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   368   NtClose  (32, ... ) == 0x0
 00127   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00131   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   368   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   368   NtClose  (32, ... ) == 0x0
 00135   368   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   368   NtClose  (28, ... ) == 0x0
 00137   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0
 00138   368   NtProtectVirtualMemory  (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0
 00139   368   NtFlushInstructionCache  (-1, 827363328, 8192, ... ) == 0x0
 00140   368   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   368   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   368   NtClose  (28, ... ) == 0x0
 00143   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   368   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   368   NtClose  (28, ... ) == 0x0
 00146   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   368   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   368   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   368   NtClose  (28, ... ) == 0x0
 00150   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   368   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   368   NtClose  (28, ... ) == 0x0
 00153   368   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   368   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   368   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00158   368   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00159   368   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00160   368   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   368   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00162   368   NtClose  (32, ... ) == 0x0
 00163   368   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00164   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   368   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 368, 1493, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 316, 368, 1493, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 368, 1493, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00166   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   368   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0
 00168   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   368   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   368   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00171   368   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   368   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   368   NtClose  (-2147482020, ... ) == 0x0
 00174   368   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0
 00175   368   NtFreeVirtualMemory  (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0
 00176   368   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   368   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00178   368   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   368   NtClose  (-2147482020, ... ) == 0x0
 00180   368   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00181   368   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   368   NtClose  (-2147482020, ... ) == 0x0
 00183   368   NtQueryDefaultLocale  (0, -128865780, ... ) == 0x0
 00184   368   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   368   NtUserCallNoParam  (24, ... ) == 0x0
 00186   368   NtGdiCreateCompatibleDC  (0, ...
 00187   368   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0
 00186   368   NtGdiCreateCompatibleDC  ... ) == 0x100103d4
 00188   368   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   368   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   368   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x3a050401
 00191   368   NtGdiCreateSolidBrush  (0, 0, ...
 00192   368   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00191   368   NtGdiCreateSolidBrush  ... ) == 0x201003d3
 00193   368   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   368   NtGdiCreateCompatibleDC  (0, ... ) == 0x1e01039c
 00195   368   NtGdiSelectBitmap  (503382940, 973407233, ... ) == 0x185000f
 00196   368   NtUserGetThreadDesktop  (368, 0, ... ) == 0x2c
 00197   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   368   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   368   NtClose  (52, ... ) == 0x0
 00200   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00201   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00202   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00203   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00204   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00205   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00206   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00208   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00209   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00210   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00211   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00212   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00213   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00214   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00216   368   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00217   368   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00218   368   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00219   368   NtAllocateVirtualMemory  (-1, 5533696, 0, 4096, 4096, 32, ... 5533696, 4096, ) == 0x0
 00218   368   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00220   368   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00221   368   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00222   368   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00223   368   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00224   368   NtCallbackReturn  (0, 0, 0, ...
 00225   368   NtGdiInit  (... ) == 0x1
 00226   368   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00227   368   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00228   368   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   368   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00231   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00232   368   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   368   NtClose  (52, ... ) == 0x0
 00234   368   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00235   368   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00236   368   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00237   368   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00238   368   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00239   368   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00240   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00241   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00242   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00243   368   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00244   368   NtClose  (60, ... ) == 0x0
 00245   368   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00246   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00247   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00248   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00249   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00250   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00251   368   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   368   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   368   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   368   NtClose  (60, ... ) == 0x0
 00255   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00256   368   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   368   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   368   NtClose  (60, ... ) == 0x0
 00259   368   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   368   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00261   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   368   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   368   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00265   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00266   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00267   368   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   368   NtClose  (60, ... ) == 0x0
 00269   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00270   368   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00271   368   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00272   368   NtQueryDefaultUILanguage  (1241768, ...
 00273   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00274   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00275   368   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00276   368   NtClose  (-2147482020, ... ) == 0x0
 00277   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00278   368   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   368   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00280   368   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   368   NtClose  (-2147482024, ... ) == 0x0
 00282   368   NtClose  (-2147482020, ... ) == 0x0
 00272   368   NtQueryDefaultUILanguage  ... ) == 0x0
 00283   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   368   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00285   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00287   368   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0
 00288   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   368   NtQueryDefaultUILanguage  (2013024600, ...
 00290   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00291   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00292   368   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00293   368   NtClose  (-2147482020, ... ) == 0x0
 00294   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00295   368   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   368   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00297   368   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   368   NtClose  (-2147482024, ... ) == 0x0
 00299   368   NtClose  (-2147482020, ... ) == 0x0
 00289   368   NtQueryDefaultUILanguage  ... ) == 0x0
 00300   368   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00301   368   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00302   368   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00303   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   368   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1494, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 368, 1494, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1494, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00305   368   NtClose  (68, ... ) == 0x0
 00306   368   NtClose  (72, ... ) == 0x0
 00307   368   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00308   368   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00309   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   368   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00318   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00319   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00321   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00322   368   NtClose  (68, ... ) == 0x0
 00323   368   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00324   368   NtClose  (76, ... ) == 0x0
 00325   368   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00326   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00327   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00328   368   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00329   368   NtClose  (76, ... ) == 0x0
 00330   368   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00331   368   NtClose  (68, ... ) == 0x0
 00332   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00339   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00340   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00341   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00342   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00343   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00344   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00345   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00346   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00347   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00348   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00349   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00350   368   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00351   368   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00352   368   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00353   368   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 00354   368   NtQueryDefaultUILanguage  (1238836, ...
 00355   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00357   368   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   368   NtClose  (-2147482020, ... ) == 0x0
 00359   368   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00360   368   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   368   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00362   368   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   368   NtClose  (-2147482024, ... ) == 0x0
 00364   368   NtClose  (-2147482020, ... ) == 0x0
 00354   368   NtQueryDefaultUILanguage  ... ) == 0x0
 00365   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0
 00367   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00368   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00369   368   NtClose  (68, ... ) == 0x0
 00370   368   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0
 00371   368   NtClose  (76, ... ) == 0x0
 00372   368   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00373   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0
 00374   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238028,  (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00375   368   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00376   368   NtClose  (76, ... ) == 0x0
 00377   368   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0
 00378   368   NtClose  (68, ... ) == 0x0
 00379   368   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00380   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00381   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00382   368   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0
 00383   368   NtQueryInformationFile  (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00384   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   368   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1497, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 316, 368, 1497, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 368, 1497, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ) == 0x0
 00386   368   NtClose  (68, ... ) == 0x0
 00387   368   NtClose  (76, ... ) == 0x0
 00388   368   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00389   368   NtUnmapViewOfSection  (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00390   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00391   368   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00392   368   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00393   368   NtUserGetDC  (0, ... ) == 0x1010052
