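Summary (number of calls per system service; counts ascend reading down each column, columns left to right):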

NtAccessCheck(>) 1 NtOpenMutant(>) 2 NtUserCalcMenuBar(>) 4 NtQueryKey(>) 12
NtCallbackReturn(>) 1 NtOpenProcess(>) 2 NtUserFillWindow(>) 4 NtCreateFile(>) 13
NtConnectPort(>) 1 NtQueryDirectoryFile(>) 2 NtUserGetClassName(>) 4 NtOpenProcessTokenEx(>) 13
NtCreateMutant(>) 1 NtQueryInstallUILanguage(>) 2 NtUserGetDCEx(>) 4 NtOpenThreadToken(>) 13
NtEnumerateValueKey(>) 1 NtQueryPerformanceCounter(>) 2 NtUserGetTitleBarInfo(>) 4 NtOpenThreadTokenEx(>) 13
NtFreeVirtualMemory(>) 1 NtQueryVirtualMemory(>) 2 NtUserQueryWindow(>) 4 NtSetInformationFile(>) 13
NtGdiCreateBitmap(>) 1 NtUserDestroyWindow(>) 2 NtUserRemoveProp(>) 4 NtSetInformationThread(>) 13
NtGdiExtCreateRegion(>) 1 NtUserGetForegroundWindow(>) 2 NtUserSetWindowFNID(>) 4 NtQuerySection(>) 14
NtGdiExtGetObjectW(>) 1 NtUserGetThreadDesktop(>) 2 NtUserWaitMessage(>) 4 NtUnmapViewOfSection(>) 15
NtGdiGetDCDword(>) 1 NtUserSetCursor(>) 2 NtGdiGetStockObject(>) 5 NtFsControlFile(>) 16
NtGdiGetTextExtent(>) 1 NtUserSetFocus(>) 2 NtUserGetAncestor(>) 5 NtGdiIntersectClipRect(>) 16
NtGdiInit(>) 1 NtUserSetWindowRgn(>) 2 NtUserGetAtomName(>) 5 NtDeviceIoControlFile(>) 17
NtGdiOffsetRgn(>) 1 NtUserShowWindow(>) 2 NtUserRegisterWindowMessage(>) 5 NtQueryInformationToken(>) 17
NtGdiQueryFontAssocInfo(>) 1 NtAddAtom(>) 3 NtUserSetProp(>) 5 NtGdiDrawStream(>) 18
NtNotifyChangeKey(>) 1 NtDuplicateObject(>) 3 NtUserSetWindowLong(>) 5 NtFlushInstructionCache(>) 22
NtOpenKeyedEvent(>) 1 NtGdiBitBlt(>) 3 NtCreateSemaphore(>) 6 NtRaiseException(>) 23
NtQueryObject(>) 1 NtGdiCreateCompatibleBitmap(>) 3 NtGdiCombineRgn(>) 6 NtContinue(>) 24
NtQuerySystemTime(>) 1 NtGdiExcludeClipRect(>) 3 NtGdiCreateRectRgn(>) 6 NtReleaseMutant(>) 24
NtRegisterThreadTerminatePort(>) 1 NtGdiGetCharSet(>) 3 NtQueryDefaultUILanguage(>) 6 NtUserGetWindowDC(>) 24
NtSecureConnectPort(>) 1 NtGdiGetTextCharsetInfo(>) 3 NtUserBeginPaint(>) 6 NtCreateSection(>) 27
NtTestAlert(>) 1 NtGdiGetTextMetricsW(>) 3 NtWriteFile(>) 6 NtUserCallOneParam(>) 30
NtUserBuildHwndList(>) 1 NtGdiHfontCreate(>) 3 NtGdiCreateCompatibleDC(>) 7 NtOpenFile(>) 35
NtUserCallHwnd(>) 1 NtGdiSetupPublicCFONT(>) 3 NtGdiSelectBitmap(>) 7 NtUserGetClassInfo(>) 37
NtUserCallHwndParam(>) 1 NtOpenEvent(>) 3 NtUserCallNoParam(>) 7 NtWaitForSingleObject(>) 37
NtUserCallMsgFilter(>) 1 NtOpenSymbolicLinkObject(>) 3 NtUserInternalGetWindowText(>) 7 NtAllocateVirtualMemory(>) 42
NtUserDrawIconEx(>) 1 NtQueryInformationFile(>) 3 NtGdiDeleteObjectApp(>) 8 NtMapViewOfSection(>) 46
NtUserGetCursorFrameInfo(>) 1 NtQuerySymbolicLinkObject(>) 3 NtQueryDebugFilterState(>) 8 NtOpenSection(>) 48
NtUserGetDC(>) 1 NtQueryVolumeInformationFile(>) 3 NtUserPeekMessage(>) 9 NtProtectVirtualMemory(>) 48
NtUserGetGUIThreadInfo(>) 1 NtUserCallHwndLock(>) 3 NtReleaseSemaphore(>) 10 NtQueryAttributesFile(>) 53
NtUserGetIconSize(>) 1 NtUserEndPaint(>) 3 NtRequestWaitReplyPort(>) 10 NtUserFindExistingCursorIcon(>) 53
NtUserGetProcessWindowStation(>) 1 NtUserGetControlBrush(>) 3 NtUserCreateWindowEx(>) 10 NtUserMessageCall(>) 64
NtUserModifyUserStartupInfoFlags(>) 1 NtUserGetObjectInformation(>) 3 NtQueryInformationProcess(>) 11 NtUserRegisterClassExWOW(>) 64
NtUserUnregisterClass(>) 1 NtUserSetWindowPos(>) 3 NtSetValueKey(>) 11 NtReadFile(>) 70
NtCreateIoCompletion(>) 2 NtEnumerateKey(>) 4 NtUserSystemParametersInfo(>) 11 NtQuerySystemInformation(>) 76
NtGdiCreatePatternBrushInternal(>) 2 NtOpenProcessToken(>) 4 NtCreateEvent(>) 12 NtQueryValueKey(>) 82
NtGdiCreateSolidBrush(>) 2 NtQueryDefaultLocale(>) 4 NtCreateKey(>) 12 NtOpenKey(>) 104
NtGdiGetWidthTable(>) 2 NtQuerySecurityObject(>) 4 NtGdiExtSelectClipRgn(>) 12 NtClose(>) 181
NtOpenDirectoryObject(>) 2 NtSetInformationObject(>) 4 NtGdiGetRandomRgn(>) 12

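Trace (each entry: sequence number, caller ID 424 (apparently the thread ID), system service name, input arguments, "..." followed by output values, then "==" and the returned status; a sequence number that appears twice marks a call whose result was logged only after the nested calls shown in between had returned):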

00001 424 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 424 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 424 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 424 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 424 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 424 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 424 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 424 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 424 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 424 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 424 NtClose (12, ... 
) == 0x0 00014 424 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 424 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 424 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 424 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 424 NtClose (16, ... ) == 0x0 00021 424 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 424 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 424 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 424 NtClose (16, ... ) == 0x0 00026 424 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 424 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 424 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 424 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 424 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 424 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 420, 424, 1507, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 420, 424, 1507, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 420, 424, 1507, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 424 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 424 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 424 NtClose (16, ... ) == 0x0 00036 424 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 424 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 424 NtClose (28, ... ) == 0x0 00041 424 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 424 NtClose (28, ... ) == 0x0 00045 424 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 424 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 424 NtClose (28, ... ) == 0x0 00049 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 424 NtClose (28, ... ) == 0x0 00052 424 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 424 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 420, 424, 1512, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 420, 424, 1512, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 420, 424, 1512, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 424 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00057 424 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00058 424 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00059 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 424 NtClose (28, ... ) == 0x0 00062 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 424 NtClose (28, ... ) == 0x0 00065 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 424 NtClose (28, ... ) == 0x0 00068 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 424 NtClose (28, ... ) == 0x0 00071 424 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00072 424 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00073 424 NtFlushInstructionCache (-1, 4222976, 640, ... 
) == 0x0 00074 424 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00075 424 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00076 424 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00077 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00078 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00079 424 NtClose (28, ... ) == 0x0 00080 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00081 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00082 424 NtClose (28, ... ) == 0x0 00083 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00085 424 NtClose (28, ... ) == 0x0 00086 424 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00087 424 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00088 424 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00089 424 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00090 424 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00091 424 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00092 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00094 424 NtClose (28, ... ) == 0x0 00095 424 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00096 424 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... 
(0x407000), 4096, 4, ) == 0x0 00097 424 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00098 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00099 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00100 424 NtClose (28, ... ) == 0x0 00101 424 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00102 424 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00103 424 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00104 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 28, ) }, ... 28, ) == 0x0 00105 424 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 00106 424 NtClose (28, ... ) == 0x0 00107 424 NtProtectVirtualMemory (-1, (0x407000), 640, 4, ... (0x407000), 4096, 2, ) == 0x0 00108 424 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00109 424 NtFlushInstructionCache (-1, 4222976, 640, ... ) == 0x0 00110 424 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00111 424 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00112 424 NtClose (28, ... ) == 0x0 00113 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00114 424 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00115 424 NtClose (28, ... ) == 0x0 00116 424 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00117 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00118 424 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00119 424 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00120 424 NtClose (28, ... ) == 0x0 00121 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00122 424 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00123 424 NtClose (28, ... ) == 0x0 00124 424 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00125 424 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00126 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 424 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00128 424 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 420, 424, 1518, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 420, 424, 1518, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 420, 424, 1518, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00129 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 424 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0 00131 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00132 424 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00133 424 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482208, ) == 0x0 00134 424 NtQueryInformationToken (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00135 424 NtQueryInformationToken (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00136 424 NtClose (-2147482208, ... ) == 0x0 00137 424 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00138 424 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00139 424 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 
48, ) == 0x0 00140 424 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00141 424 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 424 NtClose (-2147482208, ... ) == 0x0 00143 424 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00144 424 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 424 NtClose (-2147482208, ... ) == 0x0 00146 424 NtQueryDefaultLocale (0, -133690868, ... ) == 0x0 00147 424 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00148 424 NtUserCallNoParam (24, ... ) == 0x0 00149 424 NtGdiCreateCompatibleDC (0, ... 00150 424 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00149 424 NtGdiCreateCompatibleDC ... ) == 0x420103cb 00151 424 NtGdiGetStockObject (0, ... ) == 0x1900010 00152 424 NtGdiGetStockObject (4, ... ) == 0x1900011 00153 424 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xe0503f7 00154 424 NtGdiCreateSolidBrush (0, 0, ... 00155 424 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0 00154 424 NtGdiCreateSolidBrush ... ) == 0x10100408 00156 424 NtGdiGetStockObject (13, ... ) == 0x18a0021 00157 424 NtGdiCreateCompatibleDC (0, ... ) == 0xa0103e3 00158 424 NtGdiSelectBitmap (167838691, 235209719, ... ) == 0x185000f 00159 424 NtUserGetThreadDesktop (424, 0, ... ) == 0x2c 00160 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 
52, ) == 0x0 00161 424 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00162 424 NtClose (52, ... ) == 0x0 00163 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00164 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00165 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00166 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00167 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00168 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00169 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00170 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00171 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00172 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00173 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00174 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00175 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00176 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00177 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00178 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026 00179 424 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00180 424 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... 
) == 0x810dc019 00181 424 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00182 424 NtAllocateVirtualMemory (-1, 5668864, 0, 4096, 4096, 32, ... 5668864, 4096, ) == 0x0 00181 424 NtUserRegisterClassExWOW ... ) == 0x810dc020 00183 424 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00184 424 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00185 424 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00186 424 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00187 424 NtCallbackReturn (0, 0, 0, ... 00188 424 NtGdiInit (... ) == 0x1 00189 424 NtGdiGetStockObject (18, ... ) == 0x290001c 00190 424 NtGdiGetStockObject (19, ... ) == 0x1b00019 00191 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00192 424 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00193 424 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00194 424 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0 00195 424 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00196 424 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00197 424 NtClose (52, ... ) == 0x0 00198 424 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00199 424 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00200 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0 00201 424 NtQueryValueKey (52, (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00202 424 NtClose (52, ... ) == 0x0 00203 424 NtQueryDefaultUILanguage (1241756, ... 00204 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00205 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00206 424 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00207 424 NtClose (-2147482208, ... ) == 0x0 00208 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00209 424 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00210 424 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0 00211 424 NtQueryValueKey (-2147482204, (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00212 424 NtClose (-2147482204, ... ) == 0x0 00213 424 NtClose (-2147482208, ... ) == 0x0 00203 424 NtQueryDefaultUILanguage ... ) == 0x0 00214 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00215 424 NtQueryInstallUILanguage (2012047340, ... 
) == 0x0 00216 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00217 424 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0 00218 424 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 8323072, ) == 0x0 00219 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 424 NtQueryDefaultUILanguage (2013024600, ... 00221 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00222 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00223 424 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00224 424 NtClose (-2147482208, ... ) == 0x0 00225 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00226 424 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00227 424 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0 00228 424 NtQueryValueKey (-2147482204, (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00229 424 NtClose (-2147482204, ... ) == 0x0 00230 424 NtClose (-2147482208, ... ) == 0x0 00220 424 NtQueryDefaultUILanguage ... ) == 0x0 00231 424 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00232 424 NtQueryInstallUILanguage (2013024602, ... 
) == 0x0 00233 424 NtQueryDefaultLocale (1, 1239792, ... ) == 0x0 00234 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00235 424 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 424, 1519, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 420, 424, 1519, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 424, 1519, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ) == 0x0 00236 424 NtClose (52, ... ) == 0x0 00237 424 NtClose (56, ... ) == 0x0 00238 424 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00239 424 NtUnmapViewOfSection (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW 00240 424 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00241 424 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00242 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00243 424 NtQueryValueKey (56, (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00244 424 NtClose (56, ... ) == 0x0 00245 424 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00246 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00247 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00248 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00249 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00250 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00251 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00252 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00253 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0 00254 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00255 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 
52, {status=0x0, info=1}, ) == 0x0 00256 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00257 424 NtClose (52, ... ) == 0x0 00258 424 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 921600, ) == 0x0 00259 424 NtClose (60, ... ) == 0x0 00260 424 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00261 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00262 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00263 424 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00264 424 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00265 424 NtQueryInformationToken (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00266 424 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00267 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0 00268 424 NtQueryValueKey (68, (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00269 424 NtClose (68, ... ) == 0x0 00270 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00271 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 68, ) == 0x0 00272 424 NtQueryInformationToken (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00273 424 NtClose (68, ... 
) == 0x0 00274 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00275 424 NtClose (64, ... ) == 0x0 00276 424 NtClose (60, ... ) == 0x0 00277 424 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00278 424 NtClose (52, ... ) == 0x0 00279 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00280 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00281 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00282 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00283 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00284 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00285 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00286 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00287 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00288 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00289 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00290 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00291 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00292 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00293 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00294 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00295 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00296 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00297 424 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00298 424 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00299 424 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00300 424 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0 00301 424 NtQueryDefaultUILanguage (1239368, ... 00302 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00303 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00304 424 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00305 424 NtClose (-2147482208, ... ) == 0x0 00306 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00307 424 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 424 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482204, ) }, ... -2147482204, ) == 0x0 00309 424 NtQueryValueKey (-2147482204, (-2147482204, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 424 NtClose (-2147482204, ... ) == 0x0 00311 424 NtClose (-2147482208, ... ) == 0x0 00301 424 NtQueryDefaultUILanguage ... ) == 0x0 00312 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00313 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0 00314 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00315 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00316 424 NtClose (52, ... ) == 0x0 00317 424 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 4096, ) == 0x0 00318 424 NtClose (60, ... ) == 0x0 00319 424 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00320 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0 00321 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238560, (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00322 424 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0 00323 424 NtClose (60, ... ) == 0x0 00324 424 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x880000), {0, 0}, 4096, ) == 0x0 00325 424 NtClose (52, ... ) == 0x0 00326 424 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00327 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00328 424 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0 00329 424 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 4096, ) == 0x0 00330 424 NtQueryInformationFile (52, 1238180, 56, NetworkOpen, ... 
{status=0x0, info=56}, ) == 0x0 00331 424 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00332 424 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 424, 1520, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 420, 424, 1520, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 420, 424, 1520, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ) == 0x0 00333 424 NtClose (52, ... ) == 0x0 00334 424 NtClose (60, ... ) == 0x0 00335 424 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00336 424 NtUnmapViewOfSection (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW 00337 424 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00338 424 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... 
) == 0xc03a 00339 424 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00340 424 NtUserGetDC (0, ... ) == 0x1010050 00341 424 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00342 424 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00343 424 NtUserSystemParametersInfo (66, 12, 1240672, 0, ... ) == 0x1 00344 424 NtOpenProcessToken (-1, 0x8, ... 60, ) == 0x0 00345 424 NtAccessCheck (1329160, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00346 424 NtClose (60, ... ) == 0x0 00347 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00348 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00349 424 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00350 424 NtClose (60, ... ) == 0x0 00351 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00352 424 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00353 424 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00354 424 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00355 424 NtClose (52, ... ) == 0x0 00356 424 NtUserSystemParametersInfo (41, 500, 1240172, 0, ... ) == 0x1 00357 424 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0 00358 424 NtQueryValueKey (52, (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00359 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 
64, ) == 0x0 00360 424 NtQueryValueKey (64, (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00361 424 NtClose (64, ... ) == 0x0 00362 424 NtClose (52, ... ) == 0x0 00363 424 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00364 424 NtUserSystemParametersInfo (4130, 0, 1240696, 0, ... ) == 0x1 00365 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0 00366 424 NtEnumerateValueKey (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00367 424 NtClose (52, ... ) == 0x0 00368 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00369 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b 00370 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d 00371 424 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00372 424 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f 00373 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00374 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041 00375 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00376 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043 00377 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045 00378 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00379 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047 00380 424 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00381 424 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... 
) == 0x810dc049 00382 424 NtUserGetClassInfo (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049 00383 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00384 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b 00385 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00386 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d 00387 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00388 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f 00389 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051 00390 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00391 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053 00392 424 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00393 424 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055 00394 424 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057 00395 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00396 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059 00397 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10013 00398 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b 00399 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00400 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d 00401 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00402 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 
) == 0x810dc05f 00403 424 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00404 424 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017 00405 424 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00406 424 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019 00407 424 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10013 00408 424 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018 00409 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00410 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a 00411 424 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00412 424 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c 00413 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00414 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 00415 424 NtAllocateVirtualMemory (-1, 5672960, 0, 4096, 4096, 32, ... 5672960, 4096, ) == 0x0 00414 424 NtUserRegisterClassExWOW ... ) == 0x810dc01e 00416 424 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00417 424 NtUserRegisterClassExWOW (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b 00418 424 NtUserFindExistingCursorIcon (1239972, 1239988, 1240556, ... ) == 0x10011 00419 424 NtUserRegisterClassExWOW (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068 00420 424 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00421 424 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a 00422 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00423 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... 
) == 0x10011 00424 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03b 00425 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00426 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03d 00427 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00428 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00429 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03f 00430 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00431 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00432 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc041 00433 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00434 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00435 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc043 00436 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00437 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc045 00438 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00439 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00440 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc047 00441 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00442 424 NtUserFindExistingCursorIcon (1242872, 1242888, 1243456, ... ) == 0x10011 00443 424 NtUserRegisterClassExWOW (1243324, 1243404, 1243388, 1243420, 0, 384, 0, ... ) == 0x810dc049 00444 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00445 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... 
) == 0x10011 00446 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04b 00447 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00448 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00449 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04d 00450 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00451 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00452 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04f 00453 424 NtUserGetClassInfo (0, 1243496, 1243448, 1243524, 0, ... ) == 0x0 00454 424 NtUserRegisterClassExWOW (1243332, 1243412, 1243396, 1243428, 0, 384, 0, ... ) == 0x810dc051 00455 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00456 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00457 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc053 00458 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00459 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00460 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc055 00461 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc057 00462 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00463 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00464 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc059 00465 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00466 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10013 00467 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... 
) == 0x810dc05b 00468 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00469 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00470 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05d 00471 424 NtUserGetClassInfo (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0 00472 424 NtUserFindExistingCursorIcon (1242876, 1242892, 1243460, ... ) == 0x10011 00473 424 NtUserRegisterClassExWOW (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05f 00474 424 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {420, 0}, ... 52, ) == 0x0 00475 424 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00476 424 NtClose (52, ... ) == 0x0 00477 424 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00478 424 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00479 424 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00480 424 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00481 424 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 424 NtClose (52, ... ) == 0x0 00483 424 NtUserSystemParametersInfo (41, 500, 1243132, 0, ... ) == 0x1 00484 424 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00485 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03b 00486 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03d 00487 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03f 00488 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc041 00489 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc043 00490 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... 
) == 0xc045 00491 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc047 00492 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc049 00493 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04b 00494 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04d 00495 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04f 00496 424 NtUserGetClassInfo (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0xc051 00497 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc053 00498 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc055 00499 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc059 00500 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05b 00501 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05d 00502 424 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05f 00503 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00504 424 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00505 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00506 424 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00507 424 NtClose (52, ... 
) == 0x0 00508 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00509 424 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00510 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00511 424 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00512 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00513 424 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00514 424 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 424 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00516 424 NtClose (52, ... ) == 0x0 00517 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00518 424 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00519 424 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00520 424 NtClose (52, ... 
) == 0x0 00521 424 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00522 424 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00523 424 NtTestAlert (... ) == 0x0 00524 424 NtContinue (1244464, 1, ... 00525 424 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x403166,}, 4, ... ) == 0x0 00526 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242296, ... ) }, 1242296, ... ) == 0x0 00527 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00528 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 64, ... 68, ) == 0x0 00529 424 NtClose (64, ... ) == 0x0 00530 424 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 262144, ) == 0x0 00531 424 NtClose (68, ... ) == 0x0 00532 424 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 00533 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00534 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00535 424 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 
1331200, 4096, ) == 0x0 00536 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00537 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 68, {status=0x0, info=0}, ) }, 7, 16, ... 68, {status=0x0, info=0}, ) == 0x0 00538 424 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247]\353\346b\211\31\365L\365\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00539 424 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00540 424 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00541 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00542 424 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00543 424 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00544 424 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00545 424 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
) == STATUS_INFO_LENGTH_MISMATCH 00546 424 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00547 424 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\251\213\30\377A\32 \270b\275\342\336\1\314\35be\13\262W\321\32\373\343S\32\257\373J\273e\26\231\263\234\275\14\255\342\347\325\235K\253\6\334'\316E\265\14(7\372\3412:L=\222\15u\363\246e\252\341\378\203!\27x\21m\207+\30\212\277", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\251\213\30\377A\32 \270b\275\342\336\1\314\35be\13\262W\321\32\373\343S\32\257\373J\273e\26\231\263\234\275\14\255\342\347\325\235K\253\6\334'\316E\265\14(7\372\3412:L=\222\15u\363\246e\252\341\378\203!\27x\21m\207+\30\212\277", 80, ... ) , 80, ... ) == 0x0 00548 424 NtClose (-2147482208, ... ) == 0x0 00538 424 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\2\243\25~qM\232\23\357\244\347\3367 \35y`\341\264\1\261t3~c\270r\312-H\252\230\343\24\331\301f\364\356\324\342\343\232&\240.j\330\257\353T\10;\275\216b+>\361\203\307\243\312\315\365\340\373":_\220\265\256\313\203\271[\14\351&\313\323\320\222\0V*\241\31k\344\330\10Y\243\234 \311\357l\307\237\27m\374\327\33\243\342j\372?\37\3330\260n\306\330\360pH\16\36\372\375]\362C\241\350\247O1\17D\23\250\340\33g3\367\25\215\235Y:js;\200\271BJ\352j#\217\33wC\3336j\332\231Q\252\204\253,\323\370\6\2558;~@\260\264\345\264%(;\310\327\21\360\301\207\205E\7\24:\36\24\214\355#!\230G\243\344\275\371\330\244\210\314\22\14P\314)\300\14\236\273\2567\223\300\362\262ub\276\2_\307c\274\30\217\343Zz\10\322\260\360\254\376\300\4z\203\20\257\357\35", ) :_\220\265\256\313\203\271[\14\351&\313\323\320\222\0V*\241\31k\344\330\10Y\243\234 
\311\357l\307\237\27m\374\327\33\243\342j\372?\37\3330\260n\306\330\360pH\16\36\372\375]\362C\241\350\247O1\17D\23\250\340\33g3\367\25\215\235Y:js;\200\271BJ\352j#\217\33wC\3336j\332\231Q\252\204\253,\323\370\6\2558;~@\260\264\345\264%(;\310\327\21\360\301\207\205E\7\24:\36\24\214\355#!\230G\243\344\275\371\330\244\210\314\22\14P\314)\300\14\236\273\2567\223\300\362\262ub\276\2_\307c\274\30\217\343Zz\10\322\260\360\254\376\300\4z\203\20\257\357\35", ) == 0x0 00549 424 NtAllocateVirtualMemory (-1, 1335296, 0, 16384, 4096, 4, ... 1335296, 16384, ) == 0x0 00550 424 NtUserRegisterClassExWOW (1244380, 1244460, 1244444, 1244476, 0, 384, 0, ... ) == 0x810dc038 00551 424 NtUserGetAtomName (49208, 1243144, ... ) == 0x15 00552 424 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 00553 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240668, ... ) }, 1240668, ... ) == 0x0 00554 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00555 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 64, ... 72, ) == 0x0 00556 424 NtClose (64, ... ) == 0x0 00557 424 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 204800, ) == 0x0 00558 424 NtClose (72, ... ) == 0x0 00559 424 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 00560 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240984, ... ) }, 1240984, ... ) == 0x0 00561 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 
72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00562 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 72, ... 64, ) == 0x0 00563 424 NtQuerySection (64, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00564 424 NtClose (72, ... ) == 0x0 00565 424 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00566 424 NtClose (64, ... ) == 0x0 00567 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00568 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00569 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00570 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00571 424 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00572 424 NtClose (64, ... ) == 0x0 00573 424 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00574 424 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 72, ) }, ... 72, ) == 0x0 00575 424 NtQueryValueKey (72, (72, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00576 424 NtClose (72, ... ) == 0x0 00577 424 NtClose (64, ... ) == 0x0 00578 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00579 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 64, ) == 0x0 00580 424 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00581 424 NtClose (64, ... ) == 0x0 00582 424 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 64, ) }, ... 64, ) == 0x0 00583 424 NtOpenKey (0x1, {24, 64, 0x40, 0, 0, (0x1, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 
72, ) == 0x0 00584 424 NtQueryValueKey (72, (72, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 424 NtClose (72, ... ) == 0x0 00586 424 NtClose (64, ... ) == 0x0 00587 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00588 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00589 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1240484, ... ) }, 1240484, ... ) == 0x0 00590 424 NtUserGetProcessWindowStation (... ) == 0x28 00591 424 NtUserGetObjectInformation (40, 2, 0, 0, 1242780, ... ) == 0x0 00592 424 NtUserGetObjectInformation (40, 2, 1350040, 16, 1242780, ... ) == 0x1 00593 424 NtUserGetGUIThreadInfo (424, 1242736, ... ) == 0x1 00594 424 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1242556, 64, ... 64, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242556, 64, ... 64, 0x0, 0x0, 0x0, 64, ) == 0x0 00595 424 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 420, 424, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 420, 424, 1524, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 420, 424, 1524, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00596 424 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 420, 424, 1525, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... 
{32, 56, reply, 0, 420, 424, 1525, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 420, 424, 1525, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00597 424 NtUserCallNoParam (29, ... 00598 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240028, ... ) }, 1240028, ... ) == 0x0 00597 424 NtUserCallNoParam ... ) == 0x0 00599 424 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 00600 424 NtGdiHfontCreate (1242108, 356, 0, 0, 1329232, ... ) == 0xc0a0405 00601 424 NtGdiHfontCreate (1242108, 356, 0, 0, 1329224, ... ) == 0x80a03f6 00602 424 NtRequestWaitReplyPort (64, {32, 56, new_msg, 0, 0, 0, 0, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 420, 424, 1526, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 420, 424, 1526, 0} (64, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 420, 424, 1526, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00603 424 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8a0000), {0, 0}, 331776, ) == 0x0 00604 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00605 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00606 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00607 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00608 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00609 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00610 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00611 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00612 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00613 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00614 424 NtUserGetWindowDC (0, ... 
) == 0x1010054 00615 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00616 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00617 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00618 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00619 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00620 424 NtUserGetWindowDC (0, ... ) == 0x1010054 00621 424 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x61003ef 00622 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00623 424 NtUserCallNoParam (29, ... 00624 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239472, ... ) }, 1239472, ... ) == 0x0 00623 424 NtUserCallNoParam ... ) == 0x0 00625 424 NtUserCallNoParam (29, ... 00626 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00625 424 NtUserCallNoParam ... ) == 0x0 00627 424 NtUserMessageCall (0x200b2, WM_NCCREATE, 0x0, 0x12f7b4, 0, 670, 0, ... ) == 0x1 00628 424 NtUserMessageCall (0x200b2, WM_NCCALCSIZE, 0x0, 0x12f7dc, 0, 670, 0, ... ) == 0x0 00629 424 NtUserSetProp (131250, 43288, -1, ... ) == 0x1 00552 424 NtUserCreateWindowEx ... ) == 0x200b2 00630 424 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247N\340k\233\355\217\3032\351\211\224\330\11\7\263\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00631 424 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 00632 424 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00633 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00634 424 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00635 424 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00636 424 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00637 424 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00638 424 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00639 424 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "cz\14\30H\337\13\266\340Eu/\246\342\203N\232\347\215{\340\256.O\214_\374\353.\335\345K'\377\364\2428\21NEb\264\257d\263\244\305\25\356Ny\146\301\200,,\267\346\246\204@\4\326\5\264\304\255\332*n\242\254\366k\271*?\217)", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "cz\14\30H\337\13\266\340Eu/\246\342\203N\232\347\215{\340\256.O\214_\374\353.\335\345K'\377\364\2428\21NEb\264\257d\263\244\305\25\356Ny\146\301\200,,\267\346\246\204@\4\326\5\264\304\255\332*n\242\254\366k\271*?\217)", 80, ... ) , 80, ... ) == 0x0 00640 424 NtClose (-2147482208, ... ) == 0x0 00630 424 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\260\366\301\322}B~O\225\303qK\236p:\316t\360\314\240\363\5\205f\177\367\205\242\251\311\220\17QY\345F\340\4}\311\214\233'\320\252%d\201\15\309rN\353\334\326\267\3678\246\305\232\276\252\307R\356\374-\366\7c\323\305\2750\22\374\272-\357\26\315\263\223\34\365H`kZ\253\344\31\30\20\310\226\\250\336q\\321w\P\304X\324P0\354\325\374\20$\250\300?\350\353DV\\233I\245\242\355\254\234"\216\251Z\32\354\35\333\32\301E\2240\250)$\354\245h\260\233h]h\31\214\363\361S\354\325\314\210\247\300\207\203T\245Z\32\347?V\373[\322\323\375)m7\356\237\321\341@\14\315Jqw\13Bs\23\356=\360\36\316\334\245\342\3\265\371D}\35Xd\211\2625w\322\347D\351\261L\252Q3\371\0l\177\13\247\0\225\351\335a\352\215\312i\236\304\377\13\217E\333\320\34:\326\244\337\24", ) \216\251Z\32\354\35\333\32\301E\2240\250)$\354\245h\260\233h]h\31\214\363\361S\354\325\314\210\247\300\207\203T\245Z\32\347?V\373[\322\323\375)m7\356\237\321\341@\14\315Jqw\13Bs\23\356=\360\36\316\334\245\342\3\265\371D}\35Xd\211\2625w\322\347D\351\261L\252Q3\371\0l\177\13\247\0\225\351\335a\352\215\312i\236\304\377\13\217E\333\320\34:\326\244\337\24", ) == 0x0 00641 424 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247N\340k\233\355\217\303!\342\4m\274\2371\315\326\211\224\330\11\7\263\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00642 424 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00643 424 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 00644 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00645 424 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00646 424 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00647 424 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00648 424 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00649 424 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00650 424 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\222~\254\25\303\220\340{\5\16\213\361\354E\364\237\25\30n*q\362\0\212\341\220\232\265\221\33\350\207\337\2076\222\343e\377\255\270g\4#&\346\2175.\37\201\341\230u\6$Q\354\274=2Xir\16[\26\210\\206%f?\321~\26\224\333Z\377", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\222~\254\25\303\220\340{\5\16\213\361\354E\364\237\25\30n*q\362\0\212\341\220\232\265\221\33\350\207\337\2076\222\343e\377\255\270g\4#&\346\2175.\37\201\341\230u\6$Q\354\274=2Xir\16[\26\210\\206%f?\321~\26\224\333Z\377", 80, ... ) , 80, ... ) == 0x0 00651 424 NtClose (-2147482208, ... ) == 0x0 00641 424 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\263jo]zf\256.oq\271\202\22#\22j\35\220\3422\316\211W\26\301_\224\73\204\346\36\257\305\202\6\37\323\36\203g\262\21\274\206:53\270@\6\234^\274\36\353P\0!\270\316\332\25\200X\205~lI\214\312O\25\261\25=\316\233B]\201\235\366\224\361\304\346\11\252j\330m*v\252P\3212\357\257\226\263Z\342A\233\222r\341iJO\351\325\344\302zm1\326\366\246y\303\322zGhI\371R^\204\250\266&%-#\202|\374~)\11\266\353!W\276\363\222\24Kl\340o\374\332\2\3049\340\356\30:\205\360g\300\334\371m\311U\264r\241: xd\327P\366yqn9\330\307\252\17[\356\177\347f\350VCo&g\3106\210\222i&1\244""c\203M\305Z\1\247b\356;\225\357\356\30%Nb\356\374\257\217\25\342\7\346\222\323T\314", ) ... {status=0x0, info=256}, "\263jo]zf\256.oq\271\202\22#\22j\35\220\3422\316\211W\26\301_\224\73\204\346\36\257\305\202\6\37\323\36\203g\262\21\274\206:53\270@\6\234^\274\36\353P\0!\270\316\332\25\200X\205~lI\214\312O\25\261\25=\316\233B]\201\235\366\224\361\304\346\11\252j\330m*v\252P\3212\357\257\226\263Z\342A\233\222r\341iJO\351\325\344\302zm1\326\366\246y\303\322zGhI\371R^\204\250\266&%-#\202|\374~)\11\266\353!W\276\363\222\24Kl\340o\374\332\2\3049\340\356\30:\205\360g\300\334\371m\311U\264r\241: xd\327P\366yqn9\330\307\252\17[\356\177\347f\350VCo&g\3106\210\222i&1\244""c\203M\305Z\1\247b\356;\225\357\356\30%Nb\356\374\257\217\25\342\7\346\222\323T\314", ) \346\222\323T\314", ) == 0x0 00652 424 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, 
"\220g\333\372v\252\247N\340k\233\355\217\303!\342\4m\274\2371\336\335\4m\274\2371\315\326\211\224\330\11\7\263\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00653 424 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00654 424 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00655 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00656 424 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00657 424 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00658 424 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00659 424 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00660 424 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00661 424 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\235\354\267kd)G\352\265\20\311+k&T\270\301\2715\216\205PZ\256\317\251\345\230\320\2710\373\271\251I\336\371\354\22HI\372i\320S\375,NE\344/\27\314\17J\311\276X\2\341* \322\234\202\255\347\2462z1\273\6\234(\366\7&Z\330", 80, ... 
) , 0, 3, (-2147482208, "Seed", 0, 3, "\235\354\267kd)G\352\265\20\311+k&T\270\301\2715\216\205PZ\256\317\251\345\230\320\2710\373\271\251I\336\371\354\22HI\372i\320S\375,NE\344/\27\314\17J\311\276X\2\341* \322\234\202\255\347\2462z1\273\6\234(\366\7&Z\330", 80, ... ) , 80, ... ) == 0x0 00662 424 NtClose (-2147482208, ... ) == 0x0 00652 424 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\1r\211\256\337\226\336&\230v\333\3213\362\277\366\371\15\251\321\22\250\262q\10\321[x\260\371\336 \231\357t4\246qQ0>\255+x\262\311\257\306\323Z(;r|\235\225\324q\246,?\177y\10>\316\331\204\205\273\227\255\0\310\206\218\304\340^O\217\376\261v\325j\345Z\250\346\240Q\322\3610\350Bf\11S\251@\241\231DU\357\177"f"\373:k\336R\336\10\3273\245\374\23\321\370\6\342\1*\270\270\211\245\353o\350\224+\344\275\222\16\3372Q\327 \350\264M+\206R\302\34\344\243|?X\376\322\377y\377\22\310\222\356G\331\13u\377`\20\232\272\377\3358\201\325^J\217\224,\32*\375\202\177\3\362K\362\217B\351\2207\0\364\350\267\6\205\250\306\322\302b\274\204\276F\315\251\345Y&,=O\15T\21Z+{\206O"\11~\112\300\310S].(\207\260\227\315\261\3472\321o\226", ) f ... 
{status=0x0, info=256}, "\1r\211\256\337\226\336&\230v\333\3213\362\277\366\371\15\251\321\22\250\262q\10\321[x\260\371\336 \231\357t4\246qQ0>\255+x\262\311\257\306\323Z(;r|\235\225\324q\246,?\177y\10>\316\331\204\205\273\227\255\0\310\206\218\304\340^O\217\376\261v\325j\345Z\250\346\240Q\322\3610\350Bf\11S\251@\241\231DU\357\177"f"\373:k\336R\336\10\3273\245\374\23\321\370\6\342\1*\270\270\211\245\353o\350\224+\344\275\222\16\3372Q\327 \350\264M+\206R\302\34\344\243|?X\376\322\377y\377\22\310\222\356G\331\13u\377`\20\232\272\377\3358\201\325^J\217\224,\32*\375\202\177\3\362K\362\217B\351\2207\0\364\350\267\6\205\250\306\322\302b\274\204\276F\315\251\345Y&,=O\15T\21Z+{\206O"\11~\112\300\310S].(\207\260\227\315\261\3472\321o\226", ) \11~\112\300\310S].(\207\260\227\315\261\3472\321o\226", ) == 0x0 00663 424 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247N\340k\233\355\217\303!\342\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\315\326\211\224\330\11\7\263\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00664 424 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00665 424 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00666 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00667 424 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00668 424 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 00669 424 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00670 424 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00671 424 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00672 424 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, ")\337\230\20B\252\31!\226\236yX\220\341\256UV'*\353\215\351\225\24>\247\177o\2527\227\376\10\24W\313lZ\223|&}\6\3749\26/J\372"\215\314\235\36\212\225\340\327\225\207q\22\246\251\371\3vL*\341-Px\231S\323o\306\243\22", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, ")\337\230\20B\252\31!\226\236yX\220\341\256UV'*\353\215\351\225\24>\247\177o\2527\227\376\10\24W\313lZ\223|&}\6\3749\26/J\372"\215\314\235\36\212\225\340\327\225\207q\22\246\251\371\3vL*\341-Px\231S\323o\306\243\22", 80, ... ) \215\314\235\36\212\225\340\327\225\207q\22\246\251\371\3vL*\341-Px\231S\323o\306\243\22", 80, ... ) == 0x0 00673 424 NtClose (-2147482208, ... ) == 0x0 00663 424 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\307\364\\344\373\337\31\241\355n\333\323\25|\315\353~\16\253\12\364\202=E\227'$\361^\251~\24\\274\377\340\24L.\262\21T6K\272\34\322\232#8Udvs\244\317\354'\366m\2\225\27\365\216\261Y\241\,\247[\227h\327u)\301\350M\233\223\303\205\232V\7Q^\316\200\203T\256V\306/\227\323\21U|Yu\260`xvdv=!9T\26<\357o\17\344h\353\246_\205\351\337\333\354\370\324\235t\337?$\233\365Bx\7-\312 =\372`'\362\252%Yc\266\22\265\246\333]T\332f/\361\273j\235\3313\245A\225\334\330*\5\344\316\371Wi\246t\353\315v\277L\204\31\345Y\260\311\240\223\301\22\326\202\210\31\323\353l\201\310\244\2411\35\36\220\1\277\235\240mA1\211 b\200\4\265\11_\371*\24\335\255\252p\250\245\237\331k_==?\227O\247\257\326\216-)x\304!\222", ) , ) == 0x0 00674 424 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247N\340k\233\355\217\303!\342\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\315\326\211\224\330\11\7\263\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00675 424 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00676 424 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00677 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00678 424 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00679 424 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00680 424 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 00681 424 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00682 424 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00683 424 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\352\246\234\346\12\246\300\4B\201c\274\225\345D\250\32\255f\13\10\236S\23~\271P\310X\17\213Q\306\346K\246X\215?\304\32\240 \272\213\241\15R\224\321\206\305\306y\303\5\363\327\373\6\362\310\305\206\330\203W\313\4{\336\252$\M\372\347\320\252", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\352\246\234\346\12\246\300\4B\201c\274\225\345D\250\32\255f\13\10\236S\23~\271P\310X\17\213Q\306\346K\246X\215?\304\32\240 \272\213\241\15R\224\321\206\305\306y\303\5\363\327\373\6\362\310\305\206\330\203W\313\4{\336\252$\M\372\347\320\252", 80, ... ) , 80, ... ) == 0x0 00684 424 NtClose (-2147482208, ... ) == 0x0 00674 424 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\203\201v?\242\217ZO\334L\7\300\327,-\261P\3173oiF\227\333\244\11:\337\\322ja\300\347Uu#\261\201T\11\374?\1\206&u\0T\350\13\315Q\246\271b\351\1\214N\243\362\265\2760\240\245\256\221\236\16];\205\335H\15"\301\212K\371\264\335\16\376Tf\341\345\204\305\236\311F\301\227@\221,:\27\35?\314G\201]\370\3212'\305\360\233\217\217\236.e\265x\4\214,\356\217`8%NG\226\211\336\34r\261\17\363\205uS)\271)\365\226\324\247F\273\244\21\33`<\206\17\301\0\360\352]\3576\362FL\2739\12\351\253.G\233\331\311`+\353\1107\252\332\316\216[\244\11KV\260\31E#\263\275\27[;@\344\27tmed\201J;\266rv\306\256\201\215\5ts2\266"\254\270\21\224\234\325\376yF*\245o\301\210YZ\262\340\324\336\320\2639\273\236\310;O\200", ) \301\212K\371\264\335\16\376Tf\341\345\204\305\236\311F\301\227@\221,:\27\35?\314G\201]\370\3212'\305\360\233\217\217\236.e\265x\4\214,\356\217`8%NG\226\211\336\34r\261\17\363\205uS)\271)\365\226\324\247F\273\244\21\33`<\206\17\301\0\360\352]\3576\362FL\2739\12\351\253.G\233\331\311`+\353\1107\252\332\316\216[\244\11KV\260\31E#\263\275\27[;@\344\27tmed\201J;\266rv\306\256\201\215\5ts2\266 ... 
{status=0x0, info=256}, "\203\201v?\242\217ZO\334L\7\300\327,-\261P\3173oiF\227\333\244\11:\337\\322ja\300\347Uu#\261\201T\11\374?\1\206&u\0T\350\13\315Q\246\271b\351\1\214N\243\362\265\2760\240\245\256\221\236\16];\205\335H\15"\301\212K\371\264\335\16\376Tf\341\345\204\305\236\311F\301\227@\221,:\27\35?\314G\201]\370\3212'\305\360\233\217\217\236.e\265x\4\214,\356\217`8%NG\226\211\336\34r\261\17\363\205uS)\271)\365\226\324\247F\273\244\21\33`<\206\17\301\0\360\352]\3576\362FL\2739\12\351\253.G\233\331\311`+\353\1107\252\332\316\216[\244\11KV\260\31E#\263\275\27[;@\344\27tmed\201J;\266rv\306\256\201\215\5ts2\266"\254\270\21\224\234\325\376yF*\245o\301\210YZ\262\340\324\336\320\2639\273\236\310;O\200", ) , ) == 0x0 00685 424 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247N\340k\233\355\217\303!\342\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\315\326\211\224\330\11\7\263\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00686 424 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00687 424 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00688 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00689 424 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00690 424 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00691 424 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 00692 424 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00693 424 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00694 424 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\326\276N\342\336\350x;\253\245\327Bz\373\270tV\17\220\341\266W\26\372\235\300\217\235\212g\24\207\351\336\24B\222\302u\305\257\312\234\343E\226\25\351\347\177\12\375\264\204\211\233b\}\15\216b\376\0f\254\254\36\16%\327\353\260G`y\357(\334\320", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\326\276N\342\336\350x;\253\245\327Bz\373\270tV\17\220\341\266W\26\372\235\300\217\235\212g\24\207\351\336\24B\222\302u\305\257\312\234\343E\226\25\351\347\177\12\375\264\204\211\233b\}\15\216b\376\0f\254\254\36\16%\327\353\260G`y\357(\334\320", 80, ... ) , 80, ... ) == 0x0 00695 424 NtClose (-2147482208, ... ) == 0x0 00685 424 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, ")H,\314ykt\220\240 \233\270W\314\277(\330\343ap\206w\214\246/t;Of\363\267\370H\307\342Z\5\311\334Oe\262M\363\227\375I1\12L\367\251\232\3610\216\270^\10\315a\267\300\1\317Mm\314v\306\326,\35\3\274\360\261*2\377\3071\245\7\24y\264\27\335\331v\21\213\306U\336Xwh\375\311v~\109"\332\37\234\224\77L\211`\374<\221\273\4a\211\22\20^\351R\346\351\324\212\231\362E\16q\245\35\217\335F\375\16y\20\333\2578e\22\353O\223\347"\33WF\233\255S\213\306\347\13\3756\310g\245\13.(\275-\315\354N\5\316\374\23\216\351\307,$\327\327\352\345M\315\34\376o-\370\323\371%!\324o&v\37V\230h\204?\233\\216$\276\240\212\270\336#X\322\332\236/T\235K\306\357\303l\304\213h\361-\223?\16\321y*\237A\356\306\315\373\376*\332\250&", ) \332\37\234\224\77L\211`\374<\221\273\4a\211\22\20^\351R\346\351\324\212\231\362E\16q\245\35\217\335F\375\16y\20\333\2578e\22\353O\223\347 ... 
{status=0x0, info=256}, ")H,\314ykt\220\240 \233\270W\314\277(\330\343ap\206w\214\246/t;Of\363\267\370H\307\342Z\5\311\334Oe\262M\363\227\375I1\12L\367\251\232\3610\216\270^\10\315a\267\300\1\317Mm\314v\306\326,\35\3\274\360\261*2\377\3071\245\7\24y\264\27\335\331v\21\213\306U\336Xwh\375\311v~\109"\332\37\234\224\77L\211`\374<\221\273\4a\211\22\20^\351R\346\351\324\212\231\362E\16q\245\35\217\335F\375\16y\20\333\2578e\22\353O\223\347"\33WF\233\255S\213\306\347\13\3756\310g\245\13.(\275-\315\354N\5\316\374\23\216\351\307,$\327\327\352\345M\315\34\376o-\370\323\371%!\324o&v\37V\230h\204?\233\\216$\276\240\212\270\336#X\322\332\236/T\235K\306\357\303l\304\213h\361-\223?\16\321y*\237A\356\306\315\373\376*\332\250&", ) , ) == 0x0 00696 424 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\220g\333\372v\252\247N\340k\233\355\217\303!\342\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\336\335\4m\274\2371\315\326\211\224\330\11\7\263\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00697 424 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00698 424 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00699 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00700 424 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00701 424 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 00702 424 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00703 424 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00704 424 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00705 424 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\32D\250\226\264PWR\275.B\1\356\27#\212_ \350\300bO\26\333\4\242H,\374\0\371\300s\37\327\230\252\341\334\355\277\243\35\30056DX\330)\312\365\334D&\213;Rx\314\306\31\7;\253\310HfY\362\227Q\201;\374M+^U\314", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\32D\250\226\264PWR\275.B\1\356\27#\212_ \350\300bO\26\333\4\242H,\374\0\371\300s\37\327\230\252\341\334\355\277\243\35\30056DX\330)\312\365\334D&\213;Rx\314\306\31\7;\253\310HfY\362\227Q\201;\374M+^U\314", 80, ... ) , 80, ... ) == 0x0 00706 424 NtClose (-2147482208, ... ) == 0x0 00696 424 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\3K\227B\320\210\372k_\313\232\203O\251\300 %>\316\26O\370\241\373yf\370\25\252Kj\204@\342@\210\361\374*\206\201\33\363\241k\373\203\5G{8\206\324HX\15\316\354\2\223wl\15"\15m\177\313i\221\3220\314\206\357"\225\222\330\233k<\373\16\227\253\357JF5\264\6\322\264p0\360\3676\264D\346\227\326\306\362\261)|D\312y\323+:\222}g\363\267\370S\315\245\262@\300\12q0\360_\227\337\332\207\210\327\2614\210\330\254\3467\231\234[Y\364/\210\303\251H\344\247u\333\375\346xQ_\4\16\340\320\350\22\33\0f]3\313\210\251w\241V\374S)\15Z\24\335\15\374,'O\321>\372\234\334\246\7\314\10\227\201Or\16\366\236\266o\270N\14\246\16\274\326=\257,\2003\333\222\350\371\203\221\231\343o\253'\271\15\12f\10{\220\330\217\16x=\245\11{3\340C\237#\207c", ) \15m\177\313i\221\3220\314\206\357 ... 
{status=0x0, info=256}, "\3K\227B\320\210\372k_\313\232\203O\251\300 %>\316\26O\370\241\373yf\370\25\252Kj\204@\342@\210\361\374*\206\201\33\363\241k\373\203\5G{8\206\324HX\15\316\354\2\223wl\15"\15m\177\313i\221\3220\314\206\357"\225\222\330\233k<\373\16\227\253\357JF5\264\6\322\264p0\360\3676\264D\346\227\326\306\362\261)|D\312y\323+:\222}g\363\267\370S\315\245\262@\300\12q0\360_\227\337\332\207\210\327\2614\210\330\254\3467\231\234[Y\364/\210\303\251H\344\247u\333\375\346xQ_\4\16\340\320\350\22\33\0f]3\313\210\251w\241V\374S)\15Z\24\335\15\374,'O\321>\372\234\334\246\7\314\10\227\201Or\16\366\236\266o\270N\14\246\16\274\326=\257,\2003\333\222\350\371\203\221\231\343o\253'\271\15\12f\10{\220\330\217\16x=\245\11{3\340C\237#\207c", ) , ) == 0x0 00707 424 NtUserRegisterWindowMessage ( ("ObjectLink", ... ) , ... ) == 0xc002 00708 424 NtAddAtom ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0I\0n\0t\0e\0r\0f\0a\0c\0e\0", 44, 1244632, ... ) , 44, 1244632, ... ) == 0x0 00709 424 NtAddAtom ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0M\0a\0r\0s\0h\0a\0l\0H\0w\0n\0d\0", 48, 1244632, ... ) , 48, 1244632, ... ) == 0x0 00710 424 NtUserRegisterWindowMessage ( ("OM_POST_WM_COMMAND", ... ) , ... ) == 0xc08e 00711 424 NtUserRegisterWindowMessage ( ("OLE_MESSAHE", ... ) , ... ) == 0xc08f 00712 424 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1350648, 0, (0x1f0003, {24, 52, 0x80, 1350648, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 76, ) }, 0, 2147483647, ... 76, ) == STATUS_OBJECT_NAME_EXISTS 00713 424 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00714 424 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00715 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00716 424 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 
80, ) == 0x0 00717 424 NtQueryValueKey (80, (80, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00718 424 NtClose (80, ... ) == 0x0 00719 424 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00720 424 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00721 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00722 424 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00723 424 NtQueryValueKey (80, (80, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00724 424 NtClose (80, ... ) == 0x0 00725 424 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00726 424 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00727 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00728 424 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00729 424 NtQueryValueKey (80, (80, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 424 NtClose (80, ... ) == 0x0 00731 424 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00732 424 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00733 424 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00734 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00735 424 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00736 424 NtQueryValueKey (80, (80, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00737 424 NtClose (80, ... ) == 0x0 00738 424 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00739 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00740 424 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00741 424 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00742 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00743 424 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00744 424 NtQueryValueKey (80, (80, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00745 424 NtClose (80, ... ) == 0x0 00746 424 NtReleaseSemaphore (76, 1, ... 0, ) == 0x0 00747 424 NtWaitForSingleObject (76, 0, {0, 0}, ... ) == 0x0 00748 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00749 424 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 80, ) }, ... 80, ) == 0x0 00750 424 NtQueryValueKey (80, (80, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00751 424 NtClose (80, ... 
) == 0x0 00752 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00753 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00754 424 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00755 424 NtClose (80, ... ) == 0x0 00756 424 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 80, ) }, ... 80, ) == 0x0 00757 424 NtSetInformationObject (82, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00758 424 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00759 424 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 84, ) }, ... 84, ) == 0x0 00761 424 NtQueryKey (86, Name, 392, ... {Name= (86, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 00762 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00763 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 88, ) == 0x0 00764 424 NtQueryInformationToken (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00765 424 NtClose (88, ... ) == 0x0 00766 424 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00767 424 NtQueryValueKey (86, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (86, 0x0, Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00768 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1238300, ... ) }, 1238300, ... ) == 0x0 00769 424 NtClose (86, ... ) == 0x0 00770 424 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00771 424 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 84, {status=0x0, info=1}, ) }, 3, 96, ... 84, {status=0x0, info=1}, ) == 0x0 00772 424 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 88, ) }, ... 88, ) == 0x0 00773 424 NtQuerySymbolicLinkObject (88, ... (88, ... "\Device\WinDfs\U:00000000000091df", 66, ) , 66, ) == 0x0 00774 424 NtClose (88, ... ) == 0x0 00775 424 NtQueryVolumeInformationFile (84, 1241652, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00776 424 NtClose (84, ... ) == 0x0 00777 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 84, ) }, ... 84, ) == 0x0 00778 424 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00779 424 NtClose (84, ... ) == 0x0 00780 424 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 84, ) == 0x0 00781 424 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 88, ) == 0x0 00782 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 92, ) }, ... 92, ) == 0x0 00783 424 NtNotifyChangeKey (92, 88, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00784 424 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00785 424 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0 00786 424 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
100, ) == 0x0 00787 424 NtWaitForSingleObject (88, 0, {0, 0}, ... ) == 0x102 00788 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet"}, ... 104, ) }, ... 104, ) == 0x0 00789 424 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 108, ) }, ... 108, ) == 0x0 00790 424 NtQueryValueKey (108, (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 00791 424 NtQueryValueKey (108, (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 00792 424 NtClose (108, ... ) == 0x0 00793 424 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00794 424 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00795 424 NtQueryValueKey (108, (108, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00796 424 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00797 424 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00798 424 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00799 424 NtClose (108, ... ) == 0x0 00800 424 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00801 424 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 00802 424 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 00803 424 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 424 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 00805 424 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 00806 424 NtClose (108, ... ) == 0x0 00807 424 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00808 424 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00809 424 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00810 424 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00811 424 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00812 424 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00813 424 NtClose (108, ... ) == 0x0 00814 424 NtOpenKey (0x20019, {24, 104, 0x40, 0, 0, (0x20019, {24, 104, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 108, ) }, ... 108, ) == 0x0 00815 424 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00816 424 NtQueryValueKey (108, (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00817 424 NtQueryValueKey (108, (108, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00818 424 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 00819 424 NtQueryValueKey (108, (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (108, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="s\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\01\0.\0d\0l\0l\0\0\0"}, 50, ) }, 50, ) == 0x0 00820 424 NtClose (108, ... ) == 0x0 00821 424 NtClose (104, ... ) == 0x0 00822 424 NtQueryDefaultLocale (1, 1241204, ... ) == 0x0 00823 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00824 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00825 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 104, ... 108, ) == 0x0 00826 424 NtClose (104, ... 
) == 0x0 00827 424 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 12288, ) == 0x0 00828 424 NtClose (108, ... ) == 0x0 00829 424 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00830 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00831 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00832 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00833 424 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00834 424 NtClose (108, ... ) == 0x0 00835 424 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 24576, ) == 0x0 00836 424 NtClose (104, ... ) == 0x0 00837 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 104, ) }, ... 104, ) == 0x0 00838 424 NtQueryValueKey (104, (104, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 00839 424 NtClose (104, ... ) == 0x0 00840 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00841 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00842 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 104, ... 
108, ) == 0x0 00843 424 NtClose (104, ... ) == 0x0 00844 424 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 40960, ) == 0x0 00845 424 NtClose (108, ... ) == 0x0 00846 424 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00847 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00848 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00849 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00850 424 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00851 424 NtClose (108, ... ) == 0x0 00852 424 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 53248, ) == 0x0 00853 424 NtClose (104, ... ) == 0x0 00854 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00855 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1238720, ... ) }, 1238720, ... ) == 0x0 00856 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00857 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00858 424 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00859 424 NtClose (104, ... ) == 0x0 00860 424 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 90112, ) == 0x0 00861 424 NtClose (108, ... ) == 0x0 00862 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00863 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1238720, ... ) }, 1238720, ... ) == 0x0 00864 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00865 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00866 424 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00867 424 NtClose (108, ... ) == 0x0 00868 424 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 245760, ) == 0x0 00869 424 NtClose (104, ... ) == 0x0 00870 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00871 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1237916, ... ) }, 1237916, ... ) == 0x0 00872 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00873 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00874 424 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00875 424 NtClose (104, ... ) == 0x0 00876 424 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00877 424 NtClose (108, ... ) == 0x0 00878 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00879 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1237916, ... ) }, 1237916, ... 
) == 0x0 00880 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00881 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00882 424 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00883 424 NtClose (108, ... ) == 0x0 00884 424 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 24576, ) == 0x0 00885 424 NtClose (104, ... ) == 0x0 00886 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00887 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1237916, ... ) }, 1237916, ... ) == 0x0 00888 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00889 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00890 424 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00891 424 NtClose (104, ... ) == 0x0 00892 424 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 00893 424 NtClose (108, ... ) == 0x0 00894 424 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00895 424 NtOpenKey (0x80000000, {24, 0, 0xc0, 0, 0, (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 108, ) }, ... 108, ) == 0x0 00896 424 NtQueryValueKey (108, (108, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 424 NtOpenProcessToken (-1, 0x8, ... 104, ) == 0x0 00898 424 NtQueryInformationToken (104, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 00899 424 NtClose (104, ... ) == 0x0 00900 424 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00901 424 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 104, ) == 0x0 00902 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00903 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00904 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0 00905 424 NtClose (112, ... ) == 0x0 00906 424 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 24576, ) == 0x0 00907 424 NtClose (116, ... ) == 0x0 00908 424 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00909 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239532, ... ) }, 1239532, ... ) == 0x0 00910 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00911 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0 00912 424 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00913 424 NtClose (116, ... ) == 0x0 00914 424 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0 00915 424 NtClose (112, ... ) == 0x0 00916 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 112, ) }, ... 112, ) == 0x0 00917 424 NtQueryValueKey (112, (112, "Name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (112, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 00918 424 NtClose (112, ... ) == 0x0 00919 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00920 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00921 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00922 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00923 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239208, ... ) }, 1239208, ... ) == 0x0 00924 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0 00925 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 112, ... 116, ) == 0x0 00926 424 NtClose (112, ... ) == 0x0 00927 424 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 122880, ) == 0x0 00928 424 NtClose (116, ... ) == 0x0 00929 424 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00930 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00931 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239524, ... 
) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00932 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00933 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 00934 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239524, ... ) }, 1239524, ... ) == 0x0 00935 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00936 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 116, ... 112, ) == 0x0 00937 424 NtQuerySection (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00938 424 NtClose (116, ... ) == 0x0 00939 424 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 131072, ) == 0x0 00940 424 NtClose (112, ... ) == 0x0 00941 424 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00942 424 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00943 424 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00944 424 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00945 424 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00946 424 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00947 424 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... (0x10015000), 4096, 2, ) == 0x0 00948 424 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00949 424 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00950 424 NtProtectVirtualMemory (-1, (0x10015000), 416, 4, ... 
(0x10015000), 4096, 2, ) == 0x0 00951 424 NtProtectVirtualMemory (-1, (0x10015000), 4096, 2, ... (0x10015000), 4096, 4, ) == 0x0 00952 424 NtFlushInstructionCache (-1, 268521472, 416, ... ) == 0x0 00953 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00954 424 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8912896, 65536, ) == 0x0 00955 424 NtAllocateVirtualMemory (-1, 8912896, 0, 4096, 4096, 4, ... 8912896, 4096, ) == 0x0 00956 424 NtAllocateVirtualMemory (-1, 8916992, 0, 8192, 4096, 4, ... 8916992, 8192, ) == 0x0 00957 424 NtAllocateVirtualMemory (-1, 8925184, 0, 4096, 4096, 4, ... 8925184, 4096, ) == 0x0 00958 424 NtQueryPerformanceCounter (... {105938799, 0}, {3579545, 0}, ) == 0x0 00959 424 NtRaiseException (1239016, 1238276, 1, ... 00960 424 NtContinue (1237072, 0, ... 00961 424 NtOpenMutant (0x120001, {24, 52, 0x2, 0, 0, (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 112, ) }, ... 112, ) == 0x0 00962 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00963 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 00965 424 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00966 424 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 00967 424 NtRaiseException (1228992, 1228252, 1, ... 00968 424 NtContinue (1227048, 0, ... 00969 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00970 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 424 NtReleaseMutant (112, ... 
0x0, ) == 0x0 00972 424 NtRaiseException (1230752, 1230012, 1, ... 00973 424 NtContinue (1228808, 0, ... 00974 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00975 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00976 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 00977 424 NtRaiseException (1230756, 1230016, 1, ... 00978 424 NtContinue (1228812, 0, ... 00979 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00980 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00981 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 00982 424 NtRaiseException (1230752, 1230012, 1, ... 00983 424 NtContinue (1228808, 0, ... 00984 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00985 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00986 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 00987 424 NtRaiseException (1230756, 1230016, 1, ... 00988 424 NtContinue (1228812, 0, ... 00989 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00990 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 00992 424 NtRaiseException (1230752, 1230012, 1, ... 00993 424 NtContinue (1228808, 0, ... 00994 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 00995 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00996 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 00997 424 NtRaiseException (1230756, 1230016, 1, ... 00998 424 NtContinue (1228812, 0, ... 00999 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01000 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01001 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01002 424 NtRaiseException (1230752, 1230012, 1, ... 01003 424 NtContinue (1228808, 0, ... 01004 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01005 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01006 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01007 424 NtRaiseException (1230756, 1230016, 1, ... 01008 424 NtContinue (1228812, 0, ... 01009 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01010 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01011 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01012 424 NtRaiseException (1230752, 1230012, 1, ... 01013 424 NtContinue (1228808, 0, ... 01014 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01015 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01016 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01017 424 NtRaiseException (1230756, 1230016, 1, ... 01018 424 NtContinue (1228812, 0, ... 01019 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01020 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01021 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01022 424 NtRaiseException (1230752, 1230012, 1, ... 01023 424 NtContinue (1228808, 0, ... 01024 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01025 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01026 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01027 424 NtRaiseException (1230756, 1230016, 1, ... 01028 424 NtContinue (1228812, 0, ... 01029 424 NtWaitForSingleObject (112, 0, 0x0, ... 
) == 0x0 01030 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01031 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01032 424 NtRaiseException (1230752, 1230012, 1, ... 01033 424 NtContinue (1228808, 0, ... 01034 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01035 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01036 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01037 424 NtRaiseException (1230756, 1230016, 1, ... 01038 424 NtContinue (1228812, 0, ... 01039 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01040 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01041 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01042 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1239184, ... ) }, 1239184, ... ) == 0x0 01043 424 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {420, 0}, ... 116, ) == 0x0 01044 424 NtQueryInformationProcess (116, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01045 424 NtClose (116, ... ) == 0x0 01046 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1239184, ... ) }, 1239184, ... ) == 0x0 01047 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01048 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01049 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0 01050 424 NtQueryValueKey (116, (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01051 424 NtClose (116, ... ) == 0x0 01052 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01053 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0 01054 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0 01055 424 NtQuerySystemTime (... {10777400, 29869975}, ) == 0x0 01056 424 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0 01057 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01058 424 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01059 424 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01060 424 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01061 424 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0 01062 424 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0 01063 424 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0 01064 424 NtOpenKey (0x20019, {24, 136, 0x40, 0, 0, (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0 01065 424 NtQueryValueKey (140, (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... 
TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01066 424 NtClose (140, ... ) == 0x0 01067 424 NtClose (136, ... ) == 0x0 01068 424 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 136, ) == 0x0 01069 424 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 140, ) == 0x0 01070 424 NtDuplicateObject (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0 01071 424 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 01072 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01073 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 01074 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01075 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01076 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238232, (0xc0100080, {24, 0, 0x40, 0, 1238232, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01077 424 NtSetInformationFile (152, 1238288, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01078 424 NtSetInformationFile (152, 1238280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01079 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01080 424 NtWriteFile (152, 129, 0, 0, (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01081 424 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01082 424 NtReadFile (152, 129, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01083 424 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\08\0\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01084 424 NtClose (148, ... ) == 0x0 01085 424 NtClose (152, ... ) == 0x0 01086 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01087 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01088 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01089 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01090 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238232, (0xc0100080, {24, 0, 0x40, 0, 1238232, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 01091 424 NtSetInformationFile (148, 1238288, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01092 424 NtSetInformationFile (148, 1238280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01093 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01094 424 NtWriteFile (148, 129, 0, 0, (148, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01095 424 NtReadFile (148, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (148, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01096 424 NtFsControlFile (148, 129, 0x0, 0x0, 0x11c017, (148, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (148, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01097 424 NtClose (152, ... ) == 0x0 01098 424 NtClose (148, ... ) == 0x0 01099 424 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider"}, ... 148, ) }, ... 148, ) == 0x0 01100 424 NtQueryKey (148, Full, 176, ... {LastWrite={0xf49de34e,0x1c73998}, TitleIdx=0, Subkeys=0, Values=3, Class=""}, 44, ) == 0x0 01101 424 NtQuerySecurityObject (148, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01102 424 NtQuerySecurityObject (148, 15, 0, ... ) == STATUS_ACCESS_DENIED 01103 424 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 
9437184, 524288, ) == 0x0 01104 424 NtAllocateVirtualMemory (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0 01105 424 NtQueryValueKey (148, (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (148, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 01106 424 NtClose (148, ... ) == 0x0 01107 424 NtCreateFile (0x100000, {24, 0, 0x40, 0, 0, (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0 01108 424 NtFsControlFile (148, 0, 0x0, 0x0, 0x600bc, (148, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 52, 1024, ... 
{status=0x0, info=1024}, (148, 0, 0x0, 0x0, 0x600bc, "M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0", 52, 1024, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\302\3\0\0\232\3\0\0\0\0\0\0\310\3\0\0\1\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0`\3\0\08\3\0\0\0\0\0\0f\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01109 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01110 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01111 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01112 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01113 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239672, (0xc0100080, {24, 0, 0x40, 0, 1239672, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0 01114 424 NtSetInformationFile (156, 1239728, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01115 424 NtSetInformationFile (156, 1239720, 8, Completion, ... 
{status=0x0, info=0}, ) == 0x0 01116 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01117 424 NtWriteFile (156, 129, 0, 0, (156, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01118 424 NtReadFile (156, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (156, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01119 424 NtFsControlFile (156, 129, 0x0, 0x0, 0x11c017, (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\340\360\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68}, (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\13\0\0\0\0\0\1\0\0\0\1\0\0\0\340\360\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01120 424 NtClose (152, ... ) == 0x0 01121 424 NtClose (156, ... ) == 0x0 01122 424 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01123 424 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01124 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1239184, ... ) }, 1239184, ... 
) == 0x0 01125 424 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 156, ) }, ... 156, ) == 0x0 01126 424 NtWaitForSingleObject (156, 0, {-1800000000, -1}, ... ) == 0x0 01127 424 NtClose (156, ... ) == 0x0 01128 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01129 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0 01130 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01131 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01132 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239708, (0xc0100080, {24, 0, 0x40, 0, 1239708, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0 01133 424 NtSetInformationFile (152, 1239764, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01134 424 NtSetInformationFile (152, 1239756, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01135 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01136 424 NtWriteFile (152, 129, 0, 0, (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01137 424 NtReadFile (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\4"\0\0\15\0\PIPE\ntsvcs\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 01138 424 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\4"\0\0\15\0\PIPE\ntsvcs\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\4"\0\0\15\0\PIPE\ntsvcs\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\14\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01139 424 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\223\340\3239\2123\334\21\261\306\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\223\340\3239\2123\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\223\340\3239\2123\334\21\261\306\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\223\340\3239\2123\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01140 424 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\224\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\224\340\3239\2123\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\224\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\224\340\3239\2123\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01141 424 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\223\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\223\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01142 424 NtFsControlFile (152, 129, 0x0, 0x0, 0x11c017, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\224\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\224\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01143 424 NtClose (156, ... ) == 0x0 01144 424 NtClose (152, ... ) == 0x0 01145 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... 
) == STATUS_OBJECT_PATH_NOT_FOUND 01146 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01147 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01148 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01149 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hgfs1.dll"}, 1239176, ... ) }, 1239176, ... ) == 0x0 01150 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 152, ) }, ... 152, ) == 0x0 01151 424 NtQueryValueKey (152, (152, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "ServerName", Partial, 144, ... TitleIdx=0, Type=1, Data=".\0h\0o\0s\0t\0\0\0"}, 24, ) }, 24, ) == 0x0 01152 424 NtClose (152, ... ) == 0x0 01153 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\parameters"}, ... 152, ) }, ... 152, ) == 0x0 01154 424 NtQueryValueKey (152, (152, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "ShareName", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 42, ) }, 42, ) == 0x0 01155 424 NtClose (152, ... ) == 0x0 01156 424 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\hgfs\NetworkProvider"}, ... 152, ) }, ... 152, ) == 0x0 01157 424 NtQueryValueKey (152, (152, "name", Partial, 144, ... 
TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (152, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01158 424 NtClose (152, ... ) == 0x0 01159 424 NtRaiseException (1229676, 1228936, 1, ... 01160 424 NtContinue (1227732, 0, ... 01161 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01162 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01163 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01164 424 NtRaiseException (1229672, 1228932, 1, ... 01165 424 NtContinue (1227728, 0, ... 01166 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01167 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01169 424 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1240340, 0, (0x1f0001, {24, 52, 0x80, 1240340, 0, "HGFSMUTEX"}, 1, ... 152, ) }, 1, ... 152, ) == 0x0 01170 424 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shfolder.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 424 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 1237360, ... ) }, 1237360, ... ) == 0x0 01174 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\shfolder.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 
156, {status=0x0, info=1}, ) == 0x0 01175 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 156, ... 160, ) == 0x0 01176 424 NtQuerySection (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01177 424 NtClose (156, ... ) == 0x0 01178 424 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76780000), 0x0, 32768, ) == 0x0 01179 424 NtClose (160, ... ) == 0x0 01180 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01181 424 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1350648, 0, (0x1f0003, {24, 52, 0x80, 1350648, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 160, ) }, 0, 2147483647, ... 160, ) == STATUS_OBJECT_NAME_EXISTS 01182 424 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 01183 424 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 01184 424 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0 01185 424 NtQueryValueKey (156, (156, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Local AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 104, ) }, 104, ) == 0x0 01186 424 NtClose (156, ... ) == 0x0 01187 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data"}, 1237892, ... ) }, 1237892, ... ) == 0x0 01188 424 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 
156, 2, ) == 0x0 01189 424 NtSetValueKey (156, (156, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 0, 1, (156, "Local AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 134, ... ) , 134, ... ) == 0x0 01190 424 NtClose (156, ... ) == 0x0 01191 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\"}, 3, 16417, ... 156, {status=0x0, info=1}, ) }, 3, 16417, ... 156, {status=0x0, info=1}, ) == 0x0 01192 424 NtQueryDirectoryFile (156, 0, 0, 0, 1238032, 616, BothDirectory, 1, (156, 0, 0, 0, 1238032, 616, BothDirectory, 1, "VMware", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01193 424 NtUnmapViewOfSection (-1, 0x76780000, ... ) == 0x0 01194 424 NtRaiseException (1229312, 1228572, 1, ... 01195 424 NtContinue (1227368, 0, ... 01196 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01197 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01198 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01199 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 1240340, 1239916, (0xc0100080, {24, 0, 0x40, 1240340, 1239916, "\??\C:\Documents and Settings\SRI-user\Local Settings\Application Data\VMware\hgfs.dat"}, 0x0, 128, 0, 3, 96, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 128, 0, 3, 96, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0 01200 424 NtRaiseException (1229312, 1228572, 1, ... 01201 424 NtContinue (1227368, 0, ... 01202 424 NtWaitForSingleObject (112, 0, 0x0, ... 
) == 0x0 01203 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01205 424 NtCreateSection (0xf0007, {24, 52, 0x80, 1240340, 0, (0xf0007, {24, 52, 0x80, 1240340, 0, "HGFSMEMORY"}, {27876, 0}, 4, 134217728, 164, ... 168, ) }, {27876, 0}, 4, 134217728, 164, ... 168, ) == 0x0 01206 424 NtMapViewOfSection (168, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x980000), {0, 0}, 28672, ) == 0x0 01207 424 NtReleaseMutant (152, ... 0x0, ) == 0x0 01208 424 NtRaiseException (1230728, 1229988, 1, ... 01209 424 NtContinue (1228784, 0, ... 01210 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01211 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01212 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01213 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 1241384, 1240972, (0xc0100080, {24, 0, 0x40, 1241384, 1240972, "\??\Global\HGFS"}, 0x0, 0, 3, 1, 96, 0, 0, ... 172, {status=0x0, info=0}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 172, {status=0x0, info=0}, ) == 0x0 01214 424 NtDeviceIoControlFile (172, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, (172, 0, 0x0, 0x0, 0x84002020, 0x0, 0, 1, ... {status=0x0, info=1}, "\0", ) , ) == 0x0 01215 424 NtClose (172, ... ) == 0x0 01216 424 NtRaiseException (1230708, 1229968, 1, ... 01217 424 NtContinue (1228764, 0, ... 01218 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01219 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01220 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01221 424 NtRaiseException (1230728, 1229988, 1, ... 01222 424 NtContinue (1228784, 0, ... 01223 424 NtWaitForSingleObject (112, 0, 0x0, ... ) == 0x0 01224 424 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01225 424 NtReleaseMutant (112, ... 0x0, ) == 0x0 01226 424 NtAllocateVirtualMemory (-1, 1368064, 0, 20480, 4096, 4, ... 1368064, 20480, ) == 0x0 01227 424 NtAllocateVirtualMemory (-1, 1388544, 0, 20480, 4096, 4, ... 1388544, 20480, ) == 0x0 01228 424 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01229 424 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01230 424 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 172, ) }, ... 172, ) == 0x0 01231 424 NtWaitForSingleObject (172, 0, {-1800000000, -1}, ... ) == 0x0 01232 424 NtClose (172, ... ) == 0x0 01233 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01234 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0 01235 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01236 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01237 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239648, (0xc0100080, {24, 0, 0x40, 0, 1239648, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01238 424 NtSetInformationFile (176, 1239704, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01239 424 NtSetInformationFile (176, 1239696, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01240 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01241 424 NtWriteFile (176, 129, 0, 0, (176, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01242 424 NtReadFile (176, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (176, 129, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\5"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 01243 424 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\5"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\1\0\0\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\5"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01244 424 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\225\340\3239\2123\334\21\261\306\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\225\340\3239\2123\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 80, 1024, ... {status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0P\0\0\0\2\0\0\08\0\0\0\0\0\20\0\0\0\0\0\225\340\3239\2123\334\21\261\306\0\14)\371\246\305\12\0\0\0\0\0\0\0\12\0\0\0W\0e\0b\0C\0l\0i\0e\0n\0t\0\0\0\4\0\0\0", 80, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\225\340\3239\2123\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01245 424 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\226\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\226\340\3239\2123\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\226\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\226\340\3239\2123\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01246 424 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\225\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\225\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01247 424 NtFsControlFile (176, 129, 0x0, 0x0, 0x11c017, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\226\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=48}, (176, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\226\340\3239\2123\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01248 424 NtClose (172, ... ) == 0x0 01249 424 NtClose (176, ... ) == 0x0 01250 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01251 424 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0 01252 424 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01253 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01254 424 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239740, (0xc0100080, {24, 0, 0x40, 0, 1239740, "\??\PIPE\DAV RPC SERVICE"}, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0 01255 424 NtSetInformationFile (172, 1239796, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01256 424 NtSetInformationFile (172, 1239788, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01257 424 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01258 424 NtWriteFile (172, 129, 0, 0, (172, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\207v\313\310\323\346\322\21\251X\0\300Oh.\26\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01259 424 NtReadFile (172, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=76}, (172, 129, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\224&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01260 424 NtFsControlFile (172, 129, 0x0, 0x0, 0x11c017, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\224&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 59, 1024, ... {status=0x103, info=76}, (172, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0;\0\0\0\1\0\0\0#\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\300\1\0\0\0\0\0\0\0\1\0\0\0\0\0\0", 59, 1024, ... {status=0x103, info=76}, "\5\0\14\3\20\0\0\0L\0\0\0\1\0\0\0\270\20\270\20\224&\0\0\26\0\PIPE\DAV RPC SERVICE\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01261 424 NtClose (176, ... ) == 0x0 01262 424 NtClose (172, ... ) == 0x0 01263 424 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0 01264 424 NtSetValueKey (172, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0 01265 424 NtClose (172, ... ) == 0x0 01266 424 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 172, ) }, ... 172, ) == 0x0 01267 424 NtQueryValueKey (172, (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "_CommentFromDesktopINI", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01268 424 NtClose (172, ... ) == 0x0 01269 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01270 424 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01271 424 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01272 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01273 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01274 424 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01275 424 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01276 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\F\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01277 424 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0 01278 424 NtSetValueKey (172, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (172, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01279 424 NtClose (172, ... ) == 0x0 01280 424 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##missouri#binaries"}, ... 172, ) }, ... 172, ) == 0x0 01281 424 NtQueryValueKey (172, (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "_CommentFromDesktopINI", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01282 424 NtClose (172, ... ) == 0x0 01283 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01284 424 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01285 424 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01286 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01287 424 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01288 424 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01289 424 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01290 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\U\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01291 424 NtWaitForSingleObject (104, 0, {-70000000, -1}, ... ) == 0x0 01292 424 NtReleaseSemaphore (104, 1, ... 0x0, ) == 0x0 01293 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01294 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01295 424 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01296 424 NtClose (172, ... ) == 0x0 01297 424 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 172, ) }, ... 172, ) == 0x0 01298 424 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "Network"}, ... 176, ) }, ... 176, ) == 0x0 01299 424 NtClose (172, ... ) == 0x0 01300 424 NtQueryKey (176, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class= (176, Full, 176, ... {LastWrite={0x5122c09c,0x1c7a3ae}, TitleIdx=0, Subkeys=2, Values=0, Class="GenericClass"}, 68, ) }, 68, ) == 0x0 01301 424 NtQuerySecurityObject (176, 7, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01302 424 NtQuerySecurityObject (176, 15, 0, ... ) == STATUS_ACCESS_DENIED 01303 424 NtWaitForSingleObject (88, 0, {0, 0}, ... ) == 0x102 01304 424 NtEnumerateKey (176, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name= (176, 0, Basic, 288, ... {LastWrite={0x8ac9a296,0x1c7a3ab}, TitleIdx=0, Name="f"}, 18, ) }, 18, ) == 0x0 01305 424 NtOpenKey (0x2001f, {24, 176, 0x40, 0, 0, (0x2001f, {24, 176, 0x40, 0, 0, "f"}, ... 172, ) }, ... 172, ) == 0x0 01306 424 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01307 424 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01308 424 NtQueryValueKey (172, (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01309 424 NtQueryValueKey (172, (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 01310 424 NtQueryValueKey (172, (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01311 424 NtQueryValueKey (172, (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01312 424 NtQueryValueKey (172, (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01313 424 NtClose (172, ... ) == 0x0 01314 424 NtEnumerateKey (176, 1, Basic, 288, ... 
{LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name= (176, 1, Basic, 288, ... {LastWrite={0xd0d8f568,0x1c7a3ae}, TitleIdx=0, Name="u"}, 18, ) }, 18, ) == 0x0 01315 424 NtOpenKey (0x2001f, {24, 176, 0x40, 0, 0, (0x2001f, {24, 176, 0x40, 0, 0, "u"}, ... 172, ) }, ... 172, ) == 0x0 01316 424 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01317 424 NtQueryValueKey (172, (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "RemotePath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0"}, 52, ) }, 52, ) == 0x0 01318 424 NtQueryValueKey (172, (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "UserName", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01319 424 NtQueryValueKey (172, (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderType", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\2\0"}, 16, ) }, 16, ) == 0x0 01320 424 NtQueryValueKey (172, (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ProviderFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01321 424 NtQueryValueKey (172, (172, "DeferFlags", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "DeferFlags", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01322 424 NtQueryValueKey (172, (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ConnectionType", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01323 424 NtClose (172, ... ) == 0x0 01324 424 NtClose (176, ... ) == 0x0 01325 424 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01326 424 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01327 424 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01328 424 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01329 424 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01330 424 NtOpenKey (0x2000000, {24, 82, 0x40, 0, 0, (0x2000000, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01331 424 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 176, ) }, ... 176, ) == 0x0 01332 424 NtQueryKey (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 01333 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01334 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 172, ) == 0x0 01335 424 NtQueryInformationToken (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01336 424 NtClose (172, ... 
) == 0x0 01337 424 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01338 424 NtEnumerateKey (178, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (178, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 01339 424 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01340 424 NtOpenKey (0x1, {24, 82, 0x40, 0, 0, (0x1, {24, 82, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01341 424 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 172, ) }, ... 172, ) == 0x0 01342 424 NtQueryKey (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 01343 424 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01344 424 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 180, ) == 0x0 01345 424 NtQueryInformationToken (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01346 424 NtClose (180, ... ) == 0x0 01347 424 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 424 NtQueryValueKey (174, (174, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (174, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01349 424 NtClose (174, ... ) == 0x0 01350 424 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01351 424 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 172, {status=0x0, info=1}, ) }, 3, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01352 424 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 180, ) }, ... 180, ) == 0x0 01353 424 NtQuerySymbolicLinkObject (180, ... (180, ... "\Device\WinDfs\U:00000000000091df", 66, ) , 66, ) == 0x0 01354 424 NtClose (180, ... ) == 0x0 01355 424 NtQueryVolumeInformationFile (172, 1241060, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01356 424 NtClose (172, ... ) == 0x0 01357 424 NtEnumerateKey (178, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 01358 424 NtClose (178, ... ) == 0x0 01359 424 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 176, {status=0x0, info=1}, ) }, 3, 16417, ... 176, {status=0x0, info=1}, ) == 0x0 01360 424 NtQueryDirectoryFile (176, 0, 0, 0, 1239848, 616, BothDirectory, 1, (176, 0, 0, 0, 1239848, 616, BothDirectory, 1, "startupscripts", 0, ... {status=0x0, info=128}, ) , 0, ... {status=0x0, info=128}, ) == 0x0 01361 424 NtClose (176, ... ) == 0x0 01362 424 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 01363 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1244288, ... ) }, 1244288, ... 
) == 0x0 01364 424 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 420, 424, 1528, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 420, 424, 1528, 0} (24, {20, 48, new_msg, 0, 2012550769, 1315704, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 420, 424, 1528, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 01365 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244296, (0x80100080, {24, 0, 0x40, 0, 1244296, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 176, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 176, {status=0x0, info=2}, ) == 0x0 01366 424 NtClose (176, ... ) == 0x0 01367 424 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsc1.tmp"}, 7, 2113600, ... 176, {status=0x0, info=1}, ) }, 7, 2113600, ... 176, {status=0x0, info=1}, ) == 0x0 01368 424 NtQueryInformationFile (176, 1244668, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER 01369 424 NtSetInformationFile (176, 1244719, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0 01370 424 NtClose (176, ... ) == 0x0 01371 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1244540, ... ) }, 1244540, ... ) == 0x0 01372 424 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244520, (0x80100080, {24, 0, 0x40, 0, 1244520, "\??\u:\work\packed.exe"}, 0x0, 32, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 32, 1, 1, 96, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01373 424 NtQueryInformationFile (176, 1244588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01374 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\345lJ\250\241\15$\373\241\15$\373\241\15$\373/\5{\373\243\15$\373\241\15%\3739\15$\373"\5y\373\260\15$\373\365.\24\373\250\15$\373f\13"\373\240\15$\373Rich\241\15$\373\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\206\271\246D\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\\0\0\0\212\2\0\0\4\0\0f1\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0Pt\0\0\264\0\0\0\0\200\3\0\310\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\376[\0\0\0\20\0\0\0\\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) \5y\373\260\15$\373\365.\24\373\250\15$\373f\13 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\345lJ\250\241\15$\373\241\15$\373\241\15$\373/\5{\373\243\15$\373\241\15%\3739\15$\373"\5y\373\260\15$\373\365.\24\373\250\15$\373f\13"\373\240\15$\373Rich\241\15$\373\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\206\271\246D\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\\0\0\0\212\2\0\0\4\0\0f1\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\3\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0Pt\0\0\264\0\0\0\0\200\3\0\310\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\376[\0\0\0\20\0\0\0\\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01375 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\376\21\0\0\0p\0\0\0\22\0\0\0`\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.data\0\0\0\324d\2\0\0\220\0\0\0\4\0\0\0r\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ndata\0\0\0\200\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rsrc\0\0\0\310\6\0\0\0\200\3\0\0\10\0\0\0v\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01376 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "U\213\354\203\354\\203}\14\17t+\203}\14F\213E\24u\15\203H\30\20\213\15$\364B\0\211H\4P\377u\20\377u\14\377u\10\377\25@r@\0\351B\1\0\0SV\2135(\364B\0\215E\244WP\377u\10\377\25Dr@\0\203e\364\0\211E\14\215E\344P\377u\10\377\25Hr@\0\213}\360\203e\360\0\213\35Dp@\0\351\200\0\0\0\17\266FR\17\266VV\17\257U\350\213\317+M\350\17\257\301\3\302\211M\20\231\367\3773\322\212\360\17\266FQ\17\257\301\17\266NU\17\257M\350\3\301\213\312\231\367\377\17\266VT\17\257U\350\212\310\17\266FP\17\257E\20\3\302\231\367\377\301\341\10\17\266\300\13\310\215E\364P\211M\370\377\25Hp@\0\203E\360\4\211E\24P\215E\344P\377u\14\377\25Lr@\0\377u\24\377\323\203E\350\49}\350\17\214w\377\377\377\203~X\377te\377v4\377\25Lp@\0\205\300\211E\24tU\213}\14j\1W\307E\344\20\0\0\0\307E\350\10\0\0\0\377\25Pp@\0\377vXW\377\25Tp@\0\377u\24\2135Xp@\0W\377\326\211E\14\215E\344h \10\0\0Pj\377h \354B\0W\377\25Pr@\0\377u\14W\377\326\377u\24\377\323\215E\244P\377u\10\377\25Tr@\0_^3\300[\311\302\20\0\213L$\4\241H\364B\0\213\321Si\322\30\4\0\0VW\213T\2\10\366\302\2tO\215q\13\377;5L\364B\0sB\213\316i\311\30\4\0\0\215D\1\10\213\10\366\301\2t\3G\353\36\366\301\4t\11\213\317O\205\311t \353\20\366\301\20u\13\213\3313\332\203\343\13\331\211\30F\5\30\4\0\0;5L\364B\0r\312_^[\302\4\0U\213\354QQ", ) , ) == 0x0 01377 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\213\35H\364B\03\311\3\363W\211M\374\211M\370\213F\10\250\2t\139M\14t\6$\276B\211F\10;\25L\364B\0sD\213\302i\300\30\4\0\0\215|\30\10\215B\1\213\17\366\301\2t\12j\1R\350\245\377\377\377\213\17\366\301\4u(\366\301@t\3\377E\374\366\301\1t\5\377E\374\353\3\377E\370;\5L\364B\0\213\320r\2743\300_^[\311\302\10\0\203}\374\0t\363\203}\370\0t\6\203N\10@\353\347\213N\10\200\341\177\203\311\1\211N\10\353\331\213L$\4\241H\364B\0V3\366\203\371 s495L\364B\0v,\215P\10W\213\2\250\6u\223\377G\323\347\205z\374t\4\14\1\353\2$\376\211\2F\201\302\30\4\0\0;5L\364B\0r\331_^\302\4\0U\213\354\203\354\14\241(\364B\0\203e\374\0SV\5\224\0\0\0W\213=L\364B\0\211E\370\213E\3703\3339\30tK;\337sE\2135H\364B\0\203\306\10\213\26\366\302\6u(\213E\10\205\300t\6\203<\230\0t\33\213M\3743\300@\203\342\1\323\340\213N\374#\310\213\301\213M\374\323\342;\302u\13C\201\306\30\4\0\0;\337r\306;\337t\15\377E\374\203E\370\4\203}\374 r\237\213E\374_^[\311\302\4\0V\213t$\10\351\204\0\0\0\213\306\213\15P\364B\0k\300\34\3\301\2038\1tzP\350\252\0\0\0=\377\377\377\177ts\205\300}\23@\271\0\0C\0\301\340\12+\310Q\350\247E\0\0\205\300u\63\300@F\353\7H\213\316\213\360+\301\203|$\14\0t8\1\5\14\354B\0\241\364\353B\03\311j\0\205\300\17\224\301\3\310Qh0u\0\0\3775\14\354B\0\377\25,q@\0Ph\2\4\0\0\377t$", ) , ) == 0x0 01378 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\377\377\3773\300^\302\10\0\270\377\377\377\177\353\365\213D$\4\213\15(\364B\0j\0\377t\201l\350H\377\377\377\302\4\0h@\240@\0\377t$\10\350H9\0\0\302\4\0U\213\354\201\354\244\1\0\0\241$\364B\0SV\213u\10Wj\7Y\215}\330\211E\3703\333\363\245\213E\334\213}\340\213\360\271\0\0C\0\301\346\12\301\347\12\3\361\3\371\215M\334\211]\374\211\15<\224@\0\213M\330\203\301\376\203\371A\17\207\243\24\0\0\377$\215A)@\0SP\350\3448\0\0\351\364\15\0\0\377\5\354\353B\09]\370\17\204\345\15\0\0S\377\25\354q@\0\351\331\15\0\0;\303}\21@\271\0\0C\0\301\340\12+\310Q\350\203D\0\0HSP\350\226\376\377\377\351^\24\0\0\213M\340;\313t)\366\301\10t\17\241\14\220@\0\243\240\222@\0\3518\24\0\0\241\240\222@\0\211\15\240\222@\0\243\14\220@\0\351#\24\0\0SP\350k8\0\0\351\27\24\0\0S\350_\25\0\0\203\370\1\177\33\300@P\377\25\220p@\0\351\375\23\0\0\377u\370\377\25\360q@\0\351\357\23\0\0j\1\3506\25\0\0\213M\334\211\4\215\240\364B\0\351\331\23\0\0\213E\344\2154\205\240\364B\03\300\213\16;\313\17\224\300#M\350\213D\205\334\211\16\351\303\23\0\0\213E\340\3774\205\240\364B\0V\351P\23\0\0\213\15\360\353B\0\2135Xr@\0;\313t\11\377u\340Q\377\326\213E\334\213\15\4\354B\0;\313\17\204\201\23\0\0PQ\377\326\351x\23\0\0j\360\350\334\24\0\0\377u\340P\377\25\214p@\0\205\300\17\205_\23\0\0\351\5\21\0\0j\360\350\276\24\0\0\213\370W\350\227?\0\08\37\213\360tF;\363tBj\V\350\35?", ) , ) == 0x0 01379 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\13\377\25\210p@\0\205\300u\33\377\25\204p@\0=\267\0\0\0u\13W\377\25\200p@\0\250\20u\3\377E\374\212E\13\210\6F:\303u\2769]\340t\36j\346\350\354\375\377\377Wh\0XC\0\350\224C\0\0W\377\25|p@\0\351\334\22\0\0j\365\351\216\13\0\0S\350:\24\0\0P\350JF\0\0\351}\6\0\0j\320\350(\24\0\0j\337\211E\10\350\36\24\0\0\377u\10\276@\240@\0\211E\370V\350NC\0\0\377u\370\350\C\0\0\377u\10\213\370\350RC\0\0\3\370\201\377\375\3\0\0}\24h\34\220@\0V\350CC\0\0\377u\370V\350:C\0\0\377u\370\377u\10\377\25xp@\0\205\300t\7j\343\351\24\13\0\09]\344\17\204\375\17\0\0\377u\10\350\313E\0\0\205\300\17\204\355\17\0\0\377u\370\377u\10\350+@\0\0j\344\351\351\12\0\0S\350\225\23\0\0\213\360\215E\10PWh\0\4\0\0V\377\25tp@\0\205\300t#\213E\10;\306v%8\30t!V\350\203E\0\0;\303t\16\203\300,P\377u\10\350\236B\0\0\353\11\307E\374\1\0\0\0\210\379]\344\17\205\336\21\0\0h\0\4\0\0WW\377\25pp@\0\351\314\21\0\0j\377\3500\23\0\0\215M\10QVh\0\4\0\0SPS\377\25lp@\0\205\300\17\205\252\21\0\0\351$\17\0\0j\357\350\11\23\0\0PV\350C?\0\0\351+\376\377\377j1\350\366\22\0\0\213\360\213E\334\203\340\7V\211u\314\211E\10\350\234=\0\0V\276@\234@\0\205\300t\10V\350\23B\0\0\353\27h\0XC\0V\350\6B\0\0P\350\15=\0\0P\350\26B\0\0V\3500D\0\0\277@\244@\0\203}\10\3|1V\350", ) , ) == 0x0 01380 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\350\203\300\24QP\377\25hp@\0\213\310\213E\10\203\300\375\15\0\0\0\200#\301\367\330\33\300@\211E\109]\10u\21V\377\25\200p@\0$\376PV\377\25\214p@\03\300\203}\10\1\17\225\300@Ph\0\0\0@V\350]>\0\0\203\370\377\211E\370uv9]\10uSh\0\0C\0W\350tA\0\0Vh\0\0C\0\350iA\0\0\377u\360h@\240@\0\350~A\0\0Wh\0\0C\0\350QA\0\0\213E\334\301\370\3Ph@\240@\0\350@:\0\0\203\350\4\17\204H\377\377\377Ht\33Vj\372\351\346\373\377\377\377u\314j\342\350\3054\0\0\203}\10\2\351\10\375\377\377\377\5\250\364B\0\351k\20\0\0\377u\314j\352\350\2474\0\0\377\5\240\222@\0SS\377u\370\377u\344\350\323\25\0\0\377\15\240\222@\0\203}\350\377\213\370u\6\203}\354\377t\22\215E\350P\215E\350SP\377u\370\377\25dp@\0\377u\370\377\25`p@\0;\373\17\215\16\20\0\0\203\377\376u\23j\351V\350\317@\0\0\377u\314V\350\300@\0\0\353\10j\356V\350\274@\0\0h\20\0 \0V\351B\11\0\0S\3534j1\350D\21\0\0\377u\334P\350|9\0\0;\303\17\204s\15\0\0;E\344\17\204A\1\0\0;E\354\17\205\266\17\0\0\213E\360\351\271\17\0\0j\360\350\22\21\0\0\377u\340P\350\2149\0\0\351\231\17\0\0j\1\350\375\20\0\0P\350N@\0\0\351\216\13\0\0j\2\350\316\20\0\0j\3\211E\10\350\304\20\0\0j\1\213\370\350\330\20\0\09]\344\211E\324\210\36t\119]\10\17\204Z\17\0\0P\350\26@\0\0;\373}\10\3\370\17\210H\17\0\0;\370~\2\213\370\213E\324\3\307PV", ) , ) == 0x0 01381 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "+\17\0\0}\17V\350\345?\0\0\3\370y\5\211]\10\213\373\201\377\0\4\0\0\17\215\16\17\0\0\210\347\351\6\17\0\0j \350j\20\0\0j1\213\360\350a\20\0\09]\354PVu\22\377\25\244p@\0\205\300ug\213E\344\351\350\16\0\0\377\25\350p@\0\353\3543\377GW\3507\20\0\09]\344h\0\4\0\0VPt\10\377\25\354p@\0\353\6\377\25\360p@\0\205\300u\5\211}\374\210\36\210\236\377\3\0\0\351\236\16\0\0S\350\346\17\0\0j\1\213\360\350\335\17\0\09]\360u\10;\360|\10~\237\353\16;\360s\10\213E\350\351\201\16\0\0v\217\213E\354\351w\16\0\0j\1\350\263\17\0\0j\2\213\370\350\252\17\0\0\213\310\213E\350\203\370\14wm\377$\205I*@\0\3\371\353b+\371\353^\17\257\317\213\371\353W;\313tB\213\307\231\367\371\213\370\353J\13\371\353F#\371\353B3\371\353>3\300;\373\17\224\300\353\347;\373u\16\353\103\377\353+;\373t\370;\313t\3643\377G\353\36;\313t\11\213\307\231\367\371\213\372\353\213\377\307E\374\1\0\0\0\353\6\323\347\353\2\323\377W\3511\372\377\377j\1\350C\17\0\0j\2\213\370\350\35\17\0\0PWV\377\25\364q@\0\203\304\14\351\276\15\0\0\213E\344\213=@\260@\0;\303tDH;\373\17\204\371\6\0\0\213?;\303u\361;\373\17\204\353\6\0\0\203\307\4\276@\234@\0WV\3507>\0\0\241@\260@\0\203\300\4PW\350(>\0\0\241@\260@\0V\203\300\4P\351\223\14\0\09]\340t%;\373\17\204\13\13\0\0\215G\4PV\350\2>\0\0\213\7W\243@\260@\0\377\25\364p@\0\351C\15\0\0h\4\4\0\0j@\377", ) , ) == 0x0 01382 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\4P\350\366=\0\0\241@\260@\0\211\6\2115@\260@\0\351\26\15\0\0j3\350z\16\0\0jD\211E\370\350p\16\0\0\366E\360\1\211E\10u\13\377u\370\350\27=\0\0\211E\370\366E\360\2u\13\377u\10\350\6=\0\0\211E\10\203}\330!j\1uD\350!\16\0\0j\2\213\370\350\30\16\0\0\213M\360\301\371\2t\36\215U\314RQS\377u\10\377u\370PW\377\25\370q@\0\367\330\33\300@\211E\374\353?\377u\10\377u\370PW\377\25, ) , ) == 0x0 01383 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "p@\0\351.\7\0\0S\350o\14\0\0j\1\213\360\350f\14\0\09]\350PVu\13\377\25Xr@\0\351\6\13\0\0\377\254r@\0\351\373\12\0\0S\350`\14\0\0j1\213\360\350W\14\0\0j"\213\330\350N\14\0\0SVh\24\220@\0h@\240@\0\213\370\377\25\364q@\0\203\304\20j\354\350\276\365\377\377\212\7\377u\350\366\330\33\300h\0XC\0#\307P\212\6\366\330\33\300S#\306P\377u\370\377\25\q@\0\203\370!\17\215\230\12\0\0\351>\10\0\0S\350\370\13\0\0\213\360Vj\353\350\322.\0\0h\0XC\0V\350\2543\0\0;\303\211E\10\17\204\30\10\0\09]\344tF\2135\374p@\0\353\7j\17\350B>\0\0jd\377u\10\377\326=\2\1\0\0t\353\215E\314P\377u\10\377\25\0q@\09]\340|\13\377u\314W\350::\0\0\353\149]\314t\7\307E\374\1\0\0\0\377u\10\377\25`p@\0\351\24\12\0\0j\2\350x\13\0\0P\350\210=\0\0;\303\211E\10t\23\213\330\377s\24W\350\3779\0\0\377s\30\351?\366\377\377\210\36\210\37\351\217\7\0\0\215E\250j\356\211E\10\350B\13\0\0\215M\320\211E\324QP\350\223L\0\0\210\36;\303\211E\370\210\37\307E\374\1\0\0\0\17\204\264\11\0\0Pj@\377\25\370p@\0;\303\211E\314\17\204\240\11\0\0P\377u\370S\377u\324\350VL\0\0\205\300t4\215E\274P\215E\10Ph\20\220@\0\377u\314\3507L\0\0\205\300t\33\213E\10\377p\10V\350t9\0\0\213E\10\377p\14W\350h9\0\0\211]\374\377u\314\351\5\374\377\3773\377h\1\200\0\0G\211}\374\377\25\4q@\09\35\320\364B\0\17", ) 
\213\330\350N\14\0\0SVh\24\220@\0h@\240@\0\213\370\377\25\364q@\0\203\304\20j\354\350\276\365\377\377\212\7\377u\350\366\330\33\300h\0XC\0#\307P\212\6\366\330\33\300S#\306P\377u\370\377\25\q@\0\203\370!\17\215\230\12\0\0\351>\10\0\0S\350\370\13\0\0\213\360Vj\353\350\322.\0\0h\0XC\0V\350\2543\0\0;\303\211E\10\17\204\30\10\0\09]\344tF\2135\374p@\0\353\7j\17\350B>\0\0jd\377u\10\377\326=\2\1\0\0t\353\215E\314P\377u\10\377\25\0q@\09]\340|\13\377u\314W\350::\0\0\353\149]\314t\7\307E\374\1\0\0\0\377u\10\377\25`p@\0\351\24\12\0\0j\2\350x\13\0\0P\350\210=\0\0;\303\211E\10t\23\213\330\377s\24W\350\3779\0\0\377s\30\351?\366\377\377\210\36\210\37\351\217\7\0\0\215E\250j\356\211E\10\350B\13\0\0\215M\320\211E\324QP\350\223L\0\0\210\36;\303\211E\370\210\37\307E\374\1\0\0\0\17\204\264\11\0\0Pj@\377\25\370p@\0;\303\211E\314\17\204\240\11\0\0P\377u\370S\377u\324\350VL\0\0\205\300t4\215E\274P\215E\10Ph\20\220@\0\377u\314\3507L\0\0\205\300t\33\213E\10\377p\10V\350t9\0\0\213E\10\377p\14W\350h9\0\0\211]\374\377u\314\351\5\374\377\3773\377h\1\200\0\0G\211}\374\377\25\4q@\09\35\320\364B\0\17", ) == 0x0 01384 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "W\213\360\350\222\12\0\09]\354\211E\10t\15V\377\25\10q@\0\213\370;\373u\15V\377\25\14q@\0\213\370;\373te\377u\10W\377\25\20q@\0\213\360;\363t=9]\344\211]\374t\27\377u\344\350\336\363\377\377\377\326\205\300t1\307E\374\1\0\0\0\353(h\0\220@\0h@\260@\0h\0\0C\0h\0\4\0\0\377u\370\377\326\203\304\24\353\12\377u\10j\367\350\375,\0\09]\350u\24W\377\25\24q@\0\353\13j\366\353\2j\347\350\216\363\377\377S\377\25\4q@\0\351\211\10\0\0j\360\350\355\11\0\0j\337\211E\320\350\343\11\0\0j\2\213\360\350\332\11\0\0j\315\211E\324\350\320\11\0\0jE\211E\314\350\306\11\0\0V\211E\274\350w4\0\0\205\300u\7j!\350\262\11\0\0\215E\10Ph t@\0j\1Sh0t@\0\377\25xr@\0;\303\17\214\330\0\0\0\213E\10\215U\370Rh@t@\0\213\10P\377\21\213\370;\373\17\214\260\0\0\0\213E\10VP\213\10\377QP\213\370\213E\10h\0XC\0P\213\10\377Q$\213M\354\276\377\0\0\0\213\301\301\370\10#\306t\15\213M\10PQ\213\21\377R<\213M\354\213E\10\301\371\20\213\20QP\377R4\213E\3148\30t\22\213U\354\213E\10#\326\213\10R\377u\314P\377QD\213E\10\377u\324\213\10P\377Q,\213E\10\377u\274\213\10P\377Q\34;\373|-\276@\224@\0h\0\4\0\0Vj\377\377u\320f\211\35@\224@\0SS\377\25\30q@\0\213E\370j\1VP\213\10\377Q\30\213\370\213E\370P\213\10\377Q\10\213E\10P\213\10\377Q\10;\373}\23\307E\374\1\0\0\0j\360\350;\362\377\377\351=\7\0\0j\364", ) , ) == 0x0 01385 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\211}\10\350\222\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3247\0\0V\210\8\1\350\3127\0\0\277@\244@\0j\370W\210\0\1\350\3057\0\0VW\350\2707\0\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350$+\0\0\215E\234P\377\25`q@\0\205\300\17\204\303\6\0\0Sj\371\350\12+\0\0\351a\4\0\0=\15\360\255\13t\35h\20\0 \0j\350S\350p7\0\0P\350H0\0\0\270\377\377\377\177\351\235\6\0\0\377\5\264\364B\0\351\207\6\0\03\3663\377;\303t\10S\350\344\7\0\0\213\3609]\340t\11j\21\350\326\7\0\0\213\3709]\354t\11j"\350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j"\3509\7\0\0\213M\354\203\341\2QP\377u\340\350\360\7\0\0P\350c\7\0\0\213\370;\373\17\204\256\5\0\0\351T\3\0\0P\350\325\7\0\0\213u\354\213\370\213E\360j\2\211E\320\350\374\6\0\0j\21\211E\274\350\362\6\0\0\215M\10SQSj\2SSSPW\307E\374\1\0\0\0\377\25 p@\0\205\300\17\205e\5\0\0\203\376\1\277@\244@\0u\16j#\350\277\6\0\0W\350\206\0\0@\203\376\4u\16j\3\350\217\6\0\0V\243@\244@\0", ) \350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\211}\10\350\222\10\0\0\213\360\213E\370W\211E\234\307E\240\2\0\0\0\350\3247\0\0V\210\8\1\350\3127\0\0\277@\244@\0j\370W\210\0\1\350\3057\0\0VW\350\2707\0\0\213E\10W\211E\244f\213E\344S\211u\250\211}\266f\211E\254\350$+\0\0\215E\234P\377\25`q@\0\205\300\17\204\303\6\0\0Sj\371\350\12+\0\0\351a\4\0\0=\15\360\255\13t\35h\20\0 \0j\350S\350p7\0\0P\350H0\0\0\270\377\377\377\177\351\235\6\0\0\377\5\264\364B\0\351\207\6\0\03\3663\377;\303t\10S\350\344\7\0\0\213\3609]\340t\11j\21\350\326\7\0\0\213\3709]\354t\11j"\350\310\7\0\0\213\330j\315\350\277\7\0\0PSWV\377\25\34q@\0\351\336\362\377\377j\1\307E\10!N~\0\350\242\7\0\0j\22\213\370\350\231\7\0\0j\335\211E\320\350\217\7\0\0Ph\377\3\0\0\215E\10VP\377u\320W\377\25 q@\0\213\6;E\10\351U\364\377\3779]\354u+j\2\350@\10\0\0\213\360;\363\17\204\232\3\0\0j3\350S\7\0\0PV\377\25\30p@\0V\213\370\377\25\34p@\0\353\37j"\3509\7\0\0\213M\354\203\341\2QP\377u\340\350\360\7\0\0P\350c\7\0\0\213\370;\373\17\204\256\5\0\0\351T\3\0\0P\350\325\7\0\0\213u\354\213\370\213E\360j\2\211E\320\350\374\6\0\0j\21\211E\274\350\362\6\0\0\215M\10SQSj\2SSSPW\307E\374\1\0\0\0\377\25 p@\0\205\300\17\205e\5\0\0\203\376\1\277@\244@\0u\16j#\350\277\6\0\0W\350\206\0\0@\203\376\4u\16j\3\350\217\6\0\0V\243@\244@\0", ) , ) == 0x0 01386 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "S\377u\350\350\264\12\0\0PW\377u\320S\377u\274\377u\10\377\25\4p@\0\205\300u\3\211]\374\377u\10\351\321\0\0\0h\31\0\2\0\350B\7\0\0j3\213\370\350]\6\0\0;\373\210\36\17\204\223\2\0\0\215M\314\307E\314\377\3\0\0Q\215M\10VQSPW\377\25\0p@\03\311A\205\300u7\203}\10\4t\339M\10t\6\203}\10\2u&9]\354t\3\211M\374\213E\314\210\340\353r9]\354u\7\307E\374\1\0\0\0\3776V\350\2354\0\0\353\\210\36\211M\374\353Uh\31\0\2\0\350\307\6\0\0j\3\213\370\350\305\5\0\0;\373\210\36\17\204\30\2\0\09]\354\271\377\3\0\0\211M\10t\14QVPW\377\25\10p@\0\353\31SSS\215M\10SQVPW\377\25\14p@\0\205\300\17\205\346\1\0\0\210\236\377\3\0\0W\377\25\34p@\0\351)\4\0\08\36\17\204!\4\0\0V\350>4\0\0P\351\366\371\377\377j\355\350y\5\0\0\377u\344\377u\340P\350\1771\0\0\203\370\377\17\204\242\1\0\0P\351E\360\377\3779]\344t\21j\1\3505\5\0\0\242@\240@\03\300@\353\15j\21\350A\5\0\0P\350\2224\0\08\36\17\204s\1\0\0\215M\10SQPh@\240@\0V\350\3323\0\0P\377\25$q@\0\351D\360\377\377j\2\211]\324\350\357\4\0\0\203\370\1\211E\370\17\214\225\3\0\0\271\377\3\0\0;\301~\3\211M\3708\36\17\204\216\0\0\0V\210]\13\350\2333\0\09]\370\211E\314~}\213u\324\215E\320SP\215E\367j\1P\377u\314\377\25(q@\0\205\300te\203}\320\1u_9]\350u!\200}\13\15t+\200}\13\12t%\212E\367", ) , ) == 0x0 01387 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "u\370|\276\3539\17\266E\367PW\350(3\0\0\351"\3\0\0\212E\3678E\13t\16<\15t\4<\12u\6\210\4>F\353\23j\1Sj\377\377u\314\377\250q@\0\353\3\213u\324\210\34>;\363\351\201\357\377\3778\36\17\204\336\2\0\0\377u\350Sj\2\350!\4\0\0PV\350\3572\0\0P\377\250q@\09]\340\17\214\274\2\0\0\351]\2\0\08\36\17\204\257\2\0\0V\350\3142\0\0P\377\254q@\0\351\235\2\0\08\37t\30\215\205\\376\377\377PW\350\2572\0\0P\377\258q@\0\205\300u?\307E\374\1\0\0\0\210\36\351s\2\0\0j\2\350\327\3\0\0\215\215\\376\377\377QP\377\253\0\0\212E\3678E\13t\16<\15t\4<\12u\6\210\4>F\353\23j\1Sj\377\377u\314\377\250q@\0\353\3\213u\324\210\34>;\363\351\201\357\377\3778\36\17\204\336\2\0\0\377u\350Sj\2\350!\4\0\0PV\350\3572\0\0P\377\250q@\09]\340\17\214\274\2\0\0\351]\2\0\08\36\17\204\257\2\0\0V\350\3142\0\0P\377\254q@\0\351\235\2\0\08\37t\30\215\205\\376\377\377PW\350\2572\0\0P\377\258q@\0\205\300u?\307E\374\1\0\0\0\210\36\351s\2\0\0j\2\350\327\3\0\0\215\215\\376\377\377QP\377\250\203\370\377u\20\210\37\210\36\307E\374\1\0\0\0\351I\2\0\0PW\350L2\0\0\215\205\210\376\377\377PV\351[\1\0\0S\307E\314f\375\377\377\350\223\3\0\0\213\360V\350E.\0\0\205\300Vt\15\276@\240@\0V\350\2742\0\0\353 h\0TC\0h@\240@\0\350\2532\0\0P\350\262-\0\0P\350\2732\0\0\276@\240@\0V\350\3204\0\0j\2h\0\0\0@V\350X/\0\0\203\370\377\211E\10\17\204\242\0\0\0\241,\364B\0\2135\370p@\0Pj@\211E\324\377\326\213\370;\373t{S\350\234\11\0\0\377u\324W\350a\11\0\0\377u\344j@\377\326\213\360;\363\211u\320t4\377u\344VS\377u\340\350\30\7\0\0\353\30\213\16\213F\4\203\306\10Q\3\307VP\211M\310\350\320.\0\0\3u\3108\36u\344\377u\320\377\25\364p@\0\215E\274SP\377u\324W\377u\10\377\25$q@\0W\377\25\364p@\0SS\377u\10j\377\350\314\6\0\0\211E\314", ) == 0x0 01388 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\09]\314j\363_}\21j\357_V\377\25@q@\0\307E\374\1\0\0\0W\351\307\371\377\377S\350V\2\0\0;\5L\364B\0\211E\10\17\203\244\376\377\377\213\360\213E\344i\366\30\4\0\0\35H\364B\0;\303|\27\213\14\206u\17\203\306\30VW\350\2011\0\0\351\320\0\0\0Q\353t\203\311\377+\310\211M\344t\14j\1\350\12\2\0\0\211E\340\353\20\377u\354\215F\30P\350y1\0\0\200N\11\1\213E\344\213M\340\211\14\2069]\350\17\204\225\0\0\0\377u\10\350\333\350\377\377\351\210\0\0\0S\350\320\1\0\0\203\370 \17\203$\376\377\3779]\350t#9]\344t\17P\350\323\351\377\377SS\350"\351\377\377\353`S\350\15\352\377\377PW\350]0\0\0\353Q9]\344t\22\213\25(\364B\0\213M\340\211\214\202\224\0\0\0\353:\213\15(\364B\0\377\264\201\224\0\0\0W\350\3650\0\0\353%\213\15\240\270B\0S#\310Qj\13\377u\370\377\25351\377\377\353`S\350\15\352\377\377PW\350]0\0\0\353Q9]\344t\22\213\25(\364B\0\213M\340\211\214\202\224\0\0\0\353:\213\15(\364B\0\377\264\201\224\0\0\0W\350\3650\0\0\353%\213\15\240\270B\0S#\310Qj\13\377u\370\377\2509]\334t\13SS\377u\370\377\258r@\0\213E\374\1\5\250\364B\03\300_^[\311\302\4\0:)@\0\223\24@\0\237\24@\0\272\24@\0\334\24@\0\30\25@\02\25@\0\207\25@\0\267\25@\0\325\25@\0Z\26@\0@\25@\0V\25@\0w\25@\0k\26@\0\377\26@\0c\27@\0\212\27@\0\235\27@\0L\31@\0O\31@\0\201\31@\0\226\31@\0\250\31@\0)\32@\0Z\32@\0\221\32@\0\303\32@\0P\33@\0q\33@\0\31\34@\0\31\34@\0\333\34@\0\370\34@\0\23\35@\02\35@\0\216\35@\0\10\36@\04\36@\0\234\36@\0\33\37@\0K\37@\0\334\37@\0\246 @\0\366!@", ) == 0x0 01389 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0*#@\0\206#@\0*$@\0\245$@\0\6%@\0\32%@\0<%@\0\204%@\0I&@\0x&@\0\222&@\0\274&@\0\372&@\0!(@\0\247(@\0/)@\0/)@\0\12)@\0\344\32@\0\350\32@\0\354\32@\0\363\32@\0\0\33@\0\4\33@\0\10\33@\0\14\33@\0\25\33@\0\37\33@\0,\33@\0D\33@\0H\33@\0\213D$\4\213\15<\224@\0\3774\201j\0\350l/\0\0P\350\273.\0\0\302\4\0V\213t$\10\205\366W\213\306}\2\367\330\213\25<\224@\0\213\310\203\341\17\301\370\4\3774\212\301\340\12\5@\234@\0P\3506/\0\0\205\366\213\370}\6W\350D1\0\0\213\307_^\302\4\0U\213\354\201\354\14\1\0\0SV\215E\374WP3\333j\10S\377u\14\377u\10\377\25\20p@\0;\303uM\2135\10p@\0\277\5\1\0\0\353\319]\20uB\215\205\364\376\377\377SP\377u\374\350\271\377\377\377\205\300u\22\215\205\364\376\377\377WPS\377u\374\377\326\205\300t\325\377u\374\377\25\34p@\0\377u\14\377u\10\377\25\24p@\0_^[\311\302\14\0\377u\374\377\25\34p@\03\300@\353\353\213D$\4\205\300u\12\241\244\364B\0\5\1\0\0\200\302\4\0U\213\354\215E\10P\377u\10j\0j"\350\21\377\377\377P\241<\224@\0\377p\4\350\312\377\377\377P\377\25\20p@\0\367\330\33\300\367\320#E\10]\302\4\0U\213\354\201}\14\20\1\0\0VW\213}\10\276\23\1\0\0u\33j\0h\372\0\0\0j\1W\377\25\344q@\0\213E\24\211u\14\243H\260@\09u\14uN\213\15PLA\0\241X\214B\0;\310|\2\213\310Pj", ) \350\21\377\377\377P\241<\224@\0\377p\4\350\312\377\377\377P\377\25\20p@\0\367\330\33\300\367\320#E\10]\302\4\0U\213\354\201}\14\20\1\0\0VW\213}\10\276\23\1\0\0u\33j\0h\372\0\0\0j\1W\377\25\344q@\0\213E\24\211u\14\243H\260@\09u\14uN\213\15PLA\0\241X\214B\0;\310|\2\213\310Pj", ) == 0x0 01390 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "A\0\3775H\260@\0V\377\25\364q@\0\203\304\14VW\377\25\350q@\0Vh\6\4\0\0W\350\223&\0\0j\5W\377\25Xr@\0_3\300^]\302\20\0U\213\354\203\354,SV3\366W\211u\374\377\25\234p@\0\211u\364\211u\370\276\0\C\0h\0\4\0\0V\213\370\3775 \364B\0\201\307\350\3\0\0\377\25\230p@\0j\3h\0\0\0\200V\350/*\0\0\213\330\203\373\377\211]\360\211\35 \220@\0u\12\270x\221@\0\351\37\2\0\0V\350\222(\0\0j\0S\377\25\224p@\0\205\300\243X\214B\0\213\360\17\216)\1\0\0\241,\364B\0\213\336\367\330\33\300%\0~\0\0\5\0\2\0\0;\360|\2\213\330ShX\14B\0\350\16\4\0\0\205\300\17\204f\1\0\03\3009\5,\364B\0u\177j\34\215E\324hX\14B\0P\350\217)\0\0\213M\324\367\301\360\377\377\377\17\205\232\0\0\0\201}\330\357\276\255\336\17\205\215\0\0\0\201}\344Inst\17\205\200\0\0\0\201}\340softuw\201}\334Nullun\213E\354;\306\17\217\377\0\0\0\11M\10\213\25PLA\0\366E\10\10\211\25,\364B\0u\6\366E\10\4uq\377E\370\215p\374;\336v>\213\336\353:\366E\10\2u49E\374t\10P\350\233/\0\0\353'\377\25\234p@\0;\307v\35h\\221@\0h\253+@\0j\0jo\3775 \364B\0\377\25\334q@\0\211E\374;5X\214B\0}\21ShX\14B\0\377u\364\350\217/\0\0\211E\364\1\35PLA\0+\363\205\366\17\217\346\376\377\377\203}\374\0t\11\377u\374\377\25\340q@\03\3779=,\364B\0tZ9}\370t"\3775PLA\0\350", ) \3775PLA\0\350", ) == 0x0 01391 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\2\0\0\205\300t;\213E\364;E\370u3\377u\350j@\377\25\370p@\0\213\360\241,\364B\0\203\300\34P\350\361\2\0\0\377u\350VWj\377\350\207\0\0\0;E\350t\37V\377\25\364p@\0\270(\220@\0\353m\203}\374\0t\363\377u\374\377\25\340q@\0\353\350\366E\10\2\2115(\364B\0t\3\203\16\10\213\6\203\340\30\366E\324\1\243\300\364B\0\213\6\2430\364B\0t\6\377\54\364B\0j\10\215FDY\203\350\10\10Iu\370j\1WW\377u\360\377\250q@\0\211F<\203\306\4j@Vh@\364B\0\350\330'\0\03\300_^[\311\302\4\0U\213\354\203\354XSV\213u\24W\213}\20\211u\370\205\377u\7\307E\370\0\200\0\0\203e\374\0\211}\364\205\377u\7\307E\364X\214A\0\213E\10\205\300|\16\213\15x\364B\0\3\310Q\350\32\2\0\0\215E\24j\4P\350\335\1\0\0\205\300\17\204\200\1\0\0\366E\27\200\17\204_\1\0\0\213\35\234p@\0\377\323\203%|\265@\0\0\203%x\265@\0\0\201e\24\377\377\377\177\211E\360\270\0\314@\0\307\5`\260@\0\10\0\0\0\243\10LA\0\243\4LA\0\213E\24\307\5\0LA\0\0LA\0\211E\10\17\216r\1\0\0\276\0@\0\09u\24}\3\213u\24\277XLA\0VW\350c\1\0\0\205\300\17\204\6\1\0\0)u\24\211=P\260@\0\2115T\260@\0\213}\364\213E\370hP\260@\0\211=X\260@\0\243\\260@\0\350\1.\0\0\205\300\211E\350\17\214\262\0\0\0\2135X\260@\0+\367\377\323\366\5\240\222@\0\1\213\370tC+E\360=\310\0\0\0w\6\203}\24\0u3\213E\10\377u\10+E\24jdP", ) , ) == 0x0 01392 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\221@\0P\377\25\364q@\0\203\304\14\215E\250Pj\0\350f\35\0\0\211}\3603\300;\360tI9E\20u P\215E\354PV\377u\364\377u\14\377\25$q@\0\205\300t=9u\354u8\1u\374\353\30)u\370\1u\374\241X\260@\0\203}\370\1\211E\364\17\214\201\0\0\0\203}\350\1\17\2055\377\377\377\353u9E\24\17\217\372\376\377\377\353jj\374\353\35j\376\353\31\205\377tS9u\24}\3\213u\24VW\350Y\0\0\0\205\300uHj\375X\353I\213u\3709u\24}\3\213u\24\277XLA\0VW\3509\0\0\0\205\300t\340\215E\20j\0PVW\377u\14\377\25$q@\0\205\300t\260;u\20u\253\1u\374)u\24\203}\24\0\177\277\353\3\211u\374\213E\374_^[\311\302\20\0U\213\354V\213u\14\215E\14j\0PV\377u\10\3775 \220@\0\377\25(q@\0\205\300t\129u\14u\53\300@\353\23\300^]\302\10\0j\0j\0\377t$\14\3775 \220@\0\377\250q@\0\302\4\0V\276\0dC\0V\350\331*\0\0V\350\20$\0\0\205\300u\2^\303V\350\230#\0\0j\0V\377\25\210p@\0Vh\0PC\0\350w%\0\0^\303\201\354|\1\0\0SUV3\366W\211t$\30\275@\222@\0\306D$\20 \377\250p@\0V\377\25pr@\0\243\320\364B\0V\215D$0h`\1\0\0PVh`\230B\0\377\25Xq@\0h0\222@\0h \354B\0\350#(\0\0\273\0dC\0Sh\0\4\0\0\377\25\264p@\0\350d\377\377\377\205\300u$h\373\3\0\0S\377\25\260p@\0h(\222@\0S\350\16(\0\0\350D\377\377\377\205\300\17\204<\1", ) , ) == 0x0 01393 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \243 \364B\0\213\307u\12\306D$\20 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) \0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0 (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "@\0\377\25\254p@\0PW\350\314'\0\0j\0\377\25\10q@\0\200=\0PC\0"\243 \364B\0\213\307u\12\306D$\20"\270\1PC\0\377t$\20P\350\330"\0\0P\377\25\24r@\0\211D$\24\353c\200\371 u\6@\2008 t\372\2008"\306D$\20 u\6@\306D$\20"\2008/u3@\2008Su\16\212H\1\200\311 \200\371 u\3\203\316\2\2018NCRCu\16\212H\4\200\311 \200\371 u\3\203\316\4\201x\376 /D=t\30\377t$\20P\350n"\0\0\2008"u\1@\212\10\204\311u\227\353\22\200`\376\0\203\300\2Ph\0TC\0\350\26'\0\0V\350l\371\377\377\213\350\205\355ua9\54\364B\0tIPW\3503"\0\0\213\360\353\11\201> _?=t\5N;\367s\363;\367\275x\221@\0r^\200&\0\203\306\4V\350\302"\0\0\205\300t(Vh\0TC\0\350\306&\0\0Vh\0XC\0\350\273&\0\03\355\203\15\314\364B\0\377\350\24\2\0\0\211D$\30\350\346\1\0\0\377\25tr@\0\205\355\17\204%\1\0\0h\20\0 \0U\350\213\37\0\0j\2\377\25\250p@\0h\34\222@\0S\350\224&\0\0j\0S\377\25\210p@\0\203d$\20\0\276`\214B\0\277`\224B\0SVf\307\5`\214B\0"\0\350l&\0\0h\240\221@\0V\350a&\0\0ha\214B\0\377\25@q@\0\205\355\17\204\247\0\0\0h\0\4\0\0W\3775 \364B\0\377\25\230p@\0\215\200Z\224B\0h\241\221@\0P\377\25\244p@\0\205\300\17\204]\377\377\377j\0ha\214B\0W\377\25Dq@\0\205\300tij\0ha\214B\0\3500#\0\0\200", ) , ) == 0x0 01394 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0W\350\324%\0\0\353\6W\350 !\0\0h\30\222@\0V\350\335%\0\0\377t$\24V\350\323%\0\0h\20\222@\0V\350\310%\0\0WV\350\301%\0\0V\350\254 \0\0SV\350 \36\0\0\205\300t\11P\377\25`p@\03\355\376\5\240\221@\0\377D$\20\203|$\20\32\17\214\26\377\377\377\351\310\376\377\377\203=\264\364B\0\0\17\204\216\0\0\0\276\0\222@\0h\354\221@\0V\350g(\0\0h\324\221@\0V\213\350\350Z(\0\0h\274\221@\0V\213\370\350M(\0\03\366\213\330;\356tH;\376tD;\336t@\215D$\24Pj(\377\25\240p@\0P\377\325\205\300t,\215D$ Ph\250\221@\0V\377\327VV\215D$$VPV\377t$(\307D$4\1\0\0\0\307D$@\2\0\0\0\377\323Vj\2\377\25\34r@\0\205\300u\7j\11\350\13\337\377\377\241\314\364B\0\203\370\377t\4\211D$\30\377t$\30\377\25\250p@\0\241 \220@\0\203\370\377t\16P\377\25`p@\0\203\15 \220@\0\377j\7h\0hC\0\350\334\35\0\0\303\203\354\24SUV\2135(\364B\0Wh\364r@\0h\310\222@\0\350\220'\0\03\333;\303t\22\377\320\17\267\300Ph\0`C\0\350\305#\0\0\353H\277\240\250B\0\307\5\0`C\00x\0\0WSh\314r@\0h\1\0\0\200\3509#\0\08\35\240\250B\0u\25Wh\304r@\0h\234r@\0h\3\0\0\200\350\34#\0\0Wh\0`C\0\3509$\0\0\350K\2\0\0\2410\364B\0\275\0TC\0\203\340 U\243\240\364B\0\350\355\37\0\0\205\300\17\205\200\0\0\0\213NH;\313ty\213VL\241X\364B\0\277\300", ) , ) == 0x0 01395 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "D\350\311"\0\0\240\300\343B\0:\303tT<"u\17\277\301\343B\0j"W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) \0\0\240\300\343B\0:\303tT< (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "D\350\311"\0\0\240\300\343B\0:\303tT<"u\17\277\301\343B\0j"W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) W\350\363\36\0\0\210\30W\350\311#\0\0\215D8\374;\307v&h\300\222@\0P\377\25\244p@\0\205\300u\26W\377\25\200p@\0\203\370\377t\4\250\20u\6W\350\331\36\0\0W\350\214\36\0\0PU\350x#\0\0U\350_\37\0\0\205\300u\14\377\266\30\1\0\0U\350\204#\0\0h@\200\0\0SSj\1jg\3775 \364B\0\377\25,r@\0\243\10\354B\0\203~P\377\277\300\353B\0\17\204\211\0\0\0\213\15 \364B\0\243\324\353B\0\215D$\20W\307D$\24_Nb\0\307\5\304\353B\0\0\20@\0\211\15\320\353B\0\243\344\353B\0\377\25\0r@\0f\205\300\17\204$\1\0\0\215D$\24SPSj0\377\25\4r@\0S\3775 \364B\0\213D$(+D$ 
SSP\213D$0+D$(P\215D$(\377t$0\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10r@\0\243\200\250B\0S\350\335\334\377\377\205\300t\10j\2X\351\307\0\0\0\350\312\0\0\09\35\300\364B\0\17\205\213\0\0\0j\5\3775\200\250B\0\377\25Xr@\0\2135\14q@\0\275\260\222@\0U\377\326\205\300u\14Uf\307\5\266\222@\032\377\326\213-\14r@\0\276\244\222@\0WVS\377\325\205\300u\37WVS\210\35\254\222@\0\377\325W\2115\344\353B\0\306\5\254\222@\02\377\25\0r@\0\241\0\354B\0S\203\300ih\3338@\0\17\267\300SP\3775 \364B\0\377\25\20r@\0j\5\213\360\3509\334\377\377\213\306\353+S\350o\26\0\0\205\300t\309\35\354\353B\0\17\205F\377\377\377j\2\350", ) == 0x0 01396 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\14\334\377\3773\300_^][\203\304\24\303SUVW\277\0`C\0\273\377\377\0\0W\3500!\0\0\2135d\364B\0\205\366tE\213\15(\364B\0\213Id\213\321\17\257\316\367\332\3\15`\364B\0\3\312Nf\213)f3\350#\353f\205\355t\6\205\366u\354\353\31\213Q\2\211\25\0\354B\0\213Q\6\211\25\310\364B\0\215Q\12\205\322u\22f\201\373\377\377u\7\273\377\3\0\0\353\2433\333\353\237\211\25\374\353B\0\17\267\1PW\350\246 \0\0j\376h \354B\0\350^!\0\0P\3775\200\250B\0\377\25\350q@\0\241L\364B\0\2135H\364B\0\205\300t\33\213\370\213\6\205\300t\12P\215F\30P\3500!\0\0\201\306\30\4\0\0Ou\347_^][\303\203\354\20\271\20\1\0\0SU\213l$ V;\351W\17\204s\1\0\0\201\375\10\4\0\0\17\204g\1\0\0\213\$$\203\375Gu\253\300j\23PPPPS\3775\200\250B\0\377\25|q@\0\203\375\5u\30\213D$,H\367\330\33\300#\305P\3775\200\250B\0\377\25Xr@\0\201\375\15\4\0\0u\32\3775\370\353B\0\377\25\340q@\0\213D$,\243\370\353B\0\351\17\4\0\0\203\375\21u\23j\0j\0S\377\25(r@\03\300@\351\36\4\0\0\203\375\20u3\241D\364B\0H9\5\204\222@\0\17\205\310\0\0\0\3775h\230B\0\377\25xq@\0\205\300\17\205\264\0\0\0\275\21\1\0\0\307D$,\1\0\0\0\201\375\21\1\0\0\17\205\233\0\0\0\17\267t$,VS\377\25$r@\0\213\35, ) , ) == 0x0 01397 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\0~:j\377\353\34\203\376\2u1\203=\254\364B\0\0t\25V\350\364\331\377\377\2115p\234B\0jx\350s\3\0\0\353(j\3\350\336\331\377\377\205\300u\35\211=p\234B\0\353\344\377t$0\377t$0h\21\1\0\0\3775\370\353B\0\377\323\377t$0\377t$0U\350\311\3\0\0\351,\3\0\0\213D$,\213\$$;\351\243\214\250B\0uM\2135$r@\0j\1S\211\35$\364B\0\377\326j\2S\243\234\250B\0\377\326j\377j\34S\243h\230B\0\350"\3\0\0\3775\10\354B\0j\362S\377\25tq@\0j\4\350Y\331\377\377\243\354\353B\03\300@\243\214\250B\0\213\15\204\222@\03\377\213\361\301\346\6\35@\364B\0;\317|>\203\370\1u1W\377v\20\350\204\330\377\377\205\300t$j\1Wh\17\4\0\0\3775\370\353B\0\377\25\17\204w\2\0\0h\13\4\0\0\350\354\2\0\0\241\214\250B\0\1\5\204\222@\0\301\340\6\3\360\241\204\222@\0;\5D\364B\0u\7j\1\350\311\330\377\377\203=\354\353B\0\0\17\205\367\1\0\0\241D\364B\09\5\204\222@\0\17\203\346\1\0\0\377v$\213~\24h\0pC\0\350\210\36\0\0\377v h\31\374\377\377S\350@\2\0\0\377v\34h\33\374\377\377S\3502\2\0\0\377v(h\32\374\377\377S\350$\2\0\0j\3S\377\25$r@\0\203=\254\364B\0\0\213\350t\10f\201\347\375\376\203\317\4\213\307\203\340\10PU\377\25Xr@\0\213\307%\0\1\0\0PU\377\254r@\0\213\307\203\340\2P\350\3\2\0\0\203\347\4W\3775h\230B\0\377\254r@\03\377", ) \3\0\0\3775\10\354B\0j\362S\377\25tq@\0j\4\350Y\331\377\377\243\354\353B\03\300@\243\214\250B\0\213\15\204\222@\03\377\213\361\301\346\6\35@\364B\0;\317|>\203\370\1u1W\377v\20\350\204\330\377\377\205\300t$j\1Wh\17\4\0\0\3775\370\353B\0\377\2503\3009=\354\353B\0\17\224\300\351\201\2\0\09>\17\204w\2\0\0h\13\4\0\0\350\354\2\0\0\241\214\250B\0\1\5\204\222@\0\301\340\6\3\360\241\204\222@\0;\5D\364B\0u\7j\1\350\311\330\377\377\203=\354\353B\0\0\17\205\367\1\0\0\241D\364B\09\5\204\222@\0\17\203\346\1\0\0\377v$\213~\24h\0pC\0\350\210\36\0\0\377v 
h\31\374\377\377S\350@\2\0\0\377v\34h\33\374\377\377S\3502\2\0\0\377v(h\32\374\377\377S\350$\2\0\0j\3S\377\25$r@\0\203=\254\364B\0\0\213\350t\10f\201\347\375\376\203\317\4\213\307\203\340\10PU\377\25Xr@\0\213\307%\0\1\0\0PU\377\254r@\0\213\307\203\340\2P\350\3\2\0\0\203\347\4W\3775h\230B\0\377\254r@\03\377", ) == 0x0 01398 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "r@\0\377\3259=\254\364B\0t\23Wj\2h\1\4\0\0S\377\325\3775h\230B\0\353\6\3775\234\250B\0\350\315\1\0\0\275\240\250B\0h \354B\0U\350\240\35\0\0\377v\30U\350\255\35\0\0\3\305P\350\261\35\0\0US\377\25\350q@\0W\377v\10\350\20\327\377\377\205\300\17\205\276\376\377\3779\6\17\204\266\376\377\377\203~\4\5u\359\5\254\364B\0\17\205\21\1\0\09\5\240\364B\0\17\205\230\376\377\377\351\0\1\0\0\3775\370\353B\0\377\25\340q@\0\2115x\240B\0\203>\0\17\216\300\0\0\0\213F\4V\3774\205\210\222@\0f\213\6f\3\5\0\354B\0S\17\267\300P\3775 \364B\0\377\25\334q@\0\205\300\243\370\353B\0\17\204\215\0\0\0\377v,j\6P\350\332\0\0\0\215D$\20Ph\372\3\0\0S\377\25$r@\0P\377\25pq@\0\215D$\20PS\377\25lq@\03\377j\25WW\377t$ \377t$ W\3775\370\353B\0\377\25|q@\0W\377v\14\350<\326\377\377j\10\3775\370\353B\0\377\25Xr@\0h\5\4\0\0\350\306\0\0\0\353 \3775\370\353B\0\377\25\340q@\0\3775p\234B\0\203%$\364B\0\0S\377\25\264q@\0\203=\240\270B\0\0u\34\203=\370\353B\0\0t\23j\12S\377\25Xr@\0\307\5\240\270B\0\1\0\0\03\300_^][\203\304\20\302\20\0\203|$\4xu\6\377\5\354\353B\0j\0\377t$\10h\10\4\0\0\3775$\364B\0\377\25, ) , ) == 0x0 01399 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\3775$\364B\0\377\25\17\276\7\211E\24\213C\24\377u\10\203e\370\0\213\360G\367\326\301\356\5\203\346\1\203\340\1\211}\364\307E\374\327>@\0\13\360\350L\376\377\377\377s8j#\377u\10\350?\376\377\3773\300j\1\205\366\17\224\300\5\12\4\0\0P\377u\10\377\25\220q@\0V\350C\376\377\377h\350\3\0\0\377u\10\377\25$r@\0\213\330S\350@\376\377\377\213517\276\7\211E\24\213C\24\377u\10\203e\370\0\213\360G\367\326\301\356\5\203\346\1\203\340\1\211}\364\307E\374\327>@\0\13\360\350L\376\377\377\377s8j#\377u\10\350?\376\377\3773\300j\1\205\366\17\224\300\5\12\4\0\0P\377u\10\377\25\220q@\0V\350C\376\377\377h\350\3\0\0\377u\10\377\25$r@\0\213\330S\350@\376\377\377\21354\0\0S\377\326\241(\364B\0\213@h\205\300}\11\367\330P\377\25\200q@\0Pj\0hC\4\0\0S\377\326h\0\0\1\4j\0hE\4", ) == 0x0 01400 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "W\350\353\31\0\0Pj\0h5\4\0\0S\377\326\215E\364P\377u\24hI\4\0\0S\377\326\203%\210\250B\0\03\300\351a\1\0\0\201}\14\21\1\0\0\213\35$r@\0\2135, ) , ) == 0x0 01401 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0U\213\354\203\354H\241x\240B\0SV\211E\340\213p<\213@8\301\346\12\201\306\0\0C\0\201}\14\13\4\0\0W\211E\370\273\373\3\0\0u\15VS\350\206\20\0\0V\350\330\31\0\0\201}\14\20\1\0\0uxS\377u\10\377\25$r@\0V\213\370\350\372\22\0\0\205\300t\20V\350\27\23\0\0\205\300u\6V\350z\22\0\0\213E\10VW\243\370\353B\0\377\25\350q@\0\213E\24\377p4j\1\377u\10\3505\373\377\377\213E\24\377p0j\24\377u\10\350%\373\377\377W\350T\373\377\377h\214r@\0h\200r@\0\350;\32\0\0\205\300\17\204+\2\0\0j\1W\377\320\201}\14\21\1\0\0\17\205\306\0\0\0\17\267E\20;\303u\30\213M\20\301\351\20f\201\371\0\3\17\205\0\2\0\0\307E\14\17\4\0\0=\351\3\0\0\17\205\233\0\0\0j\73\300Y\215}\274\377u\370\363\253\213E\10\277\240\250B\0hx\234B\0\211E\270\211}\300\307E\314\373D@\0\211u\320\350\326\26\0\0\211E\304\215E\270P\307E\310A\0\0\0\377\25Tq@\0\205\300tMP\350\363\16\0\0V\350\235\21\0\0\241(\364B\0\213\200\34\1\0\0\205\300t Pj\0\350\233\26\0\0W\277\300\343B\0W\377\25\244p@\0\205\300t\7WV\350}\26\0\0\377\5\220\250B\0VS\377u\10\350/\17\0\0\353\7\307E\14\17\4\0\0\201}\14\17\4\0\0t\15\201}\14\5\4\0\0\17\205=\1\0\0\203e\374\0\203e\370\0VS\203\317\377\350\4\17\0\0V\350\7\22\0\0\205\300u\7\307E\374\1\0\0\0V\276p\230B\0V\350\3\26\0\0V\350\235\21\0\0\205\300t\3\200 \0h\340\222@\0h\310\222@\0\350\372\30\0\0", ) , ) == 0x0 01402 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "Q\215M\354Q\215M\330QV\377\320\205\300t\17\213}\330\213E\334\17\254\307\12\301\350\12\353/\215E\334P\215E\364P\215E\350P\215E\360PV\377\25\274p@\0\205\300t\33\213E\360S\17\257E\350\377u\364P\377\25,q@\0\213\370\307E\370\1\0\0\0j\5\350\272\1\0\0;\370s\7\307E\374\2\0\0\0\213\15\374\353B\03\3669q\20t+Pj\373h\377\3\0\0\350\340\0\0\09u\370t\13Wj\374S\350\322\0\0\0\353\16h`\230B\0S\377u\10\350\32\16\0\0\213E\374;\306\243\304\364B\0u\12j\7\350^\317\377\377\211E\374\213E\340\205X\24t\3\211u\3743\3009u\374\17\224\300P\350\27\371\377\3779u\374u\1595\220\250B\0u\5\350\266\374\377\377\2115\220\250B\0\377u\24\377u\20\377u\14\3506\371\377\377_^[\311\302\20\0U\213\354\203}\14\1V\2135, ) , ) == 0x0 01403 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "V\377u\10\3775\370\353B\0\350\252\14\0\0_^[\311\302\14\0\213\25L\364B\0\213\15H\364B\03\300\205\322t\30V\366A\10\1t\7\213t$\10\3\4\261\201\301\30\4\0\0Ju\352^\302\4\0U\213\354\203\3548V\2135, ) , ) == 0x0 01404 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\2370j\25\377u\10\350\267\365\377\377\377t\2374j\26\377u\10\350\251\365\377\3773\3773\3339=L\364B\0\17\216\304\0\0\0\213E\344\215P\10\211U\354\215B\20\2008\0\17\204\220\0\0\0\211E\310\213\2j \213\320Y\211]\260#\321\307E\264\2\0\377\377\250\2\307E\270\15\0\0\0\211M\304\211}\334\211U\300t8\215E\260\307E\270M\0\0\0Pj\0h\0\21\0\0\307E\330\1\0\0\0\377u\374\377\326\213\15\230\250B\0\307E\350\1\0\0\0\211\4\271\241\230\250B\0\213\34\270\353.\250\4t\21Sj\3h\12\21\0\0\377u\374\377\326\213\330\353\31\215E\260Pj\0h\0\21\0\0\377u\374\377\326\213\15\230\250B\0\211\4\271\213U\354G\201\302\30\4\0\0;=L\364B\0\211U\354\17\214K\377\377\377\203}\350\0u\31j\360\377u\374\377\25\204q@\0$\373Pj\360\377u\374\377\25(r@\0\203}\364\0u\30j\5\377u\370\377\25Xr@\0\377u\370\350\330\364\377\377\351\203\3\0\0\377u\374\350\313\364\377\377\213]\3443\377\201}\14\5\4\0\0u\223\311\211}\20A\307E\14\17\4\0\0\211M\24\353\3\213M\24\203}\14N\270\23\4\0\0t\119E\14\17\205\347\0\0\09E\14\211M\364t\15\201y\4\10\4\0\0\17\205\322\0\0\0\366\51\364B\0\2uv9E\14t\11\213M\24\203y\10\376uh3\3119E\14\17\225\301Q\377u\374\350\242\374\377\377;\307|S\213\310i\311\30\4\0\0\215T\31\10\213\12\366\301\20u@\366\301@t\24\201\361\200\0\0\0\204\311y\5\203\311\1\353\10\203\341\376\353\3\203\361\1P\211\12\350\241\307\377\377\2410\364B\03\311\367\320A\307E\14\17\4\0\0\301\350\10#\301\211M", ) , ) == 0x0 01405 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\201x\10n\376\377\377u\16\377p\Wh\31\4\0\0\377u\374\377\326\213E\364\201x\10j\376\377\377u(\203x\14\2u\22\213@\i\300\30\4\0\0\215D\30\10\203\10 \353\20\213@\i\300\30\4\0\0\215\\30\10\203#\337\201}\14\21\1\0\0urf\201}\20\371\3\17\205H\2\0\0\213E\20\301\350\20f=\1\0\17\2058\2\0\0WWhG\1\0\0\377u\370\377\326\203\370\377\17\204#\2\0\0WPhP\1\0\0\377u\370\377\326\213\330\203\373\377t\10\213E\3609<\230u\3j [S\350\360\307\377\377SWh \4\0\0\377u\10\377\326\307E\20\1\0\0\0\211}\24\307E\14\17\4\0\0\201}\14\0\2\0\0u\14WWh\0\2\0\0\377u\374\377\326\201}\14\13\4\0\0u2\241\204\250B\0;\307t\7P\377\25,p@\0\241\230\250B\0;\307t\7P\377\25\364p@\0\211=\204\250B\0\211=\230\250B\0\211=\200\364B\0\201}\14\17\4\0\0\17\205G\1\0\0WW\350\305\306\377\3779}\20t\7j\10\350\332\310\377\3779}\24t?\3775\230\250B\0\350\234\307\377\377\213\330S\350K\307\377\3773\3003\311;\337~\16\213U\3609<\202t\1A@;\303|\362WQhN\1\0\0\377u\370\377\326\211]\24\307E\14 \4\0\0WW\350n\306\377\377\241\230\250B\09=L\364B\0\211E\344\241H\364B\0\307E\3100\360\0\0\211}\364\17\216\234\0\0\0\215X\10\213E\344\213M\364\213\4\210;\307tt\213\13\211E\300\366\305\1\307E\274\10\0\0\0t\21\215C\20\307E\274\11\0\0\0\211E\314\200c\1\376\366\301@t\5j\3X\353\16\213\301\203\340\1@\366\301\20t\3\203\300\3\213\321\377u\300\301", ) , ) == 0x0 01406 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\3\300\203\342 \203\341\1\13\302A\211E\304Qh\2\21\0\0\377u\374\377\326\215E\274PWh\15\21\0\0\377u\374\377\326\377E\364\201\303\30\4\0\0\213E\364;\5L\364B\0\17\214g\377\377\377j\1W\377u\374\377\258r@\0\241\374\353B\09x\20t\24j\5\350\271\371\377\377Pj\373h\377\3\0\0\350\367\370\377\377\201}\14 \4\0\0u5\366\51\364B\0\1t,3\300\203}\24 \2135Xr@\0\17\224\300\301\340\3\213\370W\377u\374\377\326Wh\376\3\0\0\377u\10\377\25$r@\0P\377\326\377u\24\377u\20\377u\14\350t\361\377\377_^[\311\302\20\0U\213\354\201}\14\2\1\0\0SVu\33\203}\20 \17\205\212\0\0\0h\23\4\0\0\3500\361\377\3773\300\351\222\0\0\0\203}\14\2u\7\203\15\234\222@\0\377\201}\14\0\2\0\0\276\31\4\0\0u\36\377u\10\377\25\240q@\0\205\300tQj\1\377u\10\350+\371\377\377\213\330\211u\14\353\3\213]\249u\14u;9\35\234\222@\0t3W\276\0\0C\0\277\240\250B\0VW\211\35\234\222@\0\350\224\14\0\0SV\350\353\13\0\0j\6\350\273\306\377\377WV\350\177\14\0\0_\353\3\213]\24S\377u\20\377u\14\377u\10\3775\224\250B\0\377\25\234q@\0^[]\302\20\0U\213\354\203\3540\241\4\354B\0S3\333V;\303W\211E\374\17\204\260\0\0\0\241\240\222@\0\276\200\240B\0\213\370\211E\370\203\347\1u\11\377u\10V\350G\14\0\0V\3505\14\0\09]\14\211E\10t\33\377u\14\350%\14\0\0\3E\10=\0\10\0\0ss\377u\14V\350\30\14\0\0\366E\370\4t\15V\3775\350\353B\0\377\25\350q@\0\366E", ) , ) == 0x0 01407 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "u\344\377u\374\2135, ) , ) == 0x0 01408 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\364B\0\2u\15j\10\377u\374\377\25Xr@\0\353\6\211\35\360\353B\0h\354\3\0\0\377u\10\377\327h\0\00u\213\370Sh\1\4\0\0W\377\326\366\50\364B\0\4\17\204\361\1\0\0\377u\20Sh\11\4\0\0W\377\326\377u\14Sh\1 \0\0W\377\326\351\324\1\0\0\201}\14\5\4\0\0u(\215E\10PSh\354\3\0\0\377u\10\377\25$r@\0PhPN@\0SS\377\25\310p@\0P\377\25`p@\0\201}\14\21\1\0\0\2135Xr@\0u\33f\201}\20\3\4u5S\3775\360\353B\0\377\326j\10W\377\326\350\336\360\377\377\201}\14\4\4\0\0uU9\35\354\353B\0t&jx\307\5p\234B\0\2\0\0\0\350\302\354\377\377\377u\24\377u\20\377u\14\350B\355\377\377_^[\311\302\20\0j\10\3775$\364B\0\377\3269\35\254\364B\0u\16\241x\240B\0S\377p4\350o\374\377\377j\1\350\206\354\377\377\203}\14{u\2769}\20u\271SSh\4\20\0\0W\377\25, ) , ) == 0x0 01409 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "@\0V\350\351\7\0\0\3\360f\307\6\15\12FFC;]\14|\331\377u\10\377\25\300p@\0\377u\10j\1\377\25\250q@\0\377\25\244q@\03\300\351\260\376\377\377U\213\354Q\215E\374P\377\25Lq@\0\213E\374\205\300t\22\377u\10\213\10P\377Q\24\213E\374P\213\10\377Q\10\311\302\4\0U\213\354\203\354\20\377u\14\307\5\250\310B\0D\0\0\0\377\25\200p@\03\311\203\370\377t\4\250\20u\3\211M\14\215E\360Ph\250\310B\0\377u\14QQQQQ\377u\10Q\377\25\314p@\0\205\300t\14\377u\364\377\25`p@\0\213E\360\311\302\10\0\377%\304q@\0h\0\4\0\0\377t$\14\377t$\14\3775\370\353B\0\377\25\310q@\0\302\10\0\213D$\10\213\310\201\341\377\377\37\0\203=\300\364B\0\0t\5\301\350\25u%\203=\310\364B\0\0t\6\201\361\0\0\30\0Qh 
\354B\0\377t$\14\3775$\364B\0\377\25\314q@\0\302\10\0U\213\354\201\354H\1\0\0VW\213}\10W\350\227\2\0\0\366E\14\10\211E\370t\27W\377\25@q@\0\367\330\33\300@\1\5\250\364B\0\351\221\1\0\0S\213]\14\203\343\1\211]\374t\22\205\300\17\204"\1\0\0\366E\14\2\17\204\30\1\0\0\276\250\270B\0WV\350`\6\0\0\205\333t\15h\0\223@\0V\350m\6\0\0\353\6W\350\235\1\0\0h\20\220@\0W\350Z\6\0\0W\350N\6\0\0\213\330\215\205\270\376\377\377PV\3\337\377\25\1\0\0\2008\0t\11\200}\350\0t\3\215u\350\200>.u\21\212F\1\204\300tm<.u\6\200", ) \1\0\0\366E\14\2\17\204\30\1\0\0\276\250\270B\0WV\350`\6\0\0\205\333t\15h\0\223@\0V\350m\6\0\0\353\6W\350\235\1\0\0h\20\220@\0W\350Z\6\0\0W\350N\6\0\0\213\330\215\205\270\376\377\377PV\3\337\377\250\203\370\377\211E\10\17\204\274\0\0\0\215\205\344\376\377\377j?P\215\265\344\376\377\377\350>\1\0\0\2008\0t\11\200}\350\0t\3\215u\350\200>.u\21\212F\1\204\300tm<.u\6\200", ) == 0x0 01410 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\213\205\270\376\377\377\250\20t\25\213E\14\203\340\3<\3uH\377u\14W\350\0\377\377\377\353=$\376PW\377\25\214p@\0W\377\25@q@\0\205\300u 
\366E\14\4t\22Wj\361\350<\371\377\377j\0W\350\331\2\0\0\353\20\377\5\250\364B\0\353\10Wj\362\350"\371\377\377\215\205\270\376\377\377P\377u\10\377\258q@\0\205\300\17\205M\377\377\377\377u\10\377\254q@\0\203}\374\0t\4\200c\377\03\366[9u\374tS9u\370u\10\377\5\250\364B\0\353FW\350\16\10\0\0\205\300t371\377\377\215\205\270\376\377\377P\377u\10\377\258q@\0\205\300\17\205M\377\377\377\377u\10\377\254q@\0\203}\374\0t\4\200c\377\03\366[9u\374tS9u\370u\10\377\5\250\364B\0\353FW\350\16\10\0\0\205\300t350<\0\0\0h\200\0\0\0W\377\25\214p@\0W\377\25\320p@\0\205\300u\27\366E\14\4t\313Wj\361\350\255\370\377\377VW\350K\2\0\0\353\10Wj\345\350\234\370\377\377_^\311\302\10\0V\213t$\10V\350\376\4\0\0\3\306PV\377\25\320q@\0\2008\t\13h\20\220@\0V\350\352\4\0\0\213\306^\302\4\0\213D$\4\353\15:L$\10t\15P\377\25\24r@\0\212\10\204\311u\355\302\10\0V\213t$\10V\350\267\4\0\0\3\306\2008\t\14PV\377\25\320q@\0;\306w\357\200 \0^\302\4\0\213L$\4\212\1\14 f\2019\\t\2212177\6\200y\1:t\43\300\353\33\300@\302\4\0SV\2135\24r@\0W\213|$\20W\377\326\213\330S\377\326\200?\0t\14f\201;:\u\5P\377\326\353!f\201?\\u\30j\2^j\PN\350_\377\377\377\2008\0t\7@\205\366u\355\353\23\300_^[\302\4\0VW\377t$\14\276\250\274B\0V\350\2\4\0\0V\350\234\377\377\377\213\370\205\377u\43\300\353RW\350(\6\0\0\366\50\364B", ) == 0x0 01411 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "t\343+\376\353\24\350\245\6\0\0\205\300t\5\366\0\20t\321V\350\25\377\377\377V\350\321\3\0\0;\307V\177\341\350\276\376\377\377V\377\25\200p@\03\311\203\370\377\17\225\301\213\301_^\302\4\0SVW\377t$\24\350\245\3\0\0\213\370\213t$\20\353"\377t$\24\212\347\200$7\0V\377\25\244p@\0\205\300\210\347t\33V\377\25\24r@\0\213\360V\350u\3\0\0;\307}\3243\300_^[\302\10\0\213\306\353\366\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25\200p@\0\213\310j\0A\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\324p@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\234p@\0j\323\322Y\367\361V\215E\10j\0P\377u\14\0U\12\377\25\330p@\0\205\300u\15\205\377u\320\200&\0_^]\302\10\0\213\306\353\366SUVWh0\223@\0h\310\222@\0\350\270\5\0\0\205\300\213t$\30t\21j\5V\377t$\34\377\320\205\300\17\205F\1\0\0\213\35pp@\0\307\50\312B\0NUL\0\205\366\277\0\4\0\0\2750\312B\0t&j\1j\0V\3505\377\377\377P\377\25`p@\0WUV\377\323\205\300\17\204\20\1\0\0;\307\17\217\10\1\0\0\276\250\304B\0WV\377t$\34\377\323\205\300\17\204\363\0\0\0;\307\17\217\353\0\0\0VUh(\223@\0h\250\300B\0\377\25\364q@\0\203\304\20\213\330h\360\3\0\0V\377\25\260p@\0h\30\223@\0V\350\31\2\0\03\300Ph\200\0\0\10j\4PPh\0\0\0\300V\377\25\324p", ) 
\377t$\24\212\347\200$7\0V\377\25\244p@\0\205\300\210\347t\33V\377\25\24r@\0\213\360V\350u\3\0\0;\307}\3243\300_^[\302\10\0\213\306\353\366\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25\200p@\0\213\310j\0A\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\324p@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\234p@\0j\323\322Y\367\361V\215E\10j\0P\377u\14\0U\12\377\25\330p@\0\205\300u\15\205\377u\320\200&\0_^]\302\10\0\213\306\353\366SUVWh0\223@\0h\310\222@\0\350\270\5\0\0\205\300\213t$\30t\21j\5V\377t$\34\377\320\205\300\17\205F\1\0\0\213\35pp@\0\307\50\312B\0NUL\0\205\366\277\0\4\0\0\2750\312B\0t&j\1j\0V\3505\377\377\377P\377\25`p@\0WUV\377\323\205\300\17\204\20\1\0\0;\307\17\217\10\1\0\0\276\250\304B\0WV\377t$\34\377\323\205\300\17\204\363\0\0\0;\307\17\217\353\0\0\0VUh(\223@\0h\250\300B\0\377\25\364q@\0\203\304\20\213\330h\360\3\0\0V\377\25\260p@\0h\30\223@\0V\350\31\2\0\03\300Ph\200\0\0\10j\4PPh\0\0\0\300V\377\25\324p", ) == 0x0 01412 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0j\0U\377\25\224p@\0\213\370\215D\37\12Pj@\377\25\370p@\0\213\360\205\366to\215D$\30j\0PWVU\377\25(q@\0\205\300t[;|$\30uUh\14\223@\0V\350\374\375\377\377\205\300uZ\215\4>h\14\223@\0P\350\205\1\0\0\203\307\12\213\307S\3\306h\250\300B\0P\350#\376\377\3773\300PPPU\377\250q@\0\215D$\30j\0\3\373PWVU\377\25$q@\0V\377\25\364p@\0U\377\25`p@\0\377\5\260\364B\0_^][\302\10\0\203\300\12h\10\223@\0P\350\220\375\377\377\205\300t\245@\215\24>;\302\213\310s\15\212\21\210\24\31A\215\24>;\312r\363+\306\353\214U\213\354S\215E\14V\213u\243\333Ph\31\0\2\0S\377u\14\210\36\377u\10\377\25\20p@\0\205\300u>\215E\10\307E\10\0\4\0\0P\215E\24VPS\377u\20\377u\14\377\25\0p@\0\205\300u\14\203}\24\1t\10\203}\24\2t\2\210\36\377u\14\210\236\377\3\0\0\377\25\34p@\0^[]\302\20\0\377t$\10h\20s@\0\377t$\14\377\25\364q@\0\203\304\14\302\10\0U\213\354Q\213M\10SVW3\377\2009-\307E\374\1\0\0\0\260\12\2639u\5A\203M\374\377\20090u\34A\212\21\200\3720|\11\200\3727\177\4\260\10\2637\200\342\337\200\372Xu\3\260\20A\17\276\21A\203\3720|\14\17\276\363;\326\177\5\203\3520\353\31<\20u!\213\362\203\346\337\203\376A|\27\203\376F\177\22\203\342\7\203\302\11\17\276\360\17\257\367\3\362\213\376\353\306\213E\374\17\257\307_^[\311\302\4\0h\0\4\0\0\377t$\14\377t$\14\377\25\270p@\0\302\10\0\377%\334", ) , ) == 0x0 01413 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\203\354\30S\213]\14VW\205\333}\21\213\15\374\353B\0\215\4\235\4\0\0\0+\310\213\31\241X\364B\0\213M\10\3\330\270\300\343B\0+\310\213\370\201\371\0\10\0\0\17\203\264\1\0\0\213}\10\203e\10\0\351\250\1\0\0\213\327+\320\201\372\0\4\0\0\17\215\245\1\0\0C\200\371\374\17\206\201\1\0\0\17\276C\1\17\276\13\213\360\213\321\203\346\177\203\342\177\301\346\7\13\362\272\0\200\0\0\211M\350\211E\360\13\312\13\302C\211M\354C\200}\17\376\211E\364\17\205\365\0\0\0\203e\14\0\200'\0j\4^9u\360u\11\307E\14\234\223@\0\353x\213E\350\203\370+u\27Wh\214\223@\0h`\223@\0h\2\0\0\200\350\0\376\377\377\353T\203\370&u+WhP\223@\0h`\223@\0h\2\0\0\200\350\344\375\377\377\200?\0\17\205\223\0\0\0h<\223@\0W\350\334\376\377\377\353$\203\370%u\16h\0\4\0\0W\377\25\344p@\0\353\21\203\370$u\21h\0\4\0\0W\377\25\260p@\0\200?\0u]\203=\244\364B\0\0u\3j\2^\215E\374NP\377t\265\350\3775$\364B\0\377\25dq@\0\205\300u\35W\377u\374\377\25Pq@\0\377u\374\211E\370\350\324\366\377\377\203}\370\0u\11\353\3\200'\0\205\366u\303\200?\0t\17\203}\14\0t\11\377u\14W\350p\376\377\377W\350\212\0\0\0\353F\200}\17\375u.\203\376\33u\16\3775$\364B\0W\350\223\375\377\377\353\21\213\306\301\340\12\5\0\0C\0PW\350"\376\377\377\203\306\353\203\376\6s\24\353\304\200}\17\377u\14\203\310\377+\306PW\350(\376\377\377W\350\26\376\377\377\3\370\270\300\343B\0\353\15u\10\212\13\210\17GC\353\3\210\17G\212\13\204", ) \376\377\377\203\306\353\203\376\6s\24\353\304\200}\17\377u\14\203\310\377+\306PW\350(\376\377\377W\350\26\376\377\377\3\370\270\300\343B\0\353\15u\10\212\13\210\17GC\353\3\210\17G\212\13\204", ) == 0x0 01414 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\203}\10\0_^[t\11P\377u\10\350\310\375\377\377\311\302\10\0SV\213t$\14W\200>\u\25\200~\1\u\17\200~\2?u\11\200~\3\u\3\203\306\4\200>\0t\14V\350\21\371\377\377\205\300t\2FF\212\6\213\336\204\300\213\376t9U\213-\24r@\0<\37v"Ph\310\223@\0\350\252\370\377\377\2008\0u\22V\377\325+\306PVW\350\21\372\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317]\200'\0WS\377\25\320q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^[\302\4\0SV\2135\4q@\0Wh\1\200\0\0\377\326\277\360\310B\0W\377t$\24\377\25310\223@\0\350\252\370\377\377\2008\0u\22V\377\325+\306PVW\350\21\372\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317]\200'\0WS\377\25\320q@\0\213\370\212\7< t\4<\u\7\200'\0;\337r\345_^[\302\4\0SV\2135\4q@\0Wh\1\200\0\0\377\326\277\360\310B\0W\377t$\24\377\250\213\330\377\326\203\373\377t\13S\377\254q@\0\213\307\353\23\300_^[\302\4\0\377t$\4\377\25\10q@\0\205\300u\16\377t$\4\377\25\14q@\0\205\300t\13\377t$\10P\377\25\20q@\0\302\10\0U\213\354\203\354\34V\213u\10W\213=\330q@\0\353\12\215E\344P\377\25\324q@\0j\1VV\215E\344j\0P\377\327\205\300u\346_^\311\302\4\0\203=4\316B\0\0Vu-3\311j\10\213\301^\213\320\200\342\1\366\332\33\322\201\342 \203\270\355\321\3503\302Nu\352\211\4\2150\316B\0A\201\371\0\1\0\0|\325\213T$\20\213D$\10\205\322\367\320v#\213L$\14W\17\2669\213\360\201\346\377\0\0\03\367\301\350\10\2134\2650\316B\03\306AJu\343_\367\320^\302\14\0U\213\354\203\354D\213E\10SVW\213\10\215p\20\213@\4\211M\310\213\216\250\233\0\0\213\236\30\5\0\0\211E\314\213\206\34\5\0\0\211E\300\213\206\244\233\0\0;\310\211M\320s", ) == 0x0 01415 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "+\301\211E\324\351\303\11\0\0\377$\205\10h@\0\203}\314\0\17\204\302\11\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213E\300\203\353\3\301m\300\3\203\340\7\213\310\200\341\1\366\331\33\311\203\341\7\321\350\203\301\10\203\350\0\211\216\24\5\0\0\17\204.\1\0\0HtVHtHH\17\205]\11\0\0\203\317\377\307\6\21\0\0\0\213E\300\213M\10\211\206\34\5\0\0\213E\314\211\236\30\5\0\0\211A\4\213E\10\213M\310P\211\10\213M\320\211\216\250\233\0\0\350\240\11\0\0\213\307_^[\311\302\4\0\307\6\13\0\0\0\351\21\11\0\0\200=\270\343B\0\0\17\205\240\0\0\0\203e\370\0\2708\322B\0=t\324B\0\261\10~\24=8\326B\0}\4\376\301\353\11=\230\326B\0}\2\261\7\17\276\311\211\10\203\300\4=\270\326B\0|\324\215E\370\2778\322B\0Ph8\333B\0h\370\223@\0h4\322B\0hhs@\0h(s@\0h\1\1\0\0h \1\0\0W\350\200\11\0\0j\36Yj\5X\363\253\215E\370Ph8\333B\0h\374\223@\0h0\322B\0h\344s@\0h\250s@\0j\0j\36h8\322B\0\350M\11\0\0\376\5\270\343B\0\240\370\223@\0\210F\20\240\374\223@\0\210F\21\2414\322B\0\211F\24\2410\322B\0\211F\30\203&\0\351<\10\0\0\213\313\307\6\11\0\0\0\203\341\7\323m\300+\331\351'\10\0\0\203}\314\0\17\204-\10\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\20r\333\213E\3003\333%\377\377\0\0\211]\300;\303\211F\4\17\204\351\0\0\0j\12X\351\347\0\0\0\203}\314\0\17\204\350\7\0", ) , ) == 0x0 01416 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\213\216\240\233\0\0\213U\320;\321u)\213\206\244\233\0\0\215\276\240\33\0\0;\307t\31\213\327;\320\211U\320s\5+\302H\353\4+\312\213\301\205\300\211E\324ub\377u\10\211\226\250\233\0\0\350\4\10\0\0\213\226\250\233\0\0\213\216\244\233\0\0;\321\211U\320s\7\213\301+\302H\353\10\213\206\240\233\0\0+\302\213\276\240\233\0\0\211E\324;\327u\35\215\226\240\33\0\0;\321t\23\211U\320s\7+\312I\213\301\353\4+\372\213\307\211E\324\205\300\17\204a\7\0\0;E\314r\3\213E\314\213N\4;\310\213\371r\2\213\370W\377u\310\377u\320\350\325\365\377\377\1}\310)}\314\1}\320)}\324)~\4\17\205\1\7\0\0\213\206\24\5\0\0\211\6\351\364\6\0\0\203}\314\0\17\204\372\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\16r\333\213E\300%\377?\0\0\213\310\211F\4\203\341\37\200\371\35\17\207Y\375\377\377%\340\3\0\0=\240\3\0\0\17\207I\375\377\377\301m\300\16\203\353\16\203f\10\0\307\6\14\0\0\0\213F\4\301\350\12\203\300\49F\10si\353 \203}\314\0\17\204\213\6\0\0\213E\310\377M\314\213\313\17\266\0\323\340\11E\300\377E\310\203\303\10\203\373\3r\333\213N\10\213E\300\203\340\7\203\353\3\17\276\211\24s@\0\301m\300\3\211D\216\14\213N\4\377F\10\213F\10\301\351\12\203\301\4;\301r\315\353\22\213F\10\17\276\200\24s@\0\203d\206\14\0\377F\10\203~\10\23r\350\215M\370\215\276\14\5\0\0Q\215\216 \5\0\0Q\215\216\20\5\0\03\300WQP\211E\370Pj\23\215F\14j\23P\307\7\7\0\0\0\350\310\6\0\0\205\300u\229\7t\16!F\10\307", ) , ) == 0x0 01417 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\21\0\0\0\351\304\5\0\0\213\206\14\5\0\0\353 \203}\314\0\17\204\302\5\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213\216\20\5\0\0\215\4\201\17\266P\1\17\267@\2\203\370\20\211E\354s\26\213\312+\332\323m\300\213N\10\211D\216\14\377F\10\351\254\0\0\0\203\370\22u\14j\7\307E\370\13\0\0\0X\353,\203\300\362\307E\370\3\0\0\0\353 \203}\314\0\17\204G\5\0\0\213M\310\377M\314\17\2669\213\313\323\347\11}\300\377E\310\203\303\10\215\14\20;\331r\331\213\312+\332\323m\300\17\267\14E\324\223@\0#M\300\213U\370+\330\3\321\213\310\213F\4\323m\300\213N\10\213\370\301\357\5\203\347\37\203\340\37\215\204\7\2\1\0\0\215<\12;\370\17\207|\373\377\377\203}\354\20u\17\203\371\1\17\202m\373\377\377\213|\216\10\353\23\377\215D\216\14\2118A\203\300\4Ju\367\211N\10\213F\4\213N\10\213\320\203\340\37\301\352\5\203\342\37\215\204\2\2\1\0\0;\310\17\202\316\376\377\377\213F\4\203\246\20\5\0\0\0\203e\364\0\213\370\301\350\5\203\347\37\271\1\1\0\0\203\340\37\3\371@\215U\364\211E\354\215\206 \5\0\0RP\215E\374\307E\374\11\0\0\0P\215E\350Phhs@\0h(s@\0Q\215F\14WP\307E\360\6\0\0\0\350\33\5\0\0\203}\374\0u\3\203\310\377\205\300\17\205\312\372\377\377\215E\364P\215\206 \5\0\0P\215E\360P\215E\344Ph\344s@\0h\250s@\0j\0\377u\354\215D\276\14P\350\336\4\0\0\205\300\17\205\226\372\377\377\213E\360\205\300u\14\201\377\1\1\0\0\17\217\203\372\377\377\212M\374\203&\0\210", ) , ) == 0x0 01418 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "N\20\211F\30\17\266F\20\211F\14\213F\24\211F\10\307\6\1\0\0\0\213F\14\353 \203}\314\0\17\204\266\3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\205\311u\22\17\267@\2\211F\10\307\6\6\0\0\0\351Y\3\0\0\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\4\307\6\2\0\0\0\351<\3\0\0\366\301@\17\204\321\0\0\0\366\301 \17\204\315\371\377\377\307\6\7\0\0\0\351\37\3\0\0\213F\10\353 \203}\314\0\17\204 \3\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\324\223@\0#M\300\1N\4\213\310\323m\300+\330\17\266F\21\211F\14\213F\30\211F\10\307\6\3\0\0\0\213F\14\353 \203}\314\0\17\204\317\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\4E\324\223@\0#E\300\213N\10\215\4\201\17\266H\1\323m\300+\331\17\266\10\366\301\20t\30\203\341\17\211N\10\17\267@\2\211F\14\307\6\4\0\0\0\351k\2\0\0\366\301@\17\205\5\371\377\377\211N\14\17\267H\2\215\4\210\211F\10\351P\2\0\0\213F\10\353 \203}\314\0\17\204Q\2\0\0\213M\310\377M\314\17\266\21\213\313\323\342\11U\300\377E\310\203\303\10;\330r\334\17\267\14E\324\223@\0#M\300\1N\14\213\310\323m\300+\330\307\6\5\0\0\0\213E\320\213V\14\213\310+\316\201\351\240\33\0\0;\312s\23\213\216\240\233\0\0+\312+\316\215\214\1`\344\377\377\353\4\213\310+\312\203~\4\0\211M\340\17", ) , ) == 0x0 01419 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\221\0\0\0\213\276\240\233\0\0;\307u#\213\216\244\233\0\0\215\226\240\33\0\0;\312t\23\213\302;\301s\7+\310I\213\371\353\2+\370\205\377ud\377u\10\211\206\250\233\0\0\350\11\2\0\0\213\206\250\233\0\0\213\216\244\233\0\0;\301\211E\320s\7\213\371+\370O\353\10\213\276\240\233\0\0+\370\213\226\240\233\0\0;\302\211U\370u\37\215\226\240\33\0\0;\312t\25\213\302;\301\211E\320s\7+\310I\213\371\353\5\213}\370+\370\205\377\17\204d\1\0\0\213M\340\212\21\210\20@AO;\216\240\233\0\0\211E\320\211M\340\211}\324u\11\215\216\240\33\0\0\211M\340\377N\4\17\205:\377\377\377\351\302\370\377\377\213E\324\213}\320\205\300\17\205\221\0\0\0\213\216\240\233\0\0;\371u#\213\206\244\233\0\0\215\226\240\33\0\0;\302t\23\213\372;\370s\5+\307H\353\4+\317\213\301\205\300ud\377u\10\211\276\250\233\0\0\3508\1\0\0\213\276\250\233\0\0\213\216\244\233\0\0;\371\211}\320s\7\213\301+\307H\353\10\213\206\240\233\0\0+\307\213\226\240\233\0\0;\372\211U\370u\37\215\226\240\33\0\0;\312t\25\213\372;\371\211}\320s\7+\317I\213\301\353\5\213E\370+\307\205\300\17\204\223\0\0\0\212N\10\210\17GH\211}\320\211E\324\351\21\370\377\377\203\373\7v\11\203\353\10\377E\314\377M\310\213E\320\377u\10\211\206\250\233\0\0\350\261\0\0\0\213\216\250\233\0\0\213\226\244\233\0\0;\312\211M\320s\7\213\302+\301H\353\10\213\206\240\233\0\0+\301;\312\211E\324u9\213\206\24\5\0\0\203\370\10\211\6u3\213\6\203\370\17\17\2062\366\377\377\351\223\366\377\377\213E\3003\377\211\206\34\5\0\0\213E\10\211\236\30\5\0\0\211x\4", ) , ) == 0x0 01420 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "3\377G\351q\366\377\377\5d@\0\30d@\0\256d@\0\377d@\0}e@\0\301e@\0\307f@\0xg@\01^@\0\306_@\0\353_@\0\371`@\08a@\0\33c@\0p^@\0\206g@\0SV\213t$\14W\213\276\264\233\0\0\213\236\270\233\0\0;\373v\6\213\236\260\233\0\0\213F\14+\337;\330r\2\213\330SW\377v\10+\303\211F\14\350\15\356\377\377\1^\10\213\206\260\233\0\0\3\373;\370u\269\206\270\233\0\0\215\276\260\33\0\0u\271\211\276\270\233\0\0\353\261\211\276\264\233\0\0_^[\302\4\0U\213\354\201\354\354\0\0\0SV\213u\14Wj\203\300Y\215}\220\363\253\213M\10\213\326\213\1\203\301\4\215D\205\220\377\0Ju\3629u\220u\23\213E\34\203 \0\213E \203 \03\300\351\360\2\0\0\213u 3\333Cj\17\213>\213\313\211} Z3\3009D\215\220u\5A;\312v\363;\371\211M\374s\3\211M 9D\225\220u\3Ju\3679U \211U\350v\3\211U \213} \211>\323\343\353\15+\\215\220\17\210\237\2\0\0A\3\333;\312r\357\213\362\301\346\2\215L5\220\2139+\337\211]\320\17\210\202\2\0\0\3\373\211\205T\377\377\377\21193\311Jt\233\377\3L=\224\203\307\4J\211\214=T\377\377\377u\357\213]\103\377\213\13\203\303\4;\310t\23\215\214\215P\377\377\377\213\21\211<\225\270\326B\0B\211\21G;}\14r\336\213\2145P\377\377\377\213] \203M\364\377\203e\334\0\211M\14\213M\374\367\333;M\350\211E\370\211\205P\377\377\377\307E\340\270\326B\0\211\205\24\377\377\377\17\217\363\1\0\0\215Q\377\215L\215\220\211U\330\211M\344\213M\344\2131\205", ) , ) == 0x0 01421 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\213M N\3\313\211u\3249M\374\211M\354\17\216\314\0\0\0F\211u\360\213u\350\377E\364+u\354;u v\3\213u \213M\3743\322+M\354B\323\342;U\360v#\213}\344\203\310\377+E\324\3\320;\316s\24\353\15\203\307\4\3\322\213\7;\320v\7+\320A;\316r\356\213U(3\300@\213\22\323\340\211E\334\215<\2\201\377\240\5\0\0\17\207h\1\0\0\213E$\215\4\220\213U\364\215\264\225\24\377\377\377\213U(\211:\213U\364\205\322\211\6t1\213}\370\213v\374\211\274\225P\377\377\377\212U \210U\11\210M\10\213\327\213\313\323\352\213\310+\316\301\371\2+\312f\211M\12\213M\10\211\14\226\353\5\213M\34\211\1\213M\354\213\331\3M 9M\374\211M\354\17\2178\377\377\377\212M\374\213u\340*\313\210M\11\213M\14\215\14\215\270\326B\0;\361r\6\306E\10\300\353C\213\16;M\20s\34\201\371\0\1\0\0\17\222\301\376\311\203\341`\210M\10f\213\16\203\306\4\211u\340\353\34+M\20\213U\30\3\311\212\24\21\200\302P\203E\340\4\210U\10\213U\24f\213\14\21f\211M\12\213M\374\213U\3703\377+\313G\213\367\323\346\213\313\323\352\353\10\213M\10\211\14\220\3\326;U\334r\363\213M\330\213u\370\213\327\323\342\353\43\362\321\352\205\326u\370\213\3173\362\211M\360\213\313\213\327\211u\370\323\342J#\326\213\312\213U\364;\214\225P\377\377\377t\32+] \213\367J\213\313\323\346N#u\370;\264\225P\377\377\377u\351\211U\364\203}\324\0\17\205?\376\377\377\377E\374\203E\344\4\213M\374\377E\330;M\350\17\216\32\376\377\3773\3009E\320t\11\203}\350\1t\3\203\310\377_^[\311\302$\0\314\377%hr@\0\377%", ) , ) == 0x0 01422 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\236\200\0\0\262\200\0\0\220\200\0\0\200\200\0\0\6\201\0\0\366\200\0\0\344\200\0\0\326\200\0\0\304\200\0\0\0\0\0\08\201\0\0$\201\0\0\21\0\0\200N\201\0\0\0\0\0\0\314\177\0\0\274\177\0\0\254\177\0\0\226\177\0\0\200\177\0\0t\177\0\0d\177\0\0T\177\0\0\0\0\0\0.y\0\0y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0\340x\0\0\322x\0\0\304x\0\0\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0", ) y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0\340x\0\0\322x\0\0\304x\0\0\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0", ) == 0x0 01423 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "X}\0\0@}\0\0.}\0\0\36}\0\0\14}\0\0\0}\0\0\240~\0\0\360|\0\08|\0\0*|\0\0\30|\0\0\12|\0\0\2|\0\0\362{\0\0\340{\0\0\320{\0\0\276{\0\0\260{\0\0\240{\0\0\224{\0\0\210{\0\0|{\0\0v|\0\0\0\0\0\0\330\201\0\0\302\201\0\0\260\201\0\0\0\0\0\0\226\201\0\0\204\201\0\0p\201\0\0\0\0\0\0shlwapi.dll\0SHAutoComplete\0\0.DEFAULT\Control Panel\International\0\0\0\0Locale\0\0Control Panel\Desktop\ResourceLocale\0\0\0\0GetUserDefaultUILanguage\0\0\0\0%d\0\0\20\21\22\0\10\7\11\6\12\5\13\4\14\3\15\2\16\1\17\0\3\0\4\0\5\0\6\0\7\0\10\0\11\0\12\0\13\0\15\0\17\0\21\0\23\0\27\0\33\0\37\0#\0+\03\0;\0C\0S\0c\0s\0\203\0\243\0\303\0\343\0\2\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\1\0\1\0\2\0\2\0\2\0\2\0\3\0\3\0\3\0\3\0\4\0\4\0\4\0\4\0\5\0\5\0\5\0\5\0\0\0p\0p\0\0\0\1\0\2\0\3\0\4\0\5\0\7\0\11\0\15\0\21\0\31\0!\01\0A\0a\0\201\0\301\0\1\1\201\1\1\2\1\3\1\4\1\6\1\10\1\14\1\20\1\30\1 \10\1@\1`\0\0\0\0\0\0\0\0\1\0\1\0\2\0\2\0", ) , ) == 0x0 01424 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\6\0\6\0\7\0\7\0\10\0\10\0\11\0\11\0\12\0\12\0\13\0\13\0\14\0\14\0\15\0\15\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\13\1\0\0\0\0\0\0\300\0\0\0\0\0\0Fdu\0\0\0\0\0\0\0\0\0\0n{\0\0`p\0\0pv\0\0\0\0\0\0\0\0\0\0H\177\0\0lq\0\0@u\0\0\0\0\0\0\0\0\0\0\332\177\0\0y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0", ) y\0\0bz\0\0pz\0\0\202z\0\0\232z\0\0\252z\0\0\266z\0\0\312z\0\0\332z\0\0\350z\0\0\370z\0\0\12{\0\0\36{\0\0,{\0\0@{\0\0L{\0\0X{\0\0\26y\0\0\374x\0\0", ) == 0x0 01425 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\256x\0\0\230x\0\0\210x\0\0tx\0\0dx\0\0Rx\0\0Dx\0\0.x\0\0\20x\0\0\364w\0\0\350w\0\0\334w\0\0\204w\0\0\312w\0\0\276w\0\0\256w\0\0\234w\0\0\216w\0\0Vz\0\0\0\0\0\0H\200\0\00\200\0\0\32\200\0\0\10\200\0\0\370\177\0\0\344\177\0\0V\200\0\0\0\0\0\0v}\0\0\210}\0\0\230}\0\0\250}\0\0\272}\0\0\312}\0\0\330}\0\0\352}\0\0\366}\0\0\4~\0\0\26~\0\0&~\0\04~\0\0F~\0\0X~\0\0j~\0\0~~\0\0\220~\0\0j}\0\0\262~\0\0\300~\0\0\322~\0\0\346~\0\0\370~\0\0\12\177\0\0\30\177\0\0$\177\0\08\177\0\0\332|\0\0\312|\0\0\276|\0\0\254|\0\0\232|\0\0\204|\0\0j|\0\0T|\0\0D|\0\0X}\0\0@}\0\0.}\0\0\36}\0\0\14}\0\0\0}\0\0\240~\0\0\360|\0\08|\0\0*|\0\0\30|\0\0\12|\0\0\2|\0\0\362{\0\0\340{\0\0\320{\0\0\276{\0\0\260{\0\0\240{\0\0\224{\0\0\210{\0\0|{\0\0v|\0\0\0\0\0\0\330\201\0\0\302\201\0\0\260\201\0\0\0\0\0\0\226\201\0\0\204\201\0\0p\201\0\0\0\0\0\0j\2MulDiv\0\0|\0DeleteFileA\0\311\0FindFirstFileA\0\0\323\0FindNextFileA\0\305\0FindClose\0\20\3SetFilePointer\0\0\253\2ReadFile\0\0\227\3WriteFile\0", ) , ) == 0x0 01426 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ProfileStringA\0\0\234\3WritePrivateProfileStringA\0\0k\2MultiByteToWideChar\0\357\0FreeLibrary\0\230\1GetProcAddress\0\0H\2LoadLibraryA\0\0w\1GetModuleHandleA\0\0\12\3SetErrorMode\0\0R\1GetExitCodeProcess\0\0\205\3WaitForSingleObject\0\356\1GlobalAlloc\0\365\1GlobalFree\0\0\262\0ExpandEnvironmentStringsA\0P\1GetEnvironmentVariableA\0\263\3lstrcmpA\0\0\266\3lstrcmpiA\0.\0CloseHandle\0\24\3SetFileTime\03\0CompareFileTime\0\320\2SearchPathA\0\255\1GetShortPathNameA\0a\1GetFullPathNameA\0\0d\2MoveFileA\0\377\2SetCurrentDirectoryA\0\0V\1GetFileAttributesA\0\0i\1GetLastError\0\0E\0CreateDirectoryA\0\0\16\3Se", ) , ) == 0x0 01427 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "tesA\0\0I\3Sleep\0[\1GetFileSize\0u\1GetModuleFileNameA\0\0\325\1GetTickCount\0\0:\1GetCurrentProcess\0=\0CopyFileA\0\257\0ExitProcess\0\10\1GetCommandLineA\0\351\1GetWindowsDirectoryA\0\0\313\1GetTempPathA\0\0\274\3lstrcpynA\0E\1GetDiskFreeSpaceA\0\0\2GlobalUnlock\0\0\371\1GlobalLock\0\0i\0CreateThread\0\0`\0CreateProcessA\0\0\272\2RemoveDirectoryA\0\0M\0CreateFileA\0\311\1GetTempFileNameA\0\0\277\3lstrlenA\0\0\260\3lstrcatA\0\0\271\1GetSystemDirectoryA\0KERNEL32.dll\0\0\310\0EndPaint\0\0\274\0DrawTextA\0\342\0FillRect\0\0\377\0GetClientRect\0\15\0BeginPaint\0\0\216\0DefWindowProcA\0\0:\2SendMessageA\0\0\223\1InvalidateRect\0\0\304\0", ) , ) == 0x0 01428 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0\0\14\1GetDC\0\277\1LoadImageA\0\0\177\2SetWindowLongA\0\0\21\1GetDlgItem\0\0\255\1IsWindow\0\0\344\0FindWindowExA\0=\2SendMessageTimeoutA\0\325\2wsprintfA\0\221\2ShowWindow\0\0V\2SetForegroundWindow\0\3\2PostQuitMessage\0\205\2SetWindowTextA\0\0y\2SetTimer\0\0\231\0DestroyWindow\0U\0CreateDialogParamA\0\0\341\0ExitWindowsEx\0*\0CharNextA\0\236\0DialogBoxParamA\0\366\0GetClassInfoA\0`\0CreateWindowExA\0\230\2SystemParametersInfoA\0\25\2RegisterClassA\0\0\306\0EndDialog\00\2ScreenToClient\0\0t\1GetWindowRect\0F\2SetClassLongA\0\256\1IsWindowEnabled\0\202\2SetWindowPos\0\0Z\1GetSysColor\0n\1GetWindowLongA\0\0L\2SetCurso", ) , ) == 0x0 01429 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "orA\08\0CheckDlgButton\0\0<\1GetMessagePos\0\267\1LoadBitmapA\0\33\0CallWindowProcA\0\261\1IsWindowVisible\0B\0CloseClipboard\0\0I\2SetClipboardData\0\0\301\0EmptyClipboard\0\0\365\1OpenClipboard\0\243\2TrackPopupMenu\0\0\10\0AppendMenuA\0^\0CreatePopupMenu\0]\1GetSystemMetrics\0\0R\2SetDlgItemTextA\0\23\1GetDlgItemTextA\0\336\1MessageBoxA\0-\0CharPrevA\0\241\0DispatchMessageA\0\0\377\1PeekMessageA\0\0USER32.dll\0\0\16\2SelectObject\0\0<\2SetTextColor\0\0\26\2SetBkMode\0:\0CreateFontIndirectA\0)\0CreateBrushIndirect\0\217\0DeleteObject\0\0k\1GetDeviceCaps\0\25\2SetBkColor\0\0GDI32.dll\0\232\0SHFileOperatio", ) , ) == 0x0 01430 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "xecuteA\0\254\0SHGetFileInfoA\0\0y\0SHBrowseForFolderA\0\0\274\0SHGetPathFromIDListA\0\0\267\0SHGetMalloc\0\303\0SHGetSpecialFolderLocation\0\0SHELL32.dll\0\331\1RegEnumValueA\0\325\1RegEnumKeyA\0\354\1RegQueryValueExA\0\0\371\1RegSetValueExA\0\0\315\1RegCreateKeyExA\0\311\1RegCloseKey\0\322\1RegDeleteValueA\0\320\1RegDeleteKeyA\0\342\1RegOpenKeyExA\0ADVAPI32.dll\0\08\0ImageList_Destroy\04\0ImageList_AddMasked\07\0ImageList_Create\0\0COMCTL32.dll\0\0\20\0CoCreateInstance\0\0\4\1OleUninitialize\0\355\0OleInitialize\0ole32.dll\0\12\0VerQueryValueA\0\0\0\0GetFileVersionInfoA\0\1\0GetFileVersionInfoSizeA\0VE", ) , ) == 0x0 01431 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\240\364B\0m\23@\0\27\@\0\6\0\0\0\\0\0\0%s %s\0\0\0->\0\0\377\377\377\377\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC command line switch\12(NOT RECOMMENDED).\0verifying installer: %d%%\0\0\0Error launching installer\0\0\0... %d%%\0\0\0\0Au_.exe\0SeShutdownPrivilege\0AdjustTokenPrivileges\0\0\0LookupPrivilegeValueA\0\0\0OpenProc", ) , ) == 0x0 01432 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":\0\0\0\0\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177", ) \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. 
Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/ (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0~nsu.tmp\\0\0\0\Temp\0\0\0NSIS Error\0\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0\377\377\377\377\13?@\0\303F@\0\1B@\0\274N@\0\272A@\0\377\377\377\377\6\0\0\0RichEdit20A\0RichEd20.dll\0\0\0\0.exe\0\0\0\0KERNEL32.dll\0\0\0\0open\0\0\0\0GetDiskFreeSpaceExA\0%u.%u%s%s\0\0\0\*.*\0\0\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0*?|<>/":\0\0\0\0\0\0\1\0\3\0\7\0\17\0\37\0?\0\177\0\377\0\377\1\377\3\377\7\377\17\377\37\377?\377\177", ) , ) == 0x0 01433 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\3\0\0\0(\0\0\200\5\0\0\0@\0\0\200\16\0\0\0h\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\200\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0i\0\0\0\230\0\0\200j\0\0\0\260\0\0\200o\0\0\0\310\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0g\0\0\0\340\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\370\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0(\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\08\1\0\0H\201\3\0\350\2\0\0\0\0\0\0\0\0\0\00\204\3\0\0\1\0\0\0\0\0\0\0\0\0\00\205\3\0\34\1\0\0\0\0\0\0\0\0\0\0P\206\3\0`\0\0\0\0\0\0\0\0\0\0\0\260\206\3\0\24\0\0\0\0\0\0\0\0\0\0\0(\0\0\0 \0\0\0@\0\0\0\1\0\4\0\0\0\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\200\0\0\0\200\200\0\0\0\0\200\0\0\200\200\0\200\0\200\0\200\200\200\0\300\300\300\0\0\377\0\0\377\0\0\0\377\377\0\0\0\0\377\0\0\377\377\0\377\0\377\0\377\377\377\0\0\0\0\0\0\0\0\7w\0\0\0\0\0\0\0\0\0\0\0\0\0\7x\215\335\220\0\0\0\0\0\0x\370\360\0\0\177\217\210\335\231\220\0\0\0\0\0\177\217\200p\7\207\370\375\331\231\210\0\0\0\0\0x\370\360", ) , ) == 0x0 01434 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\177\217\200xw\207\207\370\331\210\213\260\0\0\0\0x\370\360\207xxxp\11\213\273\260\0\0\0\0\177\217\200xw\207\207\0\0\273\270\200\0\0\0\0x\370\360\207x\210\273\0\0xxp\0\0\0\0\177\217\200xx\273\211\260\7\207\207\200\0\0\0\0\177\377\360\207{\270\233\275\377xxp\0\0\0\0\177\377\360xw\211\273\275\370\367\207\0\0\0\0\0\177\377\360\207\207\233\273\335\217\217x\10\210\210\0\0\177\377\360\210\210{\275\335\210\370\360\0\0\210p\0\177\377\360\210\210\7}\335\210\200\7ww\210p\0\177\377\360\210\210\17\367ww\177\377\377\377\377p\0wwp\210\210\7wwwwwwwxp\0wwp\210\210\0\0\0\0\0\0\0\0\0\200\7\377\377\367\10\210\7\210\210\210\210\210\210\210\207\0wwwwp\210\7\377\377\377\377\377\377\377\207\0\0\0\7ww\10\7\360\0\0\0\0\0\17\207\0\0\0\0wwp\7\360\0\0\0\0\0\17\207\0\0\0\0\7\377\377\7\360\0\0\360\17\0\17\207\0\0\0\0\0wwp\360\0\0\360\17\0\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\17\377\360\0\0\17\207\0\0\0\0\0\0\0\7\360\0\377\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\377\377\377\377\377\377\377\207\0\0\0\0\0\0\0\0wwwwwwww\0\377\376\7\377\300\370\1\377\300p\0\377\300 \0\177\300\0\0\177\300\0\0?\300\0\0?\300\0`?\300\0`?\300\0\0?\300\0\0?\300\0\0\3\300\0\0\1\300\0\0\0\300\0\0\0\300\0\0\0\300\0\0\0", ) , ) == 0x0 01435 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\370\0\0\1\374\0\0\1\376\0\0\1\377\0\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\374\0\3\1\0\377\377\0\0\0\0\0\0\0\0H\10\312\200\6\0\0\0\0\0\30\1\242\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\3@\253\0\216\02\0\16\0\3\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\337\0\216\02\0\16\0\1\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1P\7\0\216\02\0\16\0\2\0\0\0\377\377\200\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\2P\7\0\212\0\13\1\1\0\377\377\377\377\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\2@\7\0\6\0\12\1\202\0\372\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\2X;\0\221\0l\0\10\0\4\4\0\0\377\377\202\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0H\4\0@\5\0\0\0\0\0\12\1\202\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\0\0\200P\30\0\12\0\361\0\13\0\354\3\0\0m\0s\0c\0t\0l\0s\0_\0p\0r\0o\0g\0r\0e\0s\0s\03\02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\0\0P\30\0\0\0\361\0\10\0\356\3\0\0\377\377\202\0\0\0\0\0\0\0\0\0\0\0\0\0\5@\201@\0\0\31\0\11\1h\0\370\3\0\0S\0y\0s\0L\0i\0s\0", ) , ) == 0x0 01436 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0P\0\0\0\0\26\0\24\0\7\4\0\0\377\377\202\0\377\377g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\0\0\34\0<\0\16\0\3\4\0\0\377\377\200\0\0\0\0\0\0\0\0\0\1\0\377\377\0\0\0\0\0\0\0\0\310\10\0\200\1\0\0\0\0\0\242\0\26\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\1\0\2P\7\0\7\0\224\0\10\0\6\4\0\0\377\377\202\0\0\0\0\0\0\0\1\0\1\0 \20\0\1\0\4\0\350\2\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01437 424 NtReadFile (176, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (176, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\360\10\0\0\370-\1\0C\2\0\200\355T1\213\23Q\20\236\23\357\270\313\31T\320\306\352\35x\210r\204;\5\11i$\354\255\30\3416\301DTH\341Kv\222[nw\337\343\355[\223t\301F+Q\301\306F\260\260\25+\261\260\272\342j\253\3m\374\11j#\26g\234\315f\2755\230\323\316\302|0\373\315\233\331\371fv\31\336}\0`30D\304\221\233\237\5\310\20W\346\342\2705\37\307?\315\303\371H!\16\0<'\372<\370{\300?\306{\232a\364K`v\304\311y\201\354\25L1\305\24\3773\26\311\216\247\356\205\361\334\311\11uG\310\226 \276_\17\217\345N\220=\246+'\237\4n\337x\350=};\363\201\356\243$g\20\227\17\321\343u\361\353\366\275\235_r\26q\347\34=>\276{p\372Y\\27\315rk\302\234I\35\22_Y\2447^\34\335\355l\307\232g)\26N\370\206\231\203~\314\367\345e\330(\226\254\252i\324Je\13\366\236\364\301(\324k\350\311zC\251\264_\257p\245=\231sE\336\252%\313\254\345\326\315J\342\212&O\334\262q3\322\2557V/^\266\257#\214xm5\177!\207]L\347\352\3439+t\335@\2644+\371\201\346\256\313\252\275@\243\307\356\234\317\255\345ap\267\317\252\250C\11\6\367\317h\326Q\216\306\2\3C!\327\310Z\302\265Q\321\331TJ(fcSxRa\208~\233\331\\363%f\10\245B\251\321fN\334\0\325%0\273\330\14\207BfW+\336\324i\17\207ZQ\247HE\13\326r\dP\16\265\14\365~\313\352\226#%\332\3210B\366\330:j\356\270\1\253\11f\270\216l\10\256\354\321XB\242\37I\15uZ\373\332\5\226", ) , ) == 0x0 01438 424 NtClose (176, ... ) == 0x0 01439 424 NtUserDestroyWindow (131250, ... 01440 424 NtUserRemoveProp (131250, 43288, ... ) == 0xffffffff 01441 424 NtUserRemoveProp (131250, 43282, ... ) == 0x0 01442 424 NtUserRemoveProp (131250, 43287, ... ) == 0x0 01439 424 NtUserDestroyWindow ... ) == 0x1 01443 424 NtUserUnregisterClass (1244636, 1998258176, 1244624, ... ) == 0x1 01444 424 NtUserModifyUserStartupInfoFlags (1, 0, ... ) == 0x810d4da8 01445 424 NtUserGetDCEx (0, 0, 3, ... ) == 0x1010050 01446 424 NtGdiSetupPublicCFONT (16842832, 0, 0, ... ) == 0x100 01447 424 NtGdiGetTextExtent (16842832, 1351816, 10, 1244068, 1, ... 
) == 0x1 01448 424 NtUserGetForegroundWindow (... ) == 0x20064 01449 424 NtUserQueryWindow (131172, 0, ... ) == 0x7f4 01450 424 NtUserQueryWindow (131172, 1, ... ) == 0x7f8 01451 424 NtGdiSetupPublicCFONT (16842832, 0, 0, ... ) == 0x100 01452 424 NtGdiGetTextMetricsW (16842832, 1242988, 68, ... ) == 0x1 01453 424 NtGdiGetTextCharsetInfo (16842832, 0, 0, ... ) == 0x0 01454 424 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x60403f0 01455 424 NtGdiGetRandomRgn (16842832, 100926448, 1, ... ) == 0x0 01456 424 NtGdiIntersectClipRect (16842832, 0, 0, 565, 738, ... ) == 0x3 01457 424 NtGdiExtSelectClipRgn (16842832, 0, 5, ... ) == 0x2 01458 424 NtGdiSetupPublicCFONT (0, 50987263, 6, ... ) == 0x3 01459 424 NtGdiGetTextCharsetInfo (16842832, 0, 0, ... ) == 0x0 01460 424 NtGdiGetRandomRgn (16842832, 117703664, 1, ... ) == 0x0 01461 424 NtGdiIntersectClipRect (16842832, 0, 0, 355, 738, ... ) == 0x3 01462 424 NtGdiExtSelectClipRgn (16842832, 0, 5, ... ) == 0x2 01463 424 NtUserCallOneParam (16842832, 56, ... ) == 0x1 01464 424 NtUserFindExistingCursorIcon (1242856, 1242872, 1243440, ... ) == 0x10011 01465 424 NtUserSetCursor (65553, ... ) == 0x10015 01466 424 NtUserCallOneParam (1, 49, ... ) == 0x1 01467 424 NtUserFindExistingCursorIcon (1242808, 1242824, 1243392, ... ) == 0x10015 01468 424 NtUserSetCursor (65557, ... ) == 0x10011 01469 424 NtGdiCreateCompatibleDC (0, ... ) == 0x70103ea 01470 424 NtGdiExtGetObjectW (50987263, 92, 1243136, ... ) == 0x5c 01471 424 NtGdiHfontCreate (1242572, 356, 0, 0, 1329216, ... ) == 0x60a03e9 01472 424 NtGdiGetTextMetricsW (117507050, 1243076, 68, ... ) == 0x1 01473 424 NtGdiGetWidthTable (117507050, 52, 1407432, 308, 1408048, 1406800, 1406816, ... ) == 0x1 01474 424 NtGdiDeleteObjectApp (117507050, ... ) == 0x1 01475 424 NtUserGetForegroundWindow (... ) == 0x20064 01476 424 NtUserQueryWindow (131172, 0, ... ) == 0x7f4 01477 424 NtUserQueryWindow (131172, 1, ... ) == 0x7f8 01478 424 NtUserGetAtomName (32770, 1242012, ... 
) == 0x6 01479 424 NtUserCreateWindowEx (65793, 32770, 32770, (65793, 32770, 32770, "NSIS Error", -2134375995, 300, 306, 431, 185, 0, 0, 2010382336, 0, 1073742848, 0, ... , -2134375995, 300, 306, 431, 185, 0, 0, 2010382336, 0, 1073742848, 0, ... 01480 424 NtUserSetWindowFNID (196786, 676, ... ) == 0x1 01481 424 NtUserCallHwndParam (196786, 1353564, 78, ... ) == 0x14a75c 01482 424 NtUserMessageCall (0x300b2, WM_NCCREATE, 0x0, 0x12f348, 0, 670, 0, ... ) == 0x1 01483 424 NtUserMessageCall (0x300b2, WM_NCCALCSIZE, 0x0, 0x12f370, 0, 670, 0, ... ) == 0x0 01484 424 NtUserGetClassName (196786, 0, 1241136, ... ) == 0x6 01485 424 NtUserRemoveProp (196786, 43282, ... ) == 0x0 01486 424 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 0, 0, 0, 0} (24, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\0\0\0\0\250\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 420, 424, 1532, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\0\0\0\0\250\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 420, 424, 1532, 0} (24, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\0\0\0\0\250\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 420, 424, 1532, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\0\0\0\0\250\1\0\0\0\0\0\0" ) ) == 0x0 01487 424 NtUserGetThreadDesktop (424, 0, ... ) == 0x2c 01488 424 NtUserGetObjectInformation (44, 2, 1240812, 520, 0, ... ) == 0x1 01489 424 NtGdiDeleteObjectApp (101712879, ... ) == 0x1 01490 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01491 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01492 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01493 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01494 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01495 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01496 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01497 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01498 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01499 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01500 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01501 424 NtUserCallOneParam (16842836, 56, ... 
) == 0x1 01502 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01503 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01504 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01505 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01506 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01507 424 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x71003ef 01508 424 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01509 424 NtUserSetProp (196786, 43288, 8801104, ... ) == 0x1 01479 424 NtUserCreateWindowEx ... ) == 0x300b2 01510 424 NtUserCallHwndLock (196786, 89, ... ) == 0x1 01511 424 NtUserGetAtomName (49175, 1242012, ... ) == 0x6 01512 424 NtUserCreateWindowEx (4, 49175, 49175, (4, 49175, 49175, "OK", 1342373889, 174, 119, 75, 23, 196786, 1, 2010382336, 0, 1073742848, 0, ... , 1342373889, 174, 119, 75, 23, 196786, 1, 2010382336, 0, 1073742848, 0, ... 01513 424 NtUserSetWindowFNID (65750, 673, ... ) == 0x1 01514 424 NtUserSetWindowLong (65750, 0, 1407580, 0, ... ) == 0x0 01515 424 NtUserMessageCall (0x100d6, WM_NCCREATE, 0x0, 0x12f348, 0, 670, 0, ... ) == 0x1 01516 424 NtUserMessageCall (0x100d6, WM_NCCALCSIZE, 0x0, 0x12f370, 0, 670, 0, ... ) == 0x0 01517 424 NtUserSetProp (65750, 43288, -1, ... ) == 0x1 01512 424 NtUserCreateWindowEx ... ) == 0x100d6 01518 424 NtUserGetAtomName (49177, 1242012, ... ) == 0x6 01519 424 NtUserCreateWindowEx (4, 49177, 49177, "1342308355, 11, 11, 0, 0, 196786, 20, 2010382336, 0, 1073742848, 0, ... 01520 424 NtUserSetWindowFNID (65752, 680, ... ) == 0x1 01521 424 NtUserSetWindowLong (65752, 0, 1403640, 0, ... ) == 0x0 01522 424 NtUserMessageCall (0x100d8, WM_NCCREATE, 0x0, 0x12f348, 0, 670, 0, ... ) == 0x1 01523 424 NtUserMessageCall (0x100d8, WM_NCCALCSIZE, 0x0, 0x12f370, 0, 670, 0, ... ) == 0x0 01524 424 NtUserSetProp (65752, 43288, -1, ... ) == 0x1 01525 424 NtUserFindExistingCursorIcon (1240800, 1240816, 1241384, ... ) == 0x0 01526 424 NtUserFindExistingCursorIcon (1240800, 1240816, 1241384, ... 
) == 0x0 01527 424 NtUserFindExistingCursorIcon (1240800, 1240816, 1241384, ... ) == 0x10009 01528 424 NtUserGetIconSize (65545, 0, 1241404, 1241408, ... ) == 0x1 01529 424 NtUserGetCursorFrameInfo (65545, 0, 1241440, 1241416, ... ) == 0x10009 01530 424 NtUserSetWindowPos (65752, 0, 0, 0, 32, 32, 22, ... 01531 424 NtUserMessageCall (0x100d8, WM_WINDOWPOSCHANGING, 0x0, 0x12f0b8, 0, 670, 0, ... ) == 0x0 01532 424 NtUserMessageCall (0x100d8, WM_NCCALCSIZE, 0x1, 0x12f08c, 0, 670, 0, ... ) == 0x0 01530 424 NtUserSetWindowPos ... ) == 0x1 01519 424 NtUserCreateWindowEx ... ) == 0x100d8 01533 424 NtUserGetAtomName (49177, 1242012, ... ) == 0x6 01534 424 NtUserCreateWindowEx (4, 49177, 49177, "The installer you are trying to use is corrupted or incomplete. 01535 424 NtUserSetWindowFNID (65754, 680, ... ) == 0x1 01536 424 NtUserSetWindowLong (65754, 0, 1403616, 0, ... ) == 0x0 01537 424 NtUserMessageCall (0x100da, WM_NCCREATE, 0x0, 0x12f348, 0, 670, 0, ... 01538 424 NtAllocateVirtualMemory (-1, 5677056, 0, 4096, 4096, 32, ... 5677056, 4096, ) == 0x0 01537 424 NtUserMessageCall ... ) == 0x1 01539 424 NtUserMessageCall (0x100da, WM_NCCALCSIZE, 0x0, 0x12f370, 0, 670, 0, ... ) == 0x0 01540 424 NtUserSetProp (65754, 43288, -1, ... ) == 0x1 01534 424 NtUserCreateWindowEx ... ) == 0x100da 01541 424 NtUserSetWindowLong (196786, -21, 1244512, 0, ... ) == 0x0 01542 424 NtUserCallHwnd (196786, 72, ... ) == 0xbc649cb0 01543 424 NtAllocateVirtualMemory (-1, 0, 0, 131064, 8192, 4, ... 10027008, 131072, ) == 0x0 01544 424 NtAllocateVirtualMemory (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0 01545 424 NtUserSetFocus (65750, ... 01546 424 NtUserMessageCall (0x300b2, WM_NCACTIVATE, 0x1, 0xffffffff, 0, 670, 0, ... ) == 0x1 01547 424 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01548 424 NtUserGetWindowDC (196786, ... ) == 0x1010051 01549 424 NtGdiGetTextMetricsW (16842833, 1241072, 68, ... 
) == 0x1 01550 424 NtGdiGetRandomRgn (16842833, 134480880, 1, ... ) == 0x0 01551 424 NtGdiIntersectClipRect (16842833, 0, 0, 0, 0, ... ) == 0x3 01552 424 NtGdiGetWidthTable (16842833, 10, 1334336, 266, 1334868, 1407664, 1407680, ... ) == 0x1 01553 424 NtGdiExtSelectClipRgn (16842833, 0, 5, ... ) == 0x1 01554 424 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01555 424 NtUserCalcMenuBar (196786, 3, 3, 29, 8801288, ... ) == 0x0 01556 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 1241040, 690, 0, ... 01557 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01556 424 NtUserMessageCall ... ) == 0x0 01558 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 1241040, 690, 0, ... 01559 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01558 424 NtUserMessageCall ... ) == 0x0 01560 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 1241040, 690, 0, ... 01561 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01560 424 NtUserMessageCall ... ) == 0x0 01562 424 NtUserGetTitleBarInfo (196786, 1241668, ... ) == 0x1 01563 424 NtUserGetDCEx (196786, 0, 66561, ... ) == 0x1010053 01564 424 NtGdiExcludeClipRect (16842835, 3, 29, 428, 182, ... ) == 0x3 01565 424 NtGdiDrawStream (16842835, 96, 1241072, ... ) == 0x1 01566 424 NtGdiDrawStream (16842835, 96, 1241072, ... ) == 0x1 01567 424 NtGdiDrawStream (16842835, 96, 1241072, ... ) == 0x1 01568 424 NtGdiCreateCompatibleBitmap (16842835, 431, 29, ... ) == 0xc0503ea 01569 424 NtGdiCreateCompatibleDC (16842835, ... ) == 0x70103ec 01570 424 NtGdiSelectBitmap (117507052, 201655274, ... ) == 0x185000f 01571 424 NtGdiDrawStream (117507052, 96, 1240964, ... ) == 0x1 01572 424 NtGdiDrawStream (117507052, 96, 1240920, ... ) == 0x1 01573 424 NtGdiDrawStream (117507052, 96, 1240920, ... ) == 0x1 01574 424 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01575 424 NtGdiGetRandomRgn (117507052, 151258096, 1, ... 
) == 0x0 01576 424 NtGdiIntersectClipRect (117507052, 8, 8, 403, 25, ... ) == 0x3 01577 424 NtGdiExtSelectClipRgn (117507052, 0, 5, ... ) == 0x2 01578 424 NtGdiGetRandomRgn (117507052, 168035312, 1, ... ) == 0x0 01579 424 NtGdiIntersectClipRect (117507052, 7, 7, 402, 25, ... ) == 0x3 01580 424 NtGdiExtSelectClipRgn (117507052, 0, 5, ... ) == 0x2 01581 424 NtGdiBitBlt (16842835, 0, 0, 431, 29, 117507052, 0, 0, 13369376, -1, 0, ... ) == 0x1 01582 424 NtGdiSelectBitmap (117507052, 25493519, ... ) == 0xc0503ea 01583 424 NtGdiDeleteObjectApp (117507052, ... ) == 0x1 01584 424 NtGdiDeleteObjectApp (201655274, ... ) == 0x1 01585 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01545 424 NtUserSetFocus ... ) == 0x0 01586 424 NtUserSetWindowLong (65750, -12, 2, 0, ... ) == 0x1 01587 424 NtUserGetClassName (65750, 0, 1242556, ... ) == 0x6 01588 424 NtUserGetClassName (65752, 0, 1242556, ... ) == 0x6 01589 424 NtUserGetClassName (65754, 0, 1242556, ... ) == 0x6 01590 424 NtUserGetAncestor (196786, 1, ... ) == 0x10014 01591 424 NtUserSetWindowPos (196786, 0, 300, 306, 431, 185, 1047, ... ) == 0x1 01592 424 NtUserMessageCall (0x300b2, 0x128, 0x30001, 0x0, 0, 670, 0, ... 01593 424 NtUserMessageCall (0x100d6, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 01594 424 NtUserMessageCall (0x100d8, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 01595 424 NtUserMessageCall (0x100da, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 01592 424 NtUserMessageCall ... ) == 0x0 01596 424 NtUserShowWindow (196786, 1, ... 01597 424 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01598 424 NtUserGetWindowDC (196786, ... ) == 0x1010053 01599 424 NtGdiGetRandomRgn (16842835, 184812528, 1, ... ) == 0x0 01600 424 NtGdiIntersectClipRect (16842835, 0, 0, 0, 0, ... ) == 0x3 01601 424 NtGdiGetCharSet (16842835, ... ) == 0x4e4 01602 424 NtGdiExtSelectClipRgn (16842835, 0, 5, ... ) == 0x2 01603 424 NtUserCallOneParam (16842835, 56, ... 
) == 0x1 01604 424 NtUserCalcMenuBar (196786, 3, 3, 29, 8801288, ... ) == 0x0 01605 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 1241656, 690, 0, ... 01606 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01605 424 NtUserMessageCall ... ) == 0x0 01607 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 1241656, 690, 0, ... 01608 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01607 424 NtUserMessageCall ... ) == 0x0 01609 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 1241656, 690, 0, ... 01610 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01609 424 NtUserMessageCall ... ) == 0x0 01611 424 NtUserGetTitleBarInfo (196786, 1242284, ... ) == 0x1 01612 424 NtUserGetDCEx (196786, 0, 66561, ... ) == 0x1010051 01613 424 NtGdiExcludeClipRect (16842833, 3, 29, 428, 182, ... ) == 0x3 01614 424 NtGdiDrawStream (16842833, 96, 1241688, ... ) == 0x1 01615 424 NtGdiDrawStream (16842833, 96, 1241688, ... ) == 0x1 01616 424 NtGdiDrawStream (16842833, 96, 1241688, ... ) == 0x1 01617 424 NtGdiCreateCompatibleBitmap (16842833, 431, 29, ... ) == 0x100503ea 01618 424 NtGdiCreateCompatibleDC (16842833, ... ) == 0x70103e7 01619 424 NtGdiSelectBitmap (117507047, 268764138, ... ) == 0x185000f 01620 424 NtGdiDrawStream (117507047, 96, 1241580, ... ) == 0x1 01621 424 NtGdiDrawStream (117507047, 96, 1241536, ... ) == 0x1 01622 424 NtGdiDrawStream (117507047, 96, 1241536, ... ) == 0x1 01623 424 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01624 424 NtGdiGetRandomRgn (117507047, 201589744, 1, ... ) == 0x0 01625 424 NtGdiIntersectClipRect (117507047, 8, 8, 403, 25, ... ) == 0x3 01626 424 NtGdiExtSelectClipRgn (117507047, 0, 5, ... ) == 0x2 01627 424 NtGdiGetRandomRgn (117507047, 218366960, 1, ... ) == 0x0 01628 424 NtGdiIntersectClipRect (117507047, 7, 7, 402, 25, ... ) == 0x3 01629 424 NtGdiExtSelectClipRgn (117507047, 0, 5, ... 
) == 0x2 01630 424 NtGdiBitBlt (16842833, 0, 0, 431, 29, 117507047, 0, 0, 13369376, -1, 0, ... ) == 0x1 01631 424 NtGdiSelectBitmap (117507047, 25493519, ... ) == 0x100503ea 01632 424 NtGdiDeleteObjectApp (117507047, ... ) == 0x1 01633 424 NtGdiDeleteObjectApp (268764138, ... ) == 0x1 01634 424 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01635 424 NtUserFillWindow (196786, 196786, 16842834, 4, ... 01636 424 NtUserGetAncestor (196786, 1, ... ) == 0x10014 01637 424 NtUserGetAncestor (65556, 1, ... ) == 0x0 01635 424 NtUserFillWindow ... ) == 0x1 01638 424 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01639 424 NtUserGetWindowDC (196786, ... ) == 0x1010053 01640 424 NtGdiGetRandomRgn (16842835, 235144176, 1, ... ) == 0x0 01641 424 NtGdiIntersectClipRect (16842835, 0, 0, 0, 0, ... ) == 0x3 01642 424 NtGdiGetCharSet (16842835, ... ) == 0x4e4 01643 424 NtGdiExtSelectClipRgn (16842835, 0, 5, ... ) == 0x2 01644 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01645 424 NtUserCalcMenuBar (196786, 3, 3, 29, 8801288, ... ) == 0x0 01646 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 1241940, 690, 0, ... 01647 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01646 424 NtUserMessageCall ... ) == 0x0 01648 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 1241940, 690, 0, ... 01649 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01648 424 NtUserMessageCall ... ) == 0x0 01650 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 1241940, 690, 0, ... 01651 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01650 424 NtUserMessageCall ... ) == 0x0 01652 424 NtUserGetTitleBarInfo (196786, 1242568, ... ) == 0x1 01653 424 NtUserBuildHwndList (0, 196786, 1, 0, 64, ... (0x100d6, 0x100d8, 0x100da, 0x1, ), 4, ) == 0x0 01654 424 NtUserGetWindowDC (0, ... ) == 0x1010054 01655 424 NtUserCallOneParam (16842836, 56, ... 
) == 0x1 01656 424 NtGdiExtCreateRegion (0, 112, 8799840, ... ) == 0x120403ea 01657 424 NtGdiOffsetRgn (302253034, 0, 0, ... ) == 0x3 01658 424 NtGdiCombineRgn (251921392, 302253034, 251921392, 5, ... ) == 0x3 01659 424 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x80403e7 01660 424 NtGdiCombineRgn (251921392, 134480871, 251921392, 2, ... ) == 0x3 01661 424 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x30403ed 01662 424 NtGdiCombineRgn (251921392, 50594797, 251921392, 2, ... ) == 0x3 01663 424 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x604040d 01664 424 NtGdiCombineRgn (251921392, 100926477, 251921392, 2, ... ) == 0x3 01665 424 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0xa040407 01666 424 NtGdiCombineRgn (251921392, 168035335, 251921392, 2, ... ) == 0x3 01667 424 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x704040f 01668 424 NtGdiCombineRgn (117703695, 251921392, 0, 5, ... ) == 0x3 01669 424 NtUserSetWindowRgn (196786, 251921392, 1, ... 01670 424 NtUserMessageCall (0x300b2, WM_NCCALCSIZE, 0x1, 0x12f50c, 0, 670, 0, ... ) == 0x0 01671 424 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01672 424 NtUserGetWindowDC (196786, ... ) == 0x1010053 01673 424 NtGdiGetRandomRgn (16842835, 184812551, 1, ... ) == 0x0 01674 424 NtGdiIntersectClipRect (16842835, 0, 0, 0, 0, ... ) == 0x3 01675 424 NtGdiGetCharSet (16842835, ... ) == 0x4e4 01676 424 NtGdiExtSelectClipRgn (16842835, 0, 5, ... ) == 0x3 01677 424 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01678 424 NtUserCalcMenuBar (196786, 3, 3, 29, 8801288, ... ) == 0x0 01679 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 1240740, 690, 0, ... 01680 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01679 424 NtUserMessageCall ... ) == 0x0 01681 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 1240740, 690, 0, ... 01682 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01681 424 NtUserMessageCall ... 
) == 0x0 01683 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 1240740, 690, 0, ... 01684 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01683 424 NtUserMessageCall ... ) == 0x0 01685 424 NtUserGetTitleBarInfo (196786, 1241368, ... ) == 0x1 01686 424 NtUserGetDCEx (196786, 0, 66561, ... ) == 0x1010052 01687 424 NtGdiExcludeClipRect (16842834, 3, 29, 428, 182, ... ) == 0x3 01688 424 NtGdiDrawStream (16842834, 96, 1240772, ... ) == 0x1 01689 424 NtGdiDrawStream (16842834, 96, 1240772, ... ) == 0x1 01690 424 NtGdiDrawStream (16842834, 96, 1240772, ... ) == 0x1 01691 424 NtGdiCreateCompatibleBitmap (16842834, 431, 29, ... ) == 0x60503e4 01692 424 NtGdiCreateCompatibleDC (16842834, ... ) == 0x80103bb 01693 424 NtGdiSelectBitmap (134284219, 100991972, ... ) == 0x185000f 01694 424 NtGdiDrawStream (134284219, 96, 1240664, ... ) == 0x1 01695 424 NtGdiDrawStream (134284219, 96, 1240620, ... ) == 0x1 01696 424 NtGdiDrawStream (134284219, 96, 1240620, ... ) == 0x1 01697 424 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01698 424 NtGdiGetRandomRgn (134284219, 201589767, 1, ... ) == 0x0 01699 424 NtGdiIntersectClipRect (134284219, 8, 8, 403, 25, ... ) == 0x3 01700 424 NtGdiExtSelectClipRgn (134284219, 0, 5, ... ) == 0x2 01701 424 NtGdiGetRandomRgn (134284219, 218366983, 1, ... ) == 0x0 01702 424 NtGdiIntersectClipRect (134284219, 7, 7, 402, 25, ... ) == 0x3 01703 424 NtGdiExtSelectClipRgn (134284219, 0, 5, ... ) == 0x2 01704 424 NtGdiBitBlt (16842834, 0, 0, 431, 29, 134284219, 0, 0, 13369376, -1, 0, ... ) == 0x1 01705 424 NtGdiSelectBitmap (134284219, 25493519, ... ) == 0x60503e4 01706 424 NtGdiDeleteObjectApp (134284219, ... ) == 0x1 01707 424 NtGdiDeleteObjectApp (100991972, ... ) == 0x1 01708 424 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01709 424 NtUserFillWindow (196786, 196786, 16842833, 4, ... 01710 424 NtUserGetAncestor (196786, 1, ... 
) == 0x10014 01711 424 NtUserGetAncestor (65556, 1, ... ) == 0x0 01709 424 NtUserFillWindow ... ) == 0x1 01669 424 NtUserSetWindowRgn ... ) == 0x1 01596 424 NtUserShowWindow ... ) == 0x0 01712 424 NtUserCallHwndLock (196786, 93, ... 01713 424 NtUserMessageCall (0x300b2, WM_PAINT, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01714 424 NtUserBeginPaint (0x100d6, 1242940, ... 01715 424 NtUserMessageCall (0x100d6, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01714 424 NtUserBeginPaint ... ) == 0x1010051 01716 424 NtUserGetControlBrush (0x100d6, 16842833, 309, ... ) == 0x1100056 01717 424 NtGdiIntersectClipRect (16842833, 0, 0, 75, 23, ... ) == 0x3 01718 424 NtGdiIntersectClipRect (16842833, 3, 3, 72, 20, ... ) == 0x3 01719 424 NtUserEndPaint (0x100d6, 1242940, ... ) == 0x1 01720 424 NtUserBeginPaint (0x100d8, 1242952, ... 01721 424 NtUserMessageCall (0x100d8, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01720 424 NtUserBeginPaint ... ) == 0x1010051 01722 424 NtGdiIntersectClipRect (16842833, 0, 0, 32, 32, ... ) == 0x3 01723 424 NtUserGetControlBrush (0x100d8, 16842833, 312, ... ) == 0x1100056 01724 424 NtGdiGetDCDword (16842833, 7, 1242672, ... ) == 0x1 01725 424 NtUserDrawIconEx (16842833, 0, 0, 65545, 32, 32, 0, 17825878, 3, 0, 1242716, ... ) == 0x1 01726 424 NtUserEndPaint (0x100d8, 1242952, ... ) == 0x1 01727 424 NtUserBeginPaint (0x100da, 1242952, ... 01728 424 NtUserMessageCall (0x100da, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01727 424 NtUserBeginPaint ... ) == 0x1010051 01729 424 NtGdiIntersectClipRect (16842833, 0, 0, 357, 93, ... ) == 0x3 01730 424 NtUserGetControlBrush (0x100da, 16842833, 312, ... ) == 0x1100056 01731 424 NtGdiGetTextCharsetInfo (16842833, 0, 0, ... ) == 0x0 01732 424 NtUserEndPaint (0x100da, 1242952, ... ) == 0x1 01712 424 NtUserCallHwndLock ... ) == 0x1 01733 424 NtUserPeekMessage (0, 0, 0, 1, ... 01734 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1240804, ... 
) }, 1240804, ... ) == 0x0 01735 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0 01736 424 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 176, ... 172, ) == 0x0 01737 424 NtClose (176, ... ) == 0x0 01738 424 NtMapViewOfSection (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 45056, ) == 0x0 01739 424 NtClose (172, ... ) == 0x0 01740 424 NtUnmapViewOfSection (-1, 0x9b0000, ... ) == 0x0 01741 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241120, ... ) }, 1241120, ... ) == 0x0 01742 424 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241120, ... ) }, 1241120, ... ) == 0x0 01743 424 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01744 424 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 172, ... 176, ) == 0x0 01745 424 NtQuerySection (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01746 424 NtClose (172, ... ) == 0x0 01747 424 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x9b0000), 0x0, 49152, ) == STATUS_IMAGE_NOT_AT_BASE 01748 424 NtProtectVirtualMemory (-1, (0x9b1000), 20480, 4, ... (0x9b1000), 20480, 32, ) == 0x0 01749 424 NtProtectVirtualMemory (-1, (0x9b6000), 8192, 4, ... (0x9b6000), 8192, 2, ) == 0x0 01750 424 NtProtectVirtualMemory (-1, (0x9bb000), 4096, 4, ... (0x9bb000), 4096, 2, ) == 0x0 01751 424 NtMapViewOfSection (176, -1, (0x9b0000), 0, 0, 0x0, 49152, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 01752 424 NtProtectVirtualMemory (-1, (0x9b1000), 20480, 16, ... 
(0x9b1000), 20480, 4, ) == 0x0 01753 424 NtProtectVirtualMemory (-1, (0x9b6000), 8192, 2, ... (0x9b6000), 8192, 4, ) == 0x0 01754 424 NtProtectVirtualMemory (-1, (0x9bb000), 4096, 2, ... (0x9bb000), 4096, 8, ) == 0x0 01755 424 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 01756 424 NtClose (176, ... ) == 0x0 01757 424 NtProtectVirtualMemory (-1, (0x9b6000), 256, 4, ... (0x9b6000), 4096, 2, ) == 0x0 01758 424 NtProtectVirtualMemory (-1, (0x9b6000), 4096, 2, ... (0x9b6000), 4096, 4, ) == 0x0 01759 424 NtFlushInstructionCache (-1, 10182656, 256, ... ) == 0x0 01760 424 NtProtectVirtualMemory (-1, (0x9b6000), 256, 4, ... (0x9b6000), 4096, 2, ) == 0x0 01761 424 NtProtectVirtualMemory (-1, (0x9b6000), 4096, 2, ... (0x9b6000), 4096, 4, ) == 0x0 01762 424 NtFlushInstructionCache (-1, 10182656, 256, ... ) == 0x0 01763 424 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01764 424 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10223616, 65536, ) == 0x0 01765 424 NtAllocateVirtualMemory (-1, 10223616, 0, 4096, 4096, 4, ... 10223616, 4096, ) == 0x0 01766 424 NtAllocateVirtualMemory (-1, 10227712, 0, 8192, 4096, 4, ... 10227712, 8192, ) == 0x0 01767 424 NtQueryPerformanceCounter (... {106682781, 0}, {3579545, 0}, ) == 0x0 01768 424 NtUserMessageCall (0x300b2, WM_SETCURSOR, 0x300b2, 0x2000001, 0, 670, 0, ... ) == 0x0 01733 424 NtUserPeekMessage ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6c66, {512, 384}}, ) == 0x1 01769 424 NtUserCallMsgFilter (1243308, 0, ... ) == 0x0 01770 424 NtUserPeekMessage (0, 0, 0, 1, ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6c66, {512, 384}}, ) == 0x0 01771 424 NtUserWaitMessage (... ) == 0x1 01772 424 NtUserPeekMessage (0, 0, 0, 1, ... 
01773 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01772 424 NtUserPeekMessage ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6c66, {512, 384}}, ) == 0x0 01774 424 NtUserWaitMessage (... ) == 0x1 01775 424 NtUserPeekMessage (0, 0, 0, 1, ... 01776 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01775 424 NtUserPeekMessage ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6c66, {512, 384}}, ) == 0x0 01777 424 NtUserWaitMessage (... ) == 0x1 01778 424 NtUserPeekMessage (0, 0, 0, 1, ... 01779 424 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01778 424 NtUserPeekMessage ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6c66, {512, 384}}, ) == 0x0 01780 424 NtUserWaitMessage (...