Summary:


NtAddAtom(>)  1 
NtUserCallOneParam(>)  1 
NtSetInformationObject(>)  3 
NtQueryInformationProcess(>)  13 

NtAdjustPrivilegesToken(>)  1 
NtUserGetDC(>)  1 
NtFsControlFile(>)  4 
NtUnmapViewOfSection(>)  13 

NtCallbackReturn(>)  1 
NtUserGetThreadDesktop(>)  1 
NtOpenThreadToken(>)  4 
NtCreateSection(>)  16 

NtContinue(>)  1 
NtAccessCheck(>)  2 
NtSetValueKey(>)  4 
NtQuerySystemInformation(>)  18 

NtCreateMutant(>)  1 
NtCreateIoCompletion(>)  2 
NtWriteVirtualMemory(>)  4 
NtReadFile(>)  19 

NtCreateProcessEx(>)  1 
NtEnumerateKey(>)  2 
NtGdiGetStockObject(>)  5 
NtWriteFile(>)  20 

NtCreateThread(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryVolumeInformationFile(>)  5 
NtOpenSection(>)  22 

NtDelayExecution(>)  1 
NtOpenDirectoryObject(>)  2 
NtCreateKey(>)  6 
NtQueryAttributesFile(>)  22 

NtDuplicateToken(>)  1 
NtOpenEvent(>)  2 
NtOpenProcessToken(>)  6 
NtOpenProcessTokenEx(>)  24 

NtEnumerateValueKey(>)  1 
NtOpenMutant(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtOpenThreadTokenEx(>)  24 

NtGdiCreateBitmap(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtSetInformationProcess(>)  6 
NtProtectVirtualMemory(>)  27 

NtGdiInit(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserSystemParametersInfo(>)  6 
NtUserUnregisterClass(>)  27 

NtGdiQueryFontAssocInfo(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtQuerySection(>)  7 
NtUserGetClassInfo(>)  28 

NtGdiSelectBitmap(>)  1 
NtQueryVirtualMemory(>)  2 
NtSetInformationThread(>)  7 
NtOpenFile(>)  29 

NtOpenKeyedEvent(>)  1 
NtReadVirtualMemory(>)  2 
NtCreateEvent(>)  8 
NtQueryInformationToken(>)  30 

NtQueryInformationJobObject(>)  1 
NtReleaseMutant(>)  2 
NtRequestWaitReplyPort(>)  8 
NtMapViewOfSection(>)  33 

NtQueryObject(>)  1 
NtTerminateProcess(>)  2 
NtSetInformationFile(>)  9 
NtUserFindExistingCursorIcon(>)  33 

NtQuerySystemTime(>)  1 
NtUserRegisterWindowMessage(>)  2 
NtQueryDebugFilterState(>)  10 
NtAllocateVirtualMemory(>)  35 

NtRegisterThreadTerminatePort(>)  1 
NtUserWaitForInputIdle(>)  2 
NtQueryDirectoryFile(>)  10 
NtUserRegisterClassExWOW(>)  43 

NtResumeThread(>)  1 
NtWaitForSingleObject(>)  2 
NtCreateFile(>)  11 
NtQueryValueKey(>)  50 

NtSecureConnectPort(>)  1 
NtDuplicateObject(>)  3 
NtFlushInstructionCache(>)  13 
NtOpenKey(>)  108 

NtTestAlert(>)  1 
NtFreeVirtualMemory(>)  3 
NtQueryDefaultLocale(>)  13 
NtClose(>)  157 

NtUserCallNoParam(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtQueryInformationFile(>)  13 