 00394   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00395   368   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00396   368   NtUserSystemParametersInfo  (66, 12, 1240140, 0, ... ) == 0x1
 00397   368   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00398   368   NtAccessCheck  (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00399   368   NtClose  (76, ... ) == 0x0
 00400   368   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00401   368   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   368   NtClose  (76, ... ) == 0x0
 00403   368   NtUserSystemParametersInfo  (41, 500, 1239640, 0, ... ) == 0x1
 00404   368   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00405   368   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00407   368   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   368   NtClose  (68, ... ) == 0x0
 00409   368   NtClose  (76, ... ) == 0x0
 00410   368   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00411   368   NtUserSystemParametersInfo  (4130, 0, 1240164, 0, ... ) == 0x1
 00412   368   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00413   368   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00414   368   NtClose  (76, ... ) == 0x0
 00415   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00416   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03b
 00417   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03d
 00418   368   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00419   368   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc03f
 00420   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00421   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc041
 00422   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00423   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc043
 00424   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc045
 00425   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00426   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc047
 00427   368   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00428   368   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc049
 00429   368   NtUserGetClassInfo  (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049
 00430   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00431   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04b
 00432   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00433   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04d
 00434   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00435   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04f
 00436   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc051
 00437   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00438   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc053
 00439   368   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00440   368   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc055
 00441   368   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc057
 00442   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00443   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc059
 00444   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10013
 00445   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05b
 00446   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00447   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05d
 00448   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00449   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05f
 00450   368   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00451   368   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc017
 00452   368   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00453   368   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc019
 00454   368   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10013
 00455   368   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc018
 00456   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00457   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc01a
 00458   368   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00459   368   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc01c
 00460   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00461   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ...
 00462   368   NtAllocateVirtualMemory  (-1, 5537792, 0, 4096, 4096, 32, ... 5537792, 4096, ) == 0x0
 00461   368   NtUserRegisterClassExWOW  ... ) == 0x810dc01e
 00463   368   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00464   368   NtUserRegisterClassExWOW  (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810dc01b
 00465   368   NtUserFindExistingCursorIcon  (1239440, 1239456, 1240024, ... ) == 0x10011
 00466   368   NtUserRegisterClassExWOW  (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810dc068
 00467   368   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00468   368   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc06a
 00469   368   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00470   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00471   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00472   368   NtTestAlert  (... ) == 0x0
 00473   368   NtContinue  (1244464, 1, ...
 00474   368   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3150b000,}, 4, ... ) == 0x0
 00475   368   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 00476   368   NtQueryValueKey  (68,  (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   368   NtClose  (68, ... ) == 0x0
 00478   368   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00479   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0
 00480   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00481   368   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 316, 368, 1498, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 316, 368, 1498, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 316, 368, 1498, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00482   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0
 00483   368   NtClose  (80, ... ) == 0x0
 00484   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00485   368   NtClose  (-2147482020, ... ) == 0x0
 00484   368   NtCreateFile  ... 80, {status=0x0, info=3}, ) == 0x0
 00486   368   NtSetInformationFile  (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00487   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "#\367;\0l\255k\0j\255d\0\221Rk\0\326\255k\0n\255k\0.\255q\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\257k\0\324\275k\16q\31b\315O\25jL\243\214\373\220:\305\2sN\335\31o\11\337\12mN\300\36s\32\215\11eN\337\36nN\330\5d\13\337KW\7\303X2c\247O7n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0n\255k\0", ) , ) == 0x0
 00488   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00489   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ";\245]\34\1\221&E\1\337\22,\316\300\12\10^\256\352\7\246e\15\331\14m*\304\246\356\243;\0g\17\257+\315\22\222j\2\320\351F\32\355onR\233\230:\21\344tXeN\35\301K\20\305(,\206\17\271\305m\224\203\3530\372\267\200i*\353\302\271\246\34CB\274I\301\177\255a^3\321e8#<\26213\266}\31\376=\263\225\325\37;\12\302\272\340Q!\245\17\203\376\251c#\242\177G\210^k\20\22/\243\212\311\226\353CI\212\233p\37jb\233f\276Q\3373hn\212\15_/\2234\260\301)\266>\311\233XP\233\271 \252\237,W\246)\243\257"\203\32P\207\351k(oq\353\24\355\227A\12\36\250n\34\5\6\275\12\206\375\271>\353\221\303?\205\334\367|O\370\313\320>u\256&6\304\245\364\375\357\342n\303\306\302\35\337F>\243\212\224Ve8\1\360\5\\225HyC\217\335\36\256\223\230\227L\250\317\255\325m\1\225\350x6\300[\213\332&!XC\211l\220\21eK^wN@\227zR\224\12B\325W\231O\265\17\360\272<\23]S\203\310\261\272\310\214\354ovgpds\230P\11\316\243\266p\357H\350\27E`5\7\33\217&\212\365d\11\263p[\2l\315+\3\374\345\303\211,\365P2J\366\214\324\272\376\310\17\352\274\331\1\202\262\332\22\12\345\243\324ii1\274\13\4\214$e\246pa\350a\355[\302]\266\17", ) \203\32P\207\351k(oq\353\24\355\227A\12\36\250n\34\5\6\275\12\206\375\271335\305\108\331\36\310++~\212\263`\207\10\250\255\14)\355\224\223\251\225\211\241\232,\356RRt\355<\344\376\233Z\15\345\354_\324\307\4\246\'\270n-\242\211\363\365.\2409\314>>\353\221\303?\205\334\367|O\370\313\320>u\256&6\304\245\364\375\357\342n\303\306\302\35\337F>\243\212\224Ve8\1\360\5\\225HyC\217\335\36\256\223\230\227L\250\317\255\325m\1\225\350x6\300[\213\332&!XC\211l\220\21eK^wN@\227zR\224\12B\325W\231O\265\17\360\272<\23]S\203\310\261\272\310\214\354ovgpds\230P\11\316\243\266p\357H\350\27E`5\7\33\217&\212\365d\11\263p[\2l\315+\3\374\345\303\211,\365P2J\366\214\324\272\376\310\17\352\274\331\1\202\262\332\22\12\345\243\324ii1\274\13\4\214$e\246pa\350a\355[\302]\266\17", ) == 0x0
 00490   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00491   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\271o`X\326\277~w_\247gH\275\340\250\30$;'\340;\10\331Hn\6\371\345\336(\334}v\351+\221\213=\16Z\12\3613Y`\366\361\0<\346\10T>\311Rdu\317\1776\12\315\372\345\376\310\1!\2\305:\226-;\31\14\32\335G\35\247\315\240z\22\230\23@D,\363C~\321q\301\21(\377\235\365\315\14\20\300\335\320\363W\6=%|%g9E){\274i&\3559\364\354\347\14\346\302+\323\221ZA\276F',\10T}\379\230\353\3203\304\344\276\256\366q<\4\227\301.]\331\251-4\235\353t\306\330\357\177\270\300A\177\5b\343n>j:!V^\333\311\310\204+V\366k\246\353K.\365\250\13\374*>?e\335\250k\301\200\200\221\322I\243\257Zej\367o\203\223\27\212\353\12l\35*\5\31\212.8T\34\330\16\1@\256\343\4\1XZ\322\344\375}D~\257\\304\353\323\340wU\234\242\212&\356/\10\222R)\2671\255c\215\33\242\340|f\252Z\300\344\243PJ\222\330\334~\317\366\345\d_w\16\230n\264\237'\330\211o5\6\232\371y\355O\16o\224\223~\263\10\14\5CiP\200V\212dMj\366\220\302\34I\356\257\1\32\324\202\32\2\342\321g\314`\212)'A\201\236\377\205\356\217R\264\177\265'3c\372'5\12\353\3668o\2\321u\13x\265\344\36c\224\237\355cS3\32\356J\2649\245Q\334\0!\274s\33\33A\206\355X\257\332 \371F\243?\356H\264:\330m\206\355tF\211\35\344\301q\221\2\265)\305\374R\251\11\226J u\236"\310:\345\222\330\4\356\222n\2663\16l\203\277\342j\267a_\224\255\304\32!\20\24\252\225\261\34\246\34\15a\22\242\3$q\301\5Rj\224\321\340w\224B\213#R\1", ) \310:\345\222\330\4\356\222n\2663\16l\203\277\342j\267a_\224\255\304\32!\20\24\252\225\261\34\246\34\15a\22\242\3$q\301\5Rj\224\321\340w\224B\213#R\1", ) == 0x0
 00492   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00493   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\370F\226\265\356z\307f=$\356\6x-\341\265\31k\356\227\21\243\34\21\10\22\337\22;\241\16\211g\152\6\335j\12\35^\21w\210\332\326\364\240\344 \376>d\255\337\274\11\203,\263\37\207\2530w\364\3604oji\316\352\174\271\347:_tf\367o\310\363)\375\244Es\232t\15\3668\364;\377O\361;\2459")-\2555\346!.\13&/\300\200\300'g&G-Z\254SI\200\12s\246\34\266\230+\226\13!'>\373y\374.v[\313\252i^,\2171\251\361\35\214K\325G\2d\355\351\32\352\246\223B\311\273\353{[\33{\31\2403\33\353i\211\277\350]-\375t\355\357L!\6\364+{\375\257\346\5zK\250\377C\200\207N\10\14\374\360\10\12K\364{+\313\266\272\247\237\364\276g{\240L\375\333\326CtlC\222\340\4\0U\375W/B\214H\207~\332W8u\337\243\310R\225W8G\214M\205\311J$\210ivPw5\243\377\341o\241\313\346\2570k\233f\327m\243u\257E,\253j=\272\304\234}z\230o{\360? \371`\355\273\177\310\212\361\371\246\316\36$X\236Fw\302\15\300a\246\36{\35]d?\17\371'p\0\351As\1\254\335\262\22\314\243\250^Q\254\231\2045*@\271;S\237\15\333[o\322\23[.\376\31\373\263\353D\274G\332l\353\227\26\260\320X:R\320``\372\264!\33`7\3O\377\3516\25f\211I\16o\261*\340\16:\11\364-'y\20\232\367\315\266h\244\4\21\226]\307\0vMoU@\244B*g\251\314\26f\375\7\253\322Yx\4\245%L\247,\253AH\2065\2309\267\343\336j\233\253\233\354\200\3069\321\275\355\223\234\254\257_\0=\332\25\350\21\335\0\330\302\275t\322\226\37068", ) )-\2555\346!.\13&/\300\200\300'g&G-Z\254SI\200\12s\246\34\266\230+\226\13!'>\373y\374.v[\313\252i^,\2171\251\361\35\214K\325G\2d\355\351\32\352\246\223B\311\273\353{[\33{\31\2403\33\353i\211\277\350]-\375t\355\357L!\6\364+{\375\257\346\5zK\250\377C\200\207N\10\14\374\360\10\12K\364{+\313\266\272\247\237\364\276g{\240L\375\333\326CtlC\222\340\4\0U\375W/B\214H\207~\332W8u\337\243\310R\225W8G\214M\205\311J$\210ivPw5\243\377\341o\241\313\346\2570k\233f\327m\243u\257E,\253j=\272\304\234}z\230o{\360? \371`\355\273\177\310\212\361\371\246\316\36$X\236Fw\302\15\300a\246\36{\35]d?\17\371'p\0\351As\1\254\335\262\22\314\243\250^Q\254\231\2045*@\271;S\237\15\333[o\322\23[.\376\31\373\263\353D\274G\332l\353\227\26\260\320X:R\320``\372\264!\33`7\3O\377\3516\25f\211I\16o\261*\340\16:\11\364-'y\20\232\367\315\266h\244\4\21\226]\307\0vMoU@\244B*g\251\314\26f\375\7\253\322Yx\4\245%L\247,\253AH\2065\2309\267\343\336j\233\253\233\354\200\3069\321\275\355\223\234\254\257_\0=\332\25\350\21\335\0\330\302\275t\322\226\37068", ) == 0x0
 00494   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00495   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "q\302\251#O\275\253\11\326\201\271\345\12\242\302y\10o\352\307.\317p\341p\217\351|o\245\351.6\273~&M\6\203{/\37\250\270`\241\323%/\21\272\273\347\365Mw\270 \33\30y\25\332\263\251\247\342\34\247\277\26\314(\27` f\373\360\301\370\5\261\233\3\240\215{\342\255\205Y\264\307w\334\262\205l\361\33x\306\210l\251\254]n\23J\264\210EzxT\313ta\336e\13\315\232\260\227\252;?A\262\304\255>\315\20:S\322[\333N_\32\262<\307`\246iCK\205\3618\205\254\204\305\314\216\5\5\336d\35Y\202\300fP@\360\207\271\31\341\23\353S\34\321\370~\331bF\262\265\5\303f\13L\25\262\263cD\215\206\242\15\215\336\347\256\355\322\14]\354\276\222\22\254\325v\346\214\3540\332c\33\302wd"q9\376P\370\335\362\177\237\33\344\317;+-\36>\12\300\263C:\333_J:n\343=n\247\201\4\336\227KmT\304\320\303\10d\3*X\264\276\241\236"C\30[\35\300\366\u\17$\360\304fXYoLh\342\236\260\265u-\2070Yd\237\246w\246\3435\304\12]\31X\203\32\265f\273{\214\204\272\342\342B`\266q\6\5\333$*\30"\4n\270\343\367d\363;\345V6\7\362|\335.\344>\25rF\364!`\254\353\315\342\24\270-\357\35\4\351_=h\315HF\265 \315H\300\22\347\2(\23\200 \6\317\374\213\342\254jX\326/\316Ib\364\214\362|M\10\2\274=\217ib\303\213\14\234\250n\333o\267\213\262a*\366\330d%Pt\S\325jd4\213\340<\1P\205\323\332\315\21\322\214\333\177\336d\375\30b;8|8\17*\357\356\34#i}\267|\2179\1770\370\7\220}\311\u\371\215xaB\343e\347#\7", ) q9\376P\370\335\362\177\237\33\344\317;+-\36>\12\300\263C:\333_J:n\343=n\247\201\4\336\227KmT\304\320\303\10d\3*X\264\276\241\236 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "q\302\251#O\275\253\11\326\201\271\345\12\242\302y\10o\352\307.\317p\341p\217\351|o\245\351.6\273~&M\6\203{/\37\250\270`\241\323%/\21\272\273\347\365Mw\270 \33\30y\25\332\263\251\247\342\34\247\277\26\314(\27` f\373\360\301\370\5\261\233\3\240\215{\342\255\205Y\264\307w\334\262\205l\361\33x\306\210l\251\254]n\23J\264\210EzxT\313ta\336e\13\315\232\260\227\252;?A\262\304\255>\315\20:S\322[\333N_\32\262<\307`\246iCK\205\3618\205\254\204\305\314\216\5\5\336d\35Y\202\300fP@\360\207\271\31\341\23\353S\34\321\370~\331bF\262\265\5\303f\13L\25\262\263cD\215\206\242\15\215\336\347\256\355\322\14]\354\276\222\22\254\325v\346\214\3540\332c\33\302wd"q9\376P\370\335\362\177\237\33\344\317;+-\36>\12\300\263C:\333_J:n\343=n\247\201\4\336\227KmT\304\320\303\10d\3*X\264\276\241\236"C\30[\35\300\366\u\17$\360\304fXYoLh\342\236\260\265u-\2070Yd\237\246w\246\3435\304\12]\31X\203\32\265f\273{\214\204\272\342\342B`\266q\6\5\333$*\30"\4n\270\343\367d\363;\345V6\7\362|\335.\344>\25rF\364!`\254\353\315\342\24\270-\357\35\4\351_=h\315HF\265 \315H\300\22\347\2(\23\200 \6\317\374\213\342\254jX\326/\316Ib\364\214\362|M\10\2\274=\217ib\303\213\14\234\250n\333o\267\213\262a*\366\330d%Pt\S\325jd4\213\340<\1P\205\323\332\315\21\322\214\333\177\336d\375\30b;8|8\17*\357\356\34#i}\267|\2179\1770\370\7\220}\311\u\371\215xaB\343e\347#\7", ) \4n\270\343\367d\363;\345V6\7\362|\335.\344>\25rF\364!`\254\353\315\342\24\270-\357\35\4\351_=h\315HF\265 \315H\300\22\347\2(\23\200 \6\317\374\213\342\254jX\326/\316Ib\364\214\362|M\10\2\274=\217ib\303\213\14\234\250n\333o\267\213\262a*\366\330d%Pt\S\325jd4\213\340<\1P\205\323\332\315\21\322\214\333\177\336d\375\30b;8|8\17*\357\356\34#i}\267|\2179\1770\370\7\220}\311\u\371\215xaB\343e\347#\7", ) == 0x0
