Summary:


NtAdjustPrivilegesToken(>)  1 
NtDeleteAtom(>)  2 
NtGdiBitBlt(>)  7 
NtQueryInformationProcess(>)  15 

NtCallbackReturn(>)  1 
NtEnumerateKey(>)  2 
NtGdiCreateDIBitmapInternal(>)  7 
NtCreateSection(>)  17 

NtCreateMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiGetDCObject(>)  7 
NtGdiDeleteObjectApp(>)  18 

NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtGdiGetDCforBitmap(>)  7 
NtReadFile(>)  19 

NtCreateThread(>)  1 
NtOpenEvent(>)  2 
NtGdiGetStockObject(>)  7 
NtContinue(>)  20 

NtDelayExecution(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtGdiRestoreDC(>)  7 
NtQuerySystemInformation(>)  20 

NtDuplicateToken(>)  1 
NtQueryInstallUILanguage(>)  2 
NtGdiSaveDC(>)  7 
NtUserCallOneParam(>)  20 

NtEnumerateValueKey(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtGdiSetDIBitsToDeviceInternal(>)  7 
NtWaitForSingleObject(>)  21 

NtGdiCreatePaletteInternal(>)  1 
NtReadVirtualMemory(>)  2 
NtOpenProcessToken(>)  7 
NtFlushInstructionCache(>)  23 

NtGdiInit(>)  1 
NtTerminateProcess(>)  2 
NtUserDestroyCursor(>)  7 
NtWriteFile(>)  23 

NtGdiQueryFontAssocInfo(>)  1 
NtUserWaitForInputIdle(>)  2 
NtUserSetCursorIconData(>)  7 
NtOpenProcessTokenEx(>)  24 

NtNotifyChangeKey(>)  1 
NtAddAtom(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenThreadTokenEx(>)  24 

NtOpenKeyedEvent(>)  1 
NtCreateSemaphore(>)  3 
NtQuerySection(>)  8 
NtOpenSection(>)  25 

NtOpenProcess(>)  1 
NtDuplicateObject(>)  3 
NtRequestWaitReplyPort(>)  8 
NtOpenFile(>)  30 

NtQueryInformationJobObject(>)  1 
NtFreeVirtualMemory(>)  3 
NtSetInformationThread(>)  8 
NtQueryAttributesFile(>)  31 

NtQueryObject(>)  1 
NtGdiHfontCreate(>)  3 
NtQueryDebugFilterState(>)  9 
NtQueryInformationToken(>)  31 

NtQuerySystemTime(>)  1 
NtOpenMutant(>)  3 
NtSetInformationFile(>)  9 
NtMapViewOfSection(>)  37 

NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 
NtCreateEvent(>)  10 
NtReleaseMutant(>)  40 

NtResumeThread(>)  1 
NtFsControlFile(>)  4 
NtGdiCreateCompatibleDC(>)  10 
NtAllocateVirtualMemory(>)  41 

NtSecureConnectPort(>)  1 
NtOpenThreadToken(>)  4 
NtGdiExtGetObjectW(>)  10 
NtProtectVirtualMemory(>)  45 

NtTestAlert(>)  1 
NtSetValueKey(>)  4 
NtQueryDirectoryFile(>)  10 
NtUserUnregisterClass(>)  45 

NtUserCallNoParam(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  11 
NtQueryValueKey(>)  51 

NtUserEnumDisplayMonitors(>)  1 
NtUserRegisterWindowMessage(>)  5 
NtUserGetDC(>)  11 
NtGdiSelectBitmap(>)  57 

NtUserGetKeyboardLayoutList(>)  1 
NtCreateKey(>)  6 
NtUnmapViewOfSection(>)  12 
NtUserRegisterClassExWOW(>)  63 

NtUserGetThreadDesktop(>)  1 
NtQueryDefaultUILanguage(>)  6 
NtQueryDefaultLocale(>)  13 
NtUserGetClassInfo(>)  64 

NtUserSetWindowsHookEx(>)  1 
NtQueryVirtualMemory(>)  6 
NtQueryInformationFile(>)  13 
NtUserFindExistingCursorIcon(>)  72 

NtAccessCheck(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtUserSystemParametersInfo(>)  13 
NtOpenKey(>)  112 

NtCreateIoCompletion(>)  2 
NtSetInformationProcess(>)  6 
NtUserSelectPalette(>)  14 
NtClose(>)  165 


