Summary: per-syscall call counts for the traced run, listed as `Name(>) count` (e.g. NtClose was issued 164 times, NtOpenKey 111). For a security read, the entries worth pulling out of the trace below are NtProtectVirtualMemory (45) paired with NtFlushInstructionCache (23), NtMapViewOfSection (37), NtWriteVirtualMemory (4), and the single NtCreateProcessEx / NtCreateThread / NtSetWindowsHookEx calls, whose arguments are not visible in this count table.

NtAdjustPrivilegesToken(>) 1 NtDeleteAtom(>) 2 NtGdiBitBlt(>) 7 NtQueryInformationProcess(>) 15
NtCallbackReturn(>) 1 NtEnumerateKey(>) 2 NtGdiCreateDIBitmapInternal(>) 7 NtCreateSection(>) 17
NtCreateMutant(>) 1 NtGdiCreateSolidBrush(>) 2 NtGdiGetDCObject(>) 7 NtGdiDeleteObjectApp(>) 18
NtCreateProcessEx(>) 1 NtOpenDirectoryObject(>) 2 NtGdiGetDCforBitmap(>) 7 NtReadFile(>) 19
NtCreateThread(>) 1 NtOpenEvent(>) 2 NtGdiGetStockObject(>) 7 NtContinue(>) 20
NtDelayExecution(>) 1 NtOpenSymbolicLinkObject(>) 2 NtGdiRestoreDC(>) 7 NtQuerySystemInformation(>) 20
NtDuplicateToken(>) 1 NtQueryInstallUILanguage(>) 2 NtGdiSaveDC(>) 7 NtUserCallOneParam(>) 20
NtEnumerateValueKey(>) 1 NtQuerySymbolicLinkObject(>) 2 NtGdiSetDIBitsToDeviceInternal(>) 7 NtWaitForSingleObject(>) 21
NtGdiCreatePaletteInternal(>) 1 NtReadVirtualMemory(>) 2 NtOpenProcessToken(>) 7 NtFlushInstructionCache(>) 23
NtGdiInit(>) 1 NtTerminateProcess(>) 2 NtUserDestroyCursor(>) 7 NtWriteFile(>) 23
NtGdiQueryFontAssocInfo(>) 1 NtUserWaitForInputIdle(>) 2 NtUserSetCursorIconData(>) 7 NtOpenProcessTokenEx(>) 24
NtNotifyChangeKey(>) 1 NtAddAtom(>) 3 NtGdiCreateBitmap(>) 8 NtOpenThreadTokenEx(>) 24
NtOpenKeyedEvent(>) 1 NtCreateSemaphore(>) 3 NtQuerySection(>) 8 NtOpenSection(>) 25
NtOpenProcess(>) 1 NtDuplicateObject(>) 3 NtRequestWaitReplyPort(>) 8 NtOpenFile(>) 30
NtQueryInformationJobObject(>) 1 NtFreeVirtualMemory(>) 3 NtSetInformationThread(>) 8 NtQueryAttributesFile(>) 31
NtQueryObject(>) 1 NtGdiHfontCreate(>) 3 NtQueryDebugFilterState(>) 9 NtQueryInformationToken(>) 31
NtQuerySystemTime(>) 1 NtOpenMutant(>) 3 NtSetInformationFile(>) 9 NtMapViewOfSection(>) 37
NtRegisterThreadTerminatePort(>) 1 NtSetInformationObject(>) 3 NtCreateEvent(>) 10 NtReleaseMutant(>) 40
NtResumeThread(>) 1 NtFsControlFile(>) 4 NtGdiCreateCompatibleDC(>) 10 NtAllocateVirtualMemory(>) 41
NtSecureConnectPort(>) 1 NtOpenThreadToken(>) 4 NtGdiExtGetObjectW(>) 10 NtProtectVirtualMemory(>) 45
NtTestAlert(>) 1 NtSetValueKey(>) 4 NtQueryDirectoryFile(>) 10 NtUserUnregisterClass(>) 45
NtUserCallNoParam(>) 1 NtWriteVirtualMemory(>) 4 NtCreateFile(>) 11 NtQueryValueKey(>) 50
NtUserEnumDisplayMonitors(>) 1 NtUserRegisterWindowMessage(>) 5 NtUserGetDC(>) 11 NtGdiSelectBitmap(>) 57
NtUserGetKeyboardLayoutList(>) 1 NtCreateKey(>) 6 NtUnmapViewOfSection(>) 12 NtUserRegisterClassExWOW(>) 63
NtUserGetThreadDesktop(>) 1 NtQueryDefaultUILanguage(>) 6 NtQueryDefaultLocale(>) 13 NtUserGetClassInfo(>) 64
NtUserSetWindowsHookEx(>) 1 NtQueryVirtualMemory(>) 6 NtQueryInformationFile(>) 13 NtUserFindExistingCursorIcon(>) 72
NtAccessCheck(>) 2 NtQueryVolumeInformationFile(>) 6 NtUserSystemParametersInfo(>) 13 NtOpenKey(>) 111
NtCreateIoCompletion(>) 2 NtSetInformationProcess(>) 6 NtUserSelectPalette(>) 14 NtClose(>) 164

Trace: one entry per syscall, formatted `<seq> <thread> <NtCall> (<in args> ... <out args>) == <NTSTATUS>`, where `0x0` is STATUS_SUCCESS and the constant `412` is presumably the calling thread id (it is the value passed to NtUserGetThreadDesktop at 00196). An entry that stops at `...` with no result and is completed later under the same sequence number (00186, 00191, 00218, 00272) was interrupted by nested syscalls before returning, apparently through a kernel-to-user callback (NtCallbackReturn at 00224). Points to check: the image is `u:\work\packed.exe` (IFEO lookup at 00001, DotLocal redirection probe `packed.exe.Local` at 00017); the WS2_32.dll and WS2HELP.dll loads (00104–00135) are not served from \KnownDlls and probe the application directory first, then the directory behind handle 12 (`\??\U:\startupscripts\`, opened at 00014), and only then System32, so a same-named DLL planted in either earlier location would win — note SafeDllSearchMode is queried at 00232 and is absent; and the repeated NtProtectVirtualMemory cycles on the 8 KiB page at 0x31509000 (first 128→4→128 at 00056–00057, then 64→4→64 at 00065 onward), each followed by NtFlushInstructionCache and each immediately after a DLL is mapped, show an executable, writable, section-backed page (the initial PAGE_EXECUTE_WRITECOPY=128 only occurs on mapped images, and no DLL in this trace maps at that address) being rewritten and re-executed — consistent with a packer stub patching imports into its own image, but confirm against a memory dump rather than this trace alone.

00001 412 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 412 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 412 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 412 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 412 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 412 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 412 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 412 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 412 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 412 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 412 NtClose (12, ... 
) == 0x0 00014 412 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 412 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 412 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 412 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 412 NtClose (16, ... ) == 0x0 00021 412 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 412 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 412 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 412 NtClose (16, ... ) == 0x0 00026 412 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 412 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 412 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 412 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 412 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 412 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 408, 412, 1479, 0} "x-\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 408, 412, 1479, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 408, 412, 1479, 0} "x-\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 412 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 412 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 412 NtClose (16, ... ) == 0x0 00036 412 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 412 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 412 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 412 NtClose (28, ... ) == 0x0 00041 412 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 412 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 412 NtClose (28, ... ) == 0x0 00045 412 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 412 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 412 NtClose (28, ... ) == 0x0 00049 412 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 412 NtClose (28, ... ) == 0x0 00052 412 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 412 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 412 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 412 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 408, 412, 1482, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 408, 412, 1482, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 408, 412, 1482, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 128, ) == 0x0 00057 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 128, ... (0x31509000), 8192, 4, ) == 0x0 00058 412 NtFlushInstructionCache (-1, 827363328, 8192, ... ) == 0x0 00059 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00061 412 NtClose (28, ... ) == 0x0 00062 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00064 412 NtClose (28, ... ) == 0x0 00065 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0 00066 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0 00067 412 NtFlushInstructionCache (-1, 827363328, 8192, ... ) == 0x0 00068 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00070 412 NtClose (28, ... ) == 0x0 00071 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0 00072 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0 00073 412 NtFlushInstructionCache (-1, 827363328, 8192, ... 
) == 0x0 00074 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00075 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00076 412 NtClose (28, ... ) == 0x0 00077 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00078 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00079 412 NtClose (28, ... ) == 0x0 00080 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0 00081 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0 00082 412 NtFlushInstructionCache (-1, 827363328, 8192, ... ) == 0x0 00083 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00085 412 NtClose (28, ... ) == 0x0 00086 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00087 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00088 412 NtClose (28, ... ) == 0x0 00089 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00090 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00091 412 NtClose (28, ... ) == 0x0 00092 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00094 412 NtClose (28, ... ) == 0x0 00095 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 
28, ) == 0x0 00096 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00097 412 NtClose (28, ... ) == 0x0 00098 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00099 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00100 412 NtClose (28, ... ) == 0x0 00101 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0 00102 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0 00103 412 NtFlushInstructionCache (-1, 827363328, 8192, ... ) == 0x0 00104 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 412 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00106 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 412 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0 00109 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00110 412 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00111 412 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00112 412 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00113 412 NtQueryInformationToken (36, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00114 412 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00115 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00116 412 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00117 412 NtClose (40, ... ) == 0x0 00118 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00119 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00120 412 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00121 412 NtClose (40, ... ) == 0x0 00122 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00123 412 NtClose (36, ... ) == 0x0 00124 412 NtClose (28, ... ) == 0x0 00125 412 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00126 412 NtClose (32, ... ) == 0x0 00127 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 412 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00130 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0 00131 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00132 412 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00133 412 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00134 412 NtClose (32, ... ) == 0x0 00135 412 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00136 412 NtClose (28, ... ) == 0x0 00137 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 4, ... (0x31509000), 8192, 64, ) == 0x0 00138 412 NtProtectVirtualMemory (-1, (0x31509000), 8192, 64, ... (0x31509000), 8192, 4, ) == 0x0 00139 412 NtFlushInstructionCache (-1, 827363328, 8192, ... ) == 0x0 00140 412 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00141 412 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00142 412 NtClose (28, ... ) == 0x0 00143 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00144 412 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00145 412 NtClose (28, ... ) == 0x0 00146 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00147 412 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... 
TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00148 412 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00149 412 NtClose (28, ... ) == 0x0 00150 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00151 412 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00152 412 NtClose (28, ... ) == 0x0 00153 412 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00154 412 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00155 412 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00156 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00157 412 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00158 412 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00159 412 NtAllocateVirtualMemory (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0 00160 412 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 
32, ) == 0x0 00161 412 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00162 412 NtClose (32, ... ) == 0x0 00163 412 NtAllocateVirtualMemory (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0 00164 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00165 412 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 408, 412, 1494, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 408, 412, 1494, 0} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 408, 412, 1494, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00166 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00167 412 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0 00168 412 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00169 412 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00170 412 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482208, ) == 0x0 00171 412 NtQueryInformationToken (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00172 412 NtQueryInformationToken (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00173 412 NtClose (-2147482208, ... 
) == 0x0 00174 412 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0 00175 412 NtFreeVirtualMemory (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0 00176 412 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00177 412 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00178 412 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00179 412 NtClose (-2147482208, ... ) == 0x0 00180 412 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00181 412 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00182 412 NtClose (-2147482208, ... ) == 0x0 00183 412 NtQueryDefaultLocale (0, -130971124, ... ) == 0x0 00184 412 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00185 412 NtUserCallNoParam (24, ... ) == 0x0 00186 412 NtGdiCreateCompatibleDC (0, ... 00187 412 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0 00186 412 NtGdiCreateCompatibleDC ... ) == 0x150103c2 00188 412 NtGdiGetStockObject (0, ... ) == 0x1900010 00189 412 NtGdiGetStockObject (4, ... ) == 0x1900011 00190 412 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xf0503d3 00191 412 NtGdiCreateSolidBrush (0, 0, ... 00192 412 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0 00191 412 NtGdiCreateSolidBrush ... ) == 0xf1003d4 00193 412 NtGdiGetStockObject (13, ... ) == 0x18a0021 00194 412 NtGdiCreateCompatibleDC (0, ... ) == 0x3e01040c 00195 412 NtGdiSelectBitmap (1040253964, 251986899, ... ) == 0x185000f 00196 412 NtUserGetThreadDesktop (412, 0, ... 
) == 0x2c 00197 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00198 412 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00199 412 NtClose (52, ... ) == 0x0 00200 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00201 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00202 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00203 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00204 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00205 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00206 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00207 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00208 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00209 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00210 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00211 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00212 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00213 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00214 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00215 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 
) == 0x810dc026 00216 412 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00217 412 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00218 412 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00219 412 NtAllocateVirtualMemory (-1, 5533696, 0, 4096, 4096, 32, ... 5533696, 4096, ) == 0x0 00218 412 NtUserRegisterClassExWOW ... ) == 0x810dc020 00220 412 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00221 412 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00222 412 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00223 412 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00224 412 NtCallbackReturn (0, 0, 0, ... 00225 412 NtGdiInit (... ) == 0x1 00226 412 NtGdiGetStockObject (18, ... ) == 0x290001c 00227 412 NtGdiGetStockObject (19, ... ) == 0x1b00019 00228 412 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00229 412 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00230 412 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00231 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00232 412 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00233 412 NtClose (52, ... ) == 0x0 00234 412 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 
1331200, 4096, ) == 0x0 00235 412 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00236 412 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00237 412 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00238 412 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1243532, 0, (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00239 412 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0 00240 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00241 412 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00242 412 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00243 412 NtQueryValueKey (60, (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00244 412 NtClose (60, ... ) == 0x0 00245 412 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00246 412 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00247 412 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00248 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00249 412 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00250 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0 00251 412 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00252 412 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 412 NtQueryValueKey (60, (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00254 412 NtClose (60, ... ) == 0x0 00255 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0 00256 412 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00257 412 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00258 412 NtClose (60, ... 
) == 0x0 00259 412 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00260 412 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00261 412 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 412 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00263 412 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 412 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 00265 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00266 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00267 412 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00268 412 NtClose (60, ... ) == 0x0 00269 412 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00270 412 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00271 412 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0 00272 412 NtQueryDefaultUILanguage (1241768, ... 00273 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00274 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00275 412 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00276 412 NtClose (-2147482208, ... 
) == 0x0 00277 412 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00278 412 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 412 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00280 412 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 412 NtClose (-2147482196, ... ) == 0x0 00282 412 NtClose (-2147482208, ... ) == 0x0 00272 412 NtQueryDefaultUILanguage ... ) == 0x0 00283 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00284 412 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00285 412 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00286 412 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0 00287 412 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0 00288 412 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00289 412 NtQueryDefaultUILanguage (2013024600, ... 00290 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00291 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
-2147482208, ) == 0x0 00292 412 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00293 412 NtClose (-2147482208, ... ) == 0x0 00294 412 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00295 412 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00296 412 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00297 412 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00298 412 NtClose (-2147482196, ... ) == 0x0 00299 412 NtClose (-2147482208, ... ) == 0x0 00289 412 NtQueryDefaultUILanguage ... ) == 0x0 00300 412 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00301 412 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00302 412 NtQueryDefaultLocale (1, 1239804, ... ) == 0x0 00303 412 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00304 412 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 408, 412, 1495, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 408, 412, 1495, 0} (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1495, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ) ) == 0x0 00305 412 NtClose (68, ... ) == 0x0 00306 412 NtClose (72, ... ) == 0x0 00307 412 NtUnmapViewOfSection (-1, 0x840000, ... ) == 0x0 00308 412 NtUnmapViewOfSection (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW 00309 412 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00310 412 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00311 412 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00312 412 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00313 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00314 412 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00315 412 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00316 412 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00317 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0 00318 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0 00319 412 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00320 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00321 412 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00322 412 NtClose (68, ... ) == 0x0 00323 412 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0 00324 412 NtClose (76, ... ) == 0x0 00325 412 NtUnmapViewOfSection (-1, 0x8f0000, ... ) == 0x0 00326 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00327 412 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0 00328 412 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00329 412 NtClose (76, ... ) == 0x0 00330 412 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00331 412 NtClose (68, ... ) == 0x0 00332 412 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00333 412 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00334 412 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00335 412 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00336 412 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00337 412 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00338 412 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00339 412 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00340 412 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00341 412 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00342 412 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00343 412 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00344 412 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00345 412 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00346 412 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00347 412 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00348 412 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00349 412 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00350 412 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00351 412 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00352 412 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00353 412 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0 00354 412 NtQueryDefaultUILanguage (1238836, ... 00355 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00356 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00357 412 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00358 412 NtClose (-2147482208, ... ) == 0x0 00359 412 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00360 412 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00361 412 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00362 412 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00363 412 NtClose (-2147482196, ... ) == 0x0 00364 412 NtClose (-2147482208, ... ) == 0x0 00354 412 NtQueryDefaultUILanguage ... ) == 0x0 00365 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00366 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0 00367 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00368 412 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00369 412 NtClose (68, ... ) == 0x0 00370 412 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0 00371 412 NtClose (76, ... ) == 0x0 00372 412 NtUnmapViewOfSection (-1, 0x840000, ... 
) == 0x0 00373 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0 00374 412 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238028, (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00375 412 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0 00376 412 NtClose (76, ... ) == 0x0 00377 412 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0 00378 412 NtClose (68, ... ) == 0x0 00379 412 NtUnmapViewOfSection (-1, 0x840000, ... ) == 0x0 00380 412 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00381 412 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0 00382 412 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0 00383 412 NtQueryInformationFile (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00384 412 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00385 412 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 408, 412, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 408, 412, 1496, 0} (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 408, 412, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ) ) == 0x0 00386 412 NtClose (68, ... ) == 0x0 00387 412 NtClose (76, ... ) == 0x0 00388 412 NtUnmapViewOfSection (-1, 0x840000, ... ) == 0x0 00389 412 NtUnmapViewOfSection (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW 00390 412 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00391 412 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00392 412 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00393 412 NtUserGetDC (0, ... ) == 0x1010053 00394 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00395 412 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00396 412 NtUserSystemParametersInfo (66, 12, 1240140, 0, ... ) == 0x1 00397 412 NtOpenProcessToken (-1, 0x8, ... 76, ) == 0x0 00398 412 NtAccessCheck (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00399 412 NtClose (76, ... 
) == 0x0 00400 412 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0 00401 412 NtQueryValueKey (76, (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00402 412 NtClose (76, ... ) == 0x0 00403 412 NtUserSystemParametersInfo (41, 500, 1239640, 0, ... ) == 0x1 00404 412 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0 00405 412 NtQueryValueKey (76, (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00406 412 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00407 412 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00408 412 NtClose (68, ... ) == 0x0 00409 412 NtClose (76, ... ) == 0x0 00410 412 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00411 412 NtUserSystemParametersInfo (4130, 0, 1240164, 0, ... ) == 0x1 00412 412 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0 00413 412 NtEnumerateValueKey (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00414 412 NtClose (76, ... ) == 0x0 00415 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00416 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03b 00417 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03d 00418 412 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00419 412 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... 