 00496   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00497   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\3;\20\251\215+\12\334\345W\350\260\246=\34f\200N\14Z\177j\324\245\212\237\377\356\360\322AL#\360\275\261\345`\250\261\213\231+\251\3639 rf\225\342,\30\273R\362\263\340\373\376\302\200\225\272e\332\10R}-j\312\326K\201\226\200J\57@U\32\365\WX\215\14\22m\211N\21\235\231J%\3019\353\341+}6N\364"\16\377\212\212\22\336|\337\345\252\353\274\37%Xe\12\267\214\352\355\312\200\317\233\330$\253\7\25m\206;j\350\355\206u0\32\361[{iO\1\3534\242\325\364\13\322tmX\241\21C\343\4\11\335\13\2\237\266I'\223W\301\16\206'\305p\3\241\255;\13\15\275Kk\177\263\365\212\310\215\203\13\25\362q\3$\360\352xzi1\357@\225\25\23;\213\312'"\33\0'\31\311?\317<\253{S2\311 c\345\260\222JV\206\7\260\271\345\2426\20\32\260\337\205\376\354\321\0\267\25\35337B\251\342\220\372*\36Z(\6\200\265\226\2tw]gPs\237b'\240\225\242;^-7\310n\31[\366O\15\300\335\242\343\4\322\200\347\204Y\376S\27\347\375S\221\357\7\372&\334\256\177\275", ) \16\377\212\212\22\336|\337\345\252\353\274\37%Xe\12\267\214\352\355\312\200\317\233\330$\253\7\25m\206;j\350\355\206u0\32\361[{iO\1\3534\242\325\364\13\322tmX\241\21C\343\4\11\335\13\2\237\266I'\223W\301\16\206'\305p\3\241\255;\13\15\275Kk\177\263\365\212\310\215\203\13\25\362q\3$\360\352xzi1\357@\225\25\23;\213\312' (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\3;\20\251\215+\12\334\345W\350\260\246=\34f\200N\14Z\177j\324\245\212\237\377\356\360\322AL#\360\275\261\345`\250\261\213\231+\251\3639 rf\225\342,\30\273R\362\263\340\373\376\302\200\225\272e\332\10R}-j\312\326K\201\226\200J\57@U\32\365\WX\215\14\22m\211N\21\235\231J%\3019\353\341+}6N\364"\16\377\212\212\22\336|\337\345\252\353\274\37%Xe\12\267\214\352\355\312\200\317\233\330$\253\7\25m\206;j\350\355\206u0\32\361[{iO\1\3534\242\325\364\13\322tmX\241\21C\343\4\11\335\13\2\237\266I'\223W\301\16\206'\305p\3\241\255;\13\15\275Kk\177\263\365\212\310\215\203\13\25\362q\3$\360\352xzi1\357@\225\25\23;\213\312'"\33\0'\31\311?\317<\253{S2\311 c\345\260\222JV\206\7\260\271\345\2426\20\32\260\337\205\376\354\321\0\267\25\35337B\251\342\220\372*\36Z(\6\200\265\226\2tw]gPs\237b'\240\225\242;^-7\310n\31[\366O\15\300\335\242\343\4\322\200\347\204Y\376S\27\347\375S\221\357\7\372&\334\256\177\275", ) , ) == 0x0
 00498   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00499   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "l^\263H\33\7\301\277\246\354I\210\263.\346\327=\362\333\337ym\243d|\364C`8\250\337au\277\326\377x}\210'\326\367R\212"\254\224\200\207\247\345\375\264\367\323\4m2!\215H\311_?iX\346I.\347\36\3361\337\300\14\262\302i\25\36\241\231L\215\244\21\4\251\323\312\4\304\16\231do\210\34\2MQ\2512L\357\320\31(H%5\234\356\245Wf\277\37h\344N\343NT\310\2\325\303U8=T&T\355\266\217\261\370\232\33R\325r\33\275Y\33|v;B\217\370\335\346M\23\0\236\79*c\376\237-\374\216\331\215\23U\316v\4,\2610\32n\343\0\24\244g\254\215*\225 N\17z\3\214p\265\201tL\30\36\2043\244\223o\16h}\32\331\5\243 \233O]\2\3239\16\272Z\323"q\360#\354fO)ne\37j\12\204deIY\233\250\3l%\242\26\236\263\32362}R0\22Y]\213\322\226\364\220\344\2648\32*\340\226\372\312Y\370\307\341\277yD|\340H<\356\376\177Co\27\373j\376\312\370&\347~*"\20\276\236Cf\315gtu\200\224\257j/\4\272|,(\4\344\375,\351'\203\250\35\205\334d\270\226*W\344\376U\223CjU\243\0\34\210\223\370\13m\210M\226\337\322kJ\250\356\344H=\330<\31\241\341\343\230\25\257\224\16\355\252p\265&\252 \22\355\257\30\212\213\2727J\224\300\362v6\341S)*e\16n\11g\353W_~Hk\36i(f.9\362k\257L\350r'4R/\35\322h\32\333\243\246\354l\343m\376\24\3\214\250\207*\24&~\370T\236h\2030\5\257k\311}dL\357l\205dah\275\326on\3423a?|\11H~\212\300\360^9\17\24R\255-`\255\205#`I\265Z\30", ) \254\224\200\207\247\345\375\264\367\323\4m2!\215H\311_?iX\346I.\347\36\3361\337\300\14\262\302i\25\36\241\231L\215\244\21\4\251\323\312\4\304\16\231do\210\34\2MQ\2512L\357\320\31(H%5\234\356\245Wf\277\37h\344N\343NT\310\2\325\303U8=T&T\355\266\217\261\370\232\33R\325r\33\275Y\33|v;B\217\370\335\346M\23\0\236\79*c\376\237-\374\216\331\215\23U\316v\4,\2610\32n\343\0\24\244g\254\215*\225 N\17z\3\214p\265\201tL\30\36\2043\244\223o\16h}\32\331\5\243 \233O]\2\3239\16\272Z\323 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "l^\263H\33\7\301\277\246\354I\210\263.\346\327=\362\333\337ym\243d|\364C`8\250\337au\277\326\377x}\210'\326\367R\212"\254\224\200\207\247\345\375\264\367\323\4m2!\215H\311_?iX\346I.\347\36\3361\337\300\14\262\302i\25\36\241\231L\215\244\21\4\251\323\312\4\304\16\231do\210\34\2MQ\2512L\357\320\31(H%5\234\356\245Wf\277\37h\344N\343NT\310\2\325\303U8=T&T\355\266\217\261\370\232\33R\325r\33\275Y\33|v;B\217\370\335\346M\23\0\236\79*c\376\237-\374\216\331\215\23U\316v\4,\2610\32n\343\0\24\244g\254\215*\225 N\17z\3\214p\265\201tL\30\36\2043\244\223o\16h}\32\331\5\243 \233O]\2\3239\16\272Z\323"q\360#\354fO)ne\37j\12\204deIY\233\250\3l%\242\26\236\263\32362}R0\22Y]\213\322\226\364\220\344\2648\32*\340\226\372\312Y\370\307\341\277yD|\340H<\356\376\177Co\27\373j\376\312\370&\347~*"\20\276\236Cf\315gtu\200\224\257j/\4\272|,(\4\344\375,\351'\203\250\35\205\334d\270\226*W\344\376U\223CjU\243\0\34\210\223\370\13m\210M\226\337\322kJ\250\356\344H=\330<\31\241\341\343\230\25\257\224\16\355\252p\265&\252 \22\355\257\30\212\213\2727J\224\300\362v6\341S)*e\16n\11g\353W_~Hk\36i(f.9\362k\257L\350r'4R/\35\322h\32\333\243\246\354l\343m\376\24\3\214\250\207*\24&~\370T\236h\2030\5\257k\311}dL\357l\205dah\275\326on\3423a?|\11H~\212\300\360^9\17\24R\255-`\255\205#`I\265Z\30", ) \20\276\236Cf\315gtu\200\224\257j/\4\272|,(\4\344\375,\351'\203\250\35\205\334d\270\226*W\344\376U\223CjU\243\0\34\210\223\370\13m\210M\226\337\322kJ\250\356\344H=\330<\31\241\341\343\230\25\257\224\16\355\252p\265&\252 \22\355\257\30\212\213\2727J\224\300\362v6\341S)*e\16n\11g\353W_~Hk\36i(f.9\362k\257L\350r'4R/\35\322h\32\333\243\246\354l\343m\376\24\3\214\250\207*\24&~\370T\236h\2030\5\257k\311}dL\357l\205dah\275\326on\3423a?|\11H~\212\300\360^9\17\24R\255-`\255\205#`I\265Z\30", ) == 0x0
 00500   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00501   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\26\315E\230%\343\4\374y_D{%\276#S\36\301\2t8\1\212,O\362&\4\7\375\222b\21\364\354S?\341\230P28\205\220\325\16\252\221\330 ni\200&\306\354\347\355:\255\300SaX\343f?\22 \242M\367i\213\277\256\201\11\272\16\316v\16Ag\3", ) \230P28\205\220\325\16\252\221\330 ni\200&\3066\270\236\205j=k|+\332A\12\4\257\334\252\331\0\311G\262S\36G\251\367j\3l\317\17\236Bf\331lk\241g\20~\271\331,\245\37\177\30v\215K\313\334\201\240$J\205C,B\271\360\0\14z\232\202>\354\347\355:\255\300SaX\343f?\22 \242M\367i\213\277\256\201\11\272\16\316v\16Ag\3", ) == 0x0
 00502   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00503   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "{J\244o\353\217z1\265Fk\314r\371x\32\1\333\12'\275\200\317Pr\5\233\354A\327?\36\241\3652>\33sy\234\214\244\7\1j\22' \330\371g\360_\252\221\17$\341\301~N\266\360l7\325\202P%\261e\212\261g"\25\2221QP?\336\274\16\177\254i\216\341\344~\4\315\216\23\203{\255\314\322\362\205h0M\316`|r+d8\240\252{\213+]\353\0B3\06~\320\277H\20hv ;]\261\25\377\237\321d\25\355u\325\10\177\237Yf\257\373C`\224h\4k\346\301`\34\236\253\303\10Ap\311\273\300\333h\312\241~<\374\370\265\222\214\275sI\265c\35\11\356lA\336\3\17\316_\336\265K\206b\345/\3\346d`\2118\224\275\23-\32791\376$&\354\245\325\207\205\276>\343\\270\267,`*Bj1u?9\350\372\235\207E\0vK\1i\323\20\321"\254\5z\326\234\217\27\37\317/K\31x\343Lw\251[\37\232\215K\200\222\257\274\25&l\211\262\274\357?\27`\275\177h;\204+\0\245\233\236$x\3\340\1\274]\237z\257\266`\200)\251\3169|\245\213%C]\217\200\32\274\317\344\271\261O1\17 @\364\251\337\312\322\336\3A{w\254:E|\377\346H?\201\222\332\266\246P\203;\256\20.)N\34\24\370\245s`\261\312\276#g\325\341\206\251r\2724\2z\263\22\221~!\3336\256`\372F\350\221\232\317\262\304\300O\333\331\3f\246c$@\341\23\24\31\267r\177\250\365g\11\255@\234\336\310\5\357\\266\351\3045?\201\360\220\234\270s5\352\203\271\251\324\33\245?\352\206wE\23\274)P\203\353\34u\233\252P\271\320\257)\242g\7\353\200\322\371\204\2o\305|\13G\367\232=\226p\331\375\344\374\355\246\3518\363\14", ) \25\2221QP?\336\274\16\177\254i\216\341\344~\4\315\216\23\203{\255\314\322\362\205h0M\316`|r+d8\240\252{\213+]\353\0B3\06~\320\277H\20hv ;]\261\25\377\237\321d\25\355u\325\10\177\237Yf\257\373C`\224h\4k\346\301`\34\236\253\303\10Ap\311\273\300\333h\312\241~<\374\370\265\222\214\275sI\265c\35\11\356lA\336\3\17\316_\336\265K\206b\345/\3\346d`\2118\224\275\23-\32791\376$&\354\245\325\207\205\276>\343\\270\267,`*Bj1u?9\350\372\235\207E\0vK\1i\323\20\321 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "{J\244o\353\217z1\265Fk\314r\371x\32\1\333\12'\275\200\317Pr\5\233\354A\327?\36\241\3652>\33sy\234\214\244\7\1j\22' \330\371g\360_\252\221\17$\341\301~N\266\360l7\325\202P%\261e\212\261g"\25\2221QP?\336\274\16\177\254i\216\341\344~\4\315\216\23\203{\255\314\322\362\205h0M\316`|r+d8\240\252{\213+]\353\0B3\06~\320\277H\20hv ;]\261\25\377\237\321d\25\355u\325\10\177\237Yf\257\373C`\224h\4k\346\301`\34\236\253\303\10Ap\311\273\300\333h\312\241~<\374\370\265\222\214\275sI\265c\35\11\356lA\336\3\17\316_\336\265K\206b\345/\3\346d`\2118\224\275\23-\32791\376$&\354\245\325\207\205\276>\343\\270\267,`*Bj1u?9\350\372\235\207E\0vK\1i\323\20\321"\254\5z\326\234\217\27\37\317/K\31x\343Lw\251[\37\232\215K\200\222\257\274\25&l\211\262\274\357?\27`\275\177h;\204+\0\245\233\236$x\3\340\1\274]\237z\257\266`\200)\251\3169|\245\213%C]\217\200\32\274\317\344\271\261O1\17 @\364\251\337\312\322\336\3A{w\254:E|\377\346H?\201\222\332\266\246P\203;\256\20.)N\34\24\370\245s`\261\312\276#g\325\341\206\251r\2724\2z\263\22\221~!\3336\256`\372F\350\221\232\317\262\304\300O\333\331\3f\246c$@\341\23\24\31\267r\177\250\365g\11\255@\234\336\310\5\357\\266\351\3045?\201\360\220\234\270s5\352\203\271\251\324\33\245?\352\206wE\23\274)P\203\353\34u\233\252P\271\320\257)\242g\7\353\200\322\371\204\2o\305|\13G\367\232=\226p\331\375\344\374\355\246\3518\363\14", ) , ) == 0x0
 00504   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00505   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "o\14\224N\312xc\221\260\17\262\262)@qE\354r\367\346\232n4\314 \351:\341\343\331C\0\3012\205\20\215X\31K\347G\13\305\253\353\1\367\355\325&I\254i\20>\303\12\315\252\336$6\346*c\370\205\253Q\7\325X;\201\3\256\212\367T\257\360\315:\334\36\32\7\37\371\254<\367w\254/*\274/\372\201\33x\357p|\367<\260E\14\334\351\337\254"\253X\204\337\307"\23\246c0\251\260\5M\330\200%(\20\230\225\232E\36(\244\300\6T\341\276\330\254A \347\246wFm\25\226\11\31\355\254F*\263\213?\3621\236m\200\236K&f\2503sb\327\340\300f\225s*\214\363\17V\365\263\272\352\254\223(\270s\315\200F@a~\32\\265g\320B-'\204O\22\6\2\202-'\37/\321\307\360u\246  L\357\363\33\32\201\360[V\300\313 \240\250\177\24\216\350\257\262v\265\30KIf\275\257b\241g\30l\271\10\7\205;Pud\245\346_zJ}\212\343\330\306\211\11Q,\327)\7\235\276\16\232\17\353ygx\30p\265\351\220\363\331g\301\236)\361\20{\344\207O.\25\375\252\301\270\340Dv'1\316\0\36\3465\232\243\213/\241e\33d\321\260Y\35\32)\2$\265x\10\316\375\334Q\334\201\260\22\5\214\177\14v\265\26\266\266\337g\30C\26#Pf\351Ga\242\240\353[\231\370\246\22M\367 \270\27\227\205\12t\357\334\232\254\322A[U\33h~'Qn\370E\317y|\24M\232\261y\217\237\307n\277`\222\236uK\237\3\334Z\316,\257\369n\354\247\326\307\371@\204]\256\3001\336M\345\341n\374\254Z/\221\223\200\323Y\13\366D#+ \\242\344\370\221\271\236\222`m\257\3\34\265P\306\256\301\374mwsC8c}\242N", ) \253X\204\337\307 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "o\14\224N\312xc\221\260\17\262\262)@qE\354r\367\346\232n4\314 \351:\341\343\331C\0\3012\205\20\215X\31K\347G\13\305\253\353\1\367\355\325&I\254i\20>\303\12\315\252\336$6\346*c\370\205\253Q\7\325X;\201\3\256\212\367T\257\360\315:\334\36\32\7\37\371\254<\367w\254/*\274/\372\201\33x\357p|\367<\260E\14\334\351\337\254"\253X\204\337\307"\23\246c0\251\260\5M\330\200%(\20\230\225\232E\36(\244\300\6T\341\276\330\254A \347\246wFm\25\226\11\31\355\254F*\263\213?\3621\236m\200\236K&f\2503sb\327\340\300f\225s*\214\363\17V\365\263\272\352\254\223(\270s\315\200F@a~\32\\265g\320B-'\204O\22\6\2\202-'\37/\321\307\360u\246  L\357\363\33\32\201\360[V\300\313 \240\250\177\24\216\350\257\262v\265\30KIf\275\257b\241g\30l\271\10\7\205;Pud\245\346_zJ}\212\343\330\306\211\11Q,\327)\7\235\276\16\232\17\353ygx\30p\265\351\220\363\331g\301\236)\361\20{\344\207O.\25\375\252\301\270\340Dv'1\316\0\36\3465\232\243\213/\241e\33d\321\260Y\35\32)\2$\265x\10\316\375\334Q\334\201\260\22\5\214\177\14v\265\26\266\266\337g\30C\26#Pf\351Ga\242\240\353[\231\370\246\22M\367 \270\27\227\205\12t\357\334\232\254\322A[U\33h~'Qn\370E\317y|\24M\232\261y\217\237\307n\277`\222\236uK\237\3\334Z\316,\257\369n\354\247\326\307\371@\204]\256\3001\336M\345\341n\374\254Z/\221\223\200\323Y\13\366D#+ \\242\344\370\221\271\236\222`m\257\3\34\265P\306\256\301\374mwsC8c}\242N", ) , ) == 0x0