Trace:
 00001   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   408   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   408   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   408   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   408   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   408   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   408   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   408   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   408   NtClose  (12, ... ) == 0x0
 00014   408   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   408   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   408   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   408   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   408   NtClose  (16, ... ) == 0x0
 00021   408   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   408   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   408   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   408   NtClose  (16, ... ) == 0x0
 00026   408   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   408   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   408   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   408   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 400, 408, 1477, 0} "(\264\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 400, 408, 1477, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 400, 408, 1477, 0} "(\264\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   408   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   408   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   408   NtClose  (16, ... ) == 0x0
 00036   408   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   408   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   408   NtClose  (28, ... ) == 0x0
 00041   408   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   408   NtClose  (28, ... ) == 0x0
 00045   408   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   408   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   408   NtClose  (28, ... ) == 0x0
 00049   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   408   NtClose  (28, ... ) == 0x0
 00052   408   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 400, 408, 1479, 0} "8\244\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 400, 408, 1479, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 400, 408, 1479, 0} "8\244\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 128, ) == 0x0
 00057   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 128, ... (0x31438000), 8192, 4, ) == 0x0
 00058   408   NtFlushInstructionCache  (-1, 826507264, 8192, ... ) == 0x0
 00059   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   408   NtClose  (28, ... ) == 0x0
 00062   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   408   NtClose  (28, ... ) == 0x0
 00065   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0
 00066   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0
 00067   408   NtFlushInstructionCache  (-1, 826507264, 8192, ... ) == 0x0
 00068   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   408   NtClose  (28, ... ) == 0x0
 00071   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0
 00072   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0
 00073   408   NtFlushInstructionCache  (-1, 826507264, 8192, ... ) == 0x0
 00074   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   408   NtClose  (28, ... ) == 0x0
 00077   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   408   NtClose  (28, ... ) == 0x0
 00080   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0
 00081   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0
 00082   408   NtFlushInstructionCache  (-1, 826507264, 8192, ... ) == 0x0
 00083   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   408   NtClose  (28, ... ) == 0x0
 00086   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   408   NtClose  (28, ... ) == 0x0
 00089   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   408   NtClose  (28, ... ) == 0x0
 00092   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   408   NtClose  (28, ... ) == 0x0
 00095   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   408   NtClose  (28, ... ) == 0x0
 00098   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   408   NtClose  (28, ... ) == 0x0
 00101   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0
 00102   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0
 00103   408   NtFlushInstructionCache  (-1, 826507264, 8192, ... ) == 0x0
 00104   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   408   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00106   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00109   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   408   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   408   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   408   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   408   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   408   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   408   NtClose  (40, ... ) == 0x0
 00118   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   408   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   408   NtClose  (40, ... ) == 0x0
 00122   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   408   NtClose  (36, ... ) == 0x0
 00124   408   NtClose  (28, ... ) == 0x0
 00125   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   408   NtClose  (32, ... ) == 0x0
 00127   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00131   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   408   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   408   NtClose  (32, ... ) == 0x0
 00135   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   408   NtClose  (28, ... ) == 0x0
 00137   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 4, ... (0x31438000), 8192, 64, ) == 0x0
 00138   408   NtProtectVirtualMemory  (-1, (0x31438000), 8192, 64, ... (0x31438000), 8192, 4, ) == 0x0
 00139   408   NtFlushInstructionCache  (-1, 826507264, 8192, ... ) == 0x0
 00140   408   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   408   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   408   NtClose  (28, ... ) == 0x0
 00143   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   408   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   408   NtClose  (28, ... ) == 0x0
 00146   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   408   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   408   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   408   NtClose  (28, ... ) == 0x0
 00150   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   408   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   408   NtClose  (28, ... ) == 0x0
 00153   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   408   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00158   408   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00159   408   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00160   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00162   408   NtClose  (32, ... ) == 0x0
 00163   408   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00164   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 400, 408, 1491, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 400, 408, 1491, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 400, 408, 1491, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00166   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0
 00168   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   408   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   408   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00171   408   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   408   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   408   NtClose  (-2147482020, ... ) == 0x0
 00174   408   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0
 00175   408   NtFreeVirtualMemory  (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0
 00176   408   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   408   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00178   408   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   408   NtClose  (-2147482020, ... ) == 0x0
 00180   408   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00181   408   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   408   NtClose  (-2147482020, ... ) == 0x0
 00183   408   NtQueryDefaultLocale  (0, -131036660, ... ) == 0x0
 00184   408   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   408   NtUserCallNoParam  (24, ... ) == 0x0
 00186   408   NtGdiCreateCompatibleDC  (0, ...
 00187   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0
 00186   408   NtGdiCreateCompatibleDC  ... ) == 0x150103c7
 00188   408   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   408   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   408   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x10050405
 00191   408   NtGdiCreateSolidBrush  (0, 0, ...
 00192   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00191   408   NtGdiCreateSolidBrush  ... ) == 0x10100404
 00193   408   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   408   NtGdiCreateCompatibleDC  (0, ... ) == 0xc010409
 00195   408   NtGdiSelectBitmap  (201393161, 268764165, ... ) == 0x185000f
 00196   408   NtUserGetThreadDesktop  (408, 0, ... ) == 0x2c
 00197   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   408   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   408   NtClose  (52, ... ) == 0x0
 00200   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00201   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00202   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00203   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00204   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00205   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00206   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00208   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00209   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00210   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00211   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00212   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00213   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00214   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00216   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00217   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00218   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00219   408   NtAllocateVirtualMemory  (-1, 5533696, 0, 4096, 4096, 32, ... 5533696, 4096, ) == 0x0
 00218   408   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00220   408   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00221   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00222   408   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00223   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00224   408   NtCallbackReturn  (0, 0, 0, ...
 00225   408   NtGdiInit  (... ) == 0x1
 00226   408   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00227   408   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00228   408   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   408   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00231   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00232   408   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   408   NtClose  (52, ... ) == 0x0
 00234   408   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00235   408   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00236   408   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00237   408   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00238   408   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00239   408   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00240   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00241   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00242   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00243   408   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00244   408   NtClose  (60, ... ) == 0x0
 00245   408   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00246   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00247   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00248   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00249   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00250   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00251   408   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   408   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   408   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   408   NtClose  (60, ... ) == 0x0
 00255   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00256   408   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   408   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   408   NtClose  (60, ... ) == 0x0
 00259   408   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   408   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00261   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   408   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   408   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00265   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00266   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00267   408   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   408   NtClose  (60, ... ) == 0x0
 00269   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00270   408   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00271   408   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00272   408   NtQueryDefaultUILanguage  (1241768, ...
 00273   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00274   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00275   408   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00276   408   NtClose  (-2147482020, ... ) == 0x0
 00277   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00278   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   408   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00280   408   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   408   NtClose  (-2147482032, ... ) == 0x0
 00282   408   NtClose  (-2147482020, ... ) == 0x0
 00272   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00283   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   408   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00285   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00287   408   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0
 00288   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   408   NtQueryDefaultUILanguage  (2013024600, ...
 00290   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00291   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00292   408   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00293   408   NtClose  (-2147482020, ... ) == 0x0
 00294   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00295   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   408   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00297   408   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   408   NtClose  (-2147482032, ... ) == 0x0
 00299   408   NtClose  (-2147482020, ... ) == 0x0
 00289   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00300   408   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00301   408   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00302   408   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00303   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 400, 408, 1492, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 400, 408, 1492, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 400, 408, 1492, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00305   408   NtClose  (68, ... ) == 0x0
 00306   408   NtClose  (72, ... ) == 0x0
 00307   408   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00308   408   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00309   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00318   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00319   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00321   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00322   408   NtClose  (68, ... ) == 0x0
 00323   408   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00324   408   NtClose  (76, ... ) == 0x0
 00325   408   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00326   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00327   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00328   408   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00329   408   NtClose  (76, ... ) == 0x0
 00330   408   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00331   408   NtClose  (68, ... ) == 0x0
 00332   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00339   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00340   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00341   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00342   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00343   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00344   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00345   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00346   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00347   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00348   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00349   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00350   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00351   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00352   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00353   408   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 00354   408   NtQueryDefaultUILanguage  (1238836, ...
 00355   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00357   408   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   408   NtClose  (-2147482020, ... ) == 0x0
 00359   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00360   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   408   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00362   408   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   408   NtClose  (-2147482032, ... ) == 0x0
 00364   408   NtClose  (-2147482020, ... ) == 0x0
 00354   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00365   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0
 00367   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00368   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00369   408   NtClose  (68, ... ) == 0x0
 00370   408   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0
 00371   408   NtClose  (76, ... ) == 0x0
 00372   408   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00373   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0
 00374   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238028,  (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00375   408   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00376   408   NtClose  (76, ... ) == 0x0
 00377   408   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0
 00378   408   NtClose  (68, ... ) == 0x0
 00379   408   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00380   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00381   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00382   408   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0
 00383   408   NtQueryInformationFile  (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00384   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 400, 408, 1493, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 400, 408, 1493, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 400, 408, 1493, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ) == 0x0
 00386   408   NtClose  (68, ... ) == 0x0
 00387   408   NtClose  (76, ... ) == 0x0
 00388   408   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00389   408   NtUnmapViewOfSection  (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00390   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00391   408   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00392   408   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00393   408   NtUserGetDC  (0, ... ) == 0x1010052
 00394   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00395   408   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00396   408   NtUserSystemParametersInfo  (66, 12, 1240140, 0, ... ) == 0x1
 00397   408   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00398   408   NtAccessCheck  (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00399   408   NtClose  (76, ... ) == 0x0
 00400   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00401   408   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   408   NtClose  (76, ... ) == 0x0
 00403   408   NtUserSystemParametersInfo  (41, 500, 1239640, 0, ... ) == 0x1
 00404   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00405   408   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00407   408   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   408   NtClose  (68, ... ) == 0x0
 00409   408   NtClose  (76, ... ) == 0x0
 00410   408   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00411   408   NtUserSystemParametersInfo  (4130, 0, 1240164, 0, ... ) == 0x1
 00412   408   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00413   408   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00414   408   NtClose  (76, ... ) == 0x0
 00415   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00416   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03b
 00417   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc03d
 00418   408   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00419   408   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc03f
 00420   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00421   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc041
 00422   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00423   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc043
 00424   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc045
 00425   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00426   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc047
 00427   408   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00428   408   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc049
 00429   408   NtUserGetClassInfo  (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049
 00430   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00431   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04b
 00432   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00433   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04d
 00434   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00435   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc04f
 00436   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc051
 00437   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00438   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc053
 00439   408   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00440   408   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc055
 00441   408   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc057
 00442   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00443   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc059
 00444   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10013
 00445   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05b
 00446   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00447   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05d
 00448   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00449   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc05f
 00450   408   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00451   408   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc017
 00452   408   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00453   408   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc019
 00454   408   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10013
 00455   408   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc018
 00456   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00457   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc01a
 00458   408   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00459   408   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810dc01c
 00460   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00461   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ...
 00462   408   NtAllocateVirtualMemory  (-1, 5537792, 0, 4096, 4096, 32, ... 5537792, 4096, ) == 0x0
 00461   408   NtUserRegisterClassExWOW  ... ) == 0x810dc01e
 00463   408   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00464   408   NtUserRegisterClassExWOW  (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810dc01b
 00465   408   NtUserFindExistingCursorIcon  (1239440, 1239456, 1240024, ... ) == 0x10011
 00466   408   NtUserRegisterClassExWOW  (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810dc068
 00467   408   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00468   408   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810dc06a
 00469   408   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00470   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00471   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00472   408   NtTestAlert  (... ) == 0x0
 00473   408   NtContinue  (1244464, 1, ...