Trace:
 00001   508   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   508   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   508   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   508   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   508   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   508   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   508   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   508   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   508   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   508   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   508   NtClose  (12, ... ) == 0x0
 00014   508   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   508   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   508   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   508   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   508   NtClose  (16, ... ) == 0x0
 00021   508   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   508   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   508   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   508   NtClose  (16, ... ) == 0x0
 00026   508   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   508   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   508   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   508   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   508   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 504, 508, 1535, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" )  ... {28, 56, reply, 0, 504, 508, 1535, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 504, 508, 1535, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" )  ) == 0x0
 00032   508   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   508   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   508   NtClose  (16, ... ) == 0x0
 00036   508   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   508   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   508   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   508   NtClose  (28, ... ) == 0x0
 00041   508   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   508   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   508   NtClose  (28, ... ) == 0x0
 00045   508   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   508   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   508   NtClose  (28, ... ) == 0x0
 00049   508   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   508   NtClose  (28, ... ) == 0x0
 00052   508   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   508   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   508   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   508   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... {28, 56, reply, 0, 504, 508, 1546, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" )  ... {28, 56, reply, 0, 504, 508, 1546, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... {28, 56, reply, 0, 504, 508, 1546, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" )  ) == 0x0
 00056   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 128, ) == 0x0
 00057   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 128, ... (0x31428000), 8192, 4, ) == 0x0
 00058   508   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00059   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   508   NtClose  (28, ... ) == 0x0
 00062   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   508   NtClose  (28, ... ) == 0x0
 00065   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00066   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00067   508   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00068   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   508   NtClose  (28, ... ) == 0x0
 00071   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00072   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00073   508   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00074   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   508   NtClose  (28, ... ) == 0x0
 00077   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   508   NtClose  (28, ... ) == 0x0
 00080   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00081   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00082   508   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00083   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   508   NtClose  (28, ... ) == 0x0
 00086   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   508   NtClose  (28, ... ) == 0x0
 00089   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   508   NtClose  (28, ... ) == 0x0
 00092   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   508   NtClose  (28, ... ) == 0x0
 00095   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   508   NtClose  (28, ... ) == 0x0
 00098   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   508   NtClose  (28, ... ) == 0x0
 00101   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00102   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00103   508   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00104   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   508   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00106   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   508   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00109   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   508   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   508   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   508   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   508   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   508   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   508   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   508   NtClose  (40, ... ) == 0x0
 00118   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   508   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   508   NtClose  (40, ... ) == 0x0
 00122   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   508   NtClose  (36, ... ) == 0x0
 00124   508   NtClose  (28, ... ) == 0x0
 00125   508   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   508   NtClose  (32, ... ) == 0x0
 00127   508   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   508   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00131   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   508   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   508   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   508   NtClose  (32, ... ) == 0x0
 00135   508   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   508   NtClose  (28, ... ) == 0x0
 00137   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 4, ... (0x31428000), 8192, 64, ) == 0x0
 00138   508   NtProtectVirtualMemory  (-1, (0x31428000), 8192, 64, ... (0x31428000), 8192, 4, ) == 0x0
 00139   508   NtFlushInstructionCache  (-1, 826441728, 8192, ... ) == 0x0
 00140   508   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   508   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   508   NtClose  (28, ... ) == 0x0
 00143   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   508   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   508   NtClose  (28, ... ) == 0x0
 00146   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   508   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   508   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   508   NtClose  (28, ... ) == 0x0
 00150   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   508   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   508   NtClose  (28, ... ) == 0x0
 00153   508   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   508   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   508   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00158   508   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00159   508   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00160   508   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   508   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00162   508   NtClose  (32, ... ) == 0x0
 00163   508   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00164   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   508   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\36\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\36\1$\1\0\0" ... {28, 56, reply, 0, 504, 508, 1575, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\36\1$\1\0\0" )  ... {28, 56, reply, 0, 504, 508, 1575, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\36\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\36\1$\1\0\0" ... {28, 56, reply, 0, 504, 508, 1575, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\36\1$\1\0\0" )  ) == 0x0
 00166   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   508   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0
 00168   508   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   508   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   508   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00171   508   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   508   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   508   NtClose  (-2147482020, ... ) == 0x0
 00174   508   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0
 00175   508   NtFreeVirtualMemory  (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0
 00176   508   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   508   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00178   508   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   508   NtClose  (-2147482020, ... ) == 0x0
 00180   508   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00181   508   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   508   NtClose  (-2147482020, ... ) == 0x0
 00183   508   NtQueryDefaultLocale  (0, -136148468, ... ) == 0x0
 00184   508   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   508   NtUserCallNoParam  (24, ... ) == 0x0
 00186   508   NtGdiCreateCompatibleDC  (0, ...
 00187   508   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0
 00186   508   NtGdiCreateCompatibleDC  ... ) == 0xf010451
 00188   508   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   508   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   508   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb050458
 00191   508   NtGdiCreateSolidBrush  (0, 0, ...
 00192   508   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00191   508   NtGdiCreateSolidBrush  ... ) == 0x810045b
 00193   508   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   508   NtGdiCreateCompatibleDC  (0, ... ) == 0x601045c
 00195   508   NtGdiSelectBitmap  (100729948, 184878168, ... ) == 0x185000f
 00196   508   NtUserGetThreadDesktop  (508, 0, ... ) == 0x2c
 00197   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   508   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   508   NtClose  (52, ... ) == 0x0
 00200   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00201   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00202   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00203   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00204   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00205   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00206   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00208   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00209   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00210   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00211   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00212   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00213   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00214   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00216   508   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00217   508   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00218   508   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00219   508   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00220   508   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00221   508   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00222   508   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00223   508   NtAllocateVirtualMemory  (-1, 5550080, 0, 4096, 4096, 32, ... 5550080, 4096, ) == 0x0