 00506   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00507   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\4\251\231\30\20C\350\332/\15\277|\346\242\330\237\240\317\16\204\206M\250{\345\241.\332\45\2400\350|R\35\177:\213D}"\247]\356z\17DF:\25"\316\326\36\15\34\254\25\3483"\217\310\0\223\226{\200\354f3a\257\353\36\267\362\14~\244`\25\242\250\3378ql\17\333 u\24\360`\257?\5\255 D\370Czh\11\304\344\30\267\304`?\23q\213(\271\250-1Q\236\273\10\275\377\321\351\233\347IQ\234"\337\3577fE\347\341#/\373\343SV\3523z\2340\244\247'i\216\320=_\262@%\323\1\254,\220Wd\2434\343\20\244\254\20fF\2700l\225\352m\332\270\215\216@_\372\217\351\200i~k&n\340\330\361\372\311\202;\332\30%\273\377\13\222Y\353\3|p@\336\32~B\221\370\371nDLUZ!\356,p\234\177x#\26\1\251\320\235\357\243\372\35\267\311\343K\370\321\207\250\26\274bE\377]w\330\225?\31\263\262\316\234\31#\364>\211\222ZA*\220\7J\3\2231\252Lz\314\210|a\251o\373\376ed\267\247\277\343!\332OX\5\214\177m\32E\207tbq\2610\30g\3706\364\347\335\26\254\344(\26\10\10,\241\265\254\366\353\16\250\340\177\243\314\205]\25\206\3206dJ\317!\365\236\353CD\25\33\366\353Y*\2748V$\23\344\212g\35y\23\211S\364\352\3509\24\332\272\321\222N-\300\4\246\317(`\237y\225\00\247/\211\214=^\375j\213\53\21}\20\14L\254\237\256x\2bsf\206\234a\255\377\3268y\226\245\302\237\264h\307\237\371\177\217.\201jsb\253\313\350O,\250f\366q7\276\223\244\37\14\10R\242\4\205\275\342Pe\254m\3>\207*=?\242+S&\214\354\214\335>\323Do\212J\353", ) \247]\356z\17DF:\25 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\4\251\231\30\20C\350\332/\15\277|\346\242\330\237\240\317\16\204\206M\250{\345\241.\332\45\2400\350|R\35\177:\213D}"\247]\356z\17DF:\25"\316\326\36\15\34\254\25\3483"\217\310\0\223\226{\200\354f3a\257\353\36\267\362\14~\244`\25\242\250\3378ql\17\333 u\24\360`\257?\5\255 D\370Czh\11\304\344\30\267\304`?\23q\213(\271\250-1Q\236\273\10\275\377\321\351\233\347IQ\234"\337\3577fE\347\341#/\373\343SV\3523z\2340\244\247'i\216\320=_\262@%\323\1\254,\220Wd\2434\343\20\244\254\20fF\2700l\225\352m\332\270\215\216@_\372\217\351\200i~k&n\340\330\361\372\311\202;\332\30%\273\377\13\222Y\353\3|p@\336\32~B\221\370\371nDLUZ!\356,p\234\177x#\26\1\251\320\235\357\243\372\35\267\311\343K\370\321\207\250\26\274bE\377]w\330\225?\31\263\262\316\234\31#\364>\211\222ZA*\220\7J\3\2231\252Lz\314\210|a\251o\373\376ed\267\247\277\343!\332OX\5\214\177m\32E\207tbq\2610\30g\3706\364\347\335\26\254\344(\26\10\10,\241\265\254\366\353\16\250\340\177\243\314\205]\25\206\3206dJ\317!\365\236\353CD\25\33\366\353Y*\2748V$\23\344\212g\35y\23\211S\364\352\3509\24\332\272\321\222N-\300\4\246\317(`\237y\225\00\247/\211\214=^\375j\213\53\21}\20\14L\254\237\256x\2bsf\206\234a\255\377\3268y\226\245\302\237\264h\307\237\371\177\217.\201jsb\253\313\350O,\250f\366q7\276\223\244\37\14\10R\242\4\205\275\342Pe\254m\3>\207*=?\242+S&\214\354\214\335>\323Do\212J\353", ) \217\310\0\223\226{\200\354f3a\257\353\36\267\362\14~\244`\25\242\250\3378ql\17\333 u\24\360`\257?\5\255 D\370Czh\11\304\344\30\267\304`?\23q\213(\271\250-1Q\236\273\10\275\377\321\351\233\347IQ\234 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\4\251\231\30\20C\350\332/\15\277|\346\242\330\237\240\317\16\204\206M\250{\345\241.\332\45\2400\350|R\35\177:\213D}"\247]\356z\17DF:\25"\316\326\36\15\34\254\25\3483"\217\310\0\223\226{\200\354f3a\257\353\36\267\362\14~\244`\25\242\250\3378ql\17\333 u\24\360`\257?\5\255 D\370Czh\11\304\344\30\267\304`?\23q\213(\271\250-1Q\236\273\10\275\377\321\351\233\347IQ\234"\337\3577fE\347\341#/\373\343SV\3523z\2340\244\247'i\216\320=_\262@%\323\1\254,\220Wd\2434\343\20\244\254\20fF\2700l\225\352m\332\270\215\216@_\372\217\351\200i~k&n\340\330\361\372\311\202;\332\30%\273\377\13\222Y\353\3|p@\336\32~B\221\370\371nDLUZ!\356,p\234\177x#\26\1\251\320\235\357\243\372\35\267\311\343K\370\321\207\250\26\274bE\377]w\330\225?\31\263\262\316\234\31#\364>\211\222ZA*\220\7J\3\2231\252Lz\314\210|a\251o\373\376ed\267\247\277\343!\332OX\5\214\177m\32E\207tbq\2610\30g\3706\364\347\335\26\254\344(\26\10\10,\241\265\254\366\353\16\250\340\177\243\314\205]\25\206\3206dJ\317!\365\236\353CD\25\33\366\353Y*\2748V$\23\344\212g\35y\23\211S\364\352\3509\24\332\272\321\222N-\300\4\246\317(`\237y\225\00\247/\211\214=^\375j\213\53\21}\20\14L\254\237\256x\2bsf\206\234a\255\377\3268y\226\245\302\237\264h\307\237\371\177\217.\201jsb\253\313\350O,\250f\366q7\276\223\244\37\14\10R\242\4\205\275\342Pe\254m\3>\207*=?\242+S&\214\354\214\335>\323Do\212J\353", ) , ) == 0x0
 00508   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00509   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "}\212x\223\25\2047\15\224E\24\3a\354\316\240\3\300\253+W\211\267?'\27F\335\300]\11\2153\203\251\10\225\245\36\323Z`\34\367\243\212H\363\201\356\2704#\263q$N\376Kw\230n-O\314y7\273\205`\335\306zU0\373%\227\237\212H-\227+\20\251Fu\262\237\217\271\363\33\275.\306\354-0?T\247\232\333\316:^='\35\214\250\327\340-5\273\224[\205%\310\303\221\323\343\12\250\266\27\147q\224M\266\323\0\245\224\330\235\353cRf\261\255I\25\22\205\354\271cu;CCp\246 \21\216\323Z}\334\263\313\212\332\246\0\271h\7\36\353p0a\27O\366\261\25>Nd\262\246_\347M\4\275>.\320\245XF\307\371#\322teM\3038\376p\371B\301\206O\301\7m\343\202\345F\10\330R}\16u\10N\364l\220muL\313\234\240\244\370\254Fh3z\35\32L\15\226k\323f\3.\304\255C\320\201\33\267\202D.@\265\203\331?\7m{M\350&i\336kl\223\20\23D\236\227\206\200\264\370\267L\2411&t\227\333C&\1\13\261\13\33\330\2676\266\202\365\376\231\350\261\317\26A\32\244\261\273\200U\264u\210 \20\3\221@t\202J6\341D{H\267\300\206\251\353\344a\313n\360\203\32\2610^L\12\353\m\301\213\212\256\26\10\27\14\215\3403_\351;\23\241P\4\226\323\220\27\24\277\30'X\226h5\34\210\255Dh\255$xcS\212n\221Jl\22W\332\206\353q\313\254\245_\255\12\13\1\35\334^\321?O\31N\15\232\333U\15\3\360uU\15\301\204\307\342\7~M\223\3\346\376i\303/di\340\303\257R\310eg\26\2015<\177\373\27\252\35\367\266.\261\12\356\0[\12\10\246&|\226[Pzj\321t\277`\354F!", ) , ) == 0x0
 00510   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00511   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "^\214C\336\370\241\200'x\256=\15\350S\374\254c\261|\213\261\226\200u\2548}\13D\23\256\237\202\213_7d\364\253Z5}\220\213\1Y@\240\6\31l \256!\4\25\236j\4Q\306\246w0\274\322\255*\3703\273o\323\263\31.\35n)\326\351\17\20\37N]\353\370\247\340\377mc*\304\30\206Y\27Ub\226)x\255\322\266\363\213\177A\324\330\272(\314(\245\213\205-=\24|\5\27748\207S\331\352Fgn=\355\333F\222\266P\373\33(\277\221\307\373\304YM\360\342\30\363\223\266\236h\204\352\306Z,\215L342;y~\323GP\317P\254\242\316x$\356\224h\350nC\312\272&Z\220_o3\345_;E\210`\4\333\253\276\337\251$he\3709uq\325n\315H\352o$7\257\207\24\31\333\2600\267-I\243\202%cR*\251P\270\217!6\350\200\256\256\211\233&vTy\267\25N\205\374\231s\341C\34\14\262\200G\200m\333P\31\31\226Pc\306\327\363\333\350$n\24b\333Pb\355\20Gt8\337\356\12\251x\12\234\324\250.\250\366\242\264\251\214i\304\2526\330\314QW\350\4k\257\10\324\31`\244k\360o\351{\344x\254V\334f\240\305[\321=\313\105}\340\352\357/\5[\277Hk\376m\241\352\302[6\20\233c,\211\16\250\224/(\202\3154T\377h.\213[c\342\216L\315W\316\20\21\335\335\4\316\220\217\30\247\266;\25\245\322/a\272\267\213kR\35\369\275@\3739\34vv\320\376\253B\313Fb6K\244\341\317`\24\327\210\234\264]&E\30\230\241\357K\242\20\212\233_\235\205\256$\310\247\314\266F\230\206mA\352\225\275m\1\222w$\35\256\340\4UB\30\214", ) == 0x0
 00512   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00513   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "}\200\340\274\355\227U\334\223\230&\15d$j\241hq\255\0`\324\27\364\10fA\263\321"<\2\271\250\376\32\251\244\257\231\364\214c\17\352>L\353E\350\217\35>\206o\202\2277v\257>D\26\217f\375z0\374\264\35\11f#\377c1\216K \321b?p\366\37\245\207\35;\17\177\370\321\247-\346\361\335;\352Hu\0\257\345>|\305\225o\270\231\356F\17\12\371)\0Nn\204T_\273t\20\272\276\305\265$\253\314~d\2420\25"\314ttS\304\271\253\3\365\366>P\304-i\22\311+\320\220\26\263[\310\12\332`\230\227\15\342\312?\3003L\257g\375\320d\252\334S\303\257\233Zf\26\24\331N\5\376\202j\254\262\233/pX\213\244:\364#E-\224\260O\226\225rO\331F\375w\257\23\255C\212E7\202\300\6\261p\221\227\261\222\242-\257\15\221\374\177'"<\212\236\35H\340\325\275;\212\216Z\251\374#\360\15\253\226\32\4\231\343\341|\374h\352i\213il\201\3|\310\260\332\3\252`\4$rn\10f\241\375e7;L\20z\263s\347;\16Y{\215O\14F\346n\277+\247\240$\330\243\350/\245\15\255\323Q\5md\252\262[\315Bd\13\346\252\225\312\334\315/\27\221\270\5\257\33\36\340\205\10\242\274\363\10\6\364\26[r\357\360\237\253$\222=\224\374\234\3\346w\221&\26\14ET\354\367F]&\21\2L.\250m\330F\213\263\373\246\1b\267\243\1n,5\340\331`\211\200", ) <\2\271\250\376\32\251\244\257\231\364\214c\17\352>L\353E\350\217\35>\206o\202\2277v\257>D\26\217f\375z0\374\264\35\11f#\377c1\216K \321b?p\366\37\245\207\35;\17\177\370\321\247-\346\361\335;\352Hu\0\257\345>|\305\225o\270\231\356F\17\12\371)\0Nn\204T_\273t\20\272\276\305\265$\253\314~d\2420\25 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "}\200\340\274\355\227U\334\223\230&\15d$j\241hq\255\0`\324\27\364\10fA\263\321"<\2\271\250\376\32\251\244\257\231\364\214c\17\352>L\353E\350\217\35>\206o\202\2277v\257>D\26\217f\375z0\374\264\35\11f#\377c1\216K \321b?p\366\37\245\207\35;\17\177\370\321\247-\346\361\335;\352Hu\0\257\345>|\305\225o\270\231\356F\17\12\371)\0Nn\204T_\273t\20\272\276\305\265$\253\314~d\2420\25"\314ttS\304\271\253\3\365\366>P\304-i\22\311+\320\220\26\263[\310\12\332`\230\227\15\342\312?\3003L\257g\375\320d\252\334S\303\257\233Zf\26\24\331N\5\376\202j\254\262\233/pX\213\244:\364#E-\224\260O\226\225rO\331F\375w\257\23\255C\212E7\202\300\6\261p\221\227\261\222\242-\257\15\221\374\177'"<\212\236\35H\340\325\275;\212\216Z\251\374#\360\15\253\226\32\4\231\343\341|\374h\352i\213il\201\3|\310\260\332\3\252`\4$rn\10f\241\375e7;L\20z\263s\347;\16Y{\215O\14F\346n\277+\247\240$\330\243\350/\245\15\255\323Q\5md\252\262[\315Bd\13\346\252\225\312\334\315/\27\221\270\5\257\33\36\340\205\10\242\274\363\10\6\364\26[r\357\360\237\253$\222=\224\374\234\3\346w\221&\26\14ET\354\367F]&\21\2L.\250m\330F\213\263\373\246\1b\267\243\1n,5\340\331`\211\200", ) <\212\236\35H\340\325\275;\212\216Z\251\374#\360\15\253\226\32\4\231\343\341|\374h\352i\213il\201\3|\310\260\332\3\252`\4$rn\10f\241\375e7;L\20z\263s\347;\16Y{\215O\14F\346n\277+\247\240$\330\243\350/\245\15\255\323Q\5md\252\262[\315Bd\13\346\252\225\312\334\315/\27\221\270\5\257\33\36\340\205\10\242\274\363\10\6\364\26[r\357\360\237\253$\222=\224\374\234\3\346w\221&\26\14ET\354\367F]&\21\2L.\250m\330F\213\263\373\246\1b\267\243\1n,5\340\331`\211\200", ) == 0x0
 00514   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00515   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "MX~\205\10\353\227\6u\331\340\22kvcsAv\365\242\0\231QC\360\257\211\6\177Bk2\332\337\205/\303WP\373\31\17\26\31\336\274v\353\225\333\204\377\2Rl\16N\17\376\12U\340\223\177\376\256S\0n\34\36\213\332\377\220x\247\365\2460\262\312*`\205\\265\5f\32F\227\212+\367\231\313E\273\16\252\265\335\375\226\252\203\13\32\205rW{\360\300\200y\351\346_j\343\321\24\216\233A\32\244\370s\24\247\264\323?\\226\|\204\302\304\330\211,\353\14\266\275\213\202\16|\371\330\225\307m\304b\31\215o\217\300\374\267\355R\206h/\320n\5\326\367m\15\224\364\316\32\226Dy\17\345\2365N*/\362\3507\\223\226\377-\337\36\336I\333\17D-\34\30}.\27\223\241\373\10\201,\322\202t(\255v\247F-\352\21\315x`\14\25\200\260\213v\374<\341P\350t\2378j\270\364Q\234\300w\331<<\3JRf~\273hs_]\206?\224\322\220U\301\370\242\350%\322\317\365\360H)*\13o\347\362\3|\255\2426zU:n\311\5\372\12$\302\226\336)\36i\316}\20f\22~\265Q\237\320\200H\367\33f\204\363\313\347\4\370&\27\376\34\315\242\232ks\17zm\362Y:\303\1\257n\346r\3758a!]\353n\36PB\376\314T{\1\244\377*\301\220a\302"\16\274\223\273\352\314k,\346>h\370\33\234\231\2433\375:\351\305\315\250\202}\311S\213\244\27sOf\265j\3467\365?2\356\4\245\370:\37\273\262|\25\271\22y\231|(y\206\233\323\212\364\253c8\251\10\17h\236\374D\255\31`\260\306+3x=\270;\376\265\254\352{\371 w\224+\252j\1\23\273\366|J\201\203\0\32&Y]\4\261-\354\177YA\361\265\356\254k\201\333h\", ) \16\274\223\273\352\314k,\346>h\370\33\234\231\2433\375:\351\305\315\250\202}\311S\213\244\27sOf\265j\3467\365?2\356\4\245\370:\37\273\262|\25\271\22y\231|(y\206\233\323\212\364\253c8\251\10\17h\236\374D\255\31`\260\306+3x=\270;\376\265\254\352{\371 w\224+\252j\1\23\273\366|J\201\203\0\32&Y]\4\261-\354\177YA\361\265\356\254k\201\333h\", ) == 0x0
 00516   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00517   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\15\343s!B\226H\264\364\256\35B/\371`Dz\254\10t.\343\17tz\312*\14\246\310\246\4z\225H\220\302\346\374<\355\2117\310Q\345\202^\171\343\233,\365H\364-d\16(\22\344g\240\306\363?\5\35\262\243\3o\6!Dk\356s\316id\240Ho\256\16\30n\223O\313\314\207\263\7\276\177\341AD-\373\204*Wo\231\356fb:N\350=\7\267FEMB\332o\306eI'\201-\355\\3\230e1+-!`|\6\355%\232z\254\367\254\376:\232Ji\342\315\357?\360\275*\25\202:\274\235:h%\336\301kO\321\342J\233\16r/\24*\231cKhA\16\13*\275H8\335\272\242\215\352\356y\24*I\270\14\26\251yS+\245\320\11W8\367S[\350S\35\254\375\263Sr\302\233b:V\204\372\362\240E\306\362?a\322e\35/;\245\230E\266\302\272\267\242\331>\303\341\242_tA\224\372_+Q-\30\19!\232C, ) , ) == 0x0
 00518   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00519   368   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\364\355{\214l\261{\205\345\374p\27\256\226'8?\214\216R\3\12=\210\236\23h|\244\301\365\11N\363\373\346um\256h\230\242F\330~\234\333F\205Q'\15\12\246\20\301b\255\263\17R\247-\21\252\2737k\224\215\15As\254\277k&>a\345\215K\343a\1u`+e\301\335\214L\23{\201l\17\200\301\321\254\15@\322t@v\340\243\263\262N\355d\21\336\235\363\315$\237&\263\202\210\360@\26\243\355\14\247`y\226F\345e\13J\355\250@~\350\341\2617\266\352|\12\247b\221Y6n\20\311\2748\360\323n\331\11'\2467B\251\256u\357\331\241\255\217\220\357;\261\352\2077\203\17l)\20\344VM\364f/\301\211T\34\7\26\312#y\14H\336Z\353\371\257\360\11\0\211{s\257\203\21\266W\360EY\342\237\14\20\265\331;\5\335\247B\370\334\244\240\352y\31\244:b\211pB>\247?\20f\273oMh\374G\2ji\24dk\306\177\6(\11\373\11x\246\351\242\5\213u#7\260i=\206a\363\5\2178\2108~\266r\263k\342\37\242\204\277\375\260}\204^\26U\265m\2348\310P;\252\317'\20\342\276\310\10\16\36S$\302\212zI&5\0\4`\235\33\232C\326zncE\13\300\355\314[\211A\201\262\214\267\335\177\2\222\243H\250vo3\3372d\365-a\330\11\236+\373:\21j\263d\22,\241-@\21\377\331C\244\247\331\14\263\23c\322\336\178\344\3\251\7Y\255\6-\16\354\264\330%\363\242\311\336]\331\240F\277\301c6b\315\364)LP\321Ab\365\253\340\17\221*\315B:\326\2\14\374Wsz\251\232N\226\377\235h%73\237\177\224\231\1F\317\326\11\211\232\370\226\243qg\224g\360\263\222\257\37\17\20\231\2751x\330W}\4", ) , ) == 0x0
 00520   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00521   368   NtReadFile  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, ".\346k\0>\346k\0\12\366k\0\32\366k\0\212\304k\0\232\304k\0j\307k\0b\307k\0z\307k\0r\307k\0J\307k\0B\307k\0Z\307k\0R\307k\0*\307k\0"\307k\0\316\307k\0\332\307k\0\266\307k\0r\306k\0>\306k\0\306\306k\0\276\306k\0~\301k\0\376\301k\0\206\301k\0\352\303k\0\236\302k\0^\335k\0z\334k\0\316\334k\0\32\336k\0\22\330k\0*\332k\0F\325k\0\246\325k\0&\324k\0\346\324k\0\22\327k\0\362\327k\0\256\327k\0\236\327k\0\366\356n\0\216\356n\0\271\204l\0\205\204l\0l\207l\0t\207l\0Z\207l\0 \207l\0\7\207l\0\352\207l\0\316\207l\0\327\207l\0\272\207l\0\206\207l\0\220\207l\0|\206l\0F\206l\0/\206l\0>\206l\0\23\206l\0\370\206l\0\331\206l\0\277\206l\0\226\206l\0u\201l\0$\201l\0\1\201l\0\374\201l\0\257\201l\0\217\201l\0j\200l\0W\200l\0\11\200l\0\22\200l\0\374\200l\0\304\200l\0\256\200l\0\270\200l\0\202\200l\0o\203l\0t\203l\0A\203l\0*\203l\00\203l\0\27\203l\0\352\203l\0\344\203l\0\375\203l\0\361\203l\0r\255}\0y\255r\0z\255s\0{\255q\0j\255h\0f\255l\0h\255n\0E\255p\0s\255u\0J\255K\0F\255A\0G\255J\0M\255I\0q\255N\0H\255L\0}\255z\0|\255g\0~\255e\0a\255f\0e\255a\0g\255G\0n\255i\0o\255E\0C\255k\0n\255k\0n\255k\0n\255k@J\325\33$_\237%m\33\311\33@:\343&U*\375k@J\325\33$_\230%m", ) \307k\0\316\307k\0\332\307k\0\266\307k\0r\306k\0>\306k\0\306\306k\0\276\306k\0~\301k\0\376\301k\0\206\301k\0\352\303k\0\236\302k\0^\335k\0z\334k\0\316\334k\0\32\336k\0\22\330k\0*\332k\0F\325k\0\246\325k\0&\324k\0\346\324k\0\22\327k\0\362\327k\0\256\327k\0\236\327k\0\366\356n\0\216\356n\0\271\204l\0\205\204l\0l\207l\0t\207l\0Z\207l\0 \207l\0\7\207l\0\352\207l\0\316\207l\0\327\207l\0\272\207l\0\206\207l\0\220\207l\0|\206l\0F\206l\0/\206l\0>\206l\0\23\206l\0\370\206l\0\331\206l\0\277\206l\0\226\206l\0u\201l\0$\201l\0\1\201l\0\374\201l\0\257\201l\0\217\201l\0j\200l\0W\200l\0\11\200l\0\22\200l\0\374\200l\0\304\200l\0\256\200l\0\270\200l\0\202\200l\0o\203l\0t\203l\0A\203l\0*\203l\00\203l\0\27\203l\0\352\203l\0\344\203l\0\375\203l\0\361\203l\0r\255}\0y\255r\0z\255s\0{\255q\0j\255h\0f\255l\0h\255n\0E\255p\0s\255u\0J\255K\0F\255A\0G\255J\0M\255I\0q\255N\0H\255L\0}\255z\0|\255g\0~\255e\0a\255f\0e\255a\0g\255G\0n\255i\0o\255E\0C\255k\0n\255k\0n\255k\0n\255k@J\325\33$_\237%m\33\311\33@:\343&U*\375k@J\325\33$_\230%m", ) == 0x0
 00522   368   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00523   368   NtClose  (80, ... ) == 0x0
 00524   368   NtClose  (68, ... ) == 0x0
 00525   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00526   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00527   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0
 00528   368   NtClose  (68, ... ) == 0x0
 00529   368   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0
 00530   368   NtClose  (80, ... ) == 0x0