 00474   408   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3143a000,}, 4, ... ) == 0x0
 00475   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 00476   408   NtQueryValueKey  (68,  (68, "PINF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   408   NtClose  (68, ... ) == 0x0
 00478   408   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00479   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1234112,  (0x80100080, {24, 0, 0x40, 0, 1234112, "\??\u:\work\packed.exe"}, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 1, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0
 00480   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1233828, ... ) }, 1233828, ... ) == 0x0
 00481   408   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 400, 408, 1494, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ... {20, 48, reply, 0, 400, 408, 1494, 0}  (24, {20, 48, new_msg, 0, 1354040, 1354584, 1234168, 0} "\0\0\0\0\2\0\1\0\225\0\0\0\0\0\0\0\215\26\365w" ... {20, 48, reply, 0, 400, 408, 1494, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" )  ) == 0x0
 00482   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1233836,  (0x80100080, {24, 0, 0x40, 0, 1233836, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 80, {status=0x0, info=2}, ) == 0x0
 00483   408   NtClose  (80, ... ) == 0x0
 00484   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234112,  (0xc0100080, {24, 0, 0x40, 0, 1234112, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.tmp"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00485   408   NtClose  (-2147482020, ... ) == 0x0
 00484   408   NtCreateFile  ... 80, {status=0x0, info=3}, ) == 0x0
 00486   408   NtSetInformationFile  (68, 1234204, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00487   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\373\207\325\0\264\335\205\0\262\335\212\0I"\205\0\16\335\205\0\266\335\205\0\366\335\237\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\337\205\0\14\315\205\16\251i\214\315\227e\204L{\374\25\220\342\265\354s\226\255\367o\321\257\344m\226\260\360s\302\375\347e\226\257\360n\226\250\353d\323\257\245W\337\263\2662\273\327\2417\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0", ) \205\0\16\335\205\0\266\335\205\0\366\335\237\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\337\205\0\14\315\205\16\251i\214\315\227e\204L{\374\25\220\342\265\354s\226\255\367o\321\257\344m\226\260\360s\302\375\347e\226\257\360n\226\250\353d\323\257\245W\337\263\2662\273\327\2417\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0", ) == 0x0
 00488   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00489   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\343\325\263\34\331\341\310E\331\257\374,\26\260\344\10\206\336\4\7~\25\343\331\324\35\304\304~\236M<\264\221\367\334^,\357D\334\275\324\271\262\306\371\377\220\37\335}3r\213D\355uM\270>\214\372\300\320V\325\1\346K\356g\327\337\305\315\312\342\204\2\10\231\250\325\37\200RC\350\324\21<\4\266e\226m/K\310\265\306,^\177W\305\265\344m\353\350\212Y\200\261Z\5\302a\326\362C\232\314\247\301\247\335\217^\353\241\2138\373L\1\353\306\223\31&M]\225\15o\325\12\32\312\16Q\371\325\341\203&\331\215#z\17\251\210\206\33\376\22\367\323d\311N\233\255IR\353\236\37\262\22uff!13\260\36d\15\207_}4h\261\307\266\346\271uX\210\353W r\357\302W~YM\257\372\363\364P_\231\205(\267\1\5\245\347\257\12\306\330\200\34\335vS\12^\215W<\220\255+\10\340\251\360\310\363[\220\212k\20i\10p\335\342)5\344}\251M\371O\232\364\236\274R\254\235\322\344&\353\264\15=\234\261\324\37tH\\377\310\200-z\371\35\365\366\320\327\314\346N\5\221\33Ok\334/\14\241\370\23\240\320uvV\330\304}\204\23\357:\36-\306\32m1F\346\323d\224\216\25\326\1(u\262\225\220\11\255\217\5n@\223@\347\242\250\27\335;m\331\345\6x\356\260\265\213\2V\317X\233\371\202\220\311\25\245^\257>\256\227\242"z\12\232\245\271\231\227\305\341\360bL\375]\213\363&\261b\270b\354\267\6\211p\274\3vP\321\276M\266\250\237\246\350\3175\2165\337ka&R\205\212\11k\0\265\2\264\275\305\3$\225-\211\364\205\2762\222\206b\324b\216&\172\3147\1Z\3024\22\322\225M\324\261\31\337\274\323tb$\275\326\236a0\21\3[\32-X\17", ) z\12\232\245\271\231\227\305\341\360bL\375]\213\363&\261b\270b\354\267\6\211p\274\3vP\321\276M\266\250\237\246\350\3175\2165\337ka&R\205\212\11k\0\265\2\264\275\305\3$\225-\211\364\205\2762\222\206b\324b\216&\172\3147\1Z\3024\22\322\225M\324\261\31\337\274\323tb$\275\326\236a0\21\3[\32-X\17", ) == 0x0
 00490   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "U\106\34o\301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \301\21\0\12^]|\168M\221\3311]\33\26\31\220\220\330\225\273\262P\12\254\27\213QO\10d\203\220\4\10#\314\322,\2100\306{\22A\16\341\311\370F(I\3446\33\37\4\317\360f\320\374\2643\6\303\341\151\202\3704\336lB\266Pd\360X>6\322 \3042GW\310\204\310\257L.qP\351D\0(\1\334\200\24\203:*\12p\5\5\34k\253\326\12\350P\322<&p\256\10Vtu\310E\206\25\212\335\315\354\10\306\0g)\2039\370\251\373$\312\232BC9R\32@W\344\22061\15\213A4\324\251\251\315\I\25\5-\314$\230\365@\15R\314P\223\200\221\255\222\356\334\231\321$\370\245}Uu\300\213]\304\313Y\226\357\214\303\250\306\254\260\264FP\16\341\2248\310S\1\236\2507\225&\324(\217\263\263\305\223\366:'\250\241\0\276mo8\203xXm0\213\264\213JX-$\7\220\177\310 ^\31\343+\227\24\377\377\12,x<\231!\30d\360\324\221x]=.\243\261\324e\347\354\1\333\14p\12\336\363Pgc\310\266\36B#\350y\350\135i\266\344&\344X\17\11\335\3350\2\2`@\3\222H\250\211BX;2$[\347\324\324S\243\17\204\21\262\1\354\37\261\22dH\310\324\7\304Z\274e\251\347$\13\13\33a\206\314\206[\254\360\335\17", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00491   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "a\37\216X\16\317\220w\207\327\211He\220F\30\374K\311\340\343x7H\266v\27\345\6X2}\256\231\305\221SM\340Z\322\201\335Y\270\206\37\0\344\226\346T\346\271\274d\255\277\2216\322\275\24\345&\270\357!\332\265\324\226\365K\367\14\302\255\251\35\177\275Nz\312\350\375@\234\\35C\246\241\237\301\311X\21\235-\275\342\20\30\255>\363\217v\323%\244U\2119\235Y\225\274\261V\39,\234\11\14>\262\305\323I*\257\276\236W\302\10\214\15\3619@\233>3\34\224P\256.\1\322\4O\261\300]\1\331\3034E\233\232\306\0\237\221\270\301\221\5\272\223\200>\262J\317V\206\253'\310\[\270\366\263\326\5K\366\205F\13$Z\320?\275\255Fk\31\360n\221\129M\257\202\25\204\367\267\363}\27R\233\344l\305Z\353\31R^\326T\304\250\340\1\230\336\15\4\331(\264\322<\215\223D\246\337\262\3043\243\16w\215\354L\212\376\236\301\10J"\307\267\351\335\215\215\303\322\16|\276\332\264\300<\323\276JJ\2502~\27\206\13\\274/\231\16@\36Z\237\377\250go\355vt\371\241\235\241\16\267\344}~kx\342\5\233\31\276\200\216\372\212M\262\206~\302\3049\0\257\331j:\202\302r\14\321\277\274\216\212\361W\257\201F\217k\356W"Z\177mW\335c"W\333\123\206\326o\332\241\233\13\240\305\12\36\273\344q\355\273#\335\326:Z9}!2\0\371\314\235\33\3031h\355\200\3374 !6M?68Z:\0\35h\355\2546g\35<\261\237\221\332\305\307\305$"G\11N:\316uFR&:=\3426\46\342\200\266\353~\202\203g\222\204\267\271/z\255\34j\317\20\314\332{\261\304\326\362\15\271bL\3\374\1/\5\212\32z\3218\7zBSS\274\1", ) \307\267\351\335\215\215\303\322\16|\276\332\264\300<\323\276JJ\2502~\27\206\13\\274/\231\16@\36Z\237\377\250go\355vt\371\241\235\241\16\267\344}~kx\342\5\233\31\276\200\216\372\212M\262\206~\302\3049\0\257\331j:\202\302r\14\321\277\274\216\212\361W\257\201F\217k\356W (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "a\37\216X\16\317\220w\207\327\211He\220F\30\374K\311\340\343x7H\266v\27\345\6X2}\256\231\305\221SM\340Z\322\201\335Y\270\206\37\0\344\226\346T\346\271\274d\255\277\2216\322\275\24\345&\270\357!\332\265\324\226\365K\367\14\302\255\251\35\177\275Nz\312\350\375@\234\\35C\246\241\237\301\311X\21\235-\275\342\20\30\255>\363\217v\323%\244U\2119\235Y\225\274\261V\39,\234\11\14>\262\305\323I*\257\276\236W\302\10\214\15\3619@\233>3\34\224P\256.\1\322\4O\261\300]\1\331\3034E\233\232\306\0\237\221\270\301\221\5\272\223\200>\262J\317V\206\253'\310\[\270\366\263\326\5K\366\205F\13$Z\320?\275\255Fk\31\360n\221\129M\257\202\25\204\367\267\363}\27R\233\344l\305Z\353\31R^\326T\304\250\340\1\230\336\15\4\331(\264\322<\215\223D\246\337\262\3043\243\16w\215\354L\212\376\236\301\10J"\307\267\351\335\215\215\303\322\16|\276\332\264\300<\323\276JJ\2502~\27\206\13\\274/\231\16@\36Z\237\377\250go\355vt\371\241\235\241\16\267\344}~kx\342\5\233\31\276\200\216\372\212M\262\206~\302\3049\0\257\331j:\202\302r\14\321\277\274\216\212\361W\257\201F\217k\356W"Z\177mW\335c"W\333\123\206\326o\332\241\233\13\240\305\12\36\273\344q\355\273#\335\326:Z9}!2\0\371\314\235\33\3031h\355\200\3374 !6M?68Z:\0\35h\355\2546g\35<\261\237\221\332\305\307\305$"G\11N:\316uFR&:=\3426\46\342\200\266\353~\202\203g\222\204\267\271/z\255\34j\317\20\314\332{\261\304\326\362\15\271bL\3\374\1/\5\212\32z\3218\7zBSS\274\1", ) W\333\123\206\326o\332\241\233\13\240\305\12\36\273\344q\355\273#\335\326:Z9}!2\0\371\314\235\33\3031h\355\200\3374 !6M?68Z:\0\35h\355\2546g\35<\261\237\221\332\305\307\305$ (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "a\37\216X\16\317\220w\207\327\211He\220F\30\374K\311\340\343x7H\266v\27\345\6X2}\256\231\305\221SM\340Z\322\201\335Y\270\206\37\0\344\226\346T\346\271\274d\255\277\2216\322\275\24\345&\270\357!\332\265\324\226\365K\367\14\302\255\251\35\177\275Nz\312\350\375@\234\\35C\246\241\237\301\311X\21\235-\275\342\20\30\255>\363\217v\323%\244U\2119\235Y\225\274\261V\39,\234\11\14>\262\305\323I*\257\276\236W\302\10\214\15\3619@\233>3\34\224P\256.\1\322\4O\261\300]\1\331\3034E\233\232\306\0\237\221\270\301\221\5\272\223\200>\262J\317V\206\253'\310\[\270\366\263\326\5K\366\205F\13$Z\320?\275\255Fk\31\360n\221\129M\257\202\25\204\367\267\363}\27R\233\344l\305Z\353\31R^\326T\304\250\340\1\230\336\15\4\331(\264\322<\215\223D\246\337\262\3043\243\16w\215\354L\212\376\236\301\10J"\307\267\351\335\215\215\303\322\16|\276\332\264\300<\323\276JJ\2502~\27\206\13\\274/\231\16@\36Z\237\377\250go\355vt\371\241\235\241\16\267\344}~kx\342\5\233\31\276\200\216\372\212M\262\206~\302\3049\0\257\331j:\202\302r\14\321\277\274\216\212\361W\257\201F\217k\356W"Z\177mW\335c"W\333\123\206\326o\332\241\233\13\240\305\12\36\273\344q\355\273#\335\326:Z9}!2\0\371\314\235\33\3031h\355\200\3374 !6M?68Z:\0\35h\355\2546g\35<\261\237\221\332\305\307\305$"G\11N:\316uFR&:=\3426\46\342\200\266\353~\202\203g\222\204\267\271/z\255\34j\317\20\314\332{\261\304\326\362\15\271bL\3\374\1/\5\212\32z\3218\7zBSS\274\1", ) , ) == 0x0
 00492   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\327\302\13X\270\22\25w1\12\14H\323M\303\30J\226L\340U\245\262H\0\253\222\345\260\205\267}\30D@\221\345\220eZd\XY\16[\232\0RKcTPd9d\33b\246d`\221\345\220ej!lhQ\226C\226r\14tp,\35\311`\313z|5x@*\201\230C\20|\32\301\177\205\224\235\233`g\20\256p\273\3639\253V%\22\210\149+\204\20\274\7\213\2069\232A\214\14\210o@\323\377\367*\276(\212G\10:\320t9\366F\2733\252I\325\256\230\334W\4\371lE]\267\4F4\363F\37\306\266B\24\270\256\354\24\5\14N\5>\4\227JV0v\242\310\352\206=\366\5\13\200K@X\303\13\222\207U?\13p\303k\257-\353\221\274\344\310\2574\310\1\367\1.\370\27\344Fals\207n\31\344\203STrue\1.\3\210\4o\3651\322\212P\26D\20\27\304\205~\213w;1\311\212HCD\10\374\377B\267_\0\10\215u\17\213|\10\71\300\212\16;J\374u\267~\241[\216\\12\362\34\16\366\303\337\237Iu\342o[\253\361\371\27@$\16\19\370~\335\245g\5-\304;\2008'\17M\4[\373\302r\344\205\257o\267\277\202t\257\211\321\11a\13\212G\212*\201\360R\356\356\341\377\337\177\333\212Xc\224\212^\12\205[Sol|\36\13\26\30\217\36\159\364\355\15\376X\32\200\347\3379\313\374\267\0O\21\30\33u\354\355\3556\2\261 \227\353\310?\200\345\337:\266\300\355\355\32\353\342\35\212l\32\221l\30B\305\222\377\302\11\370\347Ku\360\217\243:\213?\263\4\200?\5\266]\243\7\203\321O\1\267\17\362\377\255\252\267J\20z\7\376\261r\13w\15\17\277\311\3J\334\252\5<\307\377\321\216\332\377B\345\2169\1", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00493   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, " 6x\2656\12)f\345T\0\6\240]\17\265\301\33\0\227\311\323\362\21\320b1\22\343\321\340\211\277}\334\6\5\32\344\35\206a\231\210\2\246\32\240\274\3351\274\321\363\302\263\307\367E0\257\204\364\267\32\207\3162\177\332\271?J\261t\276\207\201\310+Y\23\244\235\3tt\325\206\326\364\343\217\241\361\343\325\327"\361]C5>Q\300\13\376_.\200\30W\211&\237]\264\254\2139n\12\253\326\362\266@[x\13\371W\320\373\241\214\300v\203\273Di\206\a1q\201\363\214\223\245\251\2\274\235\7\322\326}B\21\313\5{\203k\225\31xC\365\353\261\371Q\350\205]\23t5\237\242!\336\204\305{%\337\10\5\242;F\377\233\360iN\320|\22\360\320z\245\364\243[%\266b\327q\364f\27\225\240\224\2155\326\233\4\202CJ\220\352\0\215\215\271/\232\374\246\207\246\252\2718\255\257M\310\212\345\2718\237\374\243\205\21:\312\210\261\6\276w\355\323\21\341\267\321%\346w@\205\233\276\247\203\243\255\337\253,s\32\323\272\34\354\223z@\37\225\360\347P\27`5\313\221\310R\201\27\246\26n\312XF6\231\30\352}.a~n\225\35\205\24\321\17!W\236\011\235\1t\255\\22\24\323F^\211\334w\204\355Z\256\271\343#q\15\3+\201\322\313+\300\376\301\213]\353\234\314\251\332\264\233y\26h\240\266:\212\240\216`"\304\317\33\270G\355O'\231\330\25\276\371\247\16\267\301\304\340\326J\347\364\365W\227\20B\207#\266\260\324\352\21N-)\0\256=\201U\230\324\254*\277\331"\26\276\215\351\253\12)\226\4}U\242\247\364\333\257H^Ev9o\2230jC\333u\354X\266\327\321e\235}\234t\337\261\0\345\252\373\350\311\255\356\330\32\315\232\322N\210\3308", ) \361]C5>Q\300\13\376_.\200\30W\211&\237]\264\254\2139n\12\253\326\362\266@[x\13\371W\320\373\241\214\300v\203\273Di\206\a1q\201\363\214\223\245\251\2\274\235\7\322\326}B\21\313\5{\203k\225\31xC\365\353\261\371Q\350\205]\23t5\237\242!\336\204\305{%\337\10\5\242;F\377\233\360iN\320|\22\360\320z\245\364\243[%\266b\327q\364f\27\225\240\224\2155\326\233\4\202CJ\220\352\0\215\215\271/\232\374\246\207\246\252\2718\255\257M\310\212\345\2718\237\374\243\205\21:\312\210\261\6\276w\355\323\21\341\267\321%\346w@\205\233\276\247\203\243\255\337\253,s\32\323\272\34\354\223z@\37\225\360\347P\27`5\313\221\310R\201\27\246\26n\312XF6\231\30\352}.a~n\225\35\205\24\321\17!W\236\011\235\1t\255\\22\24\323F^\211\334w\204\355Z\256\271\343#q\15\3+\201\322\313+\300\376\301\213]\353\234\314\251\332\264\233y\26h\240\266:\212\240\216` (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, " 6x\2656\12)f\345T\0\6\240]\17\265\301\33\0\227\311\323\362\21\320b1\22\343\321\340\211\277}\334\6\5\32\344\35\206a\231\210\2\246\32\240\274\3351\274\321\363\302\263\307\367E0\257\204\364\267\32\207\3162\177\332\271?J\261t\276\207\201\310+Y\23\244\235\3tt\325\206\326\364\343\217\241\361\343\325\327"\361]C5>Q\300\13\376_.\200\30W\211&\237]\264\254\2139n\12\253\326\362\266@[x\13\371W\320\373\241\214\300v\203\273Di\206\a1q\201\363\214\223\245\251\2\274\235\7\322\326}B\21\313\5{\203k\225\31xC\365\353\261\371Q\350\205]\23t5\237\242!\336\204\305{%\337\10\5\242;F\377\233\360iN\320|\22\360\320z\245\364\243[%\266b\327q\364f\27\225\240\224\2155\326\233\4\202CJ\220\352\0\215\215\271/\232\374\246\207\246\252\2718\255\257M\310\212\345\2718\237\374\243\205\21:\312\210\261\6\276w\355\323\21\341\267\321%\346w@\205\233\276\247\203\243\255\337\253,s\32\323\272\34\354\223z@\37\225\360\347P\27`5\313\221\310R\201\27\246\26n\312XF6\231\30\352}.a~n\225\35\205\24\321\17!W\236\011\235\1t\255\\22\24\323F^\211\334w\204\355Z\256\271\343#q\15\3+\201\322\313+\300\376\301\213]\353\234\314\251\332\264\233y\26h\240\266:\212\240\216`"\304\317\33\270G\355O'\231\330\25\276\371\247\16\267\301\304\340\326J\347\364\365W\227\20B\207#\266\260\324\352\21N-)\0\256=\201U\230\324\254*\277\331"\26\276\215\351\253\12)\226\4}U\242\247\364\333\257H^Ev9o\2230jC\333u\354X\266\327\321e\235}\234t\337\261\0\345\252\373\350\311\255\356\330\32\315\232\322N\210\3308", ) \26\276\215\351\253\12)\226\4}U\242\247\364\333\257H^Ev9o\2230jC\333u\354X\266\327\321e\235}\234t\337\261\0\345\252\373\350\311\255\356\330\32\315\232\322N\210\3308", ) == 0x0
 00494   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240 (80, 0, 0, 0, "\226\353\375\265\200\327\254fS\211\205\6\26\200\212\265w\306\205\227\177\16w\21f\277\264\22U\14e\211\11\240Y\6\263\307a\350\274\34\210\264{\237\240\212\215\225>\12\0\264\274g.G\263q*\3000\31Y\2334\1\307\2\316\204\242_\271\211\2274t\10Z\4\310\235\204\226\244+\336\361tc[S\364UR$\361U\10R"G\200\3065\210\214E\13H\202\253\200\256\212\14&)\2001\254=\344\353\12\35\13w\266\366\206\375\13O\212U\373\27QEv5f\301i0\201\3441\307\v\214%x,\2\12@\202\32\204\13\370B\247\26\200{5\266\20\31\316\236p\353\7$\324\3503\200\226t\203B'!hY@{\223\2\215\5\24\346\303\377--\354Nf\241\227\360f\247 \364\25\206\240\266\324\12\364\364\320\312\20\240"P\260\326-\331\7C\374Mo\0;P\16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \16\1\34A\340`\227b\364C\212\22\20\364Z\246\266\6\11o\21\370\360\254\0\30\340\4U.\11)*\11\4\247\26\10Pl\253\274\364\23\4\313\210'\247B\6*H\350\230\3639\331N\265j\365\6\360\354\356kR\321\323@\370\234\302\24\0Sw~\350\177pk\330\254\20\37\322\370U]8", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00495   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\251\262G#\227\315E\11\16\361W\345\322\322,y\320\37\4\307\366\277\236\341\250\377\7|\267\325\7.\356\313\220&\225vm{\367oF\270\270\321=%\367aT\273?\205\243w`P\365\30\241e4\263q\327\14\34\177\317\370\314\360g\216 \276\213\36\301 u_\233\333\320c{:\335kYl\267\231\334j\365\202\361\303\10(\210\264\331B]\266c\244\264P5\224x\214\273\232a\6\25\345\315B\300y\252\343O\257\262\34\335\320\315\310J\275\322\203\253\240_\302\302\322\307\270\326\207C\223\365\378]\334j\305\24\376\353\5\6\24\363YZ\260\210P\230\200i\271\301\221\375\353\213l?\370\246\251\214Fj\305\353\303\276{\242\25j\303\215D\311Eh\242\325\3750\347v\235<\14\205\234P\222\312\334;v>\374\20\2\23\365\302\257\24\314q\341\216\276\370\5\202\221\237\303\224!;\363]\360>\322\260]C\342\253\261J\342\36\15=\266\327o\4\6\347\245m\214\264>\303\320\24\355*\200\304P\241FR\255\30\203m.\366\204\5\341$(\264\210X\201\37\242h:\356^\265\255]i0\201\24q\246\257\326\155\34z\263\31\200\363\364\265\276\313\225\214\\312\14\342\232\20Xq\336u5$\362h\314\4\266\310\15\367\274\203\325\345\216F\351\362\244\255\300\344\346e\234F,Q\216\2543\275\14\24`]\1\35\334\231\261=\260\275\246FmP#H\30b\11\2\360cn \336\277\22\213:\334\204X\16_ I\272\204b\362\244=\346\2dMai\272\263e\14D\330\200\333\267\307e\262\271Z\30\330\274U\276t\204#;j\274De\340\344q\276\205\13\252#\21\12\3745\177\6\24\23\30\272K\326|\340\177\304\3576l\315i\245\307\222\217\341\17\336\370\337\340\223\311\204\5\27\215\240\21\254\343\275\227\315\7", ) , ) == 0x0
 00496   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\37o\302#!\20\300\11\270,\322\345d\17\251yf\302\201\307@b\33\341\36"\202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \202|\1\10\202.X\26\25&#\253\350{A\262\303\270\16\14\270%A\274\321\273\211X&w\326\215p\30\27\270\261\263\307\12\211\34\311\22}\314F\272\13 \10V\233\301\226\250\332\233m\15\346{\214\0\356Y\332j\34\334\334(\7\361u\325\255\210\2\4\307]\0\276!\264\346\350\21x:f\37a\260\310`\315\364\35\374\252U\222*\262\252\0U\315~\2278\3225v%_t\37W\307\16\13\2C%(\2328\353\1\357\305\242#n\5\260\311vY\354m\15P.]\354\271wLx\353=\261\272\370\20t\11F\334\30n\303\10\246'\25\334\36\10D\177\230\355\242c \265\347\300@\271\143A\325\222|\1\276v\210!\2070\264\316p\302\31\311IqWS;\370\263_\24\237uI\244;E\200u>dm\330CTv4JT\303\210=\0\12\352\4\260: m:i\273\303f\311h*6\31\325\241\360\217(\305\260\253\3662\330d$\236i\15X7\302'h\2143\333\265\33\200\35407\311\364\246\31\13\2105\252\2476\316.q\265\10\26\20\214\352\27\211\342,\315\335qh\250\260$D\265I\4\0\25\210\367\12^P\3458\233l\362\22pE\344P\270\31F\232\214\13\254\205`\211\24\326\200\204\35jD4=\6`#F\333\215\246H\256\277\214\2F\276\353 hb\227\213\214\1\1X\270\202\245I\14Y\347\362\22\340c\2\322\220\344i\14n\340\14\362\5\5\333\1\32\340\262\17\207\235\330\12\210;t2\376\276j\12\231\340\340R\254;\205\275w\246\21\274!\260\177\260\311\226\30\14\226S|V\242A\357\200\261Hi\23\32\27\217W\322[\370i=\26\3112\330\222\215\26\314)\343\13JH\7", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00497   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\204C\325\20q\375\305\12\4\225\271\350h\326\323\34\276\360\240\14\202\17\204\324}\372q\3776\200\223-\262\2728KY\346nJ\335G\256U\302\205\262W\200\375\342\22\265\371\240\21E\351\244%\31I\5\341\363\15\330N,R\340\377R\372\374\336\244\257\13\2523\314\361%\200\25\344\267T\232\3\312X\277u\330\374\333\351\25\265\366\325j0\235hu\350j\37[\243\31\241\13DL\325,{"\226\211\262\33\305,\266\336\240@\333\351\207\324%\361\343\210+\265\341\242\262\14\376~\226=\224\360\311\341b:\354u\377\237@\230\361\371\272\6\310\21\255\307I-\202\15\373\4\3316\251\215\362&\203\205d\240\207\300\235\331\226\353}\213'j\343\300\233\14\302\323\201\217\17\220\250\27\246\366G\263\203\252\362\4\310\333]\344~\366O\15\200\277\251>=\322\330\20\302\3001\205&\234?\0oe\53\3572G\342H\212\304\36\202X\350\200m\346\354t\257-\211P\253\357\214'x\345L;\206]\331\310\266i\265\366\227}\3660\5\322\15\4\12\360\11\204\201\216\275\27?\215\275\2217w\24&\4\336\221\275", ) \223-\262\2728KY\346nJ\335G\256U\302\205\262W\200\375\342\22\265\371\240\21E\351\244%\31I\5\341\363\15\330N,R\340\377R\372\374\336\244\257\13\2523\314\361%\200\25\344\267T\232\3\312X\277u\330\374\333\351\25\265\366\325j0\235hu\350j\37[\243\31\241\13DL\325,{265(O\21\233\223\352\11\5{\354\237n9\311\223\217\261\340\206\377\265\236\3y\335\325\13\325\315\245k\247\303\33\212\20\375m\13\315\202\237\3\374\200\4x\242\31\337\357\230\345\373\23\343\373$'\372k\356'\301\271\321\317\344\333\225S\352\271\316c=\300|J\216\366\351\260aL\237\304\275\323W \343\350\351\24\271\302+\32\242\243];\345\371-\345p|']\263J\306\308\31h\200C\221)#fT\247\306\365\332\0\373}\356l\1g\31\257e\266\234\1\12\340y\356\337\310 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\204C\325\20q\375\305\12\4\225\271\350h\326\323\34\276\360\240\14\202\17\204\324}\372q\3776\200\223-\262\2728KY\346nJ\335G\256U\302\205\262W\200\375\342\22\265\371\240\21E\351\244%\31I\5\341\363\15\330N,R\340\377R\372\374\336\244\257\13\2523\314\361%\200\25\344\267T\232\3\312X\277u\330\374\333\351\25\265\366\325j0\235hu\350j\37[\243\31\241\13DL\325,{"\226\211\262\33\305,\266\336\240@\333\351\207\324%\361\343\210+\265\341\242\262\14\376~\226=\224\360\311\341b:\354u\377\237@\230\361\371\272\6\310\21\255\307I-\202\15\373\4\3316\251\215\362&\203\205d\240\207\300\235\331\226\353}\213'j\343\300\233\14\302\323\201\217\17\220\250\27\246\366G\263\203\252\362\4\310\333]\344~\366O\15\200\277\251>=\322\330\20\302\3001\205&\234?\0oe\53\3572G\342H\212\304\36\202X\350\200m\346\354t\257-\211P\253\357\214'x\345L;\206]\331\310\266i\265\366\227}\3660\5\322\15\4\12\360\11\204\201\216\275\27?\215\275\2217w\24&\4\336\221\275", ) , ) == 0x0
 00498   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211 (80, 0, 0, 0, "2\236P\20\307 @\12\262H<\350\336\13V\34\10-%\144\322\1\324\313'\364\377\200]\271A"\216\233\275\337H\13\250\337&\362+\307^R \34\313\376\342B\265\320R\234\36\213\373\220o\353\22[\27\16\332f\377\26-\4g\275K\357;\353Jk\232+UtX7W6 g\22\3$%\21\3634!%\257\224\200\341E\320]N\232\217e\377\344'y\336\22r\216\252\205\21t%6\310a\267\342G\206\312\356b\360\330J\6l\25\3+Pj\206@\355u^\267\232[\25\304$\1\205\231\311\325\232\246\271t\3\365\312\21-No\11\263\246i\237\330\344L\2239le\206Ih\33\3\317\0P\13c\20 k\21\36\236\212\246 \350\13{_\32\3J]\201x\24\304Z\357.8~\23U&\241'L\266k'wdT\317R\6\20S\dKc\213\35\371J8+l\260\327\221\32\304\13\16\322 U5l\24\17\37\256\32\24~\330;S$\250\345\306\241\242]\5\227C\30\216\304\355\200\365L\254#\320\211"\306C\7\205\373\3133\351\1\321\304*e\0A\204\12V\244k\337~\377\23\211\4\306@,\0\3%@m4\2\324\223,f\210\235hd\242\4\321{~ \340\21\360\177<\347:Z\250z\237\366Et\371\14\333M\21\33\32\314-4\320~\4o\353,\215D\373\6\205\322}\2\300+\4\23\353\313V\242jU\35\36\14t\16\4\217\271M-\27\20+\302\2635ww\4~\6\330\344\310+\312\156b,>\213\17]\20t\35\264\205\220A\272\0\331\270\2003Y\357\302\342\376WA\364\205m\200\333;it\31\360\14P\352\11'\3168\311;0\200\\310\0\2640\366!\240s0\263\17\210\4\274-\214\2047S8\27\211P8\221\201\252\221&\262\3\24\275", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00499   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\264.]H\303w/\277~\234\247\210k^\10\327\345\2025\337\241\35Md\244\204\255`\340\3301a\255\3178\377\240\15f'\16\207\274\212\372\334z\200_\327\13\375l\207=\4\265B\317\215\220\271\261?\261(\10I\366\227\360\336\351\257.\14j\262\207\25\306\321wLU\324\377\4q\243$\4\34~wd\267\370\362\2\225!G2\224\237>\31\3608\3135D\236KW\276\317\361h<>\15N\214\270\354\325\33%\326=\214V\272\355n\377_\370Bk\274\325\252kSY\303\14\230;\232\377\26\335>=\375\0Fw\327*\273\216q-$\3767\215\313% v\334\_0\302\36\15\0\314\324\211\254UZ{ \226\177\224\3T\0[\201\254<\366\36\CJ\223\267~\206}\302\251\353\243\370\353\241]\332\243\327\16b*="\251\200\315\354\276?\307n\275o\204\12\\24\213I\201\353F\3\264UL\26F\303=6\352\15\2740\312)\263\213\12\346\32\220<\304\326\32\362\220x\372\22)\26\3079\317\227D\244\220\246<6\216\221C\267g\25j&\272\26&?\16\304"\310\316pC\276\275\211t\255\360z\257\262_\352\272\244\\306\4<\215\302\351\377\363F\35]\254\212\270NZ\271\344&%}C\262%M\0\304\370}\370\323\35fMN\257, ) \251\200\315\354\276?\307n\275o\204\12\\24\213I\201\353F\3\264UL\26F\303=6\352\15\2740\312)\263\213\12\346\32\220<\304\326\32\362\220x\372\22)\26\3079\317\227D\244\220\246<6\216\221C\267g\25j&\272\26&?\16\304 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\264.]H\303w/\277~\234\247\210k^\10\327\345\2025\337\241\35Md\244\204\255`\340\3301a\255\3178\377\240\15f'\16\207\274\212\372\334z\200_\327\13\375l\207=\4\265B\317\215\220\271\261?\261(\10I\366\227\360\336\351\257.\14j\262\207\25\306\321wLU\324\377\4q\243$\4\34~wd\267\370\362\2\225!G2\224\237>\31\3608\3135D\236KW\276\317\361h<>\15N\214\270\354\325\33%\326=\214V\272\355n\377_\370Bk\274\325\252kSY\303\14\230;\232\377\26\335>=\375\0Fw\327*\273\216q-$\3767\215\313% v\334\_0\302\36\15\0\314\324\211\254UZ{ \226\177\224\3T\0[\201\254<\366\36\CJ\223\267~\206}\302\251\353\243\370\353\241]\332\243\327\16b*="\251\200\315\354\276?\307n\275o\204\12\\24\213I\201\353F\3\264UL\26F\303=6\352\15\2740\312)\263\213\12\346\32\220<\304\326\32\362\220x\372\22)\26\3079\317\227D\244\220\246<6\216\221C\267g\25j&\272\26&?\16\304"\310\316pC\276\275\211t\255\360z\257\262_\352\272\244\\306\4<\215\302\351\377\363F\35]\254\212\270NZ\271\344&%}C\262%M\0\304\370}\370\323\35fMN\257, ) , ) == 0x0