 00222   508   NtUserRegisterClassExWOW  ... ) == 0x810cc025
 00224   508   NtCallbackReturn  (0, 0, 0, ...
 00225   508   NtGdiInit  (... ) == 0x1
 00226   508   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00227   508   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00228   508   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   508   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00231   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00232   508   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   508   NtClose  (52, ... ) == 0x0
 00234   508   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00235   508   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00236   508   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00237   508   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00238   508   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00239   508   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00240   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00241   508   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00242   508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00243   508   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00244   508   NtClose  (60, ... ) == 0x0
 00245   508   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00246   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00247   508   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00248   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00249   508   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00250   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00251   508   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   508   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   508   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   508   NtClose  (60, ... ) == 0x0
 00255   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00256   508   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   508   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   508   NtClose  (60, ... ) == 0x0
 00259   508   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   508   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00261   508   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   508   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   508   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   508   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00265   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00266   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00267   508   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   508   NtClose  (60, ... ) == 0x0
 00269   508   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00270   508   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00271   508   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00272   508   NtQueryDefaultUILanguage  (1241768, ...
 00273   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00274   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00275   508   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00276   508   NtClose  (-2147482020, ... ) == 0x0
 00277   508   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00278   508   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   508   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00280   508   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   508   NtClose  (-2147482032, ... ) == 0x0
 00282   508   NtClose  (-2147482020, ... ) == 0x0
 00272   508   NtQueryDefaultUILanguage  ... ) == 0x0
 00283   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   508   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00285   508   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   508   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00287   508   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0
 00288   508   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   508   NtQueryDefaultUILanguage  (2013024600, ...
 00290   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00291   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00292   508   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00293   508   NtClose  (-2147482020, ... ) == 0x0
 00294   508   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00295   508   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   508   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00297   508   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   508   NtClose  (-2147482032, ... ) == 0x0
 00299   508   NtClose  (-2147482020, ... ) == 0x0
 00289   508   NtQueryDefaultUILanguage  ... ) == 0x0
 00300   508   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00301   508   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00302   508   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00303   508   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   508   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\36\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 504, 508, 1576, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 504, 508, 1576, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\36\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 504, 508, 1576, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\36\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\36\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00305   508   NtClose  (68, ... ) == 0x0
 00306   508   NtClose  (72, ... ) == 0x0
 00307   508   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00308   508   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00309   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   508   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00318   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00319   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00321   508   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00322   508   NtClose  (68, ... ) == 0x0
 00323   508   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00324   508   NtClose  (76, ... ) == 0x0
 00325   508   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00326   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00327   508   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00328   508   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00329   508   NtClose  (76, ... ) == 0x0
 00330   508   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00331   508   NtClose  (68, ... ) == 0x0
 00332   508   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   508   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   508   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   508   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   508   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   508   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   508   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00339   508   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00340   508   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00341   508   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00342   508   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00343   508   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00344   508   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00345   508   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00346   508   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00347   508   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00348   508   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00349   508   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00350   508   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00351   508   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00352   508   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00353   508   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 00354   508   NtQueryDefaultUILanguage  (1238836, ...
 00355   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00357   508   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   508   NtClose  (-2147482020, ... ) == 0x0
 00359   508   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00360   508   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   508   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00362   508   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   508   NtClose  (-2147482032, ... ) == 0x0
 00364   508   NtClose  (-2147482020, ... ) == 0x0
 00354   508   NtQueryDefaultUILanguage  ... ) == 0x0
 00365   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0
 00367   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00368   508   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00369   508   NtClose  (68, ... ) == 0x0
 00370   508   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0
 00371   508   NtClose  (76, ... ) == 0x0
 00372   508   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00373   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0
 00374   508   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238028,  (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00375   508   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00376   508   NtClose  (76, ... ) == 0x0
 00377   508   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0
 00378   508   NtClose  (68, ... ) == 0x0
 00379   508   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00380   508   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00381   508   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00382   508   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0
 00383   508   NtQueryInformationFile  (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00384   508   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   508   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\36\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 504, 508, 1577, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 504, 508, 1577, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\36\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 504, 508, 1577, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\36\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\36\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ) == 0x0
 00386   508   NtClose  (68, ... ) == 0x0
 00387   508   NtClose  (76, ... ) == 0x0
 00388   508   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00389   508   NtUnmapViewOfSection  (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00390   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00391   508   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00392   508   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00393   508   NtUserGetDC  (0, ... ) == 0x1010051
 00394   508   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00395   508   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00396   508   NtUserSystemParametersInfo  (66, 12, 1240140, 0, ... ) == 0x1
 00397   508   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00398   508   NtAccessCheck  (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00399   508   NtClose  (76, ... ) == 0x0
 00400   508   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00401   508   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   508   NtClose  (76, ... ) == 0x0
 00403   508   NtUserSystemParametersInfo  (41, 500, 1239640, 0, ... ) == 0x1