 00531   368   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00532   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00533   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00534   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00535   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0
 00536   368   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00537   368   NtClose  (80, ... ) == 0x0
 00538   368   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00539   368   NtMapViewOfSection  (68, -1, (0x860000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00540   368   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00541   368   NtClose  (68, ... ) == 0x0
 00542   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 8, ) == 0x0
 00543   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 8, ... (0x8d2000), 4096, 4, ) == 0x0
 00544   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00545   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00546   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00547   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00548   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00549   368   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00550   368   NtClose  (68, ... ) == 0x0
 00551   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00552   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00553   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00554   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00555   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00556   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00557   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00558   368   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00559   368   NtClose  (68, ... ) == 0x0
 00560   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00561   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00562   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00563   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00564   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00565   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00566   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00567   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00568   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00569   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00570   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00571   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00572   368   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   368   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0
 00576   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00577   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0
 00578   368   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00579   368   NtClose  (68, ... ) == 0x0
 00580   368   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00581   368   NtClose  (80, ... ) == 0x0
 00582   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00583   368   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00584   368   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00585   368   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 80, ) == 0x0
 00586   368   NtQueryInformationProcess  (80, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00587   368   NtClose  (80, ... ) == 0x0
 00588   368   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00589   368   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00590   368   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00591   368   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00592   368   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593   368   NtClose  (80, ... ) == 0x0
 00594   368   NtUserSystemParametersInfo  (41, 500, 1242460, 0, ... ) == 0x1
 00595   368   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00596   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00597   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00598   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03b
 00599   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00600   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03d
 00601   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00602   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00603   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03f
 00604   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00605   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00606   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc041
 00607   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00608   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00609   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc043
 00610   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00611   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc045
 00612   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00613   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00614   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc047
 00615   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00616   368   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00617   368   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810dc049
 00618   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00619   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00620   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04b
 00621   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00622   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00623   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04d
 00624   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00625   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00626   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04f
 00627   368   NtUserGetClassInfo  (1999896576, 1242872, 1242824, 1242900, 0, ... ) == 0x0
 00628   368   NtUserRegisterClassExWOW  (1242708, 1242788, 1242772, 1242804, 0, 384, 0, ... ) == 0x810dc051
 00629   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00630   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00631   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc053
 00632   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00633   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00634   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc055
 00635   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc057
 00636   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00637   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00638   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc059
 00639   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00640   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10013
 00641   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05b
 00642   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00643   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00644   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05d
 00645   368   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00646   368   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00647   368   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05f
 00648   368   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00649   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00650   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0
 00651   368   NtNotifyChangeKey  (84, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00652   368   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00653   368   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00654   368   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00655   368   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00656   368   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00657   368   NtQueryVirtualMemory  (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00658   368   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00659   368   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9371648, 1048576, ) == 0x0
 00660   368   NtAllocateVirtualMemory  (-1, 9371648, 0, 16384, 4096, 4, ... 9371648, 16384, ) == 0x0
 00661   368   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00662   368   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00663   368   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00664   368   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   368   NtOpenProcessToken  (-1, 0x8, ... 96, ) == 0x0
 00666   368   NtQueryInformationToken  (96, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00667   368   NtClose  (96, ... ) == 0x0
 00668   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00669   368   NtReleaseMutant  (16, ...
 00670   368   NtContinue  (-128868216, 0, ...
 00669   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00671   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\tka1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00678   368   NtReleaseMutant  (16, ...
 00679   368   NtContinue  (-128868216, 0, ...
 00678   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00680   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00681   368   NtReleaseMutant  (16, ...
 00682   368   NtContinue  (-128868216, 0, ...
 00681   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00683   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00684   368   NtReleaseMutant  (16, ...
 00685   368   NtContinue  (-128868216, 0, ...
 00684   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00686   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00687   368   NtReleaseMutant  (16, ...
 00688   368   NtContinue  (-128868216, 0, ...
 00687   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00689   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00690   368   NtReleaseMutant  (16, ...
 00691   368   NtContinue  (-128868216, 0, ...
 00690   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00692   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00693   368   NtReleaseMutant  (16, ...
 00694   368   NtContinue  (-128868216, 0, ...
 00693   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00695   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00696   368   NtReleaseMutant  (16, ...
 00697   368   NtContinue  (-128868216, 0, ...
 00696   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00698   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00699   368   NtReleaseMutant  (16, ...
 00700   368   NtContinue  (-128868216, 0, ...
 00699   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00701   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00702   368   NtReleaseMutant  (16, ...
 00703   368   NtContinue  (-128868216, 0, ...
 00702   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00704   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00705   368   NtReleaseMutant  (16, ...
 00706   368   NtContinue  (-128868216, 0, ...
 00705   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00707   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00708   368   NtReleaseMutant  (16, ...
 00709   368   NtContinue  (-128868216, 0, ...
 00708   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00710   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00711   368   NtReleaseMutant  (16, ...
 00712   368   NtContinue  (-128868216, 0, ...
 00711   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00713   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00714   368   NtReleaseMutant  (16, ...
 00715   368   NtContinue  (-128868216, 0, ...
 00714   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00716   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00717   368   NtReleaseMutant  (16, ...
 00718   368   NtContinue  (-128868216, 0, ...
 00717   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00719   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00720   368   NtReleaseMutant  (16, ...
 00721   368   NtContinue  (-128868216, 0, ...
 00720   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00722   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00723   368   NtReleaseMutant  (16, ...
 00724   368   NtContinue  (-128868216, 0, ...
 00723   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00725   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00726   368   NtReleaseMutant  (16, ...
 00727   368   NtContinue  (-128868216, 0, ...
 00726   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00728   368   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00729   368   NtReleaseMutant  (16, ...
 00730   368   NtContinue  (-128868216, 0, ...
 00729   368   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00731   368   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 96, ) == 0x0
 00732   368   NtUserGetDC  (0, ... ) == 0x1010052
 00733   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00734   368   NtUserGetDC  (0, ... ) == 0x1010052
 00735   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00736   368   NtGdiCreatePaletteInternal  (1241872, 16, ... ) == 0x3b080404
 00737   368   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00738   368   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00739   368   NtUserFindExistingCursorIcon  (1242268, 1242284, 1242852, ... ) == 0x10003
 00740   368   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\03\0C\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0
 00741   368   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\08\06\00\00\00\00\00\00\00\00\00\01\07\00\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0
 00742   368   NtUserSystemParametersInfo  (104, 0, 9376892, 0, ... ) == 0x1
 00743   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00744   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10023
 00745   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00746   368   NtUserGetDC  (0, ... ) == 0x1010052
 00747   368   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x80503f8
 00748   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00749   368   NtGdiSelectBitmap  (268501972, 134546424, ... ) == 0x185000f
 00750   368   NtGdiGetDCforBitmap  (134546424, ... ) == 0x100103d4
 00751   368   NtGdiSaveDC  (268501972, ... ) == 0x1
 00752   368   NtGdiSelectBitmap  (268501972, 134546424, ... ) == 0x80503f8
 00753   368   NtGdiGetDCObject  (268501972, 524288, ... ) == 0x188000b
 00754   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00755   368   NtGdiSetDIBitsToDeviceInternal  (268501972, 0, 0, 32, 64, 0, 0, 0, 64, 9188876, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00756   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00757   368   NtGdiSelectBitmap  (268501972, 134546424, ... ) == 0x80503f8
 00758   368   NtGdiRestoreDC  (268501972, -1, ... ) == 0x1
 00759   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x80503f8
 00760   368   NtGdiCreateCompatibleDC  (268501972, ... ) == 0x180103fe
 00761   368   NtGdiExtGetObjectW  (134546424, 24, 1241324, ... ) == 0x18
 00762   368   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x70503f9
 00763   368   NtGdiSelectBitmap  (268501972, 134546424, ... ) == 0x185000f
 00764   368   NtGdiSelectBitmap  (402719742, 117769209, ... ) == 0x185000f
 00765   368   NtGdiBitBlt  (402719742, 0, 0, 32, 64, 268501972, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00766   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x80503f8