 00500   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022 (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \332\370\364\2669\325\34\266\326Yu\321\35;, (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A (80, 0, 0, 0, "\2\363\330Hu\252\252\277\310A"\210\335\203\215\327S_\260\337\27\300\310d\22Y(`V\5\264a\33\22\275\377\26\320\343'\270Z9\212L\1\377\200\351\12\216\375\332Z\270\4\3\237J\215&d4?\7\365\215I@Ju\336_r\253\14\334o\2\25p\14\362L\343\11z\4\307~\241\4\252\243\362d\1%w\2#\374\3022"B\273\31F\345N5\362C\316W\10\22th\212\343\210N:ei\325\255\370S=:\213?\355\330"\332\370\364\2669\325\34\266\326Yu\321\35;,"\223\335\210\340x\0\360\252R*\15S\364-\222#\262\215}\370\245vj\201\3320t\303\210\0z\11\14\254\343\207\376  \242\21\3\342\335\336\201\32\341s\36\352\236\317\223\1\243\3}ttn\243N6$]l~R\16\324\367\270"\37]H\354\10\342Bn\13\262\1\12\352\311\16I76\303\3\2\210\311\26\360\36\2706\\32090|\3646\213\274;\237\220\212\31S\32DM\375\372\244\364\223\307\217\22\22D\22M#<\200S\24C\1\272\220j\220g\223&\211\323A"~\23\365C\10`\14t\33-\377\257\4\202o\272\22\201C\4\212PG\351I.\303\35\353q\17\270\370\207<\344\220\370\370C\4\370\310\0r%\370\370e\300\343M\370r\271k$\5\205\344&\220\263, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00501   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\316\275\253\230\375\223\352\374\241/\252{\375\316\315S\306\261\354t\340qd,\227\202\310\4\337\215|b\311\204\2S\347\221\322a\236\276\201\2056X\200\323\2\372\207\366\246\220\205\227\262\332\261 \327fI\327\355\325\262\260\355*\36\0\201\277\256z\265\316\266\25\4\371\262\12-\2205\17\265\362\246\340\266\212\16\326\377\311\271\0\336\242\315S\377\231\204\340\273\245\\2204?h\353\246\374NI\14%\335\305\267?\346\262\205\325\34\260\204\241\306\214\242\37\333};\216\204\271\267\236\304\202<\316\247|\303\335\276\200\257_\313`l\310\15\267\265=\215*\263|\214\12\216\330\274\327\34\355\7\216\300\262\212\271\233\270\272\242\24i\270\215\240T,(\246a\230 %\334\21<\3\334AuI]\221\6\243\340\5X\246:\274\242\343\343\207\201\252\335\342\307\224}\202\25T\323\255h\177n)\221\271\214\216\5v\316\377r\331\306'\362B\346\375\4\232"\206\24\215\213\215I\342\316\17|}\332\231\325\32\2770\252\262\11\11\325\263\307\361\364&\362-\11\311&}\207\334\324\324-\256W\15;\36\336\22\200"\204\7'\362\262U\4;\220}\3466\275D\11^\374\215\313\225\322.\252\241\246\21q.\326\247X\262\224\212\244\25]\213\10\203\307\300\22\224\3523\24\342n\346\33\3134\221qze\207\0*\315\212\377z\3158\2\210\220\315u\273\210\0"@ \3348]\340;\16r\3416 \266\31n&\36L\232*\336\310p\205\262M\205|\363\252\257\12\334\3372\252\1p'Gj#\360Gq\207\204\3\264\277\341\236\232\267l\263\321\211\20\246\3117,}o\221\30\256\375\245\313\4\361N$\222\365\255,\232\311\36\0\324\12t\202\346\234\11\355\342\335.S\271(\15f\347b\316\242\225\207\207\213g\336o\11b~ v\3261\211\3", ) \206\24\215\213\215I\342\316\17|}\332\231\325\32\2770\252\262\11\11\325\263\307\361\364&\362-\11\311&}\207\334\324\324-\256W\15;\36\336\22\200 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\316\275\253\230\375\223\352\374\241/\252{\375\316\315S\306\261\354t\340qd,\227\202\310\4\337\215|b\311\204\2S\347\221\322a\236\276\201\2056X\200\323\2\372\207\366\246\220\205\227\262\332\261 \327fI\327\355\325\262\260\355*\36\0\201\277\256z\265\316\266\25\4\371\262\12-\2205\17\265\362\246\340\266\212\16\326\377\311\271\0\336\242\315S\377\231\204\340\273\245\\2204?h\353\246\374NI\14%\335\305\267?\346\262\205\325\34\260\204\241\306\214\242\37\333};\216\204\271\267\236\304\202<\316\247|\303\335\276\200\257_\313`l\310\15\267\265=\215*\263|\214\12\216\330\274\327\34\355\7\216\300\262\212\271\233\270\272\242\24i\270\215\240T,(\246a\230 %\334\21<\3\334AuI]\221\6\243\340\5X\246:\274\242\343\343\207\201\252\335\342\307\224}\202\25T\323\255h\177n)\221\271\214\216\5v\316\377r\331\306'\362B\346\375\4\232"\206\24\215\213\215I\342\316\17|}\332\231\325\32\2770\252\262\11\11\325\263\307\361\364&\362-\11\311&}\207\334\324\324-\256W\15;\36\336\22\200"\204\7'\362\262U\4;\220}\3466\275D\11^\374\215\313\225\322.\252\241\246\21q.\326\247X\262\224\212\244\25]\213\10\203\307\300\22\224\3523\24\342n\346\33\3134\221qze\207\0*\315\212\377z\3158\2\210\220\315u\273\210\0"@ \3348]\340;\16r\3416 \266\31n&\36L\232*\336\310p\205\262M\205|\363\252\257\12\334\3372\252\1p'Gj#\360Gq\207\204\3\264\277\341\236\232\267l\263\321\211\20\246\3117,}o\221\30\256\375\245\313\4\361N$\222\365\255,\232\311\36\0\324\12t\202\346\234\11\355\342\335.S\271(\15f\347b\316\242\225\207\207\213g\336o\11b~ v\3261\211\3", ) @ \3348]\340;\16r\3416 \266\31n&\36L\232*\336\310p\205\262M\205|\363\252\257\12\334\3372\252\1p'Gj#\360Gq\207\204\3\264\277\341\236\232\267l\263\321\211\20\246\3117,}o\221\30\256\375\245\313\4\361N$\222\365\255,\232\311\36\0\324\12t\202\346\234\11\355\342\335.S\271(\15f\347b\316\242\225\207\207\213g\336o\11b~ v\3261\211\3", ) == 0x0
 00502   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) |u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) X\4I\17\244\243\200\16\105\32E\22 (80, 0, 0, 0, "x`.\230KNo\374\27\362/{K\23HSplitV\254\341,!_M\4iP\371b\177Y\207SQLWa(c\4\205\200\205\5\323\264'\2\366\20M\0\227\4\74 a\273\314\327[\107\260[\367\233\07b+z\3\233\25\262$7\12\233M\260\17\3/#\340\0W\213\326I\24<\0h\177HSID\1\340\15x\331\220\202\342\355\353\20!\313I\272\370X\305\1\342c\2623\10\231\2602|C\214\24\302^}\215S\1\271\1CA\202\212\23"|u\0;\200\31\202N`\332\25\210\267\3\340\10*\5\241\11\128\59\327\2520\202\216vo\17\271-e?\242\242\264=\215\26\211\251(\20\274\35 \223\1\224<\265\1\304u\377\200\24\6\25=\200X\20\3479\242U>\2\201\34\0g\307"\240\7\25\342\16(h\311\263\254\221\17Q\13\5\300\23zro\33\242\362\364;x\4,\377\3\24;V\10IT\23\212|\313\7\34\325\254b\265\252\4\324\214\325\5\32t\364\220/\250\11\177\373\370\207j\11Q-\30\212\210;\250\3\227\200\224Y\202'Do\320\4\215M\370\346\200`\301\11\350!\10\313#\17\253\252\27{\224q\230\13"X\4I\17\244\243\200\16\105\32E\22"7\266\24T\263c\33}\351\24q\314\270\2\0\234\20\17\377\314\20\275\2>MHu\15U\205"\366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \366\375Y8\353=\276\16\304<\263 \0\304\353&\250\221\37*h\25\365\205\4\220\0|Ew*\12j\2\267\252\267\255\242G\334\376uG\307Z\1\3\2bd\236,\313\262l\5\14\14\20\20\24\262,\313\262\24\30\30  \313\262,\313$$((,,\24\233\0b\327\361\202PA\214\355T\0\253S\17\365\210fQ\277K\242#Z\2\213\321\3\352\11\324\243\245v`\354\14\3", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00503   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\243:Jo3\377\2241m6\205\314\252\211\226\32\331\253\344'e\360!P\252uu\354\231\247\321\36y\205\334>\303\3\227\234T\324\351\1\262b\311 \0\211\211\360\207\332\177\17\374\221/~\226\306\36l\357\245lP\375\301\213\212i\27\314\25JA\277P\347\256R\16\247\334\207\2169\224\220\4\25\376\375\203\243\335"\322*\365\2060\225\276\216|\252[\2128x\332\225\213\363-\5\0\232C\3566\246\240QH\310\30\230 \343-_\25'\357?d\315\235\233\325\320\17qY\276\337\25C\270\344\206\4\263\226/`\304\356E\303\3201\236\311c\2605h\22\321\220<$\210[\222T\315\235Im\23\363\116\34\257\336\333\177 _\6\305\245\206\272\225\301\3>\24\216\211\340\344S\23\365\247\3271&T\310\354}\245i\205fN\15\`\307\302`\3622\2041\255O\327\350"\355iE\330\6\245\1\261\243\376\321\372\334\353z\16\354a\27\307\277\301K\301\10\15L\257\331\265\37B\375\245\200J\337R\25\376\34g\262d\237\321\27\270\315\221h\343\364\305\0}\353p$\240s\16\1d-qzw\306\216\200\361\331 9\244\325e%\233-a\200\302\314!\344a\301\2411\327P\256\364q\257$\322\6s\257{\257\334\324E\244\217\10H\347\361|\332n\326\276\203\343\336\376.\361>\362\24 \325\235`i\272P#\277\245\17\206q\2T4\332\12]\22I\16\317\333\356\336\216\372\236\230\177\232\27\302*\300\227\2537\3\276\326\215$\230\221\375\24\301\307\234\177p\205\211\11u0r\336\20u\1\n\231*5\347\361\36\220D\310\23552\363W\251\14kK?2\366\231E\313\314\307P[\233\362uC\332\276\271\10\337\307\242\277w\5\200\12\211j\2\267\265\222\13\237\207t=N\07\375<\214\3\2461H\35\14", ) \322*\365\2060\225\276\216|\252[\2128x\332\225\213\363-\5\0\232C\3566\246\240QH\310\30\230 \343-_\25'\357?d\315\235\233\325\320\17qY\276\337\25C\270\344\206\4\263\226/`\304\356E\303\3201\236\311c\2605h\22\321\220<$\210[\222T\315\235Im\23\363\116\34\257\336\333\177 _\6\305\245\206\272\225\301\3>\24\216\211\340\344S\23\365\247\3271&T\310\354}\245i\205fN\15\`\307\302`\3622\2041\255O\327\350 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\243:Jo3\377\2241m6\205\314\252\211\226\32\331\253\344'e\360!P\252uu\354\231\247\321\36y\205\334>\303\3\227\234T\324\351\1\262b\311 \0\211\211\360\207\332\177\17\374\221/~\226\306\36l\357\245lP\375\301\213\212i\27\314\25JA\277P\347\256R\16\247\334\207\2169\224\220\4\25\376\375\203\243\335"\322*\365\2060\225\276\216|\252[\2128x\332\225\213\363-\5\0\232C\3566\246\240QH\310\30\230 \343-_\25'\357?d\315\235\233\325\320\17qY\276\337\25C\270\344\206\4\263\226/`\304\356E\303\3201\236\311c\2605h\22\321\220<$\210[\222T\315\235Im\23\363\116\34\257\336\333\177 _\6\305\245\206\272\225\301\3>\24\216\211\340\344S\23\365\247\3271&T\310\354}\245i\205fN\15\`\307\302`\3622\2041\255O\327\350"\355iE\330\6\245\1\261\243\376\321\372\334\353z\16\354a\27\307\277\301K\301\10\15L\257\331\265\37B\375\245\200J\337R\25\376\34g\262d\237\321\27\270\315\221h\343\364\305\0}\353p$\240s\16\1d-qzw\306\216\200\361\331 9\244\325e%\233-a\200\302\314!\344a\301\2411\327P\256\364q\257$\322\6s\257{\257\334\324E\244\217\10H\347\361|\332n\326\276\203\343\336\376.\361>\362\24 \325\235`i\272P#\277\245\17\206q\2T4\332\12]\22I\16\317\333\356\336\216\372\236\230\177\232\27\302*\300\227\2537\3\276\326\215$\230\221\375\24\301\307\234\177p\205\211\11u0r\336\20u\1\n\231*5\347\361\36\220D\310\23552\363W\251\14kK?2\366\231E\313\314\307P[\233\362uC\332\276\271\10\337\307\242\277w\5\200\12\211j\2\267\265\222\13\237\207t=N\07\375<\214\3\2461H\35\14", ) , ) == 0x0
 00504   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\25\347\317o\205"\211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \211\333\353\0\314\34T\23\32ova'\323-\244P\34\250\360\354/zT\36\317XY>u\336\22\234\342\11l\1\4\277L \266T\14\3601\7\372\17JL\252~ \33\233lYx\351PK\34\16\212\337\312I\25\374\234:PQs\327\16\21\1\2\216\217I\25\4\243#x\203\25\0\247\322\234(\30#c\13|\34\206\178\316\7\20\213E\360\200\0,\236k6\20}\324H~\305\35 U\360\332\25\2212\272d{@\36\325f\322\364Y\10\2\220C\169\3\4\5K\252`r3\300\303f\354\33\311\325m\260h\244\14\25<\222U\336\222\342\20\30I\333\316v\11\200\301*\336m\242\245_\260\30 \206\14HD\3\210\311\13\211V9\326\23CzR1\220\211M\354\313x\354\205\320\223\210\\326\32G`D\357\11\33\222R\350\2240\354En\333 \1\7~{\321L\1nz\2701\344\27qbDKw\325\210L\31\40\37\364  \200\374\2\327\25H\301\342\262\322BT\27\16\20\24hU)@\0\3136\365$\26\256\213\1\322\360\364z\301\33\13\200G\4\2459\22\10\340%-\360\344\200t\21\244\344\327\34$1a\215+\364\307r\241\322\260\256*{\31\1QE\22R\215HQ,\371\332\330\13;\203U\3{.G\343w\24\226\10\30`\337g\325#\11x\212\206\307\337\3214l\327\330\22\377\323J\333X\3\13\372(E\372\232\241\37\257\300!v\262\3\10\13\10$.Lx\24w\32\31\177\306X\14\11\303\355\367\336\246\250\204\\330D\2575Q,\233\220\362\25\305\204.\322\251\272\266\316?\204+\34E}\21BP\355Fwu\365\7;\271\276\2B\242\11\252\200\200\274T\357\2\1h\27\13)Z\361=\370\335\262\375\212Q\206\246\207\225\230\14", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00505   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\267|zN\22\10\215\22\351\300\341\262jY\256q\235\234\234\367>\352\2004\24P\7:9\2237C\330\261\334\205\310\375\266\31\223\227\251\13\35\333\5\1/\235;&\221\334\207\20\346\263\344\315r\256\3126>Z\215\370]\333\277\7\15(\325\201\333\336d\367\214\337\36\315\342\254\360\32\337o\27\254\344\207\231\254\367ZR/"\361\365x7\0\222\367\344\300\253\14\4\2311\254\372\333\266\204\7\267\314\23~\23\336\251hu\243\330XU\306\20@\345tE\306XJ\300\336$\17\276\0\334\257 ?\326\231F\265ex\11\301\235BF\362\303e?*ApmX\356\245&\276\330\335s\272\247\16\300\276\345\235*T\203\341V-\303T\352t\343\306\270\253\275nF\230\21\220\32\204\305\211\320\232]\311\204\227b\350\2Z]\311\37\367\241)\360\255\326\316 \224\237\35\33\302\361\36[\216\260% x\330\221\24V\230A\262\256\305\366K\221\26S\257\272\321\211\30\264\311\346\7]K\276u\274\325\10_\242:\223\212;\250(\211\321!\302\327\361ws\276\326\352\341\353\241\27\226\30\250\305\7\220+\251\211\301FY\37\20\243\224iO\366e\23\252\31\310\16D\256W\337\31\356p\360\346\355\352M\213\367\321\213\33\274\241^Y\305j\307\2\374\305\226\10\26\2152Q\4\361^\22\335\374\221\14\256\305\370\266n\257\211\30\233f\315P\276\231\251az\320\5[A\210H\22\225\207\316\270\317\347k\12\254\2372\232t\242\257[\215k\206~\377!\200\370\235\277\227|\314=t\261\241\377q\307\266\317\216\222F\5\245\237\333\254\264\316\364\337\3609\266\234I\326\37\211\256\204\205\336.1\6=\13\341\266\214BZ\367\341}\200\13)\345\366\234S\305 \204\322\12\370I\311p\222\270\35A\3\304\305\276\306v\261\22m\257\3\2558\273\15LN", ) \361\365x7\0\222\367\344\300\253\14\4\2311\254\372\333\266\204\7\267\314\23~\23\336\251hu\243\330XU\306\20@\345tE\306XJ\300\336$\17\276\0\334\257 ?\326\231F\265ex\11\301\235BF\362\303e?*ApmX\356\245&\276\330\335s\272\247\16\300\276\345\235*T\203\341V-\303T\352t\343\306\270\253\275nF\230\21\220\32\204\305\211\320\232]\311\204\227b\350\2Z]\311\37\367\241)\360\255\326\316 \224\237\35\33\302\361\36[\216\260% x\330\221\24V\230A\262\256\305\366K\221\26S\257\272\321\211\30\264\311\346\7]K\276u\274\325\10_\242:\223\212;\250(\211\321!\302\327\361ws\276\326\352\341\353\241\27\226\30\250\305\7\220+\251\211\301FY\37\20\243\224iO\366e\23\252\31\310\16D\256W\337\31\356p\360\346\355\352M\213\367\321\213\33\274\241^Y\305j\307\2\374\305\226\10\26\2152Q\4\361^\22\335\374\221\14\256\305\370\266n\257\211\30\233f\315P\276\231\251az\320\5[A\210H\22\225\207\316\270\317\347k\12\254\2372\232t\242\257[\215k\206~\377!\200\370\235\277\227|\314=t\261\241\377q\307\266\317\216\222F\5\245\237\333\254\264\316\364\337\3609\266\234I\326\37\211\256\204\205\336.1\6=\13\341\266\214BZ\367\341}\200\13)\345\366\234S\305 \204\322\12\370I\311p\222\270\35A\3\304\305\276\306v\261\22m\257\3\2558\273\15LN", ) == 0x0
 00506   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27 (80, 0, 0, 0, "\1\241\377N\244\325\10\22_\35d\262\334\204+q+A\31\367\2107\54\242\215\202:\217N\262CnlY\205~ 3\31%J,\13\253\6\200\1\231@\276&'\1\2\20Pna\315\304sO6\210\207\10\370\353\6:\7\273\365P\201m\3\341\367:\2\233\315Tqu\32i\262\222\254RZ\34\254A\207\327/\224,px\201\335\27\367R\35.\14\262D\264\254L\63\204\261jI\23\310\316[\251\336\250&\330\356\210C\20\3668\361Ep\205\317\300h\371\212\276\266\1* \211\13\34F\3\270\375\11w@\307FD\36\340?\234\234\365m\3563 &\10\5Xs\14z\213\300\108\30*\342^dV\233\36\321\352\302>C\270\35`\353F.\314\25\322\30\14\320,\200L\204!\277m\2\354\200L\37A|\254\360\33\13K "B\230\33t,\233[8m\240 \316\5\24\24\340E\304\262\30\30sK'\313\326\257\14\14\14\30\2\24c\7\353\226;u\12\10\215_\24\347\26\212\215u\255\211g\374G\327G\252\366\276`7d\353\27\312\23\30\36\30\202\220\235t\14\301\360\204\232\20\25I\354O@\270\226\252\257\25\213D\30\212Z\31X\255u\346[7\310\213A\14\16\33\12|\333Ys\267B\2J\30\23\10\240P\267Q\262,\333\22k!\24\14\30\30}\266\330r\14\30-\273HP\10D,a\314\15\200[\367U\315\22#ZK\270y:\356\12\32B\267\232\302\177*[;\266\3~I\374\5\370+b\22|z\340\361\261\27"\364\307\0\22\13\222\360\330 \237mq1\316B\2u9\0A\314\326\251T+\2043\3\2531\260\340\216\341\0Q\307ZA<\370\200\275\364`\366*\216@ 2\17\217\370\377\24\365\222\16\300\304\3r\30;\306\300l\227m\31\336(8\15\320\311N", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00507   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\334\331w\30\3103\6\332\367}Q|>\3226\237x\277\340\204^=F{=\321\300\332\334EN00\14\274\35\247JeD\245RI]6\12\341D\236J\373"\26\246\360\15\304\334\373\34\340C\314\217\20p}\226\243\360\2f\353\21A\353\306\307\34\14\246\324\216\25z\33018\251\34\341\333\370\5\372\360\270\337\321\5uP\252\370\233\12\206\11\34\224\366\267\34\20\321\23\251\373\306\271p]\337QF\313\346\275'\241\7\233?9\277\234\372\257\17\2765\11\341\373_\25\343\213&\43\242\354\336\244\177W\207\216\10M\261\262\230U=\1t\~W\274\323\332\343\310\324B\20\2766V0\264\345\4m\2\310c\216\230/\24\2171\360\207~\263V\200\340\0\201\24\311ZK4\30\375\313\21\13J)\5\3\244\0\256\336\302\16\254\221 \211\200D\224%\264!6\\236\234\247\10\315\26\331\331>\2357\323\24\35o\271\15K \241i\250\316\314\214E'-\231\330MO\367\263j\276r\31\373\204\320\211J*\257*Hw\244\3KADL\242\274f|\271\331\201\373&\25\212\267\177\317\15!\2?\266\5T\17\203\32\235\367\232b\251\301\336\30\277\210\330\364?\255\370\254"L\4]\315\14P\275\334\203\3\346\367\304=\347\322\305S\376\374\2\214\5N=D\267\372\244\353", ) \26\246\360\15\304\334\373\34\340C\314\217\20p}\226\243\360\2f\353\21A\353\306\307\34\14\246\324\216\25z\33018\251\34\341\333\370\5\372\360\270\337\321\5uP\252\370\233\12\206\11\34\224\366\267\34\20\321\23\251\373\306\271p]\337QF\313\346\275'\241\7\233?9\277\234\372\257\17\2765\11\341\373_\25\343\213&\43\242\354\336\244\177W\207\216\10M\261\262\230U=\1t\~W\274\323\332\343\310\324B\20\2766V0\264\345\4m\2\310c\216\230/\24\2171\360\207~\263V\200\340\0\201\24\311ZK4\30\375\313\21\13J)\5\3\244\0\256\336\302\16\254\221 \211\200D\224%\264!6\\236\234\247\10\315\26\331\331>\2357\323\24\35o\271\15K \241i\250\316\314\214E'-\231\330MO\367\263j\276r\31\373\204\320\211J*\257*Hw\244\3KADL\242\274f|\271\331\201\373&\25\212\267\177\317\15!\2?\266\5T\17\203\32\235\367\232b\251\301\336\30\277\210\330\364?\255\370\254370\10\320\O\265t\206\5\16p\220\221\243\24\365\263\25^\240\330d\222\277\317\365F\233\255D\315k\30\353\201ZR8\216T\375\344R\27\363y\313\371\275\3642\230\327\24\2\312?\222\226].\4~\277\306`G\11{\0\350\327\301\211TM\260\375\262\373\3533\311\15\376\14\224\334q\256\240r\214s\276\366rau\21788\241\346K\302G\304\206\307G\211\221\217\366\361\204s\272\333%\350\227\Ff.\1\331\276K\324\361\14\320 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\334\331w\30\3103\6\332\367}Q|>\3226\237x\277\340\204^=F{=\321\300\332\334EN00\14\274\35\247JeD\245RI]6\12\341D\236J\373"\26\246\360\15\304\334\373\34\340C\314\217\20p}\226\243\360\2f\353\21A\353\306\307\34\14\246\324\216\25z\33018\251\34\341\333\370\5\372\360\270\337\321\5uP\252\370\233\12\206\11\34\224\366\267\34\20\321\23\251\373\306\271p]\337QF\313\346\275'\241\7\233?9\277\234\372\257\17\2765\11\341\373_\25\343\213&\43\242\354\336\244\177W\207\216\10M\261\262\230U=\1t\~W\274\323\332\343\310\324B\20\2766V0\264\345\4m\2\310c\216\230/\24\2171\360\207~\263V\200\340\0\201\24\311ZK4\30\375\313\21\13J)\5\3\244\0\256\336\302\16\254\221 \211\200D\224%\264!6\\236\234\247\10\315\26\331\331>\2357\323\24\35o\271\15K \241i\250\316\314\214E'-\231\330MO\367\263j\276r\31\373\204\320\211J*\257*Hw\244\3KADL\242\274f|\271\331\201\373&\25\212\267\177\317\15!\2?\266\5T\17\203\32\235\367\232b\251\301\336\30\277\210\330\364?\255\370\254"L\4]\315\14P\275\334\203\3\346\367\304=\347\322\305S\376\374\2\214\5N=D\267\372\244\353", ) , ) == 0x0
 00508   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D (80, 0, 0, 0, "j\4\362\30~\356\203\332A\240\324|\210\17\263\237\316be\204\350\340\303{\213\14E\332j\230\3130\206\3219\35\21\227\340D\23\217\314]\200\327dD(\227~"\240{u\15r\1~\34V\236I\217\246\255\370\226\25-\207f]\314\304\353p\32\231\14\20\11\13\25\314\5\2648\37\301d\333N\330\177\360\16\2T\5\303\215/\370-\327\3\11\252Is\267\252\315T\23\37&C\271\306\200ZQ\360\26c\275\221|\202\233\211\344:\234Lr\2047\10\350\214\341M\202\220\343=\373\2013\241[\244\311\212\2\216\276\2204\262.\210\270\1\302\201\373W\12\16_\343~\11\307\20\10\353\3230\28\201m\264\25\346\216.\362\221\217\207-\2~\5\213\5\340\266\\221\311\354\226\261\30K\26\224\13\374\364\200\3\22\335+\336t\323)\221\226T\5D"\3701!\200\201\33\234\21\325H\26o\4\273\235\201\16\221\35\331d\210K\226|\354\250x\21\11E\221\360\34\330\373\222r\263\334c\367\31MYU\211\374\367**\376\252!\3\375\234\301L\24a\343|\17\4\4\373\220\310\17\267\311\22\210!\264\3423\5\342\322\6\32+*\37b\37\34[\30\11U]\364\211p}\254\212\205}\10f\201\312\265\302[\200\16\306M\24\243\242(6\25\350}]d$bJ\365\360F(D{\266\235\3537\207\32788\211x\344\344\312vy}$8\364\204ER\24\264\27\272\222 \200\253\4\310bC`\361\324\376\0^\12D\211\342\2205\375\4&n3\177\320{\14"\1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \1\364\256\26\257\11s\10+\367a\303R\2758\27;\316\302\361\31\3\307\361T\24\217@,\1s\14\6\240\350!\201\303f\230\334\\276\375\11t\14f\377\311\4\353\20\211P\13\1\6\3P*A=Q\17@SH!\207\214\263\223\270D\1'!\353", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00509   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\245\372\226\223\315\364\331\15L5\372\3\271\234 \240\333\260E+\217\371Y?\377g\250\335\30-\347\215\353\363G\10M\325\360\323\202\20\362\367{\372\246\363Y\236V4\373\303\237$\226\216\245w@\36\303O\24\11\331\273]\203\306\242%\336\373\375\347q\212\220]y+\310\331\250uj\357a\271+kS.\36\234\3030\347$I\232\3\276\324^\345W\363\214p\247\16-\355\313z[]U&\303I\243\15\12p\306\371\14\357\1zMn\243\356\245L\250s\353\273"\210\261u9\373\22]\234Wc\255K\255C\250\326\316\21V\243\264}\4\303%\212\2\326\356\271\260w\360\353\250@\217\27\227\206_\25\346>\212\262~/\11M\334\315\320.\10\325\266F\37\211\315\322\254\25\243\303\340\216\236\371\232\261hO\31w\203\343Z\225\250\10\0"\223\16\255x\240\364\264\340\203u\224\273r\240|\210BF\260C\224\35\302<\343\226\263\243\210\3\366\264CC\10\361\365\267Z4\300@m\3637?\337\35\225M0V\207\336\263\34}\20\3134p\227^\360Z\370o\216\207\303\367\24\207\340\33\337\274\310\275\27\370\201\355L\221\373\317\332\363\367n^_\126p\265\12\320\326\310|N+\276z\262\241\232\277\270\234\250!", ) \210\261u9\373\22]\234Wc\255K\255C\250\326\316\21V\243\264}\4\303%\212\2\326\356\271\260w\360\353\250@\217\27\227\206_\25\346>\212\262~/\11M\334\315\320.\10\325\266F\37\211\315\322\254\25\243\303\340\216\236\371\232\261hO\31w\203\343Z\225\250\10\0 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\245\372\226\223\315\364\331\15L5\372\3\271\234 \240\333\260E+\217\371Y?\377g\250\335\30-\347\215\353\363G\10M\325\360\323\202\20\362\367{\372\246\363Y\236V4\373\303\237$\226\216\245w@\36\303O\24\11\331\273]\203\306\242%\336\373\375\347q\212\220]y+\310\331\250uj\357a\271+kS.\36\234\3030\347$I\232\3\276\324^\345W\363\214p\247\16-\355\313z[]U&\303I\243\15\12p\306\371\14\357\1zMn\243\356\245L\250s\353\273"\210\261u9\373\22]\234Wc\255K\255C\250\326\316\21V\243\264}\4\303%\212\2\326\356\271\260w\360\353\250@\217\27\227\206_\25\346>\212\262~/\11M\334\315\320.\10\325\266F\37\211\315\322\254\25\243\303\340\216\236\371\232\261hO\31w\203\343Z\225\250\10\0"\223\16\255x\240\364\264\340\203u\224\273r\240|\210BF\260C\224\35\302<\343\226\263\243\210\3\366\264CC\10\361\365\267Z4\300@m\3637?\337\35\225M0V\207\336\263\34}\20\3134p\227^\360Z\370o\216\207\303\367\24\207\340\33\337\274\310\275\27\370\201\355L\221\373\317\332\363\367n^_\126p\265\12\320\326\310|N+\276z\262\241\232\277\270\234\250!", ) , ) == 0x0
 00510   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\23'\23\223{)\\15\372\350\177\3\17A\245\240mm\300+9$\334?I\272-\335\256\360b\215].\302\10\373\10u\3234\315w\367\315'#\363\357C\3234M\36\32$ S w\366\303FO\242\324\\273\353\315\266\306\24\370[\373K:\364\212&\200\374+~\4-u\3342\344\271\235\266\326.\250AF0Q\371\314\232\265cQ^S\212v\214\306z\213-[\26\377[\353\210\243\303\377~\210\12\306\33|\14Y\334\377M\330~k\245\372u\366\353\15\377\15\261\303\344~\22\353A\322c\33\226(C\36\13K\21\340~1}\262\36\240\212\264\13k\271\6\252u\353\36\235\12\27![\332\25P\343\17\262\310\362\214Mj\20U.\276\103F\251TH\322\32\310&\303VS\33\371,l\355O\257\252\6\343\354H-\10\266\377\26\16\33\245%\364\2=\6u"f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) f\367\240\312U\307F\6\236\21\35t\341f\226\5~\15\3@i\306C\276,p\267\354\351E@\333.\262?i\300\20M\206\213\2\336\5\301\370\20}\351\365\227\350-\337\370\331\341\3121H\331\374\333-\213j\13\337\246p\330\331\233\335\202\233S\362\350\337b}At\11\332\273\356\370\337u\346\215{\3\377\355\37\202$\233\212D\25\345\334\300\350\4\200\344\17f\5\360\355\267\33200\341a\3532\300\252\213\344\3}\10y\241\346\340]\362\202;}\14;\4\370~\373\27z\22s'6;\35r%\306D\6\0Ox\15\376\341n\377\347\7\229w\355\353\37f\307\2451\0a\13o\260\267^\277\222$\31 \240\361\333;\240h\360\33\370f\301\352j\211\7\20\340\370\3\210S\2\303A\311\2\340\255\29\310\13\312}\201[\221\24\373y\7v\367\330\203\332\12\200\2550\12f\13M|\370\366;z\4|\37\277\16A-!", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00511   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\206\374\255\336 \321n'\240\336\323\150#\22\254\273\301\222\213i\346nutH\223\13\234c@\237Z\373\2617\274\204EZ\355\15~\213\331)\256\240\204F\367l\370\336\317\4\315\356\204\4\211\266Hw\350\314<\255\362\210\335\273\267\243]\31\366m\200)\16\231\341\20\307>\263\353 \327\16\377\265\23\304\304\300\366\267\27\215\22x)\240\335<\266+\373\221A\14\250T(\24XK\213]]\323\24\244uQ4\340\367\275\33126\211n\345\2355FJ\306\276\373\303XQ\221\37\213*Y\225\200\14\30+\343X\236\260\364\4\306\202\c<\217\335\237\1\206\302\235Uw\317\324V\372<\322Q\213%\14;\241\16=G\210\277\276\254z\276\226$6\344\206\350\2663$\272\376*~_\267C\13_\3435f`\334\253E\276\7\331\312h\275\210\327u\251\245\200\315\220\232\201$\357\337i\24\301\253^0o]\247\243ZU\215R\362\331\276\270WQ\330\350X\336@\211CV\230T\241\307\373N]\214ws93\362\14j\360\251\200\265\253\276\31\301\346\276c\36\247\35\3330T\200\24\272\253\276b5`\251t\340\257\0\12q\10\344\234\14\330\300\250.\322Z\251T\31*\252\356\250"Q\217\230\352kwx:\31\270\324\205\360\267\231\225\344\240\334\270\334\276\320+[\11M%\10\355\15\16\3527_\353[g8\205\376\265\321\4\302\203F\376\233\273\g\16p\344\301(Z\275\332T'\30\300\213\203\23\14\216\224\275\271\316\310a3\335\334\276~\217\300\327X;\315\325"\363\36\341\315\256\373\341l\230v\10\216EB\236\2146\223\324\17\317\270d9\210D\304\263&\235hv\2417;L\20R\353\261\235]\336\312\310\177\274XF@\366\203A2\345Sm\331\342\231$\305\336\16\4\2152\366\214", ) Q\217\230\352kwx:\31\270\324\205\360\267\231\225\344\240\334\270\334\276\320+[\11M%\10\355\15\16\3527_\353[g8\205\376\265\321\4\302\203F\376\233\273\g\16p\344\301(Z\275\332T'\30\300\213\203\23\14\216\224\275\271\316\310a3\335\334\276~\217\300\327X;\315\325271\312Y\213\263 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\206\374\255\336 \321n'\240\336\323\150#\22\254\273\301\222\213i\346nutH\223\13\234c@\237Z\373\2617\274\204EZ\355\15~\213\331)\256\240\204F\367l\370\336\317\4\315\356\204\4\211\266Hw\350\314<\255\362\210\335\273\267\243]\31\366m\200)\16\231\341\20\307>\263\353 \327\16\377\265\23\304\304\300\366\267\27\215\22x)\240\335<\266+\373\221A\14\250T(\24XK\213]]\323\24\244uQ4\340\367\275\33126\211n\345\2355FJ\306\276\373\303XQ\221\37\213*Y\225\200\14\30+\343X\236\260\364\4\306\202\c<\217\335\237\1\206\302\235Uw\317\324V\372<\322Q\213%\14;\241\16=G\210\277\276\254z\276\226$6\344\206\350\2663$\272\376*~_\267C\13_\3435f`\334\253E\276\7\331\312h\275\210\327u\251\245\200\315\220\232\201$\357\337i\24\301\253^0o]\247\243ZU\215R\362\331\276\270WQ\330\350X\336@\211CV\230T\241\307\373N]\214ws93\362\14j\360\251\200\265\253\276\31\301\346\276c\36\247\35\3330T\200\24\272\253\276b5`\251t\340\257\0\12q\10\344\234\14\330\300\250.\322Z\251T\31*\252\356\250"Q\217\230\352kwx:\31\270\324\205\360\267\231\225\344\240\334\270\334\276\320+[\11M%\10\355\15\16\3527_\353[g8\205\376\265\321\4\302\203F\376\233\273\g\16p\344\301(Z\275\332T'\30\300\213\203\23\14\216\224\275\271\316\310a3\335\334\276~\217\300\327X;\315\325"\363\36\341\315\256\373\341l\230v\10\216EB\236\2146\223\324\17\317\270d9\210D\304\263&\235hv\2417;L\20R\353\261\235]\336\312\310\177\274XF@\366\203A2\345Sm\331\342\231$\305\336\16\4\2152\366\214", ) , ) == 0x0