 00404   508   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00405   508   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   508   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00407   508   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   508   NtClose  (68, ... ) == 0x0
 00409   508   NtClose  (76, ... ) == 0x0
 00410   508   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00411   508   NtUserSystemParametersInfo  (4130, 0, 1240164, 0, ... ) == 0x1
 00412   508   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00413   508   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00414   508   NtClose  (76, ... ) == 0x0
 00415   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00416   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc03b
 00417   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc03d
 00418   508   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00419   508   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc03f
 00420   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00421   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc041
 00422   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00423   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc043
 00424   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc045
 00425   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00426   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc047
 00427   508   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00428   508   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc049
 00429   508   NtUserGetClassInfo  (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049
 00430   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00431   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04b
 00432   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00433   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04d
 00434   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00435   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc04f
 00436   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc051
 00437   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00438   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc053
 00439   508   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00440   508   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc055
 00441   508   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc057
 00442   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00443   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc059
 00444   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10013
 00445   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05b
 00446   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00447   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05d
 00448   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00449   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc05f
 00450   508   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00451   508   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc017
 00452   508   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00453   508   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc019
 00454   508   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10013
 00455   508   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc018
 00456   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00457   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc01a
 00458   508   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00459   508   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810cc01c
 00460   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00461   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc01e
 00462   508   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00463   508   NtUserRegisterClassExWOW  (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810cc01b
 00464   508   NtUserFindExistingCursorIcon  (1239440, 1239456, 1240024, ... ) == 0x10011
 00465   508   NtUserRegisterClassExWOW  (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810cc068
 00466   508   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00467   508   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810cc06a
 00468   508   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00469   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00470   508   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00471   508   NtTestAlert  (... ) == 0x0
 00472   508   NtContinue  (1244464, 1, ...
 00473   508   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3142a000,}, 4, ... ) == 0x0
 00474   508   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 00475   508   NtQueryValueKey  (68,  (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00476   508   NtClose  (68, ... ) == 0x0
 00477   508   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00478   508   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0
 00479   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00480   508   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 504, 508, 1578, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 504, 508, 1578, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 504, 508, 1578, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00481   508   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0
 00482   508   NtClose  (80, ... ) == 0x0
 00483   508   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00484   508   NtClose  (-2147482020, ... ) == 0x0
 00483   508   NtCreateFile  ... 80, {status=0x0, info=3}, ) == 0x0
 00485   508   NtSetInformationFile  (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00486   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "y\377q\06\245!\00\245.\0\313Z!\0\214\245!\04\245!\0t\245;\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\247!\0\216\265!\16+\21(\315\25\35 L\371\204\261\220`\315Hs\24\325SoS\327@m\24\310Ts@\205Ce\24\327Tn\24\320OdQ\327\1W]\313\2229\257\574\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\04\245!\0", ) , ) == 0x0
 00487   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00488   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "a\255\27\34[\231lE[\327X,\224\310@\10\4\246\240\7\374mG\331Ve`\304\374\346\351<6\351S\334\334TKD^\305p\2710\276]\377\22gy}\261\12/Do\15\351\270\274\364^\300R.q\1d3JgU\247a\315H\232 \2\212\341\14\32\267g$R\301\220p\21\276|\22e\24\25\213KJ\315b,\334\7\363\3057\234\311\353j\362\375\2003"\241\302\343\256VC\30\264\3\301%\245+^i\331/8y4\3701i\2767\31\2445\371\225\217\27q\12\230\262\252Q{\255E\203\244\241)#\370w\15\210\4cZ\22u\253\300\311\314\343\11I\320\223:\370j\321f\344Y\22532f\300\15\5'\3314\352\311c\266d\301\321X\12\223\363 \360\227fW\374!\351\257x\213PP\335\341!(5y\241\24\267\237\13\12D\240$\34_\16\367\12\334\365\363<\22\325\217\10b\321T\310q#4\212\351h\315\10\362\245F)\267\234\331\251\317\201\353\232v\346\30R.\345v\344\244\223\20\15\277\344\25\324\235\14\354\}\260$-\370\201\271\365t\250s\314d6\241\221\2317\317\334\255t\5\370\221\330tu\364.|\304\377\374\267\357\270f\211\306\230\25\225Fd\253\300\224\14mr\1\252\15\26\225\22q\11\217\207\26\344\223\302\237\6\250\225\245\237m[\235\242xl\310\21\213\200.kX\31\201&\220Km\1^-F\12\227 Z\336\12\30\335\35\231\25\275E\360\3404Y]\11\213\202\261\340\300\306\3545~-p>{\322PS\306\351\266*\347\2\350MM*5]\23\305&\320\375.\11\351x\21\26\305a\3\246\355\211\211v\375\322\20\376\306\324\340\366\202\17\260\264\223\1\330\272\220\22P\355\351\3243a{\274Q\14\306$?\256:a\262i\247[\230U\374\17", ) \241\302\343\256VC\30\264\3\301%\245+^i\331/8y4\3701i\2767\31\2445\371\225\217\27q\12\230\262\252Q{\255E\203\244\241)#\370w\15\210\4cZ\22u\253\300\311\314\343\11I\320\223:\370j\321f\344Y\22532f\300\15\5'\3314\352\311c\266d\301\321X\12\223\363 \360\227fW\374!\351\257x\213PP\335\341!(5y\241\24\267\237\13\12D\240$\34_\16\367\12\334\365\363<\22\325\217\10b\321T\310q#4\212\351h\315\10\362\245F)\267\234\331\251\317\201\353\232v\346\30R.\345v\344\244\223\20\15\277\344\25\324\235\14\354\}\260$-\370\201\271\365t\250s\314d6\241\221\2317\317\334\255t\5\370\221\330tu\364.|\304\377\374\267\357\270f\211\306\230\25\225Fd\253\300\224\14mr\1\252\15\26\225\22q\11\217\207\26\344\223\302\237\6\250\225\245\237m[\235\242xl\310\21\213\200.kX\31\201&\220Km\1^-F\12\227 Z\336\12\30\335\35\231\25\275E\360\3404Y]\11\213\202\261\340\300\306\3545~-p>{\322PS\306\351\266*\347\2\350MM*5]\23\305&\320\375.\11\351x\21\26\305a\3\246\355\211\211v\375\322\20\376\306\324\340\366\202\17\260\264\223\1\330\272\220\22P\355\351\3243a{\274Q\14\306$?\256:a\262i\247[\230U\374\17", ) == 0x0
 00489   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00490   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\343g*X\214\2674w\5\257-H\347\350\342\30~3m\340a\0\223H4\16\263\345\204 \226},\341a\221\3215DZP\371yY:\376\273\0f\356BTd\301\30d/\30756P\305\260\345\244\300K!X\315p\226w3S\14@\325\15\35\375\305\352zH\220Y@\36$\271C$\331;\301K \265\235\257\305F\20\232\325\232\363\15\16w%&--9\37!1\2743.\2479\256\344\255\14\274\312a\323\313R\13\276\34/f\10\16uU9\302\343\2323\236\354\364\256\254yv\4\315\311d]\203\241g4\307\343>\306\202\3475\270\232I5\58\353$>02kV\4\323\203\310\336#\34\3661\256\241Kt\375\342\13\246"t??\325\342k\233\210\312\221\210A\351\257\0m \3675\213\331\27\320\343@lG"O\31\320&rTF\320D\1\32\246\251\4[P\20\322\276\3657D$\247\26\304\261\333\252w\17\224\350\212|\346e\10\310Zc\267k\245)\215A\252\252|<\242\20\300\276\253\32J\310\320\226~\225\376\257\>W=\16\302f\376\237}\320\303oo\16\320\371#\345\5\165\234\331~\351\0F\5\31a\32\200\14\202.M0\376\332\302FA\244\257[\22\236\202@\12\250\321=\304*\212s/\13\201\304\367\317\356\325Z\376\177\357/yc\240/\177\12\261\376roX\331?\13"\275\256\369\234\325\3559[y\32\264B\3769\377Y\226\0{\2649\33AI\314\355\2\247\220 \243N\351?\264@\376:\202e\314\355.N\303\35\276\311;\221X\275c\305\246Z\343\11\314Bju\304*\202:\277\232\222\4\264\232$\266i\6&\203\345\352 \267;W\336\255\236\22k\20N\242\337\261F\256V\15;\32\350\3~y\213\5\10b\336\321\272\177\336B\321+\30\1", ) t??\325\342k\233\210\312\221\210A\351\257\0m \3675\213\331\27\320\343@lG (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\343g*X\214\2674w\5\257-H\347\350\342\30~3m\340a\0\223H4\16\263\345\204 \226},\341a\221\3215DZP\371yY:\376\273\0f\356BTd\301\30d/\30756P\305\260\345\244\300K!X\315p\226w3S\14@\325\15\35\375\305\352zH\220Y@\36$\271C$\331;\301K \265\235\257\305F\20\232\325\232\363\15\16w%&--9\37!1\2743.\2479\256\344\255\14\274\312a\323\313R\13\276\34/f\10\16uU9\302\343\2323\236\354\364\256\254yv\4\315\311d]\203\241g4\307\343>\306\202\3475\270\232I5\58\353$>02kV\4\323\203\310\336#\34\3661\256\241Kt\375\342\13\246"t??\325\342k\233\210\312\221\210A\351\257\0m \3675\213\331\27\320\343@lG"O\31\320&rTF\320D\1\32\246\251\4[P\20\322\276\3657D$\247\26\304\261\333\252w\17\224\350\212|\346e\10\310Zc\267k\245)\215A\252\252|<\242\20\300\276\253\32J\310\320\226~\225\376\257\>W=\16\302f\376\237}\320\303oo\16\320\371#\345\5\165\234\331~\351\0F\5\31a\32\200\14\202.M0\376\332\302FA\244\257[\22\236\202@\12\250\321=\304*\212s/\13\201\304\367\317\356\325Z\376\177\357/yc\240/\177\12\261\376roX\331?\13"\275\256\369\234\325\3559[y\32\264B\3769\377Y\226\0{\2649\33AI\314\355\2\247\220 \243N\351?\264@\376:\202e\314\355.N\303\35\276\311;\221X\275c\305\246Z\343\11\314Bju\304*\202:\277\232\222\4\264\232$\266i\6&\203\345\352 \267;W\336\255\236\22k\20N\242\337\261F\256V\15;\32\350\3~y\213\5\10b\336\321\272\177\336B\321+\30\1", ) \275\256\369\234\325\3559[y\32\264B\3769\377Y\226\0{\2649\33AI\314\355\2\247\220 \243N\351?\264@\376:\202e\314\355.N\303\35\276\311;\221X\275c\305\246Z\343\11\314Bju\304*\202:\277\232\222\4\264\232$\266i\6&\203\345\352 \267;W\336\255\236\22k\20N\242\337\261F\256V\15;\32\350\3~y\213\5\10b\336\321\272\177\336B\321+\30\1", ) == 0x0