 00767   368   NtGdiSelectBitmap  (402719742, 25493519, ... ) == 0x70503f9
 00768   368   NtGdiDeleteObjectApp  (134546424, ... ) == 0x1
 00769   368   NtGdiDeleteObjectApp  (402719742, ... ) == 0x1
 00770   368   NtUserCallOneParam  (0, 33, ... ) == 0x20075
 00771   368   NtUserSetCursorIconData  (131189, 1241432, 1241448, 1242028, ... ) == 0x1
 00772   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10029
 00773   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10027
 00774   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10025
 00775   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00776   368   NtUserGetDC  (0, ... ) == 0x1010052
 00777   368   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xe0503d7
 00778   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00779   368   NtGdiSelectBitmap  (268501972, 235209687, ... ) == 0x185000f
 00780   368   NtGdiGetDCforBitmap  (235209687, ... ) == 0x100103d4
 00781   368   NtGdiSaveDC  (268501972, ... ) == 0x1
 00782   368   NtGdiSelectBitmap  (268501972, 235209687, ... ) == 0xe0503d7
 00783   368   NtGdiGetDCObject  (268501972, 524288, ... ) == 0x188000b
 00784   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00785   368   NtGdiSetDIBitsToDeviceInternal  (268501972, 0, 0, 32, 64, 0, 0, 0, 64, 9189184, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00786   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00787   368   NtGdiSelectBitmap  (268501972, 235209687, ... ) == 0xe0503d7
 00788   368   NtGdiRestoreDC  (268501972, -1, ... ) == 0x1
 00789   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0xe0503d7
 00790   368   NtGdiCreateCompatibleDC  (268501972, ... ) == 0xa0103f8
 00791   368   NtGdiExtGetObjectW  (235209687, 24, 1241324, ... ) == 0x18
 00792   368   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x80503f3
 00793   368   NtGdiSelectBitmap  (268501972, 235209687, ... ) == 0x185000f
 00794   368   NtGdiSelectBitmap  (167838712, 134546419, ... ) == 0x185000f
 00795   368   NtGdiBitBlt  (167838712, 0, 0, 32, 64, 268501972, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00796   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0xe0503d7
 00797   368   NtGdiSelectBitmap  (167838712, 25493519, ... ) == 0x80503f3
 00798   368   NtGdiDeleteObjectApp  (235209687, ... ) == 0x1
 00799   368   NtGdiDeleteObjectApp  (167838712, ... ) == 0x1
 00800   368   NtUserCallOneParam  (0, 33, ... ) == 0x3006d
 00801   368   NtUserSetCursorIconData  (196717, 1241432, 1241448, 1242028, ... ) == 0x1
 00802   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00803   368   NtUserGetDC  (0, ... ) == 0x1010052
 00804   368   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1a0503fe
 00805   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00806   368   NtGdiSelectBitmap  (268501972, 436536318, ... ) == 0x185000f
 00807   368   NtGdiGetDCforBitmap  (436536318, ... ) == 0x100103d4
 00808   368   NtGdiSaveDC  (268501972, ... ) == 0x1
 00809   368   NtGdiSelectBitmap  (268501972, 436536318, ... ) == 0x1a0503fe
 00810   368   NtGdiGetDCObject  (268501972, 524288, ... ) == 0x188000b
 00811   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00812   368   NtGdiSetDIBitsToDeviceInternal  (268501972, 0, 0, 32, 64, 0, 0, 0, 64, 9189492, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00813   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00814   368   NtGdiSelectBitmap  (268501972, 436536318, ... ) == 0x1a0503fe
 00815   368   NtGdiRestoreDC  (268501972, -1, ... ) == 0x1
 00816   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x1a0503fe
 00817   368   NtGdiCreateCompatibleDC  (268501972, ... ) == 0x100103d7
 00818   368   NtGdiExtGetObjectW  (436536318, 24, 1241324, ... ) == 0x18
 00819   368   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xf050382
 00820   368   NtGdiSelectBitmap  (268501972, 436536318, ... ) == 0x185000f
 00821   368   NtGdiSelectBitmap  (268501975, 251986818, ... ) == 0x185000f
 00822   368   NtGdiBitBlt  (268501975, 0, 0, 32, 64, 268501972, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00823   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x1a0503fe
 00824   368   NtGdiSelectBitmap  (268501975, 25493519, ... ) == 0xf050382
 00825   368   NtGdiDeleteObjectApp  (436536318, ... ) == 0x1
 00826   368   NtGdiDeleteObjectApp  (268501975, ... ) == 0x1
 00827   368   NtUserCallOneParam  (0, 33, ... ) == 0x3006b
 00828   368   NtUserSetCursorIconData  (196715, 1241432, 1241448, 1242028, ... ) == 0x1
 00829   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00830   368   NtUserGetDC  (0, ... ) == 0x1010052
 00831   368   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xc0503f8
 00832   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00833   368   NtGdiSelectBitmap  (268501972, 201655288, ... ) == 0x185000f
 00834   368   NtGdiGetDCforBitmap  (201655288, ... ) == 0x100103d4
 00835   368   NtGdiSaveDC  (268501972, ... ) == 0x1
 00836   368   NtGdiSelectBitmap  (268501972, 201655288, ... ) == 0xc0503f8
 00837   368   NtGdiGetDCObject  (268501972, 524288, ... ) == 0x188000b
 00838   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00839   368   NtGdiSetDIBitsToDeviceInternal  (268501972, 0, 0, 32, 64, 0, 0, 0, 64, 9189800, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00840   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00841   368   NtGdiSelectBitmap  (268501972, 201655288, ... ) == 0xc0503f8
 00842   368   NtGdiRestoreDC  (268501972, -1, ... ) == 0x1
 00843   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0xc0503f8
 00844   368   NtGdiCreateCompatibleDC  (268501972, ... ) == 0x1c0103fe
 00845   368   NtGdiExtGetObjectW  (201655288, 24, 1241324, ... ) == 0x18
 00846   368   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x90503f5
 00847   368   NtGdiSelectBitmap  (268501972, 201655288, ... ) == 0x185000f
 00848   368   NtGdiSelectBitmap  (469828606, 151323637, ... ) == 0x185000f
 00849   368   NtGdiBitBlt  (469828606, 0, 0, 32, 64, 268501972, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00850   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0xc0503f8
 00851   368   NtGdiSelectBitmap  (469828606, 25493519, ... ) == 0x90503f5
 00852   368   NtGdiDeleteObjectApp  (201655288, ... ) == 0x1
 00853   368   NtGdiDeleteObjectApp  (469828606, ... ) == 0x1
 00854   368   NtUserCallOneParam  (0, 33, ... ) == 0x300a5
 00855   368   NtUserSetCursorIconData  (196773, 1241432, 1241448, 1242028, ... ) == 0x1
 00856   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00857   368   NtUserGetDC  (0, ... ) == 0x1010052
 00858   368   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x120503d7
 00859   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00860   368   NtGdiSelectBitmap  (268501972, 302318551, ... ) == 0x185000f
 00861   368   NtGdiGetDCforBitmap  (302318551, ... ) == 0x100103d4
 00862   368   NtGdiSaveDC  (268501972, ... ) == 0x1
 00863   368   NtGdiSelectBitmap  (268501972, 302318551, ... ) == 0x120503d7
 00864   368   NtGdiGetDCObject  (268501972, 524288, ... ) == 0x188000b
 00865   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00866   368   NtGdiSetDIBitsToDeviceInternal  (268501972, 0, 0, 32, 64, 0, 0, 0, 64, 9190108, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00867   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00868   368   NtGdiSelectBitmap  (268501972, 302318551, ... ) == 0x120503d7
 00869   368   NtGdiRestoreDC  (268501972, -1, ... ) == 0x1
 00870   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x120503d7
 00871   368   NtGdiCreateCompatibleDC  (268501972, ... ) == 0xe0103f8
 00872   368   NtGdiExtGetObjectW  (302318551, 24, 1241324, ... ) == 0x18
 00873   368   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x10050383
 00874   368   NtGdiSelectBitmap  (268501972, 302318551, ... ) == 0x185000f
 00875   368   NtGdiSelectBitmap  (234947576, 268764035, ... ) == 0x185000f
 00876   368   NtGdiBitBlt  (234947576, 0, 0, 32, 64, 268501972, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00877   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x120503d7
 00878   368   NtGdiSelectBitmap  (234947576, 25493519, ... ) == 0x10050383
 00879   368   NtGdiDeleteObjectApp  (302318551, ... ) == 0x1
 00880   368   NtGdiDeleteObjectApp  (234947576, ... ) == 0x1
 00881   368   NtUserCallOneParam  (0, 33, ... ) == 0x300a3
 00882   368   NtUserSetCursorIconData  (196771, 1241432, 1241448, 1242028, ... ) == 0x1
 00883   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00884   368   NtUserGetDC  (0, ... ) == 0x1010052
 00885   368   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x1e0503fe
 00886   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00887   368   NtGdiSelectBitmap  (268501972, 503645182, ... ) == 0x185000f
 00888   368   NtGdiGetDCforBitmap  (503645182, ... ) == 0x100103d4
 00889   368   NtGdiSaveDC  (268501972, ... ) == 0x1
 00890   368   NtGdiSelectBitmap  (268501972, 503645182, ... ) == 0x1e0503fe
 00891   368   NtGdiGetDCObject  (268501972, 524288, ... ) == 0x188000b
 00892   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00893   368   NtGdiSetDIBitsToDeviceInternal  (268501972, 0, 0, 32, 64, 0, 0, 0, 64, 9190724, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00894   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00895   368   NtGdiSelectBitmap  (268501972, 503645182, ... ) == 0x1e0503fe
 00896   368   NtGdiRestoreDC  (268501972, -1, ... ) == 0x1
 00897   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x1e0503fe
 00898   368   NtGdiCreateCompatibleDC  (268501972, ... ) == 0x140103d7
 00899   368   NtGdiExtGetObjectW  (503645182, 24, 1241324, ... ) == 0x18
 00900   368   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x50503f6
 00901   368   NtGdiSelectBitmap  (268501972, 503645182, ... ) == 0x185000f
 00902   368   NtGdiSelectBitmap  (335610839, 84214774, ... ) == 0x185000f
 00903   368   NtGdiBitBlt  (335610839, 0, 0, 32, 64, 268501972, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00904   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x1e0503fe
 00905   368   NtGdiSelectBitmap  (335610839, 25493519, ... ) == 0x50503f6
 00906   368   NtGdiDeleteObjectApp  (503645182, ... ) == 0x1
 00907   368   NtGdiDeleteObjectApp  (335610839, ... ) == 0x1
 00908   368   NtUserCallOneParam  (0, 33, ... ) == 0x300a1
 00909   368   NtUserSetCursorIconData  (196769, 1241432, 1241448, 1242028, ... ) == 0x1
 00910   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00911   368   NtUserGetDC  (0, ... ) == 0x1010052
 00912   368   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x100503f8
 00913   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00914   368   NtGdiSelectBitmap  (268501972, 268764152, ... ) == 0x185000f
 00915   368   NtGdiGetDCforBitmap  (268764152, ... ) == 0x100103d4
 00916   368   NtGdiSaveDC  (268501972, ... ) == 0x1
 00917   368   NtGdiSelectBitmap  (268501972, 268764152, ... ) == 0x100503f8
 00918   368   NtGdiGetDCObject  (268501972, 524288, ... ) == 0x188000b
 00919   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00920   368   NtGdiSetDIBitsToDeviceInternal  (268501972, 0, 0, 32, 64, 0, 0, 0, 64, 9190416, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00921   368   NtUserSelectPalette  (268501972, 25690123, 0, ... ) == 0x188000b
 00922   368   NtGdiSelectBitmap  (268501972, 268764152, ... ) == 0x100503f8
 00923   368   NtGdiRestoreDC  (268501972, -1, ... ) == 0x1
 00924   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x100503f8
 00925   368   NtGdiCreateCompatibleDC  (268501972, ... ) == 0x200103fe
 00926   368   NtGdiExtGetObjectW  (268764152, 24, 1241324, ... ) == 0x18
 00927   368   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x130503f2
 00928   368   NtGdiSelectBitmap  (268501972, 268764152, ... ) == 0x185000f
 00929   368   NtGdiSelectBitmap  (536937470, 319095794, ... ) == 0x185000f
 00930   368   NtGdiBitBlt  (536937470, 0, 0, 32, 64, 268501972, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00931   368   NtGdiSelectBitmap  (268501972, 25493519, ... ) == 0x100503f8
 00932   368   NtGdiSelectBitmap  (536937470, 25493519, ... ) == 0x130503f2
 00933   368   NtGdiDeleteObjectApp  (268764152, ... ) == 0x1
 00934   368   NtGdiDeleteObjectApp  (536937470, ... ) == 0x1
 00935   368   NtUserCallOneParam  (0, 33, ... ) == 0x3009f
 00936   368   NtUserSetCursorIconData  (196767, 1241432, 1241448, 1242028, ... ) == 0x1
 00937   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10015
 00938   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10019
 00939   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001f
 00940   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001b
 00941   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10021
 00942   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001d
 00943   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10013
 00944   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10017
 00945   368   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00946   368   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00947   368   NtUserGetDC  (0, ... ) == 0x1010052
 00948   368   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00949   368   NtUserEnumDisplayMonitors  (0, 0, 8913508, 9377472, ... ) == 0x1
 00950   368   NtUserSystemParametersInfo  (31, 60, 1241588, 0, ... ) == 0x1
 00951   368   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344496, ... ) == 0x210a03fe
 00952   368   NtGdiExtGetObjectW  (554304510, 420, 1241808, ... ) == 0x164
 00953   368   NtUserSystemParametersInfo  (41, 0, 1241788, 0, ... ) == 0x1
 00954   368   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344488, ... ) == 0x160a03d7
 00955   368   NtGdiExtGetObjectW  (369755095, 420, 1241808, ... ) == 0x164
 00956   368   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344480, ... ) == 0x110a03f8
 00957   368   NtGdiExtGetObjectW  (285869048, 420, 1241808, ... ) == 0x164
 00958   368   NtUserFindExistingCursorIcon  (1241896, 1241912, 1242480, ... ) == 0x0
 00959   368   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 8650752, 4096, ) == 0x0
 00960   368   NtUserGetKeyboardLayoutList  (64, 1242468, ... ) == 0x1
 00961   368   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00962   368   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0cc
 00963   368   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0cd
 00964   368   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   368   NtUserSetWindowsHookEx  (8781824, 1243796, 0, 4, 8789692, 2, ... ) == 0x3009d
 00966   368   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   368   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "uterm13.2i"}, 1, ... 100, ) }, 1, ... 100, ) == 0x0
 00968   368   NtOpenProcessToken  (-1, 0x20, ... 104, ) == 0x0
 00969   368   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00970   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 108, ) }, ... 108, ) == 0x0
 00972   368   NtQueryValueKey  (108,  (108, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   368   NtClose  (108, ... ) == 0x0
 00974   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00976   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00977   368   NtQuerySystemTime  (... {-1577898406, 29882035}, ) == 0x0