 00512   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216 (80, 0, 0, 0, "0!(\336\226\14\353'\26\3V\15\206\376\227\254\15\34\27\213\337;\353u\302\225\26\13*\276\305\237\354&47\12Y\300Z[\320\373\213o\364+\2402\233rlN\3J\4{3\1\4?k\315w^\21\271\255DUX\273\1~\330\31@\260\5)\270Dd\20q\3436\353\226\12\213\377\3\316A\304v+2\27;\317\375)\26\0\271\266\235&\24A\272u\321(\242\205\316\213\353\200V\24\22\250\3244V*8\331\204\353\14nS@\260F\374\33;\373u\205\324\221\251V\257Y#]\211\30\235>\335\236\6)\201\3064\201\346<9\0\32\10\37\30U\301\22QVL\341WQ=\370\211;\27\323\270G>b;\254\314c\23$\2009\3\350\0\356\241\272H\367\373_\1\236\216_U\350\343`jv\300\276\261\4Oh\13URu\37x\5\315&G\4$Y\2\354\24wv\3330\331\200"\243\354\210\10RD\4;\270\341\214]\350\356\3\305\211\365\213\35T\27\32~N\353Q\362s\217\356w\14\334-,\200\3v;\31w;;c\250z\230\333\206\211\5\24\14v;b\203\275,tVr\205\12\307\325a\234\272\5E\250\230\17\337\251\342\304\257\252Xu\247Q9Eok\301\245\277\31\16\11\0\360\1D\20\344\26\1=\334\10\15\256[\277\220\240\10[\320\213\352\201\202n[\321\345\0\376\3\14\201\3025\233{\233\15\201\342\16\3069D(\354`_T\221\305E\2135\316\211\216"`<\316~\274\266\335jc\373\217v\12\335;{\10\271/\17\27\334\213\5\377v\36W\20+\373W\261\35v\276S\300B\245\353\116%\11\212\317\16\271\274\210\362\316&+\265\363\241\201\346\311\20\34464\235\353\3O\310\311a\335F\366+\6A\2048\326mo?\34$s\3\213\4;\357s\214", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00513   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\245\360\16\2745\347\273\334K\350\310\15\274T\204\241\260\1C\0\270\244\371\364\320\26\257\263\11R\322\2a\330\20\32q\324A\231,\374\215\172N\242\353\235\230a\35\346\366\201\202OG\230\257\3464\370\217\276\215\2240$\304\363\11\276S\21c\351\376\245 \11\22\321p.oK\207\305K\341\177 \241I->\2013;28\233\0w\225\320|\35\345\201\270A\236\250\17\322\211\307\0\226\36jT\207\313\232\20b\316+\265\374\333"~\274\322\336\25\372\274\232t\213\264\322Pv\313\342\34\371x.\255$!)D\257\351\375\353\344\212\326\246\373\250\361_\341\335\221\360\256\345;\240\206P\365\30Ay\326\300\366\234@\261l\255\210\211\274_n.\257O\316+\12M-\222\277\344\317\320\36\204\204d\322M-\33*\344\2655\245\32\346\227\346\311E\3-\206\320P\34]\207\22\21[>\220\316\303\265\310\322\252\216\230O}\14\312\347\260\335Lw\27\23\320\274\3322S\33\337uZ\276f\372\331\226u\20\202\262\334\\233\367\0\266\213|J\32#\235]z\260\227\346{r\227\251\250\375\257\337\375\255\233\372\2537Z\260\350\261\250\341y\261J\322\303\257\325\341\22\177\377R\322\212Fm\246\340\15\315\325\212V*G\374\373\200\343\253Nj\352\231;\221\222\374\260\232\207\213\261\34o\3\244\270^\332\333\332\216\4\374\2\200\10\276\321\23e\357K\242\20\242\303\235\34\357K\340Y\243\375\241\14\236\226\200\277\363\327\3720\374\250M\350\367\325\343\255\13!\353m\274\332\[\252\212\13>\332{\312\4\275\301\27I\310\353\257\303n\16\205\320\322R\363\320v\32\2\356+\234\357(\357E$JMz\374Ds\10wIV\370\14\235$\2\367\236-\310\21\332<\300\250\265\250\250\213k\213H\1\272\307M\1\266\\333\340\1\20g\200", ) ~\274\322\336\25\372\274\232t\213\264\322Pv\313\342\34\371x.\255$!)D\257\351\375\353\344\212\326\246\373\250\361_\341\335\221\360\256\345;\240\206P\365\30Ay\326\300\366\234@\261l\255\210\211\274_n.\257O\316+\12M-\222\277\344\317\320\36\204\204d\322M-\33*\344\2655\245\32\346\227\346\311E\3-\206\320P\34]\207\22\21[>\220\316\303\265\310\322\252\216\230O}\14\312\347\260\335Lw\27\23\320\274\3322S\33\337uZ\276f\372\331\226u\20\202\262\334\\233\367\0\266\213|J\32#\235]z\260\227\346{r\227\251\250\375\257\337\375\255\233\372\2537Z\260\350\261\250\341y\261J\322\303\257\325\341\22\177\377R\322\212Fm\246\340\15\315\325\212V*G\374\373\200\343\253Nj\352\231;\221\222\374\260\232\207\213\261\34o\3\244\270^\332\333\332\216\4\374\2\200\10\276\321\23e\357K\242\20\242\303\235\34\357K\340Y\243\375\241\14\236\226\200\277\363\327\3720\374\250M\350\367\325\343\255\13!\353m\274\332\[\252\212\13>\332{\312\4\275\301\27I\310\353\257\303n\16\205\320\322R\363\320v\32\2\356+\234\357(\357E$JMz\374Ds\10wIV\370\14\235$\2\367\236-\310\21\332<\300\250\265\250\250\213k\213H\1\272\307M\1\266\\333\340\1\20g\200", ) == 0x0
 00514   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\23-\213\274\203:>\334\3755M\15\12\211\1\241\6\334\306\0\16y|\364f\313*\263\277\217W\2\327\5\225\32\307\11\304\231\232!\10\17\204\223'\353+E\344\35P+\4\202\371\232\35\257P\351}\217\10P\210\222\31v\11\10\216\224c_#  \277\317Tp\230\262\316\207s\226d\177\226|\314-\210\\266;\204\345\36\0\301HU|\2538\4\270\367C-\17dTB\0 \303\357T1\26\37\20\324\23\256\265J\6\247~\12\17[\25La\37t=iWP\300\26g\34O\245\253\255\222\374\254D\314x\353RWS\246Mut_W\0\24\360\308\276\2400\215p\30\367\244S\300@A\305\261\332p\15\211\12\202\353.\31\222K+\274\220\250\222\119J\320\250Y\1dd\220\250\33\234905\23\307c\227P\24\300\3\233[UP\252\200\2\22\247\206\273\220x\360\310dw\13\230\371\240\211\312QmXL\301\312\226\320\12\7\267S\255\2\360Z\10\273\177\331 \250\225\202\4\1\331\233A\3353\213\312\227\237#+\200\377\260!;\376r!t-\375\31\2x\255-'.7\354mm\261\36<\374\261\374\17F\257c<\227\177I\217W\212\360\260#\340\273\20P\212\340\367\302\374M]f\253\370\267o\231\215L\27\374\6G\2\213\7\301\352\3\22e\333\332m\7\13\4J\337\5\10\10\14\226eY\226'\20\24\36\30\34Y\226eY\25 $\14(K\5\277E\12\1770Ju\310\350A\10f\255\275\374nm\12\7\331[\243\357\17\13\210\7\376\312\262`D\27\377\25n\257u\263\213\205f\17\327\363f\253\237\2X\366\31\357\2362\300$\374\220\377\374\362\256\215w\377\213}\14+\371\207\367(\360M\21l\341E\250\3u-\213\335V\315\1\14\32\310\1\0\201^\340\267\315\342\200", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00515   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\225(\220\205\320\233y\6\255\251\16\22\263\6\215s\231\6\33\242\330\351\277C(\337g\6\2472\2052\2\257k/\33'\276\373\301\177\370\31\6\314\230\353M\253j\377\332"\202\16\226\177\20\12\215\220}\177&\336\275\0\266l\360\213\2\217~x\177\205H0j\272\304`],[\5\276j\250\227R[\31\231\235U\16r\3053\375N\332m\13\302\365\234W\243\200.\200\241\231\10_\262\223?\24V\353\257\32|\210\235\24\177\304=?\204\346\262|\\262*\330Q\\5\14n\315e\202\326\14\27\330M\267\203\304\272icoW\260\22\2675"hh\367\240\200\5\16\207\203\15L\204 \32N4\227\17=\356\333N\362_\34\350\357,}\226']1\36\695\17\234]\362\30\245^\371\223y\213\346\201\364\242lt\360\335\230\247\236]\4\21\25\10\216\14\315\360^\213\256\214\322\341\210\230\232\237\340\32V\364\211\354.w\1L\322\3\222"\210~c\30\235_\205\366\321\224\12\340\273\301 \322\6%\12\277\33\360\220Y\304\13\267\227\34\3\244\335L6\242%\324n\21u\24\12\374\262x\336\361n\207\316\245`\210\22\246\305\277\237\10\360\246\367\303\26j\363\23\227\352\370\376g\20\34\25\322tk\253\177\224m*)\324\303\331\337\200\346\252\215\326a\371-\5n\306 \254\376\24$\225\1|\217\304\301H\21,"\326\314}\2732\274\205,>N\206\370\303\354w\243\353\215\324\351\35\275F\202\245\271\275\213|g\235O\276\305\204\346\357\205\32126tK\370\342oU\262\244eW\22\241\351\222(\241\366u\323R\204Ec\340\331\346\17\260\356\22Dui\216\260\36[\335x\345\310\325\376m\334\4{!P\231\224\363\332\204\1\313\313\30|\222\361m\0\302V\267]\334\301\303\354\247)\257\361m\236BkY\253\206\", ) \202\16\226\177\20\12\215\220}\177&\336\275\0\266l\360\213\2\217~x\177\205H0j\272\304`],[\5\276j\250\227R[\31\231\235U\16r\3053\375N\332m\13\302\365\234W\243\200.\200\241\231\10_\262\223?\24V\353\257\32|\210\235\24\177\304=?\204\346\262|\\262*\330Q\\5\14n\315e\202\326\14\27\330M\267\203\304\272icoW\260\22\2675 (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\225(\220\205\320\233y\6\255\251\16\22\263\6\215s\231\6\33\242\330\351\277C(\337g\6\2472\2052\2\257k/\33'\276\373\301\177\370\31\6\314\230\353M\253j\377\332"\202\16\226\177\20\12\215\220}\177&\336\275\0\266l\360\213\2\217~x\177\205H0j\272\304`],[\5\276j\250\227R[\31\231\235U\16r\3053\375N\332m\13\302\365\234W\243\200.\200\241\231\10_\262\223?\24V\353\257\32|\210\235\24\177\304=?\204\346\262|\\262*\330Q\\5\14n\315e\202\326\14\27\330M\267\203\304\272icoW\260\22\2675"hh\367\240\200\5\16\207\203\15L\204 \32N4\227\17=\356\333N\362_\34\350\357,}\226']1\36\695\17\234]\362\30\245^\371\223y\213\346\201\364\242lt\360\335\230\247\236]\4\21\25\10\216\14\315\360^\213\256\214\322\341\210\230\232\237\340\32V\364\211\354.w\1L\322\3\222"\210~c\30\235_\205\366\321\224\12\340\273\301 \322\6%\12\277\33\360\220Y\304\13\267\227\34\3\244\335L6\242%\324n\21u\24\12\374\262x\336\361n\207\316\245`\210\22\246\305\277\237\10\360\246\367\303\26j\363\23\227\352\370\376g\20\34\25\322tk\253\177\224m*)\324\303\331\337\200\346\252\215\326a\371-\5n\306 \254\376\24$\225\1|\217\304\301H\21,"\326\314}\2732\274\205,>N\206\370\303\354w\243\353\215\324\351\35\275F\202\245\271\275\213|g\235O\276\305\204\346\357\205\32126tK\370\342oU\262\244eW\22\241\351\222(\241\366u\323R\204Ec\340\331\346\17\260\356\22Dui\216\260\36[\335x\345\310\325\376m\334\4{!P\231\224\363\332\204\1\313\313\30|\222\361m\0\302V\267]\334\301\303\354\247)\257\361m\236BkY\253\206\", ) \210~c\30\235_\205\366\321\224\12\340\273\301 \322\6%\12\277\33\360\220Y\304\13\267\227\34\3\244\335L6\242%\324n\21u\24\12\374\262x\336\361n\207\316\245`\210\22\246\305\277\237\10\360\246\367\303\26j\363\23\227\352\370\376g\20\34\25\322tk\253\177\224m*)\324\303\331\337\200\346\252\215\326a\371-\5n\306 \254\376\24$\225\1|\217\304\301H\21, (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\225(\220\205\320\233y\6\255\251\16\22\263\6\215s\231\6\33\242\330\351\277C(\337g\6\2472\2052\2\257k/\33'\276\373\301\177\370\31\6\314\230\353M\253j\377\332"\202\16\226\177\20\12\215\220}\177&\336\275\0\266l\360\213\2\217~x\177\205H0j\272\304`],[\5\276j\250\227R[\31\231\235U\16r\3053\375N\332m\13\302\365\234W\243\200.\200\241\231\10_\262\223?\24V\353\257\32|\210\235\24\177\304=?\204\346\262|\\262*\330Q\\5\14n\315e\202\326\14\27\330M\267\203\304\272icoW\260\22\2675"hh\367\240\200\5\16\207\203\15L\204 \32N4\227\17=\356\333N\362_\34\350\357,}\226']1\36\695\17\234]\362\30\245^\371\223y\213\346\201\364\242lt\360\335\230\247\236]\4\21\25\10\216\14\315\360^\213\256\214\322\341\210\230\232\237\340\32V\364\211\354.w\1L\322\3\222"\210~c\30\235_\205\366\321\224\12\340\273\301 \322\6%\12\277\33\360\220Y\304\13\267\227\34\3\244\335L6\242%\324n\21u\24\12\374\262x\336\361n\207\316\245`\210\22\246\305\277\237\10\360\246\367\303\26j\363\23\227\352\370\376g\20\34\25\322tk\253\177\224m*)\324\303\331\337\200\346\252\215\326a\371-\5n\306 \254\376\24$\225\1|\217\304\301H\21,"\326\314}\2732\274\205,>N\206\370\303\354w\243\353\215\324\351\35\275F\202\245\271\275\213|g\235O\276\305\204\346\357\205\32126tK\370\342oU\262\244eW\22\241\351\222(\241\366u\323R\204Ec\340\331\346\17\260\356\22Dui\216\260\36[\335x\345\310\325\376m\334\4{!P\231\224\363\332\204\1\313\313\30|\222\361m\0\302V\267]\334\301\303\354\247)\257\361m\236BkY\253\206\", ) , ) == 0x0
 00516   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "#\365\25\205fF\374\6\33t\213\22\5\333\10s/\333\236\242n4:C\236\2\342\6\21\357\02\264r\356/\255\372;\373w\242}\31\260\21\35\353\373v\357\377l\377\7\16 \242\225\12;M\370\177\220\38\0\0\261u\213\264R\373x\311X\3150\334gA`\353\361\336\5\10\267-\227\344\206\234\231\245\350\320\16\304\30\266\375\370\7\350\13t(\31W\25]\253\200\27D\215_\4N\272\24\3406*\32\312U\30\24\311\31\270?2;7|\352o\257\330\347\201\200\14\330\20\340\202`\321\222\330\373j\6\304\14\264\346o\341m\227\267\203\377\355hA}\5\5\270Z\6\15\372Y\245\32\370\351\22\17\2133^ND\202\231\350Y\361\370\226\221\200\264\36\260\344\260\17*\200w\30\23\203|\223\317Vc\201B\177\351tF\0\35\247(\200\201\21\243\325\13\14{-\333\213\30QW\341>E\37\237V\307\323\364?1\253w\267\221W\3$\377\15~\325\305\30_3+T\224\274=>\301\226\17\203%\274b\236\360&\204A\13\1J\231\3\22\0\3116\24\370Qn\247\250\221\12Jo\375\336G\263\2\316\23\275\15\22\20\30:\237\276-#\367u\313\357\363\245Jo\370H\272\225\34\243\17\361k\35\242\21m\234\364Q\303o\2\5\346\34PSaO\360\200np\375)\376\242\371\20\1\312RA\301\376\314\251"`\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) `\21\370\273\204a\0,\210\223\3\370u1\362\243]PQ\351\253`\303\202\23d8\213\312\272\30O\10\30\1\346YXT2\200\251\316\370T\262\320\262\22\270\322\22\274\27(\27+\360\323\344Y\300cV\4c\17\63\227D\303\264\13\260\250\206XxS\25P\376\333\1\201{\227\215\34\224E\7\1\1}\26\235|$,\350\0t\2132]j\34F\354\21\364*\361\333C\307k\357v\3\", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00517   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, "\325\223\235!\232\346\246\264,\336\363B\367\211\216D\242\334\346t\366\223\341t\242\272\304\14~\270H\4\242\345\246\220\32\226\22<5\371\331\310\211\225l^\327A\15\233\364\205\246\364\365\24\340(\312\224\211\240\36\203\321\5\305\302M\3\267v\317D\263\236\235\316\261\24NH\267\336\340\30\266\343\241\313\24\367]\7f\17\17A\234]\25\204\362'\201\2316\26\214:\226\230\323\7o6\253M\232\252\201\306\2759\311\201\365\235\262\3@\25\337+\365Q\216|\336\235\313\232\242\334\31\254&JtJ\261\222#\357\347\200S*\315\362\324\274EJ\206%\6\261\205O\11\222\244\233\326\2\301\24\362\351\215K\2601\340\13\362\315\2468\5\312L\2152\236\227\24\3629V\14\316\331\227S\363\325>\11\217H\31S\203\230\275\35t\215]S\252\262\3753\272J\270\204"\202NE\36\202\321a\12\25\363/\343\325vEn\262T\267z\251\320\3039\322\261t\231\344\24_\363!\303\30\331I\317\232\233L\246H\16Z\5\220\255\261\206wXg\310p-\212\302\30\265\272\202\246\326\375<\14\372\204\271\336\336| O\335\2264\266\212\275\217K\333a\0\347=\207i\4\215\367\3\343\271\343T\242\22\365T\266\375\7*\16\4+\27\344\345\225\344\301\213L&\261\305\223P\247\252\323\1\3\23\224\27M\256E\354\32\327\270\347\211\216\345\20\246O\204E\206I\325TV#\272S~\314\352\351\141\1\346\275\211\327\2i\201N\30\226l\23\334m\336\13p\267\317n\2}\2329\367\234$\371\4\266\232]H\242\376\317.\365\224=8\357\25\203\244\274\305\331\242\262&\211\2\373\250\225\257\376\336\341\2\24{\335h\3358\342p\255\304a\3\31\361L\360\217*\201\4\245M\207\3d\320\201\266\272\335\205\10\252\336O\226\202\336\305 \245`\0M", ) \202NE\36\202\321a\12\25\363/\343\325vEn\262T\267z\251\320\3039\322\261t\231\344\24_\363!\303\30\331I\317\232\233L\246H\16Z\5\220\255\261\206wXg\310p-\212\302\30\265\272\202\246\326\375<\14\372\204\271\336\336| O\335\2264\266\212\275\217K\333a\0\347=\207i\4\215\367\3\343\271\343T\242\22\365T\266\375\7*\16\4+\27\344\345\225\344\301\213L&\261\305\223P\247\252\323\1\3\23\224\27M\256E\354\32\327\270\347\211\216\345\20\246O\204E\206I\325TV#\272S~\314\352\351\141\1\346\275\211\327\2i\201N\30\226l\23\334m\336\13p\267\317n\2}\2329\367\234$\371\4\266\232]H\242\376\317.\365\224=8\357\25\203\244\274\305\331\242\262&\211\2\373\250\225\257\376\336\341\2\24{\335h\3358\342p\255\304a\3\31\361L\360\217*\201\4\245M\207\3d\320\201\266\272\335\205\10\252\336O\226\202\336\305 \245`\0M", ) == 0x0
 00518   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "cN\30!,;#\264\232\3vBAT\13D\24\1ct@Ndt\24gA\14\310e\315\4\248#\220\254K\227<\203$\\310?H\351^a\234\210\233BX#\364C\311e(|I\14\240\250^T\5s\37\310\3\1\253JD\5C\30\316\7\311\313H\1\3e\30\0>$\313\242*\330\7\320\322\212A*\200\220\204D\372\4\231\200\313\11: EV\7\331\353.M,w\4\306\13\344L\201C@7\3\366\310Z+C\214\13|h@N\232\24\1\234\254\220\227\361J\7O\246\357Q]\326*{/Q\274\363\227\3%\260l\0O\277O!\233`\337D\24D4\10K\6\354e\13D\20#8\263\27\311\215\204C\22\24D\344\323\14x\4\22SE\10\273\119\225\234S5E8\35\302P\330S\34ox3\14\227=\204\224_\313E\250_Ta\274\310v/U\10\363E\330o\321\267\314tU\303\217\174t/9\221_E\374F\30o\224J\232-\221#H\270\207\200\220\33l\3w\356\272Mp\233WG\30\3g\7\246` \271\1\202'\1\271h\3\371 \371\0\234\0W8\217\375\6\344\0Q\340\2i\262Pr\3UdfT\24\317pT\0 \202*\270\331\256\27R8\20\344wV\311&\7\30\26P\21wV\1\265\316\21\27\373s\300\354\254\12=\347?S`\20\20\222\1E0\224PT\340\376?S\310\21o\351\272\354\204\346\13TR\2\337\\313\30 \261\226\334\333\3\216p\1\22\353\2\313G\274\367*\371|\4\0G\330H\24#J.CI\2708Y\310\6\244\12\30\\242\4\373\14\2Mu\20\257H\3d\2\242\246Xhk\345gp\33\31\344\3\257,\311\3609\367\4\4\23\220\2\3\322\15\4\266\14\0\0\10\34\3\312\2264\3@ \23\275\205M", 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00519   408   NtReadFile  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240},  (68, 0, 0, 0, 10240, 0x0, 0, ... {status=0x0, info=10240}, ",\235\225\214\264\301\225\205=\214\236\27v\346\3118\347\374`R\333z\323\210Fc\206||\261\33\11\226\203\25\346\255\35@h@\322\250\330\246\3545F]!\311\15\322\326\376\301\272\335]\17\212\327\303\21r\313\331kL\375\343A\253\334Qk\376N\217\345U;\15a\331\5\216+\275\2613\214\224c\225\201\264\177n\301\11\334\343@\12\4\256v8\323]\262\226\235\212\21\6\355\35\315\374\357\310\263Z\370\36@\316\323\3\14\177\20\227\226\236\225\213\13\222\235F@\246\230\17\261\357\306\4|\322\327\214\221\201F\200\20\21\314\326\360\13\367\11\377\326\331Bq\336\233\357\1\321C\217H\237\325\2612\367\331\203\327\34\307\20<&\243\364\276_/\211\214l\351\26\22S\227\14\220\256\264\353!\337\36\11\330\371\225sw\363\377\266\217\200\253Y:\357\342\20m\251\325\5\5\327\254\370\4\324N\352\241iJ:\272\371\236B\346\327\321\20\276\313\201M\260\214\251\2\262\31\372d\263\266\221\6\360y\25\11\240\326\7\242\335\373\233#\357\300\207=^\21\35\5WHf8\246\306\234\263\263\222\361\242\\317\23\260\245\364\260\26\215\305\203\234\340\270\276;r\277\311\20:\316&\10\326n\275$\32\372\224I\376E\356\4\270\355\365\232\233\246\224n\2735\345\3005\274\265\211\231\361\\214o\255\221\2J\323\246\250\256\37\335\337\352\24\33-\271\250\347\236\363\213\324\21\262\303\212\22\364\321\303@\311\2177C|\3277\14kc\215\322\6\177\326\344\333\331\351Yuv\303\164\3046%+\322'\336\205\251NFg\261\2156\272\275\32)\224 ?A\272\205E\340\327\341\304\315\232J8\2\324\214\271s\242\331tNN\217sh\375G\335\237\247\344w\1\236\2778\11Q\352\26\226{\1\211\224\277\200]\222wo\341\20A\315\337x\0'\223\4", ) , ) == 0x0
 00520   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) \276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237) (80, 0, 0, 0, "\232@\20\214\2\34\20\205\213Q\33\27\300;L8Q!\345Rm\247V\210\360\276\3|\312l\236\11 ^\220\346\33\300\305h\366\17-\330\201\260F\353\374L\15d\13{\301\14\0\330\17<\12F\21\304\26\k\372 fA\35\1\324kH\223\12\345\343\346\210ao\330\13+\13l\266\214"\276\20\201\2\242\353\301\277\1f@\274\331+v\216\16\330\262 @\17\21\2600\230\315J2M\263\354%\233@x\16\206\14\311\315\22\226(H\16\13$@\303@\20E\212\261Y\33\201|d\12\11\2217\233\5\20\247\21S\360\275\303\262\11I\13\B\307\3\36\357\267\14\306\217\376BP\261\204*\\203a\301B\20\212\373&\364\10\202\252\211:\261l\26\244\216\22\14&s1\353\227\2\233\11n$\20s\301.z\2669].Y\2142g\20\333tP\5\263\12)\370\262\11\313\352\27\264\317:\14$\33BP\12T\20\10\26\4M\6Q,\2\4\304\177d\5k\24\6F\244\220\11\26\13\202\242k&\36#Y\35\2=\350\314\230\5\341\225\3438\20\33\31\263\5Ot\242\352\22\226\260\23)5\26;\30\6\234Ve;;\304bL\20\214\23\243\10`\2638$\254'\21IH\230k\4\160p\232-{\21n\15\350`\300\203a0\211/,\331\214\331p\24\2\374\16#\250\30\302X\337\\311\236-\17ub\236EVQ\21\4\36\17\22B\14F@\177R\262C\312\12\262\14\335\276\10\322\260\242S\344m\4lY\303\253F\16\202\31\263%\235\17\242\3363t\313F\321l\106\14`\237)"\375\272A\14X\300\340a, 10240, 0x0, 0, ... {status=0x0, info=10240}, ) , 10240, 0x0, 0, ... {status=0x0, info=10240}, ) == 0x0
 00521   408   NtReadFile  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048},  (68, 0, 0, 0, 2048, 0x0, 0, ... {status=0x0, info=2048}, "\366\226\205\0\346\226\205\0\322\206\205\0\302\206\205\0R\264\205\0B\264\205\0\262\267\205\0\272\267\205\0\242\267\205\0\252\267\205\0\222\267\205\0\232\267\205\0\202\267\205\0\212\267\205\0\362\267\205\0\372\267\205\0\26\267\205\0\2\267\205\0n\267\205\0\252\266\205\0\346\266\205\0\36\266\205\0f\266\205\0\246\261\205\0&\261\205\0^\261\205\02\263\205\0F\262\205\0\206\255\205\0\242\254\205\0\26\254\205\0\302\256\205\0\312\250\205\0\362\252\205\0\236\245\205\0~\245\205\0\376\244\205\0>\244\205\0\312\247\205\0*\247\205\0v\247\205\0F\247\205\0.\236\200\0V\236\200\0a\364\202\0]\364\202\0\264\367\202\0\254\367\202\0\202\367\202\0\370\367\202\0\337\367\202\02\367\202\0\26\367\202\0\17\367\202\0b\367\202\0^\367\202\0H\367\202\0\244\366\202\0\236\366\202\0\367\366\202\0\346\366\202\0\313\366\202\0 \366\202\0\1\366\202\0g\366\202\0N\366\202\0\255\361\202\0\374\361\202\0\331\361\202\0$\361\202\0w\361\202\0W\361\202\0\262\360\202\0\217\360\202\0\321\360\202\0\312\360\202\0$\360\202\0\34\360\202\0v\360\202\0`\360\202\0Z\360\202\0\267\363\202\0\254\363\202\0\231\363\202\0\362\363\202\0\350\363\202\0\317\363\202\02\363\202\0<\363\202\0%\363\202\0)\363\202\0\252\335\223\0\241\335\234\0\242\335\235\0\243\335\237\0\262\335\206\0\276\335\202\0\260\335\200\0\235\335\236\0\253\335\233\0\222\335\245\0\236\335\257\0\237\335\244\0\225\335\247\0\251\335\240\0\220\335\242\0\245\335\224\0\244\335\211\0\246\335\213\0\271\335\210\0\275\335\217\0\277\335\251\0\266\335\207\0\267\335\253\0\233\335\205\0\266\335\205\0\266\335\205\0\266\335\205@\222\245\365$\207\357\313m\303\271\365@\342\223\310U\362\215\205@\222\245\365$\207\350\313m", ) , ) == 0x0
 00522   408   NtWriteFile  (80, 0, 0, 0,  (80, 0, 0, 0, "@K\0\0PK\0\0d[\0\0t[\0\0\344i\0\0\364i\0\0\4j\0\0\14j\0\0\24j\0\0\34j\0\0$j\0\0,j\0\04j\0\0\0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) \0\37\0%\0&\0'\0\23\0\21\0\22\0\14\0\20\0\16\0\17\0\15\0\13\0\12\0\11\0,\0\0\0\2\0\1\0.\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0@$xp$12Nmudp@TNMUDP\0@$xp$15Nm", 2048, 0x0, 0, ... {status=0x0, info=2048}, ) == 0x0
 00523   408   NtClose  (80, ... ) == 0x0
 00524   408   NtClose  (68, ... ) == 0x0
 00525   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.tmp"}, 1242420, ... ) }, 1242420, ... ) == 0x0
 00526   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.tmp"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00527   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0
 00528   408   NtClose  (68, ... ) == 0x0
 00529   408   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 176128, ) == 0x0
 00530   408   NtClose  (80, ... ) == 0x0
 00531   408   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00532   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00533   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.tmp"}, 1242736, ... ) }, 1242736, ... ) == 0x0
 00534   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.tmp"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00535   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0
 00536   408   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00537   408   NtClose  (80, ... ) == 0x0
 00538   408   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x860000), 0x0, 471040, ) == STATUS_IMAGE_NOT_AT_BASE
 00539   408   NtMapViewOfSection  (68, -1, (0x860000), 0, 0, 0x0, 471040, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES
 00540   408   NtFlushInstructionCache  (-1, 0, 0, ... ) == 0x0
 00541   408   NtClose  (68, ... ) == 0x0
 00542   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 8, ) == 0x0
 00543   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 8, ... (0x8d2000), 4096, 4, ) == 0x0
 00544   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00545   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00546   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00547   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00548   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00549   408   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00550   408   NtClose  (68, ... ) == 0x0
 00551   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00552   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00553   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00554   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00555   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00556   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00557   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.DLL"}, ... 68, ) }, ... 68, ) == 0x0
 00558   408   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00559   408   NtClose  (68, ... ) == 0x0
 00560   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00561   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00562   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00563   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00564   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00565   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00566   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00567   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00568   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00569   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00570   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00571   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00572   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 1241952, ... ) }, 1241952, ... ) == 0x0
 00576   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00577   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0
