Summary (system call name followed by its call count):

NtAccessCheck(>) 1 NtUserCallMsgFilter(>) 1 NtUserGetObjectInformation(>) 3 NtSetValueKey(>) 8
NtCallbackReturn(>) 1 NtUserDrawIconEx(>) 1 NtUserSetWindowPos(>) 3 NtUserCallNoParam(>) 9
NtConnectPort(>) 1 NtUserGetCursorFrameInfo(>) 1 NtCreateFile(>) 4 NtUserPeekMessage(>) 9
NtContinue(>) 1 NtUserGetDC(>) 1 NtOpenProcessToken(>) 4 NtRequestWaitReplyPort(>) 10
NtCreateEvent(>) 1 NtUserGetGUIThreadInfo(>) 1 NtQueryDefaultLocale(>) 4 NtUnmapViewOfSection(>) 10
NtDuplicateObject(>) 1 NtUserGetIconSize(>) 1 NtQuerySection(>) 4 NtUserCreateWindowEx(>) 10
NtEnumerateValueKey(>) 1 NtUserGetProcessWindowStation(>) 1 NtUserCalcMenuBar(>) 4 NtUserSystemParametersInfo(>) 11
NtFreeVirtualMemory(>) 1 NtUserModifyUserStartupInfoFlags(>) 1 NtUserCallHwndLock(>) 4 NtCreateSection(>) 12
NtFsControlFile(>) 1 NtUserUnregisterClass(>) 1 NtUserFillWindow(>) 4 NtGdiExtSelectClipRgn(>) 12
NtGdiCreateBitmap(>) 1 NtGdiCreatePatternBrushInternal(>) 2 NtUserGetClassName(>) 4 NtGdiGetRandomRgn(>) 12
NtGdiExtCreateRegion(>) 1 NtGdiCreateSolidBrush(>) 2 NtUserGetDCEx(>) 4 NtQueryInformationToken(>) 12
NtGdiExtGetObjectW(>) 1 NtGdiGetWidthTable(>) 2 NtUserGetTitleBarInfo(>) 4 NtDeviceIoControlFile(>) 16
NtGdiGetDCDword(>) 1 NtOpenDirectoryObject(>) 2 NtUserQueryWindow(>) 4 NtGdiIntersectClipRect(>) 16
NtGdiGetTextExtent(>) 1 NtQueryInstallUILanguage(>) 2 NtUserRemoveProp(>) 4 NtFlushInstructionCache(>) 17
NtGdiInit(>) 1 NtQueryVirtualMemory(>) 2 NtUserSetWindowFNID(>) 4 NtOpenFile(>) 17
NtGdiOffsetRgn(>) 1 NtUserDestroyWindow(>) 2 NtUserThunkedMenuItemInfo(>) 4 NtGdiDrawStream(>) 18
NtGdiQueryFontAssocInfo(>) 1 NtUserGetForegroundWindow(>) 2 NtUserWaitMessage(>) 4 NtOpenSection(>) 18
NtOpenEvent(>) 1 NtUserGetThreadDesktop(>) 2 NtGdiGetStockObject(>) 5 NtQueryAttributesFile(>) 19
NtOpenKeyedEvent(>) 1 NtUserSetCursor(>) 2 NtUserGetAncestor(>) 5 NtUserGetWindowDC(>) 24
NtOpenMutant(>) 1 NtUserSetFocus(>) 2 NtUserGetAtomName(>) 5 NtQueryValueKey(>) 26
NtOpenProcess(>) 1 NtUserSetWindowRgn(>) 2 NtUserRegisterWindowMessage(>) 5 NtAllocateVirtualMemory(>) 29
NtOpenSymbolicLinkObject(>) 1 NtUserShowWindow(>) 2 NtUserSetProp(>) 5 NtMapViewOfSection(>) 29
NtQueryInformationProcess(>) 1 NtAddAtom(>) 3 NtUserSetWindowLong(>) 5 NtUserCallOneParam(>) 30
NtQueryObject(>) 1 NtGdiBitBlt(>) 3 NtGdiCombineRgn(>) 6 NtProtectVirtualMemory(>) 34
NtQueryPerformanceCounter(>) 1 NtGdiCreateCompatibleBitmap(>) 3 NtGdiCreateRectRgn(>) 6 NtUserGetClassInfo(>) 37
NtQuerySymbolicLinkObject(>) 1 NtGdiExcludeClipRect(>) 3 NtQueryDefaultUILanguage(>) 6 NtOpenKey(>) 42
NtQueryVolumeInformationFile(>) 1 NtGdiGetCharSet(>) 3 NtUserBeginPaint(>) 6 NtUserFindExistingCursorIcon(>) 53
NtRegisterThreadTerminatePort(>) 1 NtGdiGetTextCharsetInfo(>) 3 NtGdiCreateCompatibleDC(>) 7 NtUserMessageCall(>) 63
NtSecureConnectPort(>) 1 NtGdiGetTextMetricsW(>) 3 NtGdiSelectBitmap(>) 7 NtUserRegisterClassExWOW(>) 64
NtSetInformationFile(>) 1 NtGdiHfontCreate(>) 3 NtUserInternalGetWindowText(>) 7 NtQuerySystemInformation(>) 73
NtSetInformationThread(>) 1 NtGdiSetupPublicCFONT(>) 3 NtCreateKey(>) 8 NtReadFile(>) 74
NtTestAlert(>) 1 NtQueryInformationFile(>) 3 NtGdiDeleteObjectApp(>) 8 NtClose(>) 92
NtUserBuildHwndList(>) 1 NtSetInformationObject(>) 3 NtOpenProcessTokenEx(>) 8
NtUserCallHwnd(>) 1 NtUserEndPaint(>) 3 NtOpenThreadTokenEx(>) 8
NtUserCallHwndParam(>) 1

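Trace (sequence number, thread ID, call, arguments, "== result"; a sequence number that appears twice is one call whose entry and result are separated by nested calls):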

00001 408 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 408 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 408 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 408 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 408 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 408 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 408 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 408 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 408 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 408 NtClose (12, ... 
) == 0x0 00014 408 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 408 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 408 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 408 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 408 NtClose (16, ... ) == 0x0 00021 408 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 408 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 408 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0 00025 408 NtClose (16, ... ) == 0x0 00026 408 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 408 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 408 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 408 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 400, 408, 1487, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ... {28, 56, reply, 0, 400, 408, 1487, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 400, 408, 1487, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ) ) == 0x0 00032 408 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 408 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 408 NtClose (16, ... ) == 0x0 00036 408 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 408 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 408 NtClose (28, ... ) == 0x0 00041 408 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 408 NtClose (28, ... ) == 0x0 00045 408 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 408 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 408 NtClose (28, ... ) == 0x0 00049 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 408 NtClose (28, ... ) == 0x0 00052 408 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... 
{28, 56, reply, 0, 400, 408, 1490, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ... {28, 56, reply, 0, 400, 408, 1490, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 400, 408, 1490, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ) ) == 0x0 00056 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00057 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00058 408 NtClose (28, ... ) == 0x0 00059 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00061 408 NtClose (28, ... ) == 0x0 00062 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00064 408 NtClose (28, ... ) == 0x0 00065 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 408 NtClose (28, ... ) == 0x0 00068 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 408 NtClose (28, ... ) == 0x0 00071 408 NtProtectVirtualMemory (-1, (0x408000), 672, 4, ... (0x408000), 4096, 2, ) == 0x0 00072 408 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00073 408 NtFlushInstructionCache (-1, 4227072, 672, ... 
) == 0x0 00074 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 28, ) }, ... 28, ) == 0x0 00075 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 00076 408 NtClose (28, ... ) == 0x0 00077 408 NtProtectVirtualMemory (-1, (0x408000), 672, 4, ... (0x408000), 4096, 2, ) == 0x0 00078 408 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00079 408 NtFlushInstructionCache (-1, 4227072, 672, ... ) == 0x0 00080 408 NtProtectVirtualMemory (-1, (0x408000), 672, 4, ... (0x408000), 4096, 2, ) == 0x0 00081 408 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00082 408 NtFlushInstructionCache (-1, 4227072, 672, ... ) == 0x0 00083 408 NtProtectVirtualMemory (-1, (0x408000), 672, 4, ... (0x408000), 4096, 2, ) == 0x0 00084 408 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00085 408 NtFlushInstructionCache (-1, 4227072, 672, ... ) == 0x0 00086 408 NtProtectVirtualMemory (-1, (0x408000), 672, 4, ... (0x408000), 4096, 2, ) == 0x0 00087 408 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00088 408 NtFlushInstructionCache (-1, 4227072, 672, ... ) == 0x0 00089 408 NtProtectVirtualMemory (-1, (0x408000), 672, 4, ... (0x408000), 4096, 2, ) == 0x0 00090 408 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00091 408 NtFlushInstructionCache (-1, 4227072, 672, ... ) == 0x0 00092 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00094 408 NtClose (28, ... ) == 0x0 00095 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00096 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x77c10000), 0x0, 339968, ) == 0x0 00097 408 NtClose (28, ... ) == 0x0 00098 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00099 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00100 408 NtClose (28, ... ) == 0x0 00101 408 NtProtectVirtualMemory (-1, (0x408000), 672, 4, ... (0x408000), 4096, 2, ) == 0x0 00102 408 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00103 408 NtFlushInstructionCache (-1, 4227072, 672, ... ) == 0x0 00104 408 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00105 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00106 408 NtClose (28, ... ) == 0x0 00107 408 NtProtectVirtualMemory (-1, (0x408000), 672, 4, ... (0x408000), 4096, 2, ) == 0x0 00108 408 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00109 408 NtFlushInstructionCache (-1, 4227072, 672, ... ) == 0x0 00110 408 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00111 408 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00112 408 NtClose (28, ... ) == 0x0 00113 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00114 408 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00115 408 NtClose (28, ... ) == 0x0 00116 408 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00117 408 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0Ck\314\235\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 400, 408, 1493, 0} "XQ\26\0\0\0\0\0\0\0\0\0Ck\314\235\3\0\0\0\234\6\35\1$\1\0\0" ) ... {28, 56, reply, 0, 400, 408, 1493, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4\23\0Ck\314\235\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 400, 408, 1493, 0} "XQ\26\0\0\0\0\0\0\0\0\0Ck\314\235\3\0\0\0\234\6\35\1$\1\0\0" ) ) == 0x0 00118 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 408 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0 00120 408 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0 00121 408 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00122 408 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482208, ) == 0x0 00123 408 NtQueryInformationToken (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00124 408 NtQueryInformationToken (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00125 408 NtClose (-2147482208, ... ) == 0x0 00126 408 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00127 408 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00128 408 NtDuplicateObject (-1, 36, -1, 0x0, 0, 2, ... 
44, ) == 0x0 00129 408 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00130 408 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00131 408 NtClose (-2147482208, ... ) == 0x0 00132 408 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00133 408 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00134 408 NtClose (-2147482208, ... ) == 0x0 00135 408 NtQueryDefaultLocale (0, -130577908, ... ) == 0x0 00136 408 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00137 408 NtUserCallNoParam (24, ... ) == 0x0 00138 408 NtGdiCreateCompatibleDC (0, ... 00139 408 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00138 408 NtGdiCreateCompatibleDC ... ) == 0x16010322 00140 408 NtGdiGetStockObject (0, ... ) == 0x1900010 00141 408 NtGdiGetStockObject (4, ... ) == 0x1900011 00142 408 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x14050321 00143 408 NtGdiCreateSolidBrush (0, 0, ... 00144 408 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0 00143 408 NtGdiCreateSolidBrush ... ) == 0x1410031d 00145 408 NtGdiGetStockObject (13, ... ) == 0x18a0021 00146 408 NtGdiCreateCompatibleDC (0, ... ) == 0x3e01040c 00147 408 NtGdiSelectBitmap (1040253964, 335872801, ... ) == 0x185000f 00148 408 NtUserGetThreadDesktop (408, 0, ... ) == 0x28 00149 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 
48, ) == 0x0 00150 408 NtQueryValueKey (48, (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00151 408 NtClose (48, ... ) == 0x0 00152 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00153 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00154 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00155 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00156 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00157 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00158 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00159 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00160 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00161 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00162 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00163 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00164 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00165 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00166 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00167 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... 00168 408 NtAllocateVirtualMemory (-1, 5599232, 0, 4096, 4096, 32, ... 5599232, 4096, ) == 0x0 00167 408 NtUserRegisterClassExWOW ... 
) == 0x810dc026 00169 408 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00170 408 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00171 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00172 408 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00173 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00174 408 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00175 408 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00176 408 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025 00177 408 NtCallbackReturn (0, 0, 0, ... 00178 408 NtGdiInit (... ) == 0x1 00179 408 NtGdiGetStockObject (18, ... ) == 0x290001c 00180 408 NtGdiGetStockObject (19, ... ) == 0x1b00019 00181 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0 00182 408 NtQueryValueKey (48, (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00183 408 NtQueryValueKey (48, (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00184 408 NtClose (48, ... ) == 0x0 00185 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0 00186 408 NtQueryValueKey (48, (48, "LeakTrack", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00187 408 NtClose (48, ... ) == 0x0 00188 408 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0 00189 408 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00190 408 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00191 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00192 408 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 408 NtClose (52, ... ) == 0x0 00194 408 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {400, 0}, ... 52, ) == 0x0 00195 408 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00196 408 NtClose (52, ... ) == 0x0 00197 408 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00198 408 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00199 408 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00200 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00201 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 52, ) == 0x0 00202 408 NtQueryInformationToken (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00203 408 NtClose (52, ... ) == 0x0 00204 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0 00205 408 NtSetInformationObject (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00206 408 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 
56, ) == 0x0 00207 408 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00208 408 NtClose (56, ... ) == 0x0 00209 408 NtUserSystemParametersInfo (41, 500, 1243132, 0, ... ) == 0x1 00210 408 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00211 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00212 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00213 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03b 00214 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00215 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03d 00216 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00217 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00218 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc03f 00219 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00220 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00221 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc041 00222 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00223 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00224 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc043 00225 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00226 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc045 00227 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00228 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... 
) == 0x10011 00229 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc047 00230 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00231 408 NtUserFindExistingCursorIcon (1242920, 1242936, 1243504, ... ) == 0x10011 00232 408 NtUserRegisterClassExWOW (1243372, 1243452, 1243436, 1243468, 0, 384, 0, ... ) == 0x810dc049 00233 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00234 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00235 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04b 00236 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00237 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00238 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04d 00239 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00240 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00241 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc04f 00242 408 NtUserGetClassInfo (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0x0 00243 408 NtUserRegisterClassExWOW (1243380, 1243460, 1243444, 1243476, 0, 384, 0, ... ) == 0x810dc051 00244 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00245 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00246 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc053 00247 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00248 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00249 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... 
) == 0x810dc055 00250 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc057 00251 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00252 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00253 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc059 00254 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00255 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10013 00256 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05b 00257 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00258 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00259 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05d 00260 408 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00261 408 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00262 408 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810dc05f 00263 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00264 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8716288, 65536, ) == 0x0 00265 408 NtAllocateVirtualMemory (-1, 8716288, 0, 4096, 4096, 4, ... 8716288, 4096, ) == 0x0 00266 408 NtAllocateVirtualMemory (-1, 8720384, 0, 8192, 4096, 4, ... 8720384, 8192, ) == 0x0 00267 408 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 56, ) }, ... 
56, ) == 0x0 00268 408 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x860000), 0x0, 12288, ) == 0x0 00269 408 NtClose (56, ... ) == 0x0 00270 408 NtAllocateVirtualMemory (-1, 8728576, 0, 4096, 4096, 4, ... 8728576, 4096, ) == 0x0 00271 408 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00272 408 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0 00273 408 NtQueryValueKey (56, (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00274 408 NtClose (56, ... ) == 0x0 00275 408 NtQueryDefaultUILanguage (1241756, ... 00276 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00277 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00278 408 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00279 408 NtClose (-2147482208, ... ) == 0x0 00280 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00281 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00282 408 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00283 408 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00284 408 NtClose (-2147482196, ... ) == 0x0 00285 408 NtClose (-2147482208, ... ) == 0x0 00275 408 NtQueryDefaultUILanguage ... ) == 0x0 00286 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00287 408 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00288 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00289 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0 00290 408 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x870000), 0x0, 8323072, ) == 0x0 00291 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00292 408 NtQueryDefaultUILanguage (2013024600, ... 00293 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00294 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00295 408 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00296 408 NtClose (-2147482208, ... ) == 0x0 00297 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00298 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00299 408 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... 
-2147482196, ) == 0x0 00300 408 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00301 408 NtClose (-2147482196, ... ) == 0x0 00302 408 NtClose (-2147482208, ... ) == 0x0 00292 408 NtQueryDefaultUILanguage ... ) == 0x0 00303 408 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00304 408 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00305 408 NtQueryDefaultLocale (1, 1239792, ... ) == 0x0 00306 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00307 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\276\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 400, 408, 1503, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\276\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 400, 408, 1503, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\276\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 400, 408, 1503, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\18\0\0\0\377\377\377\377\0\0\0\0\20\311\276\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ) == 0x0 00308 408 NtClose (56, ... ) == 0x0 00309 408 NtClose (60, ... ) == 0x0 00310 408 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00311 408 NtUnmapViewOfSection (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW 00312 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00313 408 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00314 408 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00315 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00316 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00317 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00318 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00319 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00320 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00321 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00322 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0 00323 408 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00324 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00325 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00326 408 NtClose (56, ... ) == 0x0 00327 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x870000), 0x0, 921600, ) == 0x0 00328 408 NtClose (64, ... ) == 0x0 00329 408 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00330 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0 00331 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0 00332 408 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00333 408 NtOpenProcessToken (-1, 0x8, ... 68, ) == 0x0 00334 408 NtQueryInformationToken (68, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00335 408 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00336 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 72, ) }, ... 72, ) == 0x0 00337 408 NtQueryValueKey (72, (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (72, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00338 408 NtClose (72, ... ) == 0x0 00339 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00340 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 72, ) == 0x0 00341 408 NtQueryInformationToken (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00342 408 NtClose (72, ... ) == 0x0 00343 408 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00344 408 NtClose (68, ... ) == 0x0 00345 408 NtClose (64, ... ) == 0x0 00346 408 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00347 408 NtClose (56, ... ) == 0x0 00348 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00349 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00350 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00351 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00352 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00353 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00354 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00355 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00356 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00357 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00358 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00359 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00360 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00361 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00362 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... 
) == 0x0 00363 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00364 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00365 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00366 408 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00367 408 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00368 408 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00369 408 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0 00370 408 NtQueryDefaultUILanguage (1239368, ... 00371 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00372 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00373 408 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00374 408 NtClose (-2147482208, ... ) == 0x0 00375 408 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00376 408 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00377 408 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00378 408 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00379 408 NtClose (-2147482196, ... ) == 0x0 00380 408 NtClose (-2147482208, ... ) == 0x0 00370 408 NtQueryDefaultUILanguage ... 
) == 0x0 00381 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00382 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0 00383 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00384 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0 00385 408 NtClose (56, ... ) == 0x0 00386 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x870000), 0x0, 4096, ) == 0x0 00387 408 NtClose (64, ... ) == 0x0 00388 408 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00389 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0 00390 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238560, (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0 00391 408 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0 00392 408 NtClose (64, ... ) == 0x0 00393 408 NtMapViewOfSection (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x870000), {0, 0}, 4096, ) == 0x0 00394 408 NtClose (56, ... ) == 0x0 00395 408 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00396 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00397 408 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0 00398 408 NtMapViewOfSection (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0x870000), 0x0, 4096, ) == 0x0 00399 408 NtQueryInformationFile (56, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00400 408 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00401 408 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 400, 408, 1504, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 400, 408, 1504, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 400, 408, 1504, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ) == 0x0 00402 408 NtClose (56, ... ) == 0x0 00403 408 NtClose (64, ... ) == 0x0 00404 408 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00405 408 NtUnmapViewOfSection (-1, 0x12ebf4, ... 
) == STATUS_NOT_MAPPED_VIEW 00406 408 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00407 408 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00408 408 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00409 408 NtUserGetDC (0, ... ) == 0x1010051 00410 408 NtUserCallOneParam (16842833, 56, ... ) == 0x1 00411 408 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00412 408 NtUserSystemParametersInfo (66, 12, 1240672, 0, ... ) == 0x1 00413 408 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00414 408 NtAccessCheck (1329728, 64, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00415 408 NtClose (64, ... ) == 0x0 00416 408 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0 00417 408 NtQueryValueKey (64, (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00418 408 NtClose (64, ... ) == 0x0 00419 408 NtUserSystemParametersInfo (41, 500, 1240172, 0, ... ) == 0x1 00420 408 NtOpenKey (0x1, {24, 52, 0x40, 0, 0, (0x1, {24, 52, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0 00421 408 NtQueryValueKey (64, (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00422 408 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0 00423 408 NtQueryValueKey (56, (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00424 408 NtClose (56, ... ) == 0x0 00425 408 NtClose (64, ... ) == 0x0 00426 408 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00427 408 NtUserSystemParametersInfo (4130, 0, 1240696, 0, ... 
) == 0x1 00428 408 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 64, ) }, ... 64, ) == 0x0 00429 408 NtEnumerateValueKey (64, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00430 408 NtClose (64, ... ) == 0x0 00431 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00432 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b 00433 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d 00434 408 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00435 408 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f 00436 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00437 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041 00438 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00439 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 00440 408 NtAllocateVirtualMemory (-1, 5603328, 0, 4096, 4096, 32, ... 5603328, 4096, ) == 0x0 00439 408 NtUserRegisterClassExWOW ... ) == 0x810dc043 00441 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045 00442 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00443 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047 00444 408 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00445 408 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049 00446 408 NtUserGetClassInfo (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049 00447 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... 
) == 0x10011 00448 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b 00449 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00450 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d 00451 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00452 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f 00453 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051 00454 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00455 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053 00456 408 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00457 408 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055 00458 408 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057 00459 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00460 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059 00461 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10013 00462 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b 00463 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00464 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d 00465 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00466 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f 00467 408 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00468 408 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... 
) == 0x810dc017 00469 408 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00470 408 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019 00471 408 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10013 00472 408 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018 00473 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00474 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a 00475 408 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00476 408 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c 00477 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00478 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e 00479 408 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00480 408 NtUserRegisterClassExWOW (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b 00481 408 NtUserFindExistingCursorIcon (1239972, 1239988, 1240556, ... ) == 0x10011 00482 408 NtUserRegisterClassExWOW (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068 00483 408 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00484 408 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a 00485 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b 00486 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d 00487 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f 00488 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041 00489 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... 
) == 0xc043 00490 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045 00491 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047 00492 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049 00493 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b 00494 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d 00495 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f 00496 408 NtUserGetClassInfo (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051 00497 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053 00498 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055 00499 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059 00500 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b 00501 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d 00502 408 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f 00503 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00504 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00505 408 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 64, ) == 0x0 00506 408 NtQueryValueKey (64, (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00507 408 NtClose (64, ... ) == 0x0 00508 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00509 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00510 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00511 408 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00512 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0 00513 408 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00514 408 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 408 NtQueryValueKey (64, (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00516 408 NtClose (64, ... ) == 0x0 00517 408 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 64, ) == 0x0 00518 408 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00519 408 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00520 408 NtClose (64, ... ) == 0x0 00521 408 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 64, ) }, ... 64, ) == 0x0 00522 408 NtOpenEvent (0x1f0003, {24, 64, 0x0, 0, 0, (0x1f0003, {24, 64, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00523 408 NtTestAlert (... ) == 0x0 00524 408 NtContinue (1244464, 1, ... 00525 408 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x403aea,}, 4, ... ) == 0x0 00526 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242644, ... ) }, 1242644, ... ) == 0x0 00527 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00528 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 68, ) == 0x0 00529 408 NtClose (56, ... ) == 0x0 00530 408 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 262144, ) == 0x0 00531 408 NtClose (68, ... ) == 0x0 00532 408 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00533 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00534 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00535 408 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 
1331200, 4096, ) == 0x0 00536 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00537 408 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 68, {status=0x0, info=0}, ) }, 7, 16, ... 68, {status=0x0, info=0}, ) == 0x0 00538 408 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220J\311\201\242P\331\323\373N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00539 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00540 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00541 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00542 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00543 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00544 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00545 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
) == STATUS_INFO_LENGTH_MISMATCH 00546 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00547 408 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "!\310\264\372\211\204\255|\367\217N\217\361\25\337\344-\220\214\332JBj\37\313, \344\327t\203\213\205\353\22\213\253o\307\260l\36\31\234\352%)\215u\33RYG\24\231/\23\224\2277\26\373\314\351\324\343\31B\310\206\341\317|\224\302\251\264\352\317\25", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "!\310\264\372\211\204\255|\367\217N\217\361\25\337\344-\220\214\332JBj\37\313, \344\327t\203\213\205\353\22\213\253o\307\260l\36\31\234\352%)\215u\33RYG\24\231/\23\224\2277\26\373\314\351\324\343\31B\310\206\341\317|\224\302\251\264\352\317\25", 80, ... ) , 80, ... ) == 0x0 00548 408 NtClose (-2147482208, ... ) == 0x0 00538 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\345\233-\371\347\264\274>&d'w\5\311\256\3138\6*b\220\324$6\31-\275\325\207\235?*k\371\223anK\200\10\212\240\10J\311VrA'\213\275\374\253\273e\305[[8?!\333\265\220S#c\204\244<\351\317\376\314\264\350\305sx\375\301\265\200\206\337\23>Cu&,\335L\245\307\13\312\210\335\335\237\37\25Q\262\302~\333\351\276\305\261:\207Q\2762\235cS\314=\33j\325\311\34B*\343B\211\237r\243\276\320\236% \320.\36`M\30\271l\267y\22\261\335\220\12\7\345>S\3232\335]\360\216\20\371\310\2733\377\314\213\277\334\11R\15\342s,\204\341\212"m\341\351\213\375\334\267\263]\21\347\32M\341:\3745\220\207\375!\16\3240J\257_\343\315\20\307\17Q\377^y\20\376\355\16\351pVL2\23\363n\345p\275\12\250pl\202W\234$f\273\273*\367(i\303\332x-", ) m\341\351\213\375\334\267\263]\21\347\32M\341:\3745\220\207\375!\16\3240J\257_\343\315\20\307\17Q\377^y\20\376\355\16\351pVL2\23\363n\345p\275\12\250pl\202W\234$f\273\273*\367(i\303\332x-", ) == 0x0 00549 408 NtAllocateVirtualMemory (-1, 1335296, 0, 16384, 4096, 4, ... 
1335296, 16384, ) == 0x0 00550 408 NtUserRegisterClassExWOW (1244728, 1244808, 1244792, 1244824, 0, 384, 0, ... ) == 0x810dc038 00551 408 NtUserGetAtomName (49208, 1243492, ... ) == 0x15 00552 408 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 00553 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0 00554 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00555 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 72, ) == 0x0 00556 408 NtClose (56, ... ) == 0x0 00557 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 204800, ) == 0x0 00558 408 NtClose (72, ... ) == 0x0 00559 408 NtUnmapViewOfSection (-1, 0x890000, ... ) == 0x0 00560 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1241332, ... ) }, 1241332, ... ) == 0x0 00561 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00562 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 72, ... 56, ) == 0x0 00563 408 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00564 408 NtClose (72, ... ) == 0x0 00565 408 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00566 408 NtClose (56, ... ) == 0x0 00567 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00568 408 NtUserCallOneParam (16842834, 56, ... 
) == 0x1 00569 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00570 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 56, ) == 0x0 00571 408 NtQueryInformationToken (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00572 408 NtClose (56, ... ) == 0x0 00573 408 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0 00574 408 NtOpenKey (0x1, {24, 56, 0x40, 0, 0, (0x1, {24, 56, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 72, ) }, ... 72, ) == 0x0 00575 408 NtQueryValueKey (72, (72, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00576 408 NtClose (72, ... ) == 0x0 00577 408 NtClose (56, ... ) == 0x0 00578 408 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00579 408 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 56, ) == 0x0 00580 408 NtQueryInformationToken (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00581 408 NtClose (56, ... ) == 0x0 00582 408 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0 00583 408 NtOpenKey (0x1, {24, 56, 0x40, 0, 0, (0x1, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0 00584 408 NtQueryValueKey (72, (72, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 408 NtClose (72, ... ) == 0x0 00586 408 NtClose (56, ... ) == 0x0 00587 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1240832, ... ) }, 1240832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00588 408 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1240832, ... ) }, 1240832, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00589 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1240832, ... ) }, 1240832, ... ) == 0x0 00590 408 NtUserGetProcessWindowStation (... ) == 0x24 00591 408 NtUserGetObjectInformation (36, 2, 0, 0, 1243128, ... ) == 0x0 00592 408 NtUserGetObjectInformation (36, 2, 1350080, 16, 1243128, ... ) == 0x1 00593 408 NtUserGetGUIThreadInfo (408, 1243084, ... ) == 0x1 00594 408 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1242904, 64, ... 56, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242904, 64, ... 56, 0x0, 0x0, 0x0, 64, ) == 0x0 00595 408 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 400, 408, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 400, 408, 1506, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 400, 408, 1506, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00596 408 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 400, 408, 1507, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 400, 408, 1507, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 400, 408, 1507, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00597 408 NtUserCallNoParam (29, ... 00598 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240376, ... ) }, 1240376, ... ) == 0x0 00597 408 NtUserCallNoParam ... 
) == 0x0 00599 408 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 00600 408 NtGdiHfontCreate (1242456, 356, 0, 0, 1329800, ... ) == 0x170a040b 00601 408 NtGdiHfontCreate (1242456, 356, 0, 0, 1329792, ... ) == 0x80a03d6 00602 408 NtRequestWaitReplyPort (56, {32, 56, new_msg, 0, 0, 0, 0, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 400, 408, 1508, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 400, 408, 1508, 0} (56, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 400, 408, 1508, 0} "\0\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00603 408 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x890000), {0, 0}, 331776, ) == 0x0 00604 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00605 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00606 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00607 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00608 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00609 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00610 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00611 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00612 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00613 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00614 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00615 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00616 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00617 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00618 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00619 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00620 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00621 408 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x2b10040d 00622 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00623 408 NtUserCallNoParam (29, ... 
00624 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239820, ... ) }, 1239820, ... ) == 0x0 00623 408 NtUserCallNoParam ... ) == 0x0 00625 408 NtUserCallNoParam (29, ... 00626 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239816, ... ) }, 1239816, ... ) == 0x0 00625 408 NtUserCallNoParam ... ) == 0x0 00627 408 NtUserMessageCall (0x200b2, WM_NCCREATE, 0x0, 0x12f910, 0, 670, 0, ... ) == 0x1 00628 408 NtUserMessageCall (0x200b2, WM_NCCALCSIZE, 0x0, 0x12f938, 0, 670, 0, ... ) == 0x0 00629 408 NtUserSetProp (131250, 43288, -1, ... ) == 0x1 00552 408 NtUserCreateWindowEx ... ) == 0x200b2 00630 408 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\240P=N\337YQ\16\317~\227\254\214\323(\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00631 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00632 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00633 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00634 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00635 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00636 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 00637 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00638 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00639 408 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "w\367\12\260\250\224\304\226\350`\325\300\267+\272\15\341\355;\214\232\353\315\4%\336\316\307\7\13|\322\207\311\23\326I1r\320\244\257e[6\374&\262\277W\377H)\302\204q\17\274G3\323\17\320F\227%\27\330\276\231\363U\202\252\255\371N\317xH", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "w\367\12\260\250\224\304\226\350`\325\300\267+\272\15\341\355;\214\232\353\315\4%\336\316\307\7\13|\322\207\311\23\326I1r\320\244\257e[6\374&\262\277W\377H)\302\204q\17\274G3\323\17\320F\227%\27\330\276\231\363U\202\252\255\371N\317xH", 80, ... ) , 80, ... ) == 0x0 00640 408 NtClose (-2147482208, ... ) == 0x0 00630 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "gkhbq\303&\336EK0\2201\316V{K\374z\25kr\246\343\261\344`b\340\352\5c\347\20\345\225&d\2513\251\24\16\233n3\5\226\21-\273\351\235)\261PL\247\335\215\257&#\302\312\313\\301\363\6\360\243gs\315E\236G\213@\270\342P1&\364\303K\316\27\347>ahnT\2x.E\216\320\232\343\260\204\366p\347e\24\347\260[q\210}\376Dp{\237f\177\251\27\272\22\31\2\221\376\315\262\254\30v\177EXe\330\33 \266\316/\10T\214\336l\370\31w\210D\331`V\267b;\33\20\6Y\1\333\243\233\335\357\347\361\346\312\277\17\345\275r\256\30\205Q\320\265g\237\260\324\361(\271\301\366[!\225B\22K+7m\350\201T\277z*\352al\267\315\222\31O\236g\323\325\325;|$\35c\252\23[}\2\352\33\367\255\37\364\325d\372`{\253\202\300\234\232\261\357b\225\", ) , ) == 0x0 00641 408 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\240P=N\337YQ\344V\302{#\14Q\335[~\227\254\214\323(\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00642 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00643 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00644 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00645 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00646 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00647 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 
{system info, class 23, size 0}, 0, ) == 0x0 00648 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00649 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00650 408 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\366"kR\340^\210\345c\366z\10"\214\272\214-\240h\315\17j\224#\302\242\263+a\7\24V\300\265L\350\335\205\207\217\324\212\7\312\267\264\312+\341\242\323\315\323\206MS\255\366\232\356\21\15\24\365\33&\301q\206\207\4Wt\255\267\245(\14\241\307", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\366"kR\340^\210\345c\366z\10"\214\272\214-\240h\315\17j\224#\302\242\263+a\7\24V\300\265L\350\335\205\207\217\324\212\7\312\267\264\312+\341\242\323\315\323\206MS\255\366\232\356\21\15\24\365\33&\301q\206\207\4Wt\255\267\245(\14\241\307", 80, ... ) kR\340^\210\345c\366z\10 (-2147482208, "Seed", 0, 3, "\366"kR\340^\210\345c\366z\10"\214\272\214-\240h\315\17j\224#\302\242\263+a\7\24V\300\265L\350\335\205\207\217\324\212\7\312\267\264\312+\341\242\323\315\323\206MS\255\366\232\356\21\15\24\365\33&\301q\206\207\4Wt\255\267\245(\14\241\307", 80, ... ) , 80, ... ) == 0x0 00651 408 NtClose (-2147482208, ... ) == 0x0 00641 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\225\220\325\201\361\35\270\252\325NH&\347k\300-B\3645\253)H\351$\306\,w\314\17\341\335\2630\310\277\221e\64\3251q\3648R\13_\17Z\11\345\267\322\343\214\236\20p\202\213\330\304e\336t\352x0^%W\355\14\325\2443Lk1@\305\253\207\335v=si5\230\336Y\25.\\245[u\354\3\30D \267\347\362\277G\6a\326\227\323><\356{\35\11/a\323\352\351\324Mz\327\343\251\377E((E\33n\36\324\376\206v\256\333\336]%J\334\277\15\6\11e\\12F\321\240\371\24\207D\3637e\6\201nS\17\13\203GW\372\340\10\20\353\343f\231d-\301\224\262\32\364x_:\3328|\0,\244\343-E\277d\376\16, ) , ) == 0x0 00652 408 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\240P=N\337YQ\344V\302{#\14Q7\302\302{#\14Q\335[~\227\254\214\323(\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00653 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00654 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00655 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00656 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00657 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00658 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00659 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 
) == STATUS_INFO_LENGTH_MISMATCH 00660 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00661 408 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\260\217\3644\277Z\340\307<2\330\320o-\363, 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\260\217\3644\277Z\340\307<2\330\320o-\363, 80, ... ) , 80, ... ) == 0x0 00662 408 NtClose (-2147482208, ... ) == 0x0 00652 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\324\341\257#\224\320\272\374`\09\13Du\5\235\354\23\273\257R\2\22\226\5M"!\30\234d9\2Z\216\23\242\236\212\221\277\302F\351?\316q\331&q\376i\253^\377\242\347k\21e~\21\277T\275\32]N\2379/\252\11|\220\3357W\262\2\36\331\13\200\23o\355\5\5\312\227\373(s\261~\216\324Z&\343\314+nQ\322|\330\250\341\252q\330>k\360\232@\2160\21\264g6\3A/`\375\231\254\373\347\355\314\200\330\363\356\233\261\377\251p\273+\202\346\330Y*F\255T\273\14\254\326\351\u5\3767\312/\263\26]\360\177c\356v\233\302aGt\355\336 YTP\323{\10\372\324|\303fb\250\32\1\217\305\21\4/\30\24\3624\251&\345EE\273\330\373s\253\262O\\305l'N,r\301\244\301\2601\350?\352c\228\347\312u?\3\365\10P\351)\303\226\3223\33\254\333vm\211", ) !\30\234d9\2Z\216\23\242\236\212\221\277\302F\351?\316q\331&q\376i\253^\377\242\347k\21e~\21\277T\275\32]N\2379/\252\11|\220\3357W\262\2\36\331\13\200\23o\355\5\5\312\227\373(s\261~\216\324Z&\343\314+nQ\322|\330\250\341\252q\330>k\360\232@\2160\21\264g6\3A/`\375\231\254\373\347\355\314\200\330\363\356\233\261\377\251p\273+\202\346\330Y*F\255T\273\14\254\326\351\u5\3767\312/\263\26]\360\177c\356v\233\302aGt\355\336 YTP\323{\10\372\324|\303fb\250\32\1\217\305\21\4/\30\24\3624\251&\345EE\273\330\373s\253\262O\\305l'N,r\301\244\301\2601\350?\352c\228\347\312u?\3\365\10P\351)\303\226\3223\33\254\333vm\211", ) == 0x0 00663 408 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, 
"\365\336\37\362\254\343\220\240P=N\337YQ\344V\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q\335[~\227\254\214\323(\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00664 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00665 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00666 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00667 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00668 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00669 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00670 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00671 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00672 408 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\205z\377HN\16\205\3772\321kSQ\306\311\14\14\246\251Uo\352pm\327\322 \301^\271\30\325>\357G\320w\235t\30\277\4^\302\201\\300\214XJ#h\335\13\243\362p\4\207\320\275\352r\336\213ofz\216\242E\120ju}\6E2\10", 80, ... 
) , 0, 3, (-2147482208, "Seed", 0, 3, "\205z\377HN\16\205\3772\321kSQ\306\311\14\14\246\251Uo\352pm\327\322 \301^\271\30\325>\357G\320w\235t\30\277\4^\302\201\\300\214XJ#h\335\13\243\362p\4\207\320\275\352r\336\213ofz\216\242E\120ju}\6E2\10", 80, ... ) , 80, ... ) == 0x0 00673 408 NtClose (-2147482208, ... ) == 0x0 00663 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\257\335\250\374Z\37\277\246D\252)b\372wh`,U%\357\334\2500\235\335\353\354\325J\321J4`\3155#j\2\347\276UY\312\320\30.\210\230\12H\203\366\251~\255\240\206\311\24\372;:\221\2\204\211/8\37S:;4N(\361\336\224\3\325F\272a\341\373\216\13\11W\312\262\336\372\252\230\341\202,\265@\325\14\366x\\34dTsM\225^\262\322\374\302\304oyX\33\352\271.\23\217(\37\246kXJRe\326l\242\213\327\313\342\246\346\214\347\213\23U\220\350\316R;\365\10\301\224M\307\233\235\241'&\347\331\346\315\257c\273\325\275d(\303\277\242\315\242H\310\340\16\17z\3059\27"Z\255%NB,\267\314\7}\22VX\341\1\231!&\213l\303\271N\317\362wZ?\311\240\26\330\34;\24\337U\255|L\220\211vi( 8\304<\302\22\311\15S\304\1\257\334\227\223\345\347\310b\336", ) Z\255%NB,\267\314\7}\22VX\341\1\231!&\213l\303\271N\317\362wZ?\311\240\26\330\34;\24\337U\255|L\220\211vi( 8\304<\302\22\311\15S\304\1\257\334\227\223\345\347\310b\336", ) == 0x0 00674 408 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\240P=N\337YQ\344V\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q\335[~\227\254\214\323(\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 
00675 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00676 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00677 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00678 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00679 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00680 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00681 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00682 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00683 408 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\2\227;/NV\13\352rf\276\3103\277\236X-\376\204\273\D\41\350\314\352\216o\334v\375\360\276\220B\367r\242\373\37%\222\237\261\220\11$3\254\254\236\330\204\277\356D\35q\203\331\243\211\232]\220\15\354\202!2\315\4\310[ZJFO\355", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\2\227;/NV\13\352rf\276\3103\277\236X-\376\204\273\D\41\350\314\352\216o\334v\375\360\276\220B\367r\242\373\37%\222\237\261\220\11$3\254\254\236\330\204\277\356D\35q\203\331\243\211\232]\220\15\354\202!2\315\4\310[ZJFO\355", 80, ... ) , 80, ... ) == 0x0 00684 408 NtClose (-2147482208, ... ) == 0x0 00674 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\254\2m\373\205\273\302\256K>c\262\25x`\336\270\2\262m\243\262\2708\336d\253Jn\33\264\277\260|\301\212T\223\200\257\357\232\37\274\22\207\276-\230iO\31L\177\251\273L+\226\230\22\356\300\270\341\353g\217:!\24\16\25G\3163\21\310\204kUfa\377r\244[q\2030\310\214:\320\267.\32l\34\203\302\276]y\370\361\227\221\25\252,\243;\367 \257\210\202fs\341\366L\2635\211\333Pd2\303\367\240\267\364_\203\330\315\233\255%\213z\305\343\341\311\231dQ\372GT\211M\225q\221o\307\351\20E\313As\145\232\260\23<\373\343Q\345>\23\266\274\324X\23\300m2\271\356-\266\325\370\320\344\251?j\343\237\373\362\335\0\305\333\233\14\254\356p6OG\325\264\245\353\222\231c2V\12\233\220/\267$\344\36\337\210\27\350\367\304\233F^\24489\204ie\155\210g\320\364\271", ) , ) == 0x0 00685 408 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\240P=N\337YQ\344V\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q\335[~\227\254\214\323(\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00686 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00687 408 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00688 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00689 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00690 408 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 00691 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00692 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00693 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00694 408 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "<]B\3768\21\344'\16\35\24O\15\255\302\362\307\225\Y\213\365\361\364\225\3473]`\264\255\323\244:\4\332\0P3\344\306\274\376\256\330]\277\35\317\237A\300\245\273E\354\324f=\235\374\262l\22lH3\221\217#\346\33\302\276R\373?\26{\26", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "<]B\3768\21\344'\16\35\24O\15\255\302\362\307\225\Y\213\365\361\364\225\3473]`\264\255\323\244:\4\332\0P3\344\306\274\376\256\330]\277\35\317\237A\300\245\273E\354\324f=\235\374\262l\22lH3\221\217#\346\33\302\276R\373?\26{\26", 80, ... ) , 80, ... ) == 0x0 00695 408 NtClose (-2147482208, ... ) == 0x0 00685 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "j\330\215\246\303y\332\26G\356\216$\303\251\354<\2\2\207\203\307\1\274_\264\343{\354mi<\363M\277m\12\263\332*P\0\17\344\221?O[\3605\204\301\304\20\362\326\245\260\227\14\243\336\366f\25\208\0\302=\233\276v\353Ot\270.v\222V\352\303y\2\205\333\250\306\266\256\357\344\332;\342\207\31\236/#0\247\311\7\365\316\273\232\362\276\35"(F\370\2k\222J\334\267\314o\336xg\353n\272h\272r\300\6\201\371\271\205\11\345QU\331\244<\261\341\307?\301\370\317DYA\251\265>\374\340\13\241\301\366\7\27\300\302\323\322S\213!\356\335\226&\2257g\354\321q\217\22Ba#\336\227>\15I\234\314~{\232$_\25\213+\215\225k\\244\353)\200\216\376!%]\210\234\20\4J\246hu\23{i\215\346\245\23\357P\300\272\242*\205P^\173\206p\235\2118\223\341\4S\24a\1\177", ) (F\370\2k\222J\334\267\314o\336xg\353n\272h\272r\300\6\201\371\271\205\11\345QU\331\244<\261\341\307?\301\370\317DYA\251\265>\374\340\13\241\301\366\7\27\300\302\323\322S\213!\356\335\226&\2257g\354\321q\217\22Ba#\336\227>\15I\234\314~{\232$_\25\213+\215\225k\\244\353)\200\216\376!%]\210\234\20\4J\246hu\23{i\215\346\245\23\357P\300\272\242*\205P^\173\206p\235\2118\223\341\4S\24a\1\177", ) == 0x0 00696 408 NtDeviceIoControlFile (68, 0, 0x0, 0x0, 0x390008, (68, 0, 0x0, 0x0, 0x390008, "\365\336\37\362\254\343\220\240P=N\337YQ\344V\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q7\302\302{#\14Q\335[~\227\254\214\323(\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00697 408 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00698 408 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 00699 408 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00700 408 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00701 408 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00702 408 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00703 408 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00704 408 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0 00705 408 NtSetValueKey (-2147482208, (-2147482208, "Seed", 0, 3, "\305W\225I\226;g,\32\351M\11\304\266\325EO\276\377\22\26,u\252?\344\362SVR\315\5\177V\301\355C\374\3{\237~\17\322\201\305\35Jo\260\245\254y\223\34\320\313j!\301)\371\306\21\230\310\220=\352\1\334\245;/!vU:\276l", 80, ... ) , 0, 3, (-2147482208, "Seed", 0, 3, "\305W\225I\226;g,\32\351M\11\304\266\325EO\276\377\22\26,u\252?\344\362SVR\315\5\177V\301\355C\374\3{\237~\17\322\201\305\35Jo\260\245\254y\223\34\320\313j!\301)\371\306\21\230\310\220=\352\1\334\245;/!vU:\276l", 80, ... ) , 80, ... ) == 0x0 00706 408 NtClose (-2147482208, ... ) == 0x0 00696 408 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "A\336\252\217S)Az3L\7\232\12a\202\310\237\240\235\222\5\314\264\212=\322;\207\332\5YH*\327).'\375\06e\246\366\33\273\212\326\307\26k\304\336\236\364TY\370"\264\343\33\311rM\304{\341\213_\264\240b{\225\300\207\25@\327jS\250\26\302>M$\13}L\336\355\340\27\265\220\32\27EB\355C\247\25\4\302\304g\232\271r+\3548,\34\307\375g3\230\224i\311f2+h\240\344\256V\312\275\267O<\12\205|Bs\30\216#\342\220\314Z\240ufz_5\5\3\366\35\31;=\16\32Z\231\354\264q.2\3475\315\32\321\37>`\3\11=4\246\315\15\302P\313\354\305\31LlH\24<\7\360\236\301\253^\342\21\363S\375\26\224\370\327z4\300\327Fe0_\20\324\322B\361}.b\276\21\11\224\201\23\254\224\354\354"%\204\1\245\261\303\301\222a\22\366:\304\16", ) \264\343\33\311rM\304{\341\213_\264\240b{\225\300\207\25@\327jS\250\26\302>M$\13}L\336\355\340\27\265\220\32\27EB\355C\247\25\4\302\304g\232\271r+\3548,\34\307\375g3\230\224i\311f2+h\240\344\256V\312\275\267O<\12\205|Bs\30\216#\342\220\314Z\240ufz_5\5\3\366\35\31;=\16\32Z\231\354\264q.2\3475\315\32\321\37>`\3\11=4\246\315\15\302P\313\354\305\31LlH\24<\7\360\236\301\253^\342\21\363S\375\26\224\370\327z4\300\327Fe0_\20\324\322B\361}.b\276\21\11\224\201\23\254\224\354\354 ... {status=0x0, info=256}, "A\336\252\217S)Az3L\7\232\12a\202\310\237\240\235\222\5\314\264\212=\322;\207\332\5YH*\327).'\375\06e\246\366\33\273\212\326\307\26k\304\336\236\364TY\370"\264\343\33\311rM\304{\341\213_\264\240b{\225\300\207\25@\327jS\250\26\302>M$\13}L\336\355\340\27\265\220\32\27EB\355C\247\25\4\302\304g\232\271r+\3548,\34\307\375g3\230\224i\311f2+h\240\344\256V\312\275\267O<\12\205|Bs\30\216#\342\220\314Z\240ufz_5\5\3\366\35\31;=\16\32Z\231\354\264q.2\3475\315\32\321\37>`\3\11=4\246\315\15\302P\313\354\305\31LlH\24<\7\360\236\301\253^\342\21\363S\375\26\224\370\327z4\300\327Fe0_\20\324\322B\361}.b\276\21\11\224\201\23\254\224\354\354"%\204\1\245\261\303\301\222a\22\366:\304\16", ) , ) == 0x0 00707 408 NtUserRegisterWindowMessage ( ("ObjectLink", ... ) , ... 
) == 0xc002 00708 408 NtAddAtom ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0I\0n\0t\0e\0r\0f\0a\0c\0e\0", 44, 1244980, ... ) , 44, 1244980, ... ) == 0x0 00709 408 NtAddAtom ( ("O\0l\0e\0D\0r\0o\0p\0T\0a\0r\0g\0e\0t\0M\0a\0r\0s\0h\0a\0l\0H\0w\0n\0d\0", 48, 1244980, ... ) , 48, 1244980, ... ) == 0x0 00710 408 NtUserRegisterWindowMessage ( ("OM_POST_WM_COMMAND", ... ) , ... ) == 0xc08e 00711 408 NtUserRegisterWindowMessage ( ("OLE_MESSAHE", ... ) , ... ) == 0xc08f 00712 408 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00713 408 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 0x0, 128, 3, 2, 16417, 0, 0, ... ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... ) == STATUS_OBJECT_NAME_COLLISION 00714 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp"}, 1244636, ... ) }, 1244636, ... ) == 0x0 00715 408 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1350480, 1351024, 2012550797, 2147347456} (24, {20, 48, new_msg, 0, 1350480, 1351024, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0R\2\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 400, 408, 1509, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ... {20, 48, reply, 0, 400, 408, 1509, 0} (24, {20, 48, new_msg, 0, 1350480, 1351024, 2012550797, 2147347456} "\0\0\0\0\2\0\1\0R\2\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 400, 408, 1509, 0} "\0\0\0\0\2\0\1\0\1\0\0\0\0\0\0\0\1\0\0\0" ) ) == 0x0 00716 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244644, (0x80100080, {24, 0, 0x40, 0, 1244644, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsb1.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... 76, {status=0x0, info=2}, ) }, 0x0, 128, 0, 2, 96, 0, 0, ... 76, {status=0x0, info=2}, ) == 0x0 00717 408 NtClose (76, ... ) == 0x0 00718 408 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\nsb1.tmp"}, 7, 2113600, ... 
76, {status=0x0, info=1}, ) }, 7, 2113600, ... 76, {status=0x0, info=1}, ) == 0x0 00719 408 NtQueryInformationFile (76, 1245016, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER 00720 408 NtSetInformationFile (76, 1245067, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0 00721 408 NtClose (76, ... ) == 0x0 00722 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1244600, ... ) }, 1244600, ... ) == 0x0 00723 408 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244580, (0x80100080, {24, 0, 0x40, 0, 1244580, "\??\u:\work\packed.exe"}, 0x0, 32, 1, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 32, 1, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00724 408 NtQueryInformationFile (76, 1244648, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00725 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS 
mode.\15\15\12$\0\0\0\0\0\0\0\16\23\347\222Jr\211\301Jr\211\301Jr\211\301\311z\326\301Kr\211\301\220Q\225\301Kr\211\301Yz\324\301Hr\211\301\311z\324\301@r\211\301\260Q\220\301Or\211\301Jr\210\301\352r\211\301O~\326\301Cr\211\301\246y\327\301Kr\211\301O~\323\301Kr\211\301RichJr\211\301\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\201f\203B\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0f\0\0\0\366\1\0\0\4\0\0\352:\0\0\0\20\0\0\0\200\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\3\0\0\4\0\0\353!\5\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\14\216\0\0\264\0\0\0\0\360\2\0\0\20\0\0\0\0\0\0\0\0\0\0h\240\4\00\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) , ) == 0x0 00726 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\0f\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 
\0\0`.rdata\0\0r\34\0\0\0\200\0\0\0\36\0\0\0j\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@.data\0\0\0\224\304\1\0\0\240\0\0\0\2\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300.ndata\0\0\0\200\0\0\0p\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\300.rsrc\0\0\0\0\20\0\0\0\360\2\0\0\10\0\0\0\212\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00727 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "U\213\354\203\354\\203}\14\17t+\203}\14F\213E\24u\15\203H\30\20\213\15\340cB\0\211H\4P\377u\20\377u\14\377u\10\377\25`\202@\0\351B\1\0\0SV\2135\350cB\0W\215E\244P\377u\10\377\25d\202@\0\203e\364\0\211E\14\215E\344P\377u\10\377\25h\202@\0\213}\360\203e\360\0\213\35@\200@\0\351\200\0\0\0\17\266FR\17\266VV\17\257U\350\213\317+M\350\17\257\301\3\302\231\367\3773\322\211M\20\212\360\17\266FQ\17\257\301\17\266NU\17\257M\350\3\301\213\312\231\367\377\17\266VT\17\257U\350\212\310\17\266FP\17\257E\20\3\302\231\367\377\301\341\10\17\266\300\13\310\215E\364P\211M\370\377\25D\200@\0\203E\360\4P\211E\24\215E\344P\377u\14\377\25l\202@\0\377u\24\377\323\203E\350\49}\350\17\214w\377\377\377\203~X\377te\377v4\377\25H\200@\0\205\300\211E\24tU\213}\14j\1W\307E\344\20\0\0\0\307E\350\10\0\0\0\377\25L\200@\0\377vXW\377\25P\200@\0\377u\24\2135X\200@\0W\377\326h \10\0\0\211E\14\215E\344Pj\377h\340[B\0W\377\25p\202@\0\377u\14W\377\326\377u\24\377\323\215E\244P\377u\10\377\25t\202@\0_^3\300[\311\302\20\0\213L$\4\241\10dB\0\213\321i\322\30\4\0\0\213T\2\10\366\302\2tUVW\215q\13\377;5\14dB\0sD\213\316i\311\30\4\0\0\215D\1\10S\213\10\366\301\2t\3G\353\36\366\301\4t\11\213\317O\205\311t \353\20\366\301\20u\13\213\3313\332\203\343\13\331\211\30F\5\30\4\0\0;5\14dB\0r\312[_^\302\4\0U\213\354QQ", ) , ) == 0x0 00728 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0W\213=\10dB\0\213D>\103\311\250\2\211M\374\211M\370t\159M\14u\10\203\340\276\211D>\10B;\25\14dB\0sD\213\302i\300\30\4\0\0\215\8\10\213\13\366\301\2\215B\1t\12j\0R\350\244\377\377\377\213\13\366\301\4u(\366\301@t\3\377E\374\366\301\1t\5\377E\374\353\3\377E\370;\5\14dB\0\213\320r\2743\300_^[\311\302\10\0\203}\374\0t\363\203}\370\0\215L>\10t\5\203\11@\353\344\213\21\201\342\177\377\377\377\203\312\1\211\21\353\325j\1j\0\350H\377\377\377\303\213L$\4\241\10dB\0V3\366\203\371 s695\14dB\0v.\215P\10W\213\2\250\6u\243\377G\323\347\205z\374t\5\203\310\1\353\3\203\340\376\211\2F\201\302\30\4\0\0;5\14dB\0r\327_^\302\4\0U\213\354\203\354\14\241\350cB\0\203e\374\0SV\5\224\0\0\0W\213=\14dB\0\211E\370\213E\3703\3339\30tK;\337sE\2135\10dB\0\203\306\10\213\26\366\302\6u(\213E\10\205\300t\6\203<\230\0t\33\213M\3743\300@\323\340\213N\374\203\342\1#\310\213\301\213M\374\323\342;\302u\13C\201\306\30\4\0\0;\337r\306;\337t\15\377E\374\203E\370\4\203}\374 r\237\213E\374_^[\311\302\4\0\203=\204\240@\0\0Vu-3\311j\10\213\301^\213\320\200\342\1\366\332\33\322\201\342 \203\270\355\321\3503\302Nu\352\211\4\215\200\240@\0A\201\371\0\1\0\0|\325\213t$\20\205\366\213D$\10\367\320v\36\213L$\143\322\212\213\320\201\342\377\0\0\0\301\350\103\4\225\200\240@\0ANu\346\367\320^\302\14\0U\213\354SVW\213}\10\205\377\17\214", ) , ) == 0x0 00729 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\213\15\20dB\0\213\307\301\340\5\3\301\213\10\203\371\1\17\204\241\0\0\0\205\35DdB\0t\12\203\371\24t\5\203\371>u3P\350\340\1\0\0\213\360\201\376\377\377\377\177\17\204\204\0\0\0\205\35DdB\0u\27\205\366}\25F\301\346\12\270\0pB\0+\306P\350\31K\0\0\213\360\205\366t\21\205\35DdB\0u\11N\213\307\213\376+\360\353\2FG\203}\14\0t7\241\304[B\0\15\314[B\03\311\205\300\17\224\301j\0\3\310Qh0u\0\0\3775\314[B\0\377\25$\201@\0Ph\2\4\0\0\377u\14\377\25x\202@\0\205\377\17\215G\377\377\3773\300_^[]\302\10\0\270\377\377\377\177\353\362\213D$\4\213\15\350cB\0j\0\377t\201l\350\11\377\377\377\302\4\0h\210\250@\0\377t$\10\350\260;\0\0\302\4\0\241\304\300@\0\3774\210j\0\350\266P\0\0P\350mJ\0\0\303\205\366\213\306}\2\367\330\213\25\304\300@\0\213\310\301\370\4W\203\341\17\3774\212\301\340\12\5\210\244@\0P\350\207P\0\0\205\366\213\370}\6W\350\315J\0\0\213\307_\303U\213\354\201\354\14\1\0\0SVW\215E\374Pj\103\333S\377u\14\377u\10\377\25\10\200@\0;\303uM\2135\4\200@\0\277\5\1\0\0\353\319]\20uBS\215\205\364\376\377\377P\377u\374\350\271\377\377\377\205\300u\22W\215\205\364\376\377\377PS\377u\374\377\326\205\300t\325\377u\374\377\25 \200@\0\377u\14\377u\10\377\25\0\200@\0_^[\311\302\14\0\377u\374\377\25 \200@\03\300@\353\353U\213\354\241\304\300@\0\213@\4\205\300VWt\4\213\370\353\14\213=ddB\0\201\307\1\0\0\200\215E\10P\377u\10j\0j"^", ) ^", ) == 0x0 00730 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\367\330\33\300\367\320#E\10_^]\302\4\0U\213\354\201\354\244\1\0\0\241\340cB\0\203e\364\0\203e\374\0SV\213u\10Wj\10Y\215}\304\363\245\213U\314\213u\310\215M\310\211\15\304\300@\0\213M\304\211E\360\213\332\301\343\12\213\306\301\340\12\203\301\376\201\303\0pB\0\203\371B\215\270\0pB\0\17\207g\33\0\0\377$\215\3441@\0Vh\264\210@\0\350\317J\0\0\213E\310YY\351V\33\0\03\366\350z\376\377\377Ph\244\210@\0\350\263J\0\0YYV\377u\310\350\3739\0\0\351\244\27\0\0\377\5\264[B\0\203}\360\0\17\204\224\27\0\0j\0\377\25\200\201@\0\351\207\27\0\0\205\366}\25\271\0pB\0+\310\201\351\0\4\0\0Q\350\227H\0\0\353\2\213\306\215p\377Vh\230\210@\0\350]J\0\0YYj\0V\350\356\374\377\377\351\337\32\0\0\205\322t)\366\302\10t\17\241\10\240@\0\243@\240@\0\351\274\32\0\0\241@\240@\0\243\10\240@\0\211\25@\240@\0\351\247\32\0\03\366\350\326\375\377\377Ph\210\210@\0\350\17J\0\0YYV\377u\310\350W9\0\0\351\205\32\0\03\311\350\236\375\377\377\213\360Vh|\210@\0\350\353I\0\0\203\376\1YY\177\33\366FV\377\25\260\200@\0\351[\32\0\0hl\210@\0\350\313I\0\0Y\377u\360\377\25$\202@\0\351B\32\0\03\311A\350Z\375\377\377\213M\310\211\4\215`dB\0\351+\32\0\0\213M\320\213U\3243\300\215\14\215`dB\09\1\17\224\300!\21\213D\205\310\351\27\32\0\0\3774\225`dB\0W\351\225\31\0\0\241\300[B\0\205\300\213=(\202@\0t\7RP\377\327\213u\310\241\254[B\0\205\300\17\204\334\31", ) , ) == 0x0 00731 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\360^\350\1\375\377\377\377u\314\213\360VhL\210@\0\3505I\0\0\203\304\14\377u\314V\377\25\254\200@\0\205\300\17\205\246\31\0\0h0\210@\0\307E\374\1\0\0\0\350\17I\0\0\351i\30\0\0j\360^\350\276\374\377\377\377u\314\213\360Vh\24\210@\0\350\362H\0\0\203\304\14\200>\0t\21V\350\231J\0\0\205\300u\7\307E\374\1\0\0\0\203}\314\0t\36j\346\350a\374\377\377Vh\0\310B\0\350rG\0\0V\377\25\250\200@\0\351;\31\0\0j\365\351\336\16\0\03\366\350c\374\377\377\213\360V\350\273H\0\0\205\300t\26\377u\314Vh\350\207@\0\350\215H\0\0\203\304\14\351]\10\0\0\377u\320Vh\264\207@\0\350wH\0\0\203\304\14\213E\320\351\375\30\0\0j\320^\350 \374\377\377j\337^\211E\10\350\25\374\377\377\377u\10\273\210\250@\0S\213\370\350\372F\0\0W\350\372F\0\0\377u\10\213\360\350\360F\0\0\3\360\201\376\375\3\0\0}\22\2135\244\200@\0h\260\207@\0S\377\326WS\377\326Sh\244\207@\0\350\22H\0\0YYW\377u\10\377\25\240\200@\0\205\300t\7j\343\351+\16\0\0\203}\320\0t'\377u\10\350\11H\0\0\205\300t\33W\377u\10\350\353I\0\0j\344\350n\373\377\377Sh\214\207@\0\351'\27\0\0S\307E\374\1\0\0\0hx\207@\0\351\25\27\0\03\366\350q\373\377\377\213\360\215E\10PS\277\0\4\0\0WV\377\25\234\200@\0\205\300t$\213E\10;\306v'\2008\0t"V\350\247G\0\0\205\300t\16\203\300,P\377u\10\350,F\0\0\353\12\307E\374\1\0\0\0\306\3\0\203}\320\0\17\205\353\27\0\0WSS\377\25\230\200@\0\351\335\27\0", ) V\350\247G\0\0\205\300t\16\203\300,P\377u\10\350,F\0\0\353\12\307E\374\1\0\0\0\306\3\0\203}\320\0\17\205\353\27\0\0WSS\377\25\230\200@\0\351\335\27\0", ) == 0x0 00732 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "QWh\0\4\0\0j\0Pj\0\377\25\224\200@\0\205\300\17\205\270\27\0\0\307E\374\1\0\0\0\306\7\0\351\251\27\0\0j\357^\350\327\372\377\377PW\350qD\0\0\205\300\17\205\222\27\0\0\307E\374\1\0\0\0\351\206\27\0\0\203\346\7\366\5EdB\0\4\211u\10u\30j1^\350\245\372\377\377\213\330S\211]\360\350\225E\0\0\351\235\0\0\0j6^\350\215\372\377\377\213\330S\211]\360\350}E\0\0\3775\260\1B\0\213\360\350pE\0\0\215L0\1\270\5\1\0\0;\310r\17\3775\260\1B\0\350XE\0\0\215D0\1P\350\6C\0\0\213\370\205\377\211}\364\17\204\213\23\0\0\3775\260\1B\0W\350/E\0\0SW\377\25\244\200@\0W\350'E\0\0\215t8\377\353\17\200>\t\16VW\377\25,\202@\0\213\360;\367w\355W\306\6\0\350\3H\0\0\205\300\17\204G\23\0\0WS\306\6\\350\355D\0\0\213E\310\301\370\3S\203\340\2P\377u\10h<\207@\0\350$F\0\0\203\304\20S\350\265B\0\0\205\300\276\210\244@\0St\10V\350\274D\0\0\353\30h\0\310B\0V\350\257D\0\0P\350RF\0\0P\377\25\244\200@\0V\350\250D\0\0\273\210\250@\0\277\210\254@\0\203}\10\3|1V\350\361E\0\03\311\205\300t\20\215M\324Q\203\300\24P\377\25\220\200@\0\213\310\213E\10\203\300\375\15\0\0\0\200#\301\367\330\33\300@\211E\10\203}\10\0u\22V\377\25\214\200@\0\203\340\376PV\377\25\254\200@\03\300\203}\10\1\17\225\300@Ph\0\0\0@V\350\252B\0\0\203\370\377\211E\370\17\205\267\0\0\0\203}\10\0uoVh \207@\0\350_E\0\0YYh\0pB\0", ) , ) == 0x0 00733 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\350\370C\0\0\377u\334S\350\251I\0\0Wh\0pB\0\350\344C\0\0\213E\310\301\370\3PS\350SA\0\0\203\350\4u\20h\10\207@\0\350\27E\0\0Y\3510\377\377\377Ht?h\360\206@\0\350\4E\0\0YVj\372\351N\372\377\377\377u\360j\342\350D4\0\0\203}\10\2u\6\377\5hdB\0\377u\10Vh\310\206@\0\350\327D\0\0\203\304\14\351F\25\0\0h\254\206@\0\350\305D\0\0\377\5hdB\0Y\351H\25\0\0\377u\360j\352\350\24\0\0\377\5@\240@\03\333SS\377u\370\377u\320\350y\31\0\0\377\15@\240@\0\213\370VWh\224\206@\0\350\206D\0\0\203\304\14\203}\324\377u\6\203}\330\377t\17\215E\324PSP\377u\370\377\25\210\200@\0\377u\370\377\25\204\200@\0;\373\17\215\316\24\0\0\203\377\376u\24j\351V\350\265H\0\0\377u\360V\377\25\244\200@\0\353\10j\356V\350\241H\0\0Vh\220\206@\0\350+D\0\0YYh\20\0 \0V\350K@\0\0\351\32\21\0\03\366\350\316\367\377\377\213\360Vh\200\206@\0\353Vj1^\350\274\367\377\377\213\360V\377u\310hl\206@\0\350\360C\0\0\203\304\14\377u\310V\350\21@\0\0\205\300\17\204\320\374\377\377;E\320\17\204R\1\0\0;E\330\17\205P\24\0\0\213E\334\351S\24\0\0j\360^\350v\367\377\377\213\360Vh`\206@\0\350\255C\0\0YY\377u\314V\350, ) , ) == 0x0 00734 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\330\17\210\313\23\0\0;\330~\2\213\330\3\363VW\350\347A\0\0\213u\10\205\366\17\204\261\23\0\0}\21W\350\332A\0\0\3\360y\7\203e\10\0\213u\10\201\376\0\4\0\0\17\215\222\23\0\0\306\4>\0\351\211\23\0\0j ^\350\267\366\377\377j1^\213\370\350\255\366\377\377PW\377\25\200\200@\0\205\300ud\351l\372\377\3773\366F\350\224\366\377\377\203}\320\0h\0\4\0\0WPt\21\377\25|\200@\0\205\300u\15\211u\374\210\7\353\6\377\25x\200@\0\306\207\377\3\0\0\0\351.\23\0\03\311\350G\366\377\3773\311A\213\360\350=\366\377\377\203}\334\0u\14;\360|\14\17\216\23\372\377\377\353\22;\360s\10\213E\324\351\12\23\0\0\17\206\377\371\377\377\213E\330\351\374\22\0\03\333C\213\313\350\7\366\377\377j\2Y\213\360\350\375\365\377\377\213\310\213E\324\203\370\14wh\377$\205\3602@\0\3\361\353]+\361\353Y\17\257\316\213\361\353R\205\311tA\213\306\231\367\371\213\360\353E\13\361\353A#\361\353=3\361\35393\300\205\366\17\224\300\353\347\205\366u\16\353\103\366\353&\205\366t\370\205\311t\364\213\363\353\32\205\311t\11\213\306\231\367\371\213\362\353\153\366\211]\374\353\6\323\346\353\2\323\376V\351`\370\377\3773\366F\350\223\365\377\377j\2Y\213\360\350s\365\377\377PVW\377\250\202@\0\3512\13\0\0\213E\320\205\300\2135\200\244@\0tPH\205\366t\12\205\300\2136u\365\205\366u\24\377u\320hD\206@\0\350\226A\0\0YY\351d\10\0\0\215~\4W\276\210\244@\0V\3501@\0\0\241\200\244@\0\203\300\4PW\350"@\0\0\241\200\244@\0V\203\300\4P\351\373\20\0\0\205\322t+\205\366u\20h0", ) @\0\0\241\200\244@\0V\203\300\4P\351\373\20\0\0\205\322t+\205\366u\20h0", ) == 0x0 00735 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\377\377\215F\4PW\350\361?\0\0\213\6\243\200\244@\0V\351\263\21\0\0h\4\4\0\0\350\230=\0\0\377u\310\213\360\215F\4P\350\206E\0\0\241\200\244@\0\211\6\2115\200\244@\0\351\217\21\0\0j3^\350\275\364\377\377jD^\211E\364\350\262\364\377\3773\366F\366E\334\1\211E\10u\13\377u\364\350\12?\0\0\211E\364\366E\334\2u\13\377u\10\350\371>\0\0\211E\10\203}\304!uH\213\316\350g\364\377\377j\2Y\213\360\350]\364\377\377\213M\334\301\371\2t\37\215U\370RQj\0\377u\10\377u\364PV\377\254\202@\0\367\330\33\300@\211E\374\353@\377u\10\377u\364PV\377\25x\202@\0\353-\3507\364\377\377j\22^\213\330\350-\364\377\377\212\10\366\331\33\311#\310\212\3\366\330Q\33\300#\303P\377u\10\377u\364\377\258\202@\0\211E\370\203}\310\0\17\214\314\20\0\0\377u\370\351\277\366\377\3773\311\350\335\363\377\377P\377\25<\202@\0\205\300\17\204\264\367\377\377\213E\314\351\261\20\0\0j\2Y\350\276\363\377\3773\311PA\350\265\363\377\377P\377\25@\202@\0\351t\374\377\377\241(dB\0\3\302Pj\3533\311\350\230\363\377\377P\377\25D\202@\0\351l\20\0\0R\377u\360\377\25@\202@\0\213\370\215E\254PW\377\25h\202@\0\213E\270\17\257E\320j\20P\213E\264\17\257E\320P3\333S3\366\350o\363\377\377PS\377\25H\202@\0PShr\1\0\0W\377\25x\202@\0;\303\17\204\33\20\0\0P\377\25@\200@\0\351\17\20\0\0jHjZ\377u\360\377\25L\202@\0P\377\25<\200@\0Pj\2Y\350\22\363\377\377P\377\25$\201@\0j\3\367\330Y\243\210\300@\0\350\374\362", ) , ) == 0x0 00736 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\330\212\310\200\341\1\210\15\234\300@\0\212\310\200\341\2$\4h\244\300@\0\210\15\235\300@\0\242\236\300@\0\306\5\237\300@\0\1\350\210C\0\0h\210\300@\0\377\25H\200@\0\351~\373\377\3773\311\350\254\362\377\3773\311A\213\360\350\242\362\377\377\203}\320\0\213\370t\13h$\206@\0\350\352>\0\0Y\203}\324\0WVu\13\377\25(\202@\0\351\\17\0\0\377\25P\202@\0\351Q\17\0\03\366\350\200\362\377\377j1^\213\370\350v\362\377\377j"^\213\330\350l\362\377\377SWh\34\206@\0h\210\250@\0\213\360\377\250\202@\0\203\304\20j\354\350'\362\377\377\212\6\377u\324\366\330h\0\310B\0\33\300#\306P\212\7\366\330S\33\300#\307P\377u\360\377\25d\201@\0\203\370!}\26PVSWh\340\205@\0\350[>\0\0\203\304\24\351G\367\377\377VSWh\254\205@\0\350F>\0\0\203\304\20\351\304\16\0\03\366\350\363\361\377\377\213\360Vh\230\205@\0\350*>\0\0YYVj\353\350s-\0\0h\0\310B\0V\350\3129\0\0\205\300\211E\10V\17\204\214\0\0\0h\200\205@\0\350\377=\0\0\203}\320\0YYtrjd\377u\10\377\25t\200@\0\276\2\1\0\0;\306u3\213=T\202@\0\353\12\215E\240P\377\25X\202@\0j\1j\17j\17\215E\240j\0P\377\327\205\300u\344jd\377u\10\377\25t\200@\0;\306t\337\215E\350P\377u\10\377\25p\200@\0\203}\314\0|\13\377u\350S\350\243;\0\0\353\15\203}\350\0t\7\307E\374\1\0\0\0\377u\10\351\336\7\0\0\307E\374\1\0\0\0h\\205@\0\351\305\14\0\0j\2^\350 \361\377\377P\350z=\0\0\213\360\205\366t\21", ) 
^\213\330\350l\362\377\377SWh\34\206@\0h\210\250@\0\213\360\377\250\202@\0\203\304\20j\354\350'\362\377\377\212\6\377u\324\366\330h\0\310B\0\33\300#\306P\212\7\366\330S\33\300#\307P\377u\360\377\25d\201@\0\203\370!}\26PVSWh\340\205@\0\350[>\0\0\203\304\24\351G\367\377\377VSWh\254\205@\0\350F>\0\0\203\304\20\351\304\16\0\03\366\350\363\361\377\377\213\360Vh\230\205@\0\350*>\0\0YYVj\353\350s-\0\0h\0\310B\0V\350\3129\0\0\205\300\211E\10V\17\204\214\0\0\0h\200\205@\0\350\377=\0\0\203}\320\0YYtrjd\377u\10\377\25t\200@\0\276\2\1\0\0;\306u3\213=T\202@\0\353\12\215E\240P\377\25X\202@\0j\1j\17j\17\215E\240j\0P\377\327\205\300u\344jd\377u\10\377\25t\200@\0;\306t\337\215E\350P\377u\10\377\25p\200@\0\203}\314\0|\13\377u\350S\350\243;\0\0\353\15\203}\350\0t\7\307E\374\1\0\0\0\377u\10\351\336\7\0\0\307E\374\1\0\0\0h\\205@\0\351\305\14\0\0j\2^\350 \361\377\377P\350z=\0\0\213\360\205\366t\21", ) == 0x0 00737 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\351\310\363\377\377\306\7\0\306\3\0\3510\366\377\377j\356\215E\254^\211E\10\350\352\360\377\377\215M\300QP\211E\354\350YP\0\0\213\360\205\366\306\7\0\306\3\0\307E\374\1\0\0\0\17\204\220\15\0\0V\350s9\0\0\205\300\211E\350\17\204\177\15\0\0PVj\0\377u\354\350\37P\0\0\205\300t5\215E\354P\215E\10PhX\205@\0\377u\350\350\0P\0\0\205\300t\34\213E\10\377p\10W\350\323:\0\0\213E\10\377p\14S\350\307:\0\0\203e\374\0\377u\350\351,\15\0\03\377Gh\1\200\0\0\211}\374\377\25l\200@\0\203=\220dB\0\0\17\214+\1\0\0j\360^\350B\360\377\377\213\367\211E\10\3508\360\377\377\203}\330\0\211E\370t\20\377u\10\377\25h\200@\0\205\300\211E\364uU\2135d\200@\03\377WW\215E\354Ph\0\4\0\0\377\326\213\35`\200@\0PW\277\0\23\0\0W\377\323\377u\10j\366\350\207+\0\0\377u\354\377u\10h4\205@\0\350$<\0\0\203\304\14\377u\10\377\25\300\200@\0\205\300\211E\364t}3\377G\377u\370\377u\364\377\25,\201@\0\213\3603\333;\363t99]\320\211]\374t\23\377u\320\350\177\357\377\377\377\326\205\300t@\211}\374\353;h\0\240@\0h\200\244@\0h\0pB\0h\0\4\0\0\377u\360\377\326\203\304\24\353\35\377u\370j\367\350\12+\0\0\377u\10\377u\370h\10\205@\0\350\247;\0\0\203\304\149]\324uN\377u\364\377\250\201@\0\353Cj\0j\0\215E\354Ph\0\4\0\0\377\326Pj\0W\377\323j\366\350\15\357\377\377\377u\354\377u\10h\324\204@\0\350h;\0\0\203\304\14\353\22j\347\350\361\356\377\377h\244\204@", ) , ) == 0x0 00738 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\200@\0\351\312\13\0\0j\360^\350\370\356\377\377j\337^\211E\370\350\355\356\377\377j\2^\213\370\350\343\356\377\377j\315^\211E\300\350\330\356\377\377jE^\211E\350\350\315\356\377\377W\211E\354\350\2427\0\0\205\300u\10j!^\350\270\356\377\377\213E\330\213\310\301\371\20Q\17\266\314Q\276\377\0\0\0#\306P\377u\350\377u\300W\377u\370h`\204@\0\350\323:\0\0\203\304 \215E\10Ph\334\215@\0j\1j\0h\354\215@\0\377\25\230\202@\0\205\300\17\214\323\0\0\0\213E\10\213\10\215U\364Rh\374\215@\0P\377\21\213\330\205\333\17\214\253\0\0\0\213E\10\213\10WP\377QP\213\330\213E\10\213\10h\0\310B\0P\377Q$\213M\330\213\301\301\370\10#\306t\15\213M\10\213\21PQ\377R<\213M\330\213E\10\213\20\301\371\20QP\377R4\213M\350\2009\0t\20\213}\330\213E\10\213\20#\376WQP\377RD\213E\10\377u\300\213\10P\377Q,\213E\10\377u\354\213\10P\377Q\343\300;\330|,h\0\4\0\0\276\210\270@\0Vj\377\377u\370f\243\210\270@\0PP\377\254\201@\0\213E\364\213\10j\1VP\377Q\30\213\330\213E\364\213\10P\377Q\10\213E\10\213\10P\377Q\10\205\333}\13\307E\374\1\0\0\0j\360\353\2j\364\350`\355\377\377\351L\12\0\03\366\350{\355\377\377j\21^\213\330\350q\355\377\377\213\360VShD\204@\0\350\2479\0\0\213E\360\203\304\14S\211E\240\307E\244\2\0\0\0\350H8\0\0V\306D\30\1\0\350=8\0\0j\370\277\210\254@\0W\306D0\1\0\350\337=\0\0VW\377\25\244\200@\0f\213E\320Wj\0\211]\250\211u\254\211}\272f\211E\260", ) , ) == 0x0 00739 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\201@\0\205\300\17\204\307\11\0\0j\0j\371\350\213(\0\0\351'\362\377\377\201\376\15\360\255\13t\24h\20\0 \0j\350j\0\350\210=\0\0P\351\364\364\377\377\377\5tdB\0\351\222\11\0\03\366h<\204@\0\273\210\250@\0S\211u\300\211u\350\211u\10\350\2427\0\0S\277\210\254@\0W\350\2267\0\09u\310t\10\350\227\354\377\377\211E\300\203}\314\0t\13j\21^\350\206\354\377\377\211E\350\203}\330\0t\13j"^\350u\354\377\377\211E\10j\315^\350j\354\377\377\213\360VWSh\210\244@\0h\30\204@\0\350\2328\0\0\203\304\24V\377u\10\377u\350\377u\300\377\258\201@\0\351n\361\377\3773\366F\307E\10!N~\0\350/\354\377\377j\22^\213\330\350%\354\377\377j\335^\211E\354\350\32\354\377\377Ph\377\3\0\0W\215E\10P\377u\354S\377\25@\201@\0\213\7;E\10\351\7\361\377\377\203}\330\0uDj\2\350\255\354\377\377\213\370\205\377\17\204\34\361\377\377j3^\350\334\353\377\377\213\360VW\377\25\20\200@\0Vh\210\254@\0\377u\314\213\330h\374\203@\0\350\18\0\0\203\304\20W\377\25 \200@\0\353"^\350\251\353\377\377\213\360V\377u\314h\350\203@\0\350\3357\0\0\213E\314\203\304\14\205\300u\12\241ddB\0\5\1\0\0\200\213M\330\203\341\2QVP\350\257\353\377\377\213\330\205\333\17\2047\10\0\0\351\240\360\377\3773\333;\363t\5\211u\10\353\15\241ddB\0\5\1\0\0\200\211E\10\213E\330\211E\370\213E\334j\2^\211E\354\350<\353\377\377j\21^\211E\364\3501\353\377\377S\215M\350QSj\2SSSP\377u\10\211E\360\307E\374\1\0\0\0\377\25\24\200", ) ^\350u\354\377\377\211E\10j\315^\350j\354\377\377\213\360VWSh\210\244@\0h\30\204@\0\350\2328\0\0\203\304\24V\377u\10\377u\350\377u\300\377\258\201@\0\351n\361\377\3773\366F\307E\10!N~\0\350/\354\377\377j\22^\213\330\350%\354\377\377j\335^\211E\354\350\32\354\377\377Ph\377\3\0\0W\215E\10P\377u\354S\377\25@\201@\0\213\7;E\10\351\7\361\377\377\203}\330\0uDj\2\350\255\354\377\377\213\370\205\377\17\204\34\361\377\377j3^\350\334\353\377\377\213\360VW\377\25\20\200@\0Vh\210\254@\0\377u\314\213\330h\374\203@\0\350\18\0\0\203\304\20W\377\25 
\200@\0\353"\201@\0\205\300\17\204\307\11\0\0j\0j\371\350\213(\0\0\351'\362\377\377\201\376\15\360\255\13t\24h\20\0 \0j\350j\0\350\210=\0\0P\351\364\364\377\377\377\5tdB\0\351\222\11\0\03\366h<\204@\0\273\210\250@\0S\211u\300\211u\350\211u\10\350\2427\0\0S\277\210\254@\0W\350\2267\0\09u\310t\10\350\227\354\377\377\211E\300\203}\314\0t\13j\21^\350\206\354\377\377\211E\350\203}\330\0t\13j"^\350u\354\377\377\211E\10j\315^\350j\354\377\377\213\360VWSh\210\244@\0h\30\204@\0\350\2328\0\0\203\304\24V\377u\10\377u\350\377u\300\377\258\201@\0\351n\361\377\3773\366F\307E\10!N~\0\350/\354\377\377j\22^\213\330\350%\354\377\377j\335^\211E\354\350\32\354\377\377Ph\377\3\0\0W\215E\10P\377u\354S\377\25@\201@\0\213\7;E\10\351\7\361\377\377\203}\330\0uDj\2\350\255\354\377\377\213\370\205\377\17\204\34\361\377\377j3^\350\334\353\377\377\213\360VW\377\25\20\200@\0Vh\210\254@\0\377u\314\213\330h\374\203@\0\350\18\0\0\203\304\20W\377\25 \200@\0\353"^\350\251\353\377\377\213\360V\377u\314h\350\203@\0\350\3357\0\0\213E\314\203\304\14\205\300u\12\241ddB\0\5\1\0\0\200\213M\330\203\341\2QVP\350\257\353\377\377\213\330\205\333\17\2047\10\0\0\351\240\360\377\3773\333;\363t\5\211u\10\353\15\241ddB\0\5\1\0\0\200\211E\10\213E\330\211E\370\213E\334j\2^\211E\354\350<\353\377\377j\21^\211E\364\3501\353\377\377S\215M\350QSj\2SSSP\377u\10\211E\360\307E\374\1\0\0\0\377\25\24\200", ) , ) == 0x0 00740 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\203}\370\1\277\210\254@\0u(j#^\350\365\352\377\377W\350\3525\0\0W\377u\364\213\360\377u\360F\377u\10h\310\203@\0\350\347\0\0\203\304\24\203}\370\4u'j\3Y\350\261\352\377\377j\4^P\377u\364\243\210\254@\0\377u\360\377u\10h\244\203@\0\350\3576\0\0\203\304\24\203}\370\3u(h\0\14\0\0WS\377u\324\350\266\13\0\0\213\360V\377u\364\377u\360\377u\10h|\203@\0\350\3016\0\0\203\304\24VW\377u\354S\377u\364\377u\350\377\25\30\200@\0\205\300u\3\211]\374\377u\350\351\343\0\0\0\377u\360\377u\10hX\203@\0\350\2156\0\0\203\304\14\351\13\7\0\0h\31\0\2\0\350\366\352\377\377j3^\213\330\350-\352\377\3773\366;\336\306\7\0\17\204X\357\377\377\215M\354QW\215M\10QVPS\307E\354\0\4\0\0\377\25\34\200@\03\311A\205\300u.\203}\10\4t\229M\10t\6\203}\10\2u\359u\330t\36\353\319u\330u\7\307E\374\1\0\0\0\3777W\350'4\0\0\353\6\306\7\0\211M\374S\353Sh\31\0\2\0\350~\352\377\377j\3Y\213\360\350\237\351\377\3773\322;\362\306\7\0\17\204\340\356\377\3779U\330\271\377\3\0\0\211M\10t\14QWPV\377\25\4\200@\0\353\21RRRR\215M\10QWPV\377\25\14\200@\0\306\207\377\3\0\0\0V\377\25 \200@\0\3515\6\0\0\200?\0\17\204,\6\0\0W\350\3103\0\0P\377\25\204\200@\0\351\32\6\0\0j\355^\350H\351\377\377\377u\320\377u\314P\350\2562\0\0\203\370\377\17\205\350\361\377\377\306\7\0\351c\356\377\377\203}\320\0t\223\311A\350\7\351\377\377\242\210\250@\03\300@\353", ) , ) == 0x0 00741 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "4\0\0\200?\0\17\2044\356\377\377j\0\215M\10QPh\210\250@\0W\350V3\0\0P\377\25D\201@\0\351\16\356\377\377j\2Y3\366\350\276\350\377\377\203\370\1\211E\370\17\214\222\5\0\0\271\377\3\0\0;\301~\3\211M\370\200?\0\17\204\211\0\0\0W\306E\13\0\350\253\0\0\203}\370\0\213\370~wj\0\215E\354Pj\1\215E\347PW\377\25H\201@\0\205\300t`\203}\354\1uZ\203}\324\0u!\200}\13\15t+\200}\13\12t%\212E\347\210\4\36F\204\300\210E\13t:;u\370|\276\3533\17\266E\347PS\350\2452\0\0\351 \5\0\0\212E\3478E\13t\16<\15t\4<\12u\6\210\4\36F\353\15j\1j\0j\377W\377\25L\201@\0\306\4\36\0\205\366\351Q\355\377\377\200?\0\17\204\340\4\0\0\377u\324j\0j\2Y\350\363\347\377\377PW\350n2\0\0P\377\25L\201@\0\203}\314\0\17\214\273\4\0\0\351J\4\0\0\200?\0\17\204\255\4\0\0W\350I2\0\0P\377\25P\201@\0\351\233\4\0\0\200;\0\17\204\332\354\377\377\215\205\\376\377\377PS\350'2\0\0P\377\25T\201@\0\205\300\17\204\276\354\377\377\215\205\210\376\377\377PW\351|\3\0\0j\2^\350\227\347\377\377\215\215\\376\377\377QP\377\25X\201@\0\203\370\377u\10\306\3\0\351I\376\377\377PS\350\3101\0\0\353\3073\366\307E\300f\375\377\377\350e\347\377\377!u\350\366\5EdB\0\4\213=\244\200@\0\211E\10\17\204\247\0\0\0P\350A2\0\0\3775\260\1B\0\213\360\35042\0\0\215L0\1\270\5\1\0\0;\310r\17\3775\260\1B\0\350\342\0\0\215D0\1P\350\312/\0\0\213\330\205", ) , ) == 0x0 00742 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "S\350\3671\0\0j\\377u\10\350\3033\0\0\205\300t\4@P\353\3\377u\10S\377\327S\350\3371\0\0\215t\30\377\353\17\200>\t\21VS\377\25,\202@\0\213\360;\363\211u\350w\352S\306\6\0\350\2704\0\0\205\300u\12\270\377\377\377\177\351\206\3\0\0S\377u\10\306\6\\350\2321\0\0\377u\10\350{/\0\0\205\300\377u\10\273\210\250@\0t\10S\350\2001\0\0\353\24h\0\304B\0S\350s1\0\0P\350\263\0\0P\377\327S\350p1\0\0j\2h\0\0\0@S\350\324/\0\0\203\370\377\211E\370\17\204\254\0\0\0\241HdB\0P\211E\354\350\373.\0\0\205\300\211E\360\17\204\212\0\0\0j\0\3507\5\0\0\377u\354\377u\360\350\372\4\0\0\377u\320\350\326.\0\0\213\360\205\366\211u\300t9\377u\320Vj\0\377u\314\350/\7\0\0\353\33\213\16\213F\4Q\211M\264\213M\360\203\306\10V\3\301P\350D/\0\0\3u\264\200>\0u\340\377u\300\377\25<\201@\03\366V\215E\234P\377u\354\377u\360\377u\370\377\25D\201@\0\377u\360\377\25<\201@\0VV\377u\370j\377\350\331\6\0\0\211E\300\377u\370\377\25\204\200@\0S\377u\300h8\203@\0\350\3401\0\0\203\304\14\203}\300\0j\363^}\21j\357^S\377\25(\201@\0\307E\374\1\0\0\0V\350R\345\377\377\366\5EdB\0\4\17\204'\2\0\0\213E\350\213u\10h0\203@\0V\306\0\0\377\327\3775\260\1B\0V\377\327h(\203@\0V\377\327\377u\364V\377\327\377u\364V\3504-\0\0\205\300\211E\10Vtuh\10\203@\0\350m1\0\0\213=t\200@\0YYjd\377u\10\377\327\276\2\1\0\0;", ) , ) == 0x0 00743 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "E\240P\377\25X\202@\0j\1j\17j\17\215E\240j\0P\377\323\205\300u\344jd\377u\10\377\327;\306t\343\215E\354P\377u\10\377\25p\200@\0\203}\354\0t\3\377E\374\377u\10\377\25\204\200@\0\351y\1\0\0\377E\374h\314\202@\0\350\3650\0\0YY\351e\1\0\0\205\366t5Rh\264\202@\0\350\3370\0\0\213E\314Ph\240\202@\0\243x?B\0\350\3140\0\0\203\304\20\203}\314\0\17\204E\1\0\0\350W\20\0\0\351;\1\0\03\366F\350i\344\377\377Ph\220\206@\0\350\2420\0\0YY\351!\1\0\03\311\350:\344\377\377\213\370;=\14dB\0\17\203z\351\377\377\213E\320\213\367i\366\30\4\0\0\35\10dB\0\205\300|\27\213\14\206u\17\203\306\30VS\350\23/\0\0\351\343\0\0\0Q\353u\203\311\377+\310\211M\320t\153\311A\350\356\343\377\377\211E\314\353\20\377u\330\215F\30P\350\2424\0\0\200N\11\1\213E\320\213M\314\211\14\206\203}\324\0\17\204\246\0\0\0W\350K\340\377\377\351\233\0\0\03\311\350\264\343\377\377\203\370 \17\203\371\350\377\3773\3119M\324t!9M\320t\15P\350O\341\377\377\350@\341\377\377\353rQ\350\215\341\377\377PS\350\356-\0\0\353c9M\320t\22\213M\314\213\25\350cB\0\211\214\202\224\0\0\0\353L\213\15\350cB\0\377\264\201\224\0\0\0S\350\364\0\0\3537\241\350)B\0j\0#\306Pj\13\377u\360\377\25x\202@\0\203}\310\0t\34j\0j\0\377u\360\377\25\\202@\0\203}\364\0t\11\377u\364\377\25<\201@\0\213E\374\1\5hdB\03\300_^[\311\302\4\0r\26@\0\207\26@\0\251\26@\0\306\26@\0", ) , ) == 0x0 00744 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\323\27@\0\377\27@\0B\30@\0\236\30@\0\220\27@\0\247\27@\0\306\27@\0\340\30@\0\220\31@\0\365\31@\0)\32@\0L\32@\03\35@\0D\35@\0\212\35@\0\257\35@\0\303\35@\0I\36@\0l\36@\0\244\36@\0\341\36@\0m\37@\0\215\37@\0C @\0C @\0\16!@\0,!@\0I!@\0f!@\0\303!@\0?"@\0\201"@\0\16#@\0\340#@\0\20$@\0\240$@\0\10&@\0\206'@\0\31(@\0@(@\0\312(@\0\15)@\0\240)@\0\307*@\0?+@\0\235+@\0\270+@\0\335+@\0*,@\0\351,@\0\34-@\07-@\0i-@\0\225-@\0^0@\0\2610@\071@\0\3221@\0\3221@\0\2331@\0\6\37@\0\12\37@\0\16\37@\0\25\37@\0"\37@\0&\37@\0*\37@\0.\37@\07\37@\0A\37@\0M\37@\0a\37@\0e\37@\0\213D$\10=\20\1\0\0U\213l$\10V\276\23\1\0\0u\33j\0h\372\0\0\0j\1U\377\25\210\201@\0\213D$\30\243\224\301A\0\213\306;\306uw\213\15\220\301A\0\241\230\301A\0;\310|\2\213\310SWPjdQ\377\25$\201@\0\213=0\202@\0\213\330\241\224\301A\0\205\300\276\310\300@\0t%SPV\377\327\203\304\14VU\377\25\204\201@\0Vh\6\4\0\0U\350\257)\0\0j\5U\377\25(\202@\0\366\5@\240@\0\1t\24Sh\300\210@\0V\377\327\203\304\14Vj\0\350\321\34\0\0_[^3\300]\302\20\0U\213\354V\213u\14j\0\215E\14PV\377u\10\3775\14\240@\0\377\25H\201@\0", ) @\0\201 (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\323\27@\0\377\27@\0B\30@\0\236\30@\0\220\27@\0\247\27@\0\306\27@\0\340\30@\0\220\31@\0\365\31@\0)\32@\0L\32@\03\35@\0D\35@\0\212\35@\0\257\35@\0\303\35@\0I\36@\0l\36@\0\244\36@\0\341\36@\0m\37@\0\215\37@\0C @\0C @\0\16!@\0,!@\0I!@\0f!@\0\303!@\0?"@\0\201"@\0\16#@\0\340#@\0\20$@\0\240$@\0\10&@\0\206'@\0\31(@\0@(@\0\312(@\0\15)@\0\240)@\0\307*@\0?+@\0\235+@\0\270+@\0\335+@\0*,@\0\351,@\0\34-@\07-@\0i-@\0\225-@\0^0@\0\2610@\071@\0\3221@\0\3221@\0\2331@\0\6\37@\0\12\37@\0\16\37@\0\25\37@\0"\37@\0&\37@\0*\37@\0.\37@\07\37@\0A\37@\0M\37@\0a\37@\0e\37@\0\213D$\10=\20\1\0\0U\213l$\10V\276\23\1\0\0u\33j\0h\372\0\0\0j\1U\377\25\210\201@\0\213D$\30\243\224\301A\0\213\306;\306uw\213\15\220\301A\0\241\230\301A\0;\310|\2\213\310SWPjdQ\377\25$\201@\0\213=0\202@\0\213\330\241\224\301A\0\205\300\276\310\300@\0t%SPV\377\327\203\304\14VU\377\25\204\201@\0Vh\6\4\0\0U\350\257)\0\0j\5U\377\25(\202@\0\366\5@\240@\0\1t\24Sh\300\210@\0V\377\327\203\304\14Vj\0\350\321\34\0\0_[^3\300]\302\20\0U\213\354V\213u\14j\0\215E\14PV\377u\10\3775\14\240@\0\377\25H\201@\0", ) \37@\0&\37@\0*\37@\0.\37@\07\37@\0A\37@\0M\37@\0a\37@\0e\37@\0\213D$\10=\20\1\0\0U\213l$\10V\276\23\1\0\0u\33j\0h\372\0\0\0j\1U\377\25\210\201@\0\213D$\30\243\224\301A\0\213\306;\306uw\213\15\220\301A\0\241\230\301A\0;\310|\2\213\310SWPjdQ\377\25$\201@\0\213=0\202@\0\213\330\241\224\301A\0\205\300\276\310\300@\0t%SPV\377\327\203\304\14VU\377\25\204\201@\0Vh\6\4\0\0U\350\257)\0\0j\5U\377\25(\202@\0\366\5@\240@\0\1t\24Sh\300\210@\0V\377\327\203\304\14Vj\0\350\321\34\0\0_[^3\300]\302\20\0U\213\354V\213u\14j\0\215E\14PV\377u\10\3775\14\240@\0\377\25H\201@\0", ) == 0x0 00745 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\353\23\300^]\302\10\0j\0j\0\377t$\14\3775\14\240@\0\377\25L\201@\0\302\4\0\203\354$SUVW3\377\211|$\20\377\25\264\200@\0\2135\240\1B\0+5\254\1B\0\213\330\3t$8\201\303\364\1\0\0;\367\17\216\276\1\0\0\3775\250\1B\0\350\253\377\377\377WW\3775\254\1B\0\3775\20\240@\0\377\25L\201@\0\2115\230\301A\0\211=\220\301A\0\241\244\1B\0+\5\250\1B\0\275\0@\0\0;\305\177\2\213\350U\276\240\301A\0V\3507\377\377\377\205\300\17\204u\1\0\0\1-\250\1B\0\2115 AA\0\211-$AA\09=\350cB\0\17\204\200\0\0\09=\200dB\0ux9|$\20t?\241\230\301A\0+\5\240\1B\0\2135T\202@\0+D$8\3\5\254\1B\0\243\220\301A\0\353\13\215D$\30P\377\25X\202@\0j\1WW\215D$$WP\377\326\205\300u\345\3533\377\25\264\200@\0;\303v)\241\340cB\0\367\330\33\300\367\320%\314\210@\0Ph$3@\0Wjo\3775\344cB\0\377\25\220\201@\0\211D$\20h\10AA\0\307\5(AA\0\220AA\0\307\5,AA\0\0\200\0\0\350\2334\0\0\205\300Y\17\214\271\0\0\0\2135(AA\0\270\220AA\0+\360t:W\215L$\30QVP\3775\20\240@\0\377\25D\201@\0\205\300\17\204\212\0\0\0;t$\24\17\205\200\0\0\0\15\254\1B\09=$AA\0\17\205\6\377\377\377\353\149=$AA\0uh;\357td\241\240\1B\0\213\310+\15\254\1B\0\3L$8\205\311\17\217\243\376\377\377WWP\3775\20\240@\0\377\25L\201@\0\213t$\20;\367t\37\241\230", ) , ) == 0x0 00746 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\220\301A\0\377\25x\202@\0V\377\25\214\201@\03\300_^][\203\304$\302\4\0\203\310\377\353\361j\376\353\2j\375X\353\350U\213\354QQ\213E\10VW3\377;\307|\34\213\158dB\0W\3\301WP\3775\20\240@\0\243\240\1B\0\377\25L\201@\0j\4^V\350\300\375\377\377;\307\17\214\350\0\0\0S\213\35H\201@\0W\215E\374PV\215E\10P\3775\20\240@\0\377\323\205\300\17\204\303\0\0\09u\374\17\205\272\0\0\0\377u\10\15\240\1B\0\350\200\375\377\377;\307\211E\370\17\214\244\0\0\09}\20uk9}\10\17\216\216\0\0\0\276\240\301A\0\277\0@\0\09}\10}\3\213}\10j\0\215E\374PWV\3775\20\240@\0\377\323\205\300tm;}\374uhj\0\215E\24P\377u\374V\377u\14\377\25D\201@\0\205\300t\349}\24u\27\213E\374\1E\370)E\10\1\5\240\1B\0\203}\10\0\177\251\3530j\376\3533\213E\10;E\24|\3\213E\24W\215M\374QP\377u\20\3775\20\240@\0\377\323\205\300t\21\213E\374\1\5\240\1B\0\211E\370\213E\370\353\3j\375X[_^\311\302\20\0U\213\354\201\354L\1\0\0SV3\333W\211]\374\377\25\264\200@\0h\0\4\0\0\276\0\314B\0V\3775\344cB\0\5\350\3\0\0\211E\370\211]\364\211]\360\377\25\\201@\0j\3h\0\0\0\200V\350\333&\0\0\213\370\203\377\377\211=\14\240@\0u\12\270\200\212@\0\351\245\2\0\0V\350K*\0\0SW\377\25\274\200@\0;\303\243\230\301A\0\213\360\17\216\36\1\0\0\241HdB\0\367\330\33\300%\0~\0\0\5\0\2\0\0;\360\213\376|\2\213\370Wh\10\301@\0", ) , ) == 0x0 00747 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\09\35HdB\0u{j\34h\10\301@\0\215E\324P\350A&\0\0\213M\324\367\301\340\377\377\377\17\205\222\0\0\0\201}\330\357\276\255\336\17\205\205\0\0\0\201}\344Instu|\201}\340softus\201}\334Nulluj\213E\354;\306\17\217\233\1\0\0\11M\10\366E\10\10\213\25\220\301A\0\211\25HdB\0u\6\366E\10\4um\377E\360\215p\374;\376v:\213\376\3536\366E\10\2u09]\374\17\205\372\0\0\0\377\25\264\200@\0;E\370v\34hd\212@\0h$3@\0Sjo\3775\344cB\0\377\25\220\201@\0\211E\374;5\230\301A\0}\21Wh\10\301@\0\377u\364\350\256\332\377\377\211E\364\1=\220\301A\0+\367;\363\17\217\360\376\377\3779]\374t\11\377u\374\377\25\214\201@\09\35HdB\0\17\204\371\0\0\09]\360t*\3775\220\301A\0\350\374\372\377\377j\4\215E\370P\350\277\372\377\377\205\300\17\204\326\0\0\0\213E\364;E\370\17\205\312\0\0\0\377u\350\350\207$\0\0h\10AA\0\213\360\350\2330\0\0\215\205\264\376\377\377\307\4$\0\324B\0P\350V%\0\0Sh\0\1\0\4j\2SSh\0\0\0\300\215\205\264\376\377\377P\377\25\270\200@\0\203\370\377\243\20\240@\0u<\270 \212@\0\351\330\0\0\0\215E\270P\377\25X\202@\0j\1SS\215E\270SP\377\25T\202@\0\205\300u\343\351\25\377\377\3779]\374tL\377u\374\377\25\214\201@\0\353A\241HdB\0\203\300\34P\350F\372\377\377\213M\324\377u\350\367\321\203\341\4\243\250\1B\0+\301\213M\354VS\215D\10\344j\377\243\244\1B\0\350A\374\377\377;E\350t\16V\377\25<\201", ) , ) == 0x0 00748 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\2115\350cB\0t\3\203\16\10\213\6\203\340\30\366E\10\20\243\200dB\0t\4\200N\1\4\366E\324\1\213\6\243DdB\0t\6\377\5@dB\0j\10\215FDY\203\350\10\10Iu\370\241\240\1B\0\211F\243\344cB\0u\12\306D$\20"\276\1\300B\0\377t$\20V\350!"\0\0P\377\25\230\201@\0\213\360\211t$\30\351\21\1\0\0< u\6F\200> t\372\200>"\306D$\20 u\6F\306D$\20"\200>/\17\205\334\0\0\0F\212\6243\344cB\0u\12\306D$\20 (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\2\2115\350cB\0t\3\203\16\10\213\6\203\340\30\366E\10\20\243\200dB\0t\4\200N\1\4\366E\324\1\213\6\243DdB\0t\6\377\5@dB\0j\10\215FDY\203\350\10\10Iu\370\241\240\1B\0\211F\243\344cB\0u\12\306D$\20"\276\1\300B\0\377t$\20V\350!"\0\0P\377\25\230\201@\0\213\360\211t$\30\351\21\1\0\0< u\6F\200> t\372\200>"\306D$\20 u\6F\306D$\20"\200>/\17\205\334\0\0\0F\212\60\0P\377\25\230\201@\0\213\360\211t$\30\351\21\1\0\0< u\6F\200> t\372\200> (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\2115\350cB\0t\3\203\16\10\213\6\203\340\30\366E\10\20\243\200dB\0t\4\200N\1\4\366E\324\1\213\6\243DdB\0t\6\377\5@dB\0j\10\215FDY\203\350\10\10Iu\370\241\240\1B\0\211F\243\344cB\0u\12\306D$\20"\276\1\300B\0\377t$\20V\350!"\0\0P\377\25\230\201@\0\213\360\211t$\30\351\21\1\0\0< u\6F\200> t\372\200>"\306D$\20 u\6F\306D$\20"\200>/\17\205\334\0\0\0F\212\6200>/\17\205\334\0\0\0F\212\616\212N\1\200\311 \200\371 u\3\203\317\2\201", ) == 0x0 00749 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, " \200\371 u\3\203\317\4\201~\376 /D=\17\204\27\1\0\0\211|$\34u\11\210L$\20\203\306\3\353\30\200\371 \17\204\261\0\0\0\204\311\17\204\251\0\0\0\306D$\20 \213\360\377t$\20V\350_!\0\0\205\300\17\204\316\0\0\0+\306@@U\213\370\350"u\1F\212\6\204\300\17\205\345\376\377\377W\350z\372\377\377\213\3303\355;\335\17\205\274\0\0\09-@dB\0\17\204\231\0\0\0\213|$\30UW\350\313 \0\0\213\360\353UU\350\262 \0\0\205\300\243\260\1B\0t\20ht\213@\0P\350\340"\0\0\241\260\1B\0j\0P\377\25\304\200@\0\353\237\306F\376\0\203\306\2Vh\0\304B\0\350\276"\0\0\353\225\273 \213@\0\353\\273\20\213@\0\353U\201> _?=t\5N;\367s\363;\367\273\200\212@\0rd\306\6\0\203\306\4V\350\274$\0\0\205\300t/Vh\0\304B\0\350}"\0\0Vh\0\310B\0\350r"\0\03\333\203\15\214dB\0\377\350\301\34\0\0j\1\211D$\30\350\11#\0\0\350\355\374\377\377\377\25\220\202@\0\205\333\17\204\23\1\0\0h\20\0 \0S\350\267\37\0\0j\2\351\275\1\0\0\211l$\20\277\271\1B\0\276\270\1B\0\275\270\11B\0h\0\324B\0W\306\5\270\1B\0"\350\17"\0\0h\24\240@\0V", ) \211|$\34u\11\210L$\20\203\306\3\353\30\200\371 \17\204\261\0\0\0\204\311\17\204\251\0\0\0\306D$\20 \213\360\377t$\20V\350_!\0\0\205\300\17\204\316\0\0\0+\306@@U\213\370\3500\0\205\300\243\260\1B\0\17\204\274\0\0\0;\375v\2\213\375OWVP\377\323\3775\260\1B\0\350\3%\0\0j\0\3775\260\1B\0\377\25\304\200@\0\213|$\34\306D$\20/\377t$\20V\350\6!\0\0\213\360\200> (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, " \200\371 u\3\203\317\4\201~\376 /D=\17\204\27\1\0\0\211|$\34u\11\210L$\20\203\306\3\353\30\200\371 \17\204\261\0\0\0\204\311\17\204\251\0\0\0\306D$\20 \213\360\377t$\20V\350_!\0\0\205\300\17\204\316\0\0\0+\306@@U\213\370\350"u\1F\212\6\204\300\17\205\345\376\377\377W\350z\372\377\377\213\3303\355;\335\17\205\274\0\0\09-@dB\0\17\204\231\0\0\0\213|$\30UW\350\313 \0\0\213\360\353UU\350\262 \0\0\205\300\243\260\1B\0t\20ht\213@\0P\350\340"\0\0\241\260\1B\0j\0P\377\25\304\200@\0\353\237\306F\376\0\203\306\2Vh\0\304B\0\350\276"\0\0\353\225\273 \213@\0\353\\273\20\213@\0\353U\201> _?=t\5N;\367s\363;\367\273\200\212@\0rd\306\6\0\203\306\4V\350\274$\0\0\205\300t/Vh\0\304B\0\350}"\0\0Vh\0\310B\0\350r"\0\03\333\203\15\214dB\0\377\350\301\34\0\0j\1\211D$\30\350\11#\0\0\350\355\374\377\377\377\25\220\202@\0\205\333\17\204\23\1\0\0h\20\0 \0S\350\267\37\0\0j\2\351\275\1\0\0\211l$\20\277\271\1B\0\276\270\1B\0\275\270\11B\0h\0\324B\0W\306\5\270\1B\0"\350\17"\0\0h\24\240@\0V", ) \0\0\241\260\1B\0j\0P\377\25\304\200@\0\353\237\306F\376\0\203\306\2Vh\0\304B\0\350\276 (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, " \200\371 u\3\203\317\4\201~\376 /D=\17\204\27\1\0\0\211|$\34u\11\210L$\20\203\306\3\353\30\200\371 \17\204\261\0\0\0\204\311\17\204\251\0\0\0\306D$\20 \213\360\377t$\20V\350_!\0\0\205\300\17\204\316\0\0\0+\306@@U\213\370\350"u\1F\212\6\204\300\17\205\345\376\377\377W\350z\372\377\377\213\3303\355;\335\17\205\274\0\0\09-@dB\0\17\204\231\0\0\0\213|$\30UW\350\313 \0\0\213\360\353UU\350\262 \0\0\205\300\243\260\1B\0t\20ht\213@\0P\350\340"\0\0\241\260\1B\0j\0P\377\25\304\200@\0\353\237\306F\376\0\203\306\2Vh\0\304B\0\350\276"\0\0\353\225\273 \213@\0\353\\273\20\213@\0\353U\201> _?=t\5N;\367s\363;\367\273\200\212@\0rd\306\6\0\203\306\4V\350\274$\0\0\205\300t/Vh\0\304B\0\350}"\0\0Vh\0\310B\0\350r"\0\03\333\203\15\214dB\0\377\350\301\34\0\0j\1\211D$\30\350\11#\0\0\350\355\374\377\377\377\25\220\202@\0\205\333\17\204\23\1\0\0h\20\0 \0S\350\267\37\0\0j\2\351\275\1\0\0\211l$\20\277\271\1B\0\276\270\1B\0\275\270\11B\0h\0\324B\0W\306\5\270\1B\0"\350\17"\0\0h\24\240@\0V", ) \0\0Vh\0\310B\0\350r (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, " \200\371 u\3\203\317\4\201~\376 /D=\17\204\27\1\0\0\211|$\34u\11\210L$\20\203\306\3\353\30\200\371 \17\204\261\0\0\0\204\311\17\204\251\0\0\0\306D$\20 \213\360\377t$\20V\350_!\0\0\205\300\17\204\316\0\0\0+\306@@U\213\370\350"u\1F\212\6\204\300\17\205\345\376\377\377W\350z\372\377\377\213\3303\355;\335\17\205\274\0\0\09-@dB\0\17\204\231\0\0\0\213|$\30UW\350\313 \0\0\213\360\353UU\350\262 \0\0\205\300\243\260\1B\0t\20ht\213@\0P\350\340"\0\0\241\260\1B\0j\0P\377\25\304\200@\0\353\237\306F\376\0\203\306\2Vh\0\304B\0\350\276"\0\0\353\225\273 \213@\0\353\\273\20\213@\0\353U\201> _?=t\5N;\367s\363;\367\273\200\212@\0rd\306\6\0\203\306\4V\350\274$\0\0\205\300t/Vh\0\304B\0\350}"\0\0Vh\0\310B\0\350r"\0\03\333\203\15\214dB\0\377\350\301\34\0\0j\1\211D$\30\350\11#\0\0\350\355\374\377\377\377\25\220\202@\0\205\333\17\204\23\1\0\0h\20\0 \0S\350\267\37\0\0j\2\351\275\1\0\0\211l$\20\277\271\1B\0\276\270\1B\0\275\270\11B\0h\0\324B\0W\306\5\270\1B\0"\350\17"\0\0h\24\240@\0V", ) \350\17 (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, " \200\371 u\3\203\317\4\201~\376 /D=\17\204\27\1\0\0\211|$\34u\11\210L$\20\203\306\3\353\30\200\371 \17\204\261\0\0\0\204\311\17\204\251\0\0\0\306D$\20 \213\360\377t$\20V\350_!\0\0\205\300\17\204\316\0\0\0+\306@@U\213\370\350"u\1F\212\6\204\300\17\205\345\376\377\377W\350z\372\377\377\213\3303\355;\335\17\205\274\0\0\09-@dB\0\17\204\231\0\0\0\213|$\30UW\350\313 \0\0\213\360\353UU\350\262 \0\0\205\300\243\260\1B\0t\20ht\213@\0P\350\340"\0\0\241\260\1B\0j\0P\377\25\304\200@\0\353\237\306F\376\0\203\306\2Vh\0\304B\0\350\276"\0\0\353\225\273 \213@\0\353\\273\20\213@\0\353U\201> _?=t\5N;\367s\363;\367\273\200\212@\0rd\306\6\0\203\306\4V\350\274$\0\0\205\300t/Vh\0\304B\0\350}"\0\0Vh\0\310B\0\350r"\0\03\333\203\15\214dB\0\377\350\301\34\0\0j\1\211D$\30\350\11#\0\0\350\355\374\377\377\377\25\220\202@\0\205\333\17\204\23\1\0\0h\20\0 \0S\350\267\37\0\0j\2\351\275\1\0\0\211l$\20\277\271\1B\0\276\270\1B\0\275\270\11B\0h\0\324B\0W\306\5\270\1B\0"\350\17"\0\0h\24\240@\0V", ) , ) == 0x0 00750 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\205\333\17\204\247\0\0\0h\0\4\0\0U\3775\344cB\0\377\25\\201@\0h\25\240@\0\215\200\255\11B\0P\377\25\200\200@\0\205\300\17\204o\377\377\377j\0WU\377\25\320\200@\0\205\300tmj\0W\350\14%\0\0\200=\0\304B\0\0t\15h\0\304B\0U\350\236!\0\0\353\6U\350\240#\0\0h\14\213@\0V\377\25\244\200@\0\377t$\30V\377\25\244\200@\0h\4\213@\0V\377\25\244\200@\0UV\377\25\244\200@\0V\350\16#\0\0h\0\324B\0V\350^\36\0\0\205\300t\11P\377\25\204\200@\03\333\376\5\24\240@\0\377D$\20\203|$\20\32\17\214\27\377\377\377\351\332\376\377\377\203=tdB\0\0\17\204\235\0\0\0h\364\212@\0\377\25h\200@\0\213\3703\333;\373tv\2135,\201@\0h\340\212@\0W\377\326h\310\212@\0W\211D$ \377\326h\260\212@\0W\213\350\377\3269\$\30\213\360tJ;\353tF;\363tB\215D$\34Pj(\377\25\314\200@\0P\377T$$\205\300t,\215D$$Ph\234\212@\0S\377\325SSS\215D$,PS\377t$0\307D$8\1\0\0\0\307D$D\2\0\0\0\377\326Sj\2\377\25\224\201@\0\205\300u\7j\11\350U\325\377\377\241\214dB\0\203\370\377t\4\211D$\24\377t$\24\377\25\310\200@\0\314\203|$\4xu\6\377\5\264[B\0j\0\377t$\10h\10\4\0\0\3775\340cB\0\377\25x\202@\0\302\4\0\377t$\14j\0\350\370%\0\0P\213D$\14\5\350\3\0\0P\377t$\14\350\204\35\0\0\302\14\0\203=ldB\0\0\241\310\21B\0u\5\241\330)B\0j\1j\1h\364\0\0\0P\377", ) , ) == 0x0 00751 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\330)B\0\377\25P\202@\0\302\4\0j\1\377t$\10j(\3775\340cB\0\377\25x\202@\0\302\4\0\241\250[B\0\205\300t\17j\0j\0\377t$\14P\377\25x\202@\0\302\4\0U\213\354\203\354\14\5\315\376\377\377\203\370\5V\17\207\216\0\0\0j\353\377u\14\377\25\240\201@\0\213\360\205\366t}\366F\24\2\213\6W\213=\234\201@\0t\3P\377\327\366F\24\1t\12P\377u\10\377\25P\200@\0\377v\20\377u\10\377\25L\200@\0\366F\24\10\213F\4\211E\370t\6P\377\327\211E\370\366F\24\4_t\12P\377u\10\377\25T\200@\0\366F\24\20t!\213F\10\211E\364\213F\14\205\300t\7P\377\25@\200@\0\215E\364P\377\25D\200@\0\211F\14\213F\14\353\23\300^\311\302\10\0h\240\213@\0h\0\304B\0h\200WB\0\350\0\37\0\0P\350\243 \0\0P\377\25\244\200@\0\303\200=\0\320B\0\0SUVW\277\377\377\0\0\273\0\320B\0t\10S\350L\36\0\0\353\6\377\25\344\200@\03\311\2135$dB\0\205\366tI\213\15\350cB\0\213Id\213\321\17\257\316\367\332\3\15 dB\03\355\3\312f\213)f3\350N#\357f\205\355t\6\205\366u\352\353\33\213Q\2\211\25\274[B\0\213Q\6\211\25\210dB\0\215Q\12\211\25\310[B\0\203=\310[B\0\0u\22f\201\377\377\377u\7\277\377\3\0\0\353\2263\377\353\222\17\267\1PS\350\261\35\0\0j\376h\340[B\0\350\1$\0\0P\3775\324\21B\0\377\25\204\201@\0\241\14dB\0\205\300\2135\10dB\0t\33\213\370\213\6\205\300t\12P\215F\30P\350\323#\0\0\201\306\30\4\0\0Ou\347_^][\303U\213", ) , ) == 0x0 00752 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "u\34\377u\24h\373\3\0\0\350N\33\0\0\377u\24j\1hf\4\0\0\377u\10\377\326\203}\14\2u-\377u\24\377u\20\377\25x\201@\0\205\300t\16j\7\350\216\322\377\377\205\300u\3@\353\23\300Pj\0he\4\0\0\377u\10\377\3263\300^]\302\20\0U\213\354\377u\20\213E\10\213\15\270\15B\0\3\310Q\377u\14\377\25\324\200@\0\377u\14\350\210\35\0\0\213M\24\1\5\270\15B\0\211\13\300]\302\20\0U\213\354\203\354\14\201}\14\20\1\0\0SVW\17\205\12\1\0\0\213]\24\213{0\205\377}\21\213\15\310[B\0\215\4\275\4\0\0\0+\310\2139\241\30dB\0\377s4\3\370\17\276\7\203e\370\0\211E\24\213C\24\213\360\301\356\5\367\326j"\377u\10\13\360G\211}\364\307E\374XB@\0\203\346\1\350\277\374\377\377\377s8j#\377u\10\350\262\374\377\3773\300\205\366\17\224\300j\1\5\12\4\0\0P\377u\10\377\25\254\201@\0V\350\332\374\377\377h\350\3\0\0\377u\10\377\25@\202@\0\213\330S\350\327\374\377\377\2135x\202@\0j\0j\1h[\4\0\0S\377\326\241\350cB\0\213@h\205\300}\11\367\330P\377\25\234\201@\0Pj\0hC\4\0\0S\377\326h\0\0\1\4j\0hE\4\0\0S\377\326\203%\270\15B\0\0W\350\177\34\0\0Pj\0h5\4\0\0S\377\326\215E\364P\377u\24hI\4\0\0S\377\326\203%\344)B\0\03\300\351~\1\0\0\201}\14\21\1\0\0\213=@\202@\0\213\35x\202@\0uZ\213E\20\301\350\20f\205\300\17\205K\1\0\03\3009\5\344)B\0\17\205=\1\0\0\2135\334)B\0\203\306\24\366\6 \17\204+\1\0\0PPh\360", ) \377u\10\13\360G\211}\364\307E\374XB@\0\203\346\1\350\277\374\377\377\377s8j#\377u\10\350\262\374\377\3773\300\205\366\17\224\300j\1\5\12\4\0\0P\377u\10\377\25\254\201@\0V\350\332\374\377\377h\350\3\0\0\377u\10\377\25@\202@\0\213\330S\350\327\374\377\377\2135x\202@\0j\0j\1h[\4\0\0S\377\326\241\350cB\0\213@h\205\300}\11\367\330P\377\25\234\201@\0Pj\0hC\4\0\0S\377\326h\0\0\1\4j\0hE\4\0\0S\377\326\203%\270\15B\0\0W\350\177\34\0\0Pj\0h5\4\0\0S\377\326\215E\364P\377u\24hI\4\0\0S\377\326\203%\344)B\0\03\300\351~\1\0\0\201}\14\21\1\0\0\213=@\202@\0\213\35x\202@\0uZ\213E\20\301\350\20f\205\300\17\205K\1\0\03\3009\5\344)B\0\17\205=\1\0\0\2135\334)B\0\203\306\24\366\6 \17\204+\1\0\0PPh\360", ) == 0x0 00753 408 
NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\327P\377\323\213\16\203\340\1\203\341\376\13\310P\211\16\350\344\373\377\377\350\273\373\377\377\203}\14N\17\205\347\0\0\0h\350\3\0\0\377u\10\377\327\213M\24\201y\10\13\7\0\0\17\205\210\0\0\0\201y\14\1\2\0\0\2135\250\201@\0\213=\244\201@\0u^\213Q\30\211U\364\213Q\34\211U\370+U\364\307E\374\200OB\0\201\372\0\10\0\0s@\215M\364Qj\0hK\4\0\0P\377\323h\2\177\0\0j\0\377\327P\377\326j\1j\0j\0\377u\374h\254\213@\0\377u\10\377\25d\201@\0h\0\177\0\0j\0\377\327P\377\326\213M\24\203y\14 u\17h\211\177\0\0j\0\377\327P\377\326\213M\24\201y\10\0\7\0\0uN\201y\14\0\1\0\0uE\203y\20\15u\24j\0j\1h\21\1\0\0\3775\340cB\0\377\323\213M\24\203y\20\33u\16j\0j\0j\20\3775\340cB\0\377\3233\300@\353\36\201}\14\13\4\0\0u\6\377\5\344)B\0\213M\24\213E\14Q\377u\20\350\25\373\377\377_^[\311\302\20\0U\213\354\201}\14\20\1\0\0V\213u\24u&\377v0j\35\377u\10\350f\372\377\377\213F<\301\340\12\5\0pB\0Ph\350\3\0\0\377u\10\350\360\27\0\0\213E\14V\377u\20\350\314\372\377\377^]\302\20\0U\213\354\203\354@SVWj\24_\213\360\201\376\0\4\0\0j\334[s\63\377j\336\353\15\201\376\0\0\20\0s\6j\12_j\335[j\337\215E\340P\350\7 \0\0PS\215E\300P\350\374\37\0\0P\215\4\266j\12\321\340\213\317\323\350Y3\322\367\361\213\317\323\356RVh\264\213@\0\377u\14\276\330\31B\0V\350\322\37\0\0V\213\370\350\26\32\0\0\3\370W\377\250\202", ) , ) == 0x0 00754 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "[B\0\350O\27\0\0_^[\311\302\10\0\213\25\14dB\0\213\15\10dB\03\300\205\322t\30V\366A\10\1t\7\213t$\10\3\4\261\201\301\30\4\0\0Ju\352^\302\4\0U\213\354\203\354H\241\334)B\0SV\213p<\301\346\12\211E\340\213@8\201\306\0pB\0\201}\14\13\4\0\0W\211E\374\273\373\3\0\0u%VS\350\351\26\0\0V\350\217\31\0\0\350j\372\377\377h\360\3\0\0\377u\10\377\25\264\201@\0\243x?B\0\201}\14\20\1\0\0\17\205\206\0\0\0j\20\377\25\260\201@\0\204\344\213=@\202@\0y$h\360\3\0\0\377u\10\377\327j\340j\10\377u\10\211E\370\350\352\370\377\377j\10\377u\370\377\25(\202@\0V\350\13\27\0\0\205\300t\20V\350(\27\0\0\205\300u\6V\350\267\32\0\0VS\377u\10\350^\26\0\0\213E\24\377p4j\1\377u\10\350\253\370\377\377\213E\24\377p0j\24\377u\10\350\233\370\377\377S\377u\10\377\327P\350\350\370\377\377\201}\14\21\1\0\0\17\205\273\0\0\0\17\267E\20;\303u\30\213M\20\301\351\20f\201\371\0\3\17\205\1\2\0\0\307E\14\17\4\0\0=\351\3\0\0\17\205\220\0\0\0j\7Y\377u\3743\300\215}\274\363\253\213E\10\277\330\31B\0j\0\211E\270\211}\300\307E\314\362A@\0\211u\320\350.\36\0\0\211E\304\215E\270P\307E\310A\0\0\0\377\25h\201@\0\205\300tLP\350/\25\0\0\241\350cB\0\213\200\34\1\0\0\205\300t'Pj\0\350\371\35\0\0W\277\200OB\0W\377\25\200\200@\0\205\300t\16WV\350\320\31\0\0P\377\25\244\200@\0\377\5\304\15B\0VS\377u\10\350j\25\0\0\201}\14\17\4\0\0", ) , ) == 0x0 00755 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\1\0\0\203e\374\0\203e\370\0VS\203\317\377\350H\25\0\0V\350\22\32\0\0\205\300u\7\307E\374\1\0\0\0V\276\310\15B\0V\350\313\27\0\0V\350\325\25\0\0\205\300t\3\306\0\0h\324\213@\0\377\25h\200@\0\205\300\273\0\4\0\0t2h\300\213@\0P\377\25,\201@\0\205\300t"\215M\344Q\215M\354Q\215M\330QV\377\320\205\300t\17\213}\330\213E\334\17\254\307\12\301\350\12\353/\215E\334P\215E\364P\215E\350P\215E\360PV\377\25\350\200@\0\205\300t\33\213E\360\17\257E\350S\377u\364P\377\25$\201@\0\213\370\307E\370\1\0\0\0j\5\350M\375\377\377;\370s\7\307E\374\2\0\0\0\213\15\310[B\03\3669q\20t+j\373h\377\3\0\0\350\222\374\377\3779u\370t\14j\374S\213\307\350\203\374\377\377\353\16h\276\213@\0S\377u\10\350R\24\0\0\213E\374;\306\243\204dB\0u\12j\7\350\261\313\377\377\211E\374\213E\340\205X\24t\3\211u\3743\3009u\374\17\224\300P\350\306\366\377\3779u\374u\1595\304\15B\0u\5\350\220\366\377\377\2115\304\15B\0\377u\24\213E\14\377u\20\350\345\366\377\377_^[\311\302\20\0U\213\354\203\354\20\377\25\274\201@\0\17\277\310\301\350\20\17\277\300\211E\364\215E\360P\377u\10\211M\360\377\25\270\201@\0\215E\360Pj\0h\21\21\0\0\377u\10\377\25x\202@\0\212E\370$f\366\330\33\300#E\374\311\302\4\0U\213\354\203\354(\201}\14\2\1\0\0VWu\33\203}\20 \17\205\255\0\0\0h\23\4\0\0\350R\366\377\3773\300\351\265\0\0\0\203\317\377\203}\14\2u\6\211=<\240@\0\201}\14\0\2\0\0\276\31\4\0\0", ) 
\215M\344Q\215M\354Q\215M\330QV\377\320\205\300t\17\213}\330\213E\334\17\254\307\12\301\350\12\353/\215E\334P\215E\364P\215E\350P\215E\360PV\377\25\350\200@\0\205\300t\33\213E\360\17\257E\350S\377u\364P\377\25$\201@\0\213\370\307E\370\1\0\0\0j\5\350M\375\377\377;\370s\7\307E\374\2\0\0\0\213\15\310[B\03\3669q\20t+j\373h\377\3\0\0\350\222\374\377\3779u\370t\14j\374S\213\307\350\203\374\377\377\353\16h\276\213@\0S\377u\10\350R\24\0\0\213E\374;\306\243\204dB\0u\12j\7\350\261\313\377\377\211E\374\213E\340\205X\24t\3\211u\3743\3009u\374\17\224\300P\350\306\366\377\3779u\374u\1595\304\15B\0u\5\350\220\366\377\377\2115\304\15B\0\377u\24\213E\14\377u\20\350\345\366\377\377_^[\311\302\20\0U\213\354\203\354\20\377\25\274\201@\0\17\277\310\301\350\20\17\277\300\211E\364\215E\360P\377u\10\211M\360\377\25\270\201@\0\215E\360Pj\0h\21\21\0\0\377u\10\377\25x\202@\0\212E\370$f\366\330\33\300#E\374\311\302\4\0U\213\354\203\354(\201}\14\2\1\0\0VWu\33\203}\20 \17\205\255\0\0\0h\23\4\0\0\350R\366\377\3773\300\351\265\0\0\0\203\317\377\203}\14\2u\6\211=<\240@\0\201}\14\0\2\0\0\276\31\4\0\0", ) == 0x0 00756 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\300tr\377u\10\350V\377\377\377\205\300\211E\334t\36\215E\330Pj\0h\14\21\0\0\377u\10\307E\330\4\0\0\0\377\25x\202@\0\213}\374\211u\14\353\3\213}\249u\14u;9=<\240@\0t3S\276\0pB\0V\273\330\31B\0S\211=<\240@\0\350\240\25\0\0WV\350\367\24\0\0j\6\350^\312\377\377SV\350\213\25\0\0[\353\3\213}\24W\377u\20\377u\14\377u\10\3775\300\15B\0\377\25\300\201@\0_^\311\302\20\0U\213\354\203\354TSV\2135@\202@\0Wh\371\3\0\0\377u\10\377\326h\10\4\0\0\377u\10\211E\370\377\326\2135x\202@\0\211E\374\241\10dB\0\211E\350\241\350cB\0\5\224\0\0\03\333\201}\14\20\1\0\0j\20\211E\344_\17\205\32\2\0\0\213E\10\243LdB\0\241\14dB\0\301\340\2P\211]\340\307E\354\2\0\0\0\350\261\22\0\0jn\3775\344cB\0\243\320\21B\0\377\25\310\201@\0h\255I@\0j\374\377u\374\211E\360\377\25D\202@\0Sj\6j!WW\243\300\15B\0\377\254\200@\0h\377\0\377\0\377u\360\243\314\21B\0P\377\25,\200@\0\3775\314\21B\0j\2h\11\21\0\0\377u\374\377\326SSh\34\21\0\0\377u\374\377\326;\307}\14SWh\33\21\0\0\377u\374\377\326\377u\360\377\25@\200@\03\377\213E\344\213\4\270;\303t'\203\377 t\3\211]\354PS\350\17\32\0\0PShC\1\0\0\377u\370\377\326WPhQ\1\0\0\377u\370\377\326G\203\377!|\311\213E\354\213}\24\377t\2070j\25\377u\10\350\332\363\377\377\213E\354\377t\2074j\26\377u\10\350\311\363\377\3773\3779\35\14dB\0\211", ) , ) == 0x0 00757 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\300\10\211E\360\273\0\21\0\0\213U\360\215B\20\2008\0\17\204\204\0\0\0\213M\364\211E\304\213\2j \211M\254Y\213\320#\321\250\2\307E\260\2\0\377\377\307E\264\15\0\0\0\211M\300\211}\330\211U\274t&\215E\254Pj\0S\377u\374\307E\264M\0\0\0\307E\324\1\0\0\0\377\326\211E\364\307E\340\1\0\0\0\353(\213E\360\366\0\4t\24\377u\364j\3h\12\21\0\0\377u\374\377\326\211E\364\353\25\215E\254Pj\0S\377u\374\377\326\213\15\320\21B\0\211\4\271\201E\360\30\4\0\0G;=\14dB\0\17\214Y\377\377\3773\3339]\340u\32j\360\377u\374\377\25\240\201@\0\203\340\373Pj\360\377u\374\377\25D\202@\0Sj\6h\25\1\0\0\377u\374\377\3269]\354u\30j\5\377u\370\377\25(\202@\0\377u\370\350\26\363\377\377\351\216\3\0\0\377u\374\350\11\363\377\377\201}\14\5\4\0\0u\223\377G\211]\20\211}\24\307E\14\17\4\0\0\353\3\213}\24\203}\14N\270\23\4\0\0t\119E\14\17\205\376\0\0\09E\14t\15\201\177\4\10\4\0\0\17\205\354\0\0\0\366\5EdB\0\2\17\205\235\0\0\09E\14t\24\203\177\10\376\17\205\216\0\0\0\377u\374\350\365\373\377\377\353\15Sj\11h\12\21\0\0\377u\374\377\326;\303\211E\274tp\215E\270PSh\14\21\0\0\377u\374\307E\270\4\0\0\0\377\326\205\300tV\213E\334\213M\350i\300\30\4\0\0\215L\10\10\213\1\250\20u@\250@t\235\200\0\0\0\204\300y\5\203\310\1\353\10\203\340\376\353\3\203\360\1\211\1\377u\334\350\247\303\377\377\241DdB\03\311\301\350\10A\367\320#\301\211M\20\211E\24\307E\14\17\4\0\0;\373", ) , ) == 0x0 00758 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "w\Sh\31\4\0\0\377u\374\377\326\201\177\10j\376\377\377u\36\213G\\213M\350i\300\30\4\0\0\203\177\14\2\215D\10\10u\5\203\10 \353\3\203 \337\201}\14\21\1\0\0urf\201}\20\371\3\17\205A\2\0\0\213E\20\301\350\20f=\1\0\17\2051\2\0\0SShG\1\0\0\377u\370\377\326\203\370\377\17\204\34\2\0\0SPhP\1\0\0\377u\370\377\326\213\370\203\377\377t\10\213E\3449\34\270u\3j _W\350\26\304\377\377WSh \4\0\0\377u\10\377\326\307E\20\1\0\0\0\211]\24\307E\14\17\4\0\0\201}\14\0\2\0\0u\14SSh\0\2\0\0\377u\374\377\326\201}\14\13\4\0\0u2\241\314\21B\0;\303t\7P\377\250\200@\0\241\320\21B\0;\303t\7P\377\25<\201@\0\211\35\314\21B\0\211\35\320\21B\0\211\35LdB\0\201}\14\17\4\0\0\17\205@\1\0\0\350\215\303\377\3779]\20t\7j\10\350\254\305\377\3779]\24t?\3775\320\21B\0\350\306\303\377\377\213\370W\350s\303\377\3773\3003\311;\373~\16\213U\3449\34\202t\1A@;\307|\362SQhN\1\0\0\377u\370\377\326\211}\24\307E\14 \4\0\0\3508\303\377\3779\35\14dB\0\241\320\21B\0\213=\10dB\0\211E\340\307E\3040\360\0\0\211]\354\17\216\245\0\0\0\203\307\10\213E\340\213M\354\213\4\210;\303t}\213\27j\10\211E\274X\213\312#\310\211U\350\203e\350 \321\341\13M\350\366\306\1\211E\270\211M\300t\24\215G\20\307E\270\11\0\0\0\211E\310\200g\1\376\213M\300\366\302@t\5j\3X\353\16\213\302\203\340\1@\366\302\20t\3\203\300\3\377u\274\301\340\14\13\3103\3009", ) , ) == 0x0 00759 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\21\0\0\377u\374\377\326\215E\270PSh\15\21\0\0\377u\374\377\326\377E\354\213E\354\201\307\30\4\0\0;\5\14dB\0\17\214^\377\377\377\241\310[B\09X\20t\23j\5\350\317\365\377\377j\373h\377\3\0\0\350,\365\377\377\201}\14 \4\0\0u5\366\5EdB\0\1t,\2135(\202@\03\300\203}\24 \17\224\300\301\340\3\213\370W\377u\374\377\326Wh\376\3\0\0\377u\10\377\25@\202@\0P\377\326\377u\24\213E\14\377u\20\350\247\357\377\377_^[\311\302\20\0U\213\354\203\3540\241\254[B\0W3\377;\307\211E\370\17\204\272\0\0\0S\213\35@\240@\0\211]\374\203e\374\1V\276\330\21B\0u\11\377u\10V\350\340\24\0\0V\350&\17\0\09}\14\211E\10t\34\377u\14\350\26\17\0\0\3E\10=\0\10\0\0sy\377u\14V\377\25\244\200@\0\366\303\4t\15V\3775\270[B\0\377\25\204\201@\0\366\303\2tIWWh\4\20\0\0\377u\370\211u\344\2135x\202@\0\307E\320\1\0\0\0\377\326+E\374\367\323\211E\324\215E\320PW\203\343\1\201\313\6\20\0\0S\377u\370\211}\330\377\326W\377u\324h\23\20\0\0\377u\370\377\3269}\374t\12\213E\10\306\200\330\21B\0\0^[_\311\302\10\0V\2135\10dB\0W\213=\14dB\0j\0\377\25\224\202@\0\11\5\220dB\0\205\377tQ\203\306\30O\366F\360\1u\30\366\5EdB\0\4u\17Vh\364\213@\0\350\227\17\0\0YY\353\35Vh\344\213@\0\350\210\17\0\0YY\377t$\14\377v\364\350\25\302\377\377\205\300u\14\201\306\30\4\0\0\205\377u\272\353\6\377\5ldB\0h\4\4\0\0\3502\356\377\377\377\25", ) , ) == 0x0 00760 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\4\0U\213\354\203\354, ) , ) == 0x0 00761 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "}\20\3\4u5S\3775\300[B\0\377\327j\10V\377\327\350\275\353\377\377\201}\14\4\4\0\0uU9\35\264[B\0t&jx\307\5\340)B\0\2\0\0\0\350R\353\377\377\377u\24\213E\14\377u\20\350\366\353\377\377_^[\311\302\20\0j\10\3775\340cB\0\377\3279\35ldB\0u\16\241\334)B\0S\377p4\350/\374\377\377j\1\350\26\353\377\377\203}\14{u\2769u\20u\271SSh\4\20\0\0V\377\25x\202@\0;\303\211E\10\17\216\365\0\0\0\377\25\350\201@\0j\341S\213\370\350\14\21\0\0Pj\1SW\377\25\344\201@\0\213E\24\203\370\377u\23\215E\354PV\377\25\340\201@\0\213M\354\213E\360\353\11\17\277\310\301\350\20\17\277\300SVSPQh\200\1\0\0W\377\25\334\201@\03\377G;\307\17\205\232\0\0\0\213u\10\211]\314\307E\330\330\31B\0\307E\334\377\17\0\0\215E\304PNVh-\20\0\0\377u\374\377\25x\202@\0;\363\215|\7\2u\344S\377\25\330\201@\0\377\25\324\201@\0WjB\377\25\364\200@\0P\211E\14\377\25\360\200@\0\213\360\215E\304PSh-\20\0\0\377u\374\211u\330\211}\334\377\25x\202@\0V\350\234\12\0\0\3\360f\307\6\15\12FFC;]\10|\322\377u\14\377\25\354\200@\0\377u\14j\1\377\25\320\201@\0\377\25\314\201@\03\300\351\262\376\377\377\203\354\20SU\213l$ \271\20\1\0\0;\351VW\17\204t\1\0\0\201\375\10\4\0\0\17\204h\1\0\0\203\375G\213\$$u\25j\233\300PPPPS\3775\324\21B\0\377\25\374\201@\0\203\375\5u\30\213D$,H\367\330\33\300#\305P\3775\324\21B\0\377\25(\202", ) , ) == 0x0 00762 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\250[B\0\377\25\214\201@\0\213D$,\243\250[B\0\351\21\4\0\0\203\375\21u\23j\0j\0S\377\25D\202@\03\300@\351 \4\0\0\203\375\20u3\241\4dB\0H9\5$\240@\0\17\205\310\0\0\0\3775\310\21B\0\377\25\370\201@\0\205\300\17\205\264\0\0\0\275\21\1\0\0\307D$,\1\0\0\0\201\375\21\1\0\0\17\205\233\0\0\0\17\267t$,VS\377\25@\202@\0\213\35x\202@\0\213\370\205\377t\33j\0j\0h\363\0\0\0W\377\323W\377\25\370\201@\0\205\300\17\204\246\3\0\03\377G;\367u\3W\353A\203\376\3u\15\203=$\240@\0\0~:j\377\353/\203\376\2u1\203=ldB\0\0t\16V\350\361\275\377\377\2115\340)B\0\353\21j\3\350\342\275\377\377\205\300u$\211=\340)B\0jx\350\225\350\377\377\353\25\377t$0\377t$0h\21\1\0\0\3775\250[B\0\377\323\377t$0\213\305\377t$0\350!\351\377\377\351-\3\0\0;\351\213D$,\213\$$\243\274\15B\0uM\2135@\202@\0j\1S\211\35\340cB\0\377\326j\2S\243\330)B\0\377\326j\377j\34S\243\310\21B\0\350V\350\377\377\3775\260[B\0j\362S\377\25\364\201@\0j\4\350U\275\377\377\243\264[B\03\300@\243\274\15B\0\213\15$\240@\0\213\361\301\346\6\35\0dB\03\377;\317|>\203\370\1u1W\377v\20\350A\274\377\377\205\300t$j\1Wh\17\4\0\0\3775\250[B\0\377\25x\202@\03\3009=\264[B\0\17\224\300\351\202\2\0\09>\17\204x\2\0\0h\13\4\0\0\350D\350\377\377\241\274\15B\0\1\5$\240@\0\301\340\6\3\360\241$\240@", ) , ) == 0x0 00763 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\305\274\377\377\203=\264[B\0\0\17\205\370\1\0\0\241\4dB\09\5$\240@\0\17\203\347\1\0\0\377v$\213~\24h\0\340B\0\350\205\15\0\0\377v h\31\374\377\377S\350t\347\377\377\377v\34h\33\374\377\377S\350f\347\377\377\377v(h\32\374\377\377S\350X\347\377\377j\3S\377\25@\202@\0\203=ldB\0\0\213\350t\11\201\347\375\376\377\377\203\317\4\213\307\203\340\10PU\377\25(\202@\0\213\307%\0\1\0\0PU\377\25P\202@\0\213\307\203\340\2P\350Z\347\377\377\203\347\4W\3775\310\21B\0\377\25P\202@\0j\13\377Wh\364\0\0\0U\213-x\202@\0\377\3259=ldB\0t\23Wj\2h\1\4\0\0S\377\325\3775\310\21B\0\353\6\3775\330)B\0\350$\347\377\377h\340[B\0\275\330\31B\0U\350\4\7\0\0\377v\30U\350\1\7\0\0\3\305P\350\255\14\0\0US\377\25\204\201@\0W\377v\10\350\314\272\377\377\205\300\17\205\275\376\377\3779\6\17\204\265\376\377\377\203~\4\5u\359\5ldB\0\17\205\21\1\0\09\5`dB\0\17\205\227\376\377\377\351\0\1\0\0\3775\250[B\0\377\25\214\201@\0\203>\0\2115\334)B\0\17\216\300\0\0\0\213F\4V\3774\205(\240@\0f\213\6f\3\5\274[B\0S\17\267\300P\3775\344cB\0\377\25\220\201@\0\205\300\243\250[B\0\17\204\215\0\0\0\377v,j\6P\350\15\346\377\377\215D$\20Ph\372\3\0\0S\377\25@\202@\0P\377\25\340\201@\0\215D$\20PS\377\25\270\201@\0j\253\377WW\377t$ \377t$ W\3775\250[B\0\377\25\374\201@\0W\377v\14\350\370\271\377\377j\10\3775\250", ) , ) == 0x0 00764 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\0\350\35\346\377\377\353 \3775\250[B\0\377\25\214\201@\0\3775\340)B\0\203%\340cB\0\0S\377\25\360\201@\0\203=\350)B\0\0u\34\203=\250[B\0\0t\23j\12S\377\25(\202@\0\307\5\350)B\0\1\0\0\03\300_^][\203\304\20\302\20\0\241DdB\0\203\354\24SUV\2135\350cB\0\203\340 W\243`dB\0\350\222\346\377\377\275\0\304B\0U\350\251\7\0\03\333\205\300\17\205\200\0\0\0\213NH;\313ty\241\30dB\0\213VL\277\200OB\0W\3\320R\3\310Q\377vD\350@\4\0\0\240\200OB\0:\303tT<"u\17j"\277\201OB\0W\350\377\2\0\0\210\30W\3500\5\0\0\215D8\374;\307v&h(\214@\0P\377\25\200\200@\0\205\300u\26W\377\25\214\200@\0\203\370\377t\4\250\20u\6W\350\6\7\0\0W\350\237\6\0\0PU\350\357\4\0\0U\350\31\7\0\0\205\300u\14\377\266\30\1\0\0U\350\223\12\0\03\355E\366\5DdB\0\20t\239\35@dB\0u\13\350\254\345\377\377\211-x?B\0h@\200\0\0SSUjg\3775\344cB\0\377\25H\202@\0\243\260[B\0\203~P\377\277\200[B\0\17\204\211\0\0\0\213\15\344cB\0\243\224[B\0\215D$\20W\307D$\24_Nb\0\307\5\204[B\0\0\20@\0\211\15\220[B\0\243\244[B\0\377\25\20\202@\0f\205\300\17\204#\1\0\0S\215D$\30PSj0\377\25\14\202@\0\213D$ +D$\30S\3775\344cB\0SSP\213D$0+D$(P\377t$0\215D$,\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10\202@\0\243\324\21", ) u\17j (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\0\350\35\346\377\377\353 \3775\250[B\0\377\25\214\201@\0\3775\340)B\0\203%\340cB\0\0S\377\25\360\201@\0\203=\350)B\0\0u\34\203=\250[B\0\0t\23j\12S\377\25(\202@\0\307\5\350)B\0\1\0\0\03\300_^][\203\304\20\302\20\0\241DdB\0\203\354\24SUV\2135\350cB\0\203\340 W\243`dB\0\350\222\346\377\377\275\0\304B\0U\350\251\7\0\03\333\205\300\17\205\200\0\0\0\213NH;\313ty\241\30dB\0\213VL\277\200OB\0W\3\320R\3\310Q\377vD\350@\4\0\0\240\200OB\0:\303tT<"u\17j"\277\201OB\0W\350\377\2\0\0\210\30W\3500\5\0\0\215D8\374;\307v&h(\214@\0P\377\25\200\200@\0\205\300u\26W\377\25\214\200@\0\203\370\377t\4\250\20u\6W\350\6\7\0\0W\350\237\6\0\0PU\350\357\4\0\0U\350\31\7\0\0\205\300u\14\377\266\30\1\0\0U\350\223\12\0\03\355E\366\5DdB\0\20t\239\35@dB\0u\13\350\254\345\377\377\211-x?B\0h@\200\0\0SSUjg\3775\344cB\0\377\25H\202@\0\243\260[B\0\203~P\377\277\200[B\0\17\204\211\0\0\0\213\15\344cB\0\243\224[B\0\215D$\20W\307D$\24_Nb\0\307\5\204[B\0\0\20@\0\211\15\220[B\0\243\244[B\0\377\25\20\202@\0f\205\300\17\204#\1\0\0S\215D$\30PSj0\377\25\14\202@\0\213D$ +D$\30S\3775\344cB\0SSP\213D$0+D$(P\377t$0\215D$,\377t$0h\0\0\0\200SPh\200\0\0\0\377\25\10\202@\0\243\324\21", ) , ) == 0x0 00765 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "j\2X\351\306\0\0\0\350\376\344\377\3779\35\200dB\0\17\205\213\0\0\0j\5\3775\324\21B\0\377\25(\202@\0\2135\300\200@\0\275P\240@\0U\377\326\205\300u\14Uf\307\5V\240@\032\377\326\213-\4\202@\0W\276D\240@\0VS\377\325\205\300u\37WVS\210\35L\240@\0\377\325W\2115\244[B\0\306\5L\240@\02\377\25\20\202@\0\241\274[B\0Sh\227U@\0\203\300i\17\267\300SP\3775\344cB\0\377\25\0\202@\0j\5\213\360\350)\270\377\377\213\306\353*S\350\315\364\377\377\205\300t\309\35\264[B\0\17\205F\377\377\377j\2\350\10\270\377\377\351:\377\377\377U\350\375\267\377\3773\300_^][\203\304\24\303U\213\354Q\215E\374P\377\25l\201@\0\213E\374\205\300t\22\377u\10\213\10P\377Q\24\213E\374\213\10P\377Q\10\311\302\4\0U\213\354\203\354\20\377u\14\307\5\3601B\0D\0\0\0\377\25\214\200@\03\311\203\370\377t\4\250\20u\3\211M\14\215E\360Ph\3601B\0\377u\14QQQQQ\377u\10Q\377\25\374\200@\0\205\300t\14\377u\364\377\25\204\200@\0\213E\360\311\302\10\0\377%\24\202@\0h\0\4\0\0\377t$\14\377t$\14\3775\250[B\0\377\25\30\202@\0\302\10\0\213D$\10\213\310\201\341\377\377\37\0\203=\200dB\0\0t\5\301\350\25u%\203=\210dB\0\0t\6\201\361\0\0\30\0Qh\340[B\0\377t$\14\3775\340cB\0\377\25\34\202@\0\302\10\0\377t$\4j@\377\25\364\200@\0\302\4\0\213D$\4\353\15:L$\10t\15P\377\25\230\201@\0\212\10\204\311u\355\302\10\0\213L$\4\212\1\14 f\2019\\t", ) , ) == 0x0 00766 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, ":t\43\300\353\33\300@\302\4\0SV\2135\230\201@\0W\213|$\20W\377\326\213\330S\377\326\200?\0t\14f\201;:\u\5P\377\326\353!f\201?\\u\30j\2^j\PN\350\204\377\377\377\2008\0t\7@\205\366u\355\353\23\300_^[\302\4\0\213L$\4V\213t$\20\205\366~\17\213D$\14+\301\212\24\10\210\21ANu\367^\302\14\0\377t$\4\377\25\214\200@\0\213\310Aj\0\367\331\33\311#\310Q\377t$\24j\0j\1\377t$\34\377t$\34\377\25\270\200@\0\302\14\0U\213\354V\213u\10Wjd_O\307E\10nsa\0\377\25\264\200@\0j\32Y3\322\367\361Vj\0\215E\10P\377u\14\0U\12\377\25\0\201@\0\205\300u\15\205\377u\320\306\6\0_^]\302\10\0\213\306\353\366U\213\354SV\213u\24\215E\14Ph\31\0\2\03\333S\377u\14\210\36\377u\10\377\25\10\200@\0\205\300u>\215E\10PV\215E\24PS\377u\20\307E\10\0\4\0\0\377u\14\377\25\34\200@\0\205\300u\14\203}\24\1t\10\203}\24\2t\2\210\36\377u\14\210\236\377\3\0\0\377\25 \200@\0^[]\302\20\0\377t$\10h0\214@\0\377t$\14\377\250\202@\0\203\304\14\302\10\0U\213\354Q\213M\10SVW3\377\2009-\307E\374\1\0\0\0\260\12\2639u\5A\203M\374\377\20090u\34A\212\21\200\3720|\11\200\3727\177\4\260\10\2637\200\342\337\200\372Xu\3\260\20A\17\276\21A\203\3720|\14\17\276\363;\326\177\5\203\3520\353\31<\20u!\213\362\203\346\337\203\376A|\27\203\376F\177\22\203\342\7\203\302\11\17\276\360\17\257\367\3\362\213\376\353\306\213E\374\17", ) , ) == 0x0 00767 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\201@\0\377%\10\201@\0SU\213-\230\201@\0V\213t$\20W\353\5V\377\325\213\360\200> t\366\200>\u\25\200~\1\u\17\200~\2?u\11\200~\3\u\3\203\306\4\200>\0t\14V\350\236\375\377\377\205\300t\2FF\213\336\213\3763\300\353+<\37v"Ph4\214@\0\350e\375\377\377\2008\0u\22V\377\325+\306PVW\350\343\375\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317\210\7WS\377\25,\202@\0\213\370\212\7< t\4<\u\7;\337\306\7\0r\345_^]\213\303[\302\4\0U\213\354S3\3339]\10t\32\241`\240@\0\203\370\377t\7P\377\25\204\200@\0\203\15`\240@\0\377\353u9\35x?B\0tm8\35\200WB\0t/\203=`\240@\0\377u/j\4h\0\0\0@h\200WB\0\350~\375\377\377\203\370\377\243`\240@\0tAj\2SSP\377\25L\201@\0\203=`\240@\0\377t-Vh@\214@\0\276\200?B\0V\377\25\244\200@\0S\215E\10PV\377\25\10\201@\0PV\3775`\240@\0\377\25D\201@\0^[]\302\4\0\215D$\10P\377t$\10h\200?B\0\377\25 \202@\0j\0\350F\377\377\377\303SV\2135l\200@\0Wh\1\200\0\0\377\326\2778:B\0W\377t$\24\377\25X\201@\0j\0\213\330\377\326\203\373\377t\13S\377\25P\201@\0\213\307\353\23\300_^[\302\4\0V\213t$\10V\377\25\10\201@\0\3\306PV\377\25,\202@\0\2008\t\14hX\205@\0V\377\25\244\200@\0\213\306^\302\4\0VW\213|$\14W\377\25\10\201@\0\2135,\202@\0\3\307PW\377\326\205\377t\22;\307v\16", ) Ph4\214@\0\350e\375\377\377\2008\0u\22V\377\325+\306PVW\350\343\375\377\377W\377\325\213\370V\377\325\213\360\212\6\204\300u\317\210\7WS\377\25,\202@\0\213\370\212\7< t\4<\u\7;\337\306\7\0r\345_^]\213\303[\302\4\0U\213\354S3\3339]\10t\32\241`\240@\0\203\370\377t\7P\377\25\204\200@\0\203\15`\240@\0\377\353u9\35x?B\0tm8\35\200WB\0t/\203=`\240@\0\377u/j\4h\0\0\0@h\200WB\0\350~\375\377\377\203\370\377\243`\240@\0tAj\2SSP\377\25L\201@\0\203=`\240@\0\377t-Vh@\214@\0\276\200?B\0V\377\25\244\200@\0S\215E\10PV\377\25\10\201@\0PV\3775`\240@\0\377\25D\201@\0^[]\302\4\0\215D$\10P\377t$\10h\200?B\0\377\25 
\202@\0j\0\350F\377\377\377\303SV\2135l\200@\0Wh\1\200\0\0\377\326\2778:B\0W\377t$\24\377\25X\201@\0j\0\213\330\377\326\203\373\377t\13S\377\25P\201@\0\213\307\353\23\300_^[\302\4\0V\213t$\10V\377\25\10\201@\0\3\306PV\377\25,\202@\0\2008\t\14hX\205@\0V\377\25\244\200@\0\213\306^\302\4\0VW\213|$\14W\377\25\10\201@\0\2135,\202@\0\3\307PW\377\326\205\377t\22;\307v\16", ) == 0x0 00768 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\353\356_^\302\10\0V\213t$\10V\377\25\10\201@\0\3\306\2008\t\14PV\377\25,\202@\0;\306w\357\306\0\0^\302\4\0V\377t$\10\27682B\0V\377\25\4\201@\0V\350\311\373\377\377\205\300u\43\300\353W\366\5DdB\0\200t\13\212\10\204\311t\355\200\371\t\350S\213\35\10\201@\0W\213\370+\376\353\25V\350\364\376\377\377\205\300t\5\366\0\20t*V\350\204\377\377\377V\377\323;\307\177\344V\350\26\377\377\377V\377\25\214\200@\03\311\203\370\377\17\225\301\213\301_[^\302\4\03\300\353\366U\213\354QSVW\377u\14\213=\10\201@\0\377\327\213u\10\211E\374\353'\213E\374\377u\14\212\340V\306\40\0\377\25\200\200@\0\205\300\213E\374\210\340t\32V\377\25\230\201@\0\213\360V\377\327;E\374}\3213\300_^[\311\302\10\0\213\306\353\365UVW\213|$\20W\350\377\372\377\377\213\3603\355\205\366t4Sj\V\350\253\372\377\377\213\360\212\36W\306\6\0\350<\376\377\377\205\300u\14PW\377\25\304\200@\0\205\300\353\3\366\0\20u\1E\210\36F\204\333u\316[_3\300\205\355^\17\224\300]\302\4\0\203\354\20SUVWh\324\213@\0\377\25h\200@\0\205\300\213t$(t!hp\214@\0P\377\25,\201@\0\205\300t\21j\5V\377t$,\377\320\205\300\17\205\25\2\0\0\205\366\213-\230\200@\0\307\586B\0NUL\0\277\0\4\0\0t,j\1j\0V\350\305\372\377\377P\377\25\204\200@\0W\27386B\0SV\377\325\205\300\17\204\337\1\0\0;\307~\26\351\326\1\0\0hl\214@\0\27386B\0S\377\25\4\201@\0W\276\360-B\0V\377t$,\377", ) , ) == 0x0 00769 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\307\17\217\246\1\0\0VShd\214@\0h\360)B\0\377\250\202@\0\203\304\20h\360\3\0\0V\213\330\377\25\334\200@\0hT\214@\0V\377\25\244\200@\0Uh\200\0\0\10j\4UUh\0\0\0\300V\377\25\270\200@\0\213\370\203\377\377\211|$\20\17\204L\1\0\0UW\377\25\274\200@\0\213\3603\311Q\215,\36\215E\12PQj\4QW\211l$4\211D$,\377\25\30\201@\03\311;\301\211D$(\17\204\377\0\0\0QQQj\2P\377\25\24\201@\0\213\370\205\377\17\204\331\0\0\0hH\214@\0W\350\372\375\377\377\205\300u(hH\214@\0\215\47P\377\25\4\201@\0S\203\306\12h\360)B\0\215\47P\350\204\371\377\377\3\363\351\233\0\0\0hD\214@\0\203\300\12P\350\300\375\377\377\205\300tx\377t$\24@j@\211D$ \211D$,\377\25\364\200@\0\213\350\205\355tBh\360)B\0U\377\25\4\201@\0\215\147\213t$\30\3\335+\336\213D$$;\301s\14\212\20\210\24\3@\211D$$\353\354+\306PUV\350\33\371\377\377\213t$\34U\377\25<\201@\0\353,W\377\25\20\201@\0\377t$(\2135\204\200@\0\377\326\377t$\20\377\326\353FSh\360)B\0\215\47P\350\344\370\377\377\213\365W\377\25\20\201@\0\377t$(\377\25\204\200@\0\213|$\203\311QQVW\377\25L\201@\0W\377\25\14\201@\0W\377\25\204\200@\0\377\5pdB\0_^][\203\304\20\302\10\0\203\354\24U\213l$ \205\355V}\21\213\15\310[B\0\215\4\255\4\0\0\0+\310\213)\241\30dB\0\213L$ \3\350\270\200OB\0+\310\201\371\0\10\0\0\213\360s\11\213t$", ) , ) == 0x0 00770 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\204\277\1\0\0SW\213\316+\310\201\371\0\4\0\0\17\215\253\1\0\0E\200\372\374\17\206\203\1\0\0\17\276E\1\17\276M\0\213\370\203\347\177\213\331\203\343\177\301\347\7\13\373\273\0\200\0\0\211L$\24\13\313\211D$\34\13\303EE\200\372\376\211L$\30\211D$ \17\205\362\0\0\03\377\203|$\34\4\211|$,\306\6\0u\13j\2\307D$0\334\214@\0_\213\$\24\203\373+u\25Vh\314\214@\0h\240\214@\0h\2\0\0\200\350\\370\377\377\203\373&u&Vh\220\214@\0h\240\214@\0h\2\0\0\200\350B\370\377\377\200>\0u}h|\214@\0V\377\25\4\201@\0\203\373%u\14h\0\4\0\0V\377\25\34\201@\0\203\373$u\14h\0\4\0\0V\377\25\334\200@\0\200>\0uJ\203=ddB\0\0j\4_u\5j\2_\3539\215D$\20P\377t\274\24O\3775\340cB\0\377\25p\201@\0\205\300u\34V\377t$\24\377\25x\201@\0\377t$\20\213\330\350\256\365\377\377\205\333u\11\353\3\306\6\0\205\377u\303\200>\0tF\203|$,\0t?\377t$,V\377\25\244\200@\0\3532\200\372\375u>\203\377\33u\16\3775\340cB\0V\350\367\367\377\377\353\22\213\307\301\340\12\5\0pB\0PV\377\25\4\201@\0\203\307\353\203\377\6s\6V\350\203\370\377\377V\377\25\10\201@\0\3\360\353!\200\372\377u\34\203\310\377+\307PV\350\25\376\377\377\353\342u\11\212E\0\210\6FE\353\3\210\26F\212U\0\204\322\270\200OB\0\17\205E\376\377\377_[\203|$ \0\306\6\0^]t\20h\0\4\0\0P\377t$ \377\25\324\200@\0\203\304\24\302\10\0U\213\354\201\354D\1\0\0S\213]\10S", ) , ) == 0x0 00771 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "E\374t\27S\377\25(\201@\0\367\330\33\300@\1\5hdB\0\351\273\1\0\0\211M\10\203e\10\1Vt\21\205\300\17\204\250\1\0\0\366\301\2\17\2046\1\0\0WS\276x;B\0V\377\25\4\201@\0\203}\10\0\213=\244\200@\0t\12h\324\215@\0V\377\327\353\6S\350\247\371\377\377hX\205@\0S\377\327S\377\25\10\201@\0\213\370\215\205\274\376\377\377PV\3\373\377\25X\201@\0\213\360\203\376\377\17\204\325\0\0\0\200\275\350\376\377\377.u\32\200\275\351\376\377\377.\17\204\242\0\0\0\200\275\351\376\377\377\0\17\204\225\0\0\0\215\205\350\376\377\377PW\377\25\4\201@\0\366\205\274\376\377\377\20t\25\213E\14\203\340\3<\3ut\377u\14S\350\15\377\377\377\353iSh\270\215@\0\350f\370\377\377\213\205\274\376\377\377YY\203\340\376PS\377\25\254\200@\0S\377\25(\201@\0\205\300Su8\366E\14\4t\36h\224\215@\0\3507\370\377\377YYSj\361\350\200\347\377\377j\0S\3500\372\377\377\353\33ht\215@\0\350\31\370\377\377\377\5hdB\0YY\353\7j\362\350[\347\377\377\215\205\274\376\377\377PV\377\25T\201@\0\205\300\17\2052\377\377\377V\377\25P\201@\0\203}\10\0t\4\306G\377\0_3\3669u\374tb9u\10t]S\350(\370\377\377ShT\215@\0\350\303\367\377\377YYS\377\25 \201@\0\205\300Su7\366E\14\4t\35h,\215@\0\350\245\367\377\377YYSj\361\350\356\346\377\377VS\350\237\371\377\377\353\33h\10\215@\0\350\210\367\377\377\377\5hdB\0YY\353\7j\345\350\312\346\377\377^[\311\302\10\0\213D$\4\271\200\0\0\0I\306\4\1\0u\371\203Hx\3773\311A\211H", ) , ) == 0x0 00772 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\215l$\214\201\354\214\0\0\0V\213u|Wj"Y\215}\354\363\245\203}D\377u\103\300@\351\330\11\0\0\213u S\213]0\213E\354\203\370\34\17\207\301\11\0\0\377$\205\4t@\0\203}\10\0\17\204\241\11\0\0\213E\4\377M\10\212\0\377E\4<\341\17\207\235\11\0\0\17\266\300\231j-Y\367\371j\11Y\213\360\17\266\302\231\367\371\213\316\17\266\3723\322B\323\342\213\310\211}8J\211UX3\322B\323\342\215\147\276\0\3\0\0\323\346J\211U\\201\3066\7\0\0\215<6;}\374t#\203}p\0t\11\377up\377\25<\201@\0W\350\2\363\377\377\205\300\211Ep\17\2045\11\0\0\211}\374\205\366t\14\213EpNf\307\4p\0\4u\364\203e,\0\203e4\0\353$\203}\10\0\17\204\217\10\0\0\213E\4\213M,\17\266\0\377M\10\301\341\3\323\340\11E4\377E\4\377E,\203},\4|\326\213E4;E\0t%\203}l\0\211E\0t\11\377ul\377\25<\201@\0\377u4\350\216\362\377\377\205\300\211El\17\204\301\10\0\0\213El\213M\0\306D\10\377\0\307E,\5\0\0\0\353!\203}\10\0\17\204-\10\0\0\213M\4\213Eh\17\266\11\377M\10\301\340\10\13\301\377E\4\211Eh\213E,\377M,\205\300u\325\213E\24#EX\213M<\301\341\4\3\310\211E(\213Ep\2154H\307E\360\6\0\0\0\351`\6\0\03\3229U4uq\17\266E\30\213u\24#u\3\311\261\10*M8\323\350\213M8\323\346\213Mp\3\306\215\4@\301\340\11\203}<\4\215\204\10l\16\0\0\211E\34}\5\211U<\353\20\203}<\12}\6\203m<\3\353\4\203m<\69U@t\34\213E`+EH", ) Y\215}\354\363\245\203}D\377u\103\300@\351\330\11\0\0\213u 
S\213]0\213E\354\203\370\34\17\207\301\11\0\0\377$\205\4t@\0\203}\10\0\17\204\241\11\0\0\213E\4\377M\10\212\0\377E\4<\341\17\207\235\11\0\0\17\266\300\231j-Y\367\371j\11Y\213\360\17\266\302\231\367\371\213\316\17\266\3723\322B\323\342\213\310\211}8J\211UX3\322B\323\342\215\147\276\0\3\0\0\323\346J\211U\\201\3066\7\0\0\215<6;}\374t#\203}p\0t\11\377up\377\25<\201@\0W\350\2\363\377\377\205\300\211Ep\17\2045\11\0\0\211}\374\205\366t\14\213EpNf\307\4p\0\4u\364\203e,\0\203e4\0\353$\203}\10\0\17\204\217\10\0\0\213E\4\213M,\17\266\0\377M\10\301\341\3\323\340\11E4\377E\4\377E,\203},\4|\326\213E4;E\0t%\203}l\0\211E\0t\11\377ul\377\25<\201@\0\377u4\350\216\362\377\377\205\300\211El\17\204\301\10\0\0\213El\213M\0\306D\10\377\0\307E,\5\0\0\0\353!\203}\10\0\17\204-\10\0\0\213M\4\213Eh\17\266\11\377M\10\301\340\10\13\301\377E\4\211Eh\213E,\377M,\205\300u\325\213E\24#EX\213M<\301\341\4\3\310\211E(\213Ep\2154H\307E\360\6\0\0\0\351`\6\0\03\3229U4uq\17\266E\30\213u\24#u\3\311\261\10*M8\323\350\213M8\323\346\213Mp\3\306\215\4@\301\340\11\203}<\4\215\204\10l\16\0\0\211E\34}\5\211U<\353\20\203}<\12}\6\203m<\3\353\4\203m<\69U@t\34\213E`+EH", ) == 0x0 00773 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\4\103\333\210E\31C\353e3\333C\351\316\1\0\0\213Ep\213M<\307E@\1\0\0\0\215\264H\200\1\0\0\307E\360\7\0\0\0\351\310\5\0\0\203}\10\0\17\204P\7\0\0\213M\4\213Eh\17\266\11\301ed\10\377M\10\301\340\10\13\301\377E\4\211Eh\213E49E,\17\205\257\0\0\0\201\373\0\1\0\0\17\215\11\1\0\0\17\266E\31\320e\31\213M\34\301\350\7\211E,@\301\340\10\3\303\2154Af\213\6\213Md\17\267\320\301\351\13\17\257\3129Mh\211u s\32\203e4\0\211Md\271\0\10\0\0+\312\301\371\5\3\310f\211\16\321\343\353\37)Md)Mh3\311f\213\310f\301\351\5\307E4\1\0\0\0\215\\33\1+\301f\211\6\201}d\0\0\0\1\211]0\17\203o\377\377\377\351E\377\377\377\203}\10\0\17\204\236\6\0\0\213M\4\213Eh\17\266\11\301ed\10\377M\10\301\340\10\13\301\377E\4\211Eh\201\373\0\1\0\0}^\213E\34\213Md\215\24\33\2154\2f\213\6\17\267\370\301\351\13\17\257\3179Mh\211u s\26\211Md\271\0\10\0\0+\317\301\371\5\3\310f\211\16\321\343\353\27)Md)Mh3\311f\213\310f\301\351\5\215Z\1+\301f\211\6\201}d\0\0\0\1\211]0s\237\351u\377\377\377\203e@\0\212E0\210E\30\203}\20\0\17\204\33\6\0\0\212E\30\213M\14\213Ul\377E\24\377E\14\377M\20\210\1\213M`\210\4\21\215A\13\322\367u\0\351\214\1\0\0\203}\10\0\17\204\341\5\0\0\213M\4\213Eh\17\266\11\301ed\10\377M\10\301\340\10\13\301\377E\4\211Eh\201\373\0\1\0\0}\234\213E\34\213Md\215\24\33\2154\2f\213\6\17\267\370\301\351", ) , ) == 0x0 00774 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\211Md\271\0\10\0\0+\317\301\371\5\3\310f\211\16\321\343\353\27)Md)Mh3\311f\213\310f\301\351\5\215Z\1+\301f\211\6\201}d\0\0\0\1\211]0s\237\351u\377\377\377\203}4\1u\31\213Ep\213M<\215\264H\230\1\0\0\307E\360\10\0\0\0\351\235\3\0\0\213EP\211ET\213EL\211EP\213EH\211EL3\300\203}<\7\307E\364\26\0\0\0\17\235\300H\203\340\375\203\300\12\211E<\213Ep\5d\6\0\0\211E\34\213u\34\307E\360\22\0\0\0\351W\3\0\0\203}4\0u\36\213E<\213Mp\203\300\17\301\340\4\3E(\307E\360\11\0\0\0\2154A\3513\3\0\0\213Ep\213M<\215\264H\260\1\0\0\307E\360\12\0\0\0\351\32\3\0\0\203}4\0\17\205\253\0\0\0\203}\24\0\17\204\5\5\0\03\300\203}<\7\17\235\300\215D\0\11\211E<\203}\20\0\17\204\242\4\0\0\213E`+EH;E\0r\3\3E\0\213Ul\212\14\20\213E`\210\14\20@3\322\367u\0\377E\24\213E\14\377E\14\377M\20\210M\30\210\10\211U`\307E\354\2\0\0\0\351\336\372\377\377\203}4\0u\5\213EL\3533\213Ep\213M<\215\264H\310\1\0\0\307E\360\13\0\0\0\351\210\2\0\0\203}4\0u\5\213EP\353\11\213MP\213ET\211MT\213ML\211MP\213MH\211ML\211EH\213Ep\5h\12\0\0\211E\34\307E\364\25\0\0\0\351\350\376\377\3773\300\203}<\7\17\235\300H\203\340\375\203\300\13\211E<\351\234\1\0\0\213ED\203\370\4|\3j\3X\213Mp\301\340\7\215\204\10`\3\0\0\211E\34\307E4\6\0\0\0\307E\370\31\0\0\0\351\311\2\0\0\203\373", ) , ) == 0x0 00775 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "I\203\310\2\323\340\203\373\16\211EH}\24\213Up+\303\215\204B^\5\0\0\211M4\351\201\0\0\03\333\203\301\374\211M,\3533\211]H\351)\1\0\0\203}\10\0\17\204{\3\0\0\213M\4\213Eh\17\266\11\301ed\10\377M\10\301\340\10\13\301\377E\4\211Eh\213EH\377M,\203},\0~'\213Mh\321md\321\343;Md\211]0r\14\213Md)Mh\203\313\1\211]0\201}d\0\0\0\1s\322\353\250\301\343\4\3\303\211EH\213Ep\5D\6\0\0\307E4\4\0\0\03\333\211E\34\307E$\1\0\0\0\211]0\211],\353(\203}\10\0\17\204\1\3\0\0\213M\4\213Eh\17\266\11\301ed\10\377M\10\301\340\10\13\301\377E\4\211Eh\377E,\213E49E,}s\213}$\213E\34\213Ud\3\377\2154\7f\213\6\17\267\310\301\352\13\17\257\3219Uh\211u s\27\211Ud\272\0\10\0\0+\321\301\372\5\3\320\321e$f\211\26\353,3\311A)Ud)Uh\213\331\213M,\323\343\213\313\213]0\13\3313\311f\213\310f\301\351\5\211]0+\301Gf\211\6\211}$\201}d\0\0\0\1s\207\351]\377\377\377\1]H\377EH\213EH\205\300\17\204`\2\0\0;E\24\17\207\205\2\0\0\203ED\2\213ED\1E\24\203}\20\0\17\204I\2\0\0\213E`+EH;E\0r\3\3E\0\213Ul\212\14\20\213E`\210\14\20@3\322\367u\0\213E\14\377E\14\377M\20\377MD\203}D\0\210M\30\210\10\211U`\177\274\351{\375\377\377\203}4\0u \213E(\203eD\0\213M\34\301\340\4\215D\1\4\211E\34\307E4\3\0\0\0\351\307\0\0\0\213u\34\203\306\2\307", ) , ) == 0x0 00776 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\213Md\17\267\320\301\351\13\17\257\3129Mhs\30\211Md\271\0\10\0\0+\312\301\371\5\3\310\203e4\0f\211\16\353\33)Md)Mh3\311f\213\310f\301\351\5\307E4\1\0\0\0+\301f\211\6\201}d\0\0\0\1s%\203}\10\0\17\204\203\1\0\0\213M\4\213Eh\17\266\11\301ed\10\377M\10\301\340\10\13\301\377E\4\211Eh\213E\360\211E\354\351\257\367\377\377\203}4\0u\34\213E(\213M\34\301\340\4\307ED\10\0\0\0\215\204\1\4\1\0\0\351?\377\377\377\201E\34\4\2\0\0\307ED\20\0\0\0\307E4\10\0\0\0\307E\370\24\0\0\0\213E4\307E$\1\0\0\0\211E,\353(\203}\10\0\17\204\17\1\0\0\213M\4\213Eh\17\266\11\301ed\10\377M\10\301\340\10\13\301\377E\4\211Eh\377M,\203},\0~_\213U$\213E\34\213Md\3\322\2154\2f\213\6\17\267\370\301\351\13\17\257\3179Mh\211u s\27\211Md\271\0\10\0\0+\317\301\371\5\3\310\321e$f\211\16\353\30)Md)Mh3\311f\213\310f\301\351\5+\301Bf\211\6\211U$\201}d\0\0\0\1s\235\351s\377\377\377\213M4\213]$3\300@\323\340+\330\213E\370\211]0\351\6\377\377\377\1]D\213E\364\351\373\376\377\377\307E\354\1\0\0\0\353g\307E\354\3\0\0\0\353^\307E\354\15\0\0\0\353U\307E\354\16\0\0\0\353L\307E\354\17\0\0\0\353C\307E\354\32\0\0\0\353:\307E\354\33\0\0\0\3531\307E\354\14\0\0\0\353(\307E\354\20\0\0\0\353\37\203MD\377\353\31\307E\354\34\0\0\0\353\20\307E\354\5\0\0\0\353\7\307E\354\30\0\0\0\213}|j"Y\215u\354\363", ) Y\215u\354\363", ) == 0x0 00777 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\305t\311\303?j@\0\341j@\0wk@\0Lk@\0\375q@\0Mr@\0\232k@\0>n@\0\243n@\0\340n@\0No@\0ro@\04p@\02l@\0\355l@\0\263m@\0\267p@\0\224n@\0\307q@\0}r@\0os@\0\254o@\0\304o@\0\273r@\0\312r@\0\362o@\0\202m@\0\4o@\0~q@\0\377%\210\202@\0\377%\204\202@\0\377%\200\202@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00778 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\4\233\0\0"\233\0\00\233\0\0@\233\0\0\210\233\0\0v\233\0\0d\233\0\0P\233\0\0\24\233\0\0\0\0\0\0\21\0\0\200t\221\0\0`\221\0\0\212\221\0\0\0\0\0\0\334\232\0\0\314\232\0\0\266\232\0\0\240\232\0\0\224\232\0\0\204\232\0\0\354\232\0\0t\232\0\0\0\0\0\0\370\222\0\0\12\223\0\0\32\223\0\0.\223\0\0>\223\0\0T\223\0\0j\223\0\0\206\223\0\0\240\223\0\0\254\223\0\0\272\223\0\0\310\223\0\0\336\223\0\0\360\223\0\0\376\223\0\0\22\224\0\0&\224\0\02\224\0\0>\224\0\0V\224\0\0l\224\0\0t\224\0\0\204\224\0\0\222\224\0\0\350\222\0\0\266\224\0\0\312\224\0\0\330\224\0\0\354\224\0\0\370\224\0\0\4\225\0\0\26\225\0\0.\225\0\0>\225\0\0V\225\0\0j\225\0\0z\225\0\0\210\225\0\0\226\225\0\0\246\225\0\0\270\225\0\0\314\225\0\0\330\225\0\0\344\225\0\0\364\225\0\0\6\226\0\0\26\226\0\0,\226\0\0B\226\0\0\372\221\0\0\4\222\0\0\326\222\0\0\310\222\0\0\262\222\0\0\224\222\0\0\22\222\0\0x\222\0\0l\222\0\0`\222\0\0N\222\0\0B\222\0\02\222\0\0 \222\0\0\240\224\0\0\0\0\0\0\274\233\0\0\344\233\0\0\372\233\0\0\10\234\0\0\250\233\0\0\314\233\0\0\0\0\0\0\262\227\0\0\304\227\0\0\326\227\0\0\342\227\0\0\362\227\0\0\10\230\0\0\30\230\0\0$\230\0\02\230\0\0D\230\0\0R\230\0\0^\230\0\0p\230\0\0\204\230\0\0\232\230\0\0\254\230\0\0\274\230\0\0\316\230\0\0\340\230\0\0\356\230\0\0\0\231\0\0\24\231\0\0&\231\0\06\231\0\0H\231\0\0X\231\0\0f\231\0\0x\231\0\0\214\231\0\0", ) 
\233\0\00\233\0\0@\233\0\0\210\233\0\0v\233\0\0d\233\0\0P\233\0\0\24\233\0\0\0\0\0\0\21\0\0\200t\221\0\0`\221\0\0\212\221\0\0\0\0\0\0\334\232\0\0\314\232\0\0\266\232\0\0\240\232\0\0\224\232\0\0\204\232\0\0\354\232\0\0t\232\0\0\0\0\0\0\370\222\0\0\12\223\0\0\32\223\0\0.\223\0\0>\223\0\0T\223\0\0j\223\0\0\206\223\0\0\240\223\0\0\254\223\0\0\272\223\0\0\310\223\0\0\336\223\0\0\360\223\0\0\376\223\0\0\22\224\0\0&\224\0\02\224\0\0>\224\0\0V\224\0\0l\224\0\0t\224\0\0\204\224\0\0\222\224\0\0\350\222\0\0\266\224\0\0\312\224\0\0\330\224\0\0\354\224\0\0\370\224\0\0\4\225\0\0\26\225\0\0.\225\0\0>\225\0\0V\225\0\0j\225\0\0z\225\0\0\210\225\0\0\226\225\0\0\246\225\0\0\270\225\0\0\314\225\0\0\330\225\0\0\344\225\0\0\364\225\0\0\6\226\0\0\26\226\0\0,\226\0\0B\226\0\0\372\221\0\0\4\222\0\0\326\222\0\0\310\222\0\0\262\222\0\0\224\222\0\0\22\222\0\0x\222\0\0l\222\0\0`\222\0\0N\222\0\0B\222\0\02\222\0\0 \222\0\0\240\224\0\0\0\0\0\0\274\233\0\0\344\233\0\0\372\233\0\0\10\234\0\0\250\233\0\0\314\233\0\0\0\0\0\0\262\227\0\0\304\227\0\0\326\227\0\0\342\227\0\0\362\227\0\0\10\230\0\0\30\230\0\0$\230\0\02\230\0\0D\230\0\0R\230\0\0^\230\0\0p\230\0\0\204\230\0\0\232\230\0\0\254\230\0\0\274\230\0\0\316\230\0\0\340\230\0\0\356\230\0\0\0\231\0\0\24\231\0\0&\231\0\06\231\0\0H\231\0\0X\231\0\0f\231\0\0x\231\0\0\214\231\0\0", ) == 0x0 00779 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\312\231\0\0\334\231\0\0\354\231\0\0\376\231\0\0\26\232\0\0(\232\0\0:\232\0\0L\232\0\0Z\232\0\0\234\227\0\0\216\227\0\0\202\227\0\0v\227\0\0`\227\0\0P\227\0\0D\227\0\06\227\0\0$\227\0\0\26\227\0\0\16\227\0\0\376\226\0\0\356\226\0\0\332\226\0\0\310\226\0\0\246\226\0\0\230\226\0\0\210\226\0\0|\226\0\0p\226\0\0d\226\0\0\270\226\0\0\0\0\0\0\324\221\0\0\276\221\0\0\254\221\0\0\0\0\0\0F\234\0\0X\234\0\02\234\0\0\0\0\0\0logging set to %d\0\0\0settings logging to %d\0\0File Extraction: failed createprocess on uninstaller ("%s")\0File Extraction: success ("%s")\0" _?=\0\0\0 /x "\0\0\0created uninstaller: %d, "%s"\0\0\0WriteReg: error creating key %d\%s\0\0WriteRegBin: set %d\%s\%s with %d bytes\0WriteRegDWORD: set %d\%s\%s to %d\0\0\0WriteRegStr: set %d\%s\%s to %s\0DeleteRegKey", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\312\231\0\0\334\231\0\0\354\231\0\0\376\231\0\0\26\232\0\0(\232\0\0:\232\0\0L\232\0\0Z\232\0\0\234\227\0\0\216\227\0\0\202\227\0\0v\227\0\0`\227\0\0P\227\0\0D\227\0\06\227\0\0$\227\0\0\26\227\0\0\16\227\0\0\376\226\0\0\356\226\0\0\332\226\0\0\310\226\0\0\246\226\0\0\230\226\0\0\210\226\0\0|\226\0\0p\226\0\0d\226\0\0\270\226\0\0\0\0\0\0\324\221\0\0\276\221\0\0\254\221\0\0\0\0\0\0F\234\0\0X\234\0\02\234\0\0\0\0\0\0logging set to %d\0\0\0settings logging to %d\0\0File Extraction: failed createprocess on uninstaller ("%s")\0File Extraction: success ("%s")\0" _?=\0\0\0 /x "\0\0\0created uninstaller: %d, "%s"\0\0\0WriteReg: error creating key %d\%s\0\0WriteRegBin: set %d\%s\%s with %d bytes\0WriteRegDWORD: set %d\%s\%s to %d\0\0\0WriteRegStr: set %d\%s\%s to %s\0DeleteRegKey", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\312\231\0\0\334\231\0\0\354\231\0\0\376\231\0\0\26\232\0\0(\232\0\0:\232\0\0L\232\0\0Z\232\0\0\234\227\0\0\216\227\0\0\202\227\0\0v\227\0\0`\227\0\0P\227\0\0D\227\0\06\227\0\0$\227\0\0\26\227\0\0\16\227\0\0\376\226\0\0\356\226\0\0\332\226\0\0\310\226\0\0\246\226\0\0\230\226\0\0\210\226\0\0|\226\0\0p\226\0\0d\226\0\0\270\226\0\0\0\0\0\0\324\221\0\0\276\221\0\0\254\221\0\0\0\0\0\0F\234\0\0X\234\0\02\234\0\0\0\0\0\0logging set to %d\0\0\0settings logging to %d\0\0File Extraction: failed createprocess on uninstaller ("%s")\0File Extraction: success ("%s")\0" _?=\0\0\0 /x "\0\0\0created uninstaller: %d, "%s"\0\0\0WriteReg: error creating key %d\%s\0\0WriteRegBin: set %d\%s\%s with %d bytes\0WriteRegDWORD: set %d\%s\%s to %d\0\0\0WriteRegStr: set %d\%s\%s to %s\0DeleteRegKey", ) _?=\0\0\0 /x (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\312\231\0\0\334\231\0\0\354\231\0\0\376\231\0\0\26\232\0\0(\232\0\0:\232\0\0L\232\0\0Z\232\0\0\234\227\0\0\216\227\0\0\202\227\0\0v\227\0\0`\227\0\0P\227\0\0D\227\0\06\227\0\0$\227\0\0\26\227\0\0\16\227\0\0\376\226\0\0\356\226\0\0\332\226\0\0\310\226\0\0\246\226\0\0\230\226\0\0\210\226\0\0|\226\0\0p\226\0\0d\226\0\0\270\226\0\0\0\0\0\0\324\221\0\0\276\221\0\0\254\221\0\0\0\0\0\0F\234\0\0X\234\0\02\234\0\0\0\0\0\0logging set to %d\0\0\0settings logging to %d\0\0File Extraction: failed createprocess on uninstaller ("%s")\0File Extraction: success ("%s")\0" _?=\0\0\0 /x "\0\0\0created uninstaller: %d, "%s"\0\0\0WriteReg: error creating key %d\%s\0\0WriteRegBin: set %d\%s\%s with %d bytes\0WriteRegDWORD: set %d\%s\%s to %d\0\0\0WriteRegStr: set %d\%s\%s to %s\0DeleteRegKey", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\312\231\0\0\334\231\0\0\354\231\0\0\376\231\0\0\26\232\0\0(\232\0\0:\232\0\0L\232\0\0Z\232\0\0\234\227\0\0\216\227\0\0\202\227\0\0v\227\0\0`\227\0\0P\227\0\0D\227\0\06\227\0\0$\227\0\0\26\227\0\0\16\227\0\0\376\226\0\0\356\226\0\0\332\226\0\0\310\226\0\0\246\226\0\0\230\226\0\0\210\226\0\0|\226\0\0p\226\0\0d\226\0\0\270\226\0\0\0\0\0\0\324\221\0\0\276\221\0\0\254\221\0\0\0\0\0\0F\234\0\0X\234\0\02\234\0\0\0\0\0\0logging set to %d\0\0\0settings logging to %d\0\0File Extraction: failed createprocess on uninstaller ("%s")\0File Extraction: success ("%s")\0" _?=\0\0\0 /x "\0\0\0created uninstaller: %d, "%s"\0\0\0WriteReg: error creating key %d\%s\0\0WriteRegBin: set %d\%s\%s with %d bytes\0WriteRegDWORD: set %d\%s\%s to %d\0\0\0WriteRegStr: set %d\%s\%s to %s\0DeleteRegKey", ) , ) == 0x0 00780 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "teRegValue: %d\%s\%s\0\0\0\0WriteINIStr: wrote [%s] %s=%s in %s\0\0\0\0\0CopyFiles "%s"->"%s"\0\0\0\0\0\0\0\0CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d\0\0\0Error registering DLL: Could not initialize OLE\0Error registering DLL: Could not load '%s' -> '%s'\0\0Error registering DLL: %s not found in %s\0\0\0RegDLL: Could not load '%s' -> '%s'\0\\0\0\0Exec: failed createprocess ("%s")\0\0\0Exec: success ("%s")\0\0\0\0Exec: command="%s"\0\0ExecShell: success ("%s": file:"%s" params:"%s")\0\0\0\0ExecShell: warning: ", ) , ) == 0x0 00781 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, " file:"%s" params:"%s")=%d\0\0%s %s\0\0\0HideWindow\0\0Pop: stack empty\0\0\0\0Exch: stack < %d elements\0\0\0RMDir: "%s"\0MessageBox: %d,"%s"\0Delete: "%s"\0\0\0\0%s\0\0File: wrote %d to "%s"\0\0File: error, user cancel\0\0\0\0File: skipped: "%s" (overwriteflag=%d)\0\0File: error, user abort\0File: error, user retry\0File: error creating "%s"\0\0\0File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"\0\0\0\0Rename failed: %s\0\0\0Rename on reboot: %s\0\0\0\0Rename: %s\0\0->\0\0IfFileExists: file "%s" does not exist, jumping %d\0\0IfFileExists", ) , ) == 0x0 00782 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "exists, jumping %d\0\0CreateDirectory: "%s" (%d)\0\0SetFileAttributes failed.\0\0\0SetFileAttributes: "%s":%08X\0\0\0\0BringToFront\0\0\0\0Sleep(%d)\0\0\0detailprint: %s\0Call: %d\0\0\0\0Aborting: "%s"\0\0Jump: %d\0\0\0\0... %d%%\0\0\0\0unpacking data: %d%%\0\0\0\0\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "exists, jumping %d\0\0CreateDirectory: "%s" (%d)\0\0SetFileAttributes failed.\0\0\0SetFileAttributes: "%s":%08X\0\0\0\0BringToFront\0\0\0\0Sleep(%d)\0\0\0detailprint: %s\0Call: %d\0\0\0\0Aborting: "%s"\0\0Jump: %d\0\0\0\0... %d%%\0\0\0\0unpacking data: %d%%\0\0\0\0\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "exists, jumping %d\0\0CreateDirectory: "%s" (%d)\0\0SetFileAttributes failed.\0\0\0SetFileAttributes: "%s":%08X\0\0\0\0BringToFront\0\0\0\0Sleep(%d)\0\0\0detailprint: %s\0Call: %d\0\0\0\0Aborting: "%s"\0\0Jump: %d\0\0\0\0... %d%%\0\0\0\0unpacking data: %d%%\0\0\0\0\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "exists, jumping %d\0\0CreateDirectory: "%s" (%d)\0\0SetFileAttributes failed.\0\0\0SetFileAttributes: "%s":%08X\0\0\0\0BringToFront\0\0\0\0Sleep(%d)\0\0\0detailprint: %s\0Call: %d\0\0\0\0Aborting: "%s"\0\0Jump: %d\0\0\0\0... %d%%\0\0\0\0unpacking data: %d%%\0\0\0\0\0\0\0\0The installer you are trying to use is corrupted or incomplete.\12This could be the result of a damaged disk, a failed download or a virus.\12\12You may want to contact the author of this installer to obtain a new copy.\12\12It may be possible to skip this check using the /NCRC", ) , ) == 0x0 00783 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "e switch\12(NOT RECOMMENDED).\0\0\0\0\0Error writing temporary file. Make sure your temp folder is valid.\0\0verifying installer: %d%%\0\0\0Error launching installer\0\0\0SeShutdownPrivilege\0AdjustTokenPrivileges\0\0\0LookupPrivilegeValueA\0\0\0OpenProcessToken\0\0\0\0ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0Out of Memory\0\0\0Extraction pathname not properly delimited.\12\12Try using quotes or a shorter path.\0\0\0\0C:\NSIS_ExtractFiles\\0\0\0\Temp\0\0\0NSIS Error\0\0install.log\0open\0\0\0\0%u.%u%s%s\0\0\0GetDiskFreeSpaceExA\0KERNEL32.dll\0\0\0\0Section: "%s"\0\0\0", ) \0\0Out of Memory\0\0\0Extraction pathname not properly delimited.\12\12Try using quotes or a shorter path.\0\0\0\0C:\NSIS_ExtractFiles\\0\0\0\Temp\0\0\0NSIS Error\0\0install.log\0open\0\0\0\0%u.%u%s%s\0\0\0GetDiskFreeSpaceExA\0KERNEL32.dll\0\0\0\0Section: (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "e switch\12(NOT RECOMMENDED).\0\0\0\0\0Error writing temporary file. 
Make sure your temp folder is valid.\0\0verifying installer: %d%%\0\0\0Error launching installer\0\0\0SeShutdownPrivilege\0AdjustTokenPrivileges\0\0\0LookupPrivilegeValueA\0\0\0OpenProcessToken\0\0\0\0ADVAPI32.dll\0\0\0\0 _?=\0\0\0\0" \0\0Out of Memory\0\0\0Extraction pathname not properly delimited.\12\12Try using quotes or a shorter path.\0\0\0\0C:\NSIS_ExtractFiles\\0\0\0\Temp\0\0\0NSIS Error\0\0install.log\0open\0\0\0\0%u.%u%s%s\0\0\0GetDiskFreeSpaceExA\0KERNEL32.dll\0\0\0\0Section: "%s"\0\0\0", ) \0\0\0", ) == 0x0 00784 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) %s (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) :\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed( (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) )\0RMDir: RemoveDirectory on Reboot( (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) )\0\0RMDir: RemoveDirectory( (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) )\0\0\0\0Delete: DeleteFile failed( (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) )\0Delete: DeleteFile on Reboot( (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) )\0\0Delete: DeleteFile( (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "tion: "%s"\0\0New install of "%s" to "%s"\0.exe\0\0\0\0%d\0\0*?|<>/":\0\0\0\0\15\12\0\0\12[\0\0[Rename]\15\12\0\0\wininit.ini\0\0\0\0%s=%s\15\12\0NUL\0MoveFileExA\0C:\Program Files\0\0\0\0ProgramFilesDir\0Software\Microsoft\Windows\CurrentVersion\0\0\0CommonFilesDir\0\0\Microsoft\Internet Explorer\Quick Launch\0\0\0RMDir: RemoveDirectory failed("%s")\0RMDir: RemoveDirectory on Reboot("%s")\0\0RMDir: RemoveDirectory("%s")\0\0\0\0Delete: DeleteFile failed("%s")\0Delete: DeleteFile on Reboot("%s")\0\0Delete: DeleteFile("%s")\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) )\0\0\0\0\*.*\0\0\0\0\356\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\1\24\2\0\0\0\0\0", ) == 0x0 00785 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\0\0\0\300\0\0\0\0\0\0F\350\216\0\0\0\0\0\0\0\0\0\0\236\221\0\0(\200\0\0@\221\0\0\0\0\0\0\0\0\0\0\356\221\0\0\200\202\0\0 \217\0\0\0\0\0\0\0\0\0\0V\226\0\0`\200\0\0@\220\0\0\0\0\0\0\0\0\0\0h\232\0\0\200\201\0\0\374\216\0\0\0\0\0\0\0\0\0\0\372\232\0\0<\200\0\0\300\216\0\0\0\0\0\0\0\0\0\0\232\233\0\0\0\200\0\0$\220\0\0\0\0\0\0\0\0\0\0&\234\0\0d\201\0\0P\221\0\0\0\0\0\0\0\0\0\0h\234\0\0\220\202\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\233\0\0"\233\0\00\233\0\0@\233\0\0\210\233\0\0v\233\0\0d\233\0\0P\233\0\0\24\233\0\0\0\0\0\0\21\0\0\200t\221\0\0`\221\0\0\212\221\0\0\0\0\0\0\334\232\0\0\314\232\0\0\266\232\0\0\240\232\0\0\224\232\0\0\204\232\0\0\354\232\0\0t\232\0\0\0\0\0\0\370\222\0\0\12\223\0\0\32\223\0\0.\223\0\0>\223\0\0T\223\0\0j\223\0\0\206\223\0\0\240\223\0\0\254\223\0\0\272\223\0\0\310\223\0\0\336\223\0\0\360\223\0\0\376\223\0\0\22\224\0\0&\224\0\02\224\0\0>\224\0\0V\224\0\0l\224\0\0t\224\0\0\204\224\0\0\222\224\0\0\350\222\0\0\266\224\0\0\312\224\0\0\330\224\0\0\354\224\0\0\370\224\0\0\4\225\0\0\26\225\0\0.\225\0\0>\225\0\0V\225\0\0j\225\0\0z\225\0\0\210\225\0\0\226\225\0\0\246\225\0\0\270\225\0\0\314\225\0\0\330\225\0\0\344\225\0\0\364\225\0\0\6\226\0\0\26\226\0\0,\226\0\0B\226\0\0\372\221\0\0\4\222\0\0\326\222\0\0\310\222\0\0", ) 
\233\0\00\233\0\0@\233\0\0\210\233\0\0v\233\0\0d\233\0\0P\233\0\0\24\233\0\0\0\0\0\0\21\0\0\200t\221\0\0`\221\0\0\212\221\0\0\0\0\0\0\334\232\0\0\314\232\0\0\266\232\0\0\240\232\0\0\224\232\0\0\204\232\0\0\354\232\0\0t\232\0\0\0\0\0\0\370\222\0\0\12\223\0\0\32\223\0\0.\223\0\0>\223\0\0T\223\0\0j\223\0\0\206\223\0\0\240\223\0\0\254\223\0\0\272\223\0\0\310\223\0\0\336\223\0\0\360\223\0\0\376\223\0\0\22\224\0\0&\224\0\02\224\0\0>\224\0\0V\224\0\0l\224\0\0t\224\0\0\204\224\0\0\222\224\0\0\350\222\0\0\266\224\0\0\312\224\0\0\330\224\0\0\354\224\0\0\370\224\0\0\4\225\0\0\26\225\0\0.\225\0\0>\225\0\0V\225\0\0j\225\0\0z\225\0\0\210\225\0\0\226\225\0\0\246\225\0\0\270\225\0\0\314\225\0\0\330\225\0\0\344\225\0\0\364\225\0\0\6\226\0\0\26\226\0\0,\226\0\0B\226\0\0\372\221\0\0\4\222\0\0\326\222\0\0\310\222\0\0", ) == 0x0 00786 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "x\222\0\0l\222\0\0`\222\0\0N\222\0\0B\222\0\02\222\0\0 
\222\0\0\240\224\0\0\0\0\0\0\274\233\0\0\344\233\0\0\372\233\0\0\10\234\0\0\250\233\0\0\314\233\0\0\0\0\0\0\262\227\0\0\304\227\0\0\326\227\0\0\342\227\0\0\362\227\0\0\10\230\0\0\30\230\0\0$\230\0\02\230\0\0D\230\0\0R\230\0\0^\230\0\0p\230\0\0\204\230\0\0\232\230\0\0\254\230\0\0\274\230\0\0\316\230\0\0\340\230\0\0\356\230\0\0\0\231\0\0\24\231\0\0&\231\0\06\231\0\0H\231\0\0X\231\0\0f\231\0\0x\231\0\0\214\231\0\0\230\231\0\0\250\231\0\0\272\231\0\0\312\231\0\0\334\231\0\0\354\231\0\0\376\231\0\0\26\232\0\0(\232\0\0:\232\0\0L\232\0\0Z\232\0\0\234\227\0\0\216\227\0\0\202\227\0\0v\227\0\0`\227\0\0P\227\0\0D\227\0\06\227\0\0$\227\0\0\26\227\0\0\16\227\0\0\376\226\0\0\356\226\0\0\332\226\0\0\310\226\0\0\246\226\0\0\230\226\0\0\210\226\0\0|\226\0\0p\226\0\0d\226\0\0\270\226\0\0\0\0\0\0\324\221\0\0\276\221\0\0\254\221\0\0\0\0\0\0F\234\0\0X\234\0\02\234\0\0\0\0\0\08\0ImageList_Destroy\04\0ImageList_AddMasked\07\0ImageList_Create\0\0COMCTL32.dll\0\0\12\0VerQueryValueA\0\0\0\0GetFileVersionInfoA\0\1\0GetFileVersionInfoSizeA\0VERSIO", ) , ) == 0x0 00787 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "iv\0\0|\0DeleteFileA\0\365\1GlobalFree\0\0\311\0FindFirstFileA\0\0\323\0FindNextFileA\0\305\0FindClose\0\16\3SetFilePointer\0\0\251\2ReadFile\0\0\224\3WriteFile\0\224\1GetPrivateProfileStringA\0\0\231\3WritePrivateProfileStringA\0\0k\2MultiByteToWideChar\0\357\0FreeLibrary\0\230\1GetProcAddress\0\0H\2LoadLibraryA\0\0\352\0FormatMessageA\0\0i\1GetLastError\0\0w\1GetModuleHandleA\0\0\10\3SetErrorMode\0\0R\1GetExitCodeProcess\0\0\203\3WaitForSingleObject\0\262\0ExpandEnvironmentStringsA\0P\1GetEnvironmentVariableA\0\263\3lstrcmpiA\0.\0CloseHandle\0\22\3SetFileTime\0V\1GetFileAttributesA\0\03\0CompareFileTime\0\316\2Se", ) , ) == 0x0 00788 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "GetShortPathNameA\0a\1GetFullPathNameA\0\0d\2MoveFileA\0\255\3lstrcatA\0\0\375\2SetCurrentDirectoryA\0\0\14\3SetFileAttributesA\0\0G\3Sleep\0\325\1GetTickCount\0\0M\0CreateFileA\0[\1GetFileSize\0u\1GetModuleFileNameA\0\0E\0CreateDirectoryA\0\0\257\0ExitProcess\0:\1GetCurrentProcess\0=\0CopyFileA\0\271\3lstrcpynA\0\10\1GetCommandLineA\0\351\1GetWindowsDirectoryA\0\0\313\1GetTempPathA\0\0\332\1GetUserDefaultLangID\0\0E\1GetDiskFreeSpaceA\0\0\2GlobalUnlock\0\0\371\1GlobalLock\0\0\356\1GlobalAlloc\0i\0CreateThread\0\0`\0CreateProcessA\0\0\311\1GetTempFileNameA\0\0\266\3lstrcpyA\0\0\274\3lstrlenA\0\0\3\3SetEndOfFile\0\0", ) , ) == 0x0 00789 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "fFile\0^\2MapViewOfFile\0N\0CreateFileMappingA\0\0\271\1GetSystemDirectoryA\0\270\2RemoveDirectoryA\0\0KERNEL32.dll\0\0\310\0EndPaint\0\0\274\0DrawTextA\0\342\0FillRect\0\0\377\0GetClientRect\0\15\0BeginPaint\0\0\216\0DefWindowProcA\0\0;\2SendMessageA\0\0\223\1InvalidateRect\0\0\241\0DispatchMessageA\0\0\377\1PeekMessageA\0\0\304\0EnableWindow\0\0\14\1GetDC\0\277\1LoadImageA\0\0\200\2SetWindowLongA\0\0\21\1GetDlgItem\0\0\255\1IsWindow\0\0\344\0FindWindowExA\0>\2SendMessageTimeoutA\0\326\2wsprintfA\0-\0CharPrevA\0\222\2ShowWindow\0\0W\2SetForegroundWindow\0\3\2PostQuitMessage\0\206\2SetWindowTextA\0\0z\2SetTimer\0\0\231\0DestroyWindow\0U\0", ) , ) == 0x0 00790 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "ParamA\0\0\341\0ExitWindowsEx\0*\0CharNextA\0Z\1GetSysColor\0n\1GetWindowLongA\0\0\271\1LoadCursorA\0M\2SetCursor\08\0CheckDlgButton\0\0\362\0GetAsyncKeyState\0\0\243\1IsDlgButtonChecked\0\01\2ScreenToClient\0\0<\1GetMessagePos\0\33\0CallWindowProcA\0\261\1IsWindowVisible\0\267\1LoadBitmapA\0B\0CloseClipboard\0\0J\2SetClipboardData\0\0\301\0EmptyClipboard\0\0\365\1OpenClipboard\0\244\2TrackPopupMenu\0\0t\1GetWindowRect\0\10\0AppendMenuA\0^\0CreatePopupMenu\0]\1GetSystemMetrics\0\0\306\0EndDialog\0G\2SetClassLongA\0\256\1IsWindowEnabled\0\203\2SetWindowPos\0\0\236\0DialogBoxParamA\0\366\0GetClassInfoA\0`\0Create", ) , ) == 0x0 00791 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "SystemParametersInfoA\0\26\2RegisterClassA\0\0S\2SetDlgItemTextA\0\23\1GetDlgItemTextA\0\336\1MessageBoxA\0\330\2wvsprintfA\0\0USER32.dll\0\0\16\2SelectObject\0\0<\2SetTextColor\0\0\26\2SetBkMode\0:\0CreateFontIndirectA\0)\0CreateBrushIndirect\0\217\0DeleteObject\0\0k\1GetDeviceCaps\0\25\2SetBkColor\0\0GDI32.dll\0\320\1RegDeleteKeyA\0\311\1RegCloseKey\0\325\1RegEnumKeyA\0\342\1RegOpenKeyExA\0\331\1RegEnumValueA\0\354\1RegQueryValueExA\0\0\371\1RegSetValueExA\0\0\315\1RegCreateKeyExA\0\322\1RegDeleteValueA\0ADVAPI32.dll\0\0\232\0SHFileOperationA\0\0\6\1ShellExecuteA\0\273\0SHGetPathFromIDListA\0\0y\0SHBrowseForFol", ) , ) == 0x0 00792 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "tMalloc\0\302\0SHGetSpecialFolderLocation\0\0SHELL32.dll\0\20\0CoCreateInstance\0\0\4\1OleUninitialize\0\355\0OleInitialize\0ole32.dll\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00793 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "`dB\0\347\23@\0\6\0\0\0\377\377\377\377\377\377\377\377A~NSISu_.exe\0\0\0\0\377\377\377\377\214B@\0\224J@\0, ) , ) == 0x0 00794 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\5\0\0\0H\0\0\200\16\0\0\0`\0\0\200\20\0\0\0x\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\220\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\250\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0g\0\0\0\300\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\330\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\20\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0 \1\0\00\361\2\0\350\2\0\0\0\0\0\0\0\0\0\0\30\364\2\0`\0\0\0\0\0\0\0\0\0\0\0x\364\2\0\24\0\0\0\0\0\0\0\0\0\0\0\220\364\2\00\3\0\0\0\0\0\0\0\0\0\0(\0\0\0 \0\0\0@\0\0\0\1\0\4\0\0\0\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\200\0\0\0\200\200\0\0\0\0\200\0\0\200\200\0\200\0\200\0\200\200\200\0\300\300\300\0\0\377\0\0\377\0\0\0\377\377\0\0\0\0\377\0\0\377\377\0\377\0\377\0\377\377\377\0\0\0\0\0\0\0\0\7w\0\0\0\0\0\0\0\0\0\0\0\0\0\7x\215\335\220\0\0\0\0\0\0x\370\360\0\0\177\217\210\335\231\220\0\0\0\0\0\177\217\200p\7\207\370\375\331\231\210\0\0\0\0\0x\370\360\207\7x\177\210\331\230\210\0\0\0\0\0\177\217\200xw\207\207\370\331\210\213", ) , ) == 0x0 00795 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "p\11\213\273\260\0\0\0\0\177\217\200xw\207\207\0\0\273\270\200\0\0\0\0x\370\360\207x\210\273\0\0xxp\0\0\0\0\177\217\200xx\273\211\260\7\207\207\200\0\0\0\0\177\377\360\207{\270\233\275\377xxp\0\0\0\0\177\377\360xw\211\273\275\370\367\207\0\0\0\0\0\177\377\360\207\207\233\273\335\217\217x\10\210\210\0\0\177\377\360\210\210{\275\335\210\370\360\0\0\210p\0\177\377\360\210\210\7}\335\210\200\7ww\210p\0\177\377\360\210\210\17\367ww\177\377\377\377\377p\0wwp\210\210\7wwwwwwwxp\0wwp\210\210\0\0\0\0\0\0\0\0\0\200\7\377\377\367\10\210\7\210\210\210\210\210\210\210\207\0wwwwp\210\7\377\377\377\377\377\377\377\207\0\0\0\7ww\10\7\360\0\0\0\0\0\17\207\0\0\0\0wwp\7\360\0\0\0\0\0\17\207\0\0\0\0\7\377\377\7\360\0\0\360\17\0\17\207\0\0\0\0\0wwp\360\0\0\360\17\0\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\0\0\377\377\360\17\207\0\0\0\0\0\0\0\7\360\17\377\360\0\0\17\207\0\0\0\0\0\0\0\7\360\0\377\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\360\0\0\0\0\0\17\207\0\0\0\0\0\0\0\7\377\377\377\377\377\377\377\207\0\0\0\0\0\0\0\0wwwwwwww\0\377\376\7\377\300\370\1\377\300p\0\377\300 \0\177\300\0\0\177\300\0\0?\300\0\0?\300\0`?\300\0`?\300\0\0?\300\0\0?\300\0\0\3\300\0\0\1\300\0\0\0\300\0\0\0\300\0\0\0\300\0\0\0\300\0\0\0\200\0\0\1\0\0\0\1\370\0\0\1\374\0\0\1\376\0\0\1", ) , ) == 0x0 00796 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, "\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\370\0\1\377\374\0\3\1\0\377\377\0\0\0\0\0\0\0\0\310\10\0\200\1\0\0\0\0\0\242\0\26\0\0\0\0\0\0\0\10\0\0\0\0\1M\0S\0 \0S\0h\0e\0l\0l\0 \0D\0l\0g\0\0\0\0\0\0\0\0\0\0\0\1\0\2P\7\0\7\0\224\0\10\0\6\4\0\0\377\377\202\0\0\0\0\0\0\0\1\0\1\0 \20\0\1\0\4\0\350\2\0\0\1\0\0\0\0\00\34\0\0\0V\0S\0_\0V\0E\0R\0S\0I\0O\0N\0_\0I\0N\0F\0O\0\0\0\0\0\275\4\357\376\0\0\0\0\1\0\6\0\2\0)\0\1\0\6\0\2\0)\0\0\0\0\0\0\0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\216\2\0\0\0\0S\0t\0r\0i\0n\0g\0F\0i\0l\0e\0I\0n\0f\0o\0\0\0j\2\0\0\0\00\04\00\09\00\04\0e\04\0\0\02\0\11\0\1\0C\0o\0m\0p\0a\0n\0y\0N\0a\0m\0e\0\0\0\0\0A\0O\0L\0 \0L\0L\0C\0.\0\0\0\0\0h\0 \0\1\0F\0i\0l\0e\0D\0e\0s\0c\0r\0i\0p\0t\0i\0o\0n\0\0\0\0\0A\0O\0L\0 \0D\0o\0w\0n\0l\0o\0a\0d\0 \0U\0t\0i\0l\0i\0t\0y\0 \06\0.\01\0.\04\01\0.\02\0.\01\0\0\06\0\13\0\1\0F\0i\0l\0e\0V\0e\0r\0s\0i\0o\0n\0\0\0\0\06\0.\01\0.\04\01\0.\02\0", ) , ) == 0x0 00797 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\1\0L\0e\0g\0a\0l\0C\0o\0p\0y\0r\0i\0g\0h\0t\0\0\0C\0o\0p\0y\0r\0i\0g\0h\0t\0 \0\251\0 \02\00\00\04\0-\02\00\00\06\0 \0-\0 \0A\0O\0L\0 \0L\0L\0C\0.\0 \0A\0l\0l\0 \0R\0i\0g\0h\0t\0s\0 \0R\0e\0s\0e\0r\0v\0e\0d\0.\0\0\0f\0\37\0\1\0L\0e\0g\0a\0l\0T\0r\0a\0d\0e\0m\0a\0r\0k\0s\0\0\0\0\0A\0O\0L\0 \0i\0s\0 \0a\0 \0t\0r\0a\0d\0e\0m\0a\0r\0k\0 \0o\0f\0 \0A\0O\0L\0 \0L\0L\0C\0.\0\0\0\0\0J\0\25\0\1\0P\0r\0o\0d\0u\0c\0t\0N\0a\0m\0e\0\0\0\0\0A\0O\0L\0 \0D\0o\0w\0n\0l\0o\0a\0d\0 \0U\0t\0i\0l\0i\0t\0y\0\0\0\0\0:\0\13\0\1\0P\0r\0o\0d\0u\0c\0t\0V\0e\0r\0s\0i\0o\0n\0\0\06\0.\01\0.\04\01\0.\02\0.\01\0\0\0\0\0D\0\0\0\0\0V\0a\0r\0F\0i\0l\0e\0I\0n\0f\0o\0\0\0\0\0$\0\4\0\0\0T\0r\0a\0n\0s\0l\0a\0t\0i\0o\0n\0\0\0\0\0\11\4\344\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00798 408 NtReadFile (76, 0, 0, 0, 512, 0x0, 0, ... 
{status=0x0, info=512}, (76, 0, 0, 0, 512, 0x0, 0, ... {status=0x0, info=512}, "\2\0\0\0\357\276\255\336NullsoftInst\312\14\0\0d\16\4\0]\0\0\0\1\0e\2\374\27\303\202a\241F\34\37kT\246\320\240\200\235\346\353\310>\374\257.\254\203\261w\260Z;!k\2471\11\354\225O\311\246\305\21\37\217\301\36H\222\32\214wK\230\211\4E\237M\32\37\337{\251~\377#\3161ER\\307eh\363\302I\26*\273\353\179\347\304\342\215\324x\377\227_\236\255}\217\376\301j\340'&\305_{N\272\14\31\1\335\33\352sq\266\347a\206\302R\346\257\344\347\3558\324P\377\363\360*A\230Bp\235\222k)\335\221Yw\220\215\244\276$\323\316\316\22/\202\17\236\25\256\215\34\160\272\304\354\241*\31h\202\224\265\261d\310\300\212\200\274\351q\304\335\254\213\13\200\362\326L\3210c\243H\345{\246\203\311\344\347\362\21<\265\335u\372\20\0T\230\370\307\344\362\1\25\326\323\250\13\203\337Q\171\31kMC`\267\246!\207\2019\14~\256\377j\221\366\366\373\251Z\256\326<\264\2312\245\341K\325\254Q\262m\261|\227\276$\241\264t-\242\213y"s\270@\3\361L\\242\244);t\245C\232\364\237v\200!\30h\305\334\353\360\221\232\306\311cY)+\177\207H\W\12\255W%6\21\262\211:H\240\10=\352\224wB}\310\15\276`\345\357\271\210\245\331\11Fm]uQ\252\312\25\37\262\267HB\223\13\306\301\302\321\361G\6\24\320\321%\31N+\312##:i\312\277yZ\240\272Y\363t\262\314.e\263\0L'\210:8P!c\321\201\305\376\330\365:\244\305z\331J\56\262B\2179\370E[\255?270@\3\361L\\242\244);t\245C\232\364\237v\200!\30h\305\334\353\360\221\232\306\311cY)+\177\207H\W\12\255W%6\21\262\211:H\240\10=\352\224wB}\310\15\276`\345\357\271\210\245\331\11Fm]uQ\252\312\25\37\262\267HB\223\13\306\301\302\321\361G\6\24\320\321%\31N+\312##:i\312\277yZ\240\272Y\363t\262\314.e\263\0L'\210:8P!c\321\201\305\376\330\365:\244\305z\331J\56\262B\2179\370E[\255?251\354\315\20ET\301\253\215\217\27\36\313\216\360\265\271\356.X\313\246Fs}O\270\260\267C\342fL", ) == 0x0 00799 408 NtClose (76, ... ) == 0x0 00800 408 NtUserDestroyWindow (131250, ... 00801 408 NtUserRemoveProp (131250, 43288, ... 
) == 0xffffffff 00802 408 NtUserRemoveProp (131250, 43282, ... ) == 0x0 00803 408 NtUserRemoveProp (131250, 43287, ... ) == 0x0 00800 408 NtUserDestroyWindow ... ) == 0x1 00804 408 NtUserUnregisterClass (1244984, 1998258176, 1244972, ... ) == 0x1 00805 408 NtUserModifyUserStartupInfoFlags (1, 0, ... ) == 0x810d68b8 00806 408 NtUserGetDCEx (0, 0, 3, ... ) == 0x1010051 00807 408 NtGdiSetupPublicCFONT (16842833, 0, 0, ... ) == 0x100 00808 408 NtGdiGetTextExtent (16842833, 1353088, 10, 1244416, 1, ... ) == 0x1 00809 408 NtUserGetForegroundWindow (... ) == 0x2005c 00810 408 NtUserQueryWindow (131164, 0, ... ) == 0x7e8 00811 408 NtUserQueryWindow (131164, 1, ... ) == 0x7ec 00812 408 NtGdiSetupPublicCFONT (16842833, 0, 0, ... ) == 0x100 00813 408 NtGdiGetTextMetricsW (16842833, 1243336, 68, ... ) == 0x1 00814 408 NtGdiGetTextCharsetInfo (16842833, 0, 0, ... ) == 0x0 00815 408 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x1404040a 00816 408 NtGdiGetRandomRgn (16842833, 335807498, 1, ... ) == 0x0 00817 408 NtGdiIntersectClipRect (16842833, 0, 0, 565, 738, ... ) == 0x3 00818 408 NtGdiExtSelectClipRgn (16842833, 0, 5, ... ) == 0x2 00819 408 NtGdiSetupPublicCFONT (0, 50987263, 6, ... ) == 0x3 00820 408 NtGdiGetTextCharsetInfo (16842833, 0, 0, ... ) == 0x0 00821 408 NtGdiGetRandomRgn (16842833, 352584714, 1, ... ) == 0x0 00822 408 NtGdiIntersectClipRect (16842833, 0, 0, 355, 738, ... ) == 0x3 00823 408 NtGdiExtSelectClipRgn (16842833, 0, 5, ... ) == 0x2 00824 408 NtUserCallOneParam (16842833, 56, ... ) == 0x1 00825 408 NtUserFindExistingCursorIcon (1243204, 1243220, 1243788, ... ) == 0x10011 00826 408 NtUserSetCursor (65553, ... ) == 0x10015 00827 408 NtUserCallOneParam (1, 49, ... ) == 0x1 00828 408 NtUserFindExistingCursorIcon (1243156, 1243172, 1243740, ... ) == 0x10015 00829 408 NtUserSetCursor (65557, ... ) == 0x10011 00830 408 NtGdiCreateCompatibleDC (0, ... ) == 0x19010404 00831 408 NtGdiExtGetObjectW (50987263, 92, 1243484, ... 
) == 0x5c 00832 408 NtGdiHfontCreate (1242920, 356, 0, 0, 1329784, ... ) == 0xc0a03ff 00833 408 NtGdiGetTextMetricsW (419496964, 1243424, 68, ... ) == 0x1 00834 408 NtGdiGetWidthTable (419496964, 52, 1334376, 308, 1334992, 1353936, 1353952, ... ) == 0x1 00835 408 NtGdiDeleteObjectApp (419496964, ... ) == 0x1 00836 408 NtUserGetForegroundWindow (... ) == 0x2005c 00837 408 NtUserQueryWindow (131164, 0, ... ) == 0x7e8 00838 408 NtUserQueryWindow (131164, 1, ... ) == 0x7ec 00839 408 NtUserGetAtomName (32770, 1242360, ... ) == 0x6 00840 408 NtUserCreateWindowEx (65793, 32770, 32770, (65793, 32770, 32770, "NSIS Error", -2134375995, 300, 306, 431, 185, 0, 0, 2010382336, 0, 1073742848, 0, ... , -2134375995, 300, 306, 431, 185, 0, 0, 2010382336, 0, 1073742848, 0, ... 00841 408 NtUserSetWindowFNID (196786, 676, ... ) == 0x1 00842 408 NtUserCallHwndParam (196786, 1352972, 78, ... ) == 0x14a50c 00843 408 NtUserMessageCall (0x300b2, WM_NCCREATE, 0x0, 0x12f4a4, 0, 670, 0, ... ) == 0x1 00844 408 NtUserMessageCall (0x300b2, WM_NCCALCSIZE, 0x0, 0x12f4cc, 0, 670, 0, ... ) == 0x0 00845 408 NtUserGetClassName (196786, 0, 1241484, ... ) == 0x6 00846 408 NtUserRemoveProp (196786, 43282, ... ) == 0x0 00847 408 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 76, 0, 0, 0} (24, {24, 52, new_msg, 0, 76, 0, 0, 0} "\0\0\0\0\5\4\3\0`Z\374w\24\0\0\0\230\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 400, 408, 1513, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\24\0\0\0\230\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 400, 408, 1513, 0} (24, {24, 52, new_msg, 0, 76, 0, 0, 0} "\0\0\0\0\5\4\3\0`Z\374w\24\0\0\0\230\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 400, 408, 1513, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\24\0\0\0\230\1\0\0\0\0\0\0" ) ) == 0x0 00848 408 NtUserGetThreadDesktop (408, 0, ... ) == 0x28 00849 408 NtUserGetObjectInformation (40, 2, 1241160, 520, 0, ... ) == 0x1 00850 408 NtGdiDeleteObjectApp (722469901, ... ) == 0x1 00851 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00852 408 NtUserCallOneParam (16842834, 56, ... 
) == 0x1 00853 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00854 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00855 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00856 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00857 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00858 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00859 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00860 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00861 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00862 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00863 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00864 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00865 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00866 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00867 408 NtUserGetWindowDC (0, ... ) == 0x1010052 00868 408 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x2c10040d 00869 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00870 408 NtAllocateVirtualMemory (-1, 8732672, 0, 4096, 4096, 4, ... 8732672, 4096, ) == 0x0 00871 408 NtUserSetProp (196786, 43288, 8732256, ... ) == 0x1 00840 408 NtUserCreateWindowEx ... ) == 0x300b2 00872 408 NtUserCallHwndLock (196786, 89, ... 00873 408 NtQueryDefaultLocale (1, 1243260, ... ) == 0x0 00874 408 NtUserCallNoParam (0, ... ) == 0x2006b 00875 408 NtUserCallNoParam (0, ... ) == 0x2006d 00876 408 NtUserThunkedMenuItemInfo (131181, -1, 1, 1, 1243300, 1243348, ... 00877 408 NtAllocateVirtualMemory (-1, 5607424, 0, 4096, 4096, 32, ... 5607424, 4096, ) == 0x0 00876 408 NtUserThunkedMenuItemInfo ... ) == 0x1 00878 408 NtUserThunkedMenuItemInfo (131181, -1, 1, 1, 1243300, 1243348, ... ) == 0x1 00879 408 NtUserThunkedMenuItemInfo (131179, -1, 1, 1, 1243396, 1243444, ... ) == 0x1 00872 408 NtUserCallHwndLock ... ) == 0x1 00880 408 NtUserGetAtomName (49175, 1242360, ... ) == 0x6 00881 408 NtUserCreateWindowEx (4, 49175, 49175, (4, 49175, 49175, "OK", 1342373889, 174, 119, 75, 23, 196786, 1, 2010382336, 0, 1073742848, 0, ... 
, 1342373889, 174, 119, 75, 23, 196786, 1, 2010382336, 0, 1073742848, 0, ... 00882 408 NtUserSetWindowFNID (65734, 673, ... ) == 0x1 00883 408 NtUserSetWindowLong (65734, 0, 1354716, 0, ... ) == 0x0 00884 408 NtUserMessageCall (0x100c6, WM_NCCREATE, 0x0, 0x12f4a4, 0, 670, 0, ... ) == 0x1 00885 408 NtUserMessageCall (0x100c6, WM_NCCALCSIZE, 0x0, 0x12f4cc, 0, 670, 0, ... ) == 0x0 00886 408 NtUserSetProp (65734, 43288, -1, ... ) == 0x1 00881 408 NtUserCreateWindowEx ... ) == 0x100c6 00887 408 NtUserGetAtomName (49177, 1242360, ... ) == 0x6 00888 408 NtUserCreateWindowEx (4, 49177, 49177, "1342308355, 11, 11, 0, 0, 196786, 20, 2010382336, 0, 1073742848, 0, ... 00889 408 NtUserSetWindowFNID (65736, 680, ... ) == 0x1 00890 408 NtUserSetWindowLong (65736, 0, 1354920, 0, ... ) == 0x0 00891 408 NtUserMessageCall (0x100c8, WM_NCCREATE, 0x0, 0x12f4a4, 0, 670, 0, ... ) == 0x1 00892 408 NtUserMessageCall (0x100c8, WM_NCCALCSIZE, 0x0, 0x12f4cc, 0, 670, 0, ... ) == 0x0 00893 408 NtUserSetProp (65736, 43288, -1, ... ) == 0x1 00894 408 NtUserFindExistingCursorIcon (1241148, 1241164, 1241732, ... ) == 0x0 00895 408 NtUserFindExistingCursorIcon (1241148, 1241164, 1241732, ... ) == 0x0 00896 408 NtUserFindExistingCursorIcon (1241148, 1241164, 1241732, ... ) == 0x10009 00897 408 NtUserGetIconSize (65545, 0, 1241752, 1241756, ... ) == 0x1 00898 408 NtUserGetCursorFrameInfo (65545, 0, 1241788, 1241764, ... ) == 0x10009 00899 408 NtUserSetWindowPos (65736, 0, 0, 0, 32, 32, 22, ... 00900 408 NtUserMessageCall (0x100c8, WM_WINDOWPOSCHANGING, 0x0, 0x12f214, 0, 670, 0, ... ) == 0x0 00901 408 NtUserMessageCall (0x100c8, WM_NCCALCSIZE, 0x1, 0x12f1e8, 0, 670, 0, ... ) == 0x0 00899 408 NtUserSetWindowPos ... ) == 0x1 00888 408 NtUserCreateWindowEx ... ) == 0x100c8 00902 408 NtUserGetAtomName (49177, 1242360, ... ) == 0x6 00903 408 NtUserCreateWindowEx (4, 49177, 49177, "The installer you are trying to use is corrupted or incomplete. 00904 408 NtUserSetWindowFNID (65738, 680, ... 
) == 0x1 00905 408 NtUserSetWindowLong (65738, 0, 1354896, 0, ... ) == 0x0 00906 408 NtUserMessageCall (0x100ca, WM_NCCREATE, 0x0, 0x12f4a4, 0, 670, 0, ... ) == 0x1 00907 408 NtUserMessageCall (0x100ca, WM_NCCALCSIZE, 0x0, 0x12f4cc, 0, 670, 0, ... ) == 0x0 00908 408 NtUserSetProp (65738, 43288, -1, ... ) == 0x1 00903 408 NtUserCreateWindowEx ... ) == 0x100ca 00909 408 NtUserSetWindowLong (196786, -21, 1244860, 0, ... ) == 0x0 00910 408 NtUserCallHwnd (196786, 72, ... ) == 0xbc648d08 00911 408 NtAllocateVirtualMemory (-1, 0, 0, 131064, 8192, 4, ... 9371648, 131072, ) == 0x0 00912 408 NtAllocateVirtualMemory (-1, 9371648, 0, 4096, 4096, 4, ... 9371648, 4096, ) == 0x0 00913 408 NtUserSetFocus (65734, ... 00914 408 NtUserMessageCall (0x300b2, WM_NCACTIVATE, 0x1, 0xffffffff, 0, 670, 0, ... ) == 0x1 00915 408 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 00916 408 NtUserGetWindowDC (196786, ... ) == 0x1010053 00917 408 NtGdiGetTextMetricsW (16842835, 1241420, 68, ... ) == 0x1 00918 408 NtGdiGetRandomRgn (16842835, 369361930, 1, ... ) == 0x0 00919 408 NtGdiIntersectClipRect (16842835, 0, 0, 0, 0, ... ) == 0x3 00920 408 NtGdiGetWidthTable (16842835, 10, 1335064, 266, 1335596, 1334432, 1334448, ... ) == 0x1 00921 408 NtGdiExtSelectClipRgn (16842835, 0, 5, ... ) == 0x1 00922 408 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00923 408 NtUserCalcMenuBar (196786, 3, 3, 29, 8732440, ... ) == 0x0 00924 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 1241388, 690, 0, ... 00925 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 00924 408 NtUserMessageCall ... ) == 0x0 00926 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 1241388, 690, 0, ... 00927 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 00926 408 NtUserMessageCall ... ) == 0x0 00928 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 1241388, 690, 0, ... 
00929 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 00928 408 NtUserMessageCall ... ) == 0x0 00930 408 NtUserGetTitleBarInfo (196786, 1242016, ... ) == 0x1 00931 408 NtUserGetDCEx (196786, 0, 66561, ... ) == 0x1010054 00932 408 NtGdiExcludeClipRect (16842836, 3, 29, 428, 182, ... ) == 0x3 00933 408 NtGdiDrawStream (16842836, 96, 1241420, ... ) == 0x1 00934 408 NtGdiDrawStream (16842836, 96, 1241420, ... ) == 0x1 00935 408 NtGdiDrawStream (16842836, 96, 1241420, ... ) == 0x1 00936 408 NtGdiCreateCompatibleBitmap (16842836, 431, 29, ... ) == 0x1e050404 00937 408 NtGdiCreateCompatibleDC (16842836, ... ) == 0x8010407 00938 408 NtGdiSelectBitmap (134284295, 503645188, ... ) == 0x185000f 00939 408 NtGdiDrawStream (134284295, 96, 1241312, ... ) == 0x1 00940 408 NtGdiDrawStream (134284295, 96, 1241268, ... ) == 0x1 00941 408 NtGdiDrawStream (134284295, 96, 1241268, ... ) == 0x1 00942 408 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 00943 408 NtGdiGetRandomRgn (134284295, 386139146, 1, ... ) == 0x0 00944 408 NtGdiIntersectClipRect (134284295, 8, 8, 403, 25, ... ) == 0x3 00945 408 NtGdiExtSelectClipRgn (134284295, 0, 5, ... ) == 0x2 00946 408 NtGdiGetRandomRgn (134284295, 402916362, 1, ... ) == 0x0 00947 408 NtGdiIntersectClipRect (134284295, 7, 7, 402, 25, ... ) == 0x3 00948 408 NtGdiExtSelectClipRgn (134284295, 0, 5, ... ) == 0x2 00949 408 NtGdiBitBlt (16842836, 0, 0, 431, 29, 134284295, 0, 0, 13369376, -1, 0, ... ) == 0x1 00950 408 NtGdiSelectBitmap (134284295, 25493519, ... ) == 0x1e050404 00951 408 NtGdiDeleteObjectApp (134284295, ... ) == 0x1 00952 408 NtGdiDeleteObjectApp (503645188, ... ) == 0x1 00953 408 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00913 408 NtUserSetFocus ... ) == 0x0 00954 408 NtUserSetWindowLong (65734, -12, 2, 0, ... ) == 0x1 00955 408 NtUserGetClassName (65734, 0, 1242904, ... ) == 0x6 00956 408 NtUserGetClassName (65736, 0, 1242904, ... 
) == 0x6 00957 408 NtUserGetClassName (65738, 0, 1242904, ... ) == 0x6 00958 408 NtUserGetAncestor (196786, 1, ... ) == 0x10014 00959 408 NtUserSetWindowPos (196786, 0, 300, 306, 431, 185, 1047, ... ) == 0x1 00960 408 NtUserMessageCall (0x300b2, 0x128, 0x30001, 0x0, 0, 670, 0, ... 00961 408 NtUserMessageCall (0x100c6, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 00962 408 NtUserMessageCall (0x100c8, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 00963 408 NtUserMessageCall (0x100ca, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 00960 408 NtUserMessageCall ... ) == 0x0 00964 408 NtUserShowWindow (196786, 1, ... 00965 408 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 00966 408 NtUserGetWindowDC (196786, ... ) == 0x1010054 00967 408 NtGdiGetRandomRgn (16842836, 419693578, 1, ... ) == 0x0 00968 408 NtGdiIntersectClipRect (16842836, 0, 0, 0, 0, ... ) == 0x3 00969 408 NtGdiGetCharSet (16842836, ... ) == 0x4e4 00970 408 NtGdiExtSelectClipRgn (16842836, 0, 5, ... ) == 0x2 00971 408 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00972 408 NtUserCalcMenuBar (196786, 3, 3, 29, 8732440, ... ) == 0x0 00973 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 1242004, 690, 0, ... 00974 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 00973 408 NtUserMessageCall ... ) == 0x0 00975 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 1242004, 690, 0, ... 00976 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 00975 408 NtUserMessageCall ... ) == 0x0 00977 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 1242004, 690, 0, ... 00978 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 00977 408 NtUserMessageCall ... ) == 0x0 00979 408 NtUserGetTitleBarInfo (196786, 1242632, ... ) == 0x1 00980 408 NtUserGetDCEx (196786, 0, 66561, ... ) == 0x1010053 00981 408 NtGdiExcludeClipRect (16842835, 3, 29, 428, 182, ... 
) == 0x3 00982 408 NtGdiDrawStream (16842835, 96, 1242036, ... ) == 0x1 00983 408 NtGdiDrawStream (16842835, 96, 1242036, ... ) == 0x1 00984 408 NtGdiDrawStream (16842835, 96, 1242036, ... ) == 0x1 00985 408 NtGdiCreateCompatibleBitmap (16842835, 431, 29, ... ) == 0x22050404 00986 408 NtGdiCreateCompatibleDC (16842835, ... ) == 0xa010408 00987 408 NtGdiSelectBitmap (167838728, 570754052, ... ) == 0x185000f 00988 408 NtGdiDrawStream (167838728, 96, 1241928, ... ) == 0x1 00989 408 NtGdiDrawStream (167838728, 96, 1241884, ... ) == 0x1 00990 408 NtGdiDrawStream (167838728, 96, 1241884, ... ) == 0x1 00991 408 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 00992 408 NtGdiGetRandomRgn (167838728, 436470794, 1, ... ) == 0x0 00993 408 NtGdiIntersectClipRect (167838728, 8, 8, 403, 25, ... ) == 0x3 00994 408 NtGdiExtSelectClipRgn (167838728, 0, 5, ... ) == 0x2 00995 408 NtGdiGetRandomRgn (167838728, 453248010, 1, ... ) == 0x0 00996 408 NtGdiIntersectClipRect (167838728, 7, 7, 402, 25, ... ) == 0x3 00997 408 NtGdiExtSelectClipRgn (167838728, 0, 5, ... ) == 0x2 00998 408 NtGdiBitBlt (16842835, 0, 0, 431, 29, 167838728, 0, 0, 13369376, -1, 0, ... ) == 0x1 00999 408 NtGdiSelectBitmap (167838728, 25493519, ... ) == 0x22050404 01000 408 NtGdiDeleteObjectApp (167838728, ... ) == 0x1 01001 408 NtGdiDeleteObjectApp (570754052, ... ) == 0x1 01002 408 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01003 408 NtUserFillWindow (196786, 196786, 16842832, 4, ... 01004 408 NtUserGetAncestor (196786, 1, ... ) == 0x10014 01005 408 NtUserGetAncestor (65556, 1, ... ) == 0x0 01003 408 NtUserFillWindow ... ) == 0x1 01006 408 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01007 408 NtUserGetWindowDC (196786, ... ) == 0x1010054 01008 408 NtGdiGetRandomRgn (16842836, 470025226, 1, ... ) == 0x0 01009 408 NtGdiIntersectClipRect (16842836, 0, 0, 0, 0, ... ) == 0x3 01010 408 NtGdiGetCharSet (16842836, ... 
) == 0x4e4 01011 408 NtGdiExtSelectClipRgn (16842836, 0, 5, ... ) == 0x2 01012 408 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01013 408 NtUserCalcMenuBar (196786, 3, 3, 29, 8732440, ... ) == 0x0 01014 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 1242288, 690, 0, ... 01015 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01014 408 NtUserMessageCall ... ) == 0x0 01016 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 1242288, 690, 0, ... 01017 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01016 408 NtUserMessageCall ... ) == 0x0 01018 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 1242288, 690, 0, ... 01019 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01018 408 NtUserMessageCall ... ) == 0x0 01020 408 NtUserGetTitleBarInfo (196786, 1242916, ... ) == 0x1 01021 408 NtUserBuildHwndList (0, 196786, 1, 0, 64, ... (0x100c6, 0x100c8, 0x100ca, 0x1, ), 4, ) == 0x0 01022 408 NtUserGetWindowDC (0, ... ) == 0x1010052 01023 408 NtUserCallOneParam (16842834, 56, ... ) == 0x1 01024 408 NtGdiExtCreateRegion (0, 112, 8733936, ... ) == 0x24040404 01025 408 NtGdiOffsetRgn (604242948, 0, 0, ... ) == 0x3 01026 408 NtGdiCombineRgn (486802442, 604242948, 486802442, 5, ... ) == 0x3 01027 408 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0xb040408 01028 408 NtGdiCombineRgn (486802442, 184812552, 486802442, 2, ... ) == 0x3 01029 408 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x6040405 01030 408 NtGdiCombineRgn (486802442, 100926469, 486802442, 2, ... ) == 0x3 01031 408 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x6040406 01032 408 NtGdiCombineRgn (486802442, 100926470, 486802442, 2, ... ) == 0x3 01033 408 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x60403df 01034 408 NtGdiCombineRgn (486802442, 100926431, 486802442, 2, ... ) == 0x3 01035 408 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0xc0403e3 01036 408 NtGdiCombineRgn (201589731, 486802442, 0, 5, ... 
) == 0x3 01037 408 NtUserSetWindowRgn (196786, 486802442, 1, ... 01038 408 NtUserMessageCall (0x300b2, WM_NCCALCSIZE, 0x1, 0x12f668, 0, 670, 0, ... ) == 0x0 01039 408 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01040 408 NtUserGetWindowDC (196786, ... ) == 0x1010054 01041 408 NtGdiGetRandomRgn (16842836, 117703647, 1, ... ) == 0x0 01042 408 NtGdiIntersectClipRect (16842836, 0, 0, 0, 0, ... ) == 0x3 01043 408 NtGdiGetCharSet (16842836, ... ) == 0x4e4 01044 408 NtGdiExtSelectClipRgn (16842836, 0, 5, ... ) == 0x3 01045 408 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01046 408 NtUserCalcMenuBar (196786, 3, 3, 29, 8732440, ... ) == 0x0 01047 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 1241088, 690, 0, ... 01048 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01047 408 NtUserMessageCall ... ) == 0x0 01049 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 1241088, 690, 0, ... 01050 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01049 408 NtUserMessageCall ... ) == 0x0 01051 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 1241088, 690, 0, ... 01052 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01051 408 NtUserMessageCall ... ) == 0x0 01053 408 NtUserGetTitleBarInfo (196786, 1241716, ... ) == 0x1 01054 408 NtUserGetDCEx (196786, 0, 66561, ... ) == 0x1010050 01055 408 NtGdiExcludeClipRect (16842832, 3, 29, 428, 182, ... ) == 0x3 01056 408 NtGdiDrawStream (16842832, 96, 1241120, ... ) == 0x1 01057 408 NtGdiDrawStream (16842832, 96, 1241120, ... ) == 0x1 01058 408 NtGdiDrawStream (16842832, 96, 1241120, ... ) == 0x1 01059 408 NtGdiCreateCompatibleBitmap (16842832, 431, 29, ... ) == 0x9050400 01060 408 NtGdiCreateCompatibleDC (16842832, ... ) == 0x7010401 01061 408 NtGdiSelectBitmap (117507073, 151323648, ... ) == 0x185000f 01062 408 NtGdiDrawStream (117507073, 96, 1241012, ... 
) == 0x1 01063 408 NtGdiDrawStream (117507073, 96, 1240968, ... ) == 0x1 01064 408 NtGdiDrawStream (117507073, 96, 1240968, ... ) == 0x1 01065 408 NtUserInternalGetWindowText (0x300b2, 260, ... (0x300b2, 260, ... "NSIS Error", ) , ) == 0xa 01066 408 NtGdiGetRandomRgn (117507073, 134480863, 1, ... ) == 0x0 01067 408 NtGdiIntersectClipRect (117507073, 8, 8, 403, 25, ... ) == 0x3 01068 408 NtGdiExtSelectClipRgn (117507073, 0, 5, ... ) == 0x2 01069 408 NtGdiGetRandomRgn (117507073, 151258079, 1, ... ) == 0x0 01070 408 NtGdiIntersectClipRect (117507073, 7, 7, 402, 25, ... ) == 0x3 01071 408 NtGdiExtSelectClipRgn (117507073, 0, 5, ... ) == 0x2 01072 408 NtGdiBitBlt (16842832, 0, 0, 431, 29, 117507073, 0, 0, 13369376, -1, 0, ... ) == 0x1 01073 408 NtGdiSelectBitmap (117507073, 25493519, ... ) == 0x9050400 01074 408 NtGdiDeleteObjectApp (117507073, ... ) == 0x1 01075 408 NtGdiDeleteObjectApp (151323648, ... ) == 0x1 01076 408 NtUserCallOneParam (16842832, 56, ... ) == 0x1 01077 408 NtUserFillWindow (196786, 196786, 16842835, 4, ... 01078 408 NtUserGetAncestor (196786, 1, ... ) == 0x10014 01079 408 NtUserGetAncestor (65556, 1, ... ) == 0x0 01077 408 NtUserFillWindow ... ) == 0x1 01037 408 NtUserSetWindowRgn ... ) == 0x1 00964 408 NtUserShowWindow ... ) == 0x0 01080 408 NtUserCallHwndLock (196786, 93, ... 01081 408 NtUserMessageCall (0x300b2, WM_PAINT, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01082 408 NtUserBeginPaint (0x100c6, 1243288, ... 01083 408 NtUserMessageCall (0x100c6, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01082 408 NtUserBeginPaint ... ) == 0x1010053 01084 408 NtUserGetControlBrush (0x100c6, 16842835, 309, ... ) == 0x1100056 01085 408 NtGdiIntersectClipRect (16842835, 0, 0, 75, 23, ... ) == 0x3 01086 408 NtGdiIntersectClipRect (16842835, 3, 3, 72, 20, ... ) == 0x3 01087 408 NtUserEndPaint (0x100c6, 1243288, ... ) == 0x1 01088 408 NtUserBeginPaint (0x100c8, 1243300, ... 01089 408 NtUserMessageCall (0x100c8, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... 
) == 0x0 01088 408 NtUserBeginPaint ... ) == 0x1010053 01090 408 NtGdiIntersectClipRect (16842835, 0, 0, 32, 32, ... ) == 0x3 01091 408 NtUserGetControlBrush (0x100c8, 16842835, 312, ... ) == 0x1100056 01092 408 NtGdiGetDCDword (16842835, 7, 1243020, ... ) == 0x1 01093 408 NtUserDrawIconEx (16842835, 0, 0, 65545, 32, 32, 0, 17825878, 3, 0, 1243064, ... ) == 0x1 01094 408 NtUserEndPaint (0x100c8, 1243300, ... ) == 0x1 01095 408 NtUserBeginPaint (0x100ca, 1243300, ... 01096 408 NtUserMessageCall (0x100ca, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01095 408 NtUserBeginPaint ... ) == 0x1010053 01097 408 NtGdiIntersectClipRect (16842835, 0, 0, 357, 93, ... ) == 0x3 01098 408 NtUserGetControlBrush (0x100ca, 16842835, 312, ... ) == 0x1100056 01099 408 NtGdiGetTextCharsetInfo (16842835, 0, 0, ... ) == 0x0 01100 408 NtUserEndPaint (0x100ca, 1243300, ... ) == 0x1 01080 408 NtUserCallHwndLock ... ) == 0x1 01101 408 NtUserPeekMessage (0, 0, 0, 1, ... 01102 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241152, ... ) }, 1241152, ... ) == 0x0 01103 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 01104 408 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 76, ... 80, ) == 0x0 01105 408 NtClose (76, ... ) == 0x0 01106 408 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x870000), 0x0, 45056, ) == 0x0 01107 408 NtClose (80, ... ) == 0x0 01108 408 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 01109 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241468, ... ) }, 1241468, ... ) == 0x0 01110 408 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241468, ... ) }, 1241468, ... 
) == 0x0 01111 408 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 01112 408 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 80, ... 76, ) == 0x0 01113 408 NtQuerySection (76, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01114 408 NtClose (80, ... ) == 0x0 01115 408 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 49152, ) == 0x0 01116 408 NtClose (76, ... ) == 0x0 01117 408 NtProtectVirtualMemory (-1, (0x10006000), 256, 4, ... (0x10006000), 4096, 2, ) == 0x0 01118 408 NtProtectVirtualMemory (-1, (0x10006000), 4096, 2, ... (0x10006000), 4096, 4, ) == 0x0 01119 408 NtFlushInstructionCache (-1, 268460032, 256, ... ) == 0x0 01120 408 NtProtectVirtualMemory (-1, (0x10006000), 256, 4, ... (0x10006000), 4096, 2, ) == 0x0 01121 408 NtProtectVirtualMemory (-1, (0x10006000), 4096, 2, ... (0x10006000), 4096, 4, ) == 0x0 01122 408 NtFlushInstructionCache (-1, 268460032, 256, ... ) == 0x0 01123 408 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01124 408 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0 01125 408 NtAllocateVirtualMemory (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0 01126 408 NtAllocateVirtualMemory (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0 01127 408 NtQueryPerformanceCounter (... {110368740, 0}, {3579545, 0}, ) == 0x0 01128 408 NtUserMessageCall (0x300b2, WM_SETCURSOR, 0x300b2, 0x2000001, 0, 670, 0, ... ) == 0x0 01101 408 NtUserPeekMessage ... 
{0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6a62, {512, 384}}, ) == 0x1 01129 408 NtOpenProcessToken (-1, 0x8, ... 76, ) == 0x0 01130 408 NtQueryInformationToken (76, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01131 408 NtClose (76, ... ) == 0x0 01132 408 NtUserCallMsgFilter (1243656, 0, ... ) == 0x0 01133 408 NtUserPeekMessage (0, 0, 0, 1, ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6a62, {512, 384}}, ) == 0x0 01134 408 NtUserWaitMessage (... ) == 0x1 01135 408 NtUserPeekMessage (0, 0, 0, 1, ... 01136 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01135 408 NtUserPeekMessage ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6a62, {512, 384}}, ) == 0x0 01137 408 NtUserWaitMessage (... ) == 0x1 01138 408 NtUserPeekMessage (0, 0, 0, 1, ... 01139 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01138 408 NtUserPeekMessage ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6a62, {512, 384}}, ) == 0x0 01140 408 NtUserWaitMessage (... ) == 0x1 01141 408 NtUserPeekMessage (0, 0, 0, 1, ... 01142 408 NtUserMessageCall (0x300b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01141 408 NtUserPeekMessage ... {0x300b2, WM_MOUSEFIRST, 0x0, 0x3100d1, 0x6a62, {512, 384}}, ) == 0x0 01143 408 NtUserWaitMessage (...