 00491   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00492   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\242N\334\265\264r\215fg,\244\6"%\253\265Cc\244\227K\253V\21R\32\225\22a\251D\211=\5x\6\207b@\35\4\31=\210\200\336\276\240\276(\264>>\245\225\274S\213f\263E\217\3410-\374\27245b#\316\260\7~\271\2752\25t<\377%\310\251!\267\244\37{\320tW\376r\364a\367\5\361a\255s"s%\3475\274)d\13|'\212\200\232/-&\35%\20\254\11A\312\12)\256V\266\302#\334\13{/t\373#\364dv\1\303\340i\4$\3051\363\371W\214\21\335\15\2>\345\243\32\260\256\331B\223\263\241{\1\231\31\372;Q\3533\201\365\350\7%\267t\267\347\6!\\374a{\247\247\254\5 C\342\377\31\210\315NR\4\266\360R\2\1\364!#\201\266\340\257\325\364\344o1\240\26\365\221\326\31|&C\310\350N\0\17\365\35/\30\204\2\207$\322\358/\327\351\310\10\235\358\35\204\7\205\223Bn\2103~\32wo\253\265\3415\251\201\346\3658!\233<\337'\243/\247\17,\361bw\272\236\2247z\302g1\360e(\263`\267\2635\310\320\371\263\246\224\26nX\304N=\30h\5\212a\374\261\35\7lu\17\243/:\0\263I9\1\366\325\370\22\226\253\342^\13\244\323\204o"\12\271a[\325\15\201S%\322ISd\376C\363\371\353\36\264\15\3326\343\335\26\352\330\22:\10\330*`\240\274k\33:?IO\245\341|\25<\201\3\165\271`\340T2C\364w/3\20\300\377\207\2662\254N\21\314U\215\0,E%U\32\254\10*=\241\206\26<\365M\253\210Q2\4\377-\6\247v\243\13H\334=\3229\355\353\224j\301\243\321\354\332\316s\321\347\345\331\234\366\247\25\0g\322_\350K\325J\330\230\265>\322\314\360|8", ) %\253\265Cc\244\227K\253V\21R\32\225\22a\251D\211=\5x\6\207b@\35\4\31=\210\200\336\276\240\276(\264>>\245\225\274S\213f\263E\217\3410-\374\27245b#\316\260\7~\271\2752\25t<\377%\310\251!\267\244\37{\320tW\376r\364a\367\5\361a\255s (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\242N\334\265\264r\215fg,\244\6"%\253\265Cc\244\227K\253V\21R\32\225\22a\251D\211=\5x\6\207b@\35\4\31=\210\200\336\276\240\276(\264>>\245\225\274S\213f\263E\217\3410-\374\27245b#\316\260\7~\271\2752\25t<\377%\310\251!\267\244\37{\320tW\376r\364a\367\5\361a\255s"s%\3475\274)d\13|'\212\200\232/-&\35%\20\254\11A\312\12)\256V\266\302#\334\13{/t\373#\364dv\1\303\340i\4$\3051\363\371W\214\21\335\15\2>\345\243\32\260\256\331B\223\263\241{\1\231\31\372;Q\3533\201\365\350\7%\267t\267\347\6!\\374a{\247\247\254\5 C\342\377\31\210\315NR\4\266\360R\2\1\364!#\201\266\340\257\325\364\344o1\240\26\365\221\326\31|&C\310\350N\0\17\365\35/\30\204\2\207$\322\358/\327\351\310\10\235\358\35\204\7\205\223Bn\2103~\32wo\253\265\3415\251\201\346\3658!\233<\337'\243/\247\17,\361bw\272\236\2247z\302g1\360e(\263`\267\2635\310\320\371\263\246\224\26nX\304N=\30h\5\212a\374\261\35\7lu\17\243/:\0\263I9\1\366\325\370\22\226\253\342^\13\244\323\204o"\12\271a[\325\15\201S%\322ISd\376C\363\371\353\36\264\15\3326\343\335\26\352\330\22:\10\330*`\240\274k\33:?IO\245\341|\25<\201\3\165\271`\340T2C\364w/3\20\300\377\207\2662\254N\21\314U\215\0,E%U\32\254\10*=\241\206\26<\365M\253\210Q2\4\377-\6\247v\243\13H\334=\3229\355\353\224j\301\243\321\354\332\316s\321\347\345\331\234\366\247\25\0g\322_\350K\325J\330\230\265>\322\314\360|8", ) \12\271a[\325\15\201S%\322ISd\376C\363\371\353\36\264\15\3326\343\335\26\352\330\22:\10\330*`\240\274k\33:?IO\245\341|\25<\201\3\165\271`\340T2C\364w/3\20\300\377\207\2662\254N\21\314U\215\0,E%U\32\254\10*=\241\206\26<\365M\253\210Q2\4\377-\6\247v\243\13H\334=\3229\355\353\224j\301\243\321\354\332\316s\321\347\345\331\234\366\247\25\0g\322_\350K\325J\330\230\265>\322\314\360|8", ) == 0x0
 00493   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00494   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=9000},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=9000}, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", ) \274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=9000}, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", ) , ) == 0x0
 00495   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00496   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00497   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215 (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00498   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00499   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00500   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00501   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215 (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00502   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00503   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00504   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00505   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215 (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00506   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00507   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00508   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00509   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215 (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00510   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00511   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00512   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00513   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215 (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00514   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00515   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00516   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00517   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215 (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00518   508   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00519   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00520   508   NtReadFile  (68, 0, 0, 0, 2048, 0x0, 0, ... ) == STATUS_END_OF_FILE
 00521   508   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215 (80, 0, 0, 0, "+\312\343#\25\265\341\11\214\211\363\345P\252\210yRg\240\307t\307:\341*\207\243|5\255\243.l\2634&\27\16\311{u\27\342\270:\251\231%u\31\360\273\275\375\7w\342(Q\30#\35\220\263\363\257\250\34\375\267\\314r\37* <\363\272\301\242\15\373\233Y\250\307{\270\245\317Y\356\317=\334\350\215&\361Ap\214\2106\241\346]4\33\0\264\322M0x\16\303>a\204mA\315\300\270\335\252a7\13\262\236\245t\315J2\31\322\1\323\4_@\272v\307:\256#C\21\215\2738\337\244\316\305\226\206O\5\204lWY\330\310,P\32\370\315\271C\351Y\353\11\24\233\370$\321(F\350\275O\303<\3\6\25\350\273)DK=\314\242W\205\224\347\364\345\230\14\7\344\364\222H\244\237v\274\204\2460\200kQ\302-lhqc\366\32\370\207\3725\237A\354\205;q%T>P\310\371C`\323\25J`f\251=4\257\313\4\204\237\1m\16\314\232\303RlI*\2\274\364\241\304*\11\30\1\25\212\366\6}E$\252\314,X\3g\6h\270\226\372\265/%\3150\3l\325\246-\256\2515\236\2\27\31\2\213P\265<\2631\214\336\262\250\342\30h\374q\\15\221$p\20h\44\260\251\367>\373q\345\14>M\362&\325d\344d\358F\256)*\254\261\305\250\24\342%\245\35^\341\25=2\305\2F\357(\207H\232\32\255\2r\33\312 \\307\266\213\270\244 X\214'\204I8\374\306\362&EB\2\3465\305i8\313\301\14\306\240$\3335\277\301\262;"\274\330>-\32t\6[\237j><\301\340f\11\32\205\211\322\207\21\210\204\221\177\204l\267\3083r|b\7`\357\264\24ii'\2776\217cwz\370]\2307\311\6}\263\215"i\10\343?\357i\7", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) , 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00522   508   NtClose  (80, ... ) == 0x0
 00523   508   NtClose  (68, ... ) == 0x0
 00524   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nka1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00525   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nka1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00526   508   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0
 00527   508   NtClose  (68, ... ) == 0x0
 00528   508   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0
 00529   508   NtClose  (80, ... ) == 0x0
 00530   508   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00531   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00532   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00533   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nka1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00534   508   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0
 00535   508   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00536   508   NtClose  (80, ... ) == 0x0
 00537   508   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00538   508   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00539   508   NtClose  (68, ... ) == 0x0
 00540   508   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00541   508   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00542   508   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "uterm19"}, 1, ... 68, ) }, 1, ... 68, ) == 0x0
 00543   508   NtOpenProcessToken  (-1, 0x20, ... 80, ) == 0x0
 00544   508   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00545   508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 84, ) }, ... 84, ) == 0x0
 00547   508   NtQueryValueKey  (84,  (84, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00548   508   NtClose  (84, ... ) == 0x0
 00549   508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00550   508   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0
 00551   508   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 88, ) == 0x0
 00552   508   NtQuerySystemTime  (... {1284256440, 29889235}, ) == 0x0
 00553   508   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00554   508   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 00555   508   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00556   508   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00557   508   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00558   508   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00559   508   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0
 00560   508   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 100, ) == 0x0
 00561   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 104, ) }, ... 104, ) == 0x0
 00562   508   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "ActiveComputerName"}, ... 108, ) }, ... 108, ) == 0x0
 00563   508   NtQueryValueKey  (108,  (108, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (108, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (108, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00564   508   NtClose  (108, ... ) == 0x0
 00565   508   NtClose  (104, ... ) == 0x0
 00566   508   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 104, ) == 0x0
 00567   508   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 108, ) == 0x0
 00568   508   NtDuplicateObject  (-1, 104, -1, 0x0, 0, 2, ... 112, ) == 0x0
 00569   508   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00570   508   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00571   508   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00572   508   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00573   508   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00574   508   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243244,  (0xc0100080, {24, 0, 0x40, 0, 1243244, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 00575   508   NtSetInformationFile  (120, 1243300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00576   508   NtSetInformationFile  (120, 1243292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00577   508   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00578   508   NtWriteFile  (120, 97, 0, 0,  (120, 97, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00579   508   NtReadFile  (120, 97, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (120, 97, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00580   508   NtFsControlFile  (120, 97, 0x0, 0x0, 0x11c017,  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274\36\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00581   508   NtFsControlFile  (120, 97, 0x0, 0x0, 0x11c017,  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\314\3\230\205\306~\334\21\261\310\0\14)\371\246\305 \0"\0`\253\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\314\3\230\205\306~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0`\253\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\314\3\230\205\306~\334\21\261\310\0\14)\371\246\305 \0"\0`\253\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\314\3\230\205\306~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\314\3\230\205\306~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 00582   508   NtFsControlFile  (120, 97, 0x0, 0x0, 0x11c017,  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\314\3\230\205\306~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (120, 97, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\314\3\230\205\306~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00583   508   NtClose  (116, ... ) == 0x0