 00978   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00979   368   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   368   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00981   368   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00982   368   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00983   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00984   368   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 124, ) == 0x0
 00985   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 128, ) }, ... 128, ) == 0x0
 00986   368   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "ActiveComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00987   368   NtQueryValueKey  (132,  (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00988   368   NtClose  (132, ... ) == 0x0
 00989   368   NtClose  (128, ... ) == 0x0
 00990   368   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 128, ) == 0x0
 00991   368   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 132, ) == 0x0
 00992   368   NtDuplicateObject  (-1, 128, -1, 0x0, 0, 2, ... 136, ) == 0x0
 00993   368   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00994   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00995   368   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00996   368   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00997   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00998   368   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243248,  (0xc0100080, {24, 0, 0x40, 0, 1243248, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 00999   368   NtSetInformationFile  (144, 1243304, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01000   368   NtSetInformationFile  (144, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01001   368   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01002   368   NtWriteFile  (144, 121, 0, 0,  (144, 121, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01003   368   NtReadFile  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20C\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01004   368   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20C\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20C\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01005   368   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\27\267\221\334\246b\334\21\261\310\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\27\267\221\334\246b\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\27\267\221\334\246b\334\21\261\310\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\27\267\221\334\246b\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\27\267\221\334\246b\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01006   368   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\27\267\221\334\246b\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\27\267\221\334\246b\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01007   368   NtClose  (140, ... ) == 0x0
 01008   368   NtClose  (144, ... ) == 0x0
 01009   368   NtAdjustPrivilegesToken  (104, 0, 1245084, 16, 0, 0, ... ) == 0x0
 01010   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01011   368   NtQueryValueKey  (144,  (144, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   368   NtClose  (144, ... ) == 0x0
 01013   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01014   368   NtQueryValueKey  (144,  (144, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   368   NtClose  (144, ... ) == 0x0
 01016   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01017   368   NtQueryValueKey  (144,  (144, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01018   368   NtClose  (144, ... ) == 0x0
 01019   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01020   368   NtQueryValueKey  (144,  (144, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01021   368   NtClose  (144, ... ) == 0x0
 01022   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01023   368   NtQueryValueKey  (144,  (144, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   368   NtClose  (144, ... ) == 0x0
 01025   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01026   368   NtQueryValueKey  (144,  (144, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027   368   NtClose  (144, ... ) == 0x0
 01028   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01029   368   NtQueryValueKey  (144,  (144, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01030   368   NtClose  (144, ... ) == 0x0
 01031   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01032   368   NtQueryValueKey  (144,  (144, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   368   NtClose  (144, ... ) == 0x0
 01034   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01035   368   NtQueryValueKey  (144,  (144, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01036   368   NtClose  (144, ... ) == 0x0
 01037   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01038   368   NtQueryValueKey  (144,  (144, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   368   NtClose  (144, ... ) == 0x0
 01040   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01041   368   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01042   368   NtSetInformationFile  (-2147482808, -128867292, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01043   368   NtSetInformationFile  (-2147482808, -128867764, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01041   368   NtCreateKey  ... 144, 1, ) == 0x0
 01044   368   NtSetValueKey  (144,  (144, "ID", 0, 1, "n\0j\0r\0j\0j\0g\0l\0m\0b\0y\0t\0e\0y\0\0\0", 28, ... ) , 0, 1,  (144, "ID", 0, 1, "n\0j\0r\0j\0j\0g\0l\0m\0b\0y\0t\0e\0y\0\0\0", 28, ... ) , 28, ... ) == 0x0
 01045   368   NtClose  (144, ... ) == 0x0
 01046   368   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01047   368   NtQueryValueKey  (144,  (144, "System Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01048   368   NtClose  (144, ... ) == 0x0
 01049   368   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 144, 2, ) }, 0, 0x0, 0, ... 144, 2, ) == 0x0
 01050   368   NtSetValueKey  (144,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01051   368   NtClose  (144, ... ) == 0x0
 01052   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243520,  (0x80100080, {24, 0, 0x40, 0, 1243520, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01053   368   NtQueryInformationFile  (144, 1244456, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01054   368   NtQueryInformationFile  (144, 1244428, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01055   368   NtQueryInformationFile  (144, 1244380, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01056   368   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 01057   368   NtQueryInformationFile  (144, 1371664, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01058   368   NtQueryInformationFile  (144, 1242924, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01059   368   NtQueryInformationFile  (144, 1242768, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01060   368   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242776,  (0x40110080, {24, 0, 0x40, 0, 1242776, "\??\C:\WINDOWS\System32\hqogby.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01061   368   NtClose  (-2147482020, ... ) == 0x0
 01060   368   NtCreateFile  ... 140, {status=0x0, info=2}, ) == 0x0
 01062   368   NtQueryVolumeInformationFile  (140, 1242148, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01063   368   NtQueryInformationFile  (140, 1242108, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01064   368   NtQueryVolumeInformationFile  (144, 1242148, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01065   368   NtQueryVolumeInformationFile  (144, 1241832, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01066   368   NtSetInformationFile  (140, 1241936, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01067   368   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 144, ... 148, ) == 0x0
 01068   368   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9f0000), {0, 0}, 192512, ) == 0x0
 01069   368   NtClose  (148, ... ) == 0x0
 01070   368   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211\3504\210\315\211Z\333\315\211Z\333\315\211Z\333N\225T\333\317\211Z\333%\226^\333\317\211Z\333\315\211Z\333\313\211Z\333\315\211[\333\257\211Z\333\257\226I\333\304\211Z\333%\226Q\333\307\211Z\333Rich\315\211Z\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0]'\323@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0P1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01071   368   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\322\2455!q< \1\264\271\263\30\345=\314Bow\267!\356\354\243\331J\336G\6(\260\262H\304\352#\266\352\335\302\30M\242\217Q\377\221\12\330M\12\303\10\230\235\212\6:\270h\7b\311{\332\37\262\\14U\372[Cf(I1~\361N\23N\274yr\373\261\353\23z\2108\311;\270}E\9g\27v\251\243\21\246\264q\1\246\251\243\33r\255\243\21\246\260u\K\372\242\37N\214\243T\8I#O\376\242\4J\210KGN\276M'N\252K\7F\204K\7N\252A+N\256K\7B\200\377LK\256E/o\237or^\234k2o\237Y3k\337j2Z\230>rj\337]7jeo\310V\224\201\277feQ\17\336Md\11'\240c\34Z\13\241\311J'\227\377m\310\307\18\337\325\253\373\371\272\21\361\30D\20\322\177\364\261b\242cI!m{,\2Tt\364\257Li\315\264\377\315*J20\20\355\34Sr\3\335P+P\34_\10\10\360a\10#\351}\250D\354'\11gP\351\340\253\247D\205\17\324H\202\301\34\317T\230\352\353\267a\301s\201n\345\27\14\320\317{\305\14\304\303\337deDX\277\241\301\12\17\325\243\333\315gm7)em\14kl\234\16\35\254+_\216\212\103\246fi]iqo\257kLap\1\272\366\12\230K\371=}\275b3\315\301\22\21~3\223\235&\16z\16\36~\16c\15\270\276\222\342\242-k\35\330X\3w\242*M\370GeE\327t{A\203}\311\17\245\274\374\262\26\236\25\300|\357\343\373\334\331bd\3\357hp\257\373b\333 \250\206\260\230\337\22\12g\367g\12\256\235\235bd\241$\310)\326Y\226J\256 \2\252\253\352\232\305\236.\346\326\375\00C\25\334\35d\216g\16A*-\34", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01072   368   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\374\16\301\346\215%\372<\321\246j\0v\247]ND\335\26~\230\270"\376dLh\322'l\23\212h\375\324G\21\275^\14{D\201\236\211T\371\325j\265w JeST\277\236\272\227e\244\322d\320k\177\14\10\305\3720\223;\372\275h\373\273,\371]K\5#c\360\321O\301n\305d\36\213\356\1;\371\227\274uz,H]Hz\351\236\0\370!\361\31$n\216\270\234\342[\343\10kW\313)\1:g \210\243\271x#*\343|\377=b\224"\27i0n\253O\234c\11\313K\362\13D\233\363o}\270?\210\357\270v\34Hp\326\0\36\330\366\350w0\4B\270\243\346\32\372@\201\13js\7\373.\262\255.\1@ \331npWT\337\37\252\255\357\200{l\373\220G#\207H\320\214\377\230~13V}-\200I\16\220{(\245y\260T\370\27&\301\230\11\353\270_ESvNM\275)%\341\37M\262\240\203\335_\234\353\14(\205\322/\202\263\340 \342u\333\4\17ys\222+\261\235\330q\245\212@\201\251A\15\317\350h"\354\370\335\223\225\323\237f\230&\234\353e\27\255\5X\254\34\344Ky\230\306\356\254\32\324\214\35Ib\352$l\30/m\216\17)\310\37T\365%Ig/\255\243fw6\364\256\206\215\276x\14\342=\250\245\3\253S\221\277\236\255K\15\252\310A~\350\302\332\333\24S~\370ytz\347\37\25$\247\30\24\204\305o\210i\240U\11.\241\375\210b\250\215\361.\3508Gh:\365\20^TI\207\355\275\266\212f\377\266\225\15\336R\354^\327\260\233b!\201N\234e\15#\270\241\243\260le<\325\365\267\245\215\246\263^\36\251.\213\3\3\362?\324\237\210Y$k\241\236Y\305\373\261\364\336\226h~F\250@\5\215\246\201\260LE|o", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \376dLh\322'l\23\212h\375\324G\21\275^\14{D\201\236\211T\371\325j\265w JeST\277\236\272\227e\244\322d\320k\177\14\10\305\3720\223;\372\275h\373\273,\371]K\5#c\360\321O\301n\305d\36\213\356\1;\371\227\274uz,H]Hz\351\236\0\370!\361\31$n\216\270\234\342[\343\10kW\313)\1:g \210\243\271x#*\343|\377=b\224 (140, 0, 0, 0, "\374\16\301\346\215%\372<\321\246j\0v\247]ND\335\26~\230\270"\376dLh\322'l\23\212h\375\324G\21\275^\14{D\201\236\211T\371\325j\265w JeST\277\236\272\227e\244\322d\320k\177\14\10\305\3720\223;\372\275h\373\273,\371]K\5#c\360\321O\301n\305d\36\213\356\1;\371\227\274uz,H]Hz\351\236\0\370!\361\31$n\216\270\234\342[\343\10kW\313)\1:g \210\243\271x#*\343|\377=b\224"\27i0n\253O\234c\11\313K\362\13D\233\363o}\270?\210\357\270v\34Hp\326\0\36\330\366\350w0\4B\270\243\346\32\372@\201\13js\7\373.\262\255.\1@ \331npWT\337\37\252\255\357\200{l\373\220G#\207H\320\214\377\230~13V}-\200I\16\220{(\245y\260T\370\27&\301\230\11\353\270_ESvNM\275)%\341\37M\262\240\203\335_\234\353\14(\205\322/\202\263\340 \342u\333\4\17ys\222+\261\235\330q\245\212@\201\251A\15\317\350h"\354\370\335\223\225\323\237f\230&\234\353e\27\255\5X\254\34\344Ky\230\306\356\254\32\324\214\35Ib\352$l\30/m\216\17)\310\37T\365%Ig/\255\243fw6\364\256\206\215\276x\14\342=\250\245\3\253S\221\277\236\255K\15\252\310A~\350\302\332\333\24S~\370ytz\347\37\25$\247\30\24\204\305o\210i\240U\11.\241\375\210b\250\215\361.\3508Gh:\365\20^TI\207\355\275\266\212f\377\266\225\15\336R\354^\327\260\233b!\201N\234e\15#\270\241\243\260le<\325\365\267\245\215\246\263^\36\251.\213\3\3\362?\324\237\210Y$k\241\236Y\305\373\261\364\336\226h~F\250@\5\215\246\201\260LE|o", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) \354\370\335\223\225\323\237f\230&\234\353e\27\255\5X\254\34\344Ky\230\306\356\254\32\324\214\35Ib\352$l\30/m\216\17)\310\37T\365%Ig/\255\243fw6\364\256\206\215\276x\14\342=\250\245\3\253S\221\277\236\255K\15\252\310A~\350\302\332\333\24S~\370ytz\347\37\25$\247\30\24\204\305o\210i\240U\11.\241\375\210b\250\215\361.\3508Gh:\365\20^TI\207\355\275\266\212f\377\266\225\15\336R\354^\327\260\233b!\201N\234e\15#\270\241\243\260le<\325\365\267\245\215\246\263^\36\251.\213\3\3\362?\324\237\210Y$k\241\236Y\305\373\261\364\336\226h~F\250@\5\215\246\201\260LE|o", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01073   368   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "g\252\373\310i\240.\220\343\260\177\6j\255\276A\220RkP+\255kLo\252kN\302\22P\0\216\255\333nE\34\362\13\30\245[\3\316\271\203\354s\301{\3.\250o\13l\3213\22nAl\0\256\253f .\31mU~RG\337\365\236b'NN\233\5nxN\214dg^0b=?`\325\254\13\276\255k\261w\351\277.\300N^\27\270\320\373(i\253\26 @\354\321Cj\344\220\240\0\303\251\2760\221n'.X$l\35\255\2\272\247q\213'l!_\335y\301\2P\205]L&\340\217g\362\372\355Ee~\206\341\1\312tL\10\332\337j!8\15\220\307-\375\311\16\336\21Le\305\220\16\3\274\376\13\354I\375k\260\356[\22\273u\235\226\27\305km\353\234\253k\0n\255k\0.\257\224\0n\255k\0n\255k\0\356\321O\10o\242\356\206o\255k`\320\203\353Dn \325\322\341V\224W\355`\224\353c=\373\220\344\253-\210i\352j\333\33\252\340\36\355C\227\21\265\337\206\270o\255k\0ov\36\7\345\263\350\356\222\274\260\21\256\254\260s\201\330b\213p.\205\374\177v\30\344_d\350\350m\337f\301\216\245\341\6(.\233\377\32\331\342\305ov\36\7\345\263\350\356\222\274\260\21\247\254\260ui&u\203\200Qz\333\177d\36 /\254\260ui&u\203\200Qz\333\177dj\333\35B\36\11\345\263\350\356\222\274\260s\212.\252\2\357Pk\363\221R\350\321o \177/\355P\227va'iB\346\252,I\33Z\202c\221R\224\220\345\257\350\302j$l\203\251\251\350\351j\332\232\1\241D'\377\221R5\211\231\24\325'n\255\341\7)\201\203, 5084, 0x0, 0, ... {status=0x0, info=5084}, ) , 5084, 0x0, 0, ... {status=0x0, info=5084}, ) == 0x0
 01074   368   NtUnmapViewOfSection  (-1, 0x9f0000, ... ) == 0x0
 01075   368   NtSetInformationFile  (140, 1244380, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01076   368   NtClose  (144, ... ) == 0x0
 01077   368   NtClose  (140, ... ) == 0x0
 01078   368   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01079   368   NtSetValueKey  (140,  (140, "System Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0h\0q\0o\0g\0b\0y\0.\0e\0x\0e\0\0\0", 62, ... , 0, 1,  (140, "System Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0h\0q\0o\0g\0b\0y\0.\0e\0x\0e\0\0\0", 62, ... , 62, ...