 00578   408   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00579   408   NtClose  (68, ... ) == 0x0
 00580   408   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00581   408   NtClose  (80, ... ) == 0x0
 00582   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00583   408   NtProtectVirtualMemory  (-1, (0x8d2000), 4096, 4, ... (0x8d2000), 4096, 4, ) == 0x0
 00584   408   NtFlushInstructionCache  (-1, 9248768, 4096, ... ) == 0x0
 00585   408   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {400, 0}, ... 80, ) == 0x0
 00586   408   NtQueryInformationProcess  (80, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00587   408   NtClose  (80, ... ) == 0x0
 00588   408   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00589   408   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00590   408   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00591   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00592   408   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00593   408   NtClose  (80, ... ) == 0x0
 00594   408   NtUserSystemParametersInfo  (41, 500, 1242460, 0, ... ) == 0x1
 00595   408   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00596   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00597   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00598   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03b
 00599   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00600   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03d
 00601   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00602   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00603   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc03f
 00604   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00605   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00606   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc041
 00607   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00608   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00609   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc043
 00610   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00611   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc045
 00612   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00613   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00614   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc047
 00615   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00616   408   NtUserFindExistingCursorIcon  (1242248, 1242264, 1242832, ... ) == 0x10011
 00617   408   NtUserRegisterClassExWOW  (1242700, 1242780, 1242764, 1242796, 0, 384, 0, ... ) == 0x810dc049
 00618   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00619   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00620   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04b
 00621   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00622   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00623   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04d
 00624   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00625   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00626   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc04f
 00627   408   NtUserGetClassInfo  (1999896576, 1242872, 1242824, 1242900, 0, ... ) == 0x0
 00628   408   NtUserRegisterClassExWOW  (1242708, 1242788, 1242772, 1242804, 0, 384, 0, ... ) == 0x810dc051
 00629   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00630   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00631   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc053
 00632   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00633   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00634   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc055
 00635   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc057
 00636   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00637   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00638   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc059
 00639   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00640   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10013
 00641   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05b
 00642   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00643   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00644   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05d
 00645   408   NtUserGetClassInfo  (1999896576, 1242868, 1242820, 1242896, 0, ... ) == 0x0
 00646   408   NtUserFindExistingCursorIcon  (1242252, 1242268, 1242836, ... ) == 0x10011
 00647   408   NtUserRegisterClassExWOW  (1242704, 1242784, 1242768, 1242800, 0, 384, 0, ... ) == 0x810dc05f
 00648   408   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00649   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0
 00650   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0
 00651   408   NtNotifyChangeKey  (84, 68, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00652   408   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00653   408   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00654   408   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00655   408   NtUserCallOneParam  (0, 40, ... ) == 0x4
 00656   408   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00657   408   NtQueryVirtualMemory  (-1, 0x12f674, Basic, 28, ... {BaseAddress=0x12f000,AllocationBase=0x30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00658   408   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00659   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 1, ... 9371648, 1048576, ) == 0x0
 00660   408   NtAllocateVirtualMemory  (-1, 9371648, 0, 16384, 4096, 4, ... 9371648, 16384, ) == 0x0
 00661   408   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00662   408   NtQuerySystemInformation  (TimeZone, 172, ... {system info, class 44, size 172}, 0x0, ) == 0x0
 00663   408   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00664   408   NtOpenKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   408   NtOpenProcessToken  (-1, 0x8, ... 96, ) == 0x0
 00666   408   NtQueryInformationToken  (96, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00667   408   NtClose  (96, ... ) == 0x0
 00668   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00669   408   NtReleaseMutant  (16, ...
 00670   408   NtContinue  (-131039096, 0, ...
 00669   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00671   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.ENU"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.ENU"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00673   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.ENU.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.EN"}, 1241184, ... ) }, 1241184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.EN"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\oka1.EN.DLL"}, 1240824, ... ) }, 1240824, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00678   408   NtReleaseMutant  (16, ...
 00679   408   NtContinue  (-131039096, 0, ...
 00678   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00680   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00681   408   NtReleaseMutant  (16, ...
 00682   408   NtContinue  (-131039096, 0, ...
 00681   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00683   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00684   408   NtReleaseMutant  (16, ...
 00685   408   NtContinue  (-131039096, 0, ...
 00684   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00686   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00687   408   NtReleaseMutant  (16, ...
 00688   408   NtContinue  (-131039096, 0, ...
 00687   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00689   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00690   408   NtReleaseMutant  (16, ...
 00691   408   NtContinue  (-131039096, 0, ...
 00690   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00692   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00693   408   NtReleaseMutant  (16, ...
 00694   408   NtContinue  (-131039096, 0, ...
 00693   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00695   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00696   408   NtReleaseMutant  (16, ...
 00697   408   NtContinue  (-131039096, 0, ...
 00696   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00698   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00699   408   NtReleaseMutant  (16, ...
 00700   408   NtContinue  (-131039096, 0, ...
 00699   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00701   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00702   408   NtReleaseMutant  (16, ...
 00703   408   NtContinue  (-131039096, 0, ...
 00702   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00704   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00705   408   NtReleaseMutant  (16, ...
 00706   408   NtContinue  (-131039096, 0, ...
 00705   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00707   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00708   408   NtReleaseMutant  (16, ...
 00709   408   NtContinue  (-131039096, 0, ...
 00708   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00710   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00711   408   NtReleaseMutant  (16, ...
 00712   408   NtContinue  (-131039096, 0, ...
 00711   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00713   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00714   408   NtReleaseMutant  (16, ...
 00715   408   NtContinue  (-131039096, 0, ...
 00714   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00716   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00717   408   NtReleaseMutant  (16, ...
 00718   408   NtContinue  (-131039096, 0, ...
 00717   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00719   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00720   408   NtReleaseMutant  (16, ...
 00721   408   NtContinue  (-131039096, 0, ...
 00720   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00722   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00723   408   NtReleaseMutant  (16, ...
 00724   408   NtContinue  (-131039096, 0, ...
 00723   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00725   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00726   408   NtReleaseMutant  (16, ...
 00727   408   NtContinue  (-131039096, 0, ...
 00726   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00728   408   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00729   408   NtReleaseMutant  (16, ...
 00730   408   NtContinue  (-131039096, 0, ...
 00729   408   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00731   408   NtCreateEvent  (0x1f0003, 0x0, 0, -1, ... 96, ) == 0x0
 00732   408   NtUserGetDC  (0, ... ) == 0x1010052
 00733   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00734   408   NtUserGetDC  (0, ... ) == 0x1010052
 00735   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00736   408   NtGdiCreatePaletteInternal  (1241872, 16, ... ) == 0x120803fd
 00737   408   NtGdiGetStockObject  (7, ... ) == 0x1b00017
 00738   408   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00739   408   NtUserFindExistingCursorIcon  (1242268, 1242284, 1242852, ... ) == 0x10003
 00740   408   NtAddAtom  ( ("D\0e\0l\0p\0h\0i\00\00\00\00\00\01\09\00\0", 28, 1242804, ... ) , 28, 1242804, ... ) == 0x0
 00741   408   NtAddAtom  ( ("C\0o\0n\0t\0r\0o\0l\0O\0f\0s\00\00\08\06\00\00\00\00\00\00\00\00\00\01\09\08\0", 52, 1242804, ... ) , 52, 1242804, ... ) == 0x0
 00742   408   NtUserSystemParametersInfo  (104, 0, 9376892, 0, ... ) == 0x1
 00743   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00744   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10023
 00745   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00746   408   NtUserGetDC  (0, ... ) == 0x1010052
 00747   408   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x27050382
 00748   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00749   408   NtGdiSelectBitmap  (352388039, 654640002, ... ) == 0x185000f
 00750   408   NtGdiGetDCforBitmap  (654640002, ... ) == 0x150103c7
 00751   408   NtGdiSaveDC  (352388039, ... ) == 0x1
 00752   408   NtGdiSelectBitmap  (352388039, 654640002, ... ) == 0x27050382
 00753   408   NtGdiGetDCObject  (352388039, 524288, ... ) == 0x188000b
 00754   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00755   408   NtGdiSetDIBitsToDeviceInternal  (352388039, 0, 0, 32, 64, 0, 0, 0, 64, 9188876, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00756   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00757   408   NtGdiSelectBitmap  (352388039, 654640002, ... ) == 0x27050382
 00758   408   NtGdiRestoreDC  (352388039, -1, ... ) == 0x1
 00759   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x27050382
 00760   408   NtGdiCreateCompatibleDC  (352388039, ... ) == 0x3e0103e8
 00761   408   NtGdiExtGetObjectW  (654640002, 24, 1241324, ... ) == 0x18
 00762   408   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x120503fe
 00763   408   NtGdiSelectBitmap  (352388039, 654640002, ... ) == 0x185000f
 00764   408   NtGdiSelectBitmap  (1040253928, 302318590, ... ) == 0x185000f
 00765   408   NtGdiBitBlt  (1040253928, 0, 0, 32, 64, 352388039, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00766   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x27050382
 00767   408   NtGdiSelectBitmap  (1040253928, 25493519, ... ) == 0x120503fe
 00768   408   NtGdiDeleteObjectApp  (654640002, ... ) == 0x1
 00769   408   NtGdiDeleteObjectApp  (1040253928, ... ) == 0x1
 00770   408   NtUserCallOneParam  (0, 33, ... ) == 0x20091
 00771   408   NtUserSetCursorIconData  (131217, 1241432, 1241448, 1242028, ... ) == 0x1
 00772   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10029
 00773   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10027
 00774   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10025
 00775   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00776   408   NtUserGetDC  (0, ... ) == 0x1010052
 00777   408   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x3a050406
 00778   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00779   408   NtGdiSelectBitmap  (352388039, 973407238, ... ) == 0x185000f
 00780   408   NtGdiGetDCforBitmap  (973407238, ... ) == 0x150103c7
 00781   408   NtGdiSaveDC  (352388039, ... ) == 0x1
 00782   408   NtGdiSelectBitmap  (352388039, 973407238, ... ) == 0x3a050406
 00783   408   NtGdiGetDCObject  (352388039, 524288, ... ) == 0x188000b
 00784   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00785   408   NtGdiSetDIBitsToDeviceInternal  (352388039, 0, 0, 32, 64, 0, 0, 0, 64, 9189184, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00786   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00787   408   NtGdiSelectBitmap  (352388039, 973407238, ... ) == 0x3a050406
 00788   408   NtGdiRestoreDC  (352388039, -1, ... ) == 0x1
 00789   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x3a050406
 00790   408   NtGdiCreateCompatibleDC  (352388039, ... ) == 0x29010382
 00791   408   NtGdiExtGetObjectW  (973407238, 24, 1241324, ... ) == 0x18
 00792   408   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x90503ff
 00793   408   NtGdiSelectBitmap  (352388039, 973407238, ... ) == 0x185000f
 00794   408   NtGdiSelectBitmap  (687932290, 151323647, ... ) == 0x185000f
 00795   408   NtGdiBitBlt  (687932290, 0, 0, 32, 64, 352388039, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00796   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x3a050406
 00797   408   NtGdiSelectBitmap  (687932290, 25493519, ... ) == 0x90503ff
 00798   408   NtGdiDeleteObjectApp  (973407238, ... ) == 0x1
 00799   408   NtGdiDeleteObjectApp  (687932290, ... ) == 0x1
 00800   408   NtUserCallOneParam  (0, 33, ... ) == 0x400a5
 00801   408   NtUserSetCursorIconData  (262309, 1241432, 1241448, 1242028, ... ) == 0x1
 00802   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00803   408   NtUserGetDC  (0, ... ) == 0x1010052
 00804   408   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x400503e8
 00805   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00806   408   NtGdiSelectBitmap  (352388039, 1074070504, ... ) == 0x185000f
 00807   408   NtGdiGetDCforBitmap  (1074070504, ... ) == 0x150103c7
 00808   408   NtGdiSaveDC  (352388039, ... ) == 0x1
 00809   408   NtGdiSelectBitmap  (352388039, 1074070504, ... ) == 0x400503e8
 00810   408   NtGdiGetDCObject  (352388039, 524288, ... ) == 0x188000b
 00811   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00812   408   NtGdiSetDIBitsToDeviceInternal  (352388039, 0, 0, 32, 64, 0, 0, 0, 64, 9189492, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00813   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00814   408   NtGdiSelectBitmap  (352388039, 1074070504, ... ) == 0x400503e8
 00815   408   NtGdiRestoreDC  (352388039, -1, ... ) == 0x1
 00816   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x400503e8
 00817   408   NtGdiCreateCompatibleDC  (352388039, ... ) == 0x3c010406
 00818   408   NtGdiExtGetObjectW  (1074070504, 24, 1241324, ... ) == 0x18
 00819   408   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x90503f9
 00820   408   NtGdiSelectBitmap  (352388039, 1074070504, ... ) == 0x185000f
 00821   408   NtGdiSelectBitmap  (1006699526, 151323641, ... ) == 0x185000f
 00822   408   NtGdiBitBlt  (1006699526, 0, 0, 32, 64, 352388039, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00823   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x400503e8
 00824   408   NtGdiSelectBitmap  (1006699526, 25493519, ... ) == 0x90503f9
 00825   408   NtGdiDeleteObjectApp  (1074070504, ... ) == 0x1
 00826   408   NtGdiDeleteObjectApp  (1006699526, ... ) == 0x1
 00827   408   NtUserCallOneParam  (0, 33, ... ) == 0x400a3
 00828   408   NtUserSetCursorIconData  (262307, 1241432, 1241448, 1242028, ... ) == 0x1
 00829   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00830   408   NtUserGetDC  (0, ... ) == 0x1010052
 00831   408   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x2b050382
 00832   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00833   408   NtGdiSelectBitmap  (352388039, 721748866, ... ) == 0x185000f
 00834   408   NtGdiGetDCforBitmap  (721748866, ... ) == 0x150103c7
 00835   408   NtGdiSaveDC  (352388039, ... ) == 0x1
 00836   408   NtGdiSelectBitmap  (352388039, 721748866, ... ) == 0x2b050382
 00837   408   NtGdiGetDCObject  (352388039, 524288, ... ) == 0x188000b
 00838   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00839   408   NtGdiSetDIBitsToDeviceInternal  (352388039, 0, 0, 32, 64, 0, 0, 0, 64, 9189800, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00840   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00841   408   NtGdiSelectBitmap  (352388039, 721748866, ... ) == 0x2b050382
 00842   408   NtGdiRestoreDC  (352388039, -1, ... ) == 0x1
 00843   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x2b050382
 00844   408   NtGdiCreateCompatibleDC  (352388039, ... ) == 0x420103e8
 00845   408   NtGdiExtGetObjectW  (721748866, 24, 1241324, ... ) == 0x18
 00846   408   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x1b0503e7
 00847   408   NtGdiSelectBitmap  (352388039, 721748866, ... ) == 0x185000f
 00848   408   NtGdiSelectBitmap  (1107362792, 453313511, ... ) == 0x185000f
 00849   408   NtGdiBitBlt  (1107362792, 0, 0, 32, 64, 352388039, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00850   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x2b050382
 00851   408   NtGdiSelectBitmap  (1107362792, 25493519, ... ) == 0x1b0503e7
 00852   408   NtGdiDeleteObjectApp  (721748866, ... ) == 0x1
 00853   408   NtGdiDeleteObjectApp  (1107362792, ... ) == 0x1
 00854   408   NtUserCallOneParam  (0, 33, ... ) == 0x300a1
 00855   408   NtUserSetCursorIconData  (196769, 1241432, 1241448, 1242028, ... ) == 0x1
 00856   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00857   408   NtUserGetDC  (0, ... ) == 0x1010052
 00858   408   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x3e050406
 00859   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00860   408   NtGdiSelectBitmap  (352388039, 1040516102, ... ) == 0x185000f
 00861   408   NtGdiGetDCforBitmap  (1040516102, ... ) == 0x150103c7
 00862   408   NtGdiSaveDC  (352388039, ... ) == 0x1
 00863   408   NtGdiSelectBitmap  (352388039, 1040516102, ... ) == 0x3e050406
 00864   408   NtGdiGetDCObject  (352388039, 524288, ... ) == 0x188000b
 00865   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00866   408   NtGdiSetDIBitsToDeviceInternal  (352388039, 0, 0, 32, 64, 0, 0, 0, 64, 9190108, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00867   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00868   408   NtGdiSelectBitmap  (352388039, 1040516102, ... ) == 0x3e050406
 00869   408   NtGdiRestoreDC  (352388039, -1, ... ) == 0x1
 00870   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x3e050406
 00871   408   NtGdiCreateCompatibleDC  (352388039, ... ) == 0x2d010382
 00872   408   NtGdiExtGetObjectW  (1040516102, 24, 1241324, ... ) == 0x18
 00873   408   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0xc0503f3
 00874   408   NtGdiSelectBitmap  (352388039, 1040516102, ... ) == 0x185000f
 00875   408   NtGdiSelectBitmap  (755041154, 201655283, ... ) == 0x185000f
 00876   408   NtGdiBitBlt  (755041154, 0, 0, 32, 64, 352388039, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00877   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x3e050406
 00878   408   NtGdiSelectBitmap  (755041154, 25493519, ... ) == 0xc0503f3
 00879   408   NtGdiDeleteObjectApp  (1040516102, ... ) == 0x1
 00880   408   NtGdiDeleteObjectApp  (755041154, ... ) == 0x1
 00881   408   NtUserCallOneParam  (0, 33, ... ) == 0x2009f
 00882   408   NtUserSetCursorIconData  (131231, 1241432, 1241448, 1242028, ... ) == 0x1
 00883   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00884   408   NtUserGetDC  (0, ... ) == 0x1010052
 00885   408   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x440503e8
 00886   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00887   408   NtGdiSelectBitmap  (352388039, 1141179368, ... ) == 0x185000f
 00888   408   NtGdiGetDCforBitmap  (1141179368, ... ) == 0x150103c7
 00889   408   NtGdiSaveDC  (352388039, ... ) == 0x1
 00890   408   NtGdiSelectBitmap  (352388039, 1141179368, ... ) == 0x440503e8
 00891   408   NtGdiGetDCObject  (352388039, 524288, ... ) == 0x188000b
 00892   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00893   408   NtGdiSetDIBitsToDeviceInternal  (352388039, 0, 0, 32, 64, 0, 0, 0, 64, 9190724, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00894   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00895   408   NtGdiSelectBitmap  (352388039, 1141179368, ... ) == 0x440503e8
 00896   408   NtGdiRestoreDC  (352388039, -1, ... ) == 0x1
 00897   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x440503e8
 00898   408   NtGdiCreateCompatibleDC  (352388039, ... ) == 0x40010406
 00899   408   NtGdiExtGetObjectW  (1141179368, 24, 1241324, ... ) == 0x18
 00900   408   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x90503fb
 00901   408   NtGdiSelectBitmap  (352388039, 1141179368, ... ) == 0x185000f
 00902   408   NtGdiSelectBitmap  (1073808390, 151323643, ... ) == 0x185000f
 00903   408   NtGdiBitBlt  (1073808390, 0, 0, 32, 64, 352388039, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00904   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x440503e8
 00905   408   NtGdiSelectBitmap  (1073808390, 25493519, ... ) == 0x90503fb
 00906   408   NtGdiDeleteObjectApp  (1141179368, ... ) == 0x1
 00907   408   NtGdiDeleteObjectApp  (1073808390, ... ) == 0x1
 00908   408   NtUserCallOneParam  (0, 33, ... ) == 0x3009d
 00909   408   NtUserSetCursorIconData  (196765, 1241432, 1241448, 1242028, ... ) == 0x1
 00910   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x0
 00911   408   NtUserGetDC  (0, ... ) == 0x1010052
 00912   408   NtGdiCreateDIBitmapInternal  (16842834, 32, 64, 2, 0, 2010764464, 0, 48, 0, 0, 0, ... ) == 0x2f050382
 00913   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00914   408   NtGdiSelectBitmap  (352388039, 788857730, ... ) == 0x185000f
 00915   408   NtGdiGetDCforBitmap  (788857730, ... ) == 0x150103c7
 00916   408   NtGdiSaveDC  (352388039, ... ) == 0x1
 00917   408   NtGdiSelectBitmap  (352388039, 788857730, ... ) == 0x2f050382
 00918   408   NtGdiGetDCObject  (352388039, 524288, ... ) == 0x188000b
 00919   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00920   408   NtGdiSetDIBitsToDeviceInternal  (352388039, 0, 0, 32, 64, 0, 0, 0, 64, 9190416, 1344632, 0, 256, 48, 1, 0, ... ) == 0x40
 00921   408   NtUserSelectPalette  (352388039, 25690123, 0, ... ) == 0x188000b
 00922   408   NtGdiSelectBitmap  (352388039, 788857730, ... ) == 0x2f050382
 00923   408   NtGdiRestoreDC  (352388039, -1, ... ) == 0x1
 00924   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x2f050382
 00925   408   NtGdiCreateCompatibleDC  (352388039, ... ) == 0x460103e8
 00926   408   NtGdiExtGetObjectW  (788857730, 24, 1241324, ... ) == 0x18
 00927   408   NtGdiCreateBitmap  (32, 64, 1, 1, 0, ... ) == 0x60503f8
 00928   408   NtGdiSelectBitmap  (352388039, 788857730, ... ) == 0x185000f
 00929   408   NtGdiSelectBitmap  (1174471656, 100991992, ... ) == 0x185000f
 00930   408   NtGdiBitBlt  (1174471656, 0, 0, 32, 64, 352388039, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00931   408   NtGdiSelectBitmap  (352388039, 25493519, ... ) == 0x2f050382
 00932   408   NtGdiSelectBitmap  (1174471656, 25493519, ... ) == 0x60503f8
 00933   408   NtGdiDeleteObjectApp  (788857730, ... ) == 0x1
 00934   408   NtGdiDeleteObjectApp  (1174471656, ... ) == 0x1
 00935   408   NtUserCallOneParam  (0, 33, ... ) == 0x3009b
 00936   408   NtUserSetCursorIconData  (196763, 1241432, 1241448, 1242028, ... ) == 0x1
 00937   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10015