) == 0x810dc03f 00420 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00421 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc041 00422 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00423 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc043 00424 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc045 00425 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00426 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc047 00427 412 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00428 412 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc049 00429 412 NtUserGetClassInfo (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049 00430 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00431 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04b 00432 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00433 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04d 00434 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00435 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04f 00436 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc051 00437 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00438 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc053 00439 412 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00440 412 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... 
) == 0x810dc055 00441 412 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc057 00442 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00443 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc059 00444 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10013 00445 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05b 00446 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00447 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05d 00448 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00449 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05f 00450 412 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00451 412 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc017 00452 412 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00453 412 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc019 00454 412 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10013 00455 412 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc018 00456 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00457 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc01a 00458 412 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00459 412 NtUserRegisterClassExWOW (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc01c 00460 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00461 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... 
00462 412 NtAllocateVirtualMemory (-1, 5537792, 0, 4096, 4096, 32, ... 5537792, 4096, ) == 0x0 00461 412 NtUserRegisterClassExWOW ... ) == 0x810dc01e 00463 412 NtUserFindExistingCursorIcon (1239444, 1239460, 1240028, ... ) == 0x10011 00464 412 NtUserRegisterClassExWOW (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810dc01b 00465 412 NtUserFindExistingCursorIcon (1239440, 1239456, 1240024, ... ) == 0x10011 00466 412 NtUserRegisterClassExWOW (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810dc068 00467 412 NtUserFindExistingCursorIcon (1239448, 1239464, 1240032, ... ) == 0x10011 00468 412 NtUserRegisterClassExWOW (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc06a 00469 412 NtCreateKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0 00470 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00471 412 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00472 412 NtTestAlert (... ) == 0x0 00473 412 NtContinue (1244464, 1, ... 00474 412 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3150b000,}, 4, ... ) == 0x0 00475 412 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0 00476 412 NtQueryValueKey (68, (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00477 412 NtClose (68, ... ) == 0x0 00478 412 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 
1224704, 4096, ) == 0x0 00479 412 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1234112, (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0 00480 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0 00481 412 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 408, 412, 1497, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 408, 412, 1497, 0} (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 408, 412, 1497, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 00482 412 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1233836, (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0 00483 412 NtClose (80, ... ) == 0x0 00484 412 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234112, (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ... 00485 412 NtClose (-2147482208, ... ) == 0x0 00484 412 NtCreateFile ... 80, {status=0x0, info=3}, ) == 0x0 00486 412 NtSetInformationFile (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00487 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\24\25t\0[O$\0]O+\0\246\260$\0\341O$\0YO$\0\31O>\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YM$\0\343_$\16F\373-\315x\367%L\224n\264\220\15'Msy?Vo>=Emy"Qs-oFey=Qny:Jd<=\4W0!\272TE\07YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0", ) Qs-oFey=Qny:Jd<=\4W0!\272TE\07YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0YO$\0", ) == 0x0 00488 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under 
Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00489 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\14G\22\346siE6=],\371"E\10iL\245\7\221\207B\331;\217e\304\221\14\354<[\3V\334\261\276ND3/u\271]TX\377\177\215|}\334\340*D\2\347\354\270\321\36[\300?\304t\1\11\331Og8Md\315%p%\2\347\13\11\32\332\215!R\254zu\21\323\226\27ey\377\216K''g,\261\355\366\305Zv\314\353\7\30\370\200^\310\244\302\216DSCu^\6\301HO.^\43*8\24\336\3751\4T2\31\311\337\374\225\342\375t\12\365X\257Q\26G@\203\311K,#\225\235\10\210i\211_\22\30A\305\311\241\11\14I\275y?\37]\200\324f\211\263\2203_\214\305\15h\315\3344\207#f\266\11+\324Xgy\366 
\235}cW\221\313\354\257\25aUP\260\13$(X\223\244\24\332u\16\12)J!\342\344\362\12\261\37\366<\177?\212\10\17;Q\310\34\3111\212\204\202\310\10\237OC)\332v\334\251\242k\356\232\33\14\35RC\17s\344\311y\25\15\322\16\20\324\360\346\351\\20Z!-\225k\274\365\31Bv\314\11\334\244\221\364\335\312\334\300\236\0\370\3742qu\231\304y\304\222\26\262\357\325\214\214\306\365\377\220F\11A\305\224a\207w\1\307\347\23\225\177\233\14\217\352\374\341\223\257u\3\250\370O\232m6w\247x\1"\24\213\355\304nXtk#\220&\207\4^@\254\17\227M\260\333\12u7\30\231xW@\360\215\336\]da\207\261\215*\303\354X\224(pS\221\327P>,\354\266G\15\7\350 \247/50\371\300&\275\27+\11\204\222\24\2[/d\3\313\7\214\211\33\27\372}\24\303\324\215\34\207\17\335^\226\1\265P\225\22=\7\354\324^\213~\274<\346\303$RD?a\337\203\242[\365\277\371\17", ) E\10iL\245\7\221\207B\331;\217e\304\221\14\354<[\3V\334\261\276ND3/u\271]TX\377\177\215|}\334\340*D\2\347\354\270\321\36[\300?\304t\1\11\331Og8Md\315%p%\2\347\13\11\32\332\215!R\254zu\21\323\226\27ey\377\216K''g,\261\355\366\305Zv\314\353\7\30\370\200^\310\244\302\216DSCu^\6\301HO.^\43*8\24\336\3751\4T2\31\311\337\374\225\342\375t\12\365X\257Q\26G@\203\311K,#\225\235\10\210i\211_\22\30A\305\311\241\11\14I\275y?\37]\200\324f\211\263\2203_\214\305\15h\315\3344\207#f\266\11+\324Xgy\366 \235}cW\221\313\354\257\25aUP\260\13$(X\223\244\24\332u\16\12)J!\342\344\362\12\261\37\366<\177?\212\10\17;Q\310\34\3111\212\204\202\310\10\237OC)\332v\334\251\242k\356\232\33\14\35RC\17s\344\311y\25\15\322\16\20\324\360\346\351\\20Z!-\225k\274\365\31Bv\314\11\334\244\221\364\335\312\334\300\236\0\370\3742qu\231\304y\304\222\26\262\357\325\214\214\306\365\377\220F\11A\305\224a\207w\1\307\347\23\225\177\233\14\217\352\374\341\223\257u\3\250\370O\232m6w\247x\1 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\14G\22\346siE6=],\371"E\10iL\245\7\221\207B\331;\217e\304\221\14\354<[\3V\334\261\276ND3/u\271]TX\377\177\215|}\334\340*D\2\347\354\270\321\36[\300?\304t\1\11\331Og8Md\315%p%\2\347\13\11\32\332\215!R\254zu\21\323\226\27ey\377\216K''g,\261\355\366\305Zv\314\353\7\30\370\200^\310\244\302\216DSCu^\6\301HO.^\43*8\24\336\3751\4T2\31\311\337\374\225\342\375t\12\365X\257Q\26G@\203\311K,#\225\235\10\210i\211_\22\30A\305\311\241\11\14I\275y?\37]\200\324f\211\263\2203_\214\305\15h\315\3344\207#f\266\11+\324Xgy\366 \235}cW\221\313\354\257\25aUP\260\13$(X\223\244\24\332u\16\12)J!\342\344\362\12\261\37\366<\177?\212\10\17;Q\310\34\3111\212\204\202\310\10\237OC)\332v\334\251\242k\356\232\33\14\35RC\17s\344\311y\25\15\322\16\20\324\360\346\351\\20Z!-\225k\274\365\31Bv\314\11\334\244\221\364\335\312\334\300\236\0\370\3742qu\231\304y\304\222\26\262\357\325\214\214\306\365\377\220F\11A\305\224a\207w\1\307\347\23\225\177\233\14\217\352\374\341\223\257u\3\250\370O\232m6w\247x\1"\24\213\355\304nXtk#\220&\207\4^@\254\17\227M\260\333\12u7\30\231xW@\360\215\336\]da\207\261\215*\303\354X\224(pS\221\327P>,\354\266G\15\7\350 \247/50\371\300&\275\27+\11\204\222\24\2[/d\3\313\7\214\211\33\27\372}\24\303\324\215\34\207\17\335^\226\1\265P\225\22=\7\354\324^\213~\274<\346\303$RD?a\337\203\242[\365\277\371\17", ) , ) == 0x0 00490 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 
\3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00491 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\216\215/X\341]1whE(H\212\2\347\30\23\331h\340\14\352\226HY\344\266\345\351\312\223}A\13d\221\274\337AZ=\23|YW\24\276\0\13\4GT\11+\35dB-06=/\265\345\311*N!5'u\226\32\331V\14-?\10\35\220/\357z%z\@s\316\274CI3>\301&\312\260\235\302/C\20\367?\237\363`\344r%K\307(9r\3134\274^\304\2429\303\16\250\14\321 d\323\246\270\16\276q\305c\10c\237P9\257\11\2373\363\6\361\256\301\223s\4\240#a]\356Kb4\252\11;\306\357\150\270\367\2430\5U\1!>]\330nVi9\206\310\263\311\31\366\D\244K\31\27\347\13\313\310q?R?\347k\366b\317\221\345\253\354\257m\207%\367Xa\334\27\275\11El*\310J\31\275\314wT+:A\1wL\254\46\272\25\322\323\372DIM\23\304\3341\257wb~\355\212\21\14`\10\245\260f\267\6O,\215,@\257|QH\25\300\323A\37J\245:\223~\370\24\252\S\2758\16\257\214\373\237\20:\306o\2\344\325\371N\17\0\16Xv\334~\204\352C\5t\213\37\200ah+M]\24\337\302+\253\241\2576\370\233\202-\340\255\321P./\212\36\305\16\201\251\35\312\356\270\260\373\177\202\305|c\315\305z\12\334\24wo53:\13OW\253\36Tv\320\355T\261|\32\331\250\3739\222\263\223\0\26^<\33,\243\311\355oM\225 \316\244\354?\331\252\373:\357\217\311\355C\244\306\35\323#>\2215Wf\305\313\260\346\11\241\250ou\251\300\207:\322p\227\4\331p!\266\4\354#\203\210\0%\267V\275\333\255\363\370n\20#H\332\261+DS\15V\360\355\3\23\223\216\5e\210\333\321\327\225\333B\274\301\35\1", ) , ) == 0x0 00492 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, 
"\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00493 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\317\244\331\265\331\230\210f\12\306\241\6O\317\256\265.\211\241\227&AS\21?\360\220\22\14CA\211P\357}\6\352\210E\35i\3638\210\3554\273\240\323\302\261>SO\220\274>ac\263(e\3440@\26\2774X\210&\316\335\355{\271\320\330\20tQ\25 \310\304\313\262\244r\221\325t:\24w\364\14\35\0\361\14Gv"\36\317\3425\321\303a\13\21\315\217\200\367\305(&p\317\25\254d\253\317\12DDS\266\257\311\331\13\26\305q\373N\36avl)\345ii\316\3001\236\23R\214|7\10\2S\17\246\32\335D\334B\376Y\244{l\3714\31\227\321T\353^k\360\350j\317\262t\332\15\3!1\26d{\312M\251\5M\251\347\377tb\310N?\356\263\360?\350\4\364L\311\204\266\215E\320\364\211\2054\240{\37\224\326t\226#C\245\2K\0b\37\30/un\7\207I8\308B=\354\310ew\308pn\2\205\376\250k\210^\224\37w\2A\260\341XC\204\346\230\322$\233Q5"\243BM\12,\234\210r\272\363~2z\257\2154\360\10\302\266`\332Y0\310\275\23\266\246\371\374kX\251\2448\30\5\357\217a\221\3744\35j\206p\17\316\305?\0\336\243<\1\233?\375\22\373A\347^fN\326\204\2\310\17\271\14\261\320\15\354\271 \322$\271a\376.\31\374\353s^\10\332[\11\330\26\2072\27:e2/`\315Vn\33W\325LO\310\13y\25Qk\6\16XSe\3409\330F\364\32\3056\20\255\25\202\266_FK\21\241\277\210\0A\257 UwF\15*PK\203\26Q\37H\253\345\2737\4\222\307\3\247\33I\16H\261\327\3279\200\1\221j\254I\324\354\267$v\321\212\17\334\234\233M\20\0\128Z\350&?O\330\365_;\322\241\32y8", ) \36\317\3425\321\303a\13\21\315\217\200\367\305(&p\317\25\254d\253\317\12DDS\266\257\311\331\13\26\305q\373N\36avl)\345ii\316\3001\236\23R\214|7\10\2S\17\246\32\335D\334B\376Y\244{l\3714\31\227\321T\353^k\360\350j\317\262t\332\15\3!1\26d{\312M\251\5M\251\347\377tb\310N?\356\263\360?\350\4\364L\311\204\266\215E\320\364\211\2054\240{\37\224\326t\226#C\245\2K\0b\37\30/un\7\207I8\308B=\354\310ew\308pn\2\205\376\250k\210^\224\37w\2A\260\341XC\204\346\230\322$\233Q5 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "\317\244\331\265\331\230\210f\12\306\241\6O\317\256\265.\211\241\227&AS\21?\360\220\22\14CA\211P\357}\6\352\210E\35i\3638\210\3554\273\240\323\302\261>SO\220\274>ac\263(e\3440@\26\2774X\210&\316\335\355{\271\320\330\20tQ\25 \310\304\313\262\244r\221\325t:\24w\364\14\35\0\361\14Gv"\36\317\3425\321\303a\13\21\315\217\200\367\305(&p\317\25\254d\253\317\12DDS\266\257\311\331\13\26\305q\373N\36avl)\345ii\316\3001\236\23R\214|7\10\2S\17\246\32\335D\334B\376Y\244{l\3714\31\227\321T\353^k\360\350j\317\262t\332\15\3!1\26d{\312M\251\5M\251\347\377tb\310N?\356\263\360?\350\4\364L\311\204\266\215E\320\364\211\2054\240{\37\224\326t\226#C\245\2K\0b\37\30/un\7\207I8\308B=\354\310ew\308pn\2\205\376\250k\210^\224\37w\2A\260\341XC\204\346\230\322$\233Q5"\243BM\12,\234\210r\272\363~2z\257\2154\360\10\302\266`\332Y0\310\275\23\266\246\371\374kX\251\2448\30\5\357\217a\221\3744\35j\206p\17\316\305?\0\336\243<\1\233?\375\22\373A\347^fN\326\204\2\310\17\271\14\261\320\15\354\271 \322$\271a\376.\31\374\353s^\10\332[\11\330\26\2072\27:e2/`\315Vn\33W\325LO\310\13y\25Qk\6\16XSe\3409\330F\364\32\3056\20\255\25\202\266_FK\21\241\277\210\0A\257 UwF\15*PK\203\26Q\37H\253\345\2737\4\222\307\3\247\33I\16H\261\327\3279\200\1\221j\254I\324\354\267$v\321\212\17\334\234\233M\20\0\128Z\350&?O\330\365_;\322\241\32y8", ) , ) == 0x0 00494 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 