 01080   368   NtSetInformationFile  (-2147482808, -128866508, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01081   368   NtSetInformationFile  (-2147482808, -128866600, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01079   368   NtSetValueKey  ... ) == 0x0
 01082   368   NtClose  (140, ... ) == 0x0
 01083   368   NtClose  (100, ... ) == 0x0
 01084   368   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01085   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hqogby.exe"}, 1241012, ... ) }, 1241012, ... ) == 0x0
 01086   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hqogby.exe"}, 1241704, ... ) }, 1241704, ... ) == 0x0
 01087   368   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hqogby.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01088   368   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 100, ... 140, ) == 0x0
 01089   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01090   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 144, ) }, ... 144, ) == 0x0
 01091   368   NtQueryValueKey  (144,  (144, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   368   NtClose  (144, ... ) == 0x0
 01093   368   NtQueryVolumeInformationFile  (100, 1241012, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01094   368   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 144, ) }, ... 144, ) == 0x0
 01095   368   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01096   368   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 148, ) }, ... 148, ) == 0x0
 01097   368   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9f0000), {0, 0}, 57344, ) == 0x0
 01098   368   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01099   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238996, ... ) }, 1238996, ... ) == 0x0
 01100   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01101   368   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 152, ... 156, ) == 0x0
 01102   368   NtClose  (152, ... ) == 0x0
 01103   368   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 106496, ) == 0x0
 01104   368   NtClose  (156, ... ) == 0x0
 01105   368   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01106   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239312, ... ) }, 1239312, ... ) == 0x0
 01107   368   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01108   368   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 152, ) == 0x0
 01109   368   NtQuerySection  (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01110   368   NtClose  (156, ... ) == 0x0
 01111   368   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01112   368   NtClose  (152, ... ) == 0x0
 01113   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01114   368   NtQueryInformationFile  (152, 1239600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01115   368   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 152, ... 156, ) == 0x0
 01116   368   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa00000), 0x0, 1028096, ) == 0x0
 01117   368   NtQueryInformationFile  (152, 1239696, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01118   368   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119   368   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01120   368   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01121   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01122   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1237260, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237260, 616, BothDirectory, 1, "hqogby.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01123   368   NtClose  (160, ... ) == 0x0
 01124   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01125   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01126   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hqogby.exe"}, 1236648, ... ) }, 1236648, ... ) == 0x0
 01127   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01128   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01129   368   NtClose  (160, ... ) == 0x0
 01130   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01131   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01132   368   NtClose  (160, ... ) == 0x0
 01133   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01134   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "hqogby.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01135   368   NtClose  (160, ... ) == 0x0
 01136   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01137   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01138   368   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01139   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01140   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01141   368   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01142   368   NtClose  (160, ... ) == 0x0
 01143   368   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01144   368   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\hqogby.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01146   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01147   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hqogby.exe"}, 1238928, ... ) }, 1238928, ... ) == 0x0
 01148   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01149   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01150   368   NtClose  (160, ... ) == 0x0
 01151   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01152   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01153   368   NtClose  (160, ... ) == 0x0
 01154   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01155   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "hqogby.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01156   368   NtClose  (160, ... ) == 0x0
 01157   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01158   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01159   368   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01160   368   NtQueryVolumeInformationFile  (100, 1239572, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01161   368   NtQueryInformationFile  (100, 1239552, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01162   368   NtQueryInformationFile  (100, 1239592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01163   368   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01164   368   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01165   368   NtClose  (156, ... ) == 0x0
 01166   368   NtClose  (152, ... ) == 0x0
 01167   368   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01168   368   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hqogby.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   368   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01170   368   NtOpenProcessToken  (-1, 0xa, ... 152, ) == 0x0
 01171   368   NtQueryInformationToken  (152, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01172   368   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01174   368   NtQueryValueKey  (156,  (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01175   368   NtQueryValueKey  (156,  (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01176   368   NtClose  (156, ... ) == 0x0
 01177   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01178   368   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01179   368   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01180   368   NtClose  (156, ... ) == 0x0
 01181   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01182   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01183   368   NtQueryValueKey  (156,  (156, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   368   NtClose  (156, ... ) == 0x0
 01185   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01186   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01187   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01188   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01189   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01190   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01191   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01192   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01193   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01194   368   NtQueryDefaultLocale  (1, 1240384, ... ) == 0x0
 01195   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 156, ) }, ... 156, ) == 0x0
 01196   368   NtEnumerateKey  (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01197   368   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 160, ) }, ... 160, ) == 0x0
 01198   368   NtQueryValueKey  (160,  (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01199   368   NtQueryValueKey  (160,  (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01200   368   NtClose  (160, ... ) == 0x0
 01201   368   NtEnumerateKey  (156, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01202   368   NtClose  (156, ... ) == 0x0
 01203   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01205   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01206   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01210   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01216   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01218   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01219   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01220   368   NtClose  (156, ... ) == 0x0
 01221   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01223   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01224   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01225   368   NtClose  (156, ... ) == 0x0
 01226   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01228   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01229   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01230   368   NtClose  (156, ... ) == 0x0
 01231   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01232   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01233   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01234   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01235   368   NtClose  (156, ... ) == 0x0
 01236   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01238   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01239   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01240   368   NtClose  (156, ... ) == 0x0
 01241   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01242   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01243   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01244   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01245   368   NtClose  (156, ... ) == 0x0
 01246   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01248   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01249   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01250   368   NtClose  (156, ... ) == 0x0
 01251   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01253   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01254   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01255   368   NtClose  (156, ... ) == 0x0
 01256   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01258   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01259   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01260   368   NtClose  (156, ... ) == 0x0
 01261   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01262   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01263   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01264   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01265   368   NtClose  (156, ... ) == 0x0
 01266   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01268   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01269   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01270   368   NtClose  (156, ... ) == 0x0
 01271   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01272   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01273   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01274   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01275   368   NtClose  (156, ... ) == 0x0
 01276   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01277   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01278   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01279   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01280   368   NtClose  (156, ... ) == 0x0
 01281   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01283   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01284   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01285   368   NtClose  (156, ... ) == 0x0
 01286   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01287   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01288   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01289   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01290   368   NtClose  (156, ... ) == 0x0
 01291   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01292   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01293   368   NtQueryValueKey  (156,  (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01294   368   NtClose  (156, ... ) == 0x0
 01295   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01296   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01297   368   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01298   368   NtClose  (156, ... ) == 0x0
 01299   368   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   368   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01301   368   NtOpenProcessToken  (-1, 0xa, ... 156, ) == 0x0
 01302   368   NtDuplicateToken  (156, 0xc, {24, 0, 0x0, 0, 1240904, 0x0}, 0, 2, ... 160, ) == 0x0
 01303   368   NtClose  (156, ... ) == 0x0
 01304   368   NtAccessCheck  (1378928, 160, 0x1, 1241032, 1240976, 56, 1241060, ... (0x1), ) == 0x0
 01305   368   NtClose  (160, ... ) == 0x0
 01306   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 160, ) }, ... 160, ) == 0x0
 01307   368   NtQueryValueKey  (160,  (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01308   368   NtClose  (160, ... ) == 0x0
 01309   368   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 160, ) }, ... 160, ) == 0x0
 01310   368   NtQuerySymbolicLinkObject  (160, ...  (160, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01311   368   NtClose  (160, ... ) == 0x0
 01312   368   NtQueryInformationFile  (100, 1239364, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 01313   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01314   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01315   368   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hqogby.exe"}, 1238044, ... ) }, 1238044, ... ) == 0x0
 01316   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01317   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01318   368   NtClose  (160, ... ) == 0x0
 01319   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01320   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01321   368   NtClose  (160, ... ) == 0x0
 01322   368   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01323   368   NtQueryDirectoryFile  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "hqogby.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 01324   368   NtClose  (160, ... ) == 0x0
 01325   368   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01326   368   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01327   368   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01328   368   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01329   368   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01330   368   NtClose  (160, ... ) == 0x0
 01331   368   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 160, ) }, ... 160, ) == 0x0
 01332   368   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0
 01333   368   NtClose  (160, ... ) == 0x0
 01334   368   NtQueryValueKey  (156,  (156, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01335   368   NtQueryValueKey  (156,  (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01336   368   NtClose  (156, ... ) == 0x0
 01337   368   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10485760, 4096, ) == 0x0
 01338   368   NtAllocateVirtualMemory  (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0
 01339   368   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01340   368   NtQueryValueKey  (156,  (156, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01341   368   NtClose  (156, ... ) == 0x0
 01342   368   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01343   368   NtQueryInformationToken  (152, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01344   368   NtQueryInformationToken  (152, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01345   368   NtClose  (152, ... ) == 0x0
 01346   368   NtCreateProcessEx  (1243640, 2035711, 0, -1, 0, 140, 0, 0, 0, ... ) == 0x0
 01347   368   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=316,}, 0x0, ) == 0x0
 01348   368   NtReadVirtualMemory  (152, 0x7ffdf008, 4, ...  (152, 0x7ffdf008, 4, ... "\0\0P1", 0x0, ) , 0x0, ) == 0x0
 01349   368   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hqogby.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01350   368   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01351   368   NtReadVirtualMemory  (152, 0x31500000, 4096, ...  (152, 0x31500000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211\3504\210\315\211Z\333\315\211Z\333\315\211Z\333N\225T\333\317\211Z\333%\226^\333\317\211Z\333\315\211Z\333\313\211Z\333\315\211[\333\257\211Z\333\257\226I\333\304\211Z\333%\226Q\333\307\211Z\333Rich\315\211Z\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0]'\323@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0P1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 01352   368   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01353   368   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=316,}, 0x0, ) == 0x0
 01354   368   NtAllocateVirtualMemory  (-1, 0, 0, 1660, 4096, 4, ... 10551296, 4096, ) == 0x0
 01355   368   NtAllocateVirtualMemory  (152, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01356   368   NtWriteVirtualMemory  (152, 0x10000,  (152, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01357   368   NtAllocateVirtualMemory  (152, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0
 01358   368   NtWriteVirtualMemory  (152, 0x20000,  (152, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0<\0>\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0<\0>\0\30\6\0\0\36\0 \0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0
 01359   368   NtWriteVirtualMemory  (152, 0x7ffdf010,  (152, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01360   368   NtWriteVirtualMemory  (152, 0x7ffdf1e8,  (152, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01361   368   NtFreeVirtualMemory  (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0
 01362   368   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01363   368   NtAllocateVirtualMemory  (152, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01364   368   NtProtectVirtualMemory  (152, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01365   368   NtCreateThread  (0x1f03ff, 0x0, 152, 1241904, 1242624, 1, ... 156, {364, 564}, ) == 0x0
 01366   368   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243724}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243724} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 316, 368, 1499, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ... {168, 196, reply, 0, 316, 368, 1499, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243724} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 316, 368, 1499, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0l\1\0\04\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ) == 0x0
 01367   368   NtResumeThread  (156, ... 1, ) == 0x0
 01368   368   NtClose  (100, ... ) == 0x0
 01369   368   NtClose  (140, ... ) == 0x0
 01370   368   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=364,ParentPid=316,}, 0x0, ) == 0x0
 01371   368   NtUserWaitForInputIdle  (364, 30000, 0, ...
 01372   368   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 01373   368   NtClose  (140, ... ) == 0x0
 01371   368   NtUserWaitForInputIdle  ... ) == 0x0
 01374   368   NtClose  (152, ... ) == 0x0
 01375   368   NtClose  (156, ... ) == 0x0
 01376   368   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 01377   368   NtTerminateProcess  (0, 0, ... ) == 0x0
 01378   368   NtQueryVirtualMemory  (-1, 0x896d20, Basic, 28, ... {BaseAddress=0x896000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01379   368   NtQueryVirtualMemory  (-1, 0x89762c, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x11000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01380   368   NtQueryVirtualMemory  (-1, 0x86cef4, Basic, 28, ... {BaseAddress=0x86c000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01381   368   NtGdiDeleteObjectApp  (369755095, ... ) == 0x1
 01382   368   NtGdiDeleteObjectApp  (285869048, ... ) == 0x1
 01383   368   NtGdiDeleteObjectApp  (554304510, ... ) == 0x1
 01384   368   NtUserDestroyCursor  (196767, 1, ... ) == 0x1
 01385   368   NtUserDestroyCursor  (196769, 1, ... ) == 0x1
 01386   368   NtUserDestroyCursor  (196771, 1, ... ) == 0x1
 01387   368   NtUserDestroyCursor  (196773, 1, ... ) == 0x1
 01388   368   NtUserDestroyCursor  (196715, 1, ... ) == 0x1
 01389   368   NtUserDestroyCursor  (196717, 1, ... ) == 0x1
 01390   368   NtUserDestroyCursor  (131189, 1, ... ) == 0x1
 01391   368   NtUserFindExistingCursorIcon  (1243476, 1243492, 1244060, ... ) == 0x10011
 01392   368   NtDeleteAtom  (49180, ... ) == 0x0
 01393   368   NtDeleteAtom  (49181, ... ) == 0x0
 01394   368   NtGdiDeleteObjectApp  (990381060, ... ) == 0x1
 01395   368   NtClose  (96, ... ) == 0x0
 01396   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01397   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03b
 01398   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01399   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03d
 01400   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01401   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03f
 01402   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01403   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc041
 01404   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01405   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc043
 01406   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01407   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc045
 01408   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01409   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc047
 01410   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01411   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc049
 01412   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01413   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04b
 01414   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01415   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04d
 01416   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01417   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04f
 01418   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01419   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc051
 01420   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01421   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc053
 01422   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01423   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc057
 01424   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01425   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc059
 01426   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01427   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05b
 01428   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01429   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05d
 01430   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01431   368   NtUserGetClassInfo  (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05f
 01432   368   NtUserUnregisterClass  (1244180, 1999896576, 1244168, ... ) == 0x1
 01433   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03b
 01434   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01435   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03d
 01436   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01437   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03f
 01438   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01439   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc041
 01440   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01441   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc043
 01442   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01443   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc045
 01444   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01445   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc047
 01446   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01447   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc049
 01448   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01449   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04b
 01450   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01451   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04d
 01452   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01453   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04f
 01454   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01455   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc051
 01456   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01457   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc053
 01458   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01459   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc057
 01460   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01461   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc059
 01462   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01463   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05b
 01464   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01465   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05d
 01466   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01467   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05f
 01468   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01469   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc017
 01470   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01471   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc019
 01472   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01473   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc018
 01474   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01475   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01a
 01476   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01477   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01c
 01478   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01479   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01e
 01480   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01481   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01b
 01482   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01483   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc068
 01484   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01485   368   NtUserGetClassInfo  (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc06a
 01486   368   NtUserUnregisterClass  (1244180, 1905590272, 1244168, ... ) == 0x1
 01487   368   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01488   368   NtClose  (76, ... ) == 0x0
 01489   368   NtClose  (64, ... ) == 0x0
 01490   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01491   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01492   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01493   368   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01494   368   NtFreeVirtualMemory  (-1, (0xa00000), 4096, 32768, ... (0xa00000), 4096, ) == 0x0
 01495   368   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 316, 368, 1516, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 316, 368, 1516, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 316, 368, 1516, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01496   368   NtTerminateProcess  (-1, 0, ...
 01497   368   NtClose  (44, ... ) == 0x0
NtAdjustPrivilegesToken(>)	1	NtDeleteAtom(>)	2	NtGdiBitBlt(>)	7	NtQueryInformationProcess(>)	15
NtCallbackReturn(>)	1	NtEnumerateKey(>)	2	NtGdiCreateDIBitmapInternal(>)	7	NtCreateSection(>)	17
NtCreateMutant(>)	1	NtGdiCreateSolidBrush(>)	2	NtGdiGetDCObject(>)	7	NtGdiDeleteObjectApp(>)	18
NtCreateProcessEx(>)	1	NtOpenDirectoryObject(>)	2	NtGdiGetDCforBitmap(>)	7	NtReadFile(>)	19
NtCreateThread(>)	1	NtOpenEvent(>)	2	NtGdiGetStockObject(>)	7	NtContinue(>)	20
NtDelayExecution(>)	1	NtOpenSymbolicLinkObject(>)	2	NtGdiRestoreDC(>)	7	NtQuerySystemInformation(>)	20
NtDuplicateToken(>)	1	NtQueryInstallUILanguage(>)	2	NtGdiSaveDC(>)	7	NtUserCallOneParam(>)	20
NtEnumerateValueKey(>)	1	NtQuerySymbolicLinkObject(>)	2	NtGdiSetDIBitsToDeviceInternal(>)	7	NtWaitForSingleObject(>)	21
NtGdiCreatePaletteInternal(>)	1	NtReadVirtualMemory(>)	2	NtOpenProcessToken(>)	7	NtFlushInstructionCache(>)	23
NtGdiInit(>)	1	NtTerminateProcess(>)	2	NtUserDestroyCursor(>)	7	NtWriteFile(>)	23
NtGdiQueryFontAssocInfo(>)	1	NtUserWaitForInputIdle(>)	2	NtUserSetCursorIconData(>)	7	NtOpenProcessTokenEx(>)	24
NtNotifyChangeKey(>)	1	NtAddAtom(>)	3	NtGdiCreateBitmap(>)	8	NtOpenThreadTokenEx(>)	24
NtOpenKeyedEvent(>)	1	NtCreateSemaphore(>)	3	NtQuerySection(>)	8	NtOpenSection(>)	25
NtOpenProcess(>)	1	NtDuplicateObject(>)	3	NtRequestWaitReplyPort(>)	8	NtOpenFile(>)	30
NtQueryInformationJobObject(>)	1	NtFreeVirtualMemory(>)	3	NtSetInformationThread(>)	8	NtQueryAttributesFile(>)	31
NtQueryObject(>)	1	NtGdiHfontCreate(>)	3	NtQueryDebugFilterState(>)	9	NtQueryInformationToken(>)	31
NtQuerySystemTime(>)	1	NtOpenMutant(>)	3	NtSetInformationFile(>)	9	NtMapViewOfSection(>)	37
NtRegisterThreadTerminatePort(>)	1	NtSetInformationObject(>)	3	NtCreateEvent(>)	10	NtReleaseMutant(>)	40
NtResumeThread(>)	1	NtFsControlFile(>)	4	NtGdiCreateCompatibleDC(>)	10	NtAllocateVirtualMemory(>)	41
NtSecureConnectPort(>)	1	NtOpenThreadToken(>)	4	NtGdiExtGetObjectW(>)	10	NtProtectVirtualMemory(>)	45
NtTestAlert(>)	1	NtSetValueKey(>)	4	NtQueryDirectoryFile(>)	10	NtUserUnregisterClass(>)	45
NtUserCallNoParam(>)	1	NtWriteVirtualMemory(>)	4	NtCreateFile(>)	11	NtQueryValueKey(>)	50
NtUserEnumDisplayMonitors(>)	1	NtUserRegisterWindowMessage(>)	5	NtUserGetDC(>)	11	NtGdiSelectBitmap(>)	57
NtUserGetKeyboardLayoutList(>)	1	NtCreateKey(>)	6	NtUnmapViewOfSection(>)	12	NtUserRegisterClassExWOW(>)	63
NtUserGetThreadDesktop(>)	1	NtQueryDefaultUILanguage(>)	6	NtQueryDefaultLocale(>)	13	NtUserGetClassInfo(>)	64
NtUserSetWindowsHookEx(>)	1	NtQueryVirtualMemory(>)	6	NtQueryInformationFile(>)	13	NtUserFindExistingCursorIcon(>)	72
NtAccessCheck(>)	2	NtQueryVolumeInformationFile(>)	6	NtUserSystemParametersInfo(>)	13	NtOpenKey(>)	111
NtCreateIoCompletion(>)	2	NtSetInformationProcess(>)	6	NtUserSelectPalette(>)	14	NtClose(>)	164