 00938   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10019
 00939   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001f
 00940   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001b
 00941   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10021
 00942   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x1001d
 00943   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10013
 00944   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10017
 00945   408   NtUserFindExistingCursorIcon  (1242152, 1242168, 1242736, ... ) == 0x10011
 00946   408   NtUserCallOneParam  (0, 39, ... ) == 0x4090409
 00947   408   NtUserGetDC  (0, ... ) == 0x1010052
 00948   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00949   408   NtUserEnumDisplayMonitors  (0, 0, 8913508, 9377472, ... ) == 0x1
 00950   408   NtUserSystemParametersInfo  (31, 60, 1241588, 0, ... ) == 0x1
 00951   408   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344496, ... ) == 0x470a03e8
 00952   408   NtGdiExtGetObjectW  (1191838696, 420, 1241808, ... ) == 0x164
 00953   408   NtUserSystemParametersInfo  (41, 0, 1241788, 0, ... ) == 0x1
 00954   408   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344488, ... ) == 0x420a0406
 00955   408   NtGdiExtGetObjectW  (1107952646, 420, 1241808, ... ) == 0x164
 00956   408   NtGdiHfontCreate  (1241984, 356, 0, 0, 1344480, ... ) == 0x300a0382
 00957   408   NtGdiExtGetObjectW  (805962626, 420, 1241808, ... ) == 0x164
 00958   408   NtUserFindExistingCursorIcon  (1241896, 1241912, 1242480, ... ) == 0x0
 00959   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 4096, 64, ... 8650752, 4096, ) == 0x0
 00960   408   NtUserGetKeyboardLayoutList  (64, 1242468, ... ) == 0x1
 00961   408   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00962   408   NtUserRegisterWindowMessage  ( ("Delphi Picture", ... ) , ... ) == 0xc0cc
 00963   408   NtUserRegisterWindowMessage  ( ("Delphi Component", ... ) , ... ) == 0xc0cd
 00964   408   NtOpenMutant  (0x1f0001, {24, 52, 0x0, 0, 0,  (0x1f0001, {24, 52, 0x0, 0, 0, "Residented"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   408   NtUserSetWindowsHookEx  (8781824, 1243796, 0, 4, 8789692, 2, ... ) == 0x30099
 00966   408   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   408   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "uterm20"}, 1, ... 100, ) }, 1, ... 100, ) == 0x0
 00968   408   NtOpenProcessToken  (-1, 0x20, ... 104, ) == 0x0
 00969   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00970   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 108, ) }, ... 108, ) == 0x0
 00972   408   NtQueryValueKey  (108,  (108, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   408   NtClose  (108, ... ) == 0x0
 00974   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0
 00976   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00977   408   NtQuerySystemTime  (... {91181120, 29873155}, ) == 0x0
 00978   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0
 00979   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00980   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00981   408   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00982   408   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00983   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00984   408   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 124, ) == 0x0
 00985   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 128, ) }, ... 128, ) == 0x0
 00986   408   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "ActiveComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00987   408   NtQueryValueKey  (132,  (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (132, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00988   408   NtClose  (132, ... ) == 0x0
 00989   408   NtClose  (128, ... ) == 0x0
 00990   408   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 128, ) == 0x0
 00991   408   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 132, ) == 0x0
 00992   408   NtDuplicateObject  (-1, 128, -1, 0x0, 0, 2, ... 136, ) == 0x0
 00993   408   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00994   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00995   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00996   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00997   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00998   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243244,  (0xc0100080, {24, 0, 0x40, 0, 1243244, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 00999   408   NtSetInformationFile  (144, 1243300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01000   408   NtSetInformationFile  (144, 1243292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01001   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01002   408   NtWriteFile  (144, 121, 0, 0,  (144, 121, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01003   408   NtReadFile  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (144, 121, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\334\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01004   408   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\334\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\334\33\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01005   408   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\202\10\304?\366?\334\21\261\310\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\202\10\304?\366?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\202\10\304?\366?\334\21\261\310\0\14)\371\246\305 \0"\0 \320\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\202\10\304?\366?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\202\10\304?\366?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01006   408   NtFsControlFile  (144, 121, 0x0, 0x0, 0x11c017,  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\202\10\304?\366?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (144, 121, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\202\10\304?\366?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01007   408   NtClose  (140, ... ) == 0x0
 01008   408   NtClose  (144, ... ) == 0x0
 01009   408   NtAdjustPrivilegesToken  (104, 0, 1245080, 16, 0, 0, ... ) == 0x0
 01010   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01011   408   NtQueryValueKey  (144,  (144, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01012   408   NtClose  (144, ... ) == 0x0
 01013   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01014   408   NtQueryValueKey  (144,  (144, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   408   NtClose  (144, ... ) == 0x0
 01016   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01017   408   NtQueryValueKey  (144,  (144, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01018   408   NtClose  (144, ... ) == 0x0
 01019   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01020   408   NtQueryValueKey  (144,  (144, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01021   408   NtClose  (144, ... ) == 0x0
 01022   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01023   408   NtQueryValueKey  (144,  (144, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024   408   NtClose  (144, ... ) == 0x0
 01025   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01026   408   NtQueryValueKey  (144,  (144, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027   408   NtClose  (144, ... ) == 0x0
 01028   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01029   408   NtQueryValueKey  (144,  (144, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01030   408   NtClose  (144, ... ) == 0x0
 01031   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01032   408   NtQueryValueKey  (144,  (144, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   408   NtClose  (144, ... ) == 0x0
 01034   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01035   408   NtQueryValueKey  (144,  (144, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01036   408   NtClose  (144, ... ) == 0x0
 01037   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01038   408   NtQueryValueKey  (144,  (144, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01039   408   NtClose  (144, ... ) == 0x0
 01040   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01041   408   NtQueryValueKey  (144,  (144, "Windows Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   408   NtClose  (144, ... ) == 0x0
 01043   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   408   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01045   408   NtSetInformationFile  (-2147482808, -131038172, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01046   408   NtSetInformationFile  (-2147482808, -131038644, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01044   408   NtCreateKey  ... 144, 1, ) == 0x0
 01047   408   NtSetValueKey  (144,  (144, "ID", 0, 1, "y\0r\0a\0s\0v\0x\0j\0e\0x\0j\0s\0q\0z\0i\0s\0f\0k\0i\0\0\0", 38, ... ) , 0, 1,  (144, "ID", 0, 1, "y\0r\0a\0s\0v\0x\0j\0e\0x\0j\0s\0q\0z\0i\0s\0f\0k\0i\0\0\0", 38, ... ) , 38, ... ) == 0x0
 01048   408   NtClose  (144, ... ) == 0x0
 01049   408   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 144, ) }, ... 144, ) == 0x0
 01050   408   NtQueryValueKey  (144,  (144, "Cryptographic Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01051   408   NtClose  (144, ... ) == 0x0
 01052   408   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 144, 2, ) }, 0, 0x0, 0, ... 144, 2, ) == 0x0
 01053   408   NtSetValueKey  (144,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1,  (144, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01054   408   NtClose  (144, ... ) == 0x0
 01055   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243516,  (0x80100080, {24, 0, 0x40, 0, 1243516, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0
 01056   408   NtQueryInformationFile  (144, 1244452, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01057   408   NtQueryInformationFile  (144, 1244424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01058   408   NtQueryInformationFile  (144, 1244376, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01059   408   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 01060   408   NtQueryInformationFile  (144, 1371664, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01061   408   NtQueryInformationFile  (144, 1242920, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01062   408   NtQueryInformationFile  (144, 1242764, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01063   408   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242772,  (0x40110080, {24, 0, 0x40, 0, 1242772, "\??\C:\WINDOWS\System32\eosctbb.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01064   408   NtClose  (-2147482020, ... ) == 0x0
 01063   408   NtCreateFile  ... 140, {status=0x0, info=2}, ) == 0x0
 01065   408   NtQueryVolumeInformationFile  (140, 1242144, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01066   408   NtQueryInformationFile  (140, 1242104, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01067   408   NtQueryVolumeInformationFile  (144, 1242144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01068   408   NtQueryVolumeInformationFile  (144, 1241828, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01069   408   NtSetInformationFile  (140, 1241932, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01070   408   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 144, ... 148, ) == 0x0
 01071   408   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9f0000), {0, 0}, 188416, ) == 0x0
 01072   408   NtClose  (148, ... ) == 0x0
 01073   408   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\11\3538\210M\212V\333M\212V\333M\212V\333\316\226X\333O\212V\333\245\225R\333O\212V\333M\212V\333J\212V\333M\212W\333\32\212V\333/\225E\333D\212V\333\245\225]\333G\212V\333RichM\212V\333\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\322~\340@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0C1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\340UPX1", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01074   408   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\335;\343\1\361\37\273\314\247.\32\240\361\277\224\275\355\122\312\7\370\252\255uX`\200\342\242N\303\31mD\34\3512\336n\345B\273\177\213*\311\240\346\326\241v\17\24i%y\242Y\230\305\344J\216B\320{\267"`\266\202\236\3412Ur\257\216\332\246r7&\35\250\313*\16\360vIA'<\300\353\350\320*C\4\205\178Uc]N\1\277\325\2014\225\20\315\1\276\337\225\20\246w]\212\231\317\15\260\265\235X\16\264\301\376-\27WZSt\3719{\375ugX\17\200\315_\326\200\325\227\302\346\365\366\360\204\303\266n\315\5\216\276\314\201\22'\270\341\31\264\334\215\2WO\371\227\246\331\5H\226\335\214y\323\315b\302du\335\242x\306\241\5e\355\200c\246\232\337\357\30M\2710>1G\331\267\300\206`\2616\207\0n}\213\27D*\247\34%\32G\263\65.\240\227\355\206a\31\314\205\332\267WkX\316u\377\311u\240G\340D\354\307\5\212}\227\235\343F\14b\226kq.yN\236\362?\201q\262\322\315\245d\247\250\315\3032\220\215&\347\362/\377\247\234\247\213\234(\262\242\336\323^\210\361\305\343\271\346\335_\272\246q\312\12|\34QL\267)C\261\271\311E[\263Z\302\34\267\376\302n\31\350\227\6\366\331\271\14\236=\363s\247F\232,\267\336\301\1\353\210\217\13\253\333\17\204\362\330h@\251\351#\23\252>\212\362\267G\5*=#\17W\252qI\340\322\304\366\20(\324E\14\266\333\215z}\255\343\351\233~\245\32e\361A\257\236\277\34_\256\335``\317\237^\306\226\374\3233Q\377_\323\69?\347\366\37\376K\262\331\326V\275J;}\325\261\277Gh\211\17C\375\37\367\12\232\337q\355\31\337\13<]\236\223K\265\251\227\321Y#\323\231s\325\247C\347W", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) `\266\202\236\3412Ur\257\216\332\246r7&\35\250\313*\16\360vIA'<\300\353\350\320*C\4\205\178Uc]N\1\277\325\2014\225\20\315\1\276\337\225\20\246w]\212\231\317\15\260\265\235X\16\264\301\376-\27WZSt\3719{\375ugX\17\200\315_\326\200\325\227\302\346\365\366\360\204\303\266n\315\5\216\276\314\201\22'\270\341\31\264\334\215\2WO\371\227\246\331\5H\226\335\214y\323\315b\302du\335\242x\306\241\5e\355\200c\246\232\337\357\30M\2710>1G\331\267\300\206`\2616\207\0n}\213\27D*\247\34%\32G\263\65.\240\227\355\206a\31\314\205\332\267WkX\316u\377\311u\240G\340D\354\307\5\212}\227\235\343F\14b\226kq.yN\236\362?\201q\262\322\315\245d\247\250\315\3032\220\215&\347\362/\377\247\234\247\213\234(\262\242\336\323^\210\361\305\343\271\346\335_\272\246q\312\12|\34QL\267)C\261\271\311E[\263Z\302\34\267\376\302n\31\350\227\6\366\331\271\14\236=\363s\247F\232,\267\336\301\1\353\210\217\13\253\333\17\204\362\330h@\251\351#\23\252>\212\362\267G\5*=#\17W\252qI\340\322\304\366\20(\324E\14\266\333\215z}\255\343\351\233~\245\32e\361A\257\236\277\34_\256\335``\317\237^\306\226\374\3233Q\377_\323\69?\347\366\37\376K\262\331\326V\275J;}\325\261\277Gh\211\17C\375\37\367\12\232\337q\355\31\337\13<]\236\223K\265\251\227\321Y#\323\231s\325\247C\347W", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01075   408   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\241[M\261\334\11\271\276R\346\226\323'\264\257\234\324$\233\374\245j\353m\224\129\336%\370\33\264\32s\346\274\346k\221\350\300S\247\14\341\10\265\362u\377\17\345\225'\366\253\277k\275\3\277@\211\316\16F\370\234\255jC~\313\235Z\301\371D\263B\357\331\16\177\5\371s\373\17\342\213V\370\5\347nY^\207\324\227~\244T\325\3010\6o\270\271\232a\20\200\254\23*w)\215\373Z\3743\22\273]A\211\275\360\362[Q\377\31:\305\237M\27Q\341\10\342I^X\264\377q\371\271\357.!\353\225P\360\347\271k\362\33\262\214\234 \302\331\201w\277\277\226\264\244\211\260\354\264n\336\24\2\200\350\24+\366b\264\235\373\220@\331V\336^\351>\270\310\23\6\224J\265qm\373q\217\2673+\316=\265m\265NuZ\306t\277\360/\27\36\2674\303\332\226\243\322\215\353\364\373I\220\211\177\251^|\375\312\307\216\311\311\301\243\2526\306\305\240\231?^;\367\206/\367o\322v\252]\301\23wZ2>B\361\251\234\252T%\202\25<=\247f\35\320\255Q\312\6\202#N\364\216\344\331k\221\321#\221\256a\262\2534\355Z\356\17%\236V\355I\246\2371+\11\240\376\333\273\325\361\4\304\337\251\260\363W\330\345\11\210aJ\34\6(\253^\327^u\10\327\302}\260{rn\355\240~\332]\333\217\344\6WA\252$\356Y\30A\350:\333H\306\231`6\37\265\210\245\236\314\13b04\351\375W\206\252\215\36\352b@\1\360\370\356\257\32\203L\317\367\5\14\5Pe`d\325\2636\323\333y#\262\3521 DH\5\336s\363<\1\306\215\377\251\342\335[*\210K\303)HZ\34\305n\352r\307{\343k\243s\273\277\345\317t\272\234\360\371\234\227\360\367u\233\17\35q\233\15\320\253\205", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0
 01076   408   NtWriteFile  (140, 0, 0, 0,  (140, 0, 0, 0, "\302+\266\335\205\0\266\335\204\0\266\335\205\0\366\331\205\0\202\201\203\0\335\334\205\0\266\335\205\0\266\335\205\0\266\335\205\0\17\224\302+\266\335\205\0\266\335\202\0O\242\205\0.\331\205\200L\242\205\0v\331\205\200M\242\205\0^\331\205\200J\242\205\0\246\330\205\200K\242\205\0\216\330\205\200H\242\205\0\326\330\205\200I\242\205\0>\330\205\200\266\335\205\0\17\224\302+\266\335\205\0\266\335\204\0\266\335\205\0\6\331\205\0\26\200\203\0\242\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\17\224\302+\266\335\205\0\266\335\204\0\266\335\205\0n\331\205\0\2\200\203\0\242\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\17\224\302+\266\335\205\0\266\335\204\0\266\335\205\0\266\330\205\0~\200\203\0\242\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\17\224\302+\266\335\205\0\266\335\204\0\266\335\205\0\236\330\205\0j\200\203\0\242\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\17\224\302+\266\335\205\0\266\335\204\0\266\335\205\0\346\330\205\0F\200\203\0\242\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\17\224\302+\266\335\205\0\266\335\204\0\266\335\205\0\316\330\205\0\262\203\203\0\242\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0\17\224\302+\266\335\205\0\266\335\204\0\266\335\205\0\26\330\205\0\256\203\203\0\242\335\205\0\266\335\205\0\266\335\205\0\260\335\301\0\340\335\306\0\372\335\304\0\372\335\216\0\342\335\303\0\343\335\313\0\365\335\310\0\371\335\301\0\343\335\311\0\363\335\205\0\266\335\205\0\266\335\205\0\266\335\205\0Z\373\202\0\26\373\202\0\266\335\205\0\266\335\205\0\266\335\205\0O\373\202\0\32\373\202\0\266\335\205\0\266\335\205\0\266\335\205\0\260\372\202\0\2\373\202\0\266\335\205\0\266\335\205\0\266\335\205\0\245\372", 3026, 0x0, 0, ... {status=0x0, info=3026}, ) , 3026, 0x0, 0, ... {status=0x0, info=3026}, ) == 0x0
 01077   408   NtUnmapViewOfSection  (-1, 0x9f0000, ... ) == 0x0
 01078   408   NtSetInformationFile  (140, 1244376, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01079   408   NtClose  (144, ... ) == 0x0
 01080   408   NtClose  (140, ... ) == 0x0
 01081   408   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01082   408   NtSetValueKey  (140,  (140, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0e\0o\0s\0c\0t\0b\0b\0.\0e\0x\0e\0\0\0", 64, ... , 0, 1,  (140, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0e\0o\0s\0c\0t\0b\0b\0.\0e\0x\0e\0\0\0", 64, ... , 64, ...
 01083   408   NtSetInformationFile  (-2147482808, -131037388, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01084   408   NtSetInformationFile  (-2147482808, -131037480, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01082   408   NtSetValueKey  ... ) == 0x0
 01085   408   NtClose  (140, ... ) == 0x0
 01086   408   NtClose  (100, ... ) == 0x0
 01087   408   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01088   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eosctbb.exe"}, 1241008, ... ) }, 1241008, ... ) == 0x0
 01089   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eosctbb.exe"}, 1241700, ... ) }, 1241700, ... ) == 0x0
 01090   408   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eosctbb.exe"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 01091   408   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 100, ... 140, ) == 0x0
 01092   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01093   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 144, ) }, ... 144, ) == 0x0
 01094   408   NtQueryValueKey  (144,  (144, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01095   408   NtClose  (144, ... ) == 0x0
 01096   408   NtQueryVolumeInformationFile  (100, 1241008, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01097   408   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 144, ) }, ... 144, ) == 0x0
 01098   408   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01099   408   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 148, ) }, ... 148, ) == 0x0
 01100   408   NtMapViewOfSection  (148, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9f0000), {0, 0}, 57344, ) == 0x0
 01101   408   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01102   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238992, ... ) }, 1238992, ... ) == 0x0
 01103   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0
 01104   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 152, ... 156, ) == 0x0
 01105   408   NtClose  (152, ... ) == 0x0
 01106   408   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 106496, ) == 0x0
 01107   408   NtClose  (156, ... ) == 0x0
 01108   408   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01109   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239308, ... ) }, 1239308, ... ) == 0x0
 01110   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 156, {status=0x0, info=1}, ) }, 5, 96, ... 156, {status=0x0, info=1}, ) == 0x0
 01111   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 156, ... 152, ) == 0x0
 01112   408   NtQuerySection  (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01113   408   NtClose  (156, ... ) == 0x0
 01114   408   NtMapViewOfSection  (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01115   408   NtClose  (152, ... ) == 0x0
 01116   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01117   408   NtQueryInformationFile  (152, 1239596, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01118   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 152, ... 156, ) == 0x0
 01119   408   NtMapViewOfSection  (156, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa00000), 0x0, 1028096, ) == 0x0
 01120   408   NtQueryInformationFile  (152, 1239692, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01121   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01123   408   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01124   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01125   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1237256, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237256, 616, BothDirectory, 1, "eosctbb.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01126   408   NtClose  (160, ... ) == 0x0
 01127   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01128   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01129   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eosctbb.exe"}, 1236644, ... ) }, 1236644, ... ) == 0x0
 01130   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01131   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01132   408   NtClose  (160, ... ) == 0x0
 01133   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01134   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01135   408   NtClose  (160, ... ) == 0x0
 01136   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01137   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (160, 0, 0, 0, 1236004, 616, BothDirectory, 1, "eosctbb.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01138   408   NtClose  (160, ... ) == 0x0
 01139   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01140   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01141   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01142   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01143   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01144   408   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01145   408   NtClose  (160, ... ) == 0x0
 01146   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01147   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eosctbb.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01148   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01149   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01150   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eosctbb.exe"}, 1238924, ... ) }, 1238924, ... ) == 0x0
 01151   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01152   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01153   408   NtClose  (160, ... ) == 0x0
 01154   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01155   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01156   408   NtClose  (160, ... ) == 0x0
 01157   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01158   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (160, 0, 0, 0, 1238284, 616, BothDirectory, 1, "eosctbb.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01159   408   NtClose  (160, ... ) == 0x0
 01160   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01161   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01162   408   NtWaitForSingleObject  (144, 0, {-1000000, -1}, ... ) == 0x0
 01163   408   NtQueryVolumeInformationFile  (100, 1239568, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01164   408   NtQueryInformationFile  (100, 1239548, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01165   408   NtQueryInformationFile  (100, 1239588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01166   408   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01167   408   NtUnmapViewOfSection  (-1, 0xa00000, ... ) == 0x0
 01168   408   NtClose  (156, ... ) == 0x0
 01169   408   NtClose  (152, ... ) == 0x0
 01170   408   NtQuerySection  (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01171   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eosctbb.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   408   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01173   408   NtOpenProcessToken  (-1, 0xa, ... 152, ) == 0x0