\364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) == 0x0 00495 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "F \346#x_\344\11\341c\366\345=@\215y?\215\245\307\31-?\341Gm\246|XG\246.\1Y1&z\344\314{\30\375\347\270WC\234%\30\363\365\273\320\27\2w\217\302T\30N\367\225\263\236E\255\34\220]Y\314\37\365/ Q\31\277\301\317\347\376\2334B\302{\325O\312Y\203%8\334\205g#\361,\232\211\210[K\343]Y\361\5\264\277\2475xc);a\351\207D\315\255R\330\252\14\335\16\262\363Oq\315'\330\34\322l9\1_-Ps\307WD&C|g\2768\262N\313\305\373lJ\5\351\206RY\265")Pw\22\310\271.\3\\353d\376\236\370I;-F\205WJ\303Q\351\3\25\205Q,D&\327\311\242:o\221\347\231\17\235\14j\16\361\222%N\232v\321n\2430\355\201T\302@\206mq\16\34\37\370\352\200\237,\6\200;\34\317Q>="\374C\159\20J\15\214\254=YE\316\4\351u\4mc&\237\303?\206L*oV\361\241\251\300\14\30l\377\217\366k\227@$\307&)Xn\215\3h\325|\377\265B\317\3100n\206\320\246@D\2545\363\350\22\31oaU\265QY4\214\263X\255\342u\202\371q1\347\224$\35\372m\4YZ\254\367S\21t\345a\324H\362K?a\344\11\367=F\303\303/\254\334/\255\24\217\317\240\353\13\20=_/\7F\202\302\202H\367\360\250\2\37\361\317 1-\263\213\325N%X\341\315\201IU\26\303\362K\257G\2\213\337\300iU!\304\14\253J!\333XU\304\262V\310\271\330S\307\37tk\261\232jS\326\304\340\13\343\37\205\3448\202\21\345n\224\177\351\206\262\30U\331w|\17\355e\357\331\376liJU3\217\16\235\177\3700r2\311k\227\266\215O\203\15\343R\5l\7", ) )Pw\22\310\271.\3\\353d\376\236\370I;-F\205WJ\303Q\351\3\25\205Q,D&\327\311\242:o\221\347\231\17\235\14j\16\361\222%N\232v\321n\2430\355\201T\302@\206mq\16\34\37\370\352\200\237,\6\200;\34\317Q>= (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "F \346#x_\344\11\341c\366\345=@\215y?\215\245\307\31-?\341Gm\246|XG\246.\1Y1&z\344\314{\30\375\347\270WC\234%\30\363\365\273\320\27\2w\217\302T\30N\367\225\263\236E\255\34\220]Y\314\37\365/ Q\31\277\301\317\347\376\2334B\302{\325O\312Y\203%8\334\205g#\361,\232\211\210[K\343]Y\361\5\264\277\2475xc);a\351\207D\315\255R\330\252\14\335\16\262\363Oq\315'\330\34\322l9\1_-Ps\307WD&C|g\2768\262N\313\305\373lJ\5\351\206RY\265")Pw\22\310\271.\3\\353d\376\236\370I;-F\205WJ\303Q\351\3\25\205Q,D&\327\311\242:o\221\347\231\17\235\14j\16\361\222%N\232v\321n\2430\355\201T\302@\206mq\16\34\37\370\352\200\237,\6\200;\34\317Q>="\374C\159\20J\15\214\254=YE\316\4\351u\4mc&\237\303?\206L*oV\361\241\251\300\14\30l\377\217\366k\227@$\307&)Xn\215\3h\325|\377\265B\317\3100n\206\320\246@D\2545\363\350\22\31oaU\265QY4\214\263X\255\342u\202\371q1\347\224$\35\372m\4YZ\254\367S\21t\345a\324H\362K?a\344\11\367=F\303\303/\254\334/\255\24\217\317\240\353\13\20=_/\7F\202\302\202H\367\360\250\2\37\361\317 1-\263\213\325N%X\341\315\201IU\26\303\362K\257G\2\213\337\300iU!\304\14\253J!\333XU\304\262V\310\271\330S\307\37tk\261\232jS\326\304\340\13\343\37\205\3448\202\21\345n\224\177\351\206\262\30U\331w|\17\355e\357\331\376liJU3\217\16\235\177\3700r2\311k\227\266\215O\203\15\343R\5l\7", ) , ) == 0x0 00496 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c 
\265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 
hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00497 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "k\321t\20\236od\12\353\7\30\350\207Dr\34Qb\1\14m\235%\324\222h\320\377\331\22\235A{\301\277\275\206\7/\250\206i\326+\236\21v E\204\332\342\33\372\364R\305Q\257\373\311 \317\22\2X*\332?\2602-](\231K\266t\317J2\325\17U-\27\23WooC\22Zk\1\21\252{\5%\366\333\244\341\34\237yN\303\300A\377\275h]\336K=\252\252\334^P%o\207E\267\273\10\242\312\267-\324\330\23IH\25Zdtj\337\17\311u\7\370\276[L\213\0\1\334\326\355\325\303\351\235tZ\272\356\21t\1K\11\352\351M\237\201\253h\223`#A\206\20'?\3\226Ot\13:_\4kHQ\272\212\377o\314\13"\20>\3\23\22\245xM\213~\357wwZ\23\14i\205'\25\371O'.+p\317\13I4S\5+oc\322R\335JadH\260\216\336>\304RA\366 \14zH\24VP\212\32M1\374;\12k\214\345\237\356\206]\\330g\30\327\213\311\200\254\3\210#\211\306\6\306\32H\241\373\222|\315\1\210\213\16eY\16\240\12\17\353O\337'\2607\211]\211d,YL\1@4{&\324\312cB\210\304'@\242]\236_~y\2575\360&s\303:\3\347^\237\257\12P\371U\224i\21BU\350-m\237Z\46\244\10\215\35\264"\205\2132&\300rK7\353\222\31\206j\14R:\14-A \217\340\2\11\27Id\346\263l8S\4'I\374\344\221d\356\15o-\10>\322@y\20-R\220\205\311\16\236\0\200\367\2443\0\240\346\342\247\30e\36m\312I\200\202tMt@\277(PD}-'\227w\355;i\317x\310Y\373\24\366x\357W0\352@\254\4\345b\250\204n\34\34\27\320\37\34\221\330\345\265&\353L0\275", ) \20>\3\23\22\245xM\213~\357wwZ\23\14i\205'\25\371O'.+p\317\13I4S\5+oc\322R\335JadH\260\216\336>\304RA\366 
\14zH\24VP\212\32M1\374;\12k\214\345\237\356\206]\\330g\30\327\213\311\200\254\3\210#\211\306\6\306\32H\241\373\222|\315\1\210\213\16eY\16\240\12\17\353O\337'\2607\211]\211d,YL\1@4{&\324\312cB\210\304'@\242]\236_~y\2575\360&s\303:\3\347^\237\257\12P\371U\224i\21BU\350-m\237Z\46\244\10\215\35\264 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "k\321t\20\236od\12\353\7\30\350\207Dr\34Qb\1\14m\235%\324\222h\320\377\331\22\235A{\301\277\275\206\7/\250\206i\326+\236\21v E\204\332\342\33\372\364R\305Q\257\373\311 \317\22\2X*\332?\2602-](\231K\266t\317J2\325\17U-\27\23WooC\22Zk\1\21\252{\5%\366\333\244\341\34\237yN\303\300A\377\275h]\336K=\252\252\334^P%o\207E\267\273\10\242\312\267-\324\330\23IH\25Zdtj\337\17\311u\7\370\276[L\213\0\1\334\326\355\325\303\351\235tZ\272\356\21t\1K\11\352\351M\237\201\253h\223`#A\206\20'?\3\226Ot\13:_\4kHQ\272\212\377o\314\13"\20>\3\23\22\245xM\213~\357wwZ\23\14i\205'\25\371O'.+p\317\13I4S\5+oc\322R\335JadH\260\216\336>\304RA\366 \14zH\24VP\212\32M1\374;\12k\214\345\237\356\206]\\330g\30\327\213\311\200\254\3\210#\211\306\6\306\32H\241\373\222|\315\1\210\213\16eY\16\240\12\17\353O\337'\2607\211]\211d,YL\1@4{&\324\312cB\210\304'@\242]\236_~y\2575\360&s\303:\3\347^\237\257\12P\371U\224i\21BU\350-m\237Z\46\244\10\215\35\264"\205\2132&\300rK7\353\222\31\206j\14R:\14-A \217\340\2\11\27Id\346\263l8S\4'I\374\344\221d\356\15o-\10>\322@y\20-R\220\205\311\16\236\0\200\367\2443\0\240\346\342\247\30e\36m\312I\200\202tMt@\277(PD}-'\227w\355;i\317x\310Y\373\24\366x\357W0\352@\254\4\345b\250\204n\34\34\27\320\37\34\221\330\345\265&\353L0\275", ) , ) == 0x0 00498 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 
g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00499 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "[\274\374H,\345\216\277\221\16\6\210\204\314\251\327\12\20\224\337N\217\354dK\26\14`\17J\220aB]\231\377O\237\307'\341\25\35\212\25N\333\200\260E\252\375\203\25\234\4Z\320n\215\177+\20?^\272\251I\31\5Q\336\6=\217\14\205 &\25)C\326L\272F^\4\2361\205\4\363\354\326dXjS\2z\263\3462{\15\237\31\37\252j5\253\14\352WQ]Ph\323\254\254Nc*M\325\364\267w=c\304\33\355\201m\376\370\255\371\35\325E\371\362Y,\2369;um\267\335\321\257\\0\251\345v*T\34\320-\313l\226\215$\267\201v3\316\3760-\214\254\0#F(\254\272\310\332 y\3555\3\273\222\372\201C\256W\36\263\321\353\223X\354'}-;J\243\27y\0]51v\16\215\270\234"F\22l\354Q\255fnR\375%\12\263\206*Iny\347\3[\307\355\26\251Q\2346\5\237\350%\273\22\213\345t\273\220\323Vw\32\35\2\331\372\375\273\267\307\326]6DK\2\7<\331\340CX\365\264j\311(\267&\320\234e"'\\321CQ/(tBb\333\257]\315K\272K\316g\4\323\37c\351\20a\347\35\262>+\270\241\310\30\344\311\267\334C]\267\354\0+j\334\370<\217\307M\241=\235k}J\241\344\177\337\227<.C\256\343\257\367\340\2249\17\345p\202\304\345 %\17\340\30\275i\3657}v\217\362A\324\256S\36\310*\16Y\353(\353`\2751H\\374&(Q\314v\362\M\3\350E\305{R\30\377\235h-9\354\246\333\216\254m\311\366L\214\237ee\24\21\234\267T\251\212\31402M$\311J\206\3\357[g+a__\231oY\0|a\10\236FHIh\217\360i\333@\24eOb`\232gl`~W\25\30", ) F\22l\354Q\255fnR\375%\12\263\206*Iny\347\3[\307\355\26\251Q\2346\5\237\350%\273\22\213\345t\273\220\323Vw\32\35\2\331\372\375\273\267\307\326]6DK\2\7<\331\340CX\365\264j\311(\267&\320\234e (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "[\274\374H,\345\216\277\221\16\6\210\204\314\251\327\12\20\224\337N\217\354dK\26\14`\17J\220aB]\231\377O\237\307'\341\25\35\212\25N\333\200\260E\252\375\203\25\234\4Z\320n\215\177+\20?^\272\251I\31\5Q\336\6=\217\14\205 &\25)C\326L\272F^\4\2361\205\4\363\354\326dXjS\2z\263\3462{\15\237\31\37\252j5\253\14\352WQ]Ph\323\254\254Nc*M\325\364\267w=c\304\33\355\201m\376\370\255\371\35\325E\371\362Y,\2369;um\267\335\321\257\\0\251\345v*T\34\320-\313l\226\215$\267\201v3\316\3760-\214\254\0#F(\254\272\310\332 y\3555\3\273\222\372\201C\256W\36\263\321\353\223X\354'}-;J\243\27y\0]51v\16\215\270\234"F\22l\354Q\255fnR\375%\12\263\206*Iny\347\3[\307\355\26\251Q\2346\5\237\350%\273\22\213\345t\273\220\323Vw\32\35\2\331\372\375\273\267\307\326]6DK\2\7<\331\340CX\365\264j\311(\267&\320\234e"'\\321CQ/(tBb\333\257]\315K\272K\316g\4\323\37c\351\20a\347\35\262>+\270\241\310\30\344\311\267\334C]\267\354\0+j\334\370<\217\307M\241=\235k}J\241\344\177\337\227<.C\256\343\257\367\340\2249\17\345p\202\304\345 %\17\340\30\275i\3657}v\217\362A\324\256S\36\310*\16Y\353(\353`\2751H\\374&(Q\314v\362\M\3\350E\305{R\30\377\235h-9\354\246\333\216\254m\311\366L\214\237ee\24\21\234\267T\251\212\31402M$\311J\206\3\357[g+a__\231oY\0|a\10\236FHIh\217\360i\333@\24eOb`\232gl`~W\25\30", ) , ) == 0x0 00500 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376 
\242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376 \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376 \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376 \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00501 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "!/\12\230\22\1K\374N\275\13{\22\lS)#Mt\17\343\305,x\20i\40\37\335b&\26\243S\10\3saq, \205\331\312!\323\355h&\366I\2$\227]H\20 8\364\350\327\2G\23\260\2\270\277\0n-\17zZ\\27\25\353k\23\12\302\2\224\17Z`\7\340Y\30\257\326\20[\30\010lS\20\13%\340T7\375\220\333\255\311\353In\357I\343\267|\305X\255G\262jG\275\260k3g\214M\215z}\324\34%\271X\14e\202\323\\6|,O\37\200@\315j`\203Z\254\267Z\257,*\\356-\12aJ\35\327\363\177\246\216/ +\271t*\33\242\373\373\31\215O\306\215(I\3639 \312N\260<\354N\340u\246\3170\6Lr\244XI\250\35\242\14q&\201EOC\307{\357#\25\273A\14h\220\374\210\221V\36/\5\231\^r6T\206\362\255t\\4u\260'\24b\31,I\15\\256|\222H8\325\365-\221\252]\233\250\325\UP\364\311`\214\11&\264\334\2073Fu-A\305\254;\361L\263\200\315\26\246'\35 \364\4\324\2\334\346\331/\345\11\261n,\313z@\217\252N4\260q\301D\6X]\6+\244\372\317*\10lUa\22{x\222\24\15\374G\33$\2460q\225\367&\0\305_+\377\225_\231\2g\2luT\32\241"\257\262}8\262r\232\16\235s\227 Y\213\317&\361\336;*1Z\321\205]\337$|\348\16\123M\223\252\356\342\206G\205\261QG\236\25%\3[-@\236u\204\226l\C(\20I[\226,\222\3750\30Ao\4\313\353c\357$}g\14,u[\277\0;\230\325\202\11\16\250\355\15O\217SV\272\254f\10\360o\242z\25&\213\210L\316\11\215\354\201v9\243(\3", ) \257\262}8\262r\232\16\235s\227 Y\213\317&\361\336;*1Z\321\205]\337$|\348\16\123M\223\252\356\342\206G\205\261QG\236\25%\3[-@\236u\204\226l\C(\20I[\226,\222\3750\30Ao\4\313\353c\357$}g\14,u[\277\0;\230\325\202\11\16\250\355\15O\217SV\272\254f\10\360o\242z\25&\213\210L\316\11\215\354\201v9\243(\3", ) == 0x0 00502 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 
a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30 \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30 \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30 \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30 \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00503 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "L\250\353o\334m51\202\244$\314E\337\3269E'\212b\200PE\347\324\354v5p\36\226\27}>,\2216\234\273FH\1]\360h \357\33(\360hH\336\17\23\3\216~yT\277l\07\315P\22S*\212\206\205m\25\245\323\36P\10<\363\16HN&\216\326\61\4\372l\\203LO\203\322\305g'0z,/|E\311+8\227H4\213\34\277\244\0u\321O6I2\360H'\2129 \14\277\376\25\310}\236d"\17:\325?\235\320YQM\264CWv'\4\\4\216`+|\344\303?\243?\311\214"\224h\375C1<\313\32\372\222\273_, ) \17:\325?\235\320YQM\264CWv'\4\\4\216`+|\344\303?\243?\311\214 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "L\250\353o\334m51\202\244$\314E\337\3269E'\212b\200PE\347\324\354v5p\36\226\27}>,\2216\234\273FH\1]\360h \357\33(\360hH\336\17\23\3\216~yT\277l\07\315P\22S*\212\206\205m\25\245\323\36P\10<\363\16HN&\216\326\61\4\372l\\203LO\203\322\305g'0z,/|E\311+8\227H4\213\34\277\244\0u\321O6I2\360H'\2129 \14\277\376\25\310}\236d"\17:\325?\235\320YQM\264CWv'\4\\4\216`+|\344\303?\243?\311\214"\224h\375C1<\313\32\372\222\273_, ) , ) == 0x0 00504 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364 
\200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364 \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) == 0x0 00505 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "X\356\333N\375\232,\22\6R@\262\205\313\17qr\16=\367\321x!4\373\302\246:\326\1\226C7#}\205'o\27\31|\5\10\13\362I\244\1\300\17\232&~N&\20\11!E\315\235Q\320\375\266\254\13\258\254\30\310\363/\315cTx\330\2223\367\13R\12\14\353\13\220\254\25I\27\204\350%m\23\221\201\177\251\207\347\2\330\267\307g\20\257w\325E)\312\353\3001\266\256\276\357N\16 \320D8FZ\367\331\11.\17\343F\35Q\304?\305\323\321m\267|\4&QJ|sU5\257\300Qw<*\273\21@V\302Q\365\352\233qg\270D/\317Fw\2031\32kW(\320u\317h\204x\360I\2\265\317h\37\303\210\360BDo {\15\274\33-c\277[a"\204 \227J0\24\271\12\340\262AWWK~\204\362\257UC(\30[[G\7\262\331\37uSG\251_M\2502\212\324:\211\211>\263c\327\36\345\322\2769x@\353N\2057\30GW\246\220\304;(\301\251\313\276\20L\6\310O\31\367\262\252\366Z\257DA\305~\31\1\342Q\346\2x\354\213\30C*\33S3\377Y*\370f\2\23W7\10\371\37\223Q\353c\377\222n0\14AWY\266\201=(\30t\364lPQ\13\10a\225B\244[\256\32\351\22z\25o\270 u\312\12C\15\223\232\2330\16[b\371'~\20\263!\370r-6|#\257\325\261Nm\320\307Y]/\222\251\227\4\2374>\25\316\33MQ9Y\16\350\326\360\33\17\204jL\2171\351\257\252\341Y\36\343Z\30s\334\200\344\273D\366s\301d k@\253\370\246[\321\222W\217\340\3+W\37\306\231#\263m@\221\148T\237\355N", ) \204 \227J0\24\271\12\340\262AWWK~\204\362\257UC(\30[[G\7\262\331\37uSG\251_M\2502\212\324:\211\211>\263c\327\36\345\322\2769x@\353N\2057\30GW\246\220\304;(\301\251\313\276\20L\6\310O\31\367\262\252\366Z\257DA\305~\31\1\342Q\346\2x\354\213\30C*\33S3\377Y*\370f\2\23W7\10\371\37\223Q\353c\377\222n0\14AWY\266\201=(\30t\364lPQ\13\10a\225B\244[\256\32\351\22z\25o\270 u\312\12C\15\223\232\2330\16[b\371'~\20\263!\370r-6|#\257\325\261Nm\320\307Y]/\222\251\227\4\2374>\25\316\33MQ9Y\16\350\326\360\33\17\204jL\2171\351\257\252\341Y\36\343Z\30s\334\200\344\273D\366s\301d k@\253\370\246[\321\222W\217\340\3+W\37\306\231#\263m@\221\148T\237\355N", ) 
== 0x0 00506 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00507 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "3K\326\30'\241\247\332\30\357\360|\321@\227\237\227-A\204\261\257\347{\322Ca\3323\327\3570\337\236\35\35H\330\304DJ\300\350]\331\230@Dq\330Z"\3714Q\15+NZ\34\17\321m\217\377\342\334\226Lb\243f\4\203\340\353)U\275\14IF/\25\225J\2208F\216@\333\27\227[\360WMp\5\232\302\13\370t\230'\11\363\6W\267\363\202p\23Fig\271\237\317~Q\251YG\275\3103\246\233\320\253\36\234\25=\2407Q\247\250\341\24\315\264\343d\264\2453M~\177\244\220\305&\216\347\337\20\262w\307\234\1\233\316\337WSA{\343'F\343\20Q\244\3670[w\245m\355Z\302\216w\275\265\217\336b&~\\304!\340\357\23\265\311\265\331\225\30\22Y\260\13\245\273\244\3K\222\17\336-\234\15\221\317\33!D{\267\25!\331\316?\234H\232l\266K\237\235\330A\265\35\200+\254K\3173\310\250!^-E\310\2778\330\242\335V\263\205,\323\31\24\26q\211\245\270\16*\247\345\5\3\244\323\345LM.\307|VK \373\311\207+\267\220]\254!\355\255\27\5\273\235"\32re;bFS\177\30P\32y\364\320?Y\254\323\312Y\10?\316\356\265\233\24\244\16\237\20\243\373g\22\25\2612yd}-n\365\251\11\14D"\371\271\353n\310\3638a\306\\344\275\205Ry$k\34\364\335\12v\24\355X\236\222y\317\217\4\221-g`\250\233\332\0\7E`\211\273\337\21\375]iJ3&\237_\14{N\320\256O\340-sQd\323a\232\35\2318Nt\352\302\250V'\307\250\330\217\31c%sUI\204\350x\316\347f\301\223x\276\244FP\14?\260\355\4\262_\255PRN"\3\11ee=\10@dS\21n\243\214\352\334\234DXh\5\353", ) 