 00584   508   NtClose  (120, ... ) == 0x0
 00585   508   NtAdjustPrivilegesToken  (80, 0, 1245080, 16, 0, 0, ... ) == 0x0
 00586   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00587   508   NtQueryValueKey  (120,  (120, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00588   508   NtClose  (120, ... ) == 0x0
 00589   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00590   508   NtQueryValueKey  (120,  (120, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00591   508   NtClose  (120, ... ) == 0x0
 00592   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00593   508   NtQueryValueKey  (120,  (120, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00594   508   NtClose  (120, ... ) == 0x0
 00595   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00596   508   NtQueryValueKey  (120,  (120, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00597   508   NtClose  (120, ... ) == 0x0
 00598   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00599   508   NtQueryValueKey  (120,  (120, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   508   NtClose  (120, ... ) == 0x0
 00601   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00602   508   NtQueryValueKey  (120,  (120, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   508   NtClose  (120, ... ) == 0x0
 00604   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00605   508   NtQueryValueKey  (120,  (120, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   508   NtClose  (120, ... ) == 0x0
 00607   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00608   508   NtQueryValueKey  (120,  (120, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609   508   NtClose  (120, ... ) == 0x0
 00610   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00611   508   NtQueryValueKey  (120,  (120, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00612   508   NtClose  (120, ... ) == 0x0
 00613   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00614   508   NtQueryValueKey  (120,  (120, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00615   508   NtClose  (120, ... ) == 0x0
 00616   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00617   508   NtQueryValueKey  (120,  (120, "Windows Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00618   508   NtClose  (120, ... ) == 0x0
 00619   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00620   508   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00621   508   NtSetInformationFile  (-2147482808, -136149980, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00622   508   NtSetInformationFile  (-2147482808, -136150452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00620   508   NtCreateKey  ... 120, 1, ) == 0x0
 00623   508   NtSetValueKey  (120,  (120, "ID", 0, 1, "w\0f\0i\0s\0j\0j\0d\0w\0b\0r\0g\0z\0c\0c\0h\0h\0n\0v\0\0\0", 38, ... ) , 0, 1,  (120, "ID", 0, 1, "w\0f\0i\0s\0j\0j\0d\0w\0b\0r\0g\0z\0c\0c\0h\0h\0n\0v\0\0\0", 38, ... ) , 38, ... ) == 0x0
 00624   508   NtClose  (120, ... ) == 0x0
 00625   508   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 120, ) }, ... 120, ) == 0x0
 00626   508   NtQueryValueKey  (120,  (120, "Cryptographic Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00627   508   NtClose  (120, ... ) == 0x0
 00628   508   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 120, 2, ) }, 0, 0x0, 0, ... 120, 2, ) == 0x0
 00629   508   NtSetValueKey  (120,  (120, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1,  (120, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 00630   508   NtClose  (120, ... ) == 0x0
 00631   508   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243516,  (0x80100080, {24, 0, 0x40, 0, 1243516, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 00632   508   NtQueryInformationFile  (120, 1244452, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00633   508   NtQueryInformationFile  (120, 1244424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00634   508   NtQueryInformationFile  (120, 1244376, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00635   508   NtAllocateVirtualMemory  (-1, 1363968, 0, 8192, 4096, 4, ... 1363968, 8192, ) == 0x0
 00636   508   NtQueryInformationFile  (120, 1362376, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00637   508   NtQueryInformationFile  (120, 1242920, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00638   508   NtQueryInformationFile  (120, 1242764, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00639   508   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242772,  (0x40110080, {24, 0, 0x40, 0, 1242772, "\??\C:\WINDOWS\System32\zvxrms.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00640   508   NtClose  (-2147482020, ... ) == 0x0
 00639   508   NtCreateFile  ... 116, {status=0x0, info=2}, ) == 0x0
 00641   508   NtQueryVolumeInformationFile  (116, 1242144, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00642   508   NtQueryInformationFile  (116, 1242104, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00643   508   NtQueryVolumeInformationFile  (120, 1242144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00644   508   NtSetInformationFile  (116, 1241932, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00645   508   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 120, ... 124, ) == 0x0
 00646   508   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 61440, ) == 0x0
 00647   508   NtClose  (124, ... ) == 0x0
 00648   508   NtWriteFile  (116, 0, 0, 0,  (116, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\310Y\330@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0B1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 61188, 0x0, 0, ... {status=0x0, info=61188}, ) , 61188, 0x0, 0, ... {status=0x0, info=61188}, ) == 0x0
 00649   508   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00650   508   NtSetInformationFile  (116, 1244376, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00651   508   NtClose  (120, ... ) == 0x0
 00652   508   NtClose  (116, ... ) == 0x0
 00653   508   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0
 00654   508   NtSetValueKey  (116,  (116, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0z\0v\0x\0r\0m\0s\0.\0e\0x\0e\0\0\0", 62, ... , 0, 1,  (116, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0z\0v\0x\0r\0m\0s\0.\0e\0x\0e\0\0\0", 62, ... , 62, ...
 00655   508   NtSetInformationFile  (-2147482808, -136149196, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00656   508   NtSetInformationFile  (-2147482808, -136149288, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00654   508   NtSetValueKey  ... ) == 0x0
 00657   508   NtClose  (116, ... ) == 0x0
 00658   508   NtClose  (68, ... ) == 0x0
 00659   508   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00660   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\zvxrms.exe"}, 1241008, ... ) }, 1241008, ... ) == 0x0
 00661   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\zvxrms.exe"}, 1241700, ... ) }, 1241700, ... ) == 0x0
 00662   508   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\zvxrms.exe"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00663   508   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 68, ... 116, ) == 0x0
 00664   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 120, ) }, ... 120, ) == 0x0
 00666   508   NtQueryValueKey  (120,  (120, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   508   NtClose  (120, ... ) == 0x0
 00668   508   NtQueryVolumeInformationFile  (68, 1241008, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00669   508   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 120, ) }, ... 120, ) == 0x0
 00670   508   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 00671   508   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 124, ) }, ... 124, ) == 0x0
 00672   508   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x840000), {0, 0}, 57344, ) == 0x0
 00673   508   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 00674   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238992, ... ) }, 1238992, ... ) == 0x0
 00675   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 00676   508   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 128, ... 132, ) == 0x0
 00677   508   NtClose  (128, ... ) == 0x0
 00678   508   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 106496, ) == 0x0
 00679   508   NtClose  (132, ... ) == 0x0
 00680   508   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00681   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239308, ... ) }, 1239308, ... ) == 0x0
 00682   508   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 00683   508   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 128, ) == 0x0
 00684   508   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00685   508   NtClose  (132, ... ) == 0x0
 00686   508   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00687   508   NtClose  (128, ... ) == 0x0
 00688   508   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) == 0x0
 00689   508   NtQueryInformationFile  (128, 1239596, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00690   508   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 128, ... 132, ) == 0x0
 00691   508   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8f0000), 0x0, 1028096, ) == 0x0
 00692   508   NtQueryInformationFile  (128, 1239692, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00693   508   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00694   508   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00695   508   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00696   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00697   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1237256, 616, BothDirectory, 1,  (136, 0, 0, 0, 1237256, 616, BothDirectory, 1, "zvxrms.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00698   508   NtClose  (136, ... ) == 0x0
 00699   508   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00700   508   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00701   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\zvxrms.exe"}, 1236644, ... ) }, 1236644, ... ) == 0x0
 00702   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00703   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236004, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00704   508   NtClose  (136, ... ) == 0x0
 00705   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00706   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236004, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00707   508   NtClose  (136, ... ) == 0x0
 00708   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00709   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236004, 616, BothDirectory, 1, "zvxrms.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00710   508   NtClose  (136, ... ) == 0x0
 00711   508   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00712   508   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00713   508   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00714   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00715   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 136, ) == 0x0
 00716   508   NtQueryInformationToken  (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00717   508   NtClose  (136, ... ) == 0x0