 01174   408   NtQueryInformationToken  (152, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01175   408   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01177   408   NtQueryValueKey  (156,  (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01178   408   NtQueryValueKey  (156,  (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (156, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01179   408   NtClose  (156, ... ) == 0x0
 01180   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01181   408   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01182   408   NtQueryValueKey  (156,  (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (156, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01183   408   NtClose  (156, ... ) == 0x0
 01184   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01185   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01186   408   NtQueryValueKey  (156,  (156, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   408   NtClose  (156, ... ) == 0x0
 01188   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01189   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01190   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01191   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01192   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01193   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01194   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01195   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01196   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01197   408   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01198   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 156, ) }, ... 156, ) == 0x0
 01199   408   NtEnumerateKey  (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (156, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01200   408   NtOpenKey  (0x20019, {24, 156, 0x40, 0, 0,  (0x20019, {24, 156, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 160, ) }, ... 160, ) == 0x0
 01201   408   NtQueryValueKey  (160,  (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (160, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01202   408   NtQueryValueKey  (160,  (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (160, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01203   408   NtClose  (160, ... ) == 0x0
 01204   408   NtEnumerateKey  (156, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01205   408   NtClose  (156, ... ) == 0x0
 01206   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01210   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01216   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01218   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01220   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01221   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01222   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01223   408   NtClose  (156, ... ) == 0x0
 01224   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01225   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01226   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01227   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01228   408   NtClose  (156, ... ) == 0x0
 01229   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01230   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01231   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01232   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01233   408   NtClose  (156, ... ) == 0x0
 01234   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01236   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01237   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01238   408   NtClose  (156, ... ) == 0x0
 01239   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01240   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01241   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01242   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01243   408   NtClose  (156, ... ) == 0x0
 01244   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01245   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01246   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01247   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01248   408   NtClose  (156, ... ) == 0x0
 01249   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01251   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01252   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01253   408   NtClose  (156, ... ) == 0x0
 01254   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01255   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01256   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01257   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01258   408   NtClose  (156, ... ) == 0x0
 01259   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01260   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01261   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01262   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01263   408   NtClose  (156, ... ) == 0x0
 01264   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01265   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01266   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01267   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01268   408   NtClose  (156, ... ) == 0x0
 01269   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01270   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01271   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01272   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01273   408   NtClose  (156, ... ) == 0x0
 01274   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01275   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01276   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01277   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01278   408   NtClose  (156, ... ) == 0x0
 01279   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01280   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01281   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01282   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01283   408   NtClose  (156, ... ) == 0x0
 01284   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01285   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01286   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01287   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01288   408   NtClose  (156, ... ) == 0x0
 01289   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01290   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01291   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01292   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01293   408   NtClose  (156, ... ) == 0x0
 01294   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01296   408   NtQueryValueKey  (156,  (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (156, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01297   408   NtClose  (156, ... ) == 0x0
 01298   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01299   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01300   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01301   408   NtClose  (156, ... ) == 0x0
 01302   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   408   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01304   408   NtOpenProcessToken  (-1, 0xa, ... 156, ) == 0x0
 01305   408   NtDuplicateToken  (156, 0xc, {24, 0, 0x0, 0, 1240900, 0x0}, 0, 2, ... 160, ) == 0x0
 01306   408   NtClose  (156, ... ) == 0x0
 01307   408   NtAccessCheck  (1378928, 160, 0x1, 1241028, 1240972, 56, 1241056, ... (0x1), ) == 0x0
 01308   408   NtClose  (160, ... ) == 0x0
 01309   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 160, ) }, ... 160, ) == 0x0
 01310   408   NtQueryValueKey  (160,  (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (160, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01311   408   NtClose  (160, ... ) == 0x0
 01312   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 160, ) }, ... 160, ) == 0x0
 01313   408   NtQuerySymbolicLinkObject  (160, ...  (160, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01314   408   NtClose  (160, ... ) == 0x0
 01315   408   NtQueryInformationFile  (100, 1239360, 528, Name, ... {status=0x0, info=62}, ) == 0x0
 01316   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01317   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01318   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eosctbb.exe"}, 1238040, ... ) }, 1238040, ... ) == 0x0
 01319   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01320   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01321   408   NtClose  (160, ... ) == 0x0
 01322   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01323   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01324   408   NtClose  (160, ... ) == 0x0
 01325   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 160, {status=0x0, info=1}, ) }, 3, 16417, ... 160, {status=0x0, info=1}, ) == 0x0
 01326   408   NtQueryDirectoryFile  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (160, 0, 0, 0, 1237400, 616, BothDirectory, 1, "eosctbb.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01327   408   NtClose  (160, ... ) == 0x0
 01328   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01329   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01330   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01331   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01332   408   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01333   408   NtClose  (160, ... ) == 0x0
 01334   408   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 160, ) }, ... 160, ) == 0x0
 01335   408   NtOpenKey  (0x20019, {24, 160, 0x40, 0, 0,  (0x20019, {24, 160, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0
 01336   408   NtClose  (160, ... ) == 0x0
 01337   408   NtQueryValueKey  (156,  (156, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01338   408   NtQueryValueKey  (156,  (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (156, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01339   408   NtClose  (156, ... ) == 0x0
 01340   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10485760, 4096, ) == 0x0
 01341   408   NtAllocateVirtualMemory  (-1, 10485760, 0, 4096, 4096, 4, ... 10485760, 4096, ) == 0x0
 01342   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 156, ) }, ... 156, ) == 0x0
 01343   408   NtQueryValueKey  (156,  (156, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344   408   NtClose  (156, ... ) == 0x0
 01345   408   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01346   408   NtQueryInformationToken  (152, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01347   408   NtQueryInformationToken  (152, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01348   408   NtClose  (152, ... ) == 0x0
 01349   408   NtCreateProcessEx  (1243636, 2035711, 0, -1, 0, 140, 0, 0, 0, ... ) == 0x0
 01350   408   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=560,ParentPid=400,}, 0x0, ) == 0x0
 01351   408   NtReadVirtualMemory  (152, 0x7ffdf008, 4, ...  (152, 0x7ffdf008, 4, ... "\0\0C1", 0x0, ) , 0x0, ) == 0x0
 01352   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eosctbb.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01353   408   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 01354   408   NtReadVirtualMemory  (152, 0x31430000, 4096, ...  (152, 0x31430000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\11\3538\210M\212V\333M\212V\333M\212V\333\316\226X\333O\212V\333\245\225R\333O\212V\333M\212V\333J\212V\333M\212W\333\32\212V\333/\225E\333D\212V\333\245\225]\333G\212V\333RichM\212V\333\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\322~\340@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0P\0\0\0\240\0\0\0`\0\0\0\200\0\0\0\0C1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\340UPX1", 4096, ) , 4096, ) == 0x0
 01355   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01356   408   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=560,ParentPid=400,}, 0x0, ) == 0x0
 01357   408   NtAllocateVirtualMemory  (-1, 0, 0, 1660, 4096, 4, ... 10551296, 4096, ) == 0x0
 01358   408   NtAllocateVirtualMemory  (152, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01359   408   NtWriteVirtualMemory  (152, 0x10000,  (152, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01360   408   NtAllocateVirtualMemory  (152, 0, 0, 1660, 4096, 4, ... 131072, 4096, ) == 0x0
 01361   408   NtWriteVirtualMemory  (152, 0x20000,  (152, 0x20000, "\0\20\0\0|\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0>\0@\0\230\5\0\0>\0@\0\330\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0>\0@\0\30\6\0\0\36\0 \0X\6\0\0\0\0\2\0x\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1660, ... 0x0, ) , 1660, ... 0x0, ) == 0x0
 01362   408   NtWriteVirtualMemory  (152, 0x7ffdf010,  (152, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01363   408   NtWriteVirtualMemory  (152, 0x7ffdf1e8,  (152, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01364   408   NtFreeVirtualMemory  (-1, (0xa10000), 0, 32768, ... (0xa10000), 4096, ) == 0x0
 01365   408   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01366   408   NtAllocateVirtualMemory  (152, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01367   408   NtProtectVirtualMemory  (152, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01368   408   NtCreateThread  (0x1f03ff, 0x0, 152, 1241900, 1242620, 1, ... 156, {560, 364}, ) == 0x0
 01369   408   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\00\2\0\0l\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 400, 408, 1495, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\00\2\0\0l\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ... {168, 196, reply, 0, 400, 408, 1495, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1368240, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\233\0\0\0\234\0\0\00\2\0\0l\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" ... {168, 196, reply, 0, 400, 408, 1495, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\230\0\0\0\234\0\0\00\2\0\0l\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\24\0\0\0\0\0" )  ) == 0x0
 01370   408   NtResumeThread  (156, ... 1, ) == 0x0
 01371   408   NtClose  (100, ... ) == 0x0
 01372   408   NtClose  (140, ... ) == 0x0
 01373   408   NtQueryInformationProcess  (152, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=560,ParentPid=400,}, 0x0, ) == 0x0
 01374   408   NtUserWaitForInputIdle  (560, 30000, 0, ...
 01375   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 01376   408   NtClose  (140, ... ) == 0x0
 01374   408   NtUserWaitForInputIdle  ... ) == 0x0
 01377   408   NtClose  (152, ... ) == 0x0
 01378   408   NtClose  (156, ... ) == 0x0
 01379   408   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 01380   408   NtTerminateProcess  (0, 0, ... ) == 0x0
 01381   408   NtQueryVirtualMemory  (-1, 0x896d20, Basic, 28, ... {BaseAddress=0x896000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x12000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01382   408   NtQueryVirtualMemory  (-1, 0x89762c, Basic, 28, ... {BaseAddress=0x897000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x11000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01383   408   NtQueryVirtualMemory  (-1, 0x86cef4, Basic, 28, ... {BaseAddress=0x86c000,AllocationBase=0x860000,AllocationProtect=0x80,RegionSize=0x3c000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 01384   408   NtGdiDeleteObjectApp  (1107952646, ... ) == 0x1
 01385   408   NtGdiDeleteObjectApp  (805962626, ... ) == 0x1
 01386   408   NtGdiDeleteObjectApp  (1191838696, ... ) == 0x1
 01387   408   NtUserDestroyCursor  (196763, 1, ... ) == 0x1
 01388   408   NtUserDestroyCursor  (196765, 1, ... ) == 0x1
 01389   408   NtUserDestroyCursor  (131231, 1, ... ) == 0x1
 01390   408   NtUserDestroyCursor  (196769, 1, ... ) == 0x1
 01391   408   NtUserDestroyCursor  (262307, 1, ... ) == 0x1
 01392   408   NtUserDestroyCursor  (262309, 1, ... ) == 0x1
 01393   408   NtUserDestroyCursor  (131217, 1, ... ) == 0x1
 01394   408   NtUserFindExistingCursorIcon  (1243472, 1243488, 1244056, ... ) == 0x10011
 01395   408   NtDeleteAtom  (49180, ... ) == 0x0
 01396   408   NtDeleteAtom  (49181, ... ) == 0x0
 01397   408   NtGdiDeleteObjectApp  (302515197, ... ) == 0x1
 01398   408   NtClose  (96, ... ) == 0x0
 01399   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 01400   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b
 01401   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01402   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d
 01403   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01404   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f
 01405   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01406   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc041
 01407   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01408   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc043
 01409   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01410   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc045
 01411   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01412   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc047
 01413   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01414   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc049
 01415   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01416   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b
 01417   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01418   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d
 01419   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01420   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f
 01421   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01422   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc051
 01423   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01424   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc053
 01425   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01426   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc057
 01427   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01428   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc059
 01429   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01430   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b
 01431   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01432   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d
 01433   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01434   408   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05f
 01435   408   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01436   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b
 01437   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01438   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d
 01439   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01440   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f
 01441   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01442   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc041
 01443   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01444   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc043
 01445   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01446   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc045
 01447   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01448   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc047
 01449   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01450   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc049
 01451   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01452   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b
 01453   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01454   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d
 01455   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01456   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f
 01457   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01458   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc051
 01459   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01460   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc053
 01461   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01462   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc057
 01463   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01464   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc059
 01465   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01466   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b
 01467   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01468   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d
 01469   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01470   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05f
 01471   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01472   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc017
 01473   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01474   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc019
 01475   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01476   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc018
 01477   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01478   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01a
 01479   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01480   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01c
 01481   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01482   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01e
 01483   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01484   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01b
 01485   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01486   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc068
 01487   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01488   408   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc06a
 01489   408   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 01490   408   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 01491   408   NtClose  (76, ... ) == 0x0
 01492   408   NtClose  (64, ... ) == 0x0
 01493   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 01494   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 01495   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 01496   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 01497   408   NtFreeVirtualMemory  (-1, (0xa00000), 4096, 32768, ... (0xa00000), 4096, ) == 0x0
 01498   408   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 400, 408, 3205, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 400, 408, 3205, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 400, 408, 3205, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01499   408   NtTerminateProcess  (-1, 0, ...
 01500   408   NtClose  (44, ... ) == 0x0
NtAdjustPrivilegesToken(>)	1	NtDeleteAtom(>)	2	NtGdiBitBlt(>)	7	NtQueryInformationProcess(>)	15
NtCallbackReturn(>)	1	NtEnumerateKey(>)	2	NtGdiCreateDIBitmapInternal(>)	7	NtCreateSection(>)	17
NtCreateMutant(>)	1	NtGdiCreateSolidBrush(>)	2	NtGdiGetDCObject(>)	7	NtGdiDeleteObjectApp(>)	18
NtCreateProcessEx(>)	1	NtOpenDirectoryObject(>)	2	NtGdiGetDCforBitmap(>)	7	NtReadFile(>)	19
NtCreateThread(>)	1	NtOpenEvent(>)	2	NtGdiGetStockObject(>)	7	NtContinue(>)	20
NtDelayExecution(>)	1	NtOpenSymbolicLinkObject(>)	2	NtGdiRestoreDC(>)	7	NtQuerySystemInformation(>)	20
NtDuplicateToken(>)	1	NtQueryInstallUILanguage(>)	2	NtGdiSaveDC(>)	7	NtUserCallOneParam(>)	20
NtEnumerateValueKey(>)	1	NtQuerySymbolicLinkObject(>)	2	NtGdiSetDIBitsToDeviceInternal(>)	7	NtWaitForSingleObject(>)	21
NtGdiCreatePaletteInternal(>)	1	NtReadVirtualMemory(>)	2	NtOpenProcessToken(>)	7	NtFlushInstructionCache(>)	23
NtGdiInit(>)	1	NtTerminateProcess(>)	2	NtUserDestroyCursor(>)	7	NtWriteFile(>)	23
NtGdiQueryFontAssocInfo(>)	1	NtUserWaitForInputIdle(>)	2	NtUserSetCursorIconData(>)	7	NtOpenProcessTokenEx(>)	24
NtNotifyChangeKey(>)	1	NtAddAtom(>)	3	NtGdiCreateBitmap(>)	8	NtOpenThreadTokenEx(>)	24
NtOpenKeyedEvent(>)	1	NtCreateSemaphore(>)	3	NtQuerySection(>)	8	NtOpenSection(>)	25
NtOpenProcess(>)	1	NtDuplicateObject(>)	3	NtRequestWaitReplyPort(>)	8	NtOpenFile(>)	30
NtQueryInformationJobObject(>)	1	NtFreeVirtualMemory(>)	3	NtSetInformationThread(>)	8	NtQueryAttributesFile(>)	31
NtQueryObject(>)	1	NtGdiHfontCreate(>)	3	NtQueryDebugFilterState(>)	9	NtQueryInformationToken(>)	31
NtQuerySystemTime(>)	1	NtOpenMutant(>)	3	NtSetInformationFile(>)	9	NtMapViewOfSection(>)	37
NtRegisterThreadTerminatePort(>)	1	NtSetInformationObject(>)	3	NtCreateEvent(>)	10	NtReleaseMutant(>)	40
NtResumeThread(>)	1	NtFsControlFile(>)	4	NtGdiCreateCompatibleDC(>)	10	NtAllocateVirtualMemory(>)	41
NtSecureConnectPort(>)	1	NtOpenThreadToken(>)	4	NtGdiExtGetObjectW(>)	10	NtProtectVirtualMemory(>)	45
NtTestAlert(>)	1	NtSetValueKey(>)	4	NtQueryDirectoryFile(>)	10	NtUserUnregisterClass(>)	45
NtUserCallNoParam(>)	1	NtWriteVirtualMemory(>)	4	NtCreateFile(>)	11	NtQueryValueKey(>)	51
NtUserEnumDisplayMonitors(>)	1	NtUserRegisterWindowMessage(>)	5	NtUserGetDC(>)	11	NtGdiSelectBitmap(>)	57
NtUserGetKeyboardLayoutList(>)	1	NtCreateKey(>)	6	NtUnmapViewOfSection(>)	12	NtUserRegisterClassExWOW(>)	63
NtUserGetThreadDesktop(>)	1	NtQueryDefaultUILanguage(>)	6	NtQueryDefaultLocale(>)	13	NtUserGetClassInfo(>)	64
NtUserSetWindowsHookEx(>)	1	NtQueryVirtualMemory(>)	6	NtQueryInformationFile(>)	13	NtUserFindExistingCursorIcon(>)	72
NtAccessCheck(>)	2	NtQueryVolumeInformationFile(>)	6	NtUserSystemParametersInfo(>)	13	NtOpenKey(>)	112
NtCreateIoCompletion(>)	2	NtSetInformationProcess(>)	6	NtUserSelectPalette(>)	14	NtClose(>)	165