\3714Q\15+NZ\34\17\321m\217\377\342\334\226Lb\243f\4\203\340\353)U\275\14IF/\25\225J\2208F\216@\333\27\227[\360WMp\5\232\302\13\370t\230'\11\363\6W\267\363\202p\23Fig\271\237\317~Q\251YG\275\3103\246\233\320\253\36\234\25=\2407Q\247\250\341\24\315\264\343d\264\2453M~\177\244\220\305&\216\347\337\20\262w\307\234\1\233\316\337WSA{\343'F\343\20Q\244\3670[w\245m\355Z\302\216w\275\265\217\336b&~\\304!\340\357\23\265\311\265\331\225\30\22Y\260\13\245\273\244\3K\222\17\336-\234\15\221\317\33!D{\267\25!\331\316?\234H\232l\266K\237\235\330A\265\35\200+\254K\3173\310\250!^-E\310\2778\330\242\335V\263\205,\323\31\24\26q\211\245\270\16*\247\345\5\3\244\323\345LM.\307|VK \373\311\207+\267\220]\254!\355\255\27\5\273\235 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "3K\326\30'\241\247\332\30\357\360|\321@\227\237\227-A\204\261\257\347{\322Ca\3323\327\3570\337\236\35\35H\330\304DJ\300\350]\331\230@Dq\330Z"\3714Q\15+NZ\34\17\321m\217\377\342\334\226Lb\243f\4\203\340\353)U\275\14IF/\25\225J\2208F\216@\333\27\227[\360WMp\5\232\302\13\370t\230'\11\363\6W\267\363\202p\23Fig\271\237\317~Q\251YG\275\3103\246\233\320\253\36\234\25=\2407Q\247\250\341\24\315\264\343d\264\2453M~\177\244\220\305&\216\347\337\20\262w\307\234\1\233\316\337WSA{\343'F\343\20Q\244\3670[w\245m\355Z\302\216w\275\265\217\336b&~\\304!\340\357\23\265\311\265\331\225\30\22Y\260\13\245\273\244\3K\222\17\336-\234\15\221\317\33!D{\267\25!\331\316?\234H\232l\266K\237\235\330A\265\35\200+\254K\3173\310\250!^-E\310\2778\330\242\335V\263\205,\323\31\24\26q\211\245\270\16*\247\345\5\3\244\323\345LM.\307|VK 
\373\311\207+\267\220]\254!\355\255\27\5\273\235"\32re;bFS\177\30P\32y\364\320?Y\254\323\312Y\10?\316\356\265\233\24\244\16\237\20\243\373g\22\25\2612yd}-n\365\251\11\14D"\371\271\353n\310\3638a\306\\344\275\205Ry$k\34\364\335\12v\24\355X\236\222y\317\217\4\221-g`\250\233\332\0\7E`\211\273\337\21\375]iJ3&\237_\14{N\320\256O\340-sQd\323a\232\35\2318Nt\352\302\250V'\307\250\330\217\31c%sUI\204\350x\316\347f\301\223x\276\244FP\14?\260\355\4\262_\255PRN"\3\11ee=\10@dS\21n\243\214\352\334\234DXh\5\353", ) \371\271\353n\310\3638a\306\\344\275\205Ry$k\34\364\335\12v\24\355X\236\222y\317\217\4\221-g`\250\233\332\0\7E`\211\273\337\21\375]iJ3&\237_\14{N\320\256O\340-sQd\323a\232\35\2318Nt\352\302\250V'\307\250\330\217\31c%sUI\204\350x\316\347f\301\223x\276\244FP\14?\260\355\4\262_\255PRN (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "3K\326\30'\241\247\332\30\357\360|\321@\227\237\227-A\204\261\257\347{\322Ca\3323\327\3570\337\236\35\35H\330\304DJ\300\350]\331\230@Dq\330Z"\3714Q\15+NZ\34\17\321m\217\377\342\334\226Lb\243f\4\203\340\353)U\275\14IF/\25\225J\2208F\216@\333\27\227[\360WMp\5\232\302\13\370t\230'\11\363\6W\267\363\202p\23Fig\271\237\317~Q\251YG\275\3103\246\233\320\253\36\234\25=\2407Q\247\250\341\24\315\264\343d\264\2453M~\177\244\220\305&\216\347\337\20\262w\307\234\1\233\316\337WSA{\343'F\343\20Q\244\3670[w\245m\355Z\302\216w\275\265\217\336b&~\\304!\340\357\23\265\311\265\331\225\30\22Y\260\13\245\273\244\3K\222\17\336-\234\15\221\317\33!D{\267\25!\331\316?\234H\232l\266K\237\235\330A\265\35\200+\254K\3173\310\250!^-E\310\2778\330\242\335V\263\205,\323\31\24\26q\211\245\270\16*\247\345\5\3\244\323\345LM.\307|VK 
\373\311\207+\267\220]\254!\355\255\27\5\273\235"\32re;bFS\177\30P\32y\364\320?Y\254\323\312Y\10?\316\356\265\233\24\244\16\237\20\243\373g\22\25\2612yd}-n\365\251\11\14D"\371\271\353n\310\3638a\306\\344\275\205Ry$k\34\364\335\12v\24\355X\236\222y\317\217\4\221-g`\250\233\332\0\7E`\211\273\337\21\375]iJ3&\237_\14{N\320\256O\340-sQd\323a\232\35\2318Nt\352\302\250V'\307\250\330\217\31c%sUI\204\350x\316\347f\301\223x\276\244FP\14?\260\355\4\262_\255PRN"\3\11ee=\10@dS\21n\243\214\352\334\234DXh\5\353", ) , ) == 0x0 00508 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00509 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Jh7\223"fx\15\243\247[\3V\16\201\2404"\344+`k\370?\20\365\11\335\367\277F\215\4a\346\10\242GQ\323m\202S\367\224h\7\363\266\14\3674\24Q>$y\34\4w\257\214bO\373\233x\273\262\202\222\306M\267\177\373\22u\320\212\177\317\330+'K\11u\205}\300\271\304\371\362.\361\16b0\10\266\350\232\354,u^\12\305R\214\2375\257-\2Y\333[\262\307\207\303\2461\254\12\237TX\14\0\223\333M\2011O\245\243:\322\353T\260)\261\232\253Z\22\262\16\366cB\331\14CGDo\21\2711\25}\353Q\204\212\355DO\271_\345Q\353G\322.\27x\24\376\25\11\254+\262\221\275\250M3_q.\347G\27F\360\33l\322C\207\2\303\17\34?\371u#\311O\366\345"\343\265\7\11\10\357\2602\16B\352\1\364[r"u{)\323\240\223\32\343F_\3215\35-\256B\226\1)\3\31&\342C\347cT\267\265\246a@\202a\226?0\2174M\337\304&\336\\216\334\20$\246\321\227\261b\373\370\200\256\3561\21\226\330\333t\304N\13\206\351T\330\200\324\371\202\302\34\326\350\206-YA-F\376\273\267\267\373u\277\302_\3\246\242;\202}\324\256DL\252\370\300\261K\244\344V)!\360\264\370\3760i\256E\353k\217\216\213\275LY\10 \356\302\340\4\275\246;$C\37\4\2411\337\27#]W'ot'5+j\342D_OkxT\261\305n\246\250#\22`8\311\353F)\343\245hOE\136\377\223^\346\335\0\31y\357\325\333b\357L\360B\267B\301\263%\255\7I\257\334\3\321\34&\303\30\206&\340\364M\35\310R\205Y\201\2\3360\373 HR\367\201\314\376\12\331\342\24\12?Di|\241\271\37z]3;\277W\16\11!", ) fx\15\243\247[\3V\16\201\2404 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "Jh7\223"fx\15\243\247[\3V\16\201\2404"\344+`k\370?\20\365\11\335\367\277F\215\4a\346\10\242GQ\323m\202S\367\224h\7\363\266\14\3674\24Q>$y\34\4w\257\214bO\373\233x\273\262\202\222\306M\267\177\373\22u\320\212\177\317\330+'K\11u\205}\300\271\304\371\362.\361\16b0\10\266\350\232\354,u^\12\305R\214\2375\257-\2Y\333[\262\307\207\303\2461\254\12\237TX\14\0\223\333M\2011O\245\243:\322\353T\260)\261\232\253Z\22\262\16\366cB\331\14CGDo\21\2711\25}\353Q\204\212\355DO\271_\345Q\353G\322.\27x\24\376\25\11\254+\262\221\275\250M3_q.\347G\27F\360\33l\322C\207\2\303\17\34?\371u#\311O\366\345"\343\265\7\11\10\357\2602\16B\352\1\364[r"u{)\323\240\223\32\343F_\3215\35-\256B\226\1)\3\31&\342C\347cT\267\265\246a@\202a\226?0\2174M\337\304&\336\\216\334\20$\246\321\227\261b\373\370\200\256\3561\21\226\330\333t\304N\13\206\351T\330\200\324\371\202\302\34\326\350\206-YA-F\376\273\267\267\373u\277\302_\3\246\242;\202}\324\256DL\252\370\300\261K\244\344V)!\360\264\370\3760i\256E\353k\217\216\213\275LY\10 \356\302\340\4\275\246;$C\37\4\2411\337\27#]W'ot'5+j\342D_OkxT\261\305n\246\250#\22`8\311\353F)\343\245hOE\136\377\223^\346\335\0\31y\357\325\333b\357L\360B\267B\301\263%\255\7I\257\334\3\321\34&\303\30\206&\340\364M\35\310R\205Y\201\2\3360\373 HR\367\201\314\376\12\331\342\24\12?Di|\241\271\37z]3;\277W\16\11!", ) \343\265\7\11\10\357\2602\16B\352\1\364[r (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "Jh7\223"fx\15\243\247[\3V\16\201\2404"\344+`k\370?\20\365\11\335\367\277F\215\4a\346\10\242GQ\323m\202S\367\224h\7\363\266\14\3674\24Q>$y\34\4w\257\214bO\373\233x\273\262\202\222\306M\267\177\373\22u\320\212\177\317\330+'K\11u\205}\300\271\304\371\362.\361\16b0\10\266\350\232\354,u^\12\305R\214\2375\257-\2Y\333[\262\307\207\303\2461\254\12\237TX\14\0\223\333M\2011O\245\243:\322\353T\260)\261\232\253Z\22\262\16\366cB\331\14CGDo\21\2711\25}\353Q\204\212\355DO\271_\345Q\353G\322.\27x\24\376\25\11\254+\262\221\275\250M3_q.\347G\27F\360\33l\322C\207\2\303\17\34?\371u#\311O\366\345"\343\265\7\11\10\357\2602\16B\352\1\364[r"u{)\323\240\223\32\343F_\3215\35-\256B\226\1)\3\31&\342C\347cT\267\265\246a@\202a\226?0\2174M\337\304&\336\\216\334\20$\246\321\227\261b\373\370\200\256\3561\21\226\330\333t\304N\13\206\351T\330\200\324\371\202\302\34\326\350\206-YA-F\376\273\267\267\373u\277\302_\3\246\242;\202}\324\256DL\252\370\300\261K\244\344V)!\360\264\370\3760i\256E\353k\217\216\213\275LY\10 \356\302\340\4\275\246;$C\37\4\2411\337\27#]W'ot'5+j\342D_OkxT\261\305n\246\250#\22`8\311\353F)\343\245hOE\136\377\223^\346\335\0\31y\357\325\333b\357L\360B\267B\301\263%\255\7I\257\334\3\321\34&\303\30\206&\340\364M\35\310R\205Y\201\2\3360\373 HR\367\201\314\376\12\331\342\24\12?Di|\241\271\37z]3;\277W\16\11!", ) , ) == 0x0 00510 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S 
w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) == 0x0 00511 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "in\14\336\317C\317'OLr\15\337\261\263\254TS3\213\206t\317u\233\3322\13s\361\341\237\265i\207S\26\344Z\2\237\337\2136\273\17\240k\324Vl\27Ln\4"|%\4f$\351w\7^\235\255\35\32|\273X1\374\31\31\377!)\341\13@\20(\254\22\353\317E\257\377Z\201e\304/d\26\27b\200\331)OO\235\266\304i0A\343:\365(\373\312\352\213\262\317r\24K\347\3604\17e\34\331\335\244(n\12\17\224F\245T\37\373,\312\360\221\360\31\213Yz\22\255\30\304q\371\236_f\245\306m\316\302<`O>\1iP"G\235/VX\370\213\\260R\36\16_\17\373\16\3769v\347\34\344B\374\244-6|F\256\317W\366\230\210\253V\22&r\372\327\241\330\251\355\20\275y\20\235\262Lk\310\220.\371F\257d"A\335w\362m6p8$*L\257\4b\240W\214", ) |%\4f$\351w\7^\235\255\35\32|\273X1\374\31\31\377!)\341\13@\20(\254\22\353\317E\257\377Z\201e\304/d\26\27b\200\331)OO\235\266\304i0A\343:\365(\373\312\352\213\262\317r\24K\347\3604\17e\34\331\335\244(n\12\17\224F\245T\37\373,\312\360\221\360\31\213Yz\22\255\30\304q\371\236_f\245\306m\316\302<`O>\1iP230]uV\25\256sQd\267\255;N\234\234Gg-\37\254\225,7$\331v'\350Y\241\205\272\21\270\337_X\321\252_\14\247\307`39\344\276\350KkhR\32vuF7!\315\177\10 $\0M\310\24.9\3770\200\317\6\243\265\307,R\35K\37\270\270\303y\350\267L\341\211\254\3049TNUZN\262\36\326s\326\241S\14\205b\10\200Z9\37\31.t\37c\3615\274\333\337\306!\24U9\37b\332\362\10t\17=\241\12\236\232E\234\343Ja\250\301@\373\251\273\213\213\252\1:\203Q`\12Kk\230\352\233\31WF$\360X\134\344ON\31\334QB\212[\346\337\204\10\2\237\257\352\330\315J[\210\252$\376ZC\245\302l\324_\233T\316\306\16\237v`(\265/{T\310\212a\213l\201\255\216{/\30\316'\363\222\3353,\337\217/E\371; (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "in\14\336\317C\317'OLr\15\337\261\263\254TS3\213\206t\317u\233\3322\13s\361\341\237\265i\207S\26\344Z\2\237\337\2136\273\17\240k\324Vl\27Ln\4"|%\4f$\351w\7^\235\255\35\32|\273X1\374\31\31\377!)\341\13@\20(\254\22\353\317E\257\377Z\201e\304/d\26\27b\200\331)OO\235\266\304i0A\343:\365(\373\312\352\213\262\317r\24K\347\3604\17e\34\331\335\244(n\12\17\224F\245T\37\373,\312\360\221\360\31\213Yz\22\255\30\304q\371\236_f\245\306m\316\302<`O>\1iP"G\235/VX\370\213\\260R\36\16_\17\373\16\3769v\347\34\344B\374\244-6|F\256\317W\366\230\210\253V\22&r\372\327\241\330\251\355\20\275y\20\235\262Lk\310\220.\371F\257d"A\335w\362m6p8$*L\257\4b\240W\214", ) A\335w\362m6p8$*L\257\4b\240W\214", ) == 0x0 00512 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\35
3\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00513 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "Jb\257\274\332u\32\334\244zi\15S\306%\241_\223\342\0W6X\364?\204\16\263\346\300s\2\216J\261\32\236F\340\231\303n,\17\335\334\3\353r\12\300\35\11d \202\240\3259\257\11\246Y\217Q\3750\313VR\11Q\301\260c\6l\4 \346\200pp\301\375\352\207*\331@\177\3173\350-\321\23\222;\335\252:\0\230\7q|\362w \270\256\14\11\17=\33f\0y\214\313ThY;\20\215\\212\265\23I\203~S@\177\25\25.;td&sP\231YC\34\26\352\217\255\313\263\210D@{\\353\13\30w\246\24:P_\16O0\360Aw\232\240i\302T\30\256\353w\300\31\16\341\261\203?)\211S\315\317.@\335o+\345\337\214\222Pvn\320\361\26%d=\337\214\33\305v\245J\210G\227\11[\344\3\302\24qP\363\317&\22\376\311\237\220!Q\24\310=8/\230\240\357\255\312\10"|L\230\205\262\320SH\223S\364M\324ZQ\364[\331y\347\261\202]N\375\233\30\222\27\213\223\330\273#r\317\333\260xt\332rx;\11\375@M\\255th\127\265"I\261Gs\330\261\245@b\257:s\263\177\20\300s\212\251\377\7\340\342_t\212\271\270\346\374\24\22B\253\241\370K\231\324\33\374_\10&\213^\216\316\3K*\377\3324H/\4\23\220!\10QC\262e\0\331\3\20MQ<\34\0\331AYLo\0\14q\4!\277\34E[0\23:\354\350\30GB\255\344\263JmSH\375[\372\240+\13\321H\332\312\353/`\27\246ZJ\257,\374\257\205?@\363\363?\344\273\2\1\271=\357\307}\344$\245\337\333\374\253\341\251w\246\304Y\14r\266\243\367q\277i\215\256a\250Z:\11\213\204\31\351\1UU\354\1Y\316z\340\356\202\306\200", ) |L\230\205\262\320SH\223S\364M\324ZQ\364[\331y\347\261\202]N\375\233\30\222\27\213\223\330\273#r\317\333\260xt\332rx;\11\375@M\\255th\127\265 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "Jb\257\274\332u\32\334\244zi\15S\306%\241_\223\342\0W6X\364?\204\16\263\346\300s\2\216J\261\32\236F\340\231\303n,\17\335\334\3\353r\12\300\35\11d \202\240\3259\257\11\246Y\217Q\3750\313VR\11Q\301\260c\6l\4 \346\200pp\301\375\352\207*\331@\177\3173\350-\321\23\222;\335\252:\0\230\7q|\362w \270\256\14\11\17=\33f\0y\214\313ThY;\20\215\\212\265\23I\203~S@\177\25\25.;td&sP\231YC\34\26\352\217\255\313\263\210D@{\\353\13\30w\246\24:P_\16O0\360Aw\232\240i\302T\30\256\353w\300\31\16\341\261\203?)\211S\315\317.@\335o+\345\337\214\222Pvn\320\361\26%d=\337\214\33\305v\245J\210G\227\11[\344\3\302\24qP\363\317&\22\376\311\237\220!Q\24\310=8/\230\240\357\255\312\10"|L\230\205\262\320SH\223S\364M\324ZQ\364[\331y\347\261\202]N\375\233\30\222\27\213\223\330\273#r\317\333\260xt\332rx;\11\375@M\\255th\127\265"I\261Gs\330\261\245@b\257:s\263\177\20\300s\212\251\377\7\340\342_t\212\271\270\346\374\24\22B\253\241\370K\231\324\33\374_\10&\213^\216\316\3K*\377\3324H/\4\23\220!\10QC\262e\0\331\3\20MQ<\34\0\331AYLo\0\14q\4!\277\34E[0\23:\354\350\30GB\255\344\263JmSH\375[\372\240+\13\321H\332\312\353/`\27\246ZJ\257,\374\257\205?@\363\363?\344\273\2\1\271=\357\307}\344$\245\337\333\374\253\341\251w\246\304Y\14r\266\243\367q\277i\215\256a\250Z:\11\213\204\31\351\1UU\354\1Y\316z\340\356\202\306\200", ) , ) == 0x0 00514 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_# \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 