 00718   508   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00719   508   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\zvxrms.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00720   508   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00721   508   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00722   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\zvxrms.exe"}, 1238924, ... ) }, 1238924, ... ) == 0x0
 00723   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00724   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (136, 0, 0, 0, 1238284, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00725   508   NtClose  (136, ... ) == 0x0
 00726   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00727   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (136, 0, 0, 0, 1238284, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00728   508   NtClose  (136, ... ) == 0x0
 00729   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00730   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (136, 0, 0, 0, 1238284, 616, BothDirectory, 1, "zvxrms.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00731   508   NtClose  (136, ... ) == 0x0
 00732   508   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00733   508   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00734   508   NtWaitForSingleObject  (120, 0, {-1000000, -1}, ... ) == 0x0
 00735   508   NtQueryVolumeInformationFile  (68, 1239568, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00736   508   NtQueryInformationFile  (68, 1239548, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00737   508   NtQueryInformationFile  (68, 1239588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00738   508   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 00739   508   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00740   508   NtClose  (132, ... ) == 0x0
 00741   508   NtClose  (128, ... ) == 0x0
 00742   508   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00743   508   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zvxrms.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00744   508   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00745   508   NtOpenProcessToken  (-1, 0xa, ... 128, ) == 0x0
 00746   508   NtQueryInformationToken  (128, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00747   508   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00748   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00749   508   NtQueryValueKey  (132,  (132, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (132, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00750   508   NtQueryValueKey  (132,  (132, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (132, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00751   508   NtClose  (132, ... ) == 0x0
 00752   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00753   508   NtQueryValueKey  (132,  (132, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00754   508   NtQueryValueKey  (132,  (132, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (132, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00755   508   NtClose  (132, ... ) == 0x0
 00756   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00757   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00758   508   NtQueryValueKey  (132,  (132, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00759   508   NtClose  (132, ... ) == 0x0
 00760   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00761   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00762   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00763   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00764   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00765   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00766   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00767   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00768   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00769   508   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 00770   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 132, ) }, ... 132, ) == 0x0
 00771   508   NtEnumerateKey  (132, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (132, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00772   508   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 136, ) }, ... 136, ) == 0x0
 00773   508   NtQueryValueKey  (136,  (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00774   508   NtQueryValueKey  (136,  (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00775   508   NtClose  (136, ... ) == 0x0
 00776   508   NtEnumerateKey  (132, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00777   508   NtClose  (132, ... ) == 0x0
 00778   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00780   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00781   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00782   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00783   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00784   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00785   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00786   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00787   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00788   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00789   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00790   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00791   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00792   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00793   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00794   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00795   508   NtClose  (132, ... ) == 0x0
 00796   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00797   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00798   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00799   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00800   508   NtClose  (132, ... ) == 0x0
 00801   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00802   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00803   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00804   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00805   508   NtClose  (132, ... ) == 0x0
 00806   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00807   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00808   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00809   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00810   508   NtClose  (132, ... ) == 0x0
 00811   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00812   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00813   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00814   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00815   508   NtClose  (132, ... ) == 0x0
 00816   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00817   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00818   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00819   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00820   508   NtClose  (132, ... ) == 0x0
 00821   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00822   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00823   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00824   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00825   508   NtClose  (132, ... ) == 0x0
 00826   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00827   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00828   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00829   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00830   508   NtClose  (132, ... ) == 0x0
 00831   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00832   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00833   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00834   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00835   508   NtClose  (132, ... ) == 0x0
 00836   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00838   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00839   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00840   508   NtClose  (132, ... ) == 0x0
 00841   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00842   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00843   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00844   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00845   508   NtClose  (132, ... ) == 0x0
 00846   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00847   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00848   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00849   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00850   508   NtClose  (132, ... ) == 0x0
 00851   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00852   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00853   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00854   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00855   508   NtClose  (132, ... ) == 0x0
 00856   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00857   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00858   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00859   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00860   508   NtClose  (132, ... ) == 0x0
 00861   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00862   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00863   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00864   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00865   508   NtClose  (132, ... ) == 0x0
 00866   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00868   508   NtQueryValueKey  (132,  (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00869   508   NtClose  (132, ... ) == 0x0
 00870   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00871   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 00872   508   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00873   508   NtClose  (132, ... ) == 0x0
 00874   508   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   508   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00876   508   NtOpenProcessToken  (-1, 0xa, ... 132, ) == 0x0
 00877   508   NtDuplicateToken  (132, 0xc, {24, 0, 0x0, 0, 1240900, 0x0}, 0, 2, ... 136, ) == 0x0
 00878   508   NtClose  (132, ... ) == 0x0
 00879   508   NtAccessCheck  (1369904, 136, 0x1, 1241028, 1240972, 56, 1241056, ... (0x1), ) == 0x0
 00880   508   NtClose  (136, ... ) == 0x0
 00881   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 136, ) }, ... 136, ) == 0x0
 00882   508   NtQueryValueKey  (136,  (136, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (136, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00883   508   NtClose  (136, ... ) == 0x0
 00884   508   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 136, ) }, ... 136, ) == 0x0
 00885   508   NtQuerySymbolicLinkObject  (136, ...  (136, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00886   508   NtClose  (136, ... ) == 0x0
 00887   508   NtQueryInformationFile  (68, 1239360, 528, Name, ... {status=0x0, info=60}, ) == 0x0
 00888   508   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00889   508   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00890   508   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\zvxrms.exe"}, 1238040, ... ) }, 1238040, ... ) == 0x0
 00891   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00892   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (136, 0, 0, 0, 1237400, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 00893   508   NtClose  (136, ... ) == 0x0
 00894   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00895   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (136, 0, 0, 0, 1237400, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 00896   508   NtClose  (136, ... ) == 0x0
 00897   508   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 00898   508   NtQueryDirectoryFile  (136, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (136, 0, 0, 0, 1237400, 616, BothDirectory, 1, "zvxrms.exe", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0
 00899   508   NtClose  (136, ... ) == 0x0
 00900   508   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00901   508   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00902   508   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00903   508   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 136, ) == 0x0
 00904   508   NtQueryInformationToken  (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00905   508   NtClose  (136, ... ) == 0x0
 00906   508   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 136, ) }, ... 136, ) == 0x0
 00907   508   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 132, ) }, ... 132, ) == 0x0
 00908   508   NtClose  (136, ... ) == 0x0
 00909   508   NtQueryValueKey  (132,  (132, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00910   508   NtQueryValueKey  (132,  (132, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (132, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00911   508   NtClose  (132, ... ) == 0x0
 00912   508   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 8781824, 4096, ) == 0x0
 00913   508   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00914   508   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 00915   508   NtQueryValueKey  (132,  (132, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   508   NtClose  (132, ... ) == 0x0
 00917   508   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918   508   NtQueryInformationToken  (128, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00919   508   NtQueryInformationToken  (128, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00920   508   NtClose  (128, ... ) == 0x0
 00921   508   NtCreateProcessEx  (1243636, 2035711, 0, -1, 0, 116, 0, 0, 0, ... ) == 0x0
 00922   508   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=916,ParentPid=504,}, 0x0, ) == 0x0
 00923   508   NtReadVirtualMemory  (128, 0x7ffdf008, 4, ...  (128, 0x7ffdf008, 4, ... "\0\0B1", 0x0, ) , 0x0, ) == 0x0
 00924   508   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\zvxrms.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00925   508   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 00926   508   NtReadVirtualMemory  (128, 0x31420000, 4096, ...  (128, 0x31420000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\310Y\330@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0B1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 00927   508   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00928   508   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=916,ParentPid=504,}, 0x0, ) == 0x0
 00929   508   NtAllocateVirtualMemory  (-1, 0, 0, 1660, 4096, 4, ... 8847360, 4096, ) == 0x0
 00930   508   NtAllocateVirtualMemory  (128, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00931   508   NtWriteVirtualMemory  (128, 0x10000,  (128, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00932   508   NtAllocateVirtualMemory  (128, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0
 00933   508   NtWriteVirtualMemory  (128, 0x20000,  (128, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0<\0>\0\230\5\0\0<\0>\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0<\0>\0\30\6\0\0\36\0 \0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0
 00934   508   NtWriteVirtualMemory  (128, 0x7ffdf010,  (128, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00935   508   NtWriteVirtualMemory  (128, 0x7ffdf1e8,  (128, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00936   508   NtFreeVirtualMemory  (-1, (0x870000), 0, 32768, ... (0x870000), 4096, ) == 0x0
 00937   508   NtAllocateVirtualMemory  (128, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 00938   508   NtAllocateVirtualMemory  (128, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 00939   508   NtProtectVirtualMemory  (128, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 00940   508   NtCreateThread  (0x1f03ff, 0x0, 128, 1241900, 1242620, 1, ... 132, {916, 920}, ) == 0x0
 00941   508   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1358952, 1243720}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1358952, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\203\0\0\0\204\0\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 504, 508, 1579, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\200\0\0\0\204\0\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ... {168, 196, reply, 0, 504, 508, 1579, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1358952, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\203\0\0\0\204\0\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 504, 508, 1579, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\200\0\0\0\204\0\0\0\224\3\0\0\230\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ) == 0x0
 00942   508   NtResumeThread  (132, ... 1, ) == 0x0
 00943   508   NtClose  (68, ... ) == 0x0
 00944   508   NtClose  (116, ... ) == 0x0
 00945   508   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=916,ParentPid=504,}, 0x0, ) == 0x0
 00946   508   NtUserWaitForInputIdle  (916, 30000, 0, ...
 00947   508   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00948   508   NtClose  (116, ... ) == 0x0
 00946   508   NtUserWaitForInputIdle  ... ) == 0x0
 00949   508   NtClose  (128, ... ) == 0x0
 00950   508   NtClose  (132, ... ) == 0x0
 00951   508   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 00952   508   NtTerminateProcess  (0, 0, ... ) == 0x0
 00953   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b
 00954   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00955   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d
 00956   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00957   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f
 00958   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00959   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc041
 00960   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00961   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc043
 00962   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00963   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc045
 00964   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00965   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc047
 00966   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00967   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc049
 00968   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00969   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b
 00970   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00971   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d
 00972   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00973   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f
 00974   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00975   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc051
 00976   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00977   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc053
 00978   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00979   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc057
 00980   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00981   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc059
 00982   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00983   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b
 00984   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00985   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d
 00986   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00987   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05f
 00988   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00989   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc017
 00990   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00991   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc019
 00992   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00993   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc018
 00994   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00995   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01a
 00996   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00997   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01c
 00998   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 00999   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01e
 01000   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01001   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01b
 01002   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01003   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc068
 01004   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01005   508   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc06a
 01006   508   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01007   508   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01008   508   NtClose  (76, ... ) == 0x0
 01009   508   NtClose  (64, ... ) == 0x0
 01010   508   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01011   508   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01012   508   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01013   508   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01014   508   NtFreeVirtualMemory  (-1, (0x860000), 4096, 32768, ... (0x860000), 4096, ) == 0x0
 01015   508   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 504, 508, 3177, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 504, 508, 3177, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 504, 508, 3177, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01016   508   NtTerminateProcess  (-1, 0, ...
 01017   508   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtUserCallOneParam(>)	1	NtSetInformationObject(>)	3	NtQueryInformationProcess(>)	13
NtAdjustPrivilegesToken(>)	1	NtUserGetDC(>)	1	NtFsControlFile(>)	4	NtUnmapViewOfSection(>)	13
NtCallbackReturn(>)	1	NtUserGetThreadDesktop(>)	1	NtOpenThreadToken(>)	4	NtCreateSection(>)	16
NtContinue(>)	1	NtAccessCheck(>)	2	NtSetValueKey(>)	4	NtQuerySystemInformation(>)	18
NtCreateMutant(>)	1	NtCreateIoCompletion(>)	2	NtWriteVirtualMemory(>)	4	NtReadFile(>)	19
NtCreateProcessEx(>)	1	NtEnumerateKey(>)	2	NtGdiGetStockObject(>)	5	NtWriteFile(>)	20
NtCreateThread(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryVolumeInformationFile(>)	5	NtOpenSection(>)	22
NtDelayExecution(>)	1	NtOpenDirectoryObject(>)	2	NtCreateKey(>)	6	NtQueryAttributesFile(>)	22
NtDuplicateToken(>)	1	NtOpenEvent(>)	2	NtOpenProcessToken(>)	6	NtOpenProcessTokenEx(>)	24
NtEnumerateValueKey(>)	1	NtOpenMutant(>)	2	NtQueryDefaultUILanguage(>)	6	NtOpenThreadTokenEx(>)	24
NtGdiCreateBitmap(>)	1	NtOpenSymbolicLinkObject(>)	2	NtSetInformationProcess(>)	6	NtProtectVirtualMemory(>)	27
NtGdiInit(>)	1	NtQueryInstallUILanguage(>)	2	NtUserSystemParametersInfo(>)	6	NtUserUnregisterClass(>)	27
NtGdiQueryFontAssocInfo(>)	1	NtQuerySymbolicLinkObject(>)	2	NtQuerySection(>)	7	NtUserGetClassInfo(>)	28
NtGdiSelectBitmap(>)	1	NtQueryVirtualMemory(>)	2	NtSetInformationThread(>)	7	NtOpenFile(>)	29
NtOpenKeyedEvent(>)	1	NtReadVirtualMemory(>)	2	NtCreateEvent(>)	8	NtQueryInformationToken(>)	30
NtQueryInformationJobObject(>)	1	NtReleaseMutant(>)	2	NtRequestWaitReplyPort(>)	8	NtMapViewOfSection(>)	33
NtQueryObject(>)	1	NtTerminateProcess(>)	2	NtSetInformationFile(>)	9	NtUserFindExistingCursorIcon(>)	33
NtQuerySystemTime(>)	1	NtUserRegisterWindowMessage(>)	2	NtQueryDebugFilterState(>)	10	NtAllocateVirtualMemory(>)	35
NtRegisterThreadTerminatePort(>)	1	NtUserWaitForInputIdle(>)	2	NtQueryDirectoryFile(>)	10	NtUserRegisterClassExWOW(>)	43
NtResumeThread(>)	1	NtWaitForSingleObject(>)	2	NtCreateFile(>)	11	NtQueryValueKey(>)	50
NtSecureConnectPort(>)	1	NtDuplicateObject(>)	3	NtFlushInstructionCache(>)	13	NtOpenKey(>)	108
NtTestAlert(>)	1	NtFreeVirtualMemory(>)	3	NtQueryDefaultLocale(>)	13	NtClose(>)	157
NtUserCallNoParam(>)	1	NtGdiCreateCompatibleDC(>)	3	NtQueryInformationFile(>)	13