\303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00515 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "z\2721\205?\11\330\6B;\257\22\\224,sv\224\272\2427{\36C\307M\306\6H\240$2\355=\312/\364\265\37\373.\355Y\31\351^9\353\2429\313\3775\260#\16y\355\261\12b\2\334\177\311L\34\0Y\376Q\213\355\35\337x\220\27\3510\205(e`\262\276\372\5Q\370\11\227\275\311\270\231\374\247\364\16\235W\222\375\241H\314\13-g=WL\22\217\200N\13\251_]\1\236\24\271y\16\32\223\32<\24\220V\234?kt\23|\263 \213\330\276\316\244\14\201_\304\2029\236\266\330\242%"\304U\373\302o\270"\263\267\332\260\311h\302!\5\341\25"\15\243\26\201\32\241\2466\17\322|zN\35\315\275\350\0\276\334\226\310\317\220\36\351\253\224\17s\317S\30J\314X\223\226\31G\201\330\315t\37O9\247q\317\245\21\372\232/\14"b\377\213A\36s\341g\12;\237\17\210\367\364f~\217w\356\336s\3}\260)~\214\212<_jdp\224\345r\32\301\317@\247%\345-\272\360\177\313e\13X\5\275\3KO\3556M\267un\376\347\265\12\23 \331\336\36\374&\316J\362)\22IW\36\237\347b\7\367,\204\313\363\374\5K\370\21\365\261\34\372@\325kD\3555m\305\273u\3036M!\346E\37wa\26\277\244n)\262\15\376\373\2664\1\223\35e\301\247\203\215"9^\334\273\335.$,\321\334'\370,~\326\243\4\37u\351\362/\347\202J+\34\213\223\365373\302o\270 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "z\2721\205?\11\330\6B;\257\22\\224,sv\224\272\2427{\36C\307M\306\6H\240$2\355=\312/\364\265\37\373.\355Y\31\351^9\353\2429\313\3775\260#\16y\355\261\12b\2\334\177\311L\34\0Y\376Q\213\355\35\337x\220\27\3510\205(e`\262\276\372\5Q\370\11\227\275\311\270\231\374\247\364\16\235W\222\375\241H\314\13-g=WL\22\217\200N\13\251_]\1\236\24\271y\16\32\223\32<\24\220V\234?kt\23|\263 \213\330\276\316\244\14\201_\304\2029\236\266\330\242%"\304U\373\302o\270"\263\267\332\260\311h\302!\5\341\25"\15\243\26\201\32\241\2466\17\322|zN\35\315\275\350\0\276\334\226\310\317\220\36\351\253\224\17s\317S\30J\314X\223\226\31G\201\330\315t\37O9\247q\317\245\21\372\232/\14"b\377\213A\36s\341g\12;\237\17\210\367\364f~\217w\356\336s\3}\260)~\214\212<_jdp\224\345r\32\301\317@\247%\345-\272\360\177\313e\13X\5\275\3KO\3556M\267un\376\347\265\12\23 \331\336\36\374&\316J\362)\22IW\36\237\347b\7\367,\204\313\363\374\5K\370\21\365\261\34\372@\325kD\3555m\305\273u\3036M!\346E\37wa\26\277\244n)\262\15\376\373\2664\1\223\35e\301\247\203\215"9^\334\273\335.$,\321\334'\370,~\326\243\4\37u\351\362/\347\202J+\34\213\223\36515\243\26\201\32\241\2466\17\322|zN\35\315\275\350\0\276\334\226\310\317\220\36\351\253\224\17s\317S\30J\314X\223\226\31G\201\330\315t\37O9\247q\317\245\21\372\232/\14 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, "z\2721\205?\11\330\6B;\257\22\\224,sv\224\272\2427{\36C\307M\306\6H\240$2\355=\312/\364\265\37\373.\355Y\31\351^9\353\2429\313\3775\260#\16y\355\261\12b\2\334\177\311L\34\0Y\376Q\213\355\35\337x\220\27\3510\205(e`\262\276\372\5Q\370\11\227\275\311\270\231\374\247\364\16\235W\222\375\241H\314\13-g=WL\22\217\200N\13\251_]\1\236\24\271y\16\32\223\32<\24\220V\234?kt\23|\263 \213\330\276\316\244\14\201_\304\2029\236\266\330\242%"\304U\373\302o\270"\263\267\332\260\311h\302!\5\341\25"\15\243\26\201\32\241\2466\17\322|zN\35\315\275\350\0\276\334\226\310\317\220\36\351\253\224\17s\317S\30J\314X\223\226\31G\201\330\315t\37O9\247q\317\245\21\372\232/\14"b\377\213A\36s\341g\12;\237\17\210\367\364f~\217w\356\336s\3}\260)~\214\212<_jdp\224\345r\32\301\317@\247%\345-\272\360\177\313e\13X\5\275\3KO\3556M\267un\376\347\265\12\23 \331\336\36\374&\316J\362)\22IW\36\237\347b\7\367,\204\313\363\374\5K\370\21\365\261\34\372@\325kD\3555m\305\273u\3036M!\346E\37wa\26\277\244n)\262\15\376\373\2664\1\223\35e\301\247\203\215"9^\334\273\335.$,\321\334'\370,~\326\243\4\37u\351\362/\347\202J+\34\213\223\3659^\334\273\335.$,\321\334'\370,~\326\243\4\37u\351\362/\347\202J+\34\213\223\365346\0\27p2\331\346\352\370\15\375\364\262K\367\366\22N{3(Nd\324\323\275\26\344c\17KG\17_|\263D\232\373/\260\361\311|x\12Zt\376\202N\245{\316\3028\224\34H%\1$Y\271|}c\314\0-\304\26]3Sb\354H\273\16\361\202\14\343k\2669'\", ) == 0x0 00516 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 
\242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00517 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ":\1`u\274\252\330'%\351#$O\346\0\5\2339\220`\24\35{,K_\243A\13\35_\78\352X\355\215\335\146\24\35\253\367\14!K6S\34G\237\11`\332\270Sl\12\34\35\233\37\374SE \3U\330\31\204\315\20\357E\361\20pa\345\207R/\14G\327E\201 \365\267\225;q\303\326@\20tvv\265_\34\263b\306\333n\232t\336\7H\341\310\244\220B#'w\267\365ip\302\30c\30Z(#\2469o\235\1\333h%\2711L\335 \240O74Y\30\34\217\244I\300\0\10\257&i\353\37V\3\14+BTM\200TTYo\246*\341\226\212\27\13w4\344.\31\355&^W2PH8r\1\354\2015\27\242<\344\354\365E\31\347f\34D\20I\335%Ei\333tT\271\261\33S\221^K\351\343\243\240\346R\33v\2\206\23\357\30y\376\262\334\202L\252pX]\317\2\222\10\230\367s\266X\4Y\10\374HMln.\32\6\2348\0\207"\244SWx\242]\264(\2\24:4\257\21L@\2\373\351|h2\252CpBV\300\3\366c\355\360`\270 \4J\337&\3\213B \266UO$\10EL\356\226mLd J\362\241M", ) `u\274\252\330'%\351#$O\346\0\5\2339\220`\24\35{,K_\243A\13\35_\78\352X\355\215\335\146\24\35\253\367\14!K6S\34G\237\11`\332\270Sl\12\34\35\233\37\374SE \3U\330\31\204\315\20\357E\361\20pa\345\207R/\14G\327E\201 \365\267\225;q\303\326@\20tvv\265_\34\263b\306\333n\232t\336\7H\341\310\244\220B#'w\267\365ip\302\30c\30Z(#\2469o\235\1\333h%\2711L\335 \240O74Y\30\34\217\244I\300\0\10\257&i\353\37V\3\14+BTM\200TTYo\246*\341\226\212\27\13w4\344.\31\355&^W2PH8r\1\354\2015\27\242<\344\354\365E\31\347f\34D\20I\335%Ei\333tT\271\261\33S\221^K\351\343\243\240\346R\33v\2\206\23\357\30y\376\262\334\202L\252pX]\317\2\222\10\230\367s\266X\4Y\10\374HMln.\32\6\2348\0\207 (68, 0, 0, 0, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ":\1`u\274\252\330'%\351#$O\346\0\5\2339\220`\24\35{,K_\243A\13\35_\78\352X\355\215\335\146\24\35\253\367\14!K6S\34G\237\11`\332\270Sl\12\34\35\233\37\374SE \3U\330\31\204\315\20\357E\361\20pa\345\207R/\14G\327E\201 \365\267\225;q\303\326@\20tvv\265_\34\263b\306\333n\232t\336\7H\341\310\244\220B#'w\267\365ip\302\30c\30Z(#\2469o\235\1\333h%\2711L\335 \240O74Y\30\34\217\244I\300\0\10\257&i\353\37V\3\14+BTM\200TTYo\246*\341\226\212\27\13w4\344.\31\355&^W2PH8r\1\354\2015\27\242<\344\354\365E\31\347f\34D\20I\335%Ei\333tT\271\261\33S\221^K\351\343\243\240\346R\33v\2\206\23\357\30y\376\262\334\202L\252pX]\317\2\222\10\230\367s\266X\4Y\10\374HMln.\32\6\2348\0\207"\244SWx\242]\264(\2\24:4\257\21L@\2\373\351|h2\252CpBV\300\3\366c\355\360`\270 \4J\337&\3\213B \266UO$\10EL\356\226mLd J\362\241M", ) , ) == 0x0 00518 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 
\261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00519 412 NtReadFile (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\303\174\214[S4\205\322\36?\27\231th8\10n\301R4\350r\210\251\361'|\223#\272\11y\21\264\346B\217\341h\257@\11\330I~\224F\262\263h\15=D_\301UO\374\17eEb\21\235Yxk\243oBADN\360k\21\334.\345\272\251\254a6\227/+R#\222\214{\3614\201[\355\317\301\346NB@\345\226\17v\327A\374\262y\17+\21\351\177\274\315\23}i\263\265j\277@!A\242\14\220\2026\226q\7*\13}\17\347@I\12\256\261\0T\245|=E-\221n\324!\20\376^w\360\344\214\226\11\20DxB\236L:\357\356C\342\217\247\15t\261\335ex\2038\216f\20\323\264\2\364Q\315\216\211c\376H\26\375\3016\14\177<\25\353\316M\277\117k4s\230a^\266`\22\12Y\325}C\20\202;t\5\352E\15\370\353F\357\352N\373\353:Uk?B\11Ep\20QY M_\36\10\2]\213[d\$0\6\37\353\264\11OD\246\2422i:#\0R&=\261\203\274\5\270\332\3078IT=\263\\0P\242\263]\262\260Jf\21\26bW"\234\17*\37;\235-h\20\325\\207\109\374\34$\365h5I\21\327O\4W\177T\232t45nT\247D\300\332.\24\211vc\375\214\200?0\2\245A\7\250A\215|\337\5\206\272-V:F\236\34\31u\21]Q+\22\33Cb@&\35\226C\223E\226\14\204\361,\322\351\355w\3444KHY\232\344b\16\333V\227%\304@\206\336j;\357F\210#,6U/\273){\262\236AU\27\344\3408se\315u\330\231\2;\36\30sMK\325N\241\35\322h\22\325|\237Hv\326\1q-\231\11\276x\267\226\224\223(\224P\22\374\222\230\375@\20\256_~x\357\2652\4", ) 
\234\17*\37;\235-h\20\325\\207\109\374\34$\365h5I\21\327O\4W\177T\232t45nT\247D\300\332.\24\211vc\375\214\200?0\2\245A\7\250A\215|\337\5\206\272-V:F\236\34\31u\21]Q+\22\33Cb@&\35\226C\223E\226\14\204\361,\322\351\355w\3444KHY\232\344b\16\333V\227%\304@\206\336j;\357F\210#,6U/\273){\262\236AU\27\344\3408se\315u\330\231\2;\36\30sMK\325N\241\35\322h\22\325|\237Hv\326\1q-\231\11\276x\267\226\224\223(\224P\22\374\222\230\375@\20\256_~x\357\2652\4", ) == 0x0 00520 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... 
{status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 
@\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0 00521 412 NtReadFile (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, (68, 0, 0, 0, 2048, 0x0, 0, ... 
{status=0x0, info=2048}, "\31\4$\0\11\4$\0=\24$\0-\24$\0\275&$\0\255&$\0]%$\0U%$\0M%$\0E%$\0}%$\0u%$\0m%$\0e%$\0\35%$\0\25%$\0\371%$\0\355%$\0\201%$\0E$$\0\11$$\0\361$$\0\211$$\0I#$\0\311#$\0\261#$\0\335!$\0\251 $\0i?$\0M>$\0\371>$\0-<$\0%:$\0\358$\0q7$\0\2217$\0\216$\0\3216$\0%5$\0\3055$\0\2315$\0\2515$\0\301\14!\0\271\14!\0\216f#\0\262f#\0[e#\0Ce#\0me#\0\27e#\00e#\0\335e#\0\371e#\0\340e#\0\215e#\0\261e#\0\247e#\0Kd#\0qd#\0\30d#\0\11d#\0$d#\0\317d#\0\356d#\0\210d#\0\241d#\0Bc#\0\23c#\06c#\0\313c#\0\230c#\0\270c#\0]b#\0`b#\0>b#\0%b#\0\313b#\0\363b#\0\231b#\0\217b#\0\265b#\0Xa#\0Ca#\0va#\0\35a#\0\7a#\0 a#\0\335a#\0\323a#\0\312a#\0\306a#\0EO2\0NO=\0MO<\0LO>\0]O'\0QO#\0_O!\0rO?\0DO:\0}O\4\0qO\16\0pO\5\0zO\6\0FO\1\0\177O\3\0JO5\0KO(\0IO*\0VO)\0RO.\0PO\10\0YO&\0XO\12\0tO$\0YO$\0YO$\0YO$@}7T$h}jm,+T@\15\1iU\35\37$@}7T$hzjm", ) , ) == 0x0 00522 412 NtWriteFile (80, 0, 0, 0, (80, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0 00523 412 NtClose (80, ... ) == 0x0 00524 412 NtClose (68, ... ) == 0x0 00525 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0 00526 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00527 412 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0 00528 412 NtClose (68, ... 
) == 0x0 00529 412 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0 00530 412 NtClose (80, ... ) == 0x0 00531 412 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00532 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0 00533 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0 00534 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00535 412 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0 00536 412 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00537 412 NtClose (80, ... ) == 0x0 00538 412 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE 00539 412 NtMapViewOfSection (68, -1, (0x860000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 00540 412 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 00541 412 NtClose (68, ... ) == 0x0 00542 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 8, ) == 0x0 00543 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 8, ... (0x8d2000), 4096, 4, ) == 0x0 00544 412 NtFlushInstructionCache (-1, 9248768, 4096, ... ) == 0x0 00545 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00546 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00547 412 NtFlushInstructionCache (-1, 9248768, 4096, ... ) == 0x0 00548 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 68, ) }, ... 
68, ) == 0x0 00549 412 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00550 412 NtClose (68, ... ) == 0x0 00551 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00552 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00553 412 NtFlushInstructionCache (-1, 9248768, 4096, ... ) == 0x0 00554 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00555 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00556 412 NtFlushInstructionCache (-1, 9248768, 4096, ... ) == 0x0 00557 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 68, ) }, ... 68, ) == 0x0 00558 412 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00559 412 NtClose (68, ... ) == 0x0 00560 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00561 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00562 412 NtFlushInstructionCache (-1, 9248768, 4096, ... ) == 0x0 00563 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00564 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00565 412 NtFlushInstructionCache (-1, 9248768, 4096, ... ) == 0x0 00566 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00567 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00568 412 NtFlushInstructionCache (-1, 9248768, 4096, ... ) == 0x0 00569 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00570 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00571 412 NtFlushInstructionCache (-1, 9248768, 4096, ... 
) == 0x0 00572 412 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00573 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00574 412 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0 00576 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00577 412 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0 00578 412 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00579 412 NtClose (68, ... ) == 0x0 00580 412 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00581 412 NtClose (80, ... ) == 0x0 00582 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00583 412 NtProtectVirtualMemory (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0 00584 412 NtFlushInstructionCache (-1, 9248768, 4096, ... ) == 0x0 00585 412 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {408, 0}, ... 80, ) == 0x0 00586 412 NtQueryInformationProcess (80, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00587 412 NtClose (80, ... ) == 0x0 00588 412 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00589 412 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00590 412 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00591 412 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 
80, ) }, ... 80, ) == 0x0 00592 412 NtQueryValueKey (80, (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00593 412 NtClose (80, ... ) == 0x0 00594 412 NtUserSystemParametersInfo (41, 500, 1242460, 0, ... ) == 0x1 00595 412 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00596 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00597 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00598 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03b 00599 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00600 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03d 00601 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00602 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00603 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03f 00604 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00605 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00606 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc041 00607 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00608 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00609 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc043 00610 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00611 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc045 00612 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00613 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... 
) == 0x10011 00614 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc047 00615 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00616 412 NtUserFindExistingCursorIcon (1242248, 1242264, 1242832, ... ) == 0x10011 00617 412 NtUserRegisterClassExWOW (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810dc049 00618 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00619 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00620 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04b 00621 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00622 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00623 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04d 00624 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00625 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00626 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04f 00627 412 NtUserGetClassInfo (1999896576, 1242872, 1242824, 1242900, 0, ... ) == 0x0 00628 412 NtUserRegisterClassExWOW (1242708, 1242788, 1242772, 1242804, 0, 384, 0, ... ) == 0x810dc051 00629 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00630 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00631 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc053 00632 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00633 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00634 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... 
) == 0x810dc055 00635 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc057 00636 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00637 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00638 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc059 00639 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00640 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10013 00641 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05b 00642 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00643 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00644 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05d 00645 412 NtUserGetClassInfo (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0 00646 412 NtUserFindExistingCursorIcon (1242252, 1242268, 1242836, ... ) == 0x10011 00647 412 NtUserRegisterClassExWOW (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05f 00648 412 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0 00649 412 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00650 412 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0 00651 412 NtNotifyChangeKey (84, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00652 412 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00653 412 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0 00654 412 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0 00655 412 NtUserCallOneParam (0, 40, ... ) == 0x4 00656 412 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 
1355776, 4096, ) == 0x0 00657 412 NtQueryVirtualMemory (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 00658 412 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00659 412 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 1, ... 9371648, 1048576, ) == 0x0 00660 412 NtAllocateVirtualMemory (-1, 9371648, 0, 16384, 4096, 4, ... 9371648, 16384, ) == 0x0 00661 412 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00662 412 NtQuerySystemInformation (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0 00663 412 NtOpenKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00664 412 NtOpenKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00665 412 NtOpenProcessToken (-1, 0x8, ... 96, ) == 0x0 00666 412 NtQueryInformationToken (96, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00667 412 NtClose (96, ... ) == 0x0 00668 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00669 412 NtReleaseMutant (16, ... 00670 412 NtContinue (-130973560, 0, ... 00669 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00671 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00672 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00673 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00674 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00675 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00676 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\hka1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00677 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00678 412 NtReleaseMutant (16, ... 00679 412 NtContinue (-130973560, 0, ... 00678 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00680 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00681 412 NtReleaseMutant (16, ... 00682 412 NtContinue (-130973560, 0, ... 00681 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00683 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00684 412 NtReleaseMutant (16, ... 00685 412 NtContinue (-130973560, 0, ... 00684 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00686 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00687 412 NtReleaseMutant (16, ... 00688 412 NtContinue (-130973560, 0, ... 00687 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00689 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00690 412 NtReleaseMutant (16, ... 00691 412 NtContinue (-130973560, 0, ... 00690 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00692 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00693 412 NtReleaseMutant (16, ... 00694 412 NtContinue (-130973560, 0, ... 00693 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00695 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00696 412 NtReleaseMutant (16, ... 
00697 412 NtContinue (-130973560, 0, ... 00696 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00698 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00699 412 NtReleaseMutant (16, ... 00700 412 NtContinue (-130973560, 0, ... 00699 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00701 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00702 412 NtReleaseMutant (16, ... 00703 412 NtContinue (-130973560, 0, ... 00702 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00704 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00705 412 NtReleaseMutant (16, ... 00706 412 NtContinue (-130973560, 0, ... 00705 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00707 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00708 412 NtReleaseMutant (16, ... 00709 412 NtContinue (-130973560, 0, ... 00708 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00710 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00711 412 NtReleaseMutant (16, ... 00712 412 NtContinue (-130973560, 0, ... 00711 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00713 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00714 412 NtReleaseMutant (16, ... 00715 412 NtContinue (-130973560, 0, ... 00714 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00716 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00717 412 NtReleaseMutant (16, ... 00718 412 NtContinue (-130973560, 0, ... 00717 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00719 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00720 412 NtReleaseMutant (16, ... 00721 412 NtContinue (-130973560, 0, ... 00720 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00722 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00723 412 NtReleaseMutant (16, ... 00724 412 NtContinue (-130973560, 0, ... 00723 412 NtReleaseMutant ... 
) == STATUS_MUTANT_NOT_OWNED 00725 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00726 412 NtReleaseMutant (16, ... 00727 412 NtContinue (-130973560, 0, ... 00726 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00728 412 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00729 412 NtReleaseMutant (16, ... 00730 412 NtContinue (-130973560, 0, ... 00729 412 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00731 412 NtCreateEvent (0x1f0003, 0x0, 0, -1, ... 96, ) == 0x0 00732 412 NtUserGetDC (0, ... ) == 0x1010053 00733 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00734 412 NtUserGetDC (0, ... ) == 0x1010053 00735 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00736 412 NtGdiCreatePaletteInternal (1241872, 16, ... ) == 0x1608040b 00737 412 NtGdiGetStockObject (7, ... ) == 0x1b00017 00738 412 NtGdiGetStockObject (5, ... ) == 0x1900015 00739 412 NtUserFindExistingCursorIcon (1242268, 1242284, 1242852, ... ) == 0x10003 00740 412 NtAddAtom ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\09\08\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0 00741 412 NtAddAtom ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\08\06\00\00\00\00\00\00\00\00\00\01\09\0C\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0 00742 412 NtUserSystemParametersInfo (104, 0, 9376892, 0, ... ) == 0x1 00743 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10011 00744 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10023 00745 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00746 412 NtUserGetDC (0, ... ) == 0x1010053 00747 412 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x80503d6 00748 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00749 412 NtGdiSelectBitmap (352388034, 134546390, ... ) == 0x185000f 00750 412 NtGdiGetDCforBitmap (134546390, ... ) == 0x150103c2 00751 412 NtGdiSaveDC (352388034, ... 
) == 0x1 00752 412 NtGdiSelectBitmap (352388034, 134546390, ... ) == 0x80503d6 00753 412 NtGdiGetDCObject (352388034, 524288, ... ) == 0x188000b 00754 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00755 412 NtGdiSetDIBitsToDeviceInternal (352388034, 0, 0, 32, 64, 0, 0, 0, 64, 9188876, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00756 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00757 412 NtGdiSelectBitmap (352388034, 134546390, ... ) == 0x80503d6 00758 412 NtGdiRestoreDC (352388034, -1, ... ) == 0x1 00759 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x80503d6 00760 412 NtGdiCreateCompatibleDC (352388034, ... ) == 0x2c01040d 00761 412 NtGdiExtGetObjectW (134546390, 24, 1241324, ... ) == 0x18 00762 412 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x1505040a 00763 412 NtGdiSelectBitmap (352388034, 134546390, ... ) == 0x185000f 00764 412 NtGdiSelectBitmap (738264077, 352650250, ... ) == 0x185000f 00765 412 NtGdiBitBlt (738264077, 0, 0, 32, 64, 352388034, 0, 0, 13369376, -1, 0, ... ) == 0x1 00766 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x80503d6 00767 412 NtGdiSelectBitmap (738264077, 25493519, ... ) == 0x1505040a 00768 412 NtGdiDeleteObjectApp (134546390, ... ) == 0x1 00769 412 NtGdiDeleteObjectApp (738264077, ... ) == 0x1 00770 412 NtUserCallOneParam (0, 33, ... ) == 0x3004d 00771 412 NtUserSetCursorIconData (196685, 1241432, 1241448, 1242028, ... ) == 0x1 00772 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10029 00773 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10027 00774 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10025 00775 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00776 412 NtUserGetDC (0, ... ) == 0x1010053 00777 412 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xc0503cb 00778 412 NtUserCallOneParam (16842835, 56, ... 
) == 0x1 00779 412 NtGdiSelectBitmap (352388034, 201655243, ... ) == 0x185000f 00780 412 NtGdiGetDCforBitmap (201655243, ... ) == 0x150103c2 00781 412 NtGdiSaveDC (352388034, ... ) == 0x1 00782 412 NtGdiSelectBitmap (352388034, 201655243, ... ) == 0xc0503cb 00783 412 NtGdiGetDCObject (352388034, 524288, ... ) == 0x188000b 00784 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00785 412 NtGdiSetDIBitsToDeviceInternal (352388034, 0, 0, 32, 64, 0, 0, 0, 64, 9189184, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00786 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00787 412 NtGdiSelectBitmap (352388034, 201655243, ... ) == 0xc0503cb 00788 412 NtGdiRestoreDC (352388034, -1, ... ) == 0x1 00789 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0xc0503cb 00790 412 NtGdiCreateCompatibleDC (352388034, ... ) == 0xa0103d6 00791 412 NtGdiExtGetObjectW (201655243, 24, 1241324, ... ) == 0x18 00792 412 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x1b050404 00793 412 NtGdiSelectBitmap (352388034, 201655243, ... ) == 0x185000f 00794 412 NtGdiSelectBitmap (167838678, 453313540, ... ) == 0x185000f 00795 412 NtGdiBitBlt (167838678, 0, 0, 32, 64, 352388034, 0, 0, 13369376, -1, 0, ... ) == 0x1 00796 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0xc0503cb 00797 412 NtGdiSelectBitmap (167838678, 25493519, ... ) == 0x1b050404 00798 412 NtGdiDeleteObjectApp (201655243, ... ) == 0x1 00799 412 NtGdiDeleteObjectApp (167838678, ... ) == 0x1 00800 412 NtUserCallOneParam (0, 33, ... ) == 0x2006b 00801 412 NtUserSetCursorIconData (131179, 1241432, 1241448, 1242028, ... ) == 0x1 00802 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00803 412 NtUserGetDC (0, ... ) == 0x1010053 00804 412 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x2e05040d 00805 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00806 412 NtGdiSelectBitmap (352388034, 772080653, ... 
) == 0x185000f 00807 412 NtGdiGetDCforBitmap (772080653, ... ) == 0x150103c2 00808 412 NtGdiSaveDC (352388034, ... ) == 0x1 00809 412 NtGdiSelectBitmap (352388034, 772080653, ... ) == 0x2e05040d 00810 412 NtGdiGetDCObject (352388034, 524288, ... ) == 0x188000b 00811 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00812 412 NtGdiSetDIBitsToDeviceInternal (352388034, 0, 0, 32, 64, 0, 0, 0, 64, 9189492, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00813 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00814 412 NtGdiSelectBitmap (352388034, 772080653, ... ) == 0x2e05040d 00815 412 NtGdiRestoreDC (352388034, -1, ... ) == 0x1 00816 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x2e05040d 00817 412 NtGdiCreateCompatibleDC (352388034, ... ) == 0xe0103cb 00818 412 NtGdiExtGetObjectW (772080653, 24, 1241324, ... ) == 0x18 00819 412 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xe0503ff 00820 412 NtGdiSelectBitmap (352388034, 772080653, ... ) == 0x185000f 00821 412 NtGdiSelectBitmap (234947531, 235209727, ... ) == 0x185000f 00822 412 NtGdiBitBlt (234947531, 0, 0, 32, 64, 352388034, 0, 0, 13369376, -1, 0, ... ) == 0x1 00823 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x2e05040d 00824 412 NtGdiSelectBitmap (234947531, 25493519, ... ) == 0xe0503ff 00825 412 NtGdiDeleteObjectApp (772080653, ... ) == 0x1 00826 412 NtGdiDeleteObjectApp (234947531, ... ) == 0x1 00827 412 NtUserCallOneParam (0, 33, ... ) == 0x2006d 00828 412 NtUserSetCursorIconData (131181, 1241432, 1241448, 1242028, ... ) == 0x1 00829 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00830 412 NtUserGetDC (0, ... ) == 0x1010053 00831 412 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0xc0503d6 00832 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00833 412 NtGdiSelectBitmap (352388034, 201655254, ... ) == 0x185000f 00834 412 NtGdiGetDCforBitmap (201655254, ... 
) == 0x150103c2 00835 412 NtGdiSaveDC (352388034, ... ) == 0x1 00836 412 NtGdiSelectBitmap (352388034, 201655254, ... ) == 0xc0503d6 00837 412 NtGdiGetDCObject (352388034, 524288, ... ) == 0x188000b 00838 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00839 412 NtGdiSetDIBitsToDeviceInternal (352388034, 0, 0, 32, 64, 0, 0, 0, 64, 9189800, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00840 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00841 412 NtGdiSelectBitmap (352388034, 201655254, ... ) == 0xc0503d6 00842 412 NtGdiRestoreDC (352388034, -1, ... ) == 0x1 00843 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0xc0503d6 00844 412 NtGdiCreateCompatibleDC (352388034, ... ) == 0x3001040d 00845 412 NtGdiExtGetObjectW (201655254, 24, 1241324, ... ) == 0x18 00846 412 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xa050407 00847 412 NtGdiSelectBitmap (352388034, 201655254, ... ) == 0x185000f 00848 412 NtGdiSelectBitmap (805372941, 168100871, ... ) == 0x185000f 00849 412 NtGdiBitBlt (805372941, 0, 0, 32, 64, 352388034, 0, 0, 13369376, -1, 0, ... ) == 0x1 00850 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0xc0503d6 00851 412 NtGdiSelectBitmap (805372941, 25493519, ... ) == 0xa050407 00852 412 NtGdiDeleteObjectApp (201655254, ... ) == 0x1 00853 412 NtGdiDeleteObjectApp (805372941, ... ) == 0x1 00854 412 NtUserCallOneParam (0, 33, ... ) == 0x40067 00855 412 NtUserSetCursorIconData (262247, 1241432, 1241448, 1242028, ... ) == 0x1 00856 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00857 412 NtUserGetDC (0, ... ) == 0x1010053 00858 412 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x100503cb 00859 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00860 412 NtGdiSelectBitmap (352388034, 268764107, ... ) == 0x185000f 00861 412 NtGdiGetDCforBitmap (268764107, ... ) == 0x150103c2 00862 412 NtGdiSaveDC (352388034, ... 
) == 0x1 00863 412 NtGdiSelectBitmap (352388034, 268764107, ... ) == 0x100503cb 00864 412 NtGdiGetDCObject (352388034, 524288, ... ) == 0x188000b 00865 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00866 412 NtGdiSetDIBitsToDeviceInternal (352388034, 0, 0, 32, 64, 0, 0, 0, 64, 9190108, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00867 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00868 412 NtGdiSelectBitmap (352388034, 268764107, ... ) == 0x100503cb 00869 412 NtGdiRestoreDC (352388034, -1, ... ) == 0x1 00870 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x100503cb 00871 412 NtGdiCreateCompatibleDC (352388034, ... ) == 0xe0103d6 00872 412 NtGdiExtGetObjectW (268764107, 24, 1241324, ... ) == 0x18 00873 412 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0xb050408 00874 412 NtGdiSelectBitmap (352388034, 268764107, ... ) == 0x185000f 00875 412 NtGdiSelectBitmap (234947542, 184878088, ... ) == 0x185000f 00876 412 NtGdiBitBlt (234947542, 0, 0, 32, 64, 352388034, 0, 0, 13369376, -1, 0, ... ) == 0x1 00877 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x100503cb 00878 412 NtGdiSelectBitmap (234947542, 25493519, ... ) == 0xb050408 00879 412 NtGdiDeleteObjectApp (268764107, ... ) == 0x1 00880 412 NtGdiDeleteObjectApp (234947542, ... ) == 0x1 00881 412 NtUserCallOneParam (0, 33, ... ) == 0x400a7 00882 412 NtUserSetCursorIconData (262311, 1241432, 1241448, 1242028, ... ) == 0x1 00883 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00884 412 NtUserGetDC (0, ... ) == 0x1010053 00885 412 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x3205040d 00886 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00887 412 NtGdiSelectBitmap (352388034, 839189517, ... ) == 0x185000f 00888 412 NtGdiGetDCforBitmap (839189517, ... ) == 0x150103c2 00889 412 NtGdiSaveDC (352388034, ... ) == 0x1 00890 412 NtGdiSelectBitmap (352388034, 839189517, ... 
) == 0x3205040d 00891 412 NtGdiGetDCObject (352388034, 524288, ... ) == 0x188000b 00892 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00893 412 NtGdiSetDIBitsToDeviceInternal (352388034, 0, 0, 32, 64, 0, 0, 0, 64, 9190724, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00894 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00895 412 NtGdiSelectBitmap (352388034, 839189517, ... ) == 0x3205040d 00896 412 NtGdiRestoreDC (352388034, -1, ... ) == 0x1 00897 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x3205040d 00898 412 NtGdiCreateCompatibleDC (352388034, ... ) == 0x120103cb 00899 412 NtGdiExtGetObjectW (839189517, 24, 1241324, ... ) == 0x18 00900 412 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x8050405 00901 412 NtGdiSelectBitmap (352388034, 839189517, ... ) == 0x185000f 00902 412 NtGdiSelectBitmap (302056395, 134546437, ... ) == 0x185000f 00903 412 NtGdiBitBlt (302056395, 0, 0, 32, 64, 352388034, 0, 0, 13369376, -1, 0, ... ) == 0x1 00904 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x3205040d 00905 412 NtGdiSelectBitmap (302056395, 25493519, ... ) == 0x8050405 00906 412 NtGdiDeleteObjectApp (839189517, ... ) == 0x1 00907 412 NtGdiDeleteObjectApp (302056395, ... ) == 0x1 00908 412 NtUserCallOneParam (0, 33, ... ) == 0x300a5 00909 412 NtUserSetCursorIconData (196773, 1241432, 1241448, 1242028, ... ) == 0x1 00910 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x0 00911 412 NtUserGetDC (0, ... ) == 0x1010053 00912 412 NtGdiCreateDIBitmapInternal (16842835, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x100503d6 00913 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00914 412 NtGdiSelectBitmap (352388034, 268764118, ... ) == 0x185000f 00915 412 NtGdiGetDCforBitmap (268764118, ... ) == 0x150103c2 00916 412 NtGdiSaveDC (352388034, ... ) == 0x1 00917 412 NtGdiSelectBitmap (352388034, 268764118, ... ) == 0x100503d6 00918 412 NtGdiGetDCObject (352388034, 524288, ... 
) == 0x188000b 00919 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00920 412 NtGdiSetDIBitsToDeviceInternal (352388034, 0, 0, 32, 64, 0, 0, 0, 64, 9190416, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40 00921 412 NtUserSelectPalette (352388034, 25690123, 0, ... ) == 0x188000b 00922 412 NtGdiSelectBitmap (352388034, 268764118, ... ) == 0x100503d6 00923 412 NtGdiRestoreDC (352388034, -1, ... ) == 0x1 00924 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x100503d6 00925 412 NtGdiCreateCompatibleDC (352388034, ... ) == 0x3401040d 00926 412 NtGdiExtGetObjectW (268764118, 24, 1241324, ... ) == 0x18 00927 412 NtGdiCreateBitmap (32, 64, 1, 1, 0, ... ) == 0x8050406 00928 412 NtGdiSelectBitmap (352388034, 268764118, ... ) == 0x185000f 00929 412 NtGdiSelectBitmap (872481805, 134546438, ... ) == 0x185000f 00930 412 NtGdiBitBlt (872481805, 0, 0, 32, 64, 352388034, 0, 0, 13369376, -1, 0, ... ) == 0x1 00931 412 NtGdiSelectBitmap (352388034, 25493519, ... ) == 0x100503d6 00932 412 NtGdiSelectBitmap (872481805, 25493519, ... ) == 0x8050406 00933 412 NtGdiDeleteObjectApp (268764118, ... ) == 0x1 00934 412 NtGdiDeleteObjectApp (872481805, ... ) == 0x1 00935 412 NtUserCallOneParam (0, 33, ... ) == 0x300a3 00936 412 NtUserSetCursorIconData (196771, 1241432, 1241448, 1242028, ... ) == 0x1 00937 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10015 00938 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10019 00939 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x1001f 00940 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x1001b 00941 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10021 00942 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x1001d 00943 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10013 00944 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... 
) == 0x10017 00945 412 NtUserFindExistingCursorIcon (1242152, 1242168, 1242736, ... ) == 0x10011 00946 412 NtUserCallOneParam (0, 39, ... ) == 0x4090409 00947 412 NtUserGetDC (0, ... ) == 0x1010053 00948 412 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00949 412 NtUserEnumDisplayMonitors (0, 0, 8913508, 9377472, ... ) == 0x1 00950 412 NtUserSystemParametersInfo (31, 60, 1241588, 0, ... ) == 0x1 00951 412 NtGdiHfontCreate (1241984, 356, 0, 0, 1344496, ... ) == 0x350a040d 00952 412 NtGdiExtGetObjectW (889848845, 420, 1241808, ... ) == 0x164 00953 412 NtUserSystemParametersInfo (41, 0, 1241788, 0, ... ) == 0x1 00954 412 NtGdiHfontCreate (1241984, 356, 0, 0, 1344488, ... ) == 0x140a03cb 00955 412 NtGdiExtGetObjectW (336200651, 420, 1241808, ... ) == 0x164 00956 412 NtGdiHfontCreate (1241984, 356, 0, 0, 1344480, ... ) == 0x110a03d6 00957 412 NtGdiExtGetObjectW (285869014, 420, 1241808, ... ) == 0x164 00958 412 NtUserFindExistingCursorIcon (1241896, 1241912, 1242480, ... ) == 0x0 00959 412 NtAllocateVirtualMemory (-1, 0, 0, 4096, 4096, 64, ... 8650752, 4096, ) == 0x0 00960 412 NtUserGetKeyboardLayoutList (64, 1242468, ... ) == 0x1 00961 412 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 00962 412 NtUserRegisterWindowMessage ( ("Delphi Picture", ... ) , ... ) == 0xc0cc 00963 412 NtUserRegisterWindowMessage ( ("Delphi Component", ... ) , ... ) == 0xc0cd 00964 412 NtOpenMutant (0x1f0001, {24, 52, 0x0, 0, 0, (0x1f0001, {24, 52, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 412 NtUserSetWindowsHookEx (8781824, 1243796, 0, 4, 8789692, 2, ... ) == 0x200a1 00966 412 NtOpenFile (0x10080, {24, 12, 0x40, 0, 0, (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00967 412 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "uterm13.2i"}, 1, ... 100, ) }, 1, ... 100, ) == 0x0 00968 412 NtOpenProcessToken (-1, 0x20, ... 
104, ) == 0x0 00969 412 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00970 412 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 412 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 108, ) }, ... 108, ) == 0x0 00972 412 NtQueryValueKey (108, (108, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00973 412 NtClose (108, ... ) == 0x0 00974 412 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 412 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 00976 412 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0 00977 412 NtQuerySystemTime (... {2011338294, 29868086}, ) == 0x0 00978 412 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0 00979 412 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00980 412 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00981 412 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00982 412 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00983 412 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00984 412 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
124, ) == 0x0 00985 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 128, ) }, ... 128, ) == 0x0 00986 412 NtOpenKey (0x20019, {24, 128, 0x40, 0, 0, (0x20019, {24, 128, 0x40, 0, 0, "ActiveComputerName"}, ... 132, ) }, ... 132, ) == 0x0 00987 412 NtQueryValueKey (132, (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00988 412 NtClose (132, ... ) == 0x0 00989 412 NtClose (128, ... ) == 0x0 00990 412 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 128, ) == 0x0 00991 412 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 132, ) == 0x0 00992 412 NtDuplicateObject (-1, 128, -1, 0x0, 0, 2, ... 136, ) == 0x0 00993 412 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 00994 412 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00995 412 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0 00996 412 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00997 412 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00998 412 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243248, (0xc0100080, {24, 0, 0x40, 0, 1243248, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 00999 412 NtSetInformationFile (144, 1243304, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01000 412 NtSetInformationFile (144, 1243296, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01001 412 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01002 412 NtWriteFile (144, 121, 0, 0, (144, 121, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01003 412 NtReadFile (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\207\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01004 412 NtFsControlFile (144, 121, 0x0, 0x0, 0x11c017, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\207\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\207\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01005 412 NtFsControlFile (144, 121, 0x0, 0x0, 0x11c017, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\240k\256\262),\334\21\261\306\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\240k\256\262),\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\240k\256\262),\334\21\261\306\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\240k\256\262),\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\240k\256\262),\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103 01006 412 NtFsControlFile (144, 121, 0x0, 0x0, 0x11c017, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240k\256\262),\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240k\256\262),\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01007 412 NtClose (140, ... ) == 0x0 01008 412 NtClose (144, ... ) == 0x0 01009 412 NtAdjustPrivilegesToken (104, 0, 1245084, 16, 0, 0, ... ) == 0x0 01010 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01011 412 NtQueryValueKey (144, (144, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01012 412 NtClose (144, ... ) == 0x0 01013 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 
144, ) }, ... 144, ) == 0x0 01014 412 NtQueryValueKey (144, (144, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01015 412 NtClose (144, ... ) == 0x0 01016 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01017 412 NtQueryValueKey (144, (144, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01018 412 NtClose (144, ... ) == 0x0 01019 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01020 412 NtQueryValueKey (144, (144, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01021 412 NtClose (144, ... ) == 0x0 01022 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01023 412 NtQueryValueKey (144, (144, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01024 412 NtClose (144, ... ) == 0x0 01025 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01026 412 NtQueryValueKey (144, (144, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01027 412 NtClose (144, ... ) == 0x0 01028 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01029 412 NtQueryValueKey (144, (144, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01030 412 NtClose (144, ... ) == 0x0 01031 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 
144, ) }, ... 144, ) == 0x0 01032 412 NtQueryValueKey (144, (144, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01033 412 NtClose (144, ... ) == 0x0 01034 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01035 412 NtQueryValueKey (144, (144, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01036 412 NtClose (144, ... ) == 0x0 01037 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01038 412 NtQueryValueKey (144, (144, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01039 412 NtClose (144, ... ) == 0x0 01040 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01041 412 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01042 412 NtSetInformationFile (-2147482808, -130972636, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01043 412 NtSetInformationFile (-2147482808, -130973108, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01041 412 NtCreateKey ... 144, 1, ) == 0x0 01044 412 NtSetValueKey (144, (144, "ID", 0, 1, "i\0r\0s\0p\0b\0o\0v\0u\0a\0b\0l\0d\0v\0r\0i\0k\0m\0\0\0", 36, ... ) , 0, 1, (144, "ID", 0, 1, "i\0r\0s\0p\0b\0o\0v\0u\0a\0b\0l\0d\0v\0r\0i\0k\0m\0\0\0", 36, ... ) , 36, ... ) == 0x0 01045 412 NtClose (144, ... ) == 0x0 01046 412 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0 01047 412 NtQueryValueKey (144, (144, "System Update", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01048 412 NtClose (144, ... ) == 0x0 01049 412 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 144, 2, ) }, 0, 0x0, 0, ... 144, 2, ) == 0x0 01050 412 NtSetValueKey (144, (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1, (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0 01051 412 NtClose (144, ... ) == 0x0 01052 412 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243520, (0x80100080, {24, 0, 0x40, 0, 1243520, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 01053 412 NtQueryInformationFile (144, 1244456, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01054 412 NtQueryInformationFile (144, 1244428, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01055 412 NtQueryInformationFile (144, 1244380, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01056 412 NtAllocateVirtualMemory (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0 01057 412 NtQueryInformationFile (144, 1371664, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01058 412 NtQueryInformationFile (144, 1242924, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01059 412 NtQueryInformationFile (144, 1242768, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01060 412 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1242776, (0x40110080, {24, 0, 0x40, 0, 1242776, "\??\C:\WINDOWS\System32\blbqgy.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01061 412 NtClose (-2147482208, ... ) == 0x0 01060 412 NtCreateFile ... 140, {status=0x0, info=2}, ) == 0x0 01062 412 NtQueryVolumeInformationFile (140, 1242148, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01063 412 NtQueryInformationFile (140, 1242108, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01064 412 NtQueryVolumeInformationFile (144, 1242148, 536, Attribute, ... 
{status=0x0, info=20}, ) == 0x0 01065 412 NtQueryVolumeInformationFile (144, 1241832, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01066 412 NtSetInformationFile (140, 1241936, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01067 412 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 144, ... 148, ) == 0x0 01068 412 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9f0000), {0, 0}, 192512, ) == 0x0 01069 412 NtClose (148, ... ) == 0x0 01070 412 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211\3504\210\315\211Z\333\315\211Z\333\315\211Z\333N\225T\333\317\211Z\333%\226^\333\317\211Z\333\315\211Z\333\313\211Z\333\315\211[\333\257\211Z\333\257\226I\333\304\211Z\333%\226Q\333\307\211Z\333Rich\315\211Z\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0]'\323@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0P1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01071 412 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "z!F\336o\1\203[\374\30\322\337\203BX\225\370!\331\16\354\331}<\10\6\37R\375H\363\10l\266\335?\215\30z@\300Q\310sE\330z\350\214\10\257\177\305\6\15Z'\7U+4\332(P\23\14b\30\24CQ\312\61I\23\1\23y^6r\314S\244\23Mjw\311\14Z2Ek\333(\27AK\354\21\221V>\1\221K\354\33EO\354\21\221R:\|\30\355\37yn\354Tk\332\6#x\34\355\4}j\4Gy\\2'yH\4\7qf\4\7yH\16+yL\4\7ub\260L|L\12/X} ri~$2X}\263\=%2mzqr]=\227]\207 \310av\316\277Q\207\36\17\351\257+\11\20B,\34m\351\356\311}\305\330\377Z*\210\1\17=\232\253\314\33\365\21\306\372\13\20\345\235\273\261U@,I\26\2174,5\266;\364\230\256&\315\203\35\202*}\320\177\20\332\376\34r4?\37+g\376\20\10?\22.\10\24\132\250s\16h\11P\262\246\340\234E\13\20586\7\202\366\376\200T\257\10\244\267V#<\201Y\7X\14\347-4\305;&\214\337S\207\13X\210C\216\1287\354\333\372\205"7\36\207"\14\\216\323\16*Nd_\271hG3\221\204&]^\223 \257\\256.p6X\271\12\257\251\266=J_-3\372#]\21I\321\334\235\21\3545\16)\234Ac:Z\361\222\325@bk*:\27\3@@eM\317\245*E\340\2264A\264\237\206\17\222^\263\262!|Z\300K\15\254\373\353;-d4\15'p\230\31-\333\27J\311\260\257=]\12P\25(\12\231\177\322bSCk\310\364\26\226}Lo\2\235I\245\232\362|a\346\341\37O0t\367\223\35Sl(\16v\310b\34\331\275", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) 7\36\207 (140, 0, 0, 0, "z!F\336o\1\203[\374\30\322\337\203BX\225\370!\331\16\354\331}<\10\6\37R\375H\363\10l\266\335?\215\30z@\300Q\310sE\330z\350\214\10\257\177\305\6\15Z'\7U+4\332(P\23\14b\30\24CQ\312\61I\23\1\23y^6r\314S\244\23Mjw\311\14Z2Ek\333(\27AK\354\21\221V>\1\221K\354\33EO\354\21\221R:\|\30\355\37yn\354Tk\332\6#x\34\355\4}j\4Gy\\2'yH\4\7qf\4\7yH\16+yL\4\7ub\260L|L\12/X} ri~$2X}\263\=%2mzqr]=\227]\207 \310av\316\277Q\207\36\17\351\257+\11\20B,\34m\351\356\311}\305\330\377Z*\210\1\17=\232\253\314\33\365\21\306\372\13\20\345\235\273\261U@,I\26\2174,5\266;\364\230\256&\315\203\35\202*}\320\177\20\332\376\34r4?\37+g\376\20\10?\22.\10\24\132\250s\16h\11P\262\246\340\234E\13\20586\7\202\366\376\200T\257\10\244\267V#<\201Y\7X\14\347-4\305;&\214\337S\207\13X\210C\216\1287\354\333\372\205"7\36\207"\14\\216\323\16*Nd_\271hG3\221\204&]^\223 \257\\256.p6X\271\12\257\251\266=J_-3\372#]\21I\321\334\235\21\3545\16)\234Ac:Z\361\222\325@bk*:\27\3@@eM\317\245*E\340\2264A\264\237\206\17\222^\263\262!|Z\300K\15\254\373\353;-d4\15'p\230\31-\333\27J\311\260\257=]\12P\25(\12\231\177\322bSCk\310\364\26\226}Lo\2\235I\245\232\362|a\346\341\37O0t\367\223\35Sl(\16v\310b\34\331\275", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 01072 412 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "\216\346\272\307\265<\346D%\0AE\22Ns?Y~\257Zm\376S\256'\322\20\216\\212_\37\233G&_\21\14L\246\316\236\276\266\266\325]W8 }\207\34T\210|\365\227RF\235d\347\2110\14?'\2650\244\331\265\275_\31\364,\316\277\4\5\24\201\277\321x#!\305S\374\304\3566\331\266\227\213\2275,\177\277\7z\336|O\370\26\23V$Yl\367\234\325\271\254\10\\265\204)6\330( \277A\366x\24\310\254|\310\337-\224\25\365&0YI\0\234T\353\204K\305\351\13\233\304\2152\270\10j\240\270A\376\7p\341\342Q\330\301\12803\240\367\243\321\370\265@\266\351%s0\31a\262\232\314N@\27;!p`\266\220\37\235O\240\200L\216\264\220p\301\310H\347n\260\230I\323|VJ\317\317I9r4(\222\233\377T\317\365i\301\257\353\244\270h\247\34vy\257\362)\22\3PM\205B\314\335h~\244\14\37g\235/\265Q\257 \325\227\224\48\233<\222\34S\322\330FG\305@\266K\16\15\370\12'"\333\32\222\223\2421\320f\257\304\323\353R\365\342\5oNS\344|\233\327\306\331NU\324\273\377\6b\335\306#\30\30\217\301\17\36*PT\302\307\6g\30O\354f@\324\273\256\261o\361x;\0r\250\222\341\344S\246]\321\255|\357\345\310v\234\247\302\3559[SI\326tM\5P\25\23EW\24\263' \210^B\32\11\31C\262\210UJ\302\361\31\12wG_\330\272\20i\266\6\207\332_\371\212Q\35\371\225:<\35\354i5\377\233U\303\316N\253\207B#\217C\354\260[\207s\325\302U\352\215\221Q\21\36\236\314\304\34\20p\324\250j\26$\C\321Y\362\31\376\364\351t'~qJ\17\5\272D\316\260{\2473o\347\15", 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) \333\32\222\223\2421\320f\257\304\323\353R\365\342\5oNS\344|\233\327\306\331NU\324\273\377\6b\335\306#\30\30\217\301\17\36*PT\302\307\6g\30O\354f@\324\273\256\261o\361x;\0r\250\222\341\344S\246]\321\255|\357\345\310v\234\247\302\3559[SI\326tM\5P\25\23EW\24\263' \210^B\32\11\31C\262\210UJ\302\361\31\12wG_\330\272\20i\266\6\207\332_\371\212Q\35\371\225:<\35\354i5\377\233U\303\316N\253\207B#\217C\354\260[\207s\325\302U\352\215\221Q\21\36\236\314\304\34\20p\324\250j\26$\C\321Y\362\31\376\364\351t'~qJ\17\5\272D\316\260{\2473o\347\15", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01073 412 NtWriteFile (140, 0, 0, 0, (140, 0, 0, 0, "\264\310^Ba\220\324R0\6]O\361A\247\260$P\34O$LXH$N\365\360\37\0\271O\224nr\376\275\13/G\24\3\371[\314\354D#4\3\31J \13[3|\22Y\243#\0\231I) \31\373"UI\260\10\337\302|-'y\254\324\5Y\232\1\214S\205\210U\337p`\342ND\27\1O$\261@\13\360.\367\254\21\27\2172\264(^IY w\16\236C]\6\337\2407!\346\276\7s!'\31\272kl*OM\272\220\223\304'[\303\20\335N#MP\262\277\3&\327m(\362\315\17\12eId\256\1\375\226\3\10\355=%!\17\357\337\307\32\37\206\16\351\363\3e\362rA\3\213\34D\354~\37$\260\331\271]\273B\177\331\27\362\211"\353\253I$\0YO$\0\31M\333\0YO$\0YO$\0\3313\0\10X@\241\206XO$`\347a\244DY\302\232\322\326\264\333W\332\202\333\353T\337\264\220\323Ib\210^\10%\333,H\257\36\332\241\330\21\202=\311\270XO$\0X\224Q\7\322Q\247\356\245^\377\21\231N\377s\266:-\213G\314\312\374H\224W\344h\206\247\350Z=)\301\271G\256\6\37\314\324\377-;\255\305X\224Q\7\322Q\247\356\245^\377\21\220N\377u^\304:\203\267\2635\333H\206Q \30N\377u^\304:\203\267\2635\333H\206%\333*\240Q\11\322Q\247\356\245^\377s\275\314\345\2\330\262$\363\246\260\247\321X\3020/\332\262\330vV\305&B\321HcI,\270\315c\246\260\333\220\322M\247\302]\306#\203\236K\247\351]8\325\1\226\246h\377\246\260z\211\256\366\232'YO\256\7\36c\314, 5082, 0x0, 0, ... 
{status=0x0, info=5082}, ) UI\260\10\337\302|-'y\254\324\5Y\232\1\214S\205\210U\337p`\342ND\27\1O$\261@\13\360.\367\254\21\27\2172\264(^IY w\16\236C]\6\337\2407!\346\276\7s!'\31\272kl*OM\272\220\223\304'[\303\20\335N#MP\262\277\3&\327m(\362\315\17\12eId\256\1\375\226\3\10\355=%!\17\357\337\307\32\37\206\16\351\363\3e\362rA\3\213\34D\354~\37$\260\331\271]\273B\177\331\27\362\211 (140, 0, 0, 0, "\264\310^Ba\220\324R0\6]O\361A\247\260$P\34O$LXH$N\365\360\37\0\271O\224nr\376\275\13/G\24\3\371[\314\354D#4\3\31J \13[3|\22Y\243#\0\231I) \31\373"UI\260\10\337\302|-'y\254\324\5Y\232\1\214S\205\210U\337p`\342ND\27\1O$\261@\13\360.\367\254\21\27\2172\264(^IY w\16\236C]\6\337\2407!\346\276\7s!'\31\272kl*OM\272\220\223\304'[\303\20\335N#MP\262\277\3&\327m(\362\315\17\12eId\256\1\375\226\3\10\355=%!\17\357\337\307\32\37\206\16\351\363\3e\362rA\3\213\34D\354~\37$\260\331\271]\273B\177\331\27\362\211"\353\253I$\0YO$\0\31M\333\0YO$\0YO$\0\3313\0\10X@\241\206XO$`\347a\244DY\302\232\322\326\264\333W\332\202\333\353T\337\264\220\323Ib\210^\10%\333,H\257\36\332\241\330\21\202=\311\270XO$\0X\224Q\7\322Q\247\356\245^\377\21\231N\377s\266:-\213G\314\312\374H\224W\344h\206\247\350Z=)\301\271G\256\6\37\314\324\377-;\255\305X\224Q\7\322Q\247\356\245^\377\21\220N\377u^\304:\203\267\2635\333H\206Q \30N\377u^\304:\203\267\2635\333H\206%\333*\240Q\11\322Q\247\356\245^\377s\275\314\345\2\330\262$\363\246\260\247\321X\3020/\332\262\330vV\305&B\321HcI,\270\315c\246\260\333\220\322M\247\302]\306#\203\236K\247\351]8\325\1\226\246h\377\246\260z\211\256\366\232'YO\256\7\36c\314, 5082, 0x0, 0, ... {status=0x0, info=5082}, ) , 5082, 0x0, 0, ... {status=0x0, info=5082}, ) == 0x0 01074 412 NtUnmapViewOfSection (-1, 0x9f0000, ... ) == 0x0 01075 412 NtSetInformationFile (140, 1244380, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01076 412 NtClose (144, ... ) == 0x0 01077 412 NtClose (140, ... 
) == 0x0 01078 412 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0 01079 412 NtSetValueKey (140, (140, "System Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0b\0l\0b\0q\0g\0y\0.\0e\0x\0e\0\0\0", 62, ... , 0, 1, (140, "System Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0b\0l\0b\0q\0g\0y\0.\0e\0x\0e\0\0\0", 62, ... , 62, ... 01080 412 NtSetInformationFile (-2147482808, -130971852, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01081 412 NtSetInformationFile (-2147482808, -130971944, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01079 412 NtSetValueKey ... ) == 0x0 01082 412 NtClose (140, ... ) == 0x0 01083 412 NtClose (100, ... ) == 0x0 01084 412 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 01085 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\blbqgy.exe"}, 1241012, ... ) }, 1241012, ... ) == 0x0 01086 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\blbqgy.exe"}, 1241704, ... ) }, 1241704, ... ) == 0x0 01087 412 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\blbqgy.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 01088 412 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 100, ... 140, ) == 0x0 01089 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01090 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 144, ) }, ... 
144, ) == 0x0 01091 412 NtQueryValueKey (144, (144, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01092 412 NtClose (144, ... ) == 0x0 01093 412 NtQueryVolumeInformationFile (100, 1241012, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01094 412 NtOpenMutant (0x120001, {24, 52, 0x0, 0, 0, (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 144, ) }, ... 144, ) == 0x0 01095 412 NtWaitForSingleObject (144, 0, {-1000000, -1}, ... ) == 0x0 01096 412 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 148, ) }, ... 148, ) == 0x0 01097 412 NtMapViewOfSection (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9f0000), {0, 0}, 57344, ) == 0x0 01098 412 NtReleaseMutant (144, ... 0x0, ) == 0x0 01099 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238996, ... ) }, 1238996, ... ) == 0x0 01100 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 01101 412 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 152, ... 156, ) == 0x0 01102 412 NtClose (152, ... ) == 0x0 01103 412 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 106496, ) == 0x0 01104 412 NtClose (156, ... ) == 0x0 01105 412 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 01106 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239312, ... ) }, 1239312, ... ) == 0x0 01107 412 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0 01108 412 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 156, ... 152, ) == 0x0 01109 412 NtQuerySection (152, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 01110 412 NtClose (156, ... ) == 0x0 01111 412 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0 01112 412 NtClose (152, ... ) == 0x0 01113 412 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01114 412 NtQueryInformationFile (152, 1239600, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01115 412 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 152, ... 156, ) == 0x0 01116 412 NtMapViewOfSection (156, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa00000), 0x0, 1028096, ) == 0x0 01117 412 NtQueryInformationFile (152, 1239696, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01118 412 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01119 412 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01120 412 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01121 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01122 412 NtQueryDirectoryFile (160, 0, 0, 0, 1237260, 616, BothDirectory, 1, (160, 0, 0, 0, 1237260, 616, BothDirectory, 1, "blbqgy.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01123 412 NtClose (160, ... ) == 0x0 01124 412 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01125 412 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01126 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\blbqgy.exe"}, 1236648, ... ) }, 1236648, ... ) == 0x0 01127 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01128 412 NtQueryDirectoryFile (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01129 412 NtClose (160, ... ) == 0x0 01130 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01131 412 NtQueryDirectoryFile (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01132 412 NtClose (160, ... ) == 0x0 01133 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01134 412 NtQueryDirectoryFile (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, (160, 0, 0, 0, 1236008, 616, BothDirectory, 1, "blbqgy.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01135 412 NtClose (160, ... ) == 0x0 01136 412 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01137 412 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01138 412 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01139 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01140 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
160, ) == 0x0 01141 412 NtQueryInformationToken (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01142 412 NtClose (160, ... ) == 0x0 01143 412 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01144 412 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\blbqgy.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01145 412 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01146 412 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01147 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\blbqgy.exe"}, 1238928, ... ) }, 1238928, ... ) == 0x0 01148 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01149 412 NtQueryDirectoryFile (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01150 412 NtClose (160, ... ) == 0x0 01151 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01152 412 NtQueryDirectoryFile (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01153 412 NtClose (160, ... 
) == 0x0 01154 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01155 412 NtQueryDirectoryFile (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, (160, 0, 0, 0, 1238288, 616, BothDirectory, 1, "blbqgy.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01156 412 NtClose (160, ... ) == 0x0 01157 412 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01158 412 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01159 412 NtWaitForSingleObject (144, 0, {-1000000, -1}, ... ) == 0x0 01160 412 NtQueryVolumeInformationFile (100, 1239572, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01161 412 NtQueryInformationFile (100, 1239552, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01162 412 NtQueryInformationFile (100, 1239592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01163 412 NtReleaseMutant (144, ... 0x0, ) == 0x0 01164 412 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 01165 412 NtClose (156, ... ) == 0x0 01166 412 NtClose (152, ... ) == 0x0 01167 412 NtQuerySection (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01168 412 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blbqgy.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01169 412 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 01170 412 NtOpenProcessToken (-1, 0xa, ... 152, ) == 0x0 01171 412 NtQueryInformationToken (152, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 01172 412 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01173 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01174 412 NtQueryValueKey (156, (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01175 412 NtQueryValueKey (156, (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01176 412 NtClose (156, ... ) == 0x0 01177 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01178 412 NtQueryValueKey (156, (156, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01179 412 NtQueryValueKey (156, (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (156, "ExecutableTypes", Partial, 260, ... 
TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0 01180 412 NtClose (156, ... ) == 0x0 01181 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01182 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01183 412 NtQueryValueKey (156, (156, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01184 412 NtClose (156, ... ) == 0x0 01185 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01186 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01187 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01188 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01189 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01190 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01191 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01192 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01193 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01194 412 NtQueryDefaultLocale (1, 1240384, ... ) == 0x0 01195 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 156, ) }, ... 156, ) == 0x0 01196 412 NtEnumerateKey (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (156, 0, Basic, 280, ... 
{LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 01197 412 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 160, ) }, ... 160, ) == 0x0 01198 412 NtQueryValueKey (160, (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 01199 412 NtQueryValueKey (160, (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01200 412 NtClose (160, ... ) == 0x0 01201 412 NtEnumerateKey (156, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 01202 412 NtClose (156, ... ) == 0x0 01203 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01205 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01206 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01207 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01208 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01209 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01210 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01211 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01212 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01213 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01214 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01215 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01216 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01217 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01218 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01219 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01220 412 NtClose (156, ... ) == 0x0 01221 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01222 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01223 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01224 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01225 412 NtClose (156, ... ) == 0x0 01226 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01227 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01228 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01229 412 NtQueryInformationToken (156, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01230 412 NtClose (156, ... ) == 0x0 01231 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01232 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01233 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01234 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01235 412 NtClose (156, ... ) == 0x0 01236 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01237 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01238 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01239 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01240 412 NtClose (156, ... ) == 0x0 01241 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01242 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01243 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01244 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01245 412 NtClose (156, ... ) == 0x0 01246 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01247 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01248 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01249 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01250 412 NtClose (156, ... ) == 0x0 01251 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01252 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01253 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01254 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01255 412 NtClose (156, ... ) == 0x0 01256 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01257 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01258 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01259 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01260 412 NtClose (156, ... ) == 0x0 01261 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01262 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01263 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01264 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01265 412 NtClose (156, ... 
) == 0x0 01266 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01267 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01268 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01269 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01270 412 NtClose (156, ... ) == 0x0 01271 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01272 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01273 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01274 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01275 412 NtClose (156, ... ) == 0x0 01276 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01277 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01278 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01279 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01280 412 NtClose (156, ... ) == 0x0 01281 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01282 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01283 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01284 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01285 412 NtClose (156, ... ) == 0x0 01286 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01287 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01288 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01289 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01290 412 NtClose (156, ... ) == 0x0 01291 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01292 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01293 412 NtQueryValueKey (156, (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 01294 412 NtClose (156, ... ) == 0x0 01295 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01296 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 156, ) == 0x0 01297 412 NtQueryInformationToken (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01298 412 NtClose (156, ... 
) == 0x0 01299 412 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01300 412 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01301 412 NtOpenProcessToken (-1, 0xa, ... 156, ) == 0x0 01302 412 NtDuplicateToken (156, 0xc, {24, 0, 0x0, 0, 1240904, 0x0}, 0, 2, ... 160, ) == 0x0 01303 412 NtClose (156, ... ) == 0x0 01304 412 NtAccessCheck (1378928, 160, 0x1, 1241032, 1240976, 56, 1241060, ... (0x1), ) == 0x0 01305 412 NtClose (160, ... ) == 0x0 01306 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 160, ) }, ... 160, ) == 0x0 01307 412 NtQueryValueKey (160, (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01308 412 NtClose (160, ... ) == 0x0 01309 412 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 160, ) }, ... 160, ) == 0x0 01310 412 NtQuerySymbolicLinkObject (160, ... (160, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01311 412 NtClose (160, ... ) == 0x0 01312 412 NtQueryInformationFile (100, 1239364, 528, Name, ... {status=0x0, info=60}, ) == 0x0 01313 412 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01314 412 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01315 412 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\blbqgy.exe"}, 1238044, ... ) }, 1238044, ... ) == 0x0 01316 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 
160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01317 412 NtQueryDirectoryFile (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01318 412 NtClose (160, ... ) == 0x0 01319 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01320 412 NtQueryDirectoryFile (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01321 412 NtClose (160, ... ) == 0x0 01322 412 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0 01323 412 NtQueryDirectoryFile (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, (160, 0, 0, 0, 1237404, 616, BothDirectory, 1, "blbqgy.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 01324 412 NtClose (160, ... ) == 0x0 01325 412 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01326 412 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01327 412 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01328 412 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 160, ) == 0x0 01329 412 NtQueryInformationToken (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01330 412 NtClose (160, ... ) == 0x0 01331 412 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 160, ) }, ... 
160, ) == 0x0 01332 412 NtOpenKey (0x20019, {24, 160, 0x40, 0, 0, (0x20019, {24, 160, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0 01333 412 NtClose (160, ... ) == 0x0 01334 412 NtQueryValueKey (156, (156, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01335 412 NtQueryValueKey (156, (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0 01336 412 NtClose (156, ... ) == 0x0 01337 412 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 10485760, 4096, ) == 0x0 01338 412 NtAllocateVirtualMemory (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0 01339 412 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0 01340 412 NtQueryValueKey (156, (156, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01341 412 NtClose (156, ... ) == 0x0 01342 412 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01343 412 NtQueryInformationToken (152, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 01344 412 NtQueryInformationToken (152, 15, 4, ... 
{token info, class 15, size 4}, 4, ) == 0x0 01345 412 NtClose (152, ... ) == 0x0 01346 412 NtCreateProcessEx (1243640, 2035711, 0, -1, 0, 140, 0, 0, 0, ... ) == 0x0 01347 412 NtQueryInformationProcess (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=572,ParentPid=408,}, 0x0, ) == 0x0 01348 412 NtReadVirtualMemory (152, 0x7ffdf008, 4, ... (152, 0x7ffdf008, 4, ... "\0\0P1", 0x0, ) , 0x0, ) == 0x0 01349 412 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\blbqgy.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01350 412 NtAllocateVirtualMemory (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0 01351 412 NtReadVirtualMemory (152, 0x31500000, 4096, ... (152, 0x31500000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\211\3504\210\315\211Z\333\315\211Z\333\315\211Z\333N\225T\333\317\211Z\333%\226^\333\317\211Z\333\315\211Z\333\313\211Z\333\315\211[\333\257\211Z\333\257\226I\333\304\211Z\333%\226Q\333\307\211Z\333Rich\315\211Z\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0]'\323@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\00\0\0\0\20\0\0\0P\0\0\0\260\0\0\0`\0\0\0\220\0\0\0\0P1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\220\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 01352 412 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01353 412 NtQueryInformationProcess (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=572,ParentPid=408,}, 0x0, ) == 0x0 01354 412 NtAllocateVirtualMemory (-1, 0, 0, 1660, 4096, 4, ... 10551296, 4096, ) == 0x0 01355 412 NtAllocateVirtualMemory (152, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0 01356 412 NtWriteVirtualMemory (152, 0x10000, (152, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0 01357 412 NtAllocateVirtualMemory (152, 0, 0, 1660, 4096, 4, ... 
131072, 4096, ) == 0x0 01358 412 NtWriteVirtualMemory (152, 0x20000, (152, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0<\0>\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0<\0>\0\30\6\0\0\36\0 \0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0 01359 412 NtWriteVirtualMemory (152, 0x7ffdf010, (152, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01360 412 NtWriteVirtualMemory (152, 0x7ffdf1e8, (152, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 01361 412 NtFreeVirtualMemory (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0 01362 412 NtAllocateVirtualMemory (152, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 01363 412 NtAllocateVirtualMemory (152, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 01364 412 NtProtectVirtualMemory (152, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 01365 412 NtCreateThread (0x1f03ff, 0x0, 152, 1241904, 1242624, 1, ... 
156, {572, 588}, ) == 0x0 01366 412 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243724} (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243724} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0<\2\0\0L\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 408, 412, 1501, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0<\2\0\0L\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ) ... {168, 196, reply, 0, 408, 412, 1501, 0} (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243724} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\0<\2\0\0L\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 408, 412, 1501, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\0<\2\0\0L\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ) ) == 0x0 01367 412 NtResumeThread (156, ... 1, ) == 0x0 01368 412 NtClose (100, ... ) == 0x0 01369 412 NtClose (140, ... ) == 0x0 01370 412 NtQueryInformationProcess (152, Basic, 24, ... 
{ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=572,ParentPid=408,}, 0x0, ) == 0x0 01371 412 NtUserWaitForInputIdle (572, 30000, 0, ... 01372 412 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0 01373 412 NtClose (140, ... ) == 0x0 01371 412 NtUserWaitForInputIdle ... ) == 0x0 01374 412 NtClose (152, ... ) == 0x0 01375 412 NtClose (156, ... ) == 0x0 01376 412 NtDelayExecution (0, {-5000000, -1}, ... ) == 0x0 01377 412 NtTerminateProcess (0, 0, ... ) == 0x0 01378 412 NtQueryVirtualMemory (-1, 0x896d20, Basic, 28, ... {BaseAddress=0x896000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 01379 412 NtQueryVirtualMemory (-1, 0x89762c, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x11000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 01380 412 NtQueryVirtualMemory (-1, 0x86cef4, Basic, 28, ... {BaseAddress=0x86c000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0 01381 412 NtGdiDeleteObjectApp (336200651, ... ) == 0x1 01382 412 NtGdiDeleteObjectApp (285869014, ... ) == 0x1 01383 412 NtGdiDeleteObjectApp (889848845, ... ) == 0x1 01384 412 NtUserDestroyCursor (196771, 1, ... ) == 0x1 01385 412 NtUserDestroyCursor (196773, 1, ... ) == 0x1 01386 412 NtUserDestroyCursor (262311, 1, ... ) == 0x1 01387 412 NtUserDestroyCursor (262247, 1, ... ) == 0x1 01388 412 NtUserDestroyCursor (131181, 1, ... ) == 0x1 01389 412 NtUserDestroyCursor (131179, 1, ... ) == 0x1 01390 412 NtUserDestroyCursor (196685, 1, ... ) == 0x1 01391 412 NtUserFindExistingCursorIcon (1243476, 1243492, 1244060, ... ) == 0x10011 01392 412 NtDeleteAtom (49180, ... ) == 0x0 01393 412 NtDeleteAtom (49181, ... ) == 0x0 01394 412 NtGdiDeleteObjectApp (369624075, ... ) == 0x1 01395 412 NtClose (96, ... 
) == 0x0 01396 412 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 01397 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03b 01398 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01399 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03d 01400 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01401 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc03f 01402 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01403 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc041 01404 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01405 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc043 01406 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01407 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc045 01408 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01409 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc047 01410 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01411 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc049 01412 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01413 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04b 01414 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01415 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04d 01416 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01417 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc04f 01418 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01419 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... 
) == 0xc051 01420 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01421 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc053 01422 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01423 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc057 01424 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01425 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc059 01426 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01427 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05b 01428 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01429 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05d 01430 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01431 412 NtUserGetClassInfo (1999896576, 1244176, 1244128, 1244204, 0, ... ) == 0xc05f 01432 412 NtUserUnregisterClass (1244180, 1999896576, 1244168, ... ) == 0x1 01433 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03b 01434 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01435 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03d 01436 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01437 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc03f 01438 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01439 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc041 01440 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01441 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc043 01442 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01443 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... 
) == 0xc045 01444 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01445 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc047 01446 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01447 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc049 01448 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01449 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04b 01450 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01451 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04d 01452 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01453 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc04f 01454 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01455 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc051 01456 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01457 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc053 01458 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01459 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc057 01460 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01461 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc059 01462 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01463 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05b 01464 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01465 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc05d 01466 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01467 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... 
) == 0xc05f 01468 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01469 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc017 01470 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01471 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc019 01472 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01473 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc018 01474 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01475 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01a 01476 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01477 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01c 01478 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01479 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01e 01480 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01481 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc01b 01482 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01483 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc068 01484 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01485 412 NtUserGetClassInfo (1905590272, 1244176, 1244128, 1244204, 0, ... ) == 0xc06a 01486 412 NtUserUnregisterClass (1244180, 1905590272, 1244168, ... ) == 0x1 01487 412 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 01488 412 NtClose (76, ... ) == 0x0 01489 412 NtClose (64, ... ) == 0x0 01490 412 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 01491 412 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 01492 412 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... 
) == 0x0 01493 412 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 01494 412 NtFreeVirtualMemory (-1, (0xa00000), 4096, 32768, ... (0xa00000), 4096, ) == 0x0 01495 412 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 0, 0, 0, 0} (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 408, 412, 1513, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 408, 412, 1513, 0} (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 408, 412, 1513, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01496 412 NtTerminateProcess (-1, 0, ... 01497 412 NtClose (44, ... ) == 